Web Services CSCI N321 – System and Network Administration Copyright © 2007,2008 by Scott Orr and the Trustees of Indiana University
Section Overview
  - HTTP Protocol
  - Apache Configuration
  - HTTPS/SSL
  - Virtual Hosts
References
  - Apache Site
  - Red Hat Deployment Guide, Chapter 22 – Apache HTTP Server
World Wide Web Components (diagram: a user workstation running a browser talks to the Widget web server; the browser shows a page with "Download", "Demo" and "Buy it Now" links and a form with Name and CC # fields plus Submit/Reset buttons)
Hypertext Transfer Protocol
  Request (browser to server; HTTP/1.1 requires the Host header, which is what name-based virtual hosting keys on):
    GET /index.html HTTP/1.1
    Host: tempest.cs.iupui.edu

  Response (server to browser; headers, a blank line, then the content):
    HTTP/1.1 200 OK
    Date: Sun, 25 Nov :43:31 GMT
    Server: Apache/2.2.3 (Red Hat)
    Last-Modified: Thu, 16 Aug :48:43 GMT
    ETag: "50602ec f4c0"
    Accept-Ranges: bytes
    Content-Length: 113
    Connection: close
    Content-Type: text/html; charset=UTF-8

    File Content…
HTTP Status Codes
  - 1xx – Informational
  - 2xx – Success
  - 3xx – Redirection
  - 4xx – Client Error
  - 5xx – Server Error
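The exchange on the two slides above, built and parsed in code. This is an added example, not part of the lecture: it constructs an HTTP/1.1 GET request, parses a raw response into status line, headers and body, classifies the status into the 1xx–5xx groups, and checks the body against Content-Length so a truncated read is not mistaken for a short page. The server reply embedded below is constructed in the shape of the Apache 2.2.3 response, not a capture from tempest.cs.iupui.edu.

```python
"""Build an HTTP/1.1 request and parse a raw response (added example)."""

STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


def build_get_request(host, path="/index.html"):
    # HTTP/1.1 makes the Host header mandatory; every line ends in CRLF and an
    # empty line terminates the request head.
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n"
            "\r\n").encode("ascii")


def status_class(code):
    # Map a numeric status to the 1xx..5xx class named on the slide.
    return STATUS_CLASSES.get(code // 100, "Unknown")


def parse_response(raw):
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the response head")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)            # HTTP-version SP status-code SP reason
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {lines[0]!r}")
    code = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        key = name.strip().lower()            # field names are case-insensitive
        value = value.strip()
        # Repeated headers combine into one comma-separated list.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    declared = headers.get("content-length")
    complete = True
    if declared is not None:
        # Fewer body bytes than declared means the read was cut short.
        complete = len(body) >= int(declared)
        body = body[:int(declared)]
    return {"version": parts[0], "status": code, "class": status_class(code),
            "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers, "body": body, "complete": complete}


# Constructed reply in the shape of the slide's Apache 2.2.3 response.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 25 Nov 2007 14:43:31 GMT\r\n"
    b"Server: Apache/2.2.3 (Red Hat)\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 25\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html>Hello, world</html>"
)

if __name__ == "__main__":
    print(build_get_request("tempest.cs.iupui.edu").decode())
    reply = parse_response(SAMPLE_RESPONSE)
    print(reply["status"], reply["class"], reply["headers"]["server"], reply["body"])
    print("truncated copy complete?", parse_response(SAMPLE_RESPONSE[:-5])["complete"])
```

The `Server:` header value printed here is exactly what `ServerTokens Prod` (see the Security Notes at the end) trims down to "Apache".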
Common Gateway Interface (CGI)
  - Allows dynamic web content
  - Relies on external programs (form processing, etc.)
  - Parameters are passed as part of the URL (the query string; POST form data arrives on the program's stdin)
  - The program must output valid content: header lines, a blank line, then the body
  - Coding problems in CGI programs create security issues (untrusted parameters flow into commands, files and output)!
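The coding problem the slide warns about, shown as an added example (not from the lecture): a CGI program takes a `user` parameter from the query string and hands it to an external lookup program. `vulnerable_command` builds a shell command string the way many early CGI scripts did, so `%3B` (a `;`) in the parameter appends a second command; `hardened_argv` validates the value against the shape a login name may take and passes it as a single argv element with no shell involved. The `finger`-style lookup, the parameter name and the query strings are constructed for the example.

```python
"""Query-string parameter to external program: vulnerable vs hardened (added example)."""
import re
import subprocess
from urllib.parse import parse_qs


def vulnerable_command(query_string):
    # The classic mistake: the parameter is pasted into a command line that a
    # shell will parse, so "alice; id" runs finger and then id.
    user = parse_qs(query_string).get("user", [""])[0]
    return f"finger {user}"          # i.e. what os.system() would be handed


USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # constructed login-name shape


def hardened_argv(query_string):
    # Positive validation first, then argv form: the value becomes exactly one
    # argument and no shell ever interprets it.
    user = parse_qs(query_string).get("user", [""])[0]
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("username rejected")
    return ["finger", user]


def cgi_response(body, status=None, content_type="text/plain"):
    # CGI output is header lines, a blank line, then the content; a Status
    # header lets the script choose the HTTP status code.
    head = f"Status: {status}\r\n" if status else ""
    head += f"Content-Type: {content_type}\r\n\r\n"
    return head + body


def _run_lookup(argv):
    # shell=False: the argument list goes to execve unchanged.
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def handle(query_string, runner=_run_lookup):
    # Full request handling: reject bad input with a 400, otherwise run the lookup.
    try:
        argv = hardened_argv(query_string)
    except ValueError as exc:
        return cgi_response(f"{exc}\n", status="400 Bad Request")
    return cgi_response(runner(argv))


if __name__ == "__main__":
    evil = "user=alice%3B+id"                      # decodes to "alice; id"
    print("vulnerable version would run:", vulnerable_command(evil))
    print(handle(evil))
    print(handle("user=alice", runner=lambda a: f"(would exec {a})\n"))
```

`runner` is a seam so the program can be exercised without `finger` installed; in production the default `_run_lookup` is used.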
Web Server Market Share (chart)
Web Server – Active Sites (chart)
Apache Web Server
  - Runs on multiple platforms
  - Modules define capabilities: SSL support, web hosting on multiple IPs/ports, virtual hosts, proxies
  - Configuration (Red Hat): /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/
Basic Apache Configuration
  - ServerRoot – where to find the configuration
  - Listen – which address(es)/port(s) to bind
  - Daemon ownership: User and Group (the unprivileged identity the request-handling processes run as)
  - ServerAdmin – e-mail address of the administrator
  - ServerName – FQDN of the server
  - DocumentRoot – web content directory
  - DirectoryIndex – file(s) to serve when only a directory is requested
  - LoadModule – feature module code to include (many are included by default)
Basic Performance Settings
  Persistent connections:
    KeepAlive Off
    MaxKeepAliveRequests 100
    KeepAliveTimeout 15
  Concurrent daemons (prefork module):
    StartServers 8
    MinSpareServers 5
    MaxSpareServers 20
    ServerLimit 256
    MaxClients 256
    MaxRequestsPerChild 4000
Web Request Logging (LogFormat fields)
  - Remote address (%h)
  - Remote logname from identd (%l), normally "-"
  - Authenticated user (%u)
  - Date/time of request (%t)
  - Request line (\"%r\")
  - Request status (%s)
  - Size of data sent to client (%b), "-" when no body was sent
  - Referrer (%{Referer}i) and client info (%{User-Agent}i) can also be included
Log Files
  - access_log – all web page requests
  - error_log – problems and failed requests
  - agent_log – client info (browser/OS)
  - referrer_log – site that directed the client to the URL
  - Combined log format – merges access_log, agent_log and referrer_log into one file
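Detection logic over combined-format access_log lines, as an added example that is not part of the lecture: the regular expression follows the field order of the two slides above (`%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"`), `parse_line` turns a line into a record (with `%b` "-" read as zero bytes), and `analyze` flags directory-traversal attempts, 404s against /cgi-bin/ (a scanner looking for leftover scripts), server errors, and any client that accumulates several 4xx responses. The log lines are constructed for the example; the addresses are documentation ranges.

```python
"""Parse combined-format access_log lines and flag suspicious patterns (added example)."""
import re
from collections import Counter

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    # Return a record dict, or None when the line is not in combined format.
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # %b logs "-" for no body
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def analyze(text, scan_threshold=3):
    # Alerts are (kind, host, detail) tuples; malformed lines are kept, not dropped.
    records, malformed, alerts = [], [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed.append(line)
            continue
        records.append(rec)
        if ".." in rec["path"]:
            alerts.append(("traversal", rec["host"], rec["path"]))
        if rec["path"].startswith("/cgi-bin/") and rec["status"] == 404:
            alerts.append(("cgi-probe", rec["host"], rec["path"]))
        if 500 <= rec["status"] < 600:
            alerts.append(("server-error", rec["host"], rec["request"]))
    # A client collecting many 4xx responses is usually enumerating the site.
    client_errors = Counter(r["host"] for r in records if 400 <= r["status"] < 500)
    for host, n in client_errors.items():
        if n >= scan_threshold:
            alerts.append(("scan", host, f"{n} client errors"))
    return {"records": records, "malformed": malformed, "alerts": alerts}


# Constructed log lines (documentation IP ranges, invented paths and agents).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Nov/2007:14:43:31 -0500] "GET /index.html HTTP/1.1" 200 113 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Nov/2007:14:43:32 -0500] "GET /images/logo.png HTTP/1.1" 200 4096 "http://tempest.cs.iupui.edu/index.html" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2007:14:45:01 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 287 "-" "scanner/1.0"
198.51.100.7 - - [25/Nov/2007:14:45:01 -0500] "GET /cgi-bin/php HTTP/1.0" 404 287 "-" "scanner/1.0"
198.51.100.7 - - [25/Nov/2007:14:45:02 -0500] "GET /../../etc/passwd HTTP/1.0" 400 226 "-" "scanner/1.0"
198.51.100.7 - - [25/Nov/2007:14:45:02 -0500] "GET /admin/ HTTP/1.0" 404 287 "-" "scanner/1.0"
203.0.113.5 - alice [25/Nov/2007:14:50:10 -0500] "POST /cgi-bin/order.cgi HTTP/1.1" 500 - "http://tempest.cs.iupui.edu/order.html" "Mozilla/4.0"
this line is not in combined log format
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(len(result["records"]), "records,", len(result["malformed"]), "malformed")
    for alert in result["alerts"]:
        print(*alert)
```

Run it against a real file with `analyze(open("/var/log/httpd/access_log").read())`; the thresholds and path patterns are starting points to tune for the site.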
Directory Specific Settings
  - Override system defaults; enclosed in a <Directory> block
  - Options – features to allow/disallow:
      Indexes
      Includes / IncludesNOEXEC
      FollowSymLinks / SymLinksIfOwnerMatch
      MultiViews
      All
    A plain Options list replaces the inherited one rather than merging with it; prefix each option with '+' or '-' to merge
  - Access control: Order, Allow and Deny (often placed inside a <Limit> block, which then restricts only the HTTP methods it names)
User Personal Sites
  - URL: /~user/
  - Activation in httpd.conf: comment out "UserDir disabled" and set "UserDir public_html" (content is served from ~user/public_html)
.htaccess
  - If present in a directory, modifies settings for that directory and below
  - AllowOverride must be set in the <Directory> directive for the tree; it can be All or a list of specific settings (e.g. AuthConfig)
  - Password authentication: Require directive, traditionally inside a <Limit> block; note that <Limit> protects only the methods it names, so put Require outside <Limit> unless every other method is also handled
  - htpasswd – create users/passwords
.htaccess Example
    AuthUserFile /etc/httpd/.htpasswd
    AuthGroupFile /dev/null
    AuthName "HTAccess Demo"
    AuthType Basic
    Require valid-user
  Basic authentication sends the password base64-encoded, effectively in the clear; use it only over SSL.
Secure Sockets Layer (SSL/TLS)
  - Used to encrypt web traffic
  - SSL directives:
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  - Caveat: disabling only SSLv2 reflects the 2007 baseline. SSLv3, TLS 1.0 and TLS 1.1 are also deprecated today and should be disabled as well, and MEDIUM admits ciphers now considered weak (e.g. RC4), so prefer HIGH alone.
Generating a Self-Signed Cert
    # new key (written to privkey.pem by default) and a certificate request
    openssl req -new > new.cert.csr
    # strip the passphrase from the key so httpd can start unattended
    openssl rsa -in privkey.pem -out new.cert.key
    # self-sign the request, valid for 10 years
    openssl x509 -in new.cert.csr -out new.cert.cert \
        -req -signkey new.cert.key -days 3650
    cp new.cert.key /etc/httpd/conf/ssl.key/server.key
    cp new.cert.cert /etc/httpd/conf/ssl.crt/server.crt
    service httpd restart
  The unencrypted server.key must stay readable by root only; a self-signed certificate will raise a browser warning because no trusted CA vouches for it.
Virtual Hosts
  - Multiple sites using the same server
  - IP based
  - Port based
  - Name based (no SSL support in the Apache 2.2.3 era; the server cannot pick the certificate before it sees the Host header unless client and server support SNI, which later Apache/OpenSSL releases do)
  Example (name based; Apache 2.2 also needs a matching NameVirtualHost *:80 line):
    <VirtualHost *:80>
        DocumentRoot /var/www/webmail/
        ServerName webmail.cs.iupui.edu
    </VirtualHost>
Security Notes
  - Remove unneeded CGI scripts
  - Minimize use of external executables; if needed, limit their scope (suexec)
  - Options IncludesNOEXEC rather than Includes, so server-side includes cannot run commands
  - AllowOverride None (or only AuthConfig)
  - Options -Indexes -FollowSymLinks
  - Prevent fingerprinting: ServerSignature Off, ServerTokens Prod
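An auditor for the settings on this slide and on the Directory Specific Settings, .htaccess and SSL slides earlier, as an added example that is not part of the lecture. It parses an httpd.conf fragment (comments, `<Directory>`/`<VirtualHost>` sections) and reports ServerTokens other than Prod, ServerSignature On, Options that enable Indexes, FollowSymLinks or Includes, AllowOverride All, and any SSLProtocol line that still enables SSLv2, SSLv3, TLS 1.0 or TLS 1.1. Both configuration texts are constructed: the weak one and the same server after the notes are applied. The SSLProtocol semantics follow the directive's `all`, `+`/`-` syntax; the protocol list is the one modern Apache/OpenSSL builds know, which a 2.2.3 server would not all accept.

```python
"""Audit an httpd.conf fragment against the Security Notes (added example)."""
import re

SECTION_OPEN = re.compile(r"<(\w+)\s*(.*)>$")
SECTION_CLOSE = re.compile(r"</(\w+)>$")
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = DEPRECATED_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}
RISKY_OPTIONS = {"indexes": ("Indexes", "directory listings expose content"),
                 "followsymlinks": ("FollowSymLinks", "symlinks can escape DocumentRoot"),
                 "includes": ("Includes", "SSI #exec runs commands; use IncludesNOEXEC")}


def parse_config(text):
    # Return (context, directive, args) triples; context names the enclosing sections.
    stack, entries = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # comments run to end of line
        if not line:
            continue
        if m := SECTION_CLOSE.match(line):
            if not stack or stack[-1].split(" ", 1)[0] != m.group(1):
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
        elif m := SECTION_OPEN.match(line):
            arg = m.group(2).strip('"')
            stack.append(f"{m.group(1)} {arg}".strip())
        else:
            directive, _, args = line.partition(" ")
            entries.append((" > ".join(stack), directive, args.split()))
    if stack:
        raise ValueError(f"unclosed section {stack[-1]}")
    return entries


def enabled_protocols(args):
    # SSLProtocol semantics: bare or '+' adds, '-' removes, 'all' means every protocol.
    enabled = set()
    for tok in args:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def audit(text):
    findings, saw_server_tokens = [], False
    for ctx, directive, args in parse_config(text):
        where = f" in <{ctx}>" if ctx else ""
        d = directive.lower()
        if d == "servertokens":
            saw_server_tokens = True
            if not args or args[0].lower() not in ("prod", "productonly"):
                findings.append(f"ServerTokens {' '.join(args)}: reveals version/OS; use Prod")
        elif d == "serversignature" and args and args[0].lower() != "off":
            findings.append("ServerSignature On: version shown in error pages; use Off")
        elif d == "options":
            on = {a.lstrip("+").lower() for a in args if not a.startswith("-")}
            if "all" in on:                      # All = every option except MultiViews
                on |= set(RISKY_OPTIONS)
            for key, (name, why) in RISKY_OPTIONS.items():
                if key in on:
                    findings.append(f"Options {name}{where}: {why}")
        elif d == "allowoverride" and any(a.lower() == "all" for a in args):
            findings.append(f"AllowOverride All{where}: .htaccess may change any setting; use None or AuthConfig")
        elif d == "sslprotocol":
            weak = enabled_protocols(args) & DEPRECATED_PROTOCOLS
            if weak:
                findings.append(f"SSLProtocol{where}: still enables {sorted(weak)}")
    if not saw_server_tokens:
        findings.append("ServerTokens not set: the default is Full")
    return findings


WEAK_CONF = """\
# Constructed: a permissive configuration
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes
    AllowOverride All
</Directory>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
"""

HARDENED_CONF = """\
# Constructed: the same server after applying the Security Notes
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks IncludesNOEXEC
    AllowOverride AuthConfig
</Directory>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit(conf))} finding(s)")
        for f in audit(conf):
            print("  -", f)
```

The parser deliberately stops at the directives the slides discuss; Include files and per-directory .htaccess files are not followed, so run it on the merged configuration (`httpd -S` shows what is loaded) rather than on httpd.conf alone.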