2B3309 Server Security: Web Server Configuration. Lars Noodén.


1 2B3309 Server Security: Web Server Configuration
Lars Noodén (lars.nooden@gmail.com)

2 What is a Web Server?
● Client-server architecture
● HTTP and HTTPS over TCP/IP
● Serves files or output from programs:
  – images
  – audio
  – video
  – text

3 Lighttpd Apache2

4 Lighttpd
● Smaller, lighter, faster
  – but less powerful
● Simpler configuration
  – but fewer options

5 Apache2
● Powerful, flexible, fast
  – but requires resources
● Advanced configuration possibilities
  – many, many options

6 K.I.S.S.
● System Calls: http://blogs.zdnet.com/threatchaos/?p=311
  (Note: the ZDNet article was removed from the net two years ago, and the author's blog was removed last year.)
● If you want to research a dangerously hot topic, you can do a similar analysis with new versions of Linux, BSD, Solaris and OSX, comparing them to the legacy system(s).

7 Web Server System Calls
[Figure: system-call diagrams of two web servers, labelled A and B. Which design is simpler?]
Source: http://blogs.zdnet.com/threatchaos/?p=311

8 HTTP Request - Response I
Use http://web-sniffer.net/ to examine the following sites:
● www.google.de
● www.umich.edu
● www.ipl.org
● www.oulu.fi
● www.ltu.se
and one or two more of your own choosing.

9 HTTP Request – Response II
● Use PuTTY (in raw or Telnet mode) or another terminal client to connect to port 80 of a web server, e.g.
    telnet www.oulu.fi 80
● Use the GET method to request the default page, i.e. enter the following HTTP request once the connection is made. Be sure to use uppercase:
    GET /
● Note that each image needs its own request.
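As an added example (not from the slides), the telnet exercise done from Python: build_request() shows what a full HTTP/1.1 request looks like beyond the bare GET / on the slide, parse_response() splits the status line, headers and body the way web-sniffer displays them, and fetch() sends the request over a plain TCP socket. The sample response, including its Server header value, is constructed, not captured from any of the listed sites.

```python
import socket

def build_request(host, path="/", method="GET"):
    """Build a minimal valid HTTP/1.1 request. The bare "GET /" from the slide is
    an HTTP/0.9 simple request; HTTP/1.1 needs the version on the request line,
    a Host header (what name-based virtual hosts select on), CRLF line ends and
    an empty line that closes the header block."""
    return (f"{method} {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Split a raw response into (status_code, headers, body). Header names are
    lower-cased; repeated headers are joined with ', ' for inspection."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return int(parts[1]), headers, body

def fetch(host, port=80, path="/", timeout=10):
    """Send one request over a plain TCP socket and parse the reply: the telnet
    exercise done programmatically. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while chunk := sock.recv(65536):
            chunks.append(chunk)
    return parse_response(b"".join(chunks))

# Constructed sample response (not captured from any real site), used to
# exercise parse_response() offline.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Server: lighttpd/1.4.28\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Set-Cookie: a=1\r\n"
                   b"Set-Cookie: b=2\r\n"
                   b"Content-Length: 19\r\n"
                   b"\r\n"
                   b"<html>hello</html>\n")
```

Comparing the Server header and the rest of the header block against what the telnet session shows is the same inspection web-sniffer automates.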

10 Modules
Modularity is a key to security and maintenance

11
● smaller components can be more easily examined
● parts not used can be removed – if it's not there, it can't break
● remove or add modules for lighttpd:
  – lighty-disable-mod modulename
  – lighty-enable-mod modulename
● similar for apache ()

12 Lighttpd Server Modules
● mod_access
● mod_alias
● mod_accesslog
● mod_compress
● mod_rewrite
● mod_redirect
● mod_status
● mod_evhost
● mod_usertrack
● mod_rrdtool
● mod_webdav
● mod_expire
● mod_flv_streaming
● mod_evasive

13 mod_access, mod_alias
mod_access
● deny access
mod_alias
● "shortcut" paths
● e.g. "/cgi-bin/" => "/var/www/cgi-bin/"

14 mod_accesslog, mod_compress
mod_accesslog
● custom formatting for access logs:
  – name or address of the remote host
  – ident name (not supported)
  – authenticated user
  – timestamp for the request start
  – request line
  – status code
  – bytes sent for the body
  – HTTP header field
  – remote address
  – etc.
mod_compress
● compress and cache static content
● saves bandwidth
● speeds delivery
● methods: deflate, gzip, bzip

15 mod_rewrite, mod_redirect
mod_rewrite
● rewrite URLs before processing, e.g.
  – keep old URLs after a major site redesign
  – shorten CMS URLs
mod_redirect
● use HTTP 1.1 status codes to redirect the client externally
  – temporarily
  – permanently

16 mod_status, mod_evhost
mod_status
● server state and configuration
● diagnostics and administration
● not too good to have this info public
mod_evhost
● name-based virtual hosts
● serve many web sites from the same web server

17 mod_usertrack, mod_rrdtool
mod_usertrack
mod_rrdtool
● monitor traffic and load

18 mod_webdav, mod_expire
mod_webdav
● r/w folders via WebDAV
mod_expire
● control caching
● sets expiration time

19 mod_flv_streaming, mod_evasive
mod_flv_streaming
mod_evasive

20 Settings
Customization is expected

21 Definition
● Virtual Host – a separate web service hosted by the same httpd server
  – name-based virtual host
    ● different names for each service
  – port-based virtual host
    ● same name, but different ports, e.g.
      http://www.ipl.org:80/
      http://www.ipl.org:2000/

22 Virtual Hosts
● One machine can thus serve many web sites
● Apache excels at this
● Lighttpd does well, too

23 Definition
● Least Privilege –
● Privilege Separation –

24 Least Privilege
● httpd runs as a non-root user:
    ## change uid to (default: don't care)
    server.username = "www-data"
    ## change gid to (default: don't care)
    server.groupname = "www-data"

25 Privilege Separation in OpenSSH
http://www.citi.umich.edu/u/provos/ssh/privsep.html
[Figure: time line of OpenSSH privilege separation. A privileged OpenSSH listener on *:22 takes the network connection and hands it to a privileged OpenSSH monitor, which forks an unprivileged child for network processing (key exchange, authentication). The unprivileged child sends "Request Auth" to the monitor and gets back "Auth Result"; the monitor then does "State Export", handles "Request PTY" / "Pass PTY", and forks a user-privileged child for user request processing (user network data).]

26 Privilege Separation in Apache HTTPd
● User and Group runtime directives
  – define the user and group Apache runs as
  – e.g. nobody, www, www-data, etc.
● suexec runs CGI and SSI programs under a different user ID from the user ID of the web server

27 Saving Bandwidth
● compression saves bandwidth (time and money):
    compress.filetype = ("text/plain", "text/html", "application/x-javascript", "text/css")
● cache compressed files to save time:
    compress.cache-dir = "/var/cache/lighttpd/compress/"
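An added example (not from the slides or the lighttpd project) that turns the advice of slides 11, 16, 24 and 27 into a check: it parses a constructed lighttpd.conf fragment and reports root as the server user or group, modules loaded beyond an assumed set of needed ones, a mod_status URL not wrapped in a remoteip condition, and mod_compress without a cache directory. The configuration fragment and the "needed modules" set are constructed assumptions.

```python
import re
# Constructed lighttpd.conf fragment (not from the slides); it deliberately
# carries the weak settings that audit() is meant to flag.
SAMPLE_CONF = """
server.modules = ( "mod_access", "mod_alias", "mod_accesslog",
                   "mod_compress", "mod_status", "mod_webdav" )
server.username  = "root"             # should be an unprivileged user
server.groupname = "www-data"
status.status-url = "/server-status"  # not wrapped in a remoteip condition
"""
COND_RE = re.compile(r'^\$\w+\["[^"]*"\]\s*(==|!=|=~|!~)\s*"[^"]*"\s*\{$')
ASSIGN_RE = re.compile(r'^([\w.\-]+)\s*\+?=\s*(.+)$')

def parse_conf(text):
    """(conditions, key, value) triples: key = "x", key = ( ... ) over lines and
    $HTTP[...] { } blocks; '#' or parentheses inside quoted strings unsupported."""
    entries, cond, buf = [], [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        buf = f"{buf} {line}".strip()
        if buf.count("(") > buf.count(")"):
            continue                          # list continues on the next line
        if buf == "}":
            cond.pop()
        elif COND_RE.match(buf):
            cond.append(buf.rstrip("{").strip())
        elif (m := ASSIGN_RE.match(buf)):
            rhs = m.group(2).strip()
            strings = re.findall(r'"([^"]*)"', rhs)
            value = strings if rhs.startswith("(") else (strings[0] if strings else rhs)
            entries.append((tuple(cond), m.group(1), value))
        buf = ""
    return entries

def audit(text, needed):
    """Findings per the slides: least privilege, only needed modules, private mod_status, cached compression."""
    entries = parse_conf(text)
    get = lambda key: [(c, v) for c, k, v in entries if k == key]
    findings = [f"{k} is root: violates least privilege"
                for k in ("server.username", "server.groupname")
                if any(v == "root" for _, v in get(k))]
    loaded = {m for _, v in get("server.modules") for m in (v if isinstance(v, list) else [v])}
    findings += [f"{m} loaded but not needed: remove it" for m in sorted(loaded - set(needed))]
    findings += [f"mod_status at {v} is reachable from anywhere: wrap it in a remoteip condition"
                 for c, v in get("status.status-url") if not c]
    if "mod_compress" in loaded and not get("compress.cache-dir"):
        findings.append("mod_compress without compress.cache-dir: compressed output is not cached")
    return findings
```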


29 2B3309 Server Security: Web Server Configuration
Lars Noodén (lars.nooden@gmail.com)

