Apache Street Smarts Presentation (SANS 99)

Apache Street Smarts For the Systems Management Professional

By Michael E. Dobe

ESM Services, Inc.

Network Security 1999

New Orleans, LA

Introduction: The Need For Training

Proficiency with the installation and operation of the Apache HTTP server is as important today as skill in traditional areas such as NIS, NFS, and Perl.– Need For Day-to-Day Proficiency: As businesses port

applications to the Web there is an increase in the frequency and complexity of requests for HTTP server support from more savvy users and developers. Web Security also becomes a day-to-day support issue.

– Resume Building: In the last few years, support for HTTP servers has become an obligatory bullet on the resumes of UNIX and NT

professionals.

Tutorial Objectives

• Through discussion and demonstrations this tutorial gives you the tools you need to stay ahead of the Apache knowledge curve

• You will gain proficiency with the basics of Apache installation, configuration and support on the Linux and Win32 platforms

• We will also point you to a number of lesser-known gotchas of Apache administration on the UNIX and Windows NT platforms

Overview Starting with an overview of setting up Apache on Linux and

NT and ending with a review of available sources for current information, this tutorial covers a wide gamut of configuration issues from modules and directives to performance monitoring and security.

FP Extensio

ns

Tuning

SSL

CurrentInfo

Modules

Directives

Security

Config

CGISetup

Welcome to Your New Job: Sysadmin For GRSL

• You Have Just Been Hired By General Republic Savings and Loan of Baltimore, MD

• The Many Hats You Wear:– UNIX Systems Admin, Windows NT Systems Admin

and Web Services

• Your User Base: – Wide Range of Needs

– Intranet Publishing For Workgroups

– Internet Presence Supported By Web Development Consultants External to the Firm

Your Presence on the Internet

• GRSL Has a New CIO Who Loves Linux, But Who Doesn’t Want to Change Too Much All at Once

• The Company Has Just Hired Consultants To Develop Custom Banking Applications For the External Web Site

• You Successfully Make the Case that the Internet Presence Should Run on RH Linux (6.0) With Apache

Your Test Intranet Site and Developer Workstations

• Large Installed Base of Windows NT on Corporate Network. Existing Intranet on IIS, Workstations Using PWS

• Company Seeks to Standardize on One Web Server Technology

• You Convince the CIO to Run a Test Intranet Server on Windows NT Server

• Also Get the Green Light To Test Using Apache as a Replacement for Personal Web Server on Win 98 Stations for Your Developers

Rolling Up Your Sleeves and Jumping In: Linux Installation

• Each Comes as Source Code or Pre-Compiled Binary (RPM for RH Linux 6.0)

• Default RH Linux Installation Gives You apache-1.3.6-7– Default is standalone server (Note: Running Apache out

of inetd is not recommended for servers anticipating heavy loads.)

– Loads at boot time via rc scripts– Parent Process Runs as root– Child Processes Run as nobody– Use ps to verify that it is running

HTTP Process Control on Linux: Stopping and Restarting Your Server• Linux stores pid at /var/run/httpd.pid

– kill -TERM `cat /var/run/httpd.pid`– To Restart /usr/sbin/httpd &

• Can Use GUI Interface, e.g. Comanche– Comanche RPM Available (Need itcl and rcs)– Part of Apache GUI Project– http://comanche.com.dtu.dk/comanche/– Demonstration of GUI (/usr/bin/comanche)

• Command-Line Tool: apachectl

Working With Support Programs For Apache: Setting Up apachectl

– Install Apache Source Tree Using apache_1.3.6.src.rpm

– Support Files Will Be Found In:

/usr/src/redhat/SOURCES/apache_1.3.6/src/support– Copy to /usr/bin (or somewhere else in your path) – Edit Config to Reflect Your Local Setup

