CIA Lab Assignment: Web Servers



Similar documents
Monitoring Nginx Server

Apache Usage. Apache is used to serve static and dynamic content

Agenda. How to configure

APACHE. Presentation by: Lilian Thairu

Welcome to Apache the number one Web server in

APACHE HTTP SERVER 2.2.8

Smart Card Authentication. Administrator's Guide

UBS KeyLink Quick reference WEB Installation Guide

E-Commerce for IT Advanced. Louis Aguila & Matt Burt

Exercises: FreeBSD: Apache and SSL: pre SANOG VI Workshop

Abstract. 1. Introduction

Easy CramBible Lab DEMO ONLY VERSION Test284,IBM WbS.DataPower SOA Appliances, Firmware V3.6.0

Lab 3.4.2: Managing a Web Server

SQL Injection Attack Lab Using Collabtive

Apache 2.2 on QNX Neutrino 6.4.x OS Step-by-step installation manual

Ipswitch Client Installation Guide

MS Windows DHCP Server Configuration

SIMIAN systems. Setting up a Sitellite development environment on Windows. Sitellite Content Management System

Contents. Introduction. Prerequisites. Requirements. Components Used

Introduction to Apache and Global Environment Directives. S.B.Lal Indian Agricultural Statistics Research Institute, New Delhi

Automatic updates for Websense data endpoints

1Intro. Apache is an open source HTTP web server for Unix, Apache

Setting Up SSL on IIS6 for MEGA Advisor

StreamServe Persuasion SP4 StreamServe Connect for SAP - Business Processes


Table of Contents. Chapter 1: Installing Endpoint Application Control. Chapter 2: Getting Support. Index

How to: Install an SSL certificate

APACHE WEB SERVER. Andri Mirzal, PhD N

Running Nginx as Reverse Proxy server

Web Browsing Examples. How Web Browsing and HTTP Works

Service Manager and the Heartbleed Vulnerability (CVE )

imhosted Web Hosting Knowledge Base

Repeater. BrowserStack Local. browserstack.com 1. BrowserStack Local makes a REST call using the user s access key to browserstack.

Apache and Apache-ssl Proxy setup to Paradox Web Server OCX for Internet Enabled Databases by Dennis Santoro Getting Started:

SonicWALL Security Quick Start Guide. Version 4.6

The course will be run on a Linux platform, but it is suitable for all UNIX based deployments.

Outline Definition of Webserver HTTP Static is no fun Software SSL. Webserver. in a nutshell. Sebastian Hollizeck. June, the 4 th 2013

ECE 4893: Internetwork Security Lab 12: Web Security

OpenIMS 4.2. Document Management Server. User manual

Installation Guide Magento Localized Editions

How to use PDFlib products with PHP

How to Make the Client IP Address Available to the Back-end Server

Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

Apache Thrift and Ruby

Oracle9i Application Server: Options for Running Active Server Pages. An Oracle White Paper July 2001

Accelerating Rails with

Java Secure Application Manager

An Overview of Oracle Forms Server Architecture. An Oracle Technical White Paper April 2000

Advantech WebAccess Device Driver Guide. BwSNMP Advantech WebAccess to SNMP Agent (Simple Network Management Protocol) Device Driver Guide

Implementing Reverse Proxy Using Squid. Prepared By Visolve Squid Team

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

Client applications are available for PC and Mac computers and ios and Android mobile devices. Internet

MASTER THESIS. TITLE: Analysis and evaluation of high performance web servers

XIA Configuration Server

Easy Setup Guide for the Sony Network Camera

SSL VPN Technology White Paper

IFS CLOUD UPLINK INSTALLATION GUIDE

A Tool for Evaluation and Optimization of Web Application Performance

Nokia E90 Communicator Using WLAN

Installation and Deployment

User Manual. User Manual for Version

Building a protocol validator for Business to Business Communications. Abstract

Configuring Load Balancing

Apache Configuration

MPI Frequently Asked Questions

Apache Tomcat. Load-balancing and Clustering. Mark Thomas, 20 November Pivotal Software, Inc. All rights reserved.

