LECTURE 6 NETWORK SERVICES PART2: WEB SERVICE

SYSTEM ADMINISTRATION MTAT.08.021

Prepared By: Amnir Hadachi and Artjom Lind

University of Tartu, Institute of Computer Science [email protected] / [email protected]

New SYSTEM ADMINISTRATION MTAT.08.021 LECTURE 6 … · 2016. 3. 23. · APACHE LECTURE 6: NETWORK SERVICES- PART2- WEB SERVICE • Apache web server characteristics: • Apache supports

Sep 13, 2020


OUTLINE

• Web server:

1. Apache

2. Virtual hosts

3. Common directives

4. Log analyzers

5. FTP file server

6. NFS file server

7. Windows shares with Samba

8. HTTP/FTP proxy

9. LDAP directory

1. APACHE

INFO:

Apache is the most widely used web server; however, other web servers (e.g. nginx, lighttpd) can offer better performance, at the cost of lacking certain features and modules.

Apache is installed by installing the apache package. The name Apache comes from the concept of extensive patching of existing code. Why Apache? Because it is:

• Free or available at a reasonable price

INFO: What is a web server? It is a computer program capable of accepting Hypertext Transfer Protocol (HTTP) requests from clients (known as web browsers) and serving them HTTP responses along with optional data content (known as web pages).

• The Apache2 package contains many modules, including the MPMs:

• Multi-processing modules (MPM)

• They give Apache the ability to handle many requests in parallel.

• The MPM strongly affects the way Apache works and handles threads.

INFO: full list of modules: http://httpd.apache.org/docs/2.4/mod/index.html

• Apache web server characteristics:

• Apache supports many features; many are implemented as compiled modules that extend the core functionality.

• These can range from server-side programming language support to authentication schemes.

• Apache also contains compression modules, such as mod_gzip, which help reduce the size of web pages served over HTTP.

• Apache core components:

Component: http_protocol.c, http_main.c, http_request.c
Description: These components are in charge of handling other extensions and their processes in order to keep the server functioning well, for example authentication.

Component: http_core.c
Description: It handles all the basic functionality of the server, such as allocating requests, pooling all the connections, etc.

• Core components interactions:

[Diagram: HTTP_MAIN (server loop), HTTP_REQUEST (phases of request), HTTP_CORE (main functionality), HTTP_PROTOCOL (implementation), UTILITIES / ALLOC (res pools), HTTP client and modules, connected by arrows labelled "de-patch to" and "to/from"]

• Handling Requests

source: https://click.apache.org/docs/user-guide/html/ch02s02.html

2. VIRTUAL HOST

• Virtual hosts types:

• Virtual hosts based on the IP address

• Virtual hosts based on the domain name of the web server.

QUOTE: A virtual host is an extra identity for the web server.

DEFINITION:

Virtual hosts means running multiple virtual web sites on one system.

• Virtual hosts types:

• Virtual hosts based on the IP address:

✴ Requires allocating a different IP address for each site.

• Virtual hosts based on the domain name of the web server:

✴ Can work only on a single IP address

✴ Sites are differentiated by the hostname sent by the HTTP client.

• Virtual hosts are described by a file:

• location: "/etc/apache2/sites-available/"

EXAMPLE: THE /ETC/APACHE2/SITES-AVAILABLE/WWW.MYSPACE.EE.CONF FILE

<VirtualHost *:80>
    ServerName www.myspace.ee
    ServerAlias myspace.ee
    DocumentRoot /srv/www/www.myspace.ee
</VirtualHost>

• Virtual hosts log file:

• By default, one log file is used for all virtual hosts.

• This can be changed by adding "CustomLog" directives in the definition of the virtual host.

• And enabling it with "a2enconf customlog". Location: "/etc/apache2/conf-available/customlog.conf"

EXAMPLE: THE /ETC/APACHE2/CONF.D/CUSTOMLOG.CONF FILE

# New log format including (virtual) host name
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost

# Now let's use this "vhost" format by default
CustomLog /var/log/apache2/access.log vhost
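The "vhost" format defined above puts the virtual host name first on every line of the shared access log. The following added example (not part of the lecture; the sample lines, the blog.myspace.ee host and the function names are constructed for illustration) parses that format in Python, summarises traffic per virtual host and lists clients that repeatedly fail authentication.

```python
import re
from collections import Counter, defaultdict

# The slide's "vhost" LogFormat:
#   %v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Apache backslash-escapes quotes inside logged fields, so a quoted field is
# a run of non-quote characters or backslash escapes.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
VHOST_LINE = re.compile(
    r'^(\S+) (\S+) (\S+) (\S+) \[([^\]]+)\] ' + _QUOTED +
    r' (\d{3}) (\d+|-) ' + _QUOTED + r' ' + _QUOTED + r'$'
)
FIELDS = ("vhost", "host", "ident", "user", "time", "request",
          "status", "size", "referer", "agent")

# Constructed sample log (not real traffic); the last line is truncated.
SAMPLE_LOG = r'''www.myspace.ee 192.168.0.12 - alice [23/Mar/2016:10:15:32 +0200] "GET /private/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
www.myspace.ee 203.0.113.7 - - [23/Mar/2016:10:15:40 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.47.0"
www.myspace.ee 203.0.113.7 - admin [23/Mar/2016:10:15:41 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.47.0"
www.myspace.ee 203.0.113.7 - root [23/Mar/2016:10:15:42 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.47.0"
blog.myspace.ee 192.168.0.30 - - [23/Mar/2016:10:16:02 +0200] "GET /a\"b HTTP/1.1" 304 - "http://blog.myspace.ee/" "Mozilla/5.0"
www.myspace.ee 192.168.0.12 - - [23/Mar/2016:10:16:
'''.splitlines()


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = VHOST_LINE.match(line.strip())
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["status"] = int(rec["status"])
    # %b logs "-" instead of 0 when no body bytes were sent
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def summarize(lines):
    """Per-virtual-host request count, bytes served and status histogram."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "status": Counter()})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep count of lines we could not parse
            continue
        entry = stats[rec["vhost"]]
        entry["requests"] += 1
        entry["bytes"] += rec["size"]
        entry["status"][rec["status"]] += 1
    return dict(stats), skipped


def repeated_auth_failures(lines, threshold=3):
    """(vhost, client) pairs with at least `threshold` 401 responses."""
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            failures[(rec["vhost"], rec["host"])] += 1
    return sorted(key for key, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    per_vhost, skipped = summarize(SAMPLE_LOG)
    for vhost, entry in sorted(per_vhost.items()):
        print(vhost, entry["requests"], entry["bytes"], dict(entry["status"]))
    print("unparsed lines:", skipped)
    print("repeated 401s:", repeated_auth_failures(SAMPLE_LOG))
```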

3. COMMON DIRECTIVES

• The main directives are related to:

• Directive blocks

• Requiring authentication

• Restricting access

OBJECTIVE:

In this section we put the spotlight on the commonly used Apache configuration directives.

• Directory blocks:

DEFINITION:

The main configuration file usually contains many directive blocks. These allow the specification of different behaviors for the server depending on the location of the file being served (e.g. a block which includes Options and AllowOverride).

EXAMPLE: DIRECTORY BLOCK

<Directory /var/www>
    Options Includes FollowSymlinks
    AllowOverride All
    DirectoryIndex index.php index.html index.htm
</Directory>


• Directory blocks

• Within the directory blocks we have:

• DirectoryIndex

• Options

• AllowOverride

• Directory blocks

• DirectoryIndex:

INFO:

DirectoryIndex contains a list of files to try when the client request matches a directory. The first file in the list that exists is used and sent as the answer.

• Directory blocks

• Options:

INFO:

The Options directive is followed by a list of options to enable. (The value None disables all the options.)

Option                 Description
ExecCGI                Means CGI scripts can be executed
FollowSymlinks         Means symbolic links can be followed
SymlinksIfOwnerMatch   Tells the server to follow symbolic links, but only when the link and its target have the same owner
MultiViews             Enables content negotiation


• Directory blocks

• AllowOverride:

INFO:

AllowOverride directive lists all the options that can be enabled or disabled by way of a .htaccess file.

• Requiring authentication:

INFO:

In some cases it is necessary to restrict access to some parts of the website, so that only the appropriate users can access them by providing a username and password.

EXAMPLE: .HTACCESS FILE REQUIRING AUTHENTICATION

Require valid-user
AuthName "Private directory"
AuthType Basic
AuthUserFile /etc/apache2/authfiles/htpasswd-private

• Requiring authentication:

INFO:

AuthUserFile /etc/apache2/authfiles/htpasswd-private

The "/etc/apache2/authfiles/htpasswd-private" file contains a list of users and their passwords. It is commonly manipulated with the htpasswd command.

EXAMPLE COMMAND TO ADD USERS OR CHANGE THEIR PASSWORDS

# htpasswd /etc/apache2/authfiles/htpasswd-private user
New password:
Re-type new password:
Adding password for user user

• Restricting Access:

• Example of type of restrictions:

• based on IP

INFO:

Restricting access is used to control access to specific directories and their subdirectories, recursively, based on many criteria.

ONLY ALLOW FROM THE LOCAL NETWORK

Order deny,allow
Allow from 192.168.0.0/16
Deny from all
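How the three directives above combine depends on the Order line. This added example (not from the lecture; the function names are illustrative, and only IP/CIDR values and "all" are handled) evaluates Order/Allow/Deny as documented for Apache, and shows that the same Allow and Deny lines deny every client under Order allow,deny.

```python
import ipaddress

# The rule set from the slide.
SLIDE_RULES = """\
Order deny,allow
Allow from 192.168.0.0/16
Deny from all
"""


def parse_rules(text):
    """Extract (order, allow_specs, deny_specs) from Order/Allow/Deny lines."""
    order, allow, deny = None, [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny


def _matches(client, specs):
    """True if the client address matches "all" or any listed network."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        # Assumption: specs are IP addresses or CIDR networks only; host
        # names and partial addresses are outside this example.
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def access_allowed(client, order, allow=(), deny=()):
    """Decide access for one client address under the given Order."""
    order = order.replace(" ", "").lower()
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    if order == "deny,allow":
        # Deny is evaluated first and Allow last: an Allow match overrides a
        # Deny match, and a client matching neither list is allowed.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first and Deny last: a Deny match overrides an
        # Allow match, and a client matching neither list is denied.
        return allowed and not denied
    raise ValueError("unsupported Order value: %r" % order)


if __name__ == "__main__":
    order, allow, deny = parse_rules(SLIDE_RULES)
    for client in ("192.168.4.20", "203.0.113.7"):
        print(client, "deny,allow ->", access_allowed(client, order, allow, deny))
        print(client, "allow,deny ->", access_allowed(client, "allow,deny", allow, deny))
```

In Apache 2.4 these directives are provided by mod_access_compat; the native equivalent of the rule above is "Require ip 192.168.0.0/16".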

4. LOG ANALYZERS

• Example of Log analyzer

• “advanced web statistics” AWStats.

INFO:

Log analyzers are useful for following the activity on your websites and, most importantly, give administrators a precise idea of the usage patterns on their web servers.

• AWStats:

• configuration:

• can be customized through the conf file, location: "/etc/awstats/awstats.conf"

EXAMPLE AWSTATS CONFIGURATION FILE AND ITS PARAMETERS

LogFile="/var/log/apache2/access.log"
LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
SiteDomain="www.myspace.ee"
HostAliases="myspace.ee REGEX[^.*\.myspace\.ee$]"
DNSLookup=1
LoadPlugin="tooltips"

• AWStats:

• Access to stats:

• AWStats statistics are web based and there is no restriction on accessing them by default; however, it is possible to put access restrictions based on IP addresses using the "AllowAccessFromWebToFollowingIPAddresses" parameter.

• For each virtual host you need an AWStats configuration file associated with it.

EXAMPLE: AWSTATS CONFIGURATION FILE FOR A VIRTUAL HOST

Include "/etc/awstats/awstats.conf"
SiteDomain="www.myspace.ee"
HostAliases="myspace.ee"

CAUTION:

To make AWStats take all the log files into account, it needs to be run right before the Apache log files are rotated. This can be solved by looking at the prerotate directive in the "/etc/logrotate.d/apache2" file and adding a symlink to "/usr/share/awstats/tools/update.sh" in "/etc/logrotate.d/httpd-prerotate".

$ cat /etc/logrotate.d/apache2
/var/log/apache2/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 644 root adm
    sharedscripts
    postrotate
        if /etc/init.d/apache2 status > /dev/null ; then \
            /etc/init.d/apache2 reload > /dev/null; \
        fi;
    endscript
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi; \
    endscript
}
$ sudo mkdir -p /etc/logrotate.d/httpd-prerotate
$ sudo ln -sf /usr/share/awstats/tools/update.sh \
    /etc/logrotate.d/httpd-prerotate/awstats

5. FTP FILE SERVER

DEFINITION:

File Transfer Protocol (FTP) was issued in 1985 and was used to distribute files before the web was even born. It allows both file uploads and downloads.

[Diagram: FTP client and FTP server exchanging FTP commands and FTP replies, plus a data connection]


• Requirement for using FTP:

• FTP client installed on your machine

• Information about FTP server

• FTP server address

• authentication access (username, password)

• FTP Client has two modes of connection:

• Active mode

• In an active FTP connection, the client opens a port and listens, and the server actively connects to it

• Passive mode

• The server opens a port and listens (passively) and the client connects to it

6. NFS FILE SERVER

DEFINITION:

Network File System (NFS) is a protocol allowing remote access to a filesystem via the network.

Limitation:

The latest version is hard to configure, and managing the security features such as authentication or encryption is not a straightforward task.

• NFS Procedures:

Procedure   Function
LOOKUP      Returns a file handle and attributes corresponding to a file name in a specified directory
MKDIR       Create a directory
RMDIR       Delete a directory
READDIR     Read a directory
RENAME      Rename a file
REMOVE      Delete a file
CREATE      Create a file
READ        Read from a file, by specifying the file handle, starting offset and max. no. of bytes to read (up to 8192)
WRITE       Write to a file
GETATTR     Returns the attributes of a file: type of file, permissions, size, owner, last-access time, and so on
SETATTR     Set the attributes of a file: permissions, owner, group, size, and last-access and last-modification time
LINK        Create a Unix hard link to a file
SYMLINK     Create a symbolic link to a file
READLINK    Returns the name of the file to which the symbolic link points
STATFS      Returns the status of a file system. Used by the Unix df command, for example

• Securing NFS:

• The easy way is to use Kerberos-based security features

• If not:

• Ensure that NFS can get connected to RPC servers.

• Firewall is up and must block IP spoofing.

DEFINITION:

RPC "Remote Procedure Call" is a UNIX standard for remote services.

• NFS Server:

• One configuration file: /etc/exports

• Defines a location, a list of authorized clients, and options

• Client identified by:

1. Machine name

2. Wildcards on a domain name

3. A netgroup (if NIS is used)

4. An IP address

• Options include: rw, ro, root_squash, all_squash, anonuid
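The options and client forms listed above are where most export mistakes occur. This added example (not from the lecture; the sample file, finding codes and function names are constructed) audits /etc/exports content for no_root_squash and for exports open to every host, including the case where a space before the parenthesis turns an intended host(rw) entry into an export that every host can write to.

```python
import re

# Constructed sample /etc/exports content (raw string keeps the trailing
# backslash used for line continuation).
SAMPLE_EXPORTS = r"""# constructed sample, not from the lecture
/shared   *.internal.myspace.ee(rw,root_squash) \
          192.168.0.0/16(ro)
/backup   192.168.0.5(rw,no_root_squash)
/srv/pub  trusted.internal.myspace.ee (rw)
/home     @staff(rw,all_squash,anonuid=1500)
"""

FINDINGS = {
    "NO_ROOT_SQUASH": "remote root keeps uid 0 on the exported tree",
    "WORLD_RW": "every host may mount the export read-write",
    "WORLD_RO": "every host may mount the export read-only",
}


def parse_exports(text):
    """Return a list of (path, client, options) tuples."""
    text = text.replace("\\\n", " ")              # join continuation lines
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if m is None:
                continue                          # not a client(options) token
            # A bare "(options)" token has no client name: it applies to
            # every host, which is what "host (rw)" with a space produces.
            client = m.group(1) or "*"
            options = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, options))
    return entries


def audit_exports(text):
    """Return (path, client, finding_code) for each risky export."""
    findings = []
    for path, client, options in parse_exports(text):
        if "no_root_squash" in options:
            findings.append((path, client, "NO_ROOT_SQUASH"))
        if client == "*":
            # The default is read-only unless "rw" is given explicitly.
            code = "WORLD_RW" if "rw" in options else "WORLD_RO"
            findings.append((path, client, code))
    return findings


if __name__ == "__main__":
    for path, client, code in audit_exports(SAMPLE_EXPORTS):
        print("%-10s %-12s %s: %s" % (path, client, code, FINDINGS[code]))
```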

• NFS Server start:

• Start rpc.mountd and rpc.nfsd

• Optionally start rpc.statd and rpc.lockd

• Use rpcinfo -p to check if working

• Files:

1. /var/lib/nfs/rmtab contains client information

2. /var/lib/nfs/etab contains detailed export information

3. /proc/fs/nfs/exports contains list of clients

4. /var/lib/nfs/xtab contains explicit machine names

• If /etc/exports is updated, use the exportfs command to inform the servers

• NFS Client:

MANUALLY MOUNTING WITH THE MOUNT COMMAND

# mount -t nfs4 -o rw,nosuid arrakis.internal.myspace.ee:/shared /srv/

EXAMPLE: NFS ENTRY IN THE /ETC/FSTAB FILE

arrakis.internal.myspace.ee:/shared /srv/shared nfs4 rw,nosuid 0 0

• NFS Protocol

[Diagram: USER PROCESS; CLIENT KERNEL with LOCAL FILE ACCESS (local disk), NFS CLIENT, RPC, TCP/UDP and IP; SERVER KERNEL with NFS SERVER (port 2077), LOCAL FILE ACCESS (local disk), RPC, TCP/UDP and IP]

7. WINDOWS SHARES WITH SAMBA

• Samba

DEFINITION:

Samba is a tool that handles the Server Message Block (SMB) protocol, also known as CIFS, on Linux. This protocol is used by Windows for network shares and shared printers.

It is also used as a Windows domain controller. Besides, it is a good tool for ensuring seamless integration of Linux servers and the office desktop machines still running Windows.

DEFINITION:

The SMB protocol operates as an application-layer network protocol and is used for providing shared access to files, printers, and ports. In addition, it can also integrate authentication in the inter-process communication mechanism.

• Samba server

• The Samba 4 package contains two main processes/servers:

• smbd

• nmbd

• Three ways to start Samba:

• Manually

• As stand-alone daemons

• From inetd

• Samba server

• Configuration with debconf

• By default, the installation does only the strict minimum configuration.

• For configuring: run dpkg-reconfigure samba-common

• info needed:

• name of the workgroup

• the package processes the identification of the WINS server

• Samba server

• Configuration manually

• The changes should be made in smb.conf

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = FALCOTNET

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
wins support = yes

[...]

####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server.
security = user

[...]

wins support = yes: INDICATES THAT SAMBA SHOULD ACT AS A NETBIOS NAME SERVER (WINS) FOR THE LOCAL NETWORK

security = user: THIS IS THE DEFAULT VALUE FOR THIS PARAMETER; HOWEVER, SINCE IT IS CENTRAL TO THE SAMBA CONFIGURATION, FILLING IT EXPLICITLY IS RECOMMENDED. EACH USER MUST AUTHENTICATE BEFORE ACCESSING ANY SHARE.

• Samba server

• Configuration manually

• Each Samba user needs an account on the server

• steps:

• Create a Unix account

• The user needs to be registered in the Samba database

• Samba client

• Mounting Windows Shares

INFO:

The Samba client has interesting features that allow a Linux machine to access Windows shares and shared printers. The needed programs are available in the cifs-utils and smbclient packages.

INFO:

The mount command allows mounting a Windows share into the Linux file system hierarchy. It also has many options that can be added to the command.

EXAMPLE: MOUNTING A WINDOWS SHARE

mount -t cifs //arrakis/shared /shared \
    -o credentials=/etc/smb-credentials

• Samba client

• Share printers

• Example: CUPS, which allows installing Windows shared printers automatically.

• Required steps with CUPS:

➡ Enter the CUPS configuration interface: http://localhost:631/admin

➡ Click on "Add Printer".

➡ Choose the printer device, pick "Windows Printer via SAMBA".

➡ Enter the connection URI for the network printer. It should look like the following: smb://user:password@server/printer.

➡ Enter the name that will uniquely identify this printer. Then enter the description and location of the printer. Those are the strings that will be shown to end users to help them identify the printers.

➡ Indicate the manufacturer/model of the printer, or directly provide a working printer description file (PPD).

8. HTTP/FTP PROXY

• Concept:

DEFINITION:

An HTTP/FTP proxy acts as an intermediary for HTTP and/or FTP connections. It has two roles:

1. Caching: downloaded documents are copied locally, so that multiple downloads are avoided.

2. Filtering server: when the proxy is used, it determines whether or not the request is to be granted.

[Diagram: User, ProxySG, Internet. 1. User requests web content; 2. Web request; 3. Web content returned; 4. Stored in ProxySG cache; 5. User receives web content]

• Installation:

• Debian package: "squid3"

• contains only the modular caching proxy.

• Needs:

• squidguard package: gives it filtering ability

• squid-cgi package: gives it a querying and administration interface for a Squid proxy.

• Cache configuration:

• Enabling caching requires editing the file: "/etc/squid3/squid.conf"

THE /ETC/SQUID3/SQUID.CONF FILE (EXCERPTS)

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

• Filter configuration:

• squid does not handle filtering; it is delegated to squidGuard.

• Enabling squidGuard requires configuration in the file "/etc/squid3/squid.conf"

• adding:

url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf

• reload service squid3

• All the policies should be defined by the admin

• can be done by creating the "/etc/squid3/squidGuard.conf" file

For more info on how to create the file: http://www.squidguard.org/Doc/configure.html

9. LDAP DIRECTORY

INFO:

Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email and other programs use to look up information from a server.

LDAP Main Role: Defines a standard method for accessing and updating information in a directory.

• LDAP:

Advantages:

• Handles well information referenced by many entities

• Handles well multi-location access to the same information

• Handles well information that is read more than written

Disadvantages:

• Very bad at handling information that changes often

• Very bad at handling unstructured information

• LDAP models:

• Information:

• Structure of the information stored in the LDAP directory.

• Naming:

• How the information is organized and identified.

• Functional / operations:

• Describes which kinds of operations can be performed on the LDAP directory.

• Security:

• Shows how the information is protected and secured.

• LDAP directory information tree (DIT):

• The data is stored in entries.

• These entries are ordered in tree nodes.

• Example of a tool in Debian: "OpenLDAP"

EXAMPLE OF DIT

source: http://www.novell.com/documentation/integrationmanager6/Docs/help/Composer/books/LDAPWelcome.html