Rolling Up Your Sleeves and Jumping In: Win32 Installations

• Visit Apache Site at http://www.apache.org/

• Download apache-1.3.9 For Win32

• Run the Installation Program

• Launch from command line, start menu

• Option to Run as a Windows Service

Rolling Up Your Sleeves and Jumping In: Win32 Process Control on NT

• Note: Running Win32 Apache as a Service is Recommended

• Install As A Service From the Start Menu?• Try apache –i –n Apache • Apache Running as Service Allow you to Stop and

Start Using Control Panel/Services or Using

NET START APACHE

NET STOP APACHE

More on Win32 HTTP Process Control: Apache on Windows 98

• Can Kill Win32 Version of Apache Using Ctrl C at Apache console or at the command line using apache -k shutdown

• Can Restart From Command Line or Start Menu• Win32 stores pid by default at:

C:\Program Files\Apache Group\Apache\logs\htttp.pidCould script this with apachectl

• Can Also Use Comanche on Win32• Win32 Comanche Demo

Working With Config Files and Basic Directives (Linux & Win32)

• Linux: /etc/httpd has conf, logs and modules

• Win32: C:/Program Files/Apache Group/Apache/

• Config files include httpd.conf, srm.conf and access.conf, each of which contains sets of directives (configuration parameters)

Running One Config File

• Win 32 (Version 1.3.9) Has Only One Config File • Default RH 6.0 Install Gives You all three files:

httpd.conf, srm.conf and access.conf• Apache Server Allows You to Consolidate Everything Into

httpd.conf• You Need to Add the Following to the end of httpd.conf to

make this workAccessConfig /dev/nullResourceConfig /dev/null

• For Demonstration Purposes, We Will Stick With the Default RPM Install on RH Linux 6.0

Working With Config Files on Linux: httpd.conf

httpd.conf Contains Directives That Allow You to Configure:– Basic Server Configuration Parameters– Caching – Virtual Hosts– Support for Modules (Enable and Disable)

Directives Demo #1 (httpd.conf): Virtual Hosts and Virtual Directories for Your Site

• Business Needs: Two Banking Divisions With Different Host Names Need to Be on the Same Server; Both Divisions Need to Provide Access to Some (But Not All) of the Same Content

• Technical Solution: – Configure Virtual Hosts

– Configure Virtual Directories

(Note on Virtual Directories: Without DNS Need to Set UseCanonicalName off)

Working With Config Files on Linux: srm.conf

• /etc/httpd/conf/srm.conf contains directives that allow you to configure:– name space that users see of your http server,

e.g. DocumentRoot and UserDir – server settings which affect how requests are

serviced, and how results should be formatted, e.g. Alias, ScriptAlias and ErrorDocument

– In apache-1.3.9 for Win32, These Directives are all in httpd.conf

Directives Demo #2 (srm.conf): Customizing Error Messages For Your Site

• Business Need: You Want to Help People Locate Content on Your Site that May Have Moved

• Technical Solution: Customize Message for 404 Error Message in srm.conf to Include a Link to Your Search Page

Working With Config Files on Linux: access.conf

• /etc/httpd/conf/access.conf Contains Directives That Allow You to Configure:– server settings which affect which types of

services are allowed, and in what circumstances– Set Up Default Directory Restrictions– Follow Up With More Detailed Configuration– In apache-1.3.9 for Win32, These Directives

are in httpd.conf

Directives Demo #3 (access.conf): Password Protection of Pages, Authentication on RH 6.0

• Business Need: Provide Customers With Access to Value Added Web Services

• Technical Solution: – Role of access.conf directives– Use of htaccess mechanism

Directives Demo #3 Continued (access.conf): Password Protection/User Authentication on RH 6.0

• More Support Files: Working With htaccess and htpasswd

• Need to Go Beyond Default Authentication Mechanisms?

