
Web Services

CSCI N321 – System and Network Administration

Copyright © 2007,2008 by Scott Orr and the Trustees of Indiana University

Section Overview

HTTP Protocol

Apache Configuration

HTTPS/SSL

Virtual Hosts

References

Apache Site – http://www.apache.org

RedHat Deployment Guide, Chapter 22 – Apache HTTP Server

World Wide Web Components

[Diagram: a user at a workstation running a browser, communicating with a web server. The sample page served is "Widget 2.0", with "Download Demo" and "Buy it Now" links and an order form (Name, CC #) with Submit and Reset buttons.]

Hypertext Transfer Protocol

GET /index.html HTTP/1.1
Host: tempest.cs.iupui.edu
<cr><cr>

HTTP/1.1 200 OK
Date: Sun, 25 Nov 2007 20:43:31 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Thu, 16 Aug 2007 01:48:43 GMT
ETag: "50602ec-71-4638f4c0"
Accept-Ranges: bytes
Content-Length: 113
Connection: close
Content-Type: text/html; charset=UTF-8

File Content…

HTTP Status Codes

1xx – Informational
2xx – Success
3xx – Redirection
4xx – Client Error
5xx – Server Error

Common Gateway Interface (CGI)

Allows dynamic web content
Relies on external programs
  Form processing
  Parameters passed as part of the URL
  Output must be valid content: Header/Content

Coding problems create security issues!

Web Server Market Share

Source: www.netcraft.com

Web Server – Active Sites

Source: www.netcraft.com

Apache Web Server

Runs on multiple platforms
Modules define capabilities
SSL Support
Web Hosting
  Multiple IP/Ports
  Virtual Hosts
Proxies
Configuration files: /etc/httpd/conf/httpd.conf & /etc/httpd/conf.d

Basic Apache Configuration

ServerRoot – Where to find configuration
Listen – Which port(s) to bind
Daemon Ownership
  User
  Group
ServerAdmin – Email address for Administrator
ServerName – FQDN for server
DocumentRoot – Web content directory
DirectoryIndex – Files to load if only a directory is specified
LoadModule – Feature module code to include
  Many included by default
  LoadModule <module_name> <path_to_module>

Basic Performance Settings

Persistent Connections
  KeepAlive Off
  MaxKeepAliveRequests 100
  KeepAliveTimeout 15

Concurrent Daemons (prefork module)
  StartServers 8
  MinSpareServers 5
  MaxSpareServers 20
  ServerLimit 256
  MaxClients 256
  MaxRequestsPerChild 4000

Web Request Logging

Remote Address (%h)
Client ID (%l)
Authenticated User (%u)
Date/Time of Request (%t)
Request Line (\"%r\")
Request Status (%s)
Size of data sent to client (%b)
Referrer and Client info can also be included

Log Files

access_log – All web page requests
error_log – Problems & failed requests
agent_log – Client info (browser/OS)
referrer_log – Site that directed to URL
Combined logs – Merge access_log, agent_log and referrer_log into one file
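As an added example (not part of the slides), a small Python parser for the combined log format described above. It runs over a few constructed access_log lines, tallies requests by status class (1xx–5xx, as on the status-code slide) and lists failed requests to /cgi-bin/, the sort of check an administrator would run when reviewing CGI exposure.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (host, ident, user, time,
# request, status, bytes, referer, user agent). Not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Nov/2007:20:43:31 -0500] "GET /index.html HTTP/1.1" 200 113 "-" "Mozilla/5.0"
192.0.2.10 - alice [25/Nov/2007:20:43:40 -0500] "GET /~alice/ HTTP/1.1" 200 512 "http://tempest.cs.iupui.edu/" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2007:20:44:02 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 - "-" "curl/7.16"
198.51.100.7 - - [25/Nov/2007:20:44:05 -0500] "POST /cgi-bin/order.pl HTTP/1.1" 500 312 "-" "curl/7.16"
203.0.113.5 - - [25/Nov/2007:20:45:10 -0500] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""

# %h %l %u %t "%r" %s %b, with the referer and agent fields optional so plain
# common-format lines (no referer/agent) parse as well.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def parse_line(line):
    """Return one log record as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b is "-" for no body
    parts = rec["request"].split()
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", rec["request"])
    return rec


def summarize(text):
    """Count requests per status class and collect failed requests under /cgi-bin/."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    by_class = Counter(f"{r['status'] // 100}xx" for r in records)
    cgi_failures = [(r["host"], r["method"], r["path"], r["status"])
                    for r in records if r["path"].startswith("/cgi-bin/") and r["status"] >= 400]
    return {"requests": len(records), "by_class": dict(by_class), "cgi_failures": cgi_failures}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```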

Directory Specific Settings

Override system defaults
Enclosed in <Directory></Directory>
Options – Features to allow/disallow
  Indexes
  Includes/IncludesNOEXEC
  FollowSymLinks/SymLinksIfOwnerMatch
  Multiviews
  All
  Multiple Options are not merged; use '+' and '-' to merge
Limit – Access Control
  Allow/Deny
  Order

User Personal Sites

URL: http://<site>/~<user>/
Activation:
<IfModule mod_userdir.c>

# UserDir Disabled

UserDir public_html

</IfModule>

<Directory /home/*/public_html>

.htaccess

If present in a directory, modifies settings
AllowOverride
  Must be in the <Directory> directive for the tree
  Can be All or a list of specific settings
Password Authentication
  Require directive in Limit
  htpasswd – create users/passwords

.htaccess Example

AuthUserFile /etc/httpd/.htpasswd
AuthGroupFile /dev/null
AuthName "HTAccess Demo"
AuthType Basic
<Limit GET>
    require valid-user
</Limit>

Secure Socket Layer

Used to encrypt web traffic
SSL Directives
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite HIGH:MEDIUM
  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Generating a Self-Signed Cert

openssl req -new > new.cert.csr
openssl rsa -in privkey.pem -out new.cert.key
openssl x509 -in new.cert.csr -out new.cert.cert \
    -req -signkey new.cert.key -days 3650
cp new.cert.key /etc/httpd/conf/ssl.key/server.key
cp new.cert.cert /etc/httpd/conf/ssl.crt/server.crt
service httpd restart

Virtual Hosts

Multiple sites using the same server
  IP Based
  Port Based
  Name Based (No SSL support)

Example (Name)
<VirtualHost *>
    DocumentRoot /var/www/webmail/
    ServerName webmail.cs.iupui.edu
</VirtualHost>

Security Notes

Remove unneeded CGI Scripts
Minimize use of external executables
  If needed, limit scope: suexec, Options -IncludesNOEXEC
AllowOverride None/AuthConfig
Options -Indexes -FollowSymLinks
Prevent Fingerprinting
  ServerSignature Off
  ServerTokens Prod