Apache web server Quick overview

About An open source web server. Mostly for Unix, Linux and Solaris platforms Apache is the most popular web server on the net. It is very secure, fast, and reliable. Created by Apache foundation http://httpd.apache.org Apache foundation started to support the web server project, but now extends to a multitude of other projects. (tomcat, hadoop, ant etc. etc)

Features Modern, secure, multi-threaded server. Multiple protocols: HTTP and HTTPS (FTP, proxy etc.) It provides a full range of Web server features, including CGI, SSL, and virtual hosts. Modular design: most features implemented thorough loadable modules, Including (but not exhaustive): dynamic content via interpreting languages (PHP) authentication via lots of different back-ends (database, LDAP, pam etc.) database support proxying etc. Full list: http://httpd.apache.org/docs/2.4/mod/ To put it another way: if Apache can't do it, it's not wort doing.

Features II Virtual hosting is one of the most important features Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all services provided to use the same host name. Apache Provides multiple options of virtual hosting and scales Name Based virtual hosts IP Based Virtual Hosts Aliases Its recommended to use an IP address over hostnames in virtual hosting configuration

IP vs. Name? In the „good old days“ HTTP ruled, name based virtual hosting was common One could not do HTTPS name based virtual hosting, because TLS handshake must be completed BEFORE http request. Problem IP adresses are more and more scarse Solution: SNI Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted, so an eavesdropper can see which site is being requested.

Apache and TLS Lets review some key points Default TLS port is 443 HTTPS is important to protect communication between browser and web-server Implenetation requires the creation of SSL certificates and Certificate Signing Requests (CSR) For integrity SSL certificates are signed by a Certificate Authority’s (CA) such as Verisign Self signed Certificates will also work but your browser will not trust it and will give a warning to users (which most don’t read) To use a HTTPS feature a module must be loaded first

SSL Certificate Each SSL certificate has a Public and Private key The Public Key is used to encrypt the information The Public Key is accessible to everyone The private Key is used to decipher the information The private should be not be disclosed

Role of CA There are a number of CA that certify certificates Most browsers have pre-included public Keys from the CA’s A CA certified certificate will have validation information signed by the CA’s private key The browser will decrypt the validation information using the public key and verify that the certificate is certified by the CA If this fails a warning is given Security tip: it's actually very easy and cheap to obtain an „simple“ certificate. Only domain ownership validation are done. most users do not notice nor understand the problem. Due to limitation of our environment only self-signed certs are used in labs :(

Tips: Apache configuration files Example configuration tree /etc/apache2/ (sometimes httpd) ├── apache2.conf (general conf, not many actual directives here) ├── conf.d (here goes real configuration) │   ├── charset │   ├── localized-error-pages │   ├── other-vhosts-access-log │   └── security ├── envvars ├── magic ├── mods-available │   ├── actions.conf /../ │   ├── php5.conf │   └── vhost_alias.load ├── mods-enabled │   ├── php5.conf -> ../mods-available/php5.conf │   ├── php5.load -> ../mods-available/php5.load │   └── status.load -> ../mods-available/status.load ├── ports.conf (here goes your Listen directive) ├── sites-available │   ├── default │   ├── default-ssl │   └── portal.conf └── sites-enabled └── 000-quake -> ../sites-available/portal.conf

Some more tips to help you To use a feature, appropriate module must be loaded Good practice is to use <IfModule> Modules can be enabled via manual symlinking or use utility a2enmod sometimes you need to install module first with apt Sites can be enabled via manual symlinking or use utility a2enmod As usual to services of UNIX-like systems Apache will not re-read the .conf files after the Web server starts running. usually „service apache2 reload“ is enough to re-read and activate new configuration but not always. Restart always works. apachectl is another useful utility for admin, check it out Use official documentation from https://httpd.apache.org/docs/ that corresponds your server version. DO NOT trust any crap you can google out. Wish you success with your lab