• Support For Additional Authentication Databases Using Modules: mod_auth_dbm, mod_auth_db, mod_auth_msql, mod_auth_pg95, mod_auth_dbi, mod_auth_external.c, mod_auth_kerb, mod_auth_ldap

Modules and Apache’s Design

• Modules are Programs That Extend The Power of the Apache HTTP Server

• The HTTP Server Was Kept Small Intentionally

• Because Apache is Open Source Software, You Can Write Your Own Modules to Accomplish Your Organizations Web Goals

Finding Apache Modules

• Apache Project Maintains a Web-based Modules Registry and an ftp directory For Modules at http://modules.apache.org/

• Modules Come With You Distribution in the src Directory

• Module Documentation Included With Manual • Refer to Writing Apache Modules With Perl and C

(Stein & MacEachern) For Information About Rolling Your Own

Working With Modules on RH Linux: Starting With the Defaults

• What Modules are Supported By Default With the rpm distribution?

• Run the Command /usr/sbin/httpd -lCompiled-in modules: http_core.c mod_so.c

• Gotcha: Modules Still Need to Be Loaded in httpd.conf to be Available At Run-Time With, Even With DSO

Support For Additional Modules Apache on RH 6.0: Using DSO

• DSO = Dynamic Shared Object• Remember the apachectl options status and

fullstatus? Need to Have Support For mod_status For This To Work

• Mod_so is Compiled Into Apache rpm By Default• No need to Recompile Apache to Use mod_status,

because mod_so is running• Mod_so and DSO Documented at:

http://127.0.0.1/manual/mod/mod_so.html http://127.0.0.1/manual/dso.html

Recompiling Apache For Additional Modules

• Need to Edit Configuration file in

/usr/src/redhat/SOURCES/apache_1.3.6/src

• Uncomment Lines With Modules You Want

• Run configure From

/usr/src/redhat/SOURCES/apache_1.3.6/

• Run make and make install From

/usr/src/redhat/SOURCES/apache_1.3.6/src

Difference in Module Support:Out-of-Box Linux (RPM) and Default Compile

• RPM: Run the Command /usr/sbin/httpd -lCompiled-in modules: http_core.c mod_so.c

• From Source: Run the Command /usr/local/apache/bin/httpd -l

Compiled-in modules: http_core.c, mod_env.c, mod_log_config.c, mod_mime.c,

mod_negotiation.c, mod_status.c, mod_include.c mod_autoindex.c, mod_dir.c, mod_cgi.c, mod_asis.c, mod_imap.c, mod_actions.c, mod_userdir.c, mod_alias.c, mod_access.c, mod_auth.c, mod_setenvif.c

More Useful Apache Modules

• Controlling Your Server’s Responses: – mod_proxy: control access to Internet sites– mod_rewrite: remap URLs on the fly

• Enabling Robust Server-Side Scripting:– mod_fastcgi: better performance than mod_cgi– mod_perl: perl interpreter in the apache executable– mod_php: apache support for PHP scripting

• Anticipating Common (Re-) Configuration Issues • Limitations on the Win32 Platform: Still Beta

Quality Code

Out-of-Box Win32

• Win32 Can Be Installed on Win95/98, NT Workstation 4.0 or NT Server 4.0 (NT Server Version 1.3+)

• Source Comes With Distribution, But to Compile You Must Have a Compiler Installed

• Documentation Recommends Using Visual C++

• Running it on NT Server Means It Can Run as Service, Which is More Efficient

• Soon Find You Need Unix-Like Features: – More Robust Command Line Tools

– Remote Management Capabilities

Apache Win32 Admin: Adding Robust Command Line Tools

• Free Option: Cygnus GNU Tools- User and Developer Tools- Available From http://www.cygnus.com (Also included with Apache, The Definitive Guide)

• Commercial Option: MKS Toolkit– Contains Visual Tools as Well as Command

Line: Visual Pax, Visual Diff, GUI port of vi– Comes With Extensive Documentation

Apache Win32 Admin: Adding Remote Management

• Free Option: Virtual Network Computing– Available from

http://www.uk.research.att.com/vnc/

• Commercial Options: – pcANYWHERE– Timbuktu

• Using VNC, You Can Manage Linux and NT From the Same PC Workstation

Making Good Use of Apache Directives on Win32

• Core Directives Covered For Linux Also Apply to Win32

• Excellent Listing of Modules and Directives in Appendix A of Apache Server For Windows, Little Black Book (Holden & Keller)

