The University of Akron
College of Applied Science & Technology
Dept. of Business & Information Technology
2440: 141 Web Site Administration
Web Server Configuration
Instructor: Joseph Nattey

Choosing Web Server Software
- The Web server software determines the scalability, manageability, and accessibility of the sites hosted on a server
- Evaluating a Web server involves looking at several aspects including:
  - Price
  - Support
  - Scalability
  - Configuration options
  - Performance
  - Security

Choosing Web Server Software…
- Price – spending a lot of money does not guarantee a good server package
- Cost is usually the first thing that people look at when trying to decide to buy something. With Web servers, it should be the final thing you look at.
- Limiting yourself to a specific Web server because of cost could end up hurting your site because of a lack of scalability or functionality, or leave it unmaintainable because of a lack of support.

Choosing Web Server Software…
- Scalability – the ability of your Web server software to grow as your Web site grows.
- Having a slow server can cost you both existing customers and new ones, and you often only have a few seconds (less than 10) to grab and hold your customers on your site.
- You do not want a Web server that will bog down after 1,000 hits.

Choosing Web Server Software…
- Support – one of the most popular Web servers in the world is also completely free, but with that comes a price. That price is a lack of formal support.
- If you do not have a large IT department, already staffed to support the server you're going to choose, then you should probably look into either a server with support included, or a third-party support contract for a less well-supported server.
- Some support questions to ask:
  - What are the vendor’s support parameters and do they meet your needs?
  - How often do you expect to need to contact support?
  - Will you have to pay more for an additional level of support?
  - What do people say about the support organization?

Choosing Web Server Software…
- Security – security should be your number one concern when considering a Web server. Your Web site is very public, and being hacked is a public way to reduce your customer confidence.
- Once you have a secure Web server, you also need to focus on how you configure it. Many Web servers come with defaults that are not as secure as they could be, and that could make your site vulnerable.
- Finally, when thinking of security, you must stay up-to-date on patches and security issues.

Choosing Web Server Software…
- Configuration – it is important that the Web server is flexible and easy to configure
- Performance – a Web server must be able to withstand heavy loads and avoid crashing

Evaluating Web Server Software
Some of the questions to ask when evaluating different Web servers are:
- How much is the server?
- Has the server been thoroughly tested in real-world situations?
- What is more important: ease of use or speed and flexibility?
- How easy is it to install and configure?
- Can non-webmasters publish documents to it easily?
- Will the server scale to meet the needs of the growing business?
- Does it behave well under heavy load?
- Does it meet any special needs of your business?
- Does it support well defined and accepted industry standards?
- Is it customizable and extendable?
- Is technical support available?
- How well does it run on existing hardware?
- How good is the documentation?

How Web Servers Work
Two of the most popular Web servers include:
- Apache – from Apache Software Foundation
  - Has the largest Web server software market share
- Internet Information Services (IIS) – from Microsoft

Web Server Software Market Share
Vendor         Product    Percentage
Apache                    60%+
Microsoft      IIS        14%+
Igor Sysoev    nginx      11%+
Google         GWS        3%+
               lighttpd
Source: Netcraft (http://news.netcraft.com/archives/2014/12/18/december-2014-web-server-survey.html), December 2014

Apache
- The most widely supported Web server; has the biggest market share
- Apache is generally recognized as the world's most popular Web server.
- Developed by a group of volunteers (Apache Software Foundation) around the world since 1995
- Software is free for anyone to use, modify and redistribute
- An open source project written in the C/C++ programming language
- Originated on UNIX systems but available on Windows platforms

Apache
- The name "Apache" derives from the word "patchy" that the Apache developers used to describe early versions of their software.
- The Apache Web server provides a full range of Web server features, including CGI, SSL, and virtual domains.
- The Apache Web site is: http://www.apache.org

Features in Apache
- Apache can be used as a proxy server
  - A proxy server isolates your real Web server from the Internet and acts as an intermediary for requests from clients seeking resources from other servers.
- Apache has:
  - Better support for Windows
  - Support for IPv6
  - Simplified configuration
  - Unicode support in Windows
  - Multilanguage error responses
- Apache supports many programming languages such as Perl and PHP
- The Apache server is highly efficient and secure as a Web server.
- The core features of the Apache Web server make it a close competitor to other similar servers.

Features in Apache
- It supports password authentication and digital certificate authentication.
- Because the source code is freely available, anyone can adapt the server for specific needs, and there is a large public library of Apache add-ons.
- Although the main design goal of Apache is not to be the "fastest" Web server, Apache does have performance similar to other "high-performance" Web servers.

IIS (Internet Information Services)
- Microsoft’s Web server specifically written for Windows platforms
- Free if the Windows operating system is purchased but source code not available
- The second most widely used Web server with over 25% market share
- Easy to set up, configure and use
- Not supported on UNIX systems
- Offers ASP support

Components in IIS
- File Transfer Protocol (FTP) server
- NNTP (Network News Transfer Protocol) Service
  - Used to create user forums
- SMTP (Simple Mail Transfer Protocol) – an Internet standard for electronic mail (e-mail) transmission.
- HTTP – the standard protocol for transferring hypertext documents on the World Wide Web.
- HTTPS – a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet.
- FTPS – an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols.

How Web Servers Work…
- As is true with other servers such as DNS, Web servers listen for communication at a port number
- The default port for Web servers is 80
- Other conventional port numbers for web services are 8080 or 8000
- You can also create Web servers at port numbers greater than 1023
- Ports up to and including 1023 are reserved for other uses

Installing Apache Modules
- You may download and install other Apache modules from the Apache Web site (http://modules.apache.org)
- Some of the modules include:
  - mod_cgi – allows the execution of CGI scripts
  - mod_perl – incorporates a Perl interpreter
  - mod_aspdotnet – provides an ASP.NET host interface to MS ASP.NET engine
  - mod_ssl – provides strong cryptography via SSL and TLS protocols
  - mod_ftpd – allows FTP connections
  - mod_userdir – allows user content to be served from user-specific directories via HTTP
  - mod_authz_ldap – provides support for authenticating users against an LDAP database

Starting Apache
- By default, Apache does not start after you install it
- The following table has a list of commands

Procedure         Command
Start Apache      apachectl start
Stop Apache       apachectl stop
Restart Apache    apachectl restart

Minimal Apache Configuration
- To configure the name of the server:
  - Add a ServerName in /etc/httpd/conf/httpd.conf, e.g.

        ServerName www.jdoe.com:80

    where 80 is the port number
- To start Apache automatically when the computer is started:
  - Add apachectl start at the bottom of the /etc/rc.d/rc.local file.

Microsoft IIS
- Internet Information Services (IIS) provides a secure, easy-to-manage, modular and extensible platform for reliably hosting websites, services and applications.
- With IIS, you get choice and control without giving up reliability or security.
- You can:
  - Customize and add new features
  - Maximize web security
  - Easily deploy and run both ASP.NET and PHP web applications on the same server.

Microsoft IIS: Control
- Centralized Web Farm Management
  - Deploy and manage Web sites and applications across large farms of Web servers from a central place. IIS7 makes it simple to centrally deploy and manage configuration and content across a farm of Web servers.
- Delegated Remote Management
  - IIS7 provides built-in support for delegating administration tasks to Web site owners, allowing basic configuration and management tasks to be performed securely and without Administrative intervention.
- Powerful Admin Tools
  - IIS7 includes a comprehensive set of administration tools, including new administration and command-line tools, new managed code and scripting APIs and Windows PowerShell support to simplify day-to-day tasks for developers and administrators.

Microsoft IIS: Reliability
- Scalable Web Infrastructure
  - Implement a scalable Web infrastructure with built-in HTTP-based load balancing and intelligent request handling and routing.
  - Speed up your Web site through built-in dynamic caching and enhanced compression.

Microsoft IIS: Rich Diagnostic Tools and Security
- Rich Diagnostic Tools
  - Minimize downtime and rapidly diagnose server and application issues with the new built-in diagnostic tools
- Security
  - Enhanced Server Protection: IIS7 maximizes Web server security by default with minimal Web server footprint and automatic application isolation.
  - Secure Content Publishing: IIS7 makes publishing Web content more secure with built-in support for standards-based publishing protocols.
  - Access Protection: Safeguard your Web server from malicious requests and unauthorized access with new URL authorization rules and built-in request filtering.

Hosting Multiple Web Sites by Port Number
- Associate each new Web site with a port above 1023
- To retrieve a Web page from a site at port 8080: http://localhost:8080/file

Virtual Hosts
- Virtual hosting is a method for hosting multiple domain names on a single server (or pool of servers).
- A virtual host is often used by companies or individuals that do not want to purchase and maintain their own Web servers and Internet connections.
- There are two types of virtual hosts:
  - Name Based Virtual Hosting
  - IP Based Virtual Hosting

Virtual Hosts
- Name-based virtual hosts – do not have unique IP addresses
- With name-based virtual hosting you can host several domains/websites on a single machine with a single IP. All domains on that server will be sharing a single IP.
- It is easier to configure than IP-based virtual hosting: you only need to configure the DNS of the domain to map it to its correct IP address.

Virtual Hosts
- IP-based virtual hosts – have unique IP addresses like a normal host
- With IP-based virtual hosting, you can assign a separate IP for each domain on a single server. These IPs can be attached to the server with a single NIC as well as with multiple NICs.
- When IP-based virtual hosting is used, each site points to a unique IP address.

Virtual Hosts
- The downside of this approach is that the server needs a different IP address for every web site.
- This increases administrative overhead (both assigning addresses to servers and justifying the use of those addresses to internet registries) and contributes to IPv4 address exhaustion.

Configuring a Virtual Host Based on an IP Address in Apache
- The httpd.conf file is the main configuration file for the Apache web server. A lot of options exist, and it's important to read the documentation that comes with Apache for more information on different settings and parameters.
- ServerRoot
  - The option ServerRoot specifies the directory in which the configuration files of the Apache server live. It allows Apache to know where it can find its configuration files when it starts.
  - By default, ServerRoot is set to "/etc/httpd" for both secure and non-secure servers.
- Timeout 300
  - The option Timeout specifies in seconds the amount of time Apache will wait for a GET, POST, PUT request and ACKs on transmissions. You can safely leave this option on its default value.
- By default, KeepAlive is set to off.

Configuring a Virtual Host Based on an IP Address in Apache
- In IP-based virtual hosts, each site points to a unique IP address.
- IP-based virtual hosting is useful if your server has more than one NIC/IP. In that case you can configure your web server to host a different site based on the IP address on which the request arrives. Therefore you need to have a separate IP address for each host.
- In /etc/rc.d/rc.local, add an IP address such as:

      /bin/ifconfig eth0:0 192.168.0.150

- In the Virtual Host section of httpd.conf:

      <VirtualHost 192.168.0.150>
          ServerName research.technowidgets.com
          DocumentRoot /var/www/research
      </VirtualHost>

Configuring a Virtual Host Based on a Host Name in Apache
- Name-based virtual hosting is usually simpler, since you need only configure your DNS server to map each hostname to the correct IP address and then configure the Apache HTTP Server to recognize the different hostnames.
- Name-based virtual hosting also eases the demand for scarce IP addresses. Therefore you should use name-based virtual hosting unless you are using equipment that explicitly demands IP-based hosting.
- NameVirtualHost defines the common IP address
- Multiple configurations repeat the same IP address and define unique ServerName settings

Configuring a Virtual Host Based on a Host Name in Apache
- To use name-based virtual hosting, you must designate the IP address on the server that will be accepting requests for the hosts. This is configured using the NameVirtualHost directive.
- The next step is to create a <VirtualHost> block for each different host that you would like to serve. The argument to the <VirtualHost> directive must match a defined NameVirtualHost directive.
- Inside each <VirtualHost> block, you will need at minimum a ServerName directive to designate which host is served and a DocumentRoot directive to show where in the filesystem the content for that host lives.

      NameVirtualHost 192.168.0.100

      <VirtualHost 192.168.0.100>
          ServerName www.technowidgets.com
          DocumentRoot /var/www/html
      </VirtualHost>

      <VirtualHost 192.168.0.100>
          ServerName web1.technowidgets.com
          DocumentRoot /var/www/web1
      </VirtualHost>

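How a request is mapped to one of the virtual hosts configured above, as an added example that is not part of the original slides. It models Apache's selection rule (match the local IP first, then the Host header against ServerName, falling back to the first block listed for that IP); the function names are hypothetical, and the point to check is which site answers a Host header you never configured.

```python
import re

# The slides' name-based and IP-based hosts, combined into one httpd.conf excerpt.
HTTPD_CONF = """
NameVirtualHost 192.168.0.100
<VirtualHost 192.168.0.100>
    ServerName www.technowidgets.com
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost 192.168.0.100>
    ServerName web1.technowidgets.com
    DocumentRoot /var/www/web1
</VirtualHost>
<VirtualHost 192.168.0.150>
    ServerName research.technowidgets.com
    DocumentRoot /var/www/research
</VirtualHost>
"""

BLOCK = re.compile(r"<VirtualHost\s+([^>\s]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return [(ip, server_name, document_root)] in the order the blocks appear."""
    vhosts = []
    for ip, body in BLOCK.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        root = re.search(r"^\s*DocumentRoot\s+(\S+)", body, re.M | re.I)
        vhosts.append((
            ip,
            name.group(1).split(":")[0].lower() if name else None,
            root.group(1) if root else None,
        ))
    return vhosts


def resolve(vhosts, local_ip, host_header):
    """Return (document_root, how) for a request received on local_ip.

    how is "name" (ServerName matched), "default" (first block for that IP
    answered an unrecognised Host header) or "none" (no block for that IP,
    so the main server configuration would handle the request).
    """
    candidates = [v for v in vhosts if v[0] == local_ip]
    if not candidates:
        return None, "none"
    # Host headers are case-insensitive and may carry a port or trailing dot.
    host = (host_header or "").split(":")[0].strip().lower().rstrip(".")
    for _ip, name, root in candidates:
        if name == host:
            return root, "name"
    return candidates[0][2], "default"


if __name__ == "__main__":
    vhosts = parse_vhosts(HTTPD_CONF)
    for ip, host in [("192.168.0.100", "web1.technowidgets.com"),
                     ("192.168.0.100", "unknown.example"),
                     ("192.168.0.150", "anything.example")]:
        print(ip, host, resolve(vhosts, ip, host))
```

Because the first block listed for an address answers every unmatched name, it is worth making that block a deliberately empty or minimal site rather than the main one.
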
User Access
- It is possible to restrict access to certain pages on a Web server
- HTTP offers a simple authentication protocol used to require a username and password in order to access resources on the server
- The webmaster can make certain directories and files private and require a client to authenticate before allowing access
- HTTP 1.1 offers two types of authentication:
  - Basic authentication – offers little security because it does not encrypt any information sent over the network
  - Digest authentication – not very secure either and not available on some older versions of some server software
- The best way to secure authentication is to use HTTPS

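Why Basic authentication "offers little security", as an added example that is not part of the original slides: the Authorization header is only base64-encoded, so a check over request records can recover the username from any request sent without HTTPS. The sample records, credentials and function names are constructed for illustration.

```python
import base64


def make_basic(user, password):
    """Build the header value a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header_value):
    """Return (username, password) from a Basic Authorization value, else None.

    No key is involved: decoding is the exact inverse of what the client did.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or bytes that are not UTF-8
        return None
    # Only the first colon separates the fields; passwords may contain colons.
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def audit(requests):
    """Flag Basic credentials that travelled without TLS.

    requests: iterable of (url_scheme, path, authorization_header).
    Returns [(path, username, password_length)]; the password itself is
    deliberately left out of the report.
    """
    findings = []
    for scheme, path, auth in requests:
        creds = decode_basic(auth)
        if creds and scheme.lower() != "https":
            findings.append((path, creds[0], len(creds[1])))
    return findings


# Constructed sample records, not taken from a real server.
SAMPLE = [
    ("http", "/private/report.html", make_basic("jdoe", "pa:ss")),
    ("https", "/private/report.html", make_basic("jdoe", "pa:ss")),
    ("http", "/private/index.html", "Basic not-base64!"),
    ("http", "/public/index.html", ""),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("Basic credentials sent in clear:", finding)
```
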
User Access…
Although implementations are different for virtually every Web server, the basic procedures for enabling user authentication are as follows:
- Determine which resources need to be restricted
  - Evaluate content and determine which directories/files require authentication
- Determine users and groups
  - Determine list of users/groups to be allowed to view resources
- Create users and groups
  - IIS – create user accounts in the operating system
  - Apache – requires password and group files containing information about usernames, passwords, and groups
- Apply restrictions to resources (files and directories)

Host Access
- There are situations when denying access to your server from a particular host or domain may be desirable
  - Requests from domains may be rejected to prevent a site from being indexed by spiders and search engines
  - Hackers may be banned by IP address or domain
- These methods are not foolproof but can control access to a site in many situations
- The default for most servers is to allow access from any host
- Sometimes access may only be allowed from particular hosts
  - Allowing access by IP address eliminates having to issue usernames and passwords
  - Easy way to allow access to a particular host address, range of addresses, or an entire subnet or domain

Host Access…
- Most Web servers have provisions for restricting access to specific hosts, networks, or domains
- Apache uses the allow and deny directives to control access by host
- Allow specifies which client can access a given directory.
- In the Apache access.conf configuration file, an entry can be used to restrict any hosts from a sample.com domain
- Specify IP addresses whenever possible – specifying domain names can decrease performance of a Web server by requiring a DNS lookup for each request

      <Directory /docroot>
          # No space after the comma: Order takes a single argument
          Order allow,deny
          Allow from all
          # Partial domain name (no wildcard): matches every host under samplesite.com
          Deny from .samplesite.com
      </Directory>

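How the Order directive decides between matching Allow and Deny lines, as an added example that is not part of the original slides. It models the Apache 2.2-style evaluation rules for the two orderings and goes slightly beyond the slide by covering IP, partial-IP and CIDR specifications as well as domain names; `client_host` is a hypothetical parameter standing for the result of the reverse DNS lookup the slide mentions.

```python
import ipaddress


def matches(spec, client_ip, client_host=None):
    """True if one Allow/Deny specification covers the client."""
    spec = spec.lower()
    if spec == "all":
        return True
    try:  # full address or CIDR / netmask form, e.g. 192.168.0.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass
    if spec.replace(".", "").isdigit():  # partial IP, e.g. 192.168
        return (client_ip + ".").startswith(spec.rstrip(".") + ".")
    if client_host is None:  # a name rule cannot match without a resolved name
        return False
    suffix = spec.lstrip(".")
    host = client_host.lower()
    # Suffix match on a label boundary: notsamplesite.com is a different domain.
    return host == suffix or host.endswith("." + suffix)


def evaluate(order, allow, deny, client_ip, client_host=None):
    """Return True if the request is admitted.

    allow,deny: denied by default; must match an Allow and no Deny.
    deny,allow: allowed by default; a matching Allow overrides a Deny.
    """
    allowed = any(matches(s, client_ip, client_host) for s in allow)
    denied = any(matches(s, client_ip, client_host) for s in deny)
    order = order.lower()
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("Order must be 'allow,deny' or 'deny,allow'")


if __name__ == "__main__":
    # The slide's policy; client addresses and names are constructed samples.
    policy = ("allow,deny", ["all"], [".samplesite.com"])
    print(evaluate(*policy, "203.0.113.7", "crawler.samplesite.com"))   # blocked
    print(evaluate(*policy, "198.51.100.9", "www.example.org"))         # admitted
    # Same lines with the order swapped: "Allow from all" now wins everywhere.
    print(evaluate("deny,allow", ["all"], [".samplesite.com"],
                   "203.0.113.7", "crawler.samplesite.com"))
    # Allow-list form: only one subnet may connect.
    print(evaluate("deny,allow", ["192.168.0.0/24"], ["all"], "192.168.0.150"))
```
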
Document Directories
- A Web server (httpd) provides access to HTML documents from the server
- Access should not be granted to all files on a server
- Most Web servers will enable a single directory for publishing Web documents by default
- The directory is called the document root directory
  - Microsoft’s IIS – c:\Inetpub\wwwroot
  - Apache creates – c:\Program Files\Apache Software Foundation\apache\htdocs

Document Directories…
- Accessing files outside a document root directory requires creating an alias or virtual directory
  - Mapped to another directory anywhere on the server

User Directories
- Profile scripts (login scripts) – usually used to customize the user account environment
- There is usually a special subdirectory in the user’s home directory used for HTML files
  - Traditionally named public_html or www – provides a private Web space for the user account, e.g. http://yourdomain.com/~username/

Default Documents
Commonly used index filenames (default documents) include:
- index.html, default.html
- welcome.html, home.html
- default.asp, default.aspx, index.php

Transferring Files
Some of the methods of publishing files on a Web server include:
- File sharing
- File transfer protocol (FTP)

(SSL) Secure Socket Layer Configuration
- HTTP is not a secure protocol by default
  - Contents of a normal HTTP transaction are not encrypted
  - Unauthorized people might be able to intercept and view unencrypted transactions
- When credit card numbers, passwords and other private data are being sent over the Internet, there needs to be an assurance of data security

Secure Socket Layer (SSL)
- The most popular encryption protocol on the Internet
- Developed by Netscape but used by many other companies
- Meant to go between an application-level protocol (HTTP) and communications protocol (TCP/IP)
  - Forms a layer between the application and the network communications
- Not limited to Web transactions
  - Used by other applications that need to transfer secured data over a network
  - FTP and telnet clients use SSL
- Several open-source projects offer free implementations of SSL for other applications (e.g. SSLeay and OpenSSL)
- Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

HTTPS
- Is normal HTTP wrapped in SSL
- Internet Explorer and other browsers support the HTTPS protocol
- IIS servers provide HTTPS support
- Apache does not have HTTPS support by default
  - Users must download a separate SSL-enabled server to provide secure content
  - Patches are available to add HTTPS functionality to Apache using SSLeay or OpenSSL

HTTPS…
- A URL to a resource on an HTTPS server uses a slightly different naming convention than normal URLs
  - The https prefix is used instead of the http prefix
  - Instructs the browser to attempt a secure connection, e.g. https://www.securedconnection.com
- HTTPS connects to a server at port 443 instead of connecting to a server at port 80 as usual
  - Port 443 is the designated port for HTTPS (assigned by the Internet Assigned Numbers Authority, IANA)
- A signal may be shown to indicate a secured connection if successfully connected to a server
  - Most browsers use a padlock to signal a secured connection

Certificates
- Are documents that contain information about a site
- A certificate authority digitally signs a certificate
  - Certificate authority (CA) – typically, a well-known mutually trusted organization that issues and verifies certificates
  - Verisign and Thawte are two of the most popular CAs
- The certificate should contain information about the server and the certificate authority
- SSL certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, a certificate activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser.
- Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently is becoming the norm when securing browsing of social media sites.

Obtaining Certificate
- Obtaining and installing a certificate is typically the most difficult aspect of setting up a secure server
- Certificates are obtained by providing a well-known CA (certificate authority) with information about your company and hosts:
  - Letter of authorization
  - Proof of organization’s name
  - Proof of right to use the domain name
  - A certificate-signing request (CSR) – contains the public key for the Web server
- The CA processes the request and verifies the information to generate a digitally-signed certificate based on the CSR
- Certificates may be costly and may have to be renewed each year
- A large well-known company can create and sign its own certificate to offer clients an assurance of data security