Bài giảng LPI202 - Chapter 05 Advanced Linux Network Administration

Web Services Chapter 05Advanced Linux Network Administration ObjectivesBe able to install and configure an Apache web server:monitoring Apache load and performancerestricting client user accesssetting up client user authentication.configuring Apache server options such as maximum requests, minimum and maximim servers, and clients.Implementing a web serverMaintaining a web serverImplementing a proxy serverApacheVery well known and respected http server.Used commercially.Freely available from of plugins.Relatively easy and flexible to configure.Fast and Reliable.StructureMUXChildChildChildChildhttp requestIdle ChildGet data from diskResponseInitial SettingsStartServers 8MinSpareServers 5MaxSpareServers 20MaxClients 150MaxRequestsPerChild 1000These options are important, but often the least likely to be changed from the defaults!Important Files/etc/init.d/httpdthe server control script/etc/httpd/conf/httpd.conf the main configuration file.Remember when changing the configurations it is only reread on a server reload or restart.Errors and other details are logged by default in /var/log/httpd/ as access_log, error_log.Mimic a BrowserTo understand how a sever is running is it sometimes useful to make requests at the keyboard of a server and see the results as text.Telnet can do this, so long as you have learned some basic HTTP commands.The two important ones are:HEAD – Give information on a page.GET – Give me the whole page.HTTP 1.1In HTTP 1.1 we can use virtual hosts.This allows multiple hosts to share a single server.Each host has a different name.The name of the host you want to answer a query is given as part of a page request.This is only supported in HTTP 1.1 and beyond.HTTP 1.1$ telnet linuxzoo.net 80HEAD / HTTP/1.1Host: linuxzoo.netHTTP/1.1 200 OKDate: Mon, 01 Nov 2004 15:06:44 GMTServer: Apache/2.0.46 (Red Hat)Last-Modified: Fri, 29 Oct 2004 14:47:22 GMTETag: "4981dd-920-22ea7280"Accept-Ranges: bytesContent-Length: 2336Content-Type: text/html; charset=UTF-8VirtualHostsThe sharing of a single IP to provide multiple hostnames is well supported in Apache.The part of the conf file which handles this is called Each part holds a list of hostnames it can handleThe first host found in the file is always considered the default, so if no VirtualHost section matches the first block is done instead.VirtualHosts ServerAdmin me@grussell.org DocumentRoot /home/gordon/public_html ServerName grussell.org ServerAlias www.grussell.org grussell.org.uk ErrorLog logs/gr-error_log CustomLog logs/gr-access_log combinedBasic AuthenticationOften you might want simple usernames and passwords to control access you parts of a website.There are many approaches for this.The easiest way is to use Basic Authentication.This, when required, asks the browser to ask you for a username and password for accessing protected pages.The username and password is sent as clear text for every page request made by the browser..htaccessThe best way to control basic authentication is via an .htaccess file in the directory to protect.To allow this the definition which includes the directory to be protected must haveAllowOveride AuthConfigBuilding a Password FileYou have to create a file with usernames and passwords.It is a good idea if this file is not one which someone can access via a URL.# htpasswd –c /home/gordon/password andrewNew Password: *******Retype New Password: *******Adding password for user andrew.-c is only the first time running the command, as this creates the file too. Miss out –c after the first run..htaccess AuthType BasicAuthName "Restricted Files"AuthUserFile /home/gordon/passwordRequire user andrew Authtype DigestThis is another option, which requests the passwords in an encrypted format. It is not as widely supported as Basic.The password fileThe password file created is just a text file.As a text file it does not scale wellAs more users are added the file gets bigger.On every page request the file has to be parsed again.There are other formats available using hashed files (either db or dbm). These are faster to access but more complex to manage.Any valid userRequire user andrewCan be changed to Require valid-user In this way any user in the password file can access the directory.GroupsJust as in passwd users are also in groups, you can use the same idea for apache.Create a plain text file with the following format:Groupname: user1 user2 user3 If users gordon and andrew exists, and you want them to be known as group staffstaff: gordon andrewAdd to .htaccess AuthType BasicAuthName "By Invitation Only"AuthUserFile /home/gordon/passwordAuthGroupFile /home/gordon/groupsRequire group staff Control by IPYou can also restrict access to directories by IP.To do this you need to useOrder – read deny then allow or vice versaAllow from – allow this match to accessDeny from – stop this matchExampleStop 10.0.0.1 accessing a directoryEdit the .htaccess in that directory:order allow,denyallow from alldeny from 10.0.0.1Logging in /var/log/http access fileThe normally used log format is called “combined”.It contains significant amounts of information about each page request.Specifically, the log format is:%h %l %u %t %r %>s %b Referrer UserAgentLogging in /var/log/http access file%h %l %u %t %r %>s %b Referrer UserAgenth – IP of the clientl – useless ident infou – username in basic authenticationt – time of requestr – the request itselfs – The response code (e.g. 200 is a successful request)b – size of the response pageReferrer – who the client things told it to come hereUser Agent – identification info of the browserAnalysing the logThe log is useful in itself for checking the proper function of the server.However, traffic analysis is also valuable.There are a number of tools available to do this.One of the best free ones is webaliser. SummaryPer day activity – October 2004Hour analysis – October 2004Referrer Info# Hits Referrer 1 61169 10.95% - (Direct Request) 2 3068 0.55% 3 701 0.13% 4 677 0.12% 5 589 0.11% 6 560 0.10% 7 503 0.09% 8 305 0.05% 9 201 0.04% 10 182 0.03% 11 177 0.03% from? Implementing a Proxy ServerInstallationYou can verify that the squid proxy server is installed using: rpm -q squidInstall from RPM package rpm -i squid*.rpmCreate the initial caching directories:The script /etc/init.d/squidIf install from source, create cache directories with the -z switch.squid -z The configuration file is /etc/squid/squid.conf. The syntax of this file can be checked using the -k switch:squid -k checkThe /etc/init.d/squid rc-script is used to start the service. Access Lists and Access ControlAccess lists are created as follows:acl aclname type stringExample:acl localnet src 192.168.2.0/255.255.255.0Access control lists (http_access)With http_access a particular access list is either allowed or denied access via the proxy. http_access allow|deny aclnameExample http_access allow localnet Reporting ToolsMost log analysis tools available for squid are listed on the following site: main logfile for squid is the /var/log/squid/access.log file.Analysis tools:Calamaris: The code is GPL and can be downloaded from It is also GPL'ed and can be downloaded from a web servermonitoring Apache load and performancerestricting client user accesssetting up client user authentication.Maintaining a web serverImplementing a proxy server