2440: 141 Web Site Administration Web Server Configuration Instructor: Enoch E. Damson

Choosing Web Server Software The Web server software determines the scalability, manageability, and accessibility of the sites hosted on a server Evaluating a Web server involves looking at several aspects including: Price Scalability Configuration options Performance Web Server Configuration2

Choosing Web Server Software… Price – spending a lot of money does not guarantee a good server package Some of the best Web servers are free Scalability – a Web server’s ability to run on different hardware configurations and operating systems Configuration – it is important that the Web server is flexible and easy to configure Performance – a Web server must be able to withstand heavy loads and avoid crashing Web Server Configuration3

Evaluating Web Server Software Some of the questions to ask when evaluating different Web servers are: How much is the server? Has the server been thoroughly tested in real-world situations? What is more important: ease of use or speed and flexibility? How easy is it to install and configure? Can non-webmasters publish documents to it easily? Will the server scale to meet the needs of the growing business? Does it behave well under heavy load? Does it meet any special needs of your business? Does it supported well defined and accepted industry standards? Is it customizable and extendable? Is technical support available? How well does it run on existing hardware? How good is the documentation? Web Server Configuration4

How Web Servers Work HTTP (Hypertext Transfer Protocol) defines how information is passed between a browser and a Web server Two of the most popular Web servers include: Apache – from Apache Software Foundation Has the largest Web server software market share Internet Information Services (IIS) – from Microsoft Web Server Configuration5

Web Server Software Market Share VendorProductPercentage Apache 60%+ MicrosoftIIS 14%+ Igor Sysoevnginx11%+ GoogleGWS 3%+ lighttpd Web Server Configuration6 Source: Netcraft ( server-survey.html), July 2012http://news.netcraft.com/archives/2012/07/03/july-2012-web- server-survey.html

Apache The most widely supported Web server the biggest market share Developed by a group of volunteers (The Apache Group) around the world since 1995 Software is free for anyone to use, modify and redistribute An open source project written in the C programming language Originated on UNIX systems but available on Windows platforms Somewhat difficult to configure than other servers Has no management console application The Apache Web site is: Web Server Configuration7

IIS Microsoft’s Web server specifically written for Windows platforms Free if the Windows operating system is purchased but source code not available The second most widely used Web server with over 25% market share Easy to setup, configure and use Not supported on UNIX systems Extendable through Microsoft’s Internet Server Application Program Interface (ISAPI) ISAPI – provides a convenient way to add functionality to a Web server – relies on DLLs (Dynamic Link Libraries) Offers ASP and supports FrontPage extensions Web Server Configuration8

Understanding HTTP Virtually no browsers are so old not to support HTTP 1.1 HTTP is a stateless protocol, meaning that each Web page sent is independent of every other Web page sent This makes it more challenging to create a shopping cart application Web Server Configuration9

Understanding HTTP… HTTP 1.1 supports persistent connections Allows the browser to receive multiple files in one TCP connection Can speed up communication Although you see a single page in your browser, it can be composed of many text and image files Web Server Configuration10

Understanding HTTP… When the browser sends a request to a Web server, it looks like: GET /hello.html HTTP/1.1 Host: The above requests the hello.html file from the root of the Web server Each Web server has a root, which is where you store the HTML documents It specifies the host of There could be multiple hosts at the IP address Web Server Configuration11

How Web Servers Work… As is true with other servers such as DNS, Web servers listen for communication at a port number The default port for Web servers is 80 Other conventional port numbers for web services are 8080 or 8000 You can also create Web servers at port numbers greater than 1023 Ports up to and including 1023 are reserved for other uses Web Server Configuration12

Installing Apache Modules You may download and install other Apache modules from the Apache Web site ( Some of the modules include: mod_cgi – allows the execution of CGI scripts mod_perl – incorporates a Perl interpreter mod_aspdotnet – provides an ASP.NET host interface to MS ASP.NET engine mod_ssl – provides strong cryptography via SSL and TLS protocols CGI scripts mod_ftpd – allows FTP connections mod_userdir – allows user content to be served from user-specific directories via HTTP mod_authz_ldap – provides support for authenticating users against an LDAP database E.g. to install a module on Fedora, type: yum install mod_ssl Web Server Configuration13

