Apache Street Smarts Presentation (SANS 99)

  • Start the presentation in Windows 98
  • Boot Linux
  • Switch to NT Server …
  • Reboot in Windows 98
  • Return to Linux
  • Switch Back to Windows 98
  • Return to Linux Server

    1. Apache Street Smarts For the Systems Management Professional
       By Michael E. Dobe, ESM Services, Inc.
       Network Security 1999, New Orleans, LA
    2. Introduction: The Need For Training
       Proficiency with the installation and operation of the Apache HTTP server is as important today as skill in traditional areas such as NIS, NFS, and Perl.
         – Need For Day-to-Day Proficiency: As businesses port applications to the Web there is an increase in the frequency and complexity of requests for HTTP server support from more savvy users and developers. Web Security also becomes a day-to-day support issue.
         – Resume Building: In the last few years, support for HTTP servers has become an obligatory bullet on the resumes of UNIX and NT professionals.
    3. Tutorial Objectives
       • Through discussion and demonstrations this tutorial gives you the tools you need to stay ahead of the Apache knowledge curve
       • You will gain proficiency with the basics of Apache installation, configuration and support on the Linux and Win32 platforms
       • We will also point you to a number of lesser-known gotchas of Apache administration on the UNIX and Windows NT platforms
    4. Overview
       Starting with an overview of setting up Apache on Linux and NT and ending with a review of available sources for current information, this tutorial covers a wide gamut of configuration issues from modules and directives to performance monitoring and security.
       (Overview diagram: Setup, CGI, Config, Modules, Current Info, FP Extensions, Directives, Security, Tuning, SSL)
    5. Welcome to Your New Job: Sysadmin For GRSL
       • You Have Just Been Hired By General Republic Savings and Loan of Baltimore, MD
       • The Many Hats You Wear:
         – UNIX Systems Admin, Windows NT Systems Admin and Web Services
       • Your User Base:
         – Wide Range of Needs
         – Intranet Publishing For Workgroups
         – Internet Presence Supported By Web Development Consultants External to the Firm
    6. Your Presence on the Internet
       • GRSL Has a New CIO Who Loves Linux, But Who Doesn’t Want to Change Too Much All at Once
       • The Company Has Just Hired Consultants To Develop Custom Banking Applications For the External Web Site
       • You Successfully Make the Case that the Internet Presence Should Run on RH Linux (6.0) With Apache
    7. Your Test Intranet Site and Developer Workstations
       • Large Installed Base of Windows NT on Corporate Network. Existing Intranet on IIS, Workstations Using PWS
       • Company Seeks to Standardize on One Web Server Technology
       • You Convince the CIO to Run a Test Intranet Server on Windows NT Server
       • Also Get the Green Light To Test Using Apache as a Replacement for Personal Web Server on Win 98 Stations for Your Developers
    8. Rolling Up Your Sleeves and Jumping In: Linux Installation
       • Each Comes as Source Code or Pre-Compiled Binary (RPM for RH Linux 6.0)
       • Default RH Linux Installation Gives You apache-1.3.6-7
         – Default is standalone server (Note: Running Apache out of inetd is not recommended for servers anticipating heavy loads.)
         – Loads at boot time via rc scripts
         – Parent Process Runs as root
         – Child Processes Run as nobody
         – Use ps to verify that it is running
    9. HTTP Process Control on Linux: Stopping and Restarting Your Server
       • Linux stores pid at /var/run/httpd.pid
         – kill -TERM `cat /var/run/httpd.pid`
         – To Restart: /usr/sbin/httpd &
       • Can Use GUI Interface, e.g. Comanche
         – Comanche RPM Available (Need itcl and rcs)
         – Part of Apache GUI Project
         – http://comanche.com.dtu.dk/comanche/
         – Demonstration of GUI (/usr/bin/comanche)
       • Command-Line Tool: apachectl
    10. Working With Support Programs For Apache: Setting Up apachectl
       – Install Apache Source Tree Using apache_1.3.6.src.rpm
       – Support Files Will Be Found In: /usr/src/redhat/SOURCES/apache_1.3.6/src/support
       – Copy to /usr/bin (or somewhere else in your path)
       – Edit Config to Reflect Your Local Setup
    11. Demo of HTTP Process Control on Linux: apachectl
       • Program to stop and start the http server
       • Run with following options: start | stop | restart | fullstatus | status | graceful | configtest | help
       • Demo: Try start, stop, restart and configtest
       • We’ll Return Later to fullstatus and status
    12. Rolling Up Your Sleeves and Jumping In: Win32 Installations
       • Visit Apache Site at http://www.apache.org/
       • Download apache-1.3.9 For Win32
       • Run the Installation Program
       • Launch from command line, start menu
       • Option to Run as a Windows Service
    13. Rolling Up Your Sleeves and Jumping In: Win32 Process Control on NT
       • Note: Running Win32 Apache as a Service is Recommended
       • Install As A Service From the Start Menu?
       • Try apache -i -n Apache
       • Apache Running as a Service Allows You to Stop and Start Using Control Panel/Services or Using NET START APACHE and NET STOP APACHE
    14. More on Win32 HTTP Process Control: Apache on Windows 98
       • Can Kill Win32 Version of Apache Using Ctrl-C at Apache console or at the command line using apache -k shutdown
       • Can Restart From Command Line or Start Menu
       • Win32 stores pid by default at: C:\Program Files\Apache Group\Apache\logs\httpd.pid (Could script this with apachectl)
       • Can Also Use Comanche on Win32
       • Win32 Comanche Demo
    15. Working With Config Files and Basic Directives (Linux & Win32)
       • Linux: /etc/httpd has conf, logs and modules
       • Win32: C:/Program Files/Apache Group/Apache/
       • Config files include httpd.conf, srm.conf and access.conf, each of which contains sets of directives (configuration parameters)
    16. Running One Config File
       • Win32 (Version 1.3.9) Has Only One Config File
       • Default RH 6.0 Install Gives You all three files: httpd.conf, srm.conf and access.conf
       • Apache Server Allows You to Consolidate Everything Into httpd.conf
       • You Need to Add the Following to the end of httpd.conf to make this work:
           AccessConfig /dev/null
           ResourceConfig /dev/null
       • For Demonstration Purposes, We Will Stick With the Default RPM Install on RH Linux 6.0
    17. Working With Config Files on Linux: httpd.conf
       httpd.conf Contains Directives That Allow You to Configure:
         – Basic Server Configuration Parameters
         – Caching
         – Virtual Hosts
         – Support for Modules (Enable and Disable)
    18. Directives Demo #1 (httpd.conf): Virtual Hosts and Virtual Directories for Your Site
       • Business Need: Two Banking Divisions With Different Host Names Need to Be on the Same Server; Both Divisions Need to Provide Access to Some (But Not All) of the Same Content
       • Technical Solution:
         – Configure Virtual Hosts
         – Configure Virtual Directories (Note on Virtual Directories: Without DNS Need to Set UseCanonicalName off)
    19. Working With Config Files on Linux: srm.conf
       • /etc/httpd/conf/srm.conf contains directives that allow you to configure:
         – name space that users see of your http server, e.g. DocumentRoot and UserDir
         – server settings which affect how requests are serviced, and how results should be formatted, e.g. Alias, ScriptAlias and ErrorDocument
         – In apache-1.3.9 for Win32, These Directives are all in httpd.conf
    20. Directives Demo #2 (srm.conf): Customizing Error Messages For Your Site
       • Business Need: You Want to Help People Locate Content on Your Site that May Have Moved
       • Technical Solution: Customize Message for 404 Error Message in srm.conf to Include a Link to Your Search Page
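The following httpd.conf fragment is an added example, not from the slides, that works Demo #1 (two division host names on one server sharing only part of their content) and Demo #2 (a custom 404 page) together; the address 192.0.2.10, the grsl.example host names and the /home/httpd/html paths are assumed for illustration.

```apache
# Both divisions answer on one address; name-based hosts are told apart by the
# Host: header, so each block needs its own ServerName.
NameVirtualHost 192.0.2.10

# Without DNS for the division names, self-referencing URLs (redirects on
# directories, etc.) must follow the host name the client sent rather than
# ServerName. Note that this also means the server takes the client's word
# for its own name in those URLs.
UseCanonicalName off

# The content both divisions may publish lives outside either DocumentRoot and
# is mapped into both hosts; a virtual host inherits global Alias directives.
Alias /shared/ "/home/httpd/html/shared/"
<Directory "/home/httpd/html/shared">
    Options -Indexes -FollowSymLinks
    AllowOverride None
</Directory>

<VirtualHost 192.0.2.10>
    ServerName   savings.grsl.example
    DocumentRoot "/home/httpd/html/savings"
    ErrorLog     logs/savings-error_log
    TransferLog  logs/savings-access_log
    # /missing.html in this DocumentRoot carries the link to this
    # division's search page (Demo #2); each host gets its own copy.
    ErrorDocument 404 /missing.html
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName   loans.grsl.example
    DocumentRoot "/home/httpd/html/loans"
    ErrorLog     logs/loans-error_log
    TransferLog  logs/loans-access_log
    ErrorDocument 404 /missing.html
</VirtualHost>
```

Run apachectl configtest before restarting; the per-host ErrorLog lines are also what let you see which division's content a 404 burst is hitting.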
    21. Working With Config Files on Linux: access.conf
       • /etc/httpd/conf/access.conf Contains Directives That Allow You to Configure:
         – server settings which affect which types of services are allowed, and in what circumstances
         – Set Up Default Directory Restrictions
         – Follow Up With More Detailed Configuration
         – In apache-1.3.9 for Win32, These Directives are in httpd.conf
    22. Directives Demo #3 (access.conf): Password Protection of Pages, Authentication on RH 6.0
       • Business Need: Provide Customers With Access to Value Added Web Services
       • Technical Solution:
         – Role of access.conf directives
         – Use of htaccess mechanism
    23. Directives Demo #3 Continued (access.conf): Password Protection/User Authentication on RH 6.0
       • More Support Files: Working With htaccess and htpasswd
       • Need to Go Beyond Default Authentication Mechanisms?
       • Support For Additional Authentication Databases Using Modules: mod_auth_dbm, mod_auth_db, mod_auth_msql, mod_auth_pg95, mod_auth_dbi, mod_auth_external.c, mod_auth_kerb, mod_auth_ldap
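An added example (not the tutorial's own demo files) of how the access.conf directives and the htaccess mechanism in Demo #3 fit together on the RH 6.0 layout; the customers directory, the AuthName text and the password file name are assumed.

```apache
# File: /etc/httpd/conf/access.conf (on Win32 1.3.9 this all goes in httpd.conf)
<Directory "/home/httpd/html/customers">
    # AuthConfig is all the htaccess mechanism needs; "All" would also let a
    # .htaccess file switch on Options such as ExecCGI or Includes.
    AllowOverride AuthConfig
    Options None
</Directory>

# Never serve the control files themselves, whichever directory they sit in.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# File: /home/httpd/html/customers/.htaccess
# The user file is created and maintained with the htpasswd support program
# and is kept outside the document tree so it can never be fetched:
#   htpasswd -c /etc/httpd/conf/grsl-customers jsmith
AuthType Basic
AuthName "GRSL Customer Services"
AuthUserFile /etc/httpd/conf/grsl-customers
require valid-user
```

Basic authentication sends the user name and password base64-encoded, not encrypted, with every request, so in production serve a directory like this only through the SSL setup covered later in the tutorial.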
    24. Modules and Apache’s Design
       • Modules are Programs That Extend The Power of the Apache HTTP Server
       • The HTTP Server Was Kept Small Intentionally
       • Because Apache is Open Source Software, You Can Write Your Own Modules to Accomplish Your Organization’s Web Goals
    25. Finding Apache Modules
       • Apache Project Maintains a Web-based Modules Registry and an ftp directory For Modules at http://modules.apache.org/
       • Modules Come With Your Distribution in the src Directory
       • Module Documentation Included With Manual
       • Refer to Writing Apache Modules With Perl and C (Stein & MacEachern) For Information About Rolling Your Own
    26. Working With Modules on RH Linux: Starting With the Defaults
       • What Modules are Supported By Default With the rpm distribution?
       • Run the Command /usr/sbin/httpd -l
           Compiled-in modules:
             http_core.c
             mod_so.c
       • Gotcha: Modules Still Need to Be Loaded in httpd.conf to be Available At Run-Time, Even With DSO
    27. Support For Additional Modules, Apache on RH 6.0: Using DSO
       • DSO = Dynamic Shared Object
       • Remember the apachectl options status and fullstatus? Need to Have Support For mod_status For This To Work
       • mod_so is Compiled Into Apache rpm By Default
       • No need to Recompile Apache to Use mod_status, because mod_so is running
       • mod_so and DSO Documented at: http://127.0.0.1/manual/mod/mod_so.html and http://127.0.0.1/manual/dso.html
    28. Recompiling Apache For Additional Modules
       • Need to Edit Configuration file in /usr/src/redhat/SOURCES/apache_1.3.6/src
       • Uncomment Lines With Modules You Want
       • Run configure From /usr/src/redhat/SOURCES/apache_1.3.6/
       • Run make and make install From /usr/src/redhat/SOURCES/apache_1.3.6/src
    29. Difference in Module Support: Out-of-Box Linux (RPM) and Default Compile
       • RPM: Run the Command /usr/sbin/httpd -l
           Compiled-in modules: http_core.c mod_so.c
       • From Source: Run the Command /usr/local/apache/bin/httpd -l
           Compiled-in modules: http_core.c, mod_env.c, mod_log_config.c, mod_mime.c, mod_negotiation.c, mod_status.c, mod_include.c, mod_autoindex.c, mod_dir.c, mod_cgi.c, mod_asis.c, mod_imap.c, mod_actions.c, mod_userdir.c, mod_alias.c, mod_access.c, mod_auth.c, mod_setenvif.c
    30. More Useful Apache Modules
       • Controlling Your Server’s Responses:
         – mod_proxy: control access to Internet sites
         – mod_rewrite: remap URLs on the fly
       • Enabling Robust Server-Side Scripting:
         – mod_fastcgi: better performance than mod_cgi
         – mod_perl: perl interpreter in the apache executable
         – mod_php: apache support for PHP scripting
       • Anticipating Common (Re-) Configuration Issues
       • Limitations on the Win32 Platform: Still Beta Quality Code
    31. Out-of-Box Win32
       • Win32 Can Be Installed on Win95/98, NT Workstation 4.0 or NT Server 4.0 (NT Server Version 1.3+)
       • Source Comes With Distribution, But to Compile You Must Have a Compiler Installed
       • Documentation Recommends Using Visual C++
       • Running it on NT Server Means It Can Run as a Service, Which is More Efficient
       • Soon Find You Need Unix-Like Features:
         – More Robust Command Line Tools
         – Remote Management Capabilities
    32. Apache Win32 Admin: Adding Robust Command Line Tools
       • Free Option: Cygnus GNU Tools
         – User and Developer Tools
         – Available From http://www.cygnus.com (Also included with Apache, The Definitive Guide)
       • Commercial Option: MKS Toolkit
         – Contains Visual Tools as Well as Command Line: Visual Pax, Visual Diff, GUI port of vi
         – Comes With Extensive Documentation
    33. Apache Win32 Admin: Adding Remote Management
       • Free Option: Virtual Network Computing
         – Available from http://www.uk.research.att.com/vnc/
       • Commercial Options:
         – pcANYWHERE
         – Timbuktu
       • Using VNC, You Can Manage Linux and NT From the Same PC Workstation
    34. Making Good Use of Apache Directives on Win32
       • Core Directives Covered For Linux Also Apply to Win32
       • Excellent Listing of Modules and Directives in Appendix A of Apache Server For Windows, Little Black Book (Holden & Keller)
       • Business Need: To Test The Power of Win32 Apache as a Development Platform
       • Technical Solution for Adding Ability For Dynamic Web Content: mod_cgi, mod_php and mod_perl
    35. Empowering Your Developers: Apache Web Development Environment
       • Server-Side Scripts With CGI and Perl Supported on Both Linux and Win32
       • Linux and Win32 Support For PHP as Well
       • Kick It Up a Notch With mod_perl
       • First Step: Getting Perl Running On Your System
         – RH Linux 6.0: Default Perl Installation (5.005_03); Use the RPM to Update
         – On Win32: ActiveState Distribution, http://www.activestate.com/
    36. Web Programming Support: The Common Gateway Interface on Win32
       • The Binary Distribution of Apache 1.3.6 For Win32 has statically-linked mod_cgi support (Try apache -l to Verify)
       • Make sure the ScriptAlias is Set:
           ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache/cgi-bin/"
       • Test Simple Script Called variables.pl in DOS Box, Then Run Through CGI Interface
    37. Web Programming Support: PHP on Apache for Win32
       • Get Windows Binary From a Local Mirror: http://www.php.net/download-php.php3
       • Win32 Installation Documentation: http://www.php.net/manual/install-windows95-nt.php3
       • Win32 Config Documentation: http://www.php.net/manual/config-apache-nt.html
       • Note: PHP Win32 Works With IIS 3 and 4, PWS, and Apache 1.3.X
    38. Win32 PHP For Windows 98: The Details
       • Set up a PHP3 Directory and Move the Contents of the Archive There; Use c:\php3
       • Copy php3.ini-dist to c:\windows\php3.ini
         – Set extension_dir = c:\php3
       • Add/Modify The Following Directives in httpd.conf
         – ScriptAlias /php3/ "c:/php3/"
         – AddType application/x-httpd-php3 .php3
         – AddType application/x-httpd-php3 .phtml
         – Action application/x-httpd-php3 "/php3/php.exe"
       • Test with test.php3
    39. Web Programming Support: SSI and CGI on Linux
       • With RH Linux 6.0 Support For mod_include and mod_cgi is Enabled Through DSO
       • Make Sure That httpd.conf Contains These Directives Uncommented:
           LoadModule includes_module modules/mod_include.so
           AddModule mod_include.c
           LoadModule cgi_module modules/mod_cgi.so
           AddModule mod_cgi.c
       • Example using mod_cgi: Simple CGI Variables Query (Command Line and Browser)
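Added example, not from the slides: the same LoadModule/AddModule form shown above for mod_include and mod_cgi, applied to mod_status so that the apachectl status and fullstatus options discussed earlier work on the RH 6.0 rpm without a rebuild, plus the access control the status page needs. The module path follows the rpm's modules directory; no other names are assumed.

```apache
# mod_so is compiled into the rpm's httpd, so mod_status loads as a DSO.
# Both lines are needed: LoadModule maps the object in, AddModule activates it.
LoadModule status_module modules/mod_status.so
AddModule mod_status.c

# With ExtendedStatus On the report also lists each child's client address and
# the request it is serving. Leave it Off unless you are actively debugging.
ExtendedStatus Off

# apachectl status/fullstatus fetch the report from localhost, so the handler
# only needs to answer the loopback address. The page reveals server version,
# uptime, load and per-child activity, so deny it to everyone else.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

Check the result with apachectl configtest, then apachectl status; a request for /server-status from any other address should log a 403 in the access log.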
    40. Web Programming Support: Kicking It Into High Gear With mod_perl
       • Get Source and Compile mod_perl: http://perl.apache.org/dist/
       • Enable DSO Support
       • Configure mod_perl as a mod_cgi replacement
       • Tap Into the Wealth of mod_perl-based modules for Apache: http://www.perl.com/CPAN/modules/by-module/Apache
    41. MS Technologies and Apache: Apache::ASP
       • Apache::ASP Available From CPAN (Comprehensive Perl Archive Network): http://www.perl.com/CPAN/modules/by-module/Apache/
       • This Only Supports Perl Scripting for ActiveX; To Use VBScript or JScript You Will Need ChiliSoft’s ASP Technology (http://www.chilisoft.com/)
    42. Empowering Your Users: Challenges of Content Management For Your Web Presence
       • Allowing Windows Users to Access a Linux Server
         – Manage From the Server Side: Samba vs. FP 2000 Extensions
         – Manage From the Client Side: FTP Clients vs. PC-NFS
       • Allowing UNIX Users to Access a PC Server? FTP? Your Internal Users are on NT Workstations.
    43. MS Technologies and Apache: FrontPage 2000 Extensions
       • Extensions, installation script and Apache patch: http://msdn.microsoft.com/workshop/languages/fp/2000/unixfpse.asp
       • Installing the FP 2000 Extensions using fp_install.sh
         – Gotcha: Need to Set AllowOverride All for document root
         – Installs SERK and Admin Tools in /usr/local/frontpage/
         – Modification to srm.conf allows _vti_bin scripting
    44. Using FrontPage 2000 Extensions
       • Administering the Extensions
       • SERK Installed Along With Extensions: http://127.0.0.1/SERK/inunix.htm (Need to Create Alias or Move to Doc Root)
       • Demo of Command Line Admin Utility: /usr/local/frontpage/version4.0/bin/fpsrvadm.exe
       • HTML Interface Also Available: http://127.0.0.1/admin/fpadmin.htm
    45. FrontPage 2000 Extensions: Upside and Downside
       • What the Extensions Offer Your Users
         – Elimination of Need For FTP
         – Ease of Update and Integration With MS Office
       • Risks Associated With the Extensions Install Script:
         – Changes Permissions For Document Root (Option to Do This Later is Offered)
         – Modifies Config Files (here srm.conf)
    46. Roll Your Own Apache Binary With Support For FrontPage 2000 Extensions
       • Big Gotcha! With The FP Patched Version of Apache, Problems With Support For Default Modules Not Compiled In
       • Suggest Compiling Your Own Patched Version of Apache to Avoid Removing Support For Modules You Are Using
       • FrontPage module support documented in SERK (Server Extension Resource Kit)
    47. Class Break: Take 15 Minutes
    48. Everyday Troubleshooting Hints
       • Working With Logs: Access Logs, Error Logs and Changing Log Formats
       • Some Statistics-Generating Programs You Might Use
       • Testing Your Server
       • Fixing SSI and CGI Problems
       • Win32-Specific Issues
       • Unix-Specific Issues
    49. Performance Monitoring
       • Using mod_status via apachectl
       • Log File Analysis: Webalizer Example
       • SNMP and Apache:
         – Running an Open Source Pinger
           • SPONG: Son of Pong, http://www.edsgarage.com/projects/spong/index.html
         – Plugging Your Apache Server Into Commercial Network Management Tools
    50. Performance Tuning: Some Things to Consider
       • Hardware Issues
       • Configuration Tuning: Directives That Can Slow You Down (Reverse DNS Lookups, etc.)
       • Compile-Time Options You May Want to Revisit
       • Issues With Large Sites: Adding Processes, etc.
    51. Web Security, Some First Steps
       • Your Boss Asks You To Help With a Web Server Security Appendix to the GRSL Operations Manual. Some Considerations Include:
         – Preventing A Break-In and What To Do If You’re Hacked
         – Authentication on the Web: more on htaccess, directories and databases
         – Tips for Securing Apache (Among Others: CGI Risks, suEXEC, CGIWrap)
         – After the Break-in: Damage Control, Getting Up and Running Again and Making Sure It Doesn’t Happen Again
    52. Securing Your Web Transactions: SSL on the Apache Platform
       • Many Options You Have in Securing the GRSL External Web Site: Commercial Options (Stronghold, etc.), Apache-ssl, mod_ssl
       • We Will Use mod_ssl Because it is Free and Runs as a Module (Get mod_ssl-2.3.11-1.3.6.tar.gz from http://www.modssl.org/)
    53. Securing Your Web Transactions: Other SSL Options
       • Could Also Use Apache-ssl: Free and the Authors focus on “reliability, security and performance, rather than features and bells and whistles” (Adam Laurie)
         – Redhat FTP Site Has an SRPM for apache-ssl at: ftp://ftp.redhat.com/contrib/libc6/SRPMS/
         – Alternatively You Can Get Apache-ssl from a Mirror Site (See http://www.apache-ssl.org/)
       • Commercial Options: Red Hat Secure Server, Stronghold, etc.
    54. mod_ssl Installation and Configuration: First Steps
       • Need to Get and Install SSLeay, So Go To: ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL
       • Next Unpack and Compile SSLeay
       • Gotcha: Where Is Perl Installed? Read the Install File, There is a Fix!
       • Need to Get and Install OpenSSL, Go To: http://www.openssl.org/source/
       • Next Unpack and Compile OpenSSL
    55. mod_ssl Installation/Configuration: Rebuilding Apache
       • Delete Apache Source Tree and Reinstall
       • Expand the mod_ssl Archive Into Your redhat/SOURCES Directory at the Same Level as the apache_1.3.6 Directory
       • Run The Following:
           $ ./configure --with-apache=../apache_1.3.6 --with-ssl=/usr/src/openssl-0.9.4
           $ cd ../apache_1.3.6
           $ SSL_BASE=/usr/src/openssl-0.9.4 ./configure ... --enable-module=ssl
           $ make
           $ make certificate TYPE=test
           $ make install
    56. Digital Certificates and Signatures
       • In the Apache Source Tree You Now Have a PEM-encoded X.509 certificate signing request file called conf/ssl.csr/server.csr; Send this file to a Real CA for Signing
       • Certificate Authorities (CA)
    57. Running Apache With SSL
       • Starting the Server With SSL:
           [root@apache bin]# ./apachectl sslstart
           Apache/1.3.6 mod_ssl/2.3.11 (Pass Phrase Dialog)
           Some of your private key files are encrypted for security reasons.
           In order to read them you have to provide us with the pass phrases.
           Server apache.clioweb.net:443
           Enter pass phrase:
           Ok: Pass Phrase Dialog successful.
           ./apachectl sslstart: httpd started
           [root@apache bin]#
       • Browsing the Site (Demo)
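Added example of the httpd.conf pieces the rebuilt server needs before apachectl sslstart does anything useful; it is not configuration from the tutorial. It assumes the source build installed under /usr/local/apache, that make certificate TYPE=test left the test certificate and key in conf/ssl.crt/ and conf/ssl.key/ beside the conf/ssl.csr/server.csr request mentioned above, and that www.grsl.example and /customers are placeholder names.

```apache
# Plain HTTP stays on 80; the SSL host listens on 443.
Listen 80
Listen 443

# The customer area (the htaccess-protected directory from Demo #3) must never
# be reached in the clear, whichever port the request arrives on.
<Location /customers>
    SSLRequireSSL
</Location>

<VirtualHost _default_:443>
    ServerName   www.grsl.example
    DocumentRoot "/usr/local/apache/htdocs"
    ErrorLog     logs/ssl-error_log
    TransferLog  logs/ssl-access_log

    SSLEngine on
    # The test key is stored encrypted, which is why sslstart prompts for the
    # pass phrase; replace server.crt with the CA-signed certificate once the
    # CSR comes back.
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
</VirtualHost>
```

Keep conf/ssl.key/server.key readable by root only; the parent process reads it at startup before the children drop to nobody.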
    58. Summary
       • Through discussion and demonstrations this tutorial gave you the tools you need to stay ahead of the Apache knowledge curve.
       • You have gained an understanding of the basics of Apache support and a number of lesser-known "gotchas" of Apache administration on the UNIX and Windows NT platforms.
    59. Where to Get More Information on Apache
       • Web Sites
       • E-Mail Lists
       • Print Media: Books and Magazines
       • User Groups and Support Organizations
       • Conferences
    60. General Apache Web Sites
       • The Apache Group: http://www.apache.org
       • Builder.com’s Maximum Apache: http://builder.com/Servers/Apache/ss01.html
       • Apache RTFM Site: http://www.jlk.net/apache/
    61. Security-Related Web Sites
       • SSLeay and SSLapps FAQ: http://www2.psy.uq.edu.au/~ftp/Crypto/
       • “Linux Apache SSL PHP/FI frontpage mini-HOWTO” by Marcus Faure (PHP, FrontPage, SSL): http://www.redhat.com/mirrors/LDP/HOWTO/mini/Apache+SSL+PHP+fp.html
    62. E-Mail Lists and Newsgroups
       • Apache Week Mailing List: http://www.apacheweek.com
       • Dotslash Notification Service: http://www.dotslash.org/
       • Tech Republic’s Admin Republic: http://www.techrepublic.com/
       • Newsgroups: comp.infosystems.www.servers.unix, comp.infosystems.www.servers.ms-windows
    63. Print Media: Books/Magazines
       • O’Reilly Web Series
         – Apache, The Definitive Guide (Laurie & Laurie)
         – Web Performance Tuning (Killelea)
         – Web Security and Commerce (Garfinkel & Spafford)
       • Apache Server Administrator’s Handbook by Mohammed J. Kabir (IDG Books)
       • Apache Server For Windows, Little Black Book by Greg Holden and Matthew Keller (Coriolis Press)
    64. Support Organizations
       • Local Linux on NT User Groups
       • Laurie and Laurie Point to:
         – A.B. Enterprises http://www.futurefx.com
         – C2Net Software, Inc. http://www.c2.net
         – UK Web http://www.ukweb.com
         – Zyzzyva Enterprises http://www.zyzzyva.com/
    65. Conferences
       • O’Reilly Open Source Conference: http://conference.oreilly.com/
       • SANS: http://www.sans.org/
       • USENIX: http://www.usenix.org/
    66. Contact Information
       • ESM Services Has a Web Site at: http://www.esm.com
       • To Contact the Instructor, Send E-Mail to: dobe@esm.com
