You don't want to expose a web server to the wild without setting up logging. We all know this. We sometimes forget this. Don't.

Windows developers over the years get cushy with IIS's protection and we take it for granted, but now we're on Apache and going back to our roots of not trusting the core is a good thing.

Our current virtual hosts file is quite a bit different from the Apache default file, if we look to that original we'll see the recommended minimum log lines.

God Forbid

The default behaviour for Apache is to give any user any file that they ask for but you can protect files based on any common or custom file extensions you need.

So far all of our examples have shown a pages-only webapp, no mentions of javascript files, css or images. What all these external resources have in common is that they're typically going to be held in subfolders off of the root.

Related to forbidding folder browsing is forbidding remote access to private files. It's not uncommon to have some quick server-cached lookup data that you want to hold as a file and let the .Net/Mono service work with but not expose to the whole world.

Because the Mono Team knew that most of their new users would be coming over from Windows and usually doing their first tests by dumping some previously written web apps on a Linux box 'just to watch it all fail', they created a one-line compatibility command called Mono IOMAP.

Unfortunately for new users, the setting is not the default (but experienced users would probably not want it bo be). It is turned on at the overall Apache service level by adding the following line to the top of the /etc/apache2/httpd.conf file:

Before you go-live with the server, you should handle the default IP Address request case. Disabling the default Apache "It Works" site using "a2dissite default" will do it BUT...

If your network DNS is resolving site urls to the box and they have a value registered that you haven't set up yet then each request will make Apache go through its list of enabled sites and, not finding a match, the last site in its collection will be used.

Sooooo, if you have a porn site first and a Christian site to come later, you may not want to tell your DNS administrator about the Christian site until after you have at least a placeholder site set up for it on the server. We're all usually good about this stuff in our SOX-hampered companies but space out on it when pointing multiple Internet domain names to our homeoffice IPs. Do'h!

Handling Apache/Mono site errors - get past IE's "helpfulness" - managed and unmanages test pages - setting Apache error redirects - managed error handling - 500s are just as deadly in Apache as IIS

Setting the default page

This is easy, just nano the /etc/apache2/sites-available/[site vhost file] and add a DirectoryIndex line for the page that you want to appear if no page is specified in the request.

The only question you have to ask yourself is do you want this to be a static page of non-dynamic html or an ASP.Net page. Most likely, since you're here at smithvoice.com, you'll want it to be an ASPX page... but just remember that if it is a managed page and if you have any serverside issues that kill Mono's ASP.Net (such as a mistake in the web.config) your users will see an unhandleable 500 error *from Mono* that won't bubble up to be redirected by Apache. Standard stuff, same as MS.Net, but something to consider.