Starting Apache By default, Apache does not start after you install it The following table has a list of commands ProcedureCommand Start Apacheapachectl start Stop Apacheapachectl stop Restart Apacheapachectl restart Web Server Configuration14

Minimal Apache Configuration To configure the name of the server: Add a ServerName in /etc/httpd/conf/httpd.conf E.g. ServerName Where 80 is the port number To start Apache automatically when the computer is started: Add apachectl start at the bottom of the /etc/rc.d/rc.local file. Web Server Configuration15

Default Web Site Properties in IIS Web Server Configuration16

Apache Properties- Global Environment ServerRoot Directory location of server files KeepAlive Indicates whether Apache should maintain a persistent connection Listen Determines the port number for the server Default is 80 Web Server Configuration17

Apache Properties- Main Server Configuration User Shows the user name that Apache employs when someone requests a Web page The default is apache ServerAdmin address of administrator ServerName DNS host name or IP address of server DocumentRoot Directory where the Web pages are stored Web Server Configuration18

Hosting Multiple Web Sites by Port Number Associate each new Web site with a port above 1023 To retrieve a Web page from a site at port 8080: Web Server Configuration19

Hosting Multiple Web Sites by IP Address You can create multiple IP addresses on a single NIC Referred to as virtual IP addresses Useful for flexibility because if each domain has its own unique IP address, you can easily move the domain to a different Web server It is getting more expensive to get multiple IP addresses from an ISP Web Server Configuration20

Hosting Multiple Web Sites by Host Name Multiple host names can be associated with a single IP address Getting a single IP address from your ISP is relatively inexpensive You can host an almost unlimited number of domains with a single IP address It is the most common method of hosting Web Server Configuration21

Virtual Hosts Domains associated with a server A server can host many domains Domain names point to IP addresses A server is capable of having many IP addresses – typically, a server has only one IP address There are two types of virtual hosts: Name-based virtual hosts – does not have a unique IP address IP-based virtual hosts – have unique IP addresses like a normal host The HTTPD listens for requests on a particular IP address instead of relying on the HTTP headers to determine the destination Web Server Configuration22

User Access It is possible to restrict access to certain pages on a Web server HTTP offers a simple authentication protocol used to require a username and password in order to access resources on the server The webmaster can make certain directories and files private and require a client to authenticate before allowing access HTTP 1.1 offers two types of authentication: Basic authentication – offers little security because it does not encrypt any information sent over the network Digest authentication – not very secure either and not available on some older versions of some server software The best way to secure authentication is to use HTTPS Web Server Configuration23

User Access… Although implementations are different for virtually every Web server, the basic procedures for enabling user authentication are as follows: Determine which resources need to be restricted Evaluate content and determine which directories/files require authentication Determine users and groups Determine list of users/groups to be allowed to view resources Create users and groups IIS – create user accounts in the operating system Apache – requires password and group files containing information about usernames, passwords, and groups Apply restrictions to resources (files and directories) Web Server Configuration24

Host Access There are situations when denying access to your server from a particular host or domain may be desirable Requests from domains may be rejected to prevent a site from being indexed by spiders and search engines Hackers may be banned by IP address or domain These methods are not foolproof but can control access to a site in many situations The default for most servers is to allow access from any hosts Sometimes access may only be allowed from particular hosts Allowing access by IP address eliminates having to issue usernames and passwords Easy way to allow access to a particular host address, range of addresses, or an entire subnet or domain Web Server Configuration25

Host Access… Most Web servers have provisions for restricting access to specific hosts, networks, or domains Apache uses the allow and deny directives to control access by host In the Apache access.conf configuration file, an entry can be used to restrict any hosts from a sample.com domain Specify IP addresses whenever possible – specifying domain names can decrease performance of a Web server by requiring a DNS lookup for each request order allow, deny allow from all deny from *.samplesite.com Web Server Configuration26