• Business Need: To Test The Power of Win32 Apache as a Development Platform

• Technical Solution for Adding Ability For Dynamic Web Content: mod_cgi, mod_php and mod_perl

Empowering Your Developers: Apache Web Development Environment

• Server-Side Scripts With CGI and Perl Supported on Both Linux and Win32

• Linux and Win32 Support For PHP as Well• Kick It Up a Notch With mod_perl• First Step: Getting Perl Running On Your System

– RH Linux 6.0 - Default Perl Installation (5.005_03) Use the RPM to Update

– On Win32 Active State Distribution http://www.activestate.com/

Web Programming Support: The Common Gateway Interface on Win32

• The Binary Distribution of Apache 1.3.6 For Win32 has statically-linked mod_cgi support (Try apache –l to Verify)

• Make sure the Script Alias is Set:ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache/cgi-bin/"

• Test Simple Script Called variables.pl in DOS Box, Then Run Through CGI Interface

Web Programming Support: PHP on Apache for Win32

• Get Windows Binary From a Local Mirrorhttp://www.php.net/download-php.php3 • Win32 Installation Documentation:http://www.php.net/manual/install-windows95-nt.php3

• Win32 Config Documentation:http://www.php.net/manual/config-apache-nt.html • Note: PHP Win32 Works With IIS 3 and 4, PWS,

and Apache 1.3.X

Win32 PHP For Windows98: The Details

• Set up a PHP3 Directory and Move the Contents of the Archive There, Use c:\php3

• Copy php3.ini-dist to c:\windows\php3.ini– Set extension_dir = c:\php3

• Add/Modify The Following Directives in httpd.conf– ScriptAlias /php3/ "c:/php3/" – AddType application/x-httpd-php3 .php3 – AddType application/x-httpd-php3 .phtml – Action application/x-httpd-php3 "/php3/php.exe"

• Test with test.php3

Web Programming Support: SSI and CGI on Linux

• With RH Linux 6.0 Support For mod_include and mod_cgi is Enabled Through DSO

• Make Sure That httpd.conf Contains These Directives Uncommented:LoadModule includes_module modules/mod_include.so

AddModule mod_include.c

LoadModule cgi_module modules/mod_cgi.soAddModule mod_cgi.c

• Example using mod_cgi: Simple CGI Variables Query (Command Line and Browser)

Web Programming Support: Kicking It Into High Gear With mod_perl

• Get Source and Compile mod_perl

http://perl.apache.org/dist/ • Enable DSO Support• Configure mod_perl as a mod_cgi replacement• Tap Into the Wealth of mod_perl-based modules

for Apachehttp://www.perl.com/CPAN/modules/by-module/Apache

MS Technologies and Apache:apache::ASP

• Apache::ASP Available From CPAN (Comprehensive Perl Archive Network)http://www.perl.com/CPAN/modules/by-module/Apache/

• This Only Supports Perl Scripting for ActiveX, To Use VBScript or JScript You Will Need ChiliSoft’s ASP Technology (http://www.chilisoft.com/)

Empowering Your Users: Challenges of Content Management For Your Web Presence

• Allowing Windows Users to Access a Linux Server– Manage From the Server Side: Samba vs. FP

2000 Extensions– Manage From the Client Side: FTP Clients vs.

PC-NFS

• Allowing UNIX Users to Access a PC Server? FTP? Your Internal Users are on NT Workstations.

