Nov 16, 2014
Table of contents
* Introduction
* Installation
* Verifying installation
* Httpd.conf
* Instances
* Virtual Hosts
* Security
* Tuning
* Plug-in installation
* Troubleshooting
* Uninstalling
Introduction to Web Server
A web server is a computer program that accepts HTTP requests from clients (user agents such as web browsers) and serves them HTTP responses along with optional data content, usually web pages such as HTML documents and linked objects (images, etc.).
Common features
* HTTP and HTTPS support
* Logging
* Authentication
* Handling of static content
* Content compression
* Virtual hosting
* Large file support
Historical notes
The world's first web server.
In 1989 Tim Berners-Lee proposed to his employer CERN (European Organization for Nuclear Research) a new project, which had the goal of easing the exchange of information between scientists by using a hypertext system. As a result of the implementation of this project, in 1990 Berners-Lee wrote two programs:
* a browser called WorldWideWeb;
* the world's first web server, later known as CERN HTTPd, which ran on NeXTSTEP.
IBM HTTP Server Installation
License Agreement
Installation Directory
Setup Types
Make IHS as Windows Service
Showing Info Before Installation
Installing…
Installation Completed.
IHS Home Dir
Start/Stop/Restart HTTP server
In Windows
Start the command prompt, e.g.: Start > Run > type CMD > Enter.
Go to the HTTP Server bin directory (C:\Program Files\IBM HTTP Server\bin\) and use apache.exe to start, stop or restart the server:
To start: apache.exe start
To stop: apache.exe stop
To restart: apache.exe restart
In Unix
# /usr/IBMIHS/bin/apachectl start
# /usr/IBMIHS/bin/apachectl stop
# /usr/IBMIHS/bin/apachectl restart
Verifying Web server Installation
Verifying Logs post installation
Httpd.conf
IHS is configured by placing directives in plain text configuration files. The main configuration file is usually called httpd.conf. The location of this file is set at compile-time, but may be overridden with the -f command line flag. In addition, other configuration files may be added using the Include directive. Any directive may be placed in any of these configuration files. Changes to the main configuration files are only recognized by Apache when it is started or restarted.
Directives in the configuration files are case-insensitive, but arguments to directives are often case sensitive. Lines which begin with the hash character "#" are considered comments, and are ignored. Comments may not be included on a line after a configuration directive. Blank lines and white space occurring before a directive are ignored, so you may indent directives for clarity.
You can check your configuration files for syntax errors without starting the server by using apachectl configtest or the -t command line option.
E.g.:
# /opt/IBMIHS/bin/apachectl -t -f /opt/IBMIHS/conf/ins1.conf
C:\> "C:\Program Files\IBM HTTP Server\bin\apache.exe" -t -f conf\ins1.conf
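The parsing rules above (case-insensitive directive names, whole-line comments only, Include pulling in further files, directives scoped by enclosing sections) are easy to get wrong when reviewing a configuration by hand. The following is an added example, not code from the slides or from IBM HTTP Server: a small httpd.conf-style parser that applies those rules and flags the one mistake apachectl -t will not catch for you, a "#" placed after a directive, which Apache treats as more arguments rather than as a comment. The sample files are constructed and held in a dictionary so the example runs offline; Include paths are looked up relative to that dictionary, standing in for ServerRoot.

```python
import shlex

# Constructed sample "files" held in memory so the example runs offline.
# Directive names are deliberately mixed-case to show they are case-insensitive;
# the trailing "# ..." on DocumentRoot is NOT a comment to Apache.
SAMPLE_FILES = {
    "httpd.conf": """\
# Main configuration (constructed sample, not the page's httpd.conf)
ServerRoot "/opt/IBMIHS"
listen 80
<Directory "/home/httpd/ona">
    OPTIONS None
    AllowOverride None
</Directory>
Include conf/extra.conf
DocumentRoot "/home/httpd/ona" # trailing text becomes extra arguments
""",
    "conf/extra.conf": """\
LogLevel warn
""",
}


def parse_config(files, main="httpd.conf"):
    """Parse httpd.conf-style text into a flat list of directives.

    Each entry records the directive (lower-cased, since matching is
    case-insensitive), its arguments (case preserved, double quotes removed),
    the enclosing <Section ...> blocks, and the file:line it came from.
    Include is followed recursively through the `files` mapping.
    Returns (directives, warnings).  Backslash paths (Windows) would need a
    non-POSIX tokenizer; this sample only uses Unix-style paths.
    """
    directives, warnings = [], []

    def walk(name, context):
        depth = list(context)
        for lineno, raw in enumerate(files[name].splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and whole-line comments are ignored
            where = f"{name}:{lineno}"
            if line.startswith("</"):
                tag = line[2:-1].strip()
                if depth and depth[-1][0].lower() == tag.lower():
                    depth.pop()
                else:
                    warnings.append(f"{where}: </{tag}> without matching open tag")
                continue
            if line.startswith("<"):
                toks = shlex.split(line[1:-1])
                depth.append((toks[0], tuple(toks[1:])))
                continue
            toks = shlex.split(line)
            directive, args = toks[0].lower(), toks[1:]
            if any(a.startswith("#") for a in args):
                warnings.append(f"{where}: '#' after a directive is not a comment")
            if directive == "include":
                if args[0] in files:
                    walk(args[0], depth)
                else:
                    warnings.append(f"{where}: included file {args[0]} not found")
                continue
            directives.append({"directive": directive, "args": args,
                               "context": tuple(depth), "where": where})
        if depth != list(context):
            warnings.append(f"{name}: unclosed <{depth[-1][0]}> block")

    walk(main, ())
    return directives, warnings


def lookup(directives, name):
    """Arguments of the first top-level occurrence of a directive (any case)."""
    for d in directives:
        if d["directive"] == name.lower() and not d["context"]:
            return d["args"]
    return None
```

Running parse_config(SAMPLE_FILES) returns the directives with LogLevel pulled in from the included file, Options and AllowOverride tagged with their Directory context, and a single warning for the DocumentRoot line; the same "#" mistake in a real httpd.conf passes apachectl -t and silently changes the directive's arguments.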
Httpd.conf The Apache HTTP Server configuration file is /etc/httpd/conf/httpd.conf.
The httpd.conf file is well-commented and mostly self-explanatory. Its default configuration works for most situations; however, it is a good idea to become familiar some of the more important configuration options.
Section 1: Global Environment
ServerType standalone
ServerRoot "/etc/httpd"
PidFile /var/run/httpd.pid
ResourceConfig /dev/null
AccessConfig /dev/null
Timeout 300
KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 15
MinSpareServers 16
MaxSpareServers 64
StartServers 16
MaxClients 512
MaxRequestsPerChild 100000
Httpd.conf
Port 80
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>
User www
Group www
ServerAdmin [email protected]
ServerName www.openna.com
DocumentRoot "/home/httpd/ona"
<Directory "/home/httpd/ona">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Httpd.conf
<IfModule mod_dir.c>
DirectoryIndex index.htm index.html index.php index.php3 default.html index.cgi
</IfModule>
#<IfModule mod_include.c>
#Include conf/mmap.conf
#</IfModule>
ErrorLog /var/log/httpd/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
SetEnvIf Request_URI \.gif$ gif-image
CustomLog /var/log/httpd/access_log combined env=!gif-image
ErrorDocument 500 "The server made a boo boo.
ErrorDocument 404 http://192.168.1.1/error.htm
ErrorDocument 403 "Access Forbidden -- Go away.
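The LogFormat and CustomLog lines above define what ends up in access_log, and that file is the first thing you read when investigating misuse of the server. The following is an added example, not code from the slides: a parser for the "combined" format exactly as defined by that LogFormat line, a helper that mirrors the SetEnvIf/env=!gif-image filter, and a summary that counts status codes and the clients producing 4xx/5xx responses. The log lines are constructed samples.

```python
import re
from collections import Counter

# Regex for the "combined" LogFormat from httpd.conf:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Mirrors:  SetEnvIf Request_URI \.gif$ gif-image   /   CustomLog ... env=!gif-image
GIF_RE = re.compile(r"\.gif$")

# Constructed sample access_log lines (not from the page).
SAMPLE_LINES = [
    '10.0.0.5 - - [16/Nov/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Nov/2014:10:02:12 +0000] "GET /logo.gif HTTP/1.1" 200 512 "http://www.openna.com/" "Mozilla/5.0"',
    '10.0.0.9 - alice [16/Nov/2014:10:03:40 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.37"',
    '10.0.0.9 - - [16/Nov/2014:10:03:41 +0000] "GET /missing.html HTTP/1.1" 404 210 "-" "curl/7.37"',
    '10.0.0.9 - - [16/Nov/2014:10:03:42 +0000] "-" 408 - "-" "-"',
    "this line is not in combined format",
]


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %r is "METHOD URI PROTOCOL"; a timed-out connection logs just "-"
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["uri"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for 0 bytes
    return rec


def would_be_logged(uri):
    """False for URIs ending in .gif, which env=!gif-image keeps out of access_log."""
    return GIF_RE.search(uri) is None


def summarize(lines):
    """Status-code histogram, clients generating 4xx/5xx, and count of unparsable lines."""
    status, error_hosts, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            unparsed += 1  # keep a count: a log that stops parsing is itself a finding
            continue
        status[rec["status"]] += 1
        if rec["status"] >= 400:
            error_hosts[rec["host"]] += 1
    return {"status": dict(status), "error_hosts": dict(error_hosts), "unparsed": unparsed}
```

Note that the %u field only carries a username once HTTP authentication has succeeded, and that the env=!gif-image filter means image requests never reach the log at all, so a review of access_log alone cannot account for them.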
Httpd.conf
<IfModule mod_setenvif.c>
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>
To create New IHS Instance
In IBM HTTP Server you can create multiple web instances by copying the httpd.conf file. To start an instance, use the -f option as below.
Syntax:
apachectl -k $action -f <path_to_configuration_file>
apache.exe -k $action -f <path_to_configuration_file>
$action is one of start, stop or restart.
For example, if the apachectl command is not in your PATH, the IBM HTTP Server installation directory is /opt/IBMIHS, and an alternate configuration file, /opt/IBMIHS/conf/ins1.conf, is used:
E.g.:
# /opt/IBMIHS/bin/apachectl -k start -f /opt/IBMIHS/conf/ins1.conf
C:\> "C:\Program Files\IBM HTTP Server\bin\apache.exe" -k stop -f conf\ins1.conf
Virtual Host
The term Virtual Host refers to the practice of maintaining more than one server on one machine, as differentiated by their apparent hostname. For example, it is often desirable for companies sharing a web server to have their own domains, with web servers accessible as www.company1.com and www.company2.com, without requiring the user to know any extra path information.
Apache was one of the first servers to support IP-based virtual hosts right out of the box. Versions 1.1 and later of Apache support both IP-based and name-based virtual hosts (vhosts).
Running several name-based web sites on a single IP address
Your server has a single IP address, and multiple aliases (CNAMEs) point to this machine in DNS. You want to run a web server for www.example1.com and www.example2.org on this machine.
Configuring VHOST
Add the following to httpd.conf to configure a virtual host on your IHS web server:
<VirtualHost addr[:port] [addr[:port]] ...>
...
</VirtualHost>
e.g.:
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /www/example1
ServerName www.example1.com
# Other directives here
</VirtualHost>
Example for VHOST
Simple name-based vhosting
Setup: The server machine has a primary name server.domain.tld. There are two aliases (CNAMEs) www.domain.tld and www.sub.domain.tld for the address server.domain.tld.
Server configuration:
...
Port 80
ServerName server.domain.tld
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /www/domain
ServerName www.domain.tld
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /www/subdomain
ServerName www.sub.domain.tld
</VirtualHost>
The asterisks match all addresses, so the main server serves no requests. Because www.domain.tld is first in the configuration file, it has the highest priority and can be seen as the default or primary server.
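The "first vhost is the default" rule above matters for security as much as for routing: every request whose Host header names nothing you configured (an unknown name, a bare IP address, or an HTTP/1.0 request with no Host header at all) lands in that first block. The following is an added example, not code from the slides or from Apache: a Python model of the name-based selection for the two <VirtualHost *:80> blocks shown, with the Host header normalized the way Apache compares it (port stripped, trailing dot removed, case-insensitive). The VHOSTS list is a constructed representation of the page's configuration; IPv6 literal hosts ("[::1]:80") are outside what this small model handles.

```python
# The two name-based virtual hosts from the slide, in configuration order
# (constructed Python representation of the <VirtualHost *:80> blocks).
VHOSTS = [
    {"servername": "www.domain.tld", "documentroot": "/www/domain"},
    {"servername": "www.sub.domain.tld", "documentroot": "/www/subdomain"},
]


def normalize_host(host_header):
    """Host header as Apache compares it: no port, no trailing dot, lower-cased.
    (IPv6 literals in brackets are not handled by this simple split.)"""
    if not host_header:
        return ""
    return host_header.split(":", 1)[0].rstrip(".").lower()


def select_vhost(host_header, vhosts=VHOSTS):
    """Return the <VirtualHost *:80> block that serves a request.

    The first block whose ServerName equals the normalized Host header wins;
    any request that names no configured host (unknown name, bare IP, or an
    HTTP/1.0 request without a Host header) is served by the FIRST block,
    which is why the slide calls www.domain.tld the default server.
    """
    if not vhosts:
        raise ValueError("no virtual hosts configured")
    name = normalize_host(host_header)
    for vhost in vhosts:
        if vhost["servername"].lower() == name:
            return vhost
    return vhosts[0]
```

If the first block is a production site, unrecognized hosts are served its content; putting a deliberately minimal catch-all vhost first is the usual way to keep that from happening.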
Authentication Types
HTTP Basic Authentication
HTTP Digest Authentication
HTTPS Client Authentication
Integrating OS Authentication
HTTP Basic Authentication
HTTP Basic Authentication, which is based on a username and password, is the authentication mechanism defined in the HTTP/1.0 specification. A web server requests a web client to authenticate the user. As part of the request, the web server passes the realm (a string) in which the user is to be authenticated. The web client obtains the username and the password from the user and transmits them to the web server. The web server then authenticates the user in the specified realm.
Basic Authentication is not a secure authentication protocol. User passwords are sent in simple base64 ENCODING (not ENCRYPTED!), and the target server is not authenticated.
HTTP Digest Authentication
Like HTTP Basic Authentication, HTTP Digest Authentication authenticates a user based on a username and a password. However, the authentication is performed by transmitting the password in an ENCRYPTED form, which is much MORE SECURE than the simple base64 encoding used by Basic Authentication.
The advantage of this method is that the cleartext password is protected in transmission: it cannot be determined from the digest that is submitted by the client to the server.
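To make the difference between the two schemes concrete, here is an added example (not code from the slides or from IBM HTTP Server) covering both the Basic section and the Digest section above. It builds a Basic Authorization header and recovers the password from it, showing that base64 is reversible by anyone who sees the request, and then computes and verifies an RFC 2617 Digest response with qop=auth. Note that what Digest transmits is an MD5 hash of the credentials and request, not reversible encryption: the server keeps only HA1 (MD5 of user:realm:password, as the htdigest tool stores it) and recomputes the expected value from the request it actually received. The realm, user name, password, nonce and cnonce are constructed sample values; a real server issues a fresh nonce per challenge and must also check nonce freshness, which this example does not show.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the page).  A real server issues a fresh
# nonce per challenge; the client picks its own cnonce.
REALM = "IHS Protected Area"
USERNAME = "alice"
PASSWORD = "s3cret"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
NC = "00000001"
QOP = "auth"


def basic_header(username, password):
    """The Authorization header a client sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials(header):
    """Anyone on the path can undo Basic: base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def stored_ha1(username, realm, password):
    """What the server stores for Digest (as htdigest does): MD5(user:realm:password)."""
    return _md5(f"{username}:{realm}:{password}")


def client_digest_params(method, uri, username=USERNAME, password=PASSWORD,
                         realm=REALM, nonce=NONCE, cnonce=CNONCE, nc=NC, qop=QOP):
    """Fields of the client's Digest Authorization header (RFC 2617, qop=auth)."""
    ha1 = stored_ha1(username, realm, password)
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": qop, "nc": nc, "cnonce": cnonce, "response": response}


def digest_verify(method, uri, params, ha1):
    """Server side: recompute from the stored HA1 and the *actual* request method
    and URI, then compare in constant time.  The password itself never travels."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{ha1}:{params['nonce']}:{params['nc']}:"
                    f"{params['cnonce']}:{params['qop']}:{ha2}")
    return hmac.compare_digest(expected, params["response"])
```

Because the response binds the method and URI, a captured Digest header only validates for that request; a captured Basic header validates for every request until the password changes. Neither scheme authenticates the server to the client, which is the gap the HTTPS section that follows addresses.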
HTTPS Client Authentication
End user authentication using HTTPS (HTTP over SSL) is a strong authentication mechanism. This mechanism requires the user to possess a Public Key Certificate (PKC). Currently, PKCs are useful in e-commerce applications and also for a single-sign-on from within the browser. Servlet containers that are not J2EE technology compliant are not required to support the HTTPS protocol.
Client-certificate authentication is a more secure method of authentication than either Basic or Digest authentication. It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates. Secure Sockets Layer (SSL) provides data encryption, server authentication, and optional client authentication for a TCP/IP connection. A public key certificate is issued by a trusted organization, called a certificate authority (CA), and provides identification for the bearer. Prior to running an application that uses SSL, you must configure SSL support on the server and set up the public key certificate.
Configuring HTTPS
The following steps will guide you through the proper set up of SSL within the IBM HTTP Server:
1. Confirm that the Global Security Kit (GSKit) is installed and meets the minimum requirements
2. Create a key database file and certificates needed to authenticate the Web server during an SSL handshake
3. Enable SSL directives within the IBM HTTP Server configuration file (httpd.conf)
4. Other considerations when enabling SSL directives within the IBM HTTP Server configuration file (httpd.conf)
Verifying GSK
1. Confirm that the Global Security Kit is installed and meets the minimum requirements
The Global Security Kit (GSKit) is a required component for the Secure Sockets Layer (SSL) enablement within the IBM HTTP Server. Therefore, it is important to confirm that a supported version of the Global Security Kit is installed prior to enabling SSL.
For a complete listing of IBM HTTP Server releases and corresponding Global Security Kit versions, see IBM HTTP Server: Global Security Kit (GSKit) supported versions.
Create a key database file and certificates
Create a key database
Password For KDB
New Self Signed Cert
Enter Required Information
Example
Self signed Cert Is done
3. Enable SSL directives within the configuration file
Access using Https
Double Click the lock to test the cert
Check for issued name
Tuning IHS
Configure the IBM HTTP Server to show a status page:
Edit the IBM HTTP Server httpd.conf file and remove the comment character (#) from the following lines in this file:
#LoadModule status_module modules/ApacheModuleStatus.dll
#<Location /server-status>
#SetHandler server-status
#</Location>
Save the changes and restart the IBM HTTP Server. In a Web browser, go to: http://yourhost/server-status.
Alternatively, click Reload to update status. (Optional) If the browser supports refresh, go to
http://your_host/server-status?refresh=5 to refresh every five seconds.
Tuning IHS
All of these Web servers allocate a thread to handle each client connection. Ensuring that enough threads are available for the maximum number of concurrent client connections helps prevent this tier from being a bottleneck. The settings for these Web servers can be tuned by making changes to the httpd.conf file on the Web server system.
You can check the IBM HTTP Server error_log file to see if there are any warnings about having reached the maximum number of clients (MaxClients). There are several parameters, depending on the specific operating system platform, that determine the maximum number of clients the Web server supports.
Support thousands of concurrent clients. It is not unusual for a single IBM HTTP Server system to support thousands of concurrent clients. If your requirements are to support more concurrent clients than the number of threads that are supported by the Web server operating system and hardware, consider using multiple Web servers.
Tuning IHS
Change the setting on the Web server's Access logging parameter to reduce the load on the Web server. If you do not need to log every access to the Application Server, change the default value of the Web server's Access logging parameter. This change will reduce the load on the Web server.
Modify the settings of the Load balancing option and Retry interval on Web server plug-in properties to improve performance. You can improve the performance of IBM HTTP Server (with the WebSphere Web server plug-in) by modifying the following Web server plug-in configuration properties:
* Load balancing option, which specifies the load balancing option that the plug-in uses in sending requests to the various application servers associated with that Web server.
Plug-in installation
License Agreement
OS Prerequisites Check
Select Your Webserver
Select Remote or Local
Plug-in installation Location
If Local: Apps Server Location
Location Of HTTPD.Conf
Webserver Definition Name
Plug-in Location
Installation In Progress
Plug-in Installation Completed
Httpd.conf comparison After and before plug-in installation
Troubleshooting IHS
Troubleshooting IHS: Connection Refused error message
Symptoms of poor server response time
If you notice that server CPU utilization appears low, but client requests for static pages take a long time to service, your server may be running out of server threads to handle requests. This situation results when you have more inbound requests than you have Apache threads to handle those requests. New connections queue in the TCP/IP stack listen queue and wait for acceptance from an available thread. As a thread becomes available, it accepts and handles a connection off of the listen queue. Connections can take a long time to reach the top of the listen queue. This condition will be logged in a single error message in the error log:
* The message on AIX, Linux, Solaris, or HP-UX platforms is: "Server reached MaxClients setting, consider raising the MaxClients setting"
* The message on Windows operating systems is: "Server ran out
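The Tuning section and the troubleshooting note above both point at the same evidence: the MaxClients message in error_log. The following is an added example, not code from the slides or from IBM HTTP Server, that parses Apache-style error_log lines and reports when and how often the thread pool was exhausted, so the event can be correlated with the slow-response complaints rather than found by eye. The two marker strings are the platform messages quoted on the slide (the Windows one is truncated there, so only its visible prefix is matched, case-insensitively); the log lines are constructed samples.

```python
import re
from collections import Counter
from datetime import datetime

# Apache-style error_log line: [Sun Nov 16 10:05:30 2014] [error] message
ERROR_RE = re.compile(r"^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"   # strptime tolerates the space-padded day Apache writes

# The two platform messages quoted on the slide; the Windows text is truncated
# there, so only its visible prefix is used.  Compared case-insensitively.
SATURATION_MARKERS = ("reached maxclients setting", "server ran out")

# Constructed sample error_log lines (not from the page).
SAMPLE_ERROR_LOG = [
    "[Sun Nov 16 10:02:11 2014] [warn] child process 1234 still did not exit, sending a SIGTERM",
    "[Sun Nov 16 10:05:30 2014] [error] Server reached MaxClients setting, consider raising the MaxClients setting",
    "[Sun Nov 16 10:05:31 2014] [error] Server reached MaxClients setting, consider raising the MaxClients setting",
    "[Sun Nov 16 10:06:02 2014] [notice] caught SIGTERM, shutting down",
    "not an error_log line",
]


def parse_error_line(line):
    """Split one error_log line into time, level and message; None if it does not parse."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    try:
        when = datetime.strptime(m.group("time"), TIME_FMT)
    except ValueError:
        return None
    return {"time": when, "level": m.group("level"), "msg": m.group("msg")}


def is_saturation(msg):
    """True if the message is one of the MaxClients exhaustion messages."""
    low = msg.lower()
    return any(marker in low for marker in SATURATION_MARKERS)


def saturation_report(lines):
    """Count MaxClients events, their first/last time, and a per-minute histogram."""
    events = [r["time"] for r in map(parse_error_line, lines) if r and is_saturation(r["msg"])]
    by_minute = Counter(t.strftime("%Y-%m-%d %H:%M") for t in events)
    return {
        "count": len(events),
        "first": min(events, default=None),
        "last": max(events, default=None),
        "by_minute": dict(by_minute),
    }
```

A cluster of these events in a short window points at too few threads for the load (or a burst that exhausted them); the per-minute histogram is what to line up against the access_log request rate before deciding whether raising MaxClients, adding servers, or limiting the source of the burst is the right fix.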
Error Messages
Message: SSL0600S: Unable to connect to session ID cache
Reason: The server was not able to connect to the Session ID caching daemon.
Solution: Verify that the daemon was successfully started.
Message: SSL0701S: The password was not entered.
Reason: The password was not entered on the command line.
Solution: Rerun the command with the password added.
Message: SSL0702S: Password exceeds the allowed length of 512.
Reason: The password that was entered is longer than the allowed maximum of 512 characters.
Solution: Use a shorter password.