Document Directories A Web server (httpd) provides access to HTML documents from the server Access should not be granted to all files on a server Most Web servers will enable a single directory for publishing Web documents by default The directory is called the document root directory Microsoft’s IIS – c:\Inetpub\wwwroot Apache creates – c:\Program Files\Apache Software Foundation\apache\htdocs Users & Documents27

Document Directories… Accessing files outside a document root directory requires creating an alias or virtual directory Mapped to another directory anywhere on the server Users & Documents28

User Directories Profile scripts (login scripts) – usually used to customize the user account environment There is usually a special subdirectory in the user’s home directory used for html files Traditionally named public_html or www – provides a private Web space for the user account E.g. Users & Documents29

Directory Indexing Allows the Web server to generate a page containing a list of files in a directory automatically if no default document is specified Should be disabled on most directories to ensure that an index file Web servers determine what file to retrieve based on directory indexes If directory indexes are enabled, the server returns a default document if it receives a request for a directory The server administrator chooses any filenames for directory indexes Users & Documents30

Directory Indexing… Several options are available when choosing how a Web server views directories: No directory browsing permitted – there must be an index document otherwise no files are listed Directory browsing permitted, but no default documents enabled – if no index document, all files in a directory are listed Indexes enabled – if a filename with the correct name exists in a directory, it will be returned instead of a directory listing Users & Documents31

Default Documents Commonly used index filenames (default documents) include: index.html default.html welcome.html Default documents (index files): Allow nicer looking URLs Provide some security People cannot see all the files in a directory if there is an index file in place Only linked files can be accessed (unless users happen to know the names of other files in the directory) Users & Documents32

Transferring Files Some of the methods of publishing files on a Web server include: File sharing File transfer protocol (FTP) HTTP PUT FrontPage extensions Users & Documents33

Secure Socket Layer Configuration HTTP is not a secure protocol by default Contents of a normal HTTP transaction are not encrypted Unauthorized people might be able to intercept and view unencrypted transactions When credit card numbers, passwords and other private data are being sent over the Internet, there needs to be an assurance of data security Web Server Configuration34

Secure Socket Layer (SSL) The most popular encryption protocol on the Internet Developed by Netscape but used by many other companies Meant to go between an application-level protocol (HTTP) and communications protocol (TCP/IP) Forms a layer between the application and the network communications Not limited to Web transactions Used by other applications that need to transfer secured data over a network FTP and telnet clients use SSL Several open-source projects offer free implementations of SSL for other applications (e.g. SSLeay and OpenSSL) Transport Layer Security (TLS) protocol is based on SSL Web Server Configuration35

HTTPS A normal HTTP wrapped in SSL Netscape, Internet Explorer and other browsers support the HTTPS protocol IIS and Netscape servers provide HTTPS support Apache does not have HTTPS support by default Users must download a separate SSL-enabled server to provide secure content Patches are available to add HTTP functionality to Apache using SSLeay or OpenSSL Web Server Configuration36

HTTPS… A URL to a resource on an HTTPS server uses a slightly different naming convention than normal URLs The https prefix is used instead of the http prefix Instructs the browser to attempt a secure connection E.g. HTTPS connects to a server at port 443 instead of connecting to a server at port 80 as usual Port 443 is the designated port for HTTPS (assigned by the Internet Assigned Numbers Authority-IANA) A signal may shown to indicated a secured connection if successfully connected to a server Most browsers use a padlock to signal secured connection Web Server Configuration37

Certificates Documents that contain information about a site A certificate authority digitally signs a certificate Certificate authority (CA) – typically, a well-known mutually trusted organization that issues and verifies certificates Verisign and Thawte are two of the most popular CAs The certificate should contain information about the server and the certificate authority Web Server Configuration38

Obtaining Certificate Obtaining and installing a certificate is typically the most difficult aspect of setting up a secure server Certificates are obtained by providing a well-known CA information about your company and hosts Letter of authorization Proof of organization’s name Proof to use domain name A certificate-signing request (CSR) – contains the pubic key for the Web server The CA processes the request and verifies the information to generate a digitally-signed certificate based on the CSR Certificates may be costly and may have to be renewed each year A large well-known company can create and sign its own certificate to offer clients an assurance of data security Web Server Configuration39