MS Technologies and Apache:FrontPage 2000 Extensions

• Extensions, installation script and Apache patch:

http://msdn.microsoft.com/workshop/languages/fp/2000/unixfpse.asp

• Installing the FP 2000 Extensions using fp_install.sh– Gotcha: Need to Set AllowOverride All for document root

– Installs SERK and Admin Tools in /usr/local/frontpage/

– Modification to srm.conf allows _vti_bin scripting

Using FrontPage 2000 Extensions

• Administering the Extensions

• SERK Installed Along With Extensions:

http://127.0.0.1/SERK/inunix.htm

(Need to Create Alias or Move to Doc Root)

• Demo of Command Line Admin Utility: /usr/local/frontpage/version4.0/bin/fpsrvadm.exe

• HTML Interface Also Available

http://127.0.0.1/admin/fpadmin.htm

FrontPage 2000 Extensions: Upside and Downside

• What the Extensions Offer Your Users– Elimination of Need For FTP– Ease of Update and Integration With MS Office

• Risks Associated With the Extensions Install Script: – Changes Permissions For Document Root

(Option to Do This Later is Offered) – Modifies Config Files (here srm.conf)

Roll Your Own Apache Binary With Support For FrontPage 2000 Extensions

• Big Gotcha! With The FP Patched Version of Apache, Problems With Support For Default Modules Not Compiled In

• Suggest Compiling Your Own Patched Version of Apache to Avoid Removing Support For Modules You Are Using

• FrontPage module support documented in SERK (Server Extension Resource Kit)

Class Break

Take 15 Minutes

Everyday Troubleshooting Hints

• Working With Logs: Access Logs, Error Logs and Changing Log Formats

• Some Statistics-Generating Programs You Might Use

• Testing Your Server• Fixing SSI and CGI Problems• Win32-Specific Issues• Unix-Specific Issues

Performance Monitoring

• Using mod_status via apachctl

• Log File Analysis: Webalizer Example

• SNMP and Apache: – Running an Open Source Pinger

• SPONG: Son of Pong

http://www.edsgarage.com/projects/spong/index.html

– Plugging Your Apache Server Into Commercial Network Management Tools

Performance Tuning: Some Things to Consider

• Hardware Issues• Configuration Tuning: Directives That Can

Slow You Down (Reverse DNS Lookups, etc.)

• Compile-Time Options You May Want to Revisit

• Issues With Large Sites: Adding Processes, etc.

Web Security, Some First Steps

• Your Boss Asks You To Help With an Web Server Security Appendix to the GRSL Operations Manual. Some Considerations Include:– Preventing A Break-In and What To Do If You're Hacked– Authentication on the Web: more on htaccess, directories

and databases– Tips for Securing Apache (Among Others: CGI Risks,

suEXEC, CGIWrap)– After the Break-in: Damage Control, Getting Up and

Running Again and Making Sure It Doesn't Happen Again

Securing Your Web Transactions: SSL on the Apache Platform

• Many Options You Have in Securing the GRSL External Web Site: Commercial Options (Stronghold, etc.), Apache-ssl, mod_ssl

• We Will Use mod_ssl Because it is Free and Runs as a Module (Get mod_ssl-2.3.11-1.3.6.tar.gz from http://www.modssl.org/)

• Could Also Use Apache-ssl: Free and the Authors focus on “reliability, security and performance, rather than features and bells and whistles” (Adam Laurie)– Redhat FTP Site Has an SRPM for apache-ssl at:

ftp://ftp.redhat.com/contrib/libc6/SRPMS/ – Alternatively You Can Get Apache-ssl from a Mirror Site (See

http://www.apache-ssl.org/)

Securing Your Web Transactions: Other SSL Options

• Could Also Use Apache-ssl: Free and the Authors focus on “reliability, security and performance, rather than features and bells and whistles” (Adam Laurie)– Redhat FTP Site Has an SRPM for apache-ssl at:

ftp://ftp.redhat.com/contrib/libc6/SRPMS/ – Alternatively You Can Get Apache-ssl from a Mirror

Site (See http://www.apache-ssl.org/)

• Commercial Options: Red Hat Secure Server, Stronghold, etc.

Mod_ssl Installation and Configuration: First Steps

• Need to Get and Install SSLeay, So Go To:ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL• Next Unpack and Compile SSLeay• Gotcha: Where Is Perl Installed? Read the

Install File, There is a Fix!• Need to Get and Install OpenSSL, Go To:

http://www.openssl.org/source/• Next Unpack and Compile OpenSSL

Mod_ssl Installation/Configuration: Rebuilding Apache

• Delete Apache Source Tree and Reinstall

• Expand the mod_ssl Archive Into Your redhat/SOURCES Directory at the Same Level as apache_1.3.6 Directory

• Run The Following: $ ./configure --with-apache=../apache_1.3.6 --with-ssl=/usr/src/openssl-0.9.4

$ cd ../apache_1.3.6

$ SSL_BASE=/usr/src/openssl-0.9.4 ./configure ... --enable-module=ssl

$ make

$ make certificate TYPE=test

$ make install

Digital Certificates and Signatures

• In the Apache Source Tree You Now Have A PEM-encoded X.509 certificate signing request fileFile called conf/ssl.csr/server.csr

Send this file to a Real CA for Signing

• Certificate Authorities (CA)

Running Apache With SSL

• Starting the Server With SSL[root@apache bin]# ./apachectl sslstart

Apache/1.3.6 mod_ssl/2.3.11 (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide us with the pass phrases.

Server apache.clioweb.net:443

Enter pass phrase:

Ok: Pass Phrase Dialog successful.

./apachectl sslstart: httpd started

[root@apache bin]#

• Browsing the Site (Demo)

Summary

• Through discussion and demonstrations tutorial gave you the tools you need to stay ahead of the Apache knowledge curve.

• You have gained an understanding of the basics of Apache support and a number of lesser-known "gotchas" of Apache administration on the UNIX and Windows NT platforms.

Where to Get More Information on Apache

• Web Sites

• E-Mail Lists

• Print Media: Books and Magazines

• User Groups and Support Organizations

• Conferences

General Apache Web Sites

• The Apache Group:

http://www.apache.org

• Builder.com’s Maximum Apache:

http://builder.com/Servers/Apache/ss01.html

• Apache RTFM Site:

http://www.jlk.net/apache/

Security-Related Web Sites

• SSLeay and SSLapps FAQ

http://www2.psy.uq.edu.au/~ftp/Crypto/

• “Linux Apache SSL PHP/FI frontpage mini-HOWTO” by Marcus Faure

– PHP, FrontPage, SSLhttp://www.redhat.com/mirrors/LDP/HOWTO/mini/

Apache+SSL+PHP+fp.html

E-Mail Lists and Newsgroups

• Apache Week Mailing List http://www.apacheweek.com

• Dotslash Notification Servicehttp://www.dotslash.org/

• Tech Republic’s Admin Republichttp://www.techrepublic.com/

• Newsgroups: comp.infosystems.www.servers.unix

comp.infosystems.www.servers.ms-windows

Print Media: Books/Magazines

• O’Reilly Web Series– Apache, The Definitive Guide (Laurie & Laurie)

– Web Performance Tuning (Killelea)

– Web Security and Commerce (Garfinkel & Spafford)

• Apache Server Administrator’s Handbook by Mohammed J. Kabir (IDG Books)

• Apache Server For Windows, Little Black Book by Greg Holden and Matthew Keller (Coriolis Press)

Support Organizations

• Local Linux on NT User Groups• Laurie and Laurie Point to:

– A.B. Enterprises http://www.futurefx.com

- C2Net Software, Inc.http://www.c2.net

- UK Webhttp://www.ukweb.com

- Zyzzyva Enterpriseshttp://www.zyzzyva.com/

Conferences

• O’Reilly Open Source Conference– http://conference.oreilly.com/

• SANS– http://www.sans.org/

• USENIX– http://www.usenix.org/

Contact Information

• ESM Services Has a Web Site at:

http://www.esm.com

• To Contact the Instructor, Send E-Mail to:

[email protected]

Apache Street Smarts Presentation (SANS 99)

Education

Transcript of Apache Street Smarts Presentation (SANS 99)