Title: CHAPTER FOUR Server Configuration
CHAPTER FOUR Server Configuration
- The objectives of this chapter are to learn about the following topics:
  - Choosing Web Server Software
  - Customizing your Web Server
  - Controlling access
  - Secure Sockets Layer Configuration
  - Virtual hosts
Choosing Web Server Software
- What is a Web server?
  - The computer hardware where web pages are stored and accessed by others using web client software, or the computer software that allows users to access the web pages.
  - http://www.wda.org/Public/help/glossary.htm
Choosing Web Server Software
- Price: prices range from free to several hundred dollars.
- Scalability: how scalable the web server software is depends on the different platforms on which it can run.
- Manageability: there are resource tools that help in administering, securing and, on the whole, managing your web server.
- Performance: a web server needs to be available at all times to show its reliability.
Choosing Web Server Software
- Accessibility: it is essential that the Web be accessible in order to provide equal access and equal opportunity to everybody. Much of the focus on Web accessibility has been on the responsibilities of Web developers. However, Web software also has a vital role in Web accessibility. Software needs to help developers produce and evaluate accessible Web sites, and be usable by everyone including people with disabilities.
  - http://www.w3.org/WAI/intro/accessibility.php
Choosing Web Server Software
- Surveys have shown that the following are the 3 most widely used web servers on the internet:
  - Apache makes up about 69 percent
  - Microsoft IIS makes up about 21 percent
  - Netscape Enterprise Server / Sun makes up about 3 percent
  - http://news.netcraft.com/archives/web_server_survey.html
Choosing Web Server Software
- Installation: you can easily download web server software from the internet.
- You may have the option to download source code or a binary. The source code gives you the option of tweaking it to suit you, but the binary does not. Amongst the web servers mentioned earlier, only Apache offers the software in both formats.
- Most of the other servers have installation programs to install the binary executables.
Customizing your Web Server
- There are many options that are used to configure a Web server.
- Each web server has its own configuration tools or interface.
- Apache: configuration is done by editing a series of configuration files. The configuration files contain directives that control the behavior of Apache.
- A directive is simply a special word that describes a configuration option. It is typically a name followed by a value or a series of values.
- A list of configuration directives is available at the Apache site:
  - http://httpd.apache.org/docs/1.3/mod/directives.html
Customizing your Web Server
- Microsoft IIS: configuration is done through the MMC snap-in console.
- Microsoft Management Console
  - The Microsoft Management Console (MMC) is an extensible, common console framework for management of applications.
  - The Microsoft Management Console (MMC) was provided with the Windows NT 4.0 Option Pack as a common interface for administration of IIS 4.0, Certificate Server, Transaction Server, and other Option Pack tools. Now it is included in all versions of Windows starting from Windows 2000.
  - http://www.windowsitlibrary.com/Content/405/15/1.html
  - http://www.microsoft.com/windows2000/techinfo/planning/management/mmcsteps.asp
Customizing your Web Server
- The configuration options have different names for each server type, but they all do the same thing: control the behavior of the web server.
  - Apache refers to these options as directives,
  - Microsoft IIS refers to them as properties, and
  - Netscape refers to them as resources.
Customizing your Web Server
- Some general server options
  - User and Group: these directives restrict what the server may access on the system.
  - Port: this option specifies which port the HTTPD should listen on.
    - The default port is set to 80 on most servers.
    - You can also configure the web server to listen on other ports.
Customizing your Web Server
- Some directory options (Apache / IIS / Netscape names)
  - DocumentRoot / Home Directory / Primary Document Directory
  - Alias / Virtual Directory / Additional Document Directories
  - DirectoryIndex / Default Document
  - IndexOptions / Directory Browsing
Controlling Access
- A web server must have permission to access documents in order to make pages available to requesting clients.
- Unix operating systems and newer versions of Microsoft operating systems offer directory and file access control abilities.
- The file system plays a big role in these access control abilities.
Controlling Access
- File Systems
  - In computing, a file system is a method for storing and organizing computer files and the data they contain to make it easy to find and access them. File systems may use a storage device such as a hard disk or CD-ROM and involve maintaining the physical location of the files, or they may be virtual and exist only as an access method for virtual data or for data over a network (e.g. NFS).
  - en.wikipedia.org/wiki/File_systems
Controlling Access
- Folder and File level permissions
  - Share permissions are available for both the FAT file system and the NTFS file system.
  - Share permissions do not work on individual files; they are designed to work on shared folders.
  - The Share permissions are limited to Read, Change, and Full Control.
  - Share permissions only apply to those who are connecting over the network.
  - Needless to say, you must be using the NTFS file system to be able to use NTFS permissions.
  - NTFS permissions will apply whether the user connects over the network or connects locally.
  - NTFS permissions also allow you to set permissions on individual files, and those permissions can be different from the parent folder.
  - The permission levels in NTFS are narrower than the Share permissions, with 6 levels for folders and 5 levels for files.
Controlling Access
- Folder and File level permissions (continued)
  - The NTFS permission levels are Read, List Folder Contents, Write, Read & Execute, Modify and Full Control (List Folder Contents is for folders only).
Controlling Access
- You can choose to share a folder from any file system: FAT, FAT32, or NTFS. If you are sharing from a FAT or FAT32 partition, your choices for what kinds of permissions you place on the folders are limited to three: Read, Modify, or Full Control.
- If you truly want to secure your folders and files, you will want to have an NTFS file system on your partition and the far greater controls of NTFS permissions. With NTFS you can specify the exact permissions for both folders and files, and choose whether they have the same permissions inherited from the parent to the child, or different permissions.
- Remember, permissions are cumulative, but a deny will always override an allow, and in NTFS a file's permissions will always override its folder's permissions.
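The three rules on this slide, carried through as an added Python example (not from the slides or from Windows itself): a simplified model of NTFS access evaluation in which allows accumulate across a user's groups, any Deny wins, and an ACL set on a file replaces the folder's. The account, group and path names are constructed sample values; real NTFS inheritance and ACE ordering are richer than this model.

```python
from dataclasses import dataclass

FOLDER_LEVELS = {"Read", "List Folder Contents", "Write", "Read & Execute", "Modify", "Full Control"}
FILE_LEVELS = FOLDER_LEVELS - {"List Folder Contents"}   # the five file levels

@dataclass
class ACE:
    principal: str      # user or group the entry applies to
    rights: set         # subset of the level names above
    deny: bool = False  # Deny entries strip rights, Allow entries grant them

def effective_rights(acl, user, groups):
    """Rules 1 and 2: allows accumulate across the user and all of their
    groups, then any matching Deny entry removes its rights."""
    who = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in who:
            (denied if ace.deny else allowed).update(ace.rights)
    return allowed - denied

def rights_on_file(folder_acl, file_acl, user, groups):
    """Rule 3: an ACL set on the file itself overrides the folder's;
    with no file ACL the file inherits from the parent folder."""
    acl = file_acl if file_acl is not None else folder_acl
    return effective_rights(acl, user, groups) & FILE_LEVELS

# Constructed sample: a web content folder and one config file inside it.
WWWROOT_ACL = [
    ACE("Administrators", FOLDER_LEVELS),
    ACE("WebUsers", {"Read", "Read & Execute", "List Folder Contents"}),
    ACE("httpd", {"Write"}),             # Write allowed to the service account...
    ACE("httpd", {"Write"}, deny=True),  # ...but a Deny on the same right wins
]
CONFIG_ACL = [ACE("Administrators", FILE_LEVELS)]   # explicit ACL on the file

def demo():
    """Effective rights of the httpd account (a member of WebUsers) on the
    folder, on a file that inherits, and on the file with its own ACL."""
    return (effective_rights(WWWROOT_ACL, "httpd", ["WebUsers"]),
            rights_on_file(WWWROOT_ACL, None, "httpd", ["WebUsers"]),
            rights_on_file(WWWROOT_ACL, CONFIG_ACL, "httpd", ["WebUsers"]))
```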
Controlling Access
- The HTTP protocol (RFC 2616) defines a simple framework for access authentication schemes. The assumption is that a certain group of pages, usually referred to as a protected realm or just a realm, should only be accessible to certain people who are able to provide credentials if challenged by the server.
- Basic Access Authentication
  - The basic authentication scheme assumes that your (the client's) credentials consist of a username and a password, where the latter is a secret known only to you and the server.
  - The major drawback of the basic authentication scheme is that it is relatively simple for eavesdroppers to spy out your password, since it is transmitted in plain sight.
Controlling Access
- Cryptography
  - An alternative authentication scheme known as digest authentication remedies this weakness through the use of cryptography, usually the MD5 message digest algorithm defined in RFC 1321.
  - MD5 takes an input string of arbitrary length and computes a 128-bit number from it. Since MD5 is a one-way function, it is virtually impossible to reverse the computation and obtain the input value from the output value.
Controlling Access
- Digest Access Authentication
  - To securely prevent replay attacks, a more sophisticated procedure is necessary: the digest access authentication scheme.
- Security Considerations
  - You should keep in mind that even with digest authentication, all data except for your password is transmitted in plain view, fully accessible to potential eavesdroppers.
  - There's no way for the client to establish that it's actually talking to the server it intends to talk to. There's no mechanism in place that allows the server to authenticate itself to the client.
  - For a detailed review of the security properties of digest access authentication, please refer to section 4 of RFC 2617.
  - Unfortunately, some browsers are lacking support for digest authentication; see this discussion group message and the replies for details:
  - http://frontier.userland.com/stories/storyReader2159
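To make the Basic/Digest contrast on these slides concrete, an added Python example (not from the slides): it builds and decodes a Basic header, computes the RFC 2617 Digest response (qop=auth) for the RFC's own section 3.5 worked example, and models a server that stores only HA1 and rejects a repeated nonce/nonce-count pair. `DigestServer`, `run_rfc_example` and the helper names are this example's own; `run_rfc_example` returns whether the first presentation and an identical replay were accepted.

```python
import base64
import hashlib

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

# Basic: the credential is merely base64-encoded; base64 is not encryption.
def basic_header(user, password):
    return "Authorization: Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_decode(header):
    """What any eavesdropper can do with a captured Basic header."""
    user, _, password = base64.b64decode(header.split()[-1]).decode().partition(":")
    return user, password

# Digest with qop=auth (RFC 2617): only MD5 digests cross the wire.
def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    ha1 = md5hex(f"{user}:{realm}:{password}")   # identity plus the secret
    ha2 = md5hex(f"{method}:{uri}")               # the request being made
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestServer:
    """Stores HA1 per user (not the password) and refuses a nonce/nonce-count
    pair it has already accepted, so a captured header cannot be replayed."""
    def __init__(self, realm):
        self.realm, self.ha1, self.seen = realm, {}, set()
    def add_user(self, user, password):
        self.ha1[user] = md5hex(f"{user}:{self.realm}:{password}")
    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if user not in self.ha1 or (nonce, nc) in self.seen:
            return False
        ha2 = md5hex(f"{method}:{uri}")
        expected = md5hex(f"{self.ha1[user]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if expected != response:
            return False
        self.seen.add((nonce, nc))
        return True

# The worked example from RFC 2617 section 3.5.
RFC_EXAMPLE = dict(user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
                   method="GET", uri="/dir/index.html", nc="00000001", cnonce="0a4f113b",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")

def run_rfc_example():
    srv = DigestServer(RFC_EXAMPLE["realm"])
    srv.add_user(RFC_EXAMPLE["user"], RFC_EXAMPLE["password"])
    resp = digest_response(**RFC_EXAMPLE)
    args = (RFC_EXAMPLE["user"], "GET", RFC_EXAMPLE["uri"], RFC_EXAMPLE["nonce"],
            RFC_EXAMPLE["nc"], RFC_EXAMPLE["cnonce"], resp)
    return srv.verify(*args), srv.verify(*args)
```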
Secure Socket Layer Configuration
- SSL: short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to safely transmit confidential information, such as credit card numbers.
  - www.techniqueweb.com/terminology.php
Secure Socket Layer Configuration
- HTTPS: Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL (HTTPS), is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS is the use of Netscape's Secure Socket Layer (SSL) as a sub-layer under its regular HTTP application layering.
  - www.agimo.gov.au/publications/2003/08/framework/glossary
Secure Socket Layer Configuration
- S-HTTP: another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP).
- Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely. SSL and S-HTTP, therefore, can be seen as complementary rather than competing technologies. Both protocols have been approved by the Internet Engineering Task Force (IETF) as a standard.
  - www.elepub.com/sw/3_010.html
Virtual Hosts
- We do not have to use a separate machine to host each domain.
- Several domains associated with one server are called virtual hosts.
- There are two types of virtual hosts:
  - IP-based and name-based
Virtual Hosts
- IP-based virtual hosts use the IP address of the connection to determine the correct virtual host to serve. Therefore you need to have a separate IP address for each host.
- With name-based virtual hosting, the server relies on the client to report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.
Virtual Hosts
- Name-based virtual hosting is usually simpler, since you need only configure your DNS server to map each hostname to the correct IP address and then configure the HTTP server to recognize the different hostnames. Name-based virtual hosting also eases the demand for scarce IP addresses. Therefore you should use name-based virtual hosting unless there is a specific reason to choose IP-based virtual hosting. Some reasons why you might consider using IP-based virtual hosting:
  - http://httpd.apache.org/docs/1.3/vhosts/name-based.html
Virtual Hosts
- Some ancient clients are not compatible with name-based virtual hosting. For name-based virtual hosting to work, the client must send the HTTP Host header. This is required by HTTP/1.1, and is implemented by all modern HTTP/1.0 browsers as an extension.
- Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol.
- Some operating systems and network equipment implement bandwidth management techniques that cannot differentiate between hosts unless they are on separate IP addresses.
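An added Python example (not from the slides or from Apache's code) of the mechanism described in these virtual host slides: a minimal request parser and name-based vhost selector in which the Host header picks the vhost, and a request without one (an old HTTP/1.0 client) or for an unknown name falls back to the first vhost listed, as Apache's name-based setup does. The hostnames, document roots and requests are constructed sample values.

```python
# Constructed configuration: (ServerName, [ServerAlias...], DocumentRoot).
# The first entry is the default vhost, as in Apache's name-based setup.
VHOSTS = [
    ("www.example.com", ["example.com"], "/srv/www/example"),
    ("www.example.org", [], "/srv/www/org"),
]

def parse_request(raw):
    """Split a raw HTTP request into (method, uri, version, headers)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, uri, version, headers

def select_vhost(headers):
    """Return (ServerName, DocumentRoot) chosen by the Host header."""
    host = headers.get("host")
    if host is not None:
        host = host.split(":", 1)[0].lower()   # drop ":port", compare case-insensitively
        for name, aliases, root in VHOSTS:
            if host == name or host in aliases:
                return name, root
    # No Host header (old HTTP/1.0 client) or an unknown name: the default vhost.
    name, _, root = VHOSTS[0]
    return name, root

# Constructed requests: an HTTP/1.1 client, an HTTP/1.0 client without Host,
# and a request for a name this server does not host.
REQ_11 = b"GET /index.html HTTP/1.1\r\nHost: WWW.EXAMPLE.ORG:8080\r\n\r\n"
REQ_10 = b"GET /index.html HTTP/1.0\r\n\r\n"
REQ_UNKNOWN = b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n"

def serve(raw):
    """The host that would answer this request, as (ServerName, DocumentRoot)."""
    return select_vhost(parse_request(raw)[3])
```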