1. CHAPTER FOUR: Server Configuration
By Kofi Lokko
2. The objectives of this chapter are to learn about the following topics.
Choosing a Web Server Software.
Customizing your Web Server.
Controlling access
Secure Sockets Layer Configuration
Virtual hosts.
3. Choosing a Web Server Software
What is a Web server?
Computer hardware where web pages are stored and accessed by others using web client software, or the computer software that allows users to access the web pages.
http://www.wda.org/Public/help/glossary.htm
4. Choosing Web Server Software
Price – Prices vary, ranging from free to several hundred dollars.
Scalability – How scalable the web server software is depends on the range of platforms on which it can run.
Manageability – There are resource tools that help in administering, securing, and managing your web server as a whole.
Performance – A web server needs to be available at all times to show its reliability.
5. Choosing Web Server Software
Accessibility – It is essential that the Web be accessible in order to provide equal access and equal opportunity to everybody. Much of the focus on Web accessibility has been on the responsibilities of Web developers. However, Web software also has a vital role in Web accessibility. Software needs to help developers produce and evaluate accessible Web sites, and be usable by everyone including people with disabilities.
http://www.w3.org/WAI/intro/accessibility.php
6. Choosing Web Server Software
Surveys have shown that the following are the 3 most widely used web servers on the internet.
Apache – makes up about 69 percent
Microsoft IIS – makes up about 21 percent
Netscape Enterprise Server / Sun– makes up about 3 percent
http://news.netcraft.com/archives/web_server_survey.html
7. Choosing Web Server Software
Installation: You can easily download web server software from the internet.
You may have the option to download source code or a binary; the source code gives you the option of tweaking it to suit you, but the binary does not. Among the web servers mentioned earlier, only Apache offers the software in both formats.
Most of the other servers have installation programs to install the binary executables.
8. Customizing your Web Server
There are many options that are used to configure a Web server.
Each web server has its own configuration tools or interface.
Apache – Configuration is done by editing a series of configuration files. The configuration files contain directives that control the behavior of Apache.
Directive: simply a special word that describes a configuration option. It is typically a name followed by a value or a series of values.
A list of configuration directives is available at the Apache site.
http://httpd.apache.org/docs/1.3/mod/directives.html
9. Customizing your Web Server
Microsoft IIS – Configuration is done through the MMC snap-in console.
Microsoft Management Console:
The Microsoft® Management Console (MMC) is an extensible, common console framework for the management of applications.
The Microsoft Management Console (MMC) was provided with the Windows NT 4.0 Option Pack as a common interface for administration of IIS 4.0, Certificate Server, Transaction Server, and other Option Pack tools. It is now included in all versions of Windows starting from Windows 2000.
http://www.windowsitlibrary.com/Content/405/15/1.html#1
http://www.microsoft.com/windows2000/techinfo/planning/management/mmcsteps.asp
10. Customizing your Web Server
The configuration options have different names for each server type, but they all do the same thing: control the behavior of the web server.
Apache refers to these options as directives, Microsoft IIS refers to them as properties, and Netscape refers to them as resources.
11. Customizing your Web Server
Some general server options:
User and Group – these are used to restrict the server's access on the host.
Ports – This option specifies which port the HTTPD should listen on.
The default port is set to 80 on most servers.
You can also configure the web server to listen on other ports.
12. Customizing your Web Server
Some Directory Options:
DocumentRoot / Home Directory / Primary Document Directory
Alias / Virtual Directory / Additional Document Directories
DirectoryIndex / Default Document
IndexOptions / Directory Browsing
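As an added example that is not part of the slides, here is how the general and directory options above map onto an Apache httpd configuration. It assumes Apache 2.4 syntax; the account names, ports and paths are placeholders chosen for illustration.

```apache
# General and directory options (Apache 2.4 syntax; names and paths are placeholders)

# User and Group: worker processes run as an unprivileged account, so a
# compromised worker only has that account's file-system access.
User www-data
Group www-data

# Ports: 80 is the default; a second Listen line adds another port.
Listen 80
Listen 8080

# Primary document directory
DocumentRoot "/var/www/html"
# Additional document directory, mapped under a URL path
Alias "/downloads" "/srv/downloads"
# Default document returned for a request that names a directory
DirectoryIndex index.html index.htm

# Deny everything on the file system by default; grant per directory below.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# Weak setting (listing on):  Options Indexes FollowSymLinks
# Hardened: no automatic directory listings, symlinks followed only when
# the link and its target have the same owner.
<Directory "/var/www/html">
    Options -Indexes +SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>

# Directory browsing is enabled only where it is intended, with
# IndexOptions controlling the format of the listing.
<Directory "/srv/downloads">
    Options +Indexes
    IndexOptions FancyIndexing HTMLTable
    AllowOverride None
    Require all granted
</Directory>
```

Apache does not accept comments at the end of a directive line, which is why every comment here sits on its own line.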
13. Controlling Access
A web server must have permissions to access documents in order to make pages available to requesting clients.
Unix operating systems and newer versions of Microsoft operating systems offer directory and file access control.
The file system plays a big role in these access control abilities.
14. Controlling Access
File Systems
In computing, a file system is a method for storing and organizing computer files and the data they contain to make it easy to find and access them. File systems may use a storage device such as a hard disk or CD-ROM and involve maintaining the physical location of the files, or they may be virtual and exist only as an access method for virtual data or for data over a network (e.g. NFS).
en.wikipedia.org/wiki/File_systems
15. Controlling Access
Folder and File level permissions
Share permissions are available for both the FAT file system and the NTFS file system.
Share permissions do not work on individual files; they are designed to work on shared folders.
The Share permissions are limited to Read, Change, and Full Control.
Share permissions only apply to those who are connecting over the network.
Needless to say, you must be using the NTFS file system to be able to use NTFS permissions.
NTFS permissions will apply whether the user connects over the network or connects locally.
NTFS permissions also allow you to set permissions on individual files, and those permissions can be different from the parent folder's.
The permission levels in NTFS are narrower than the Share permissions, with 6 levels for folders and 5 levels for files.
16. Controlling Access
Folder and File level permissions (continued)
The NTFS permission levels are: Read, List Folder Contents*, Write, Read & Execute, Modify and Full Control.
* Folders only
17. Controlling Access
You can choose to share a folder from any file system: FAT, FAT32, or NTFS. If you are sharing from a FAT or FAT32 partition, your choices for what kinds of permissions you place on the folders are limited to three: Read, Modify, or Full Control.
If you truly want to secure your folders and files, you will want to have an NTFS file system on your partition, and have the far greater controls of the NTFS permissions. With NTFS you can specify the exact permissions for both folders and files, and choose whether they have the same permissions inherited from the parent to the child, or different permissions.
Remember, permissions are cumulative, but a deny will always override an allow, and in NTFS, a file's permissions will always override its folder's permissions.
18. Controlling Access
The HTTP protocol (RFC 2616) defines a simple framework for access authentication schemes. The assumption is that a certain group of pages -- usually referred to as a protected realm or just a realm -- should only be accessible to certain people who are able to provide credentials if challenged by the server.
Basic Access Authentication
The basic authentication scheme assumes that your (the client's) credentials consist of a username and a password, where the latter is a secret known only to you and the server.
The major drawback of the basic authentication scheme is that it is relatively simple for eavesdroppers to spy out your password, since it is transmitted in plain sight.
19. Controlling Access
Cryptography
An alternative authentication scheme known as digest authentication remedies this weakness through the use of cryptography, usually the MD5 message digest algorithm defined in RFC 1321.
MD5 takes an input string of arbitrary length and computes a 128-bit number from it. Since MD5 is a one-way function, it is virtually impossible to reverse the computation and obtain the input value from the output value.
20. Controlling Access
Digest Access Authentication
To securely prevent replay attacks, a more sophisticated procedure is obviously necessary: the digest access authentication scheme.
Security Considerations
You should keep in mind that even with digest authentication, all data except for your password is transmitted in plain view, fully accessible to potential eavesdroppers.
There's no way for the client to establish that it's actually talking to the server it intends to talk to. There's no mechanism in place that allows the server to authenticate itself to the client.
For a detailed review of the security properties of digest access authentication, please refer to section 4 of RFC 2617.
Unfortunately, some browsers lack support for digest authentication; see this discussion group message and the replies for details:
http://frontier.userland.com/stories/storyReader$2159
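As an added example that is not part of the slides, the two HTTP authentication schemes just discussed as they would be configured in Apache 2.4 (mod_auth_basic, mod_auth_digest and mod_ssl), with the weakness of each addressed as the slides describe. The realm names, user name and file paths are placeholders.

```apache
# One realm protected two ways (Apache 2.4 syntax; names and paths are placeholders)

# Basic: the browser sends username:password base64-encoded (not encrypted)
# with every request, so this realm is only served over SSL. SSLRequireSSL
# refuses a plain-HTTP request instead of letting the credentials leak.
# Credentials file created with:  htpasswd -c /etc/apache2/htpasswd alice
<Directory "/var/www/html/private">
    SSLRequireSSL
    AuthType Basic
    AuthName "Private Area"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/htpasswd"
    Require valid-user
</Directory>

# Digest: the browser sends an MD5 digest computed over user, realm,
# password, server nonce, method and URI, so the password itself never
# crosses the wire. The realm in AuthName must be the realm given to htdigest:
#   htdigest -c /etc/apache2/htdigest "Reports Area" alice
# A short nonce lifetime bounds how long a captured response stays replayable.
<Directory "/var/www/html/reports">
    AuthType Digest
    AuthName "Reports Area"
    AuthDigestDomain "/reports/"
    AuthDigestProvider file
    AuthUserFile "/etc/apache2/htdigest"
    AuthDigestNonceLifetime 300
    Require valid-user
</Directory>
```

Neither scheme authenticates the server to the client, which is the gap the slides note and which only SSL (next section) closes.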
21. Secure Socket Layer Configuration
SSL – Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to safely transmit confidential information, such as credit card numbers.
www.techniqueweb.com/terminology.php
22. Secure Socket Layer Configuration
HTTPS – Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL (HTTPS), is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS is the use of Netscape's Secure Socket Layer (SSL) as a sublayer under its regular HTTP application layering.
www.agimo.gov.au/publications/2003/08/framework/glossary
23. Secure Socket Layer Configuration
S-HTTP – Secure HTTP (S-HTTP) is a protocol for transmitting data securely over the World Wide Web.
Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely. SSL and S-HTTP, therefore, can be seen as complementary rather than competing technologies. Both protocols have been approved by the Internet Engineering Task Force (IETF) as a standard.
www.elepub.com/sw/3_010.html
24. Virtual Hosts
We do not have to use a separate machine to host each domain.
Several domains associated with one server are called virtual hosts.
There are two types of virtual hosts:
IP-based and name-based
25. Virtual Hosts
IP-based virtual hosts use the IP address of the connection to determine the correct virtual host to serve. Therefore you need a separate IP address for each host.
With name-based virtual hosting, the server relies on the client to report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.
26. Virtual Hosts
Name-based virtual hosting is usually simpler, since you need only configure your DNS server to map each hostname to the correct IP address and then configure the HTTP Server to recognize the different hostnames. Name-based virtual hosting also eases the demand for scarce IP addresses. Therefore you should use name-based virtual hosting unless there is a specific reason to choose IP-based virtual hosting. Some reasons why you might consider using IP-based virtual hosting:
http://httpd.apache.org/docs/1.3/vhosts/name-based.html
27. Virtual Hosts
Some ancient clients are not compatible with name-based virtual hosting. For name-based virtual hosting to work, the client must send the HTTP Host header. This is required by HTTP/1.1, and is implemented by all modern HTTP/1.0 browsers as an extension.
Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol.
Some operating systems and network equipment implement bandwidth management techniques that cannot differentiate between hosts unless they are on separate IP addresses.
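As an added example that is not the slides' own configuration, here is a name-based setup for two sites sharing one address, plus an IP-based host for the SSL site as the reasons above recommend. It assumes Apache 2.4 syntax; the hostnames, the 203.0.113.10 address and the paths are placeholders.

```apache
# Virtual hosts (Apache 2.4 syntax; hostnames, address and paths are placeholders)

Listen 80

# Name-based: all sites on *:80 share one IP address and Apache selects the
# <VirtualHost> whose ServerName/ServerAlias matches the Host header.
# The first block for an address is the default, so a deliberately empty
# catch-all comes first: a request with no Host header (an ancient client)
# or an unknown one, or one made by bare IP address, gets 403 rather than
# silently landing on one of the real sites.
<VirtualHost *:80>
    ServerName catchall.invalid
    DocumentRoot "/var/www/empty"
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/var/www/example.com"
    ErrorLog "/var/log/apache2/example.com-error.log"
    CustomLog "/var/log/apache2/example.com-access.log" combined
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias example.org
    DocumentRoot "/var/www/example.org"
    ErrorLog "/var/log/apache2/example.org-error.log"
    CustomLog "/var/log/apache2/example.org-access.log" combined
</VirtualHost>

# IP-based: the SSL site gets its own address, as the slides advise, because
# the certificate must be chosen before any Host header has been read.
# (Servers supporting TLS Server Name Indication can also run name-based SSL
# hosts; the slides' advice is kept here.)
Listen 203.0.113.10:443
<VirtualHost 203.0.113.10:443>
    ServerName secure.example.com
    DocumentRoot "/var/www/secure.example.com"
    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/secure.example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/secure.example.com.key"
</VirtualHost>
```

Each DNS name must already resolve to the shared address (or, for the SSL host, to its dedicated one) before the server can be reached under it.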