SYSTEM ADMINISTRATION MTAT.08.021 LECTURE 6 NETWORK SERVICES PART2: WEB SERVICE Prepared By: Amnir Hadachi and Artjom Lind University of Tartu, Institute of Computer Science amnir.hadachi@ut.ee / artjom.lind@ut.ee 1
OUTLINE
Web server:
1. Apache
2. Virtual hosts
3. Common directives
4. Log analyzers
5. FTP file server
6. NFS file server
7. Windows shares with Samba
8. HTTP/FTP proxy
9. LDAP directory
1. APACHE
APACHE
INFO: What is a web server? It is a computer program that accepts Hypertext Transfer Protocol (HTTP) requests from clients (known as web browsers) and serves them HTTP responses along with optional data content (known as web pages).
INFO: Apache is the most widely used web server; however, there are others that can offer better performance at the cost of certain features and modules (e.g. nginx, lighttpd, etc.).
Apache installation is done by installing the apache package.
The name Apache comes from the concept of extensive patching of existing code.
Why Apache? Because it is: free, or available at a reasonable price.
APACHE
The apache2 packages contain many modules, including the MPMs: Multi-Processing Modules (MPM) give Apache the ability to handle parallel processing of many requests. The MPM strongly affects the way Apache works and handles threads.
INFO: Full list of modules: http://httpd.apache.org/docs/2.4/mod/index.html
APACHE
Apache web server characteristics: Apache supports many features; many are implemented as compiled modules that extend the core functionality. These range from server-side programming language support to authentication schemes. Apache also contains compression modules, such as mod_gzip, which help reduce the size of web pages served over HTTP.
APACHE
Apache core components:
Component                        Description
http_protocol.c, http_main.c     These components are in charge of handling the other extensions and their processes in order to keep the server functioning well, for example authentication.
http_request.c, http_core.c      Handle all the basic functionality of the server, like allocating requests, pooling all the connections, etc.
APACHE
Core components interactions (diagram):
HTTP_MAIN (server loop) - to/from the HTTP client
HTTP_PROTOCOL (implementation)
HTTP_REQUEST (phases of the request) - dispatch to modules
HTTP_CORE (main functionality)
UTILITIES: ALLOC (resource pools)
APACHE
Handling requests (figure). Source: https://click.apache.org/docs/user-guide/html/ch02s02.html
2. VIRTUAL HOST
VIRTUAL HOSTS
QUOTE: A virtual host is an extra identity for the web server.
DEFINITION: Virtual hosting means running multiple virtual web sites on one system.
Virtual host types:
- Virtual hosts based on the IP address
- Virtual hosts based on the domain name of the web server
VIRTUAL HOSTS
Virtual host types:
- Virtual hosts based on the IP address: requires allocating a different IP address for each site.
- Virtual hosts based on the domain name of the web server: can work on a single IP address; sites are differentiated by the hostname sent by the HTTP client (the Host header).
VIRTUAL HOSTS
Virtual hosts are described by a file located in /etc/apache2/sites-available/
EXAMPLE: THE /etc/apache2/sites-available/www.myspace.ee.conf FILE
<VirtualHost *:80>
    ServerName www.myspace.ee
    ServerAlias myspace.ee
    DocumentRoot /srv/www/www.myspace.ee
</VirtualHost>
VIRTUAL HOSTS
Virtual host log file: by default, one log file is used for all virtual hosts. This can be modified by adding CustomLog directives in the definition of the virtual host, or by defining a log format that records the virtual host name.
Location: /etc/apache2/conf-available/customlog.conf, enabled with a2enconf customlog
EXAMPLE: THE /etc/apache2/conf-available/customlog.conf FILE
# New log format including (virtual) host name
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost
# Now let's use this vhost format by default
CustomLog /var/log/apache2/access.log vhost
3. COMMON DIRECTIVES
COMMON DIRECTIVES
OBJECTIVE: In this section we put the spotlight on the commonly used Apache configuration directives. The main directives are related to:
- Directory blocks
- Requiring authentication
- Restricting access
COMMON DIRECTIVES
Directory blocks
DEFINITION: The main configuration file usually contains many directive blocks. These allow different behaviours to be specified for the server depending on the location of the file being served (e.g. a block that includes Options and AllowOverride).
EXAMPLE: DIRECTORY BLOCK
<Directory /var/www>
    Options Includes FollowSymlinks
    AllowOverride All
    DirectoryIndex index.php index.html index.htm
</Directory>
COMMON DIRECTIVES
Directory blocks
Within the directory blocks we have:
- DirectoryIndex
- Options
- AllowOverride
COMMON DIRECTIVES
Directory blocks: DirectoryIndex
INFO: DirectoryIndex contains a list of files to try when the client request matches a directory. The first file in the list that exists is used and sent as the answer.
COMMON DIRECTIVES
Directory blocks: Options
INFO: The Options directive is followed by a list of options to enable (the value None disables all options).
Option                Description
ExecCGI               CGI scripts can be executed
FollowSymlinks        Symbolic links can be followed
SymlinksIfOwnerMatch  Tells the server to follow symbolic links, but only when the link and its target have the same owner
MultiViews            Enables content negotiation
COMMON DIRECTIVES
Directory blocks: AllowOverride
INFO: The AllowOverride directive lists all the options that can be enabled or disabled by way of a .htaccess file.
COMMON DIRECTIVES
Requiring authentication
INFO: In some cases it is necessary to restrict access to some parts of the website so that only the appropriate users can access them, by providing a username and password.
EXAMPLE: .htaccess FILE REQUIRING AUTHENTICATION
Require valid-user
AuthName "Private directory"
AuthType Basic
AuthUserFile /etc/apache2/authfiles/htpasswd-private
COMMON DIRECTIVES
Requiring authentication
AuthUserFile /etc/apache2/authfiles/htpasswd-private
INFO: The /etc/apache2/authfiles/htpasswd-private file contains a list of users and their (hashed) passwords. It is commonly manipulated with the htpasswd command.
EXAMPLE: COMMAND TO ADD USERS OR CHANGE THEIR PASSWORDS
# htpasswd /etc/apache2/authfiles/htpasswd-private user
New password:
Re-type new password:
Adding password for user user
COMMON DIRECTIVES
Restricting access
INFO: Restricting access is used to control access to specific directories and their subdirectories recursively, based on many criteria.
Example of a restriction type: based on IP
ONLY ALLOW FROM THE LOCAL NETWORK
Order deny,allow
Allow from 192.168.0.0/16
Deny from all
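The Order/Allow/Deny combination above is easy to get backwards, so here is an added example (not from the lecture slides) that models the Apache 2.2 evaluation rules for a client address and shows why "Order deny,allow" with the same two lines admits only the local network while "Order allow,deny" would lock everyone out; the rule list and client addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed rule list copied from the "only allow from the local network" slide.
# Each rule is ("allow" | "deny", source) where source is "all" or a CIDR network.
LOCAL_NET_RULES = [("allow", "192.168.0.0/16"), ("deny", "all")]


def _matches(source, client):
    """True when the client address falls under an Allow/Deny source."""
    if source == "all":
        return True
    return client in ipaddress.ip_network(source, strict=False)


def access_allowed(order, rules, client_ip):
    """Evaluate Apache 2.2 Order/Allow/Deny semantics for one client address.

    "deny,allow": Deny lines are evaluated first, then Allow lines; an Allow
    match overrides a Deny match, and a client matching nothing is allowed.
    "allow,deny": Allow lines first, then Deny lines; a Deny match overrides
    an Allow match, and a client matching nothing is denied.
    """
    client = ipaddress.ip_address(client_ip)
    allowed_by_rule = any(_matches(src, client) for kind, src in rules if kind == "allow")
    denied_by_rule = any(_matches(src, client) for kind, src in rules if kind == "deny")
    if order == "deny,allow":
        return not denied_by_rule or allowed_by_rule   # Allow wins; default allow
    if order == "allow,deny":
        return allowed_by_rule and not denied_by_rule  # Deny wins; default deny
    raise ValueError(f"unsupported Order value: {order}")


def apache24_require_ip(rules):
    """Render the Apache 2.4 (mod_authz_host) equivalent of the Allow lines.

    In 2.4 a client that matches no Require line is denied, so the explicit
    "Deny from all" is not needed.
    """
    nets = [src for kind, src in rules if kind == "allow" and src != "all"]
    return "Require ip " + " ".join(nets)
```

Dropping the "Deny from all" line under "Order deny,allow" silently allows every address, because the default for that order is allow.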
4. LOG ANALYZERS
LOG ANALYZERS
INFO: Log analyzers are useful for following the activity on your websites and, most importantly, give administrators a precise idea of the usage patterns on their web servers.
Example of a log analyzer: AWStats (Advanced Web Statistics).
LOG ANALYZERS
AWStats configuration: can be customized through its configuration file, location: /etc/awstats/awstats.conf
EXAMPLE: AWSTATS CONFIGURATION FILE AND ITS PARAMETERS
LogFile="/var/log/apache2/access.log"
LogFormat="%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
SiteDomain="www.myspace.ee"
HostAliases="myspace.ee REGEX[^.*\.myspace\.ee$]"
DNSLookup=1
LoadPlugin="tooltips"
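To show what a log analyzer actually does with the "vhost" CustomLog format from the virtual hosts section and the matching AWStats LogFormat above, here is an added example (not part of the lecture or of AWStats) that parses such lines into fields named after the AWStats tags and builds per-virtual-host hit, byte and error counts; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Apache "vhost" LogFormat from the CustomLog slide:
#   "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# Group names follow the AWStats LogFormat tags used in awstats.conf.
VHOST_LINE = re.compile(
    r'^(?P<virtualname>\S+) (?P<host>\S+) (?P<other>\S+) (?P<logname>\S+) '
    r'\[(?P<time1>[^\]]+)\] "(?P<methodurl>[^"]*)" (?P<code>\d{3}) (?P<bytesd>\d+|-) '
    r'"(?P<refererquot>[^"]*)" "(?P<uaquot>[^"]*)"$'
)

# Constructed sample lines (not taken from any real server); the last one is
# deliberately malformed to show that unparseable lines are counted, not dropped.
SAMPLE_LOG = """\
www.myspace.ee 192.168.1.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
www.myspace.ee 192.168.1.11 - - [10/Oct/2023:13:55:40 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.88.1"
blog.myspace.ee 10.0.0.5 - alice [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 - "http://blog.myspace.ee/" "Mozilla/5.0"
this line is not in the vhost format
"""


def parse_vhost_line(line):
    """Return a dict of AWStats-named fields, or None if the line does not match."""
    m = VHOST_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    # %b logs "-" instead of 0 when no body was sent
    rec["bytesd"] = 0 if rec["bytesd"] == "-" else int(rec["bytesd"])
    return rec


def summarize(log_text):
    """Aggregate hits, bytes, error responses and distinct clients per virtual host.

    Returns (stats, skipped) where skipped is the number of unparseable lines.
    """
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "errors": 0, "hosts": set()})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_vhost_line(line)
        if rec is None:
            skipped += 1
            continue
        s = stats[rec["virtualname"]]
        s["hits"] += 1
        s["bytes"] += rec["bytesd"]
        s["hosts"].add(rec["host"])
        if rec["code"] >= 400:
            s["errors"] += 1
    return {k: {**v, "hosts": len(v["hosts"])} for k, v in stats.items()}, skipped
```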
LOG ANALYZERS
AWStats access to stats: AWStats statistics are web based and there is no restriction on accessing them by default; however, it is possible to restrict access based on IP addresses using the AllowAccessFromWebToFollowingIPAddresses parameter.
For each virtual host you need an AWStats configuration file associated with it.
EXAMPLE: AWSTATS CONFIGURATION FILE FOR A VIRTUAL HOST
Include "/etc/awstats/awstats.conf"
SiteDomain="www.myspace.ee"
HostAliases="myspace.ee"
LOG ANALYZERS
CAUTION: To make AWStats take all the log files into account, it needs to be run right before the Apache log files are rotated. This can be solved by looking at the prerotate directive in the /etc/logrotate.d/apache2 file and adding a symlink to /usr/share/awstats/tools/update.sh in /etc/logrotate.d/httpd-prerotate.
$ cat /etc/logrotate.d/apache2
/var/log/apache2/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 644 root adm
    sharedscripts
    postrotate
        if /etc/init.d/apache2 status > /dev/null ; then \
            /etc/init.d/apache2 reload > /dev/null; \
        fi;
    endscript
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi; \
    endscript
}
$ sudo mkdir -p /etc/logrotate.d/httpd-prerotate
$ sudo ln -sf /usr/share/awstats/tools/update.sh \
    /etc/logrotate.d/httpd-prerotate/awstats
5. FTP FILE SERVER
FTP FILE SERVER
DEFINITION: The File Transfer Protocol (FTP) was issued in 1985 and was used to distribute files before the web was even born. It allows both file upload and download.
(Diagram: the FTP client sends FTP commands and receives FTP replies from the FTP server; file data travels over a separate data connection.)
FTP FILE SERVER
Requirements for using FTP:
- an FTP client installed on your machine
- information about the FTP server: the server address and the authentication access (username, password)
FTP FILE SERVER
The FTP client has two modes of connection:
- Active mode: in an active FTP connection, the client opens a port and listens, and the server actively connects to it.
- Passive mode: the server opens a port and listens (passively), and the client connects to it.
6. NFS FILE SERVER
NFS FILE SERVER
DEFINITION: Network File System (NFS) is a protocol allowing remote access to a filesystem via the network.
Limitations:
- The latest version is hard to configure.
- Managing the security features such as authentication or encryption is not a straightforward task.
NFS FILE SERVER
NFS procedures:
Procedure  Function
LOOKUP     Returns a file handle and attributes corresponding to a file name in a specified directory
MKDIR      Create a directory
RMDIR      Delete a directory
READDIR    Read a directory
RENAME     Rename a file
REMOVE     Delete a file
CREATE     Create a file
READ       Read from a file, specifying the file handle, starting offset and max. number of bytes to read (up to 8192)
WRITE      Write to a file
GETATTR    Returns the attributes of a file: type of file, permissions, size, owner, last-access time, and so on
SETATTR    Set the attributes of a file: permissions, owner, group, size, and last-access and last-modification time
NFS FILE SERVER
NFS procedures (continued):
Procedure  Function
LINK       Create a Unix hard link to a file
SYMLINK    Create a symbolic link to a file
READLINK   Returns the name of the file to which the symbolic link points
STATFS     Returns the status of a file system. Used by the Unix df command, for example
NFS FILE SERVER
Securing NFS: the easy way is to use the Kerberos-based security features. If not:
- Ensure that only the machines allowed to use NFS can connect to the RPC servers it relies on.
- The firewall is up and must block IP spoofing.
DEFINITION: RPC (Remote Procedure Call) is a UNIX standard for remote services.
NFS FILE SERVER
NFS server: one configuration file, /etc/exports, defines a location, a list of authorized clients, and options.
Clients are identified by:
1. Machine name
2. Wildcards on a domain name
3. A netgroup (if NIS is used)
4. An IP address
Options include: rw, ro, root_squash, all_squash, anonuid
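As an added example (not from the lecture), the following parser reads /etc/exports entries in the client(options) form described above and flags the settings an administrator would want to review before exporting: wildcard clients, no_root_squash, and the classic mistake of a space before the option list, which makes those options apply to every host; the exports text is a constructed sample.

```python
import re

# Constructed /etc/exports sample using the option names from the slide
# (rw, ro, root_squash, all_squash, anonuid) plus no_root_squash.
# "/srv/oops" has a space before "(rw,no_root_squash)": exports(5) treats such
# an option list as belonging to a separate, world-wide client entry.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/srv/shared   192.168.0.0/24(rw,root_squash) arrakis.internal.myspace.ee(rw,no_root_squash)
/srv/public   *.myspace.ee(ro,all_squash,anonuid=65534)
/srv/oops     10.0.0.2 (rw,no_root_squash)
/srv/nis      @trusted(rw)
"""

# client may be empty (bare "(opts)" token) which NFS interprets as everyone
ENTRY = re.compile(r'^(?P<client>[^\s(]*)(?:\((?P<opts>[^)]*)\))?$')


def parse_exports(text):
    """Return a list of (path, client, options) tuples from /etc/exports text."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = ["*"]  # no client field at all means every host
        for spec in clients:
            m = ENTRY.match(spec)
            if not m:
                continue
            client = m.group("client") or "*"
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            exports.append((path, client, opts))
    return exports


def audit_exports(text):
    """Flag entries whose client spec or options widen access beyond one named host."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*" or client.startswith("*."):
            findings.append((path, client, "wildcard client"))
        if "no_root_squash" in opts:
            findings.append((path, client, "remote root keeps root rights (no_root_squash)"))
    return findings
```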
NFS FILE SERVER
NFS server start:
- Start rpc.mountd and rpc.nfsd
- Optionally start rpc.statd and rpc.lockd
- Use rpcinfo -p to check whether it is working
Files:
1. /var/lib/nfs/rmtab contains client information
2. /var/lib/nfs/etab contains detailed export information
3. /proc/fs/nfs/exports contains the list of clients
4. /var/lib/nfs/xtab contains explicit machine names
If /etc/exports is updated, use the exportfs command to inform the server.
NFS FILE SERVER
NFS client:
MANUALLY MOUNTING WITH THE mount COMMAND
# mount -t nfs4 -o rw,nosuid arrakis.internal.myspace.ee:/shared /srv/
EXAMPLE: NFS ENTRY IN THE /etc/fstab FILE
arrakis.internal.myspace.ee:/shared /srv/shared nfs4 rw,nosuid 0 0
NFS FILE SERVER
NFS protocol (diagram): a user process on the client goes through the client kernel, either to local file access (local disk) or to the NFS client; the NFS client talks over RPC on TCP/UDP over IP to the NFS server, which uses the server kernel's local file access to reach its local disk.
7. WINDOWS SHARES WITH SAMBA
WINDOWS SHARES WITH SAMBA
Samba
DEFINITION: Samba is a tool that handles the Server Message Block (SMB) protocol, also known as CIFS, on Linux. This protocol is used by Windows for network shares and shared printers. Samba can also act as a Windows domain controller. Besides, it is a good tool for ensuring seamless integration of Linux servers with office desktop machines still running Windows.
DEFINITION: The SMB protocol operates as an application-layer network protocol and is used to provide shared access to files, printers, and ports. In addition, it can also integrate authentication into the inter-process communication mechanism.
WINDOWS SHARES WITH SAMBA
Samba server: the Samba 4 package contains two main processes/servers: smbd and nmbd.
Samba can be started in three ways:
- Manually
- As stand-alone daemons
- From inetd
WINDOWS SHARES WITH SAMBA
Samba server: configuration with debconf
The installation puts in place the strict minimum configuration by default. To configure it, run dpkg-reconfigure samba-common.
Information needed: the name of the workgroup, and how the WINS server is identified.
WINDOWS SHARES WITH SAMBA
Samba server: manual configuration
The changes are made in smb.conf:
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will be part of
   workgroup = FALCOTNET
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
   wins support = yes
[...]
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server.
   security = user
[...]
Annotations:
- wins support = yes: indicates that Samba should act as a NetBIOS name server (WINS) for the local network.
- server role = standalone server: this is the default value for this parameter; however, since it is central to the Samba configuration, filling it in explicitly is recommended.
- security = user: each user must authenticate before accessing any share.
WINDOWS SHARES WITH SAMBA
Samba server: manual configuration
Each Samba user needs an account on the server. Steps:
1. Create a Unix account for the user.
2. Register the user in the Samba database.
WINDOWS SHARES WITH SAMBA
Samba client
INFO: The Samba client has interesting features that allow a Linux machine to access Windows shares and shared printers. The needed programs are available in the cifs-utils and smbclient packages.
Mounting Windows shares
INFO: The mount command allows mounting a Windows share into the Linux file system hierarchy. It also has many options that can be added to the command.
EXAMPLE: MOUNTING A WINDOWS SHARE
mount -t cifs //arrakis/shared /shared \
    -o credentials=/etc/smb-credentials
WINDOWS SHARES WITH SAMBA
Samba client: shared printers
Example: CUPS, which allows installing Windows shared printers automatically.
WINDOWS SHARES WITH SAMBA
Samba client: shared printers
Required steps with CUPS:
1. Enter the CUPS configuration interface: http://localhost:631/admin
2. Click on "Add Printer".
3. Choose the printer device; pick "Windows Printer via SAMBA".
4. Enter the connection URI for the network printer. It should look like the following: smb://user:password@server/printer
5. Enter the name that will uniquely identify this printer. Then enter the description and location of the printer. Those are the strings that will be shown to end users to help them identify the printers.
6. Indicate the manufacturer/model of the printer, or directly provide a working printer description file (PPD).
8. HTTP/FTP PROXY
HTTP/FTP PROXY
DEFINITION: An HTTP/FTP proxy acts as an intermediary for HTTP and/or FTP connections. It has two roles:
1. Caching: downloaded documents are copied locally; this way multiple downloads are avoided.
2. Filtering server: when the proxy is used, it determines whether or not the request is to be granted.
Concept (diagram): 1. the user requests web content from the proxy (ProxySG); 2. the proxy sends the web request to the Internet; 3. the web content is returned and stored in the ProxySG cache; 4-5. the user receives the web content.
HTTP/FTP PROXY
Installation: the Debian package squid3 contains only a modular caching proxy. It needs:
- the squidguard package: gives it filtering ability
- the squid-cgi package: gives it a querying and administration interface for a Squid proxy
HTTP/FTP PROXY
Cache configuration: enabling the caching requires editing the file /etc/squid3/squid.conf
THE /etc/squid3/squid.conf FILE (EXCERPTS)
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
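The http_access lines above are evaluated first match wins, and when no line matches Squid applies the opposite of the last line's action; the added example below (not from the lecture or from Squid) models that for src ACLs and contrasts the slide's configuration with a constructed variant lacking the final "deny all", which would leave the proxy open to everyone. Both configuration texts and the client addresses are constructed samples.

```python
import ipaddress

# Constructed excerpt mirroring the slide's /etc/squid3/squid.conf rules.
SQUID_CONF = """\
acl our_networks src 192.168.1.0/24 192.168.2.0/24
acl localhost src 127.0.0.1/32 ::1
http_access allow our_networks
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
"""

# Constructed misconfiguration: the last line is a deny on a narrow ACL, so
# every client that matches nothing gets the opposite action, i.e. allow.
SQUID_CONF_OPEN = """\
acl blocked_host src 10.9.9.9/32
http_access deny blocked_host
"""


def parse_squid(text):
    """Collect src ACLs and http_access rules in file order ("all" is predefined)."""
    acls, rules = {"all": None}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) > 3 and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(p, strict=False) for p in parts[3:])
        elif parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, client):
    nets = acls[name]
    if nets is None:          # the built-in "all" ACL
        return True
    return any(client in n for n in nets)   # v4/v6 mismatch simply never matches


def decide(conf_text, client_ip):
    """Return "allow" or "deny" for one client following Squid's evaluation order."""
    acls, rules = parse_squid(conf_text)
    client = ipaddress.ip_address(client_ip)
    for action, names in rules:
        # several ACL names on one http_access line are ANDed together
        if all(acl_matches(acls, n, client) for n in names):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"   # opposite of the last rule
```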
HTTP/FTP PROXY
Filter configuration: squid does not handle filtering itself; it is delegated to squidGuard. Enabling squidGuard requires configuration in the file /etc/squid3/squid.conf, adding the URL rewriter:
url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
then reloading the service: service squid3 reload
All the policies are defined by the admin, which is done by creating the /etc/squid3/squidGuard.conf file. For more info on how to create the file: http://www.squidguard.org/doc/configure.html
9. LDAP DIRECTORY
LDAP DIRECTORY
INFO: The Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email and other programs use to look up information from a server.
LDAP main role: defines a standard method for accessing and updating information in a directory.
LDAP DIRECTORY
LDAP:
Advantages                                                      Disadvantages
Handles well information referenced by many entities            Very bad at handling information that changes often
Handles well multiple locations accessing the same information  Very bad at handling unstructured information
Handles well information that is read more than written
LDAP DIRECTORY
LDAP models:
- Information: structure of the information stored in the LDAP directory.
- Naming: how the information is organized and identified.
- Functional / operations: describes which kinds of operations can be performed on the LDAP directory.
- Security: shows how the information is protected and secured.
LDAP DIRECTORY
LDAP directory information tree (DIT): the data is stored in entries. These entries are ordered as tree nodes. (Figure: example of a DIT.)
Example of a tool in Debian: OpenLDAP
Source: http://www.novell.com/documentation/integrationmanager6/docs/help/composer/books/ldapwelcome.html