Secret Server Installation Windows Server 2008 R2

Trend Micro Worry- Free Business Security st time setup Tips & Tricks

Microsoft Exchange ActiveSync Administrator s Guide

ERserver. iseries. Printing

By default, pilight uses a random port for its socket server. Use the port setting If you want to set this to a fixed port.

Internet Banking System Web Application Penetration Test Report

CPanel SSL Certificate Deployment Guide

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion

Getting Started With Delegated Administration

Cisco SSL Encryption Utility

Secret Server Installation Windows Server 2012

E-Blocks Easy Internet Bundle

Leonardo Hotels Group Page 1

Contents Release Notes System Requirements Administering Jive for Office

MAGENTO HOSTING Progressive Server Performance Improvements

C:\www\apache2214\conf\httpd.conf Freitag, 16. Dezember :50

Cleaning Encrypted Traffic

Securing Your Apache Web Server With a Thawte Digital Certificate

Addressing Application Layer Attacks with Mod Security

Steps for Basic Configuration

Forward proxy server vs reverse proxy server


Creating secure web based user interfaces for Embedded Devices

How to scan/exploit a ssl based webserver. by xxradar. mailto:xxradar@radarhack.com. Version 1.

technical brief browsing to an installation of HP Web Jetadmin. Internal Access HTTP Port Access List User Profiles HTTP Port

Apache Security with SSL Using Ubuntu

Shellshock. Oz Elisyan & Maxim Zavodchik

Collax Mail Server. Howto. This howto describes the setup of a Collax server as mail server.

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

How To - Implement Single Sign On Authentication with Active Directory

Collax Web Security. Howto. This howto describes the setup of a Web proxy server as Web content filter.

ENABLING RPC OVER HTTPS CONNECTIONS TO M-FILES SERVER

Smart Card Authentication Client. Administrator's Guide

Transcription:

CIA Lab Assignment: Web Servers A. Bakker N. Sijm C. Dumitru J. van der Ham Feedback deadline: October 17, 2014 10:00 CET Abstract Web servers are an important way of putting information out on the Internet or on an Intranet. Well-known web servers are the Apache HTTP server, nginx and lighttpd. You will compile and install one of these web servers under Ubuntu on your experimentation machine. The goal is to learn the various configuration options of that server and to understand the concepts. 1 History The Apache web server originated from the public domain web server of the National Center for Supercomputer Applications (NCSA). After the development of the NCSA web server stopped in 1994, system administrators started creating their own patches for it. A group of system administrators decided to create a web server based on the NCSA web server with the most useful patches included. Since then the Apache web server has been completely rewritten, and from version 2 onwards the old NCSA code has been fully replaced and is no longer part of the source. One year after its introduction the Apache web server was already the most popular web server and it stayed that way for a long time, though since about 2006 there seems to be a shift and the popularity of Apache is declining. Nginx (pronounced engine-x ) originated from the need for a stable server for hightraffic sites. Unlike Apache, it uses an asynchronous event-driven approach, which makes it behave more predictably under high loads. Nginx can also be used as a reverse proxy for many different protocols and services. lighttpd (pronounce lighty ) is an open-source webserver aimed for speed, and was orignally developed as a proof-of-concept to solve the c10k problem: how to handle 10.000 connections in parallel on one server. The server runs as a single process with a single thread and non-blocking I/O. It has since been adopted and extended by a larger community. Based on earlier work by E.P. Schatborn and A. van Inge. Version October 10, 2014. Arno.Bakker@os3.nl, jeroen@os3.nl 1

Question 1. Can you think of reasons for the change in popularity of Apache? Explain. 2 Installation Which server you should install depends on your table number t: Apache t mod 3 = 0 nginx t mod 3 = 1 lighttpd t mod 3 = 2 Download the latest release of your designated web server. Be sure to check the signature as per usual. Question 2. Older source trees like Apache 2.2.*, and nginx 1.6.* are still maintained. Can you think of reasons why? Page 2

