Apache Server 2 Bible Hungry Minds part 4 pps


210 Part II ✦ Web Site Administration

• The ProtectedTicketTable, ProtectedTicketUserTable, and ProtectedTicketSecretTable keys tell the module which ticket and user tables to use in the database and what fields are needed.
• The ProtectedTicketPasswordStyle sets the encryption type. You have three choices: traditional Unix-style one-way hash encryption (a.k.a. crypt), plaintext (not recommended), or MD5.

6. Next add the following configuration lines:

    PerlSetVar ProtectedTicketExpires 30
    PerlSetVar ProtectedTicketLogoutURI /protected/index.html
    PerlSetVar ProtectedTicketLoginHandler /protectedlogin
    PerlSetVar ProtectedTicketIdleTimeout 15
    PerlSetVar ProtectedPath /
    PerlSetVar ProtectedDomain .domain_name
    PerlSetVar ProtectedSecure 1
    PerlSetVar ProtectedLoginScript /protectedloginform

The following list tells you what’s happening in the above configuration:

• The ProtectedTicketExpires key sets the session (ticket) expiration time in minutes.
• The ProtectedTicketLogoutURI key sets the URL that is displayed after a user logs out.
• The ProtectedTicketLoginHandler sