Presentation is loading. Please wait.

Presentation is loading. Please wait.

Central Web Services at Fermilab Presented by Jim Fromm October 27,2006.

Published byBenjamin Griffith Modified over 9 years ago

Similar presentations

Presentation on theme: "Central Web Services at Fermilab Presented by Jim Fromm October 27,2006."— Presentation transcript:

1 Central Web Services at Fermilab Presented by Jim Fromm October 27,2006

2 Presentation Overview Why we have a central web farm Configuration of farm Hardware Software Automated tools for administration Monitoring of web farm Log processing Futures

3 Why a Central Webserver Farm? Eliminate experiments from worrying about configuration/maintaining their own web server Keep on top of security issues Maintain up-to-date versions of apache/perl/python etc Maintain valid ssl certs Leverage our expertise to provide basic consulting for cgi scripts, web page development etc.. The web managers are responsible ultimately, but if they ask nice… Manage file system space (AFS has a quota mechanism, we keep track of when an area is getting full).

4 Overview of Central Webserver Farm 5 Computers – 1 Load balancing switch. 84 vhosts (and rising fast) 53 Additional web areas (conferences, projects, computing…) 1300 Web Content Managers Web hits/year: > 220 million Staff: Basically 0.5 of one person right now.

5 Hardware Configuration Alteon www01www02www03 www04 (cgi) www05 (cgi) AFS

6 Hardware Configuration - Details Alteon Load Balancing Switch Configuration allows for traffic to be directed depending on type. CGI scripts only executable on www04/05. Alteon AD3 switch, 8x 100Base-T ports with a single GigE uplink Web Servers Sun Netra X1 AFS file system

7 Alteon Configuration 51: 131.225.70.46, enabled, name www05-vhosts, weight 1, timeout 10 mins, maxcon 200000 backup none, inter 2, retry 4, restr 8 remote disabled, proxy enabled, submac disabled handle URL cookie: disabled exclusionary string matching: disabled 1: any 2: /cgi-bin 7:.php real ports: http: vport http, group 11 HTTP Application: urlslb virtual server: 4, 131.225.70.20, enabled http: vport 8875, group 11 virtual server: 4, 131.225.70.20, enabled http: vport http, group 11 HTTP Application: urlslb virtual server: 5, 131.225.70.52, enabled https: vport https, group 12 virtual server: 4, 131.225.70.20, enabled 4443: vport https, group 99, pbind sslid

8 Software Apache v1_3 Mid-range plans to upgrade to v2_0 as security requires. Perl Python PHP Wiki support on Plone server (on separate set of servers outside of the webfarm)

9 Automated Tools No way we can keep on top of everything the old fashioned way. Tools (perl scripts mostly) written to automate routine tasks Create vhosts Symlink check Password check File perms check File space check

10 Automated Tools(cont) Symlink check Run 1x week Check for symlinks to areas that are sharing data that should not be shared Check for symlinks pointing to non-existent data Check for circular links Sends email to web admin team

11 Automated Tools (cont) Permission check 1x per week Scan for vulnerable cgi scripts, weak permissions on files and directories This can be any variation that leave security holes or fit the profile of known exploits:  wide read-access permissions to area where passwords are stored  write-access to cgi area  wide read-access permissions to top level directories

12 Automated Tools(cont) Passwords (1x week) Password files, although encrypted, should not be shared algorithm is not particularly smart: looks for variations on the word "PASSWORD" in file name and reports these if file permissions or locations are problematic

13 Web Server Monitoring NGOP (FNAL developed monitoring system) remotely monitors and alerts on the following: Ping of Alteon switch Ping of each web host machine Ping of each web server IP address Fetch pages for each web server and virtual host Fetching pages for commonly used services (telephone,stock) and checking correct results Verifying that the httpd for each server is running on at least one webserver host

14 Web Server Monitoring (cont) Verifying that "fs examine" succeeds on the main web volume for each server (/afs/fnal/files/expwww/*), and any specific other volumes associated with it Watching each webserver's error log on each web host, and reporting important error messages (i.e. "out of memory") Generally an error will cut a helpdesk ticket, and page the primary.

15 Log Processingwith Urchin Urchin v5 This product provides accurate web site analytics which supplies the executives, marketers, webmasters, and the web designers at your firm with the vital up-to-date information they need to make informed business decisions. Blah blah blah. Recently taken over by google. Mixed opinions about the product…

16 Urchin (cont) Urchin likes to just stop processing without notification. Lots of pretty pictures and gizmos. Overkill for what we need, but if you are running an e- commerce business…. We bought Urchin to remove dependence on a home grown log processing package that was very difficult to maintain. Urchin is easier to maintain when it works.

17 Security Requirements Run Nessus Scans 2x year. Nessus comes with a library of known exploits scanning profiles. Scan various newsgroups looking for announcements. Rely on our security team to alert us. Follow defined baseline of apache webservers developed at Fermilab.

18 Future Plans We are looking to upgrade to using the Cisco load balancer switch SunFire V240 servers Considered moving to Linux, but… Not confident of support model. Great for general purpose farms, not as confident for server level service. Lot’s of work to convert. Software installs, possibly broken cgi scripts etc… Apache 2.0 Conscious of user communities in content management systems. CMS are hot items.

19 Thanks for your attention! That’s all One more thing before I go….

20 GO CARDS!!!!

Download ppt "Central Web Services at Fermilab Presented by Jim Fromm October 27,2006."

Similar presentations

Getting Set-up with Hosting and WordPress Gregory Young Alternative Hosting

Getting Set-up with Hosting and WordPress Gregory Young Alternative Hosting
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Web Communication Client attempts to “pull” information from server – http message sent across Internet by TCP/IP* – packet switching used to route message.

Web Communication Client attempts to “pull” information from server – http message sent across Internet by TCP/IP* – packet switching used to route message.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.
Chapter 8: Web Server Hardware and Software. Electronic Commerce, Seventh Annual Edition2 Web Server Basics The main job of a Web server computer is to.

Chapter 8: Web Server Hardware and Software. Electronic Commerce, Seventh Annual Edition2 Web Server Basics The main job of a Web server computer is to.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
NGOP J.Fromm K.Genser T.Levshina M.Mengel V.Podstavkov.

NGOP J.Fromm K.Genser T.Levshina M.Mengel V.Podstavkov.
Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from www.mandrake.com www.mandrake.com.

Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.

Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Linux Operations and Administration

Linux Operations and Administration
TOPIC 1 – SERVER SIDE APPLICATIONS IFS 234 – SERVER SIDE APPLICATION DEVELOPMENT.

TOPIC 1 – SERVER SIDE APPLICATIONS IFS 234 – SERVER SIDE APPLICATION DEVELOPMENT.
These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (

Similar presentations

Ads by Google