To compile the server you will be using the standard sequence of./configure, make and make install. Be sure to set the correct options for configure when you start compilation. (Hint: read the requirements section carefully... ) Modern web servers are modular. Modules can either be compiled into the binary, or they can be compiled as Dynamic Shared Objects (DSO) which can be loaded at runtime. Make sure at least the module with TLS/SSL support is enabled. Be sure to first remove all other installations since they might interfere with yours, then compile and install the software in /usr/local/< servername >. Make sure that the web server starts at boot, using the method prescribed by the server. The servers use /usr/local/apache/conf/httpd.conf, /usr/local/nginx/conf/ nginx.conf and /usr/local/lighttpd/lighttpd.conf, respectively, as their main configuration file. Read the example files carefully and look up things that are not clear to you. Then configure the basic settings like the webmaster email address, the web server name, the root directory for the web documents and the port the web server listens on. You can check the syntax of the configuration file using apachectl -t, nginx -t and lighttpd -t, respectively. 3 Virtual Hosts A much used functionality that these three web servers provide is the hosting of multiple domains from a single web server. This virtual host functionality resembles the MTA setup we worked with last week. The virtual domains exist only as resource records on the DNS server and as data on the web server. Questions 3. Implement virtual hosting in the web server for the virtual domains visit, travel and info. Show your configuration. 4. Create a simple HTML page for each virtual host make sure that the server can correctly serve it. 5. Use curl to display the contents of a full HTTP/1.1 session served by your server. Explain the meaning of each request and reply header. 4 Encryption It may be necessary to encrypt an HTTP session so that others cannot listen in. It is essential for online banking or financial transactions. This is what the HTTPS protocol is used for. It is a connection over port 443 using SSL/TLS encryption. 6. Configure your web server to support SSL/TLS. Page 3

It is not difficult to set up your server to support SSL/TLS. It is however difficult to do it correctly. Be sure you know what you are doing and read the server s documentation on SSL carefully 1. Read the SSL configuration options carefully before you start. Adapt it to your needs and make sure the SSL module is loaded. 7. What encryption standards does the web server support using the standard configuration file? 8. Describe how you created your own certificate for your web server. 9. You can test your secure web server using a web browser, but you can also use openssl or curl. Test your web server using these two tools, and report your findings. 10. Can you enable SSL for all your virtual hosts? Explain. 5 Web Server Security The security of a web server is largely derived from the access rights given to documents on the server. Apache has a reasonably good reputation in the area of security. It is mostly the code that users 2 add to the web server that creates security problems. 11. Investigate what configuration options there are that govern user access rights. What ways are there to use these options on documents? 12. Now create two web pages, one with a simple SSI instruction and one with a simple Perl/Python/Ruby CGI script (beware of Shellshock). Set up your web server so that only code on these pages can be executed (if possible). 6 Extra Assignments (Optional) 6.1 Web Server Performance Web server performance is a very important issue as this directly impacts user experience and can affect operation costs. 13. Investigate what configuration options there are that can potentially improve the performance of the web server. Also look at how you can check the (current) load on the web server using e.g. the Apache mod status module. 1 Apache HOWTO quote: [... ] but always try to understand the stuff before you use it. Nothing is worse than using a security solution without knowing its restrictions and coherences. 2 The users are the people using your web server to make their content available on the Internet. Page 4

14. Using a standard benchmarking tool (e.g. ab, siege, etc.) evaluate the performance of your server before and after optimizations for both the static page and the dynamic page. Try to maximize the number of requests per second. Explain all the changes made. 6.2 Logging Checking the logging information on your web server is important to discover problems and/or attacks on your web server. The web servers have different configuration options to adapt the log information to your needs. This allows you to extract useful information from the logfile. 15. Define your own log format containing information you deem important. Use Conditional logging to add User-Agent and Referrer information to request logs that generated an error. Page 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information