LECTURE 6 NETWORK SERVICES PART2: WEB SERVICE
SYSTEM ADMINISTRATION MTAT.08.021
Prepared By: Amnir Hadachi and Artjom Lind
University of Tartu, Institute of Computer Science [email protected] / [email protected]
OUTLINE
LECTURE 6: NETWORK SERVICES- PART2- WEB SERVICE
• Web server and related network services:
1. Apache
2. Virtual hosts
3. Common directives
4. Log analyzers
5. FTP file server
6. NFS file server
7. Windows shares with Samba
8. HTTP/FTP proxy
9. LDAP directory
1. APACHE

APACHE
INFO:
Apache is the most widely used web server. Other servers (e.g. nginx, lighttpd) can offer better performance, usually by leaving out some of Apache's features and modules.
On Debian, Apache is installed by installing the apache2 package. The name "Apache" is commonly explained as "a patchy server", from the extensive patching of existing code the project started with.
Why Apache? Because it is:
Free software, released under the Apache License.
INFO: What is a web server? It is a program that accepts Hypertext Transfer Protocol (HTTP) requests from clients (web browsers) and returns HTTP responses, optionally carrying content (web pages).
APACHE
• The apache2 packages ship many modules, including the Multi-Processing Modules (MPMs):
• An MPM gives Apache the ability to handle many requests in parallel.
• The MPM in use (prefork, worker or event) strongly affects how Apache uses processes and threads; only one MPM can be loaded at a time.
INFO: (full list of modules) http://httpd.apache.org/docs/2.4/mod/index.html
APACHE
• Apache web server characteristics:
• Apache supports many features; most are implemented as compiled modules that extend the core functionality.
• These range from server-side programming language support to authentication schemes.
• Apache also ships compression modules, such as mod_deflate (Apache 2) or the older third-party mod_gzip, which reduce the size of pages served over HTTP.
APACHE
• Apache core components:
Component(s)                                    Description
http_protocol.c, http_main.c, http_request.c    In charge of handling the other extensions and their processes in order to keep the server functioning correctly (for example, authentication).
http_core.c                                     Handles all the basic functionality of the server, such as allocating requests, pooling the connections, etc.
APACHE
• Core components interactions (figure; the boxes shown in the diagram):
HTTP_MAIN (SERVER LOOP)
HTTP_REQUEST (PHASES OF REQUEST)
HTTP_CORE (MAIN FUNCTIONALITY)
HTTP_PROTOCOL (IMPLEMENTATION)
UTILITIES ALLOC (RESOURCE POOLS)
HTTP client modules, with dispatch to/from the core
APACHE
• Handling Requests (figure)
source: https://click.apache.org/docs/user-guide/html/ch02s02.html
2. VIRTUAL HOSTS

VIRTUAL HOSTS
DEFINITION:
Virtual hosting means running multiple web sites on one system.
QUOTE: A virtual host is an extra identity for the web server.
• Virtual host types:
• Virtual hosts based on the IP address
• Virtual hosts based on the domain name of the web server
VIRTUAL HOSTS
• Virtual host types:
• Virtual hosts based on the IP address:
✴ Requires allocating a different IP address for each site.
• Virtual hosts based on the domain name of the web server (name-based):
✴ Can work with a single IP address.
✴ Sites are differentiated by the hostname sent by the HTTP client (the Host: header).
✴ Caveat: a request whose Host: header matches no ServerName or ServerAlias is served by the first virtual host defined for that address and port, so make the first one a harmless default rather than a sensitive site.
VIRTUAL HOSTS
• Virtual hosts are described by a file:
• location: /etc/apache2/sites-available/ (enabled with a2ensite, which symlinks the file into sites-enabled)
EXAMPLE: THE /etc/apache2/sites-available/www.myspace.ee.conf FILE
    <VirtualHost *:80>
        ServerName www.myspace.ee
        ServerAlias myspace.ee
        DocumentRoot /srv/www/www.myspace.ee
    </VirtualHost>
VIRTUAL HOSTS
• Virtual host log files:
• By default, one log file is used for all virtual hosts.
• This can be changed by adding CustomLog directives inside each virtual host definition,
• or by defining a log format that records the virtual host name in /etc/apache2/conf-available/customlog.conf and enabling it with "a2enconf customlog" (older Debian releases used /etc/apache2/conf.d/ instead).
EXAMPLE: THE /etc/apache2/conf-available/customlog.conf FILE
    # New log format including (virtual) host name
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost
    # Now let's use this "vhost" format by default
    CustomLog /var/log/apache2/access.log vhost
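As an added example (not part of the lecture, and not Apache's or AWStats' code), the following Python parses lines written with the "vhost" LogFormat above, counts hits per virtual host, flags a client that repeatedly receives 401 on a password-protected path (a Basic-auth guessing attempt) and spots raw "../" traversal in the request line. The log lines are constructed for the example; the hostnames, client addresses and the 401 threshold are assumptions, not data from a real server.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# One named group per field of the "vhost" LogFormat:
#   %v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
VHOST_LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not taken from a real server); client addresses are
# documentation/private ranges and the hostnames follow the lecture's example domain.
SAMPLE_LOG = """\
www.myspace.ee 192.168.0.10 - - [10/Mar/2015:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
www.myspace.ee 203.0.113.7 - - [10/Mar/2015:10:00:02 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.38.0"
www.myspace.ee 203.0.113.7 - - [10/Mar/2015:10:00:03 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.38.0"
www.myspace.ee 203.0.113.7 - - [10/Mar/2015:10:00:04 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.38.0"
www.myspace.ee 203.0.113.7 - bob [10/Mar/2015:10:00:05 +0200] "GET /private/ HTTP/1.1" 200 1024 "-" "curl/7.38.0"
intranet.myspace.ee 192.168.0.11 - - [10/Mar/2015:10:00:06 +0200] "GET /../../etc/passwd HTTP/1.1" 400 - "-" "python-requests/2.5"
this line is not in the vhost format
"""


def parse_line(line):
    """Parse one access-log line in the vhost format; return a dict, or None if it does not match."""
    m = VHOST_LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # %r is the raw request line ("GET /path HTTP/1.1"); Apache logs it before any
    # path normalisation, which is why "../" is still visible here.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = urlsplit(parts[1]).path if len(parts) > 1 else ""
    return rec


def summarize(lines, auth_fail_threshold=3):
    """Per-vhost hit counts, clients hammering a Basic-auth path, and traversal attempts."""
    hits = Counter()
    auth_failures = defaultdict(Counter)   # vhost -> client -> number of 401 responses
    traversal, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        hits[rec["vhost"]] += 1
        if rec["status"] == 401:
            auth_failures[rec["vhost"]][rec["client"]] += 1
        if "../" in rec["path"] or "%2e%2e" in rec["path"].lower():
            traversal.append((rec["vhost"], rec["client"], rec["path"]))
    brute_force = sorted(
        (vhost, client, n)
        for vhost, clients in auth_failures.items()
        for client, n in clients.items()
        if n >= auth_fail_threshold
    )
    return {"hits": dict(hits), "brute_force": brute_force,
            "traversal": traversal, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Lines that do not match the format are returned rather than silently dropped: a sudden jump in unparsed lines usually means the LogFormat was changed on the server, which also breaks the AWStats configuration that expects the same fields.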
3. COMMON DIRECTIVES

COMMON DIRECTIVES
• The main directives are related to:
• Directive blocks
• Requiring authentication
• Restricting access
OBJECTIVE:
This section puts the spotlight on the most commonly used Apache configuration directives.
COMMON DIRECTIVES
• Directory blocks:
DEFINITION:
The main configuration file usually contains many directive blocks. They allow different behaviour to be specified for the server depending on the location of the file being served (e.g. a block that sets Options and AllowOverride).
EXAMPLE: DIRECTORY BLOCK
    <Directory /var/www>
        Options Includes FollowSymLinks
        AllowOverride All
        DirectoryIndex index.php index.html index.htm
    </Directory>
Note that this example is permissive: Includes enables server-side includes (use IncludesNOEXEC if #exec must not be available), FollowSymLinks lets a symlink inside the document root expose files outside it, and AllowOverride All lets anyone able to write a .htaccess file change the server's behaviour for that directory. Tighten these on a production server.
COMMON DIRECTIVES
• Directory blocks
• Within the directory blocks we have:
• DirectoryIndex
• Options
• AllowOverride
COMMON DIRECTIVES
• Directory blocks
• DirectoryIndex:
INFO:
DirectoryIndex contains a list of files to try when the client's request matches a directory. The first file in the list that exists is sent as the answer (if none exists and Options Indexes is set, a directory listing is generated instead).
COMMON DIRECTIVES
• Directory blocks
• Options:
INFO:
The Options directive is followed by a list of options to enable (the value None disables all of them).
Option                Description
ExecCGI               CGI scripts can be executed.
FollowSymLinks        Symbolic links can be followed.
SymLinksIfOwnerMatch  Symbolic links are followed only when the link and its target have the same owner (safer than FollowSymLinks).
MultiViews            Enables content negotiation.
Indexes               Generates a directory listing when no DirectoryIndex file is found (usually undesirable, since it exposes file names).
COMMON DIRECTIVES
• Directory blocks
• AllowOverride:
INFO:
The AllowOverride directive lists which groups of directives (e.g. AuthConfig, Limit, Options, FileInfo, Indexes; or All / None) may be set or overridden by a .htaccess file in that directory. With None, .htaccess files are not even read.
COMMON DIRECTIVES
• Requiring authentication:
INFO:
In some cases it is necessary to restrict access to parts of the website so that only the appropriate users, identified by a username and password, can reach them.
EXAMPLE: .htaccess FILE REQUIRING AUTHENTICATION
    AuthType Basic
    AuthName "Private directory"
    AuthUserFile /etc/apache2/authfiles/htpasswd-private
    Require valid-user
Basic authentication sends the credentials with every request only Base64-encoded, not encrypted, so serve such directories over HTTPS.
COMMON DIRECTIVES
• Requiring authentication:
INFO:
AuthUserFile /etc/apache2/authfiles/htpasswd-private
The /etc/apache2/authfiles/htpasswd-private file contains the list of users and their (hashed) passwords. It is commonly manipulated with the htpasswd command; keep it outside the DocumentRoot so it can never be served.
EXAMPLE: COMMAND TO ADD A USER OR CHANGE A PASSWORD
    # htpasswd /etc/apache2/authfiles/htpasswd-private user
    New password:
    Re-type new password:
    Adding password for user user
Use htpasswd -c only the first time (it creates the file and would overwrite an existing one), and prefer htpasswd -B to store bcrypt hashes instead of the default MD5-based ones.
COMMON DIRECTIVES
• Restricting Access:
• Example of a type of restriction:
• based on the IP address
INFO:
Restricting access is used to control access to specific directories, and recursively their subdirectories, based on many criteria.
ONLY ALLOW FROM THE LOCAL NETWORK (Apache 2.2 syntax, still accepted by 2.4 through mod_access_compat)
    Order deny,allow
    Allow from 192.168.0.0/16
    Deny from all
The Apache 2.4 equivalent with mod_authz_core is a single line:
    Require ip 192.168.0.0/16
Avoid mixing the two styles in one configuration, and note that the Order keyword matters: with "Order allow,deny" the same Allow/Deny lines would deny everyone, because Deny is evaluated last.
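The following Python is an added example, not part of the lecture and not Apache code: it models the Apache 2.2 Order/Allow/Deny decision (the semantics mod_access_compat keeps in 2.4) next to the 2.4 "Require ip" decision, so the effect of the Order keyword can be checked for a given client address before the block goes live. The two configuration blocks are the slide's block and a constructed variant with the Order reversed; only "all", CIDR networks and single addresses are modelled (real Apache also accepts partial addresses and domain names).

```python
import ipaddress

# The Directory block from the slide (Apache 2.2 / mod_access_compat syntax).
SLIDE_BLOCK = """\
Order deny,allow
Allow from 192.168.0.0/16
Deny from all
"""

# Constructed variant: same Allow/Deny lines with the Order reversed, a common copy-paste mistake.
MISCONFIGURED_BLOCK = """\
Order allow,deny
Allow from 192.168.0.0/16
Deny from all
"""


def _matches(ip, specs):
    """True if ip matches any host spec: 'all', a CIDR network or a single address."""
    for spec in specs:
        if spec == "all":
            return True
        if ip in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def parse_legacy_block(text):
    """Pull Order / Allow from / Deny from out of a Directory block's text."""
    order, allow, deny = "deny,allow", [], []   # deny,allow is Apache's default Order
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key == "allow" and len(parts) > 2 and parts[1].lower() == "from":
            allow.extend(p.lower() for p in parts[2:])
        elif key == "deny" and len(parts) > 2 and parts[1].lower() == "from":
            deny.extend(p.lower() for p in parts[2:])
    return order, allow, deny


def access_2_2(order, allow, deny, client_ip):
    """Apache 2.2 mod_authz_host semantics (mod_access_compat in 2.4).
    Order allow,deny: Allow lines first, then Deny. Accepted only if the client
      matches an Allow AND does not match a Deny; a client matching nothing is denied.
    Order deny,allow: Deny lines first, then Allow. Refused only if the client
      matches a Deny AND does not match an Allow; a client matching nothing is allowed."""
    ip = ipaddress.ip_address(client_ip)
    allowed, denied = _matches(ip, allow), _matches(ip, deny)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("unknown Order %r" % order)


def is_allowed_2_2(block_text, client_ip):
    return access_2_2(*parse_legacy_block(block_text), client_ip)


def access_2_4(require_ip, client_ip):
    """Apache 2.4 mod_authz_core 'Require ip a b c': granted only if the client
    matches one of the listed networks; nothing is allowed implicitly."""
    return _matches(ipaddress.ip_address(client_ip), require_ip)


if __name__ == "__main__":
    for ip in ("192.168.1.5", "203.0.113.7"):
        print(ip, "slide block:", is_allowed_2_2(SLIDE_BLOCK, ip),
              "reversed Order:", is_allowed_2_2(MISCONFIGURED_BLOCK, ip),
              "Require ip:", access_2_4(["192.168.0.0/16"], ip))
```

Running it shows the trap the slide's wording hides: the reversed block denies the local network too, because 192.168.1.5 matches "Deny from all" and, under allow,deny, Deny has the last word.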
4. LOG ANALYZERS

LOG ANALYZERS
• Example of a log analyzer:
• "Advanced Web Statistics", AWStats.
INFO:
Log analyzers are useful for following the activity on your websites and, most importantly, give administrators a precise idea of the usage patterns on their web servers.
LOG ANALYZERS
• AWStats:
• configuration:
• can be customized through its configuration file, location: /etc/awstats/awstats.conf
EXAMPLE: AWSTATS CONFIGURATION FILE AND ITS PARAMETERS
    LogFile="/var/log/apache2/access.log"
    LogFormat="%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
    SiteDomain="www.myspace.ee"
    HostAliases="myspace.ee REGEX[^.*\.myspace\.ee$]"
    DNSLookup=1
    LoadPlugin="tooltips"
The LogFormat must match the "vhost" format defined on the Apache side field for field (%virtualname for %v, %host for %h, and so on), otherwise AWStats silently skips the lines it cannot parse.
LOG ANALYZERS
• AWStats:
• Access to stats:
• AWStats statistics are web based and, by default, there is no restriction on accessing them. Restrict them, either by IP address with the AllowAccessFromWebToFollowingIPAddresses parameter or with Apache authentication, since they reveal internal hostnames, paths and visitor addresses.
• Each virtual host needs its own AWStats configuration file.
EXAMPLE: AWSTATS CONFIGURATION FILE FOR A VIRTUAL HOST
    Include "/etc/awstats/awstats.conf"
    SiteDomain="www.myspace.ee"
    HostAliases="myspace.ee"
LOG ANALYZERS
CAUTION:
For AWStats to take all log lines into account, it must run right before the Apache log files are rotated. This is handled by the prerotate directive in /etc/logrotate.d/apache2, which runs everything in /etc/logrotate.d/httpd-prerotate: add a symlink to /usr/share/awstats/tools/update.sh there.
    $ cat /etc/logrotate.d/apache2
    /var/log/apache2/*.log {
        daily
        missingok
        rotate 14
        compress
        delaycompress
        notifempty
        create 644 root adm
        sharedscripts
        postrotate
            if /etc/init.d/apache2 status > /dev/null ; then \
                /etc/init.d/apache2 reload > /dev/null; \
            fi;
        endscript
        prerotate
            if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                run-parts /etc/logrotate.d/httpd-prerotate; \
            fi; \
        endscript
    }
    $ sudo mkdir -p /etc/logrotate.d/httpd-prerotate
    $ sudo ln -sf /usr/share/awstats/tools/update.sh \
        /etc/logrotate.d/httpd-prerotate/awstats
5. FTP FILE SERVER

FTP FILE SERVER
DEFINITION:
The File Transfer Protocol (FTP) was standardized in 1985 (RFC 959) and was used to distribute files before the web was even born. It allows both file uploads and downloads.
Figure: the FTP client and FTP server exchange FTP commands and FTP replies over the control connection; file contents travel over a separate data connection.
Plain FTP transmits usernames, passwords and data in cleartext; prefer FTPS (FTP over TLS) or SFTP (file transfer over SSH) wherever possible.
FTP FILE SERVER
• Requirements for using FTP:
• An FTP client installed on your machine
• Information about the FTP server:
• the FTP server address
• authentication details (username, password)
FTP FILE SERVER
• An FTP client has two modes of data connection:
• Active mode
• The client opens a port and listens; the server actively connects to it (from its port 20) after the client announces the address and port with the PORT command.
• Passive mode
• The server opens a port and listens (passively); the client connects to it after learning the address and port from the server's reply to the PASV command.
• Passive mode is usually required when the client sits behind NAT or a firewall, since inbound connections to the client would be blocked; on the server side the passive port range must then be opened in the firewall.
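As an added example (not part of the lecture, and not the code of any FTP implementation), the Python below handles both sides of the data-connection negotiation just described: it decodes a PASV reply on the client side and flags a server that advertises a different host than the control connection's peer, and it validates a PORT command on the server side, rejecting a target host other than the client or a privileged port, which is the standard defence against the FTP bounce attack. The command and reply strings are constructed for the example, as are the addresses.

```python
import re

# 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." ; port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2), validating each byte."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % (groups,))
    return "%d.%d.%d.%d" % tuple(nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv_reply(reply, control_peer_ip):
    """Client side, passive mode. Returns (host, port, redirected).
    redirected is True when the server advertised a host other than the one the
    control connection is talking to; a careful client ignores that host and
    connects to control_peer_ip:port instead, or aborts the transfer."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    host, port = _decode(m.groups())
    return host, port, host != control_peer_ip


def build_port_command(client_ip, port):
    """Client side, active mode: announce the listening socket with PORT."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    return "PORT %s,%d,%d" % (client_ip.replace(".", ","), port // 256, port % 256)


def validate_port_command(cmd, control_peer_ip, min_port=1024):
    """Server side, active mode. Returns (host, port, problems); an empty problems
    list means the server may open the data connection. A PORT naming another
    host, or a privileged port, is how the FTP bounce attack is launched."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None, None, ["malformed PORT command"]
    host, port = _decode(m.groups())
    problems = []
    if host != control_peer_ip:
        problems.append("PORT host %s differs from control peer %s" % (host, control_peer_ip))
    if port < min_port:
        problems.append("PORT targets privileged port %d" % port)
    return host, port, problems


if __name__ == "__main__":
    # Constructed exchange: client 192.168.0.10 talks to server 192.168.0.20.
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,0,20,195,149).", "192.168.0.20"))
    print(parse_pasv_reply("227 Entering Passive Mode (10,0,0,99,0,80).", "192.168.0.20"))
    print(build_port_command("192.168.0.10", 50001))
    print(validate_port_command("PORT 10,0,0,5,0,25", "192.168.0.10"))
```

The second PASV reply and the last PORT command are the two abuse patterns: a server steering the client's data connection to a third host, and a client asking the server to connect to port 25 of a machine it could not reach itself.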
6. NFS FILE SERVER

NFS FILE SERVER
DEFINITION:
The Network File System (NFS) is a protocol allowing remote access to a filesystem over the network.
Limitation:
The latest version (NFSv4) is hard to configure: managing its security features, such as authentication or encryption, is not a straightforward task. Without them, the server trusts the client's IP address and the user IDs the client claims.
NFS FILE SERVER
• NFS procedures (the RPC procedures as defined for NFSv2):
Procedure  Function
LOOKUP     Returns a file handle and attributes corresponding to a file name in a specified directory.
MKDIR      Create a directory.
RMDIR      Delete a directory.
READDIR    Read a directory.
RENAME     Rename a file.
REMOVE     Delete a file.
CREATE     Create a file.
READ       Read from a file, specifying the file handle, the starting offset and the maximum number of bytes to read (up to 8192).
WRITE      Write to a file.
GETATTR    Returns the attributes of a file: type of file, permissions, size, owner, last-access time, and so on.
SETATTR    Sets the attributes of a file: permissions, owner, group, size, last-access and last-modification time.
LINK       Create a Unix hard link to a file.
SYMLINK    Create a symbolic link to a file.
READLINK   Returns the name of the file to which the symbolic link points.
STATFS     Returns the status of a file system. Used by the Unix df command, for example.
NFS FILE SERVER
• Securing NFS:
• The easy way is to use the Kerberos-based security features (sec=krb5, krb5i or krb5p), which authenticate users rather than machines.
• If not:
• Restrict which hosts can reach the RPC services NFS depends on (rpcbind, rpc.mountd, nfsd) with a firewall.
• The firewall must also block IP spoofing, because without Kerberos the server trusts the client's IP address (the one listed in /etc/exports) and the user IDs the client claims.
DEFINITION:
RPC, "Remote Procedure Call", is a UNIX standard for remote services.
NFS FILE SERVER
• NFS server:
• One configuration file: /etc/exports
• Each line defines an exported location, a list of authorized clients, and options
• A client is identified by:
1. A machine name
2. Wildcards on a domain name
3. A netgroup (if NIS is used)
4. An IP address or network (address/netmask)
• Options include: rw, ro, root_squash (maps the client's root to the anonymous user; the default), all_squash (maps every client user to the anonymous user), anonuid/anongid (which anonymous uid/gid to use)
• Never use no_root_squash unless the client machine is fully trusted: it gives remote root full root access to the export.
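The following Python is an added example, not part of the lecture and not the NFS utilities' own code: a small parser for /etc/exports lines in the format described above, followed by an audit that reports the entries a reviewer looks for first (world exports, writable wildcard exports, no_root_squash, insecure). The sample exports file is constructed; it reproduces two classic mistakes that exportfs only warns about: an option list with no host in front of it, and a space between the host and its options, both of which export to every host.

```python
import re

# Constructed /etc/exports (not from a real server). The last two lines show the
# two classic mistakes: "(opts)" with no host, and "host (opts)" with a space,
# which exportfs reads as "host with defaults" plus "everyone with opts".
SAMPLE_EXPORTS = """\
/shared      192.168.0.0/24(rw,sync,root_squash) *.internal.myspace.ee(ro,sync)
/export/root 192.168.0.5(rw,no_root_squash)
/pub         (ro,all_squash)
/home/joe    pc001 (rw)
"""

SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # client[(opt,opt,...)]


def parse_exports(text):
    """Return (path, client, [options]) triples the way exportfs reads them."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]   # a bare path is exported to everyone
        for spec in specs:
            m = SPEC_RE.match(spec)
            if m is None:
                raise ValueError("cannot parse %r" % spec)
            client, opts = m.group(1), m.group(2)
            options = [o.strip() for o in opts.split(",") if o.strip()] if opts else []
            entries.append((path, client or "*", options))   # empty client means every host
    return entries


def audit_exports(text):
    """Flag risky entries. Codes:
    world           exported to every host ('*')
    rw_wildcard     writable by a wildcard or world client
    no_root_squash  remote root keeps uid 0 on the export
    insecure        requests accepted from unprivileged source ports"""
    findings = []
    for path, client, options in parse_exports(text):
        world = client == "*"
        wildcard = world or "*" in client or "?" in client
        if world:
            findings.append((path, client, "world"))
        if "rw" in options and wildcard:
            findings.append((path, client, "rw_wildcard"))
        if "no_root_squash" in options:
            findings.append((path, client, "no_root_squash"))
        if "insecure" in options:
            findings.append((path, client, "insecure"))
    return findings


if __name__ == "__main__":
    for path, client, code in audit_exports(SAMPLE_EXPORTS):
        print("%-14s %-24s %s" % (path, client, code))
```

Run it against the real file before running exportfs -ra; the /home/joe line is the one that bites in practice, because the intended client pc001 ends up with default (read-only) access while the whole network gets rw.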
NFS FILE SERVER
• NFS server start:
• Start rpc.mountd and rpc.nfsd
• Optionally start rpc.statd and rpc.lockd (needed for file locking)
• Use rpcinfo -p to check that the services are registered and working
• Files:
1. /var/lib/nfs/rmtab contains client information
2. /var/lib/nfs/etab contains detailed export information
3. /proc/fs/nfs/exports contains the list of clients
4. /var/lib/nfs/xtab contains explicit machine names
• If /etc/exports is updated, use the exportfs command (exportfs -ra) to inform the servers
NFS FILE SERVER
• NFS client:
MANUALLY MOUNTING WITH THE mount COMMAND
    # mount -t nfs4 -o rw,nosuid arrakis.internal.myspace.ee:/shared /srv/shared
EXAMPLE: NFS ENTRY IN THE /etc/fstab FILE
    arrakis.internal.myspace.ee:/shared /srv/shared nfs4 rw,nosuid 0 0
The nosuid option stops set-uid binaries on the share from granting privileges on the client; add nodev as well so that device nodes on the share are ignored.
NFS FILE SERVER
• NFS protocol (figure):
Client side: user process -> NFS client in the client kernel (next to local file access on the local disk) -> RPC over TCP/UDP -> IP
Server side: IP -> RPC over TCP/UDP -> NFS server in the server kernel (port 2049) -> local file access -> local disk
7. WINDOWS SHARES WITH SAMBA

WINDOWS SHARES WITH SAMBA
• Samba
DEFINITION:
Samba is a tool that handles the Server Message Block (SMB) protocol, also known as CIFS, on Linux. This protocol is used by Windows for network shares and shared printers.
Samba can also act as a Windows domain controller. Besides, it is a good tool for ensuring seamless integration of Linux servers with office desktop machines still running Windows.
DEFINITION:
SMB is an application-layer network protocol used to provide shared access to files, printers and ports. In addition, it carries authentication and an inter-process communication mechanism.
WINDOWS SHARES WITH SAMBA
• Samba server
• The Samba 4 package contains two main processes/servers:
• smbd (file and printer sharing, authentication)
• nmbd (NetBIOS name service and browsing)
• Samba can be started in three ways:
• Manually
• As stand-alone daemons
• From inetd
WINDOWS SHARES WITH SAMBA
• Samba server
• Configuration with debconf
• The installation performs only a minimal configuration by default.
• To (re)configure, run: dpkg-reconfigure samba-common
• Information needed:
• the name of the workgroup
• whether the package should pick up the WINS server settings from DHCP
WINDOWS SHARES WITH SAMBA
• Samba server
• Manual configuration
• Changes are made in /etc/samba/smb.conf
    [global]
    ## Browsing/Identification ###
    # Change this to the workgroup/NT-domain name your Samba server will part of
    workgroup = FALCOTNET
    # Windows Internet Name Serving Support Section:
    # WINS Support - Tells the NMBD component of Samba to enable its WINS Server
    wins support = yes
    [...]
    ####### Authentication #######
    # Server role. Defines in which mode Samba will operate. Possible
    # values are "standalone server", "member server", "classic primary
    # domain controller", "classic backup domain controller", "active
    # directory domain controller".
    #
    # Most people will want "standalone server" or "member server".
    # Running as "active directory domain controller" will require first
    # running "samba-tool domain provision" to wipe databases and create a
    # new domain.
    server role = standalone server
    # "security = user" is always a good idea. This will require a Unix account
    # in this server for every user accessing the server.
    security = user
    [...]
wins support = yes: indicates that Samba should act as a NetBIOS name server (WINS) for the local network.
security = user: this is the default value; however, since it is central to the Samba configuration, setting it explicitly is recommended. Each user must authenticate before accessing any share.
WINDOWS SHARES WITH SAMBA
• Samba server
• Manual configuration
• Each Samba user needs an account on the server
• Steps:
• Create a Unix account (adduser)
• Register the user in the Samba password database (smbpasswd -a user); Samba keeps its own password hashes, separate from /etc/shadow
WINDOWS SHARES WITH SAMBA
• Samba client
• Mounting Windows shares
INFO:
The Samba client has useful features that allow a Linux machine to access Windows shares and shared printers. The needed programs are available in the cifs-utils and smbclient packages.
INFO:
The mount command can mount a Windows share into the Linux file system hierarchy; it accepts many CIFS-specific options.
EXAMPLE: MOUNTING A WINDOWS SHARE
    mount -t cifs //arrakis/shared /shared \
        -o credentials=/etc/smb-credentials
The credentials file holds username=, password= and optionally domain= lines; make it readable by root only (chmod 600) so that the password appears neither on the mount command line nor in the process list.
WINDOWS SHARES WITH SAMBA
• Samba client
• Shared printers
• Example: CUPS, which allows installing Windows shared printers.
• Required steps with CUPS:
➡ Enter the CUPS configuration interface: http://localhost:631/admin
➡ Click on "Add Printer".
➡ Choose the printer device, pick "Windows Printer via SAMBA".
➡ Enter the connection URI for the network printer. It should look like: smb://user:password@server/printer
➡ Enter the name that will uniquely identify this printer. Then enter the description and location of the printer. Those are the strings that will be shown to end users to help them identify the printers.
➡ Indicate the manufacturer/model of the printer, or directly provide a working printer description file (PPD).
Note that the URI stores the Samba password in the CUPS configuration (/etc/cups/printers.conf); use a dedicated low-privilege account for printing.
8. HTTP/FTP PROXY

HTTP/FTP PROXY
• Concept:
DEFINITION:
An HTTP/FTP proxy acts as an intermediary for HTTP and/or FTP connections. It has two roles:
1. Caching: downloaded documents are copied locally, so repeated downloads of the same document are avoided.
2. Filtering: when the proxy is used, it decides whether or not each request is to be granted.
Figure (request flow through a caching proxy): 1. the user requests web content; 2. the proxy sends the web request to the Internet; 3. the web content is returned to the proxy; 4. the content is stored in the proxy cache; 5. the user receives the web content.
HTTP/FTP PROXY
• Installation:
• Debian package: squid3
• contains only the caching proxy itself.
• Needs:
• squidguard package: gives it filtering ability
• squid-cgi package: gives a querying and administration interface for the Squid proxy.
HTTP/FTP PROXY
• Cache configuration:
• Enabling caching requires editing the file /etc/squid3/squid.conf
THE /etc/squid3/squid.conf FILE (EXCERPTS)
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    # Example rule allowing access from your local networks. Adapt
    # to list your (internal) IP networks from where browsing should
    # be allowed
    acl our_networks src 192.168.1.0/24 192.168.2.0/24
    http_access allow our_networks
    http_access allow localhost
    # And finally deny all other access to this proxy
    http_access deny all
http_access rules are evaluated in order and the first matching line wins, so keep the final "deny all": without it, a proxy reachable from the Internet becomes an open proxy.
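The following Python is an added example, not part of the lecture and not Squid's code: it evaluates http_access rules the way Squid does (rules in file order, all ACLs on a line must match, first match wins, and when nothing matches the opposite of the last rule's action applies) for a given client address. The first configuration is the slide's excerpt plus Squid's stock localhost ACL; the second is a constructed configuration whose author wrote only a deny rule and forgot the final "deny all", which turns the proxy into an open proxy for everyone else. Only src ACLs are modelled; the built-in "all" ACL is predefined as in Squid.

```python
import ipaddress

# The slide's excerpt, plus squid's stock "localhost" ACL (constructed for the example).
SQUID_CONF = """\
acl localhost src 127.0.0.1/32 ::1
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
"""

# Constructed: a deny rule with no final "deny all" after it.
NO_FINAL_DENY = """\
acl bad_hosts src 203.0.113.0/24
http_access deny bad_hosts
"""


def parse_squid(text):
    """Collect 'acl NAME src ...' definitions and http_access rules in file order.
    Only src ACLs are modelled; 'all' is squid's built-in match-everything ACL."""
    acls = {"all": None}          # None = matches every address
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            name, values = parts[1], parts[3:]
            if "all" in values:
                acls[name] = None
            elif acls.get(name, []) is not None:
                acls.setdefault(name, []).extend(
                    ipaddress.ip_network(v, strict=False) for v in values)
        elif len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _acl_hit(acls, token, ip):
    """Match one ACL token, honouring a leading '!' (negation)."""
    negated = token.startswith("!")
    nets = acls[token.lstrip("!")]     # KeyError for an undefined ACL: squid refuses to start
    hit = True if nets is None else any(ip in n for n in nets)
    return hit != negated


def http_access(text, client_ip):
    """Decide as squid does: rules in order, every ACL on a line must match (AND),
    first matching line wins. If no line matches, the OPPOSITE of the last line's
    action applies; with no http_access lines at all, access is denied."""
    acls, rules = parse_squid(text)
    ip = ipaddress.ip_address(client_ip)
    for action, tokens in rules:
        if all(_acl_hit(acls, t, ip) for t in tokens):
            return action == "allow"
    if not rules:
        return False
    return rules[-1][0] == "deny"      # no match: opposite of the last action


if __name__ == "__main__":
    for ip in ("192.168.1.20", "127.0.0.1", "203.0.113.7"):
        print(ip, "slide config:", http_access(SQUID_CONF, ip))
    for ip in ("203.0.113.9", "198.51.100.1"):
        print(ip, "no final deny:", http_access(NO_FINAL_DENY, ip))
```

The second configuration denies 203.0.113.0/24 as intended and, because its last rule is a deny, lets every other address on the Internet use the proxy; the fix is the same trailing "http_access deny all" the slide shows.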
HTTP/FTP PROXY
• Filter configuration:
• Squid does not handle filtering itself; it is delegated to squidGuard.
• Enabling squidGuard requires adding the URL rewriter to /etc/squid3/squid.conf:
    url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
• then reloading the service: service squid3 reload
• All filtering policies must be defined by the administrator, by creating the /etc/squid3/squidGuard.conf file.
For more information on how to create that file: http://www.squidguard.org/Doc/configure.html
9. LDAP DIRECTORY

LDAP DIRECTORY
INFO:
The Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email clients and other programs use to look up information on a server.
LDAP's main role: it defines a standard method for accessing and updating information in a directory.
LDAP DIRECTORY
• LDAP:
Advantages                                                       Disadvantages
Handles well information referenced by many entities             Very bad at handling information that changes often
Handles well multiple locations accessing the same information   Very bad at handling unstructured information
Handles well information that is read more often than written
LDAP DIRECTORY
• LDAP models:
• Information:
• Structure of the information stored in the LDAP directory.
• Naming:
• How the information is organized and identified.
• Functional / operations:
• Describes which kinds of operations can be performed on the LDAP directory.
• Security:
• Shows how the information is protected and secured.
LDAP DIRECTORY
• LDAP directory information tree (DIT):
• The data is stored in entries.
• These entries are organized as the nodes of a tree.
• Example of an LDAP server on Debian: OpenLDAP (package slapd)
source: http://www.novell.com/documentation/integrationmanager6/Docs/help/Composer/books/LDAPWelcome.html
EXAMPLE OF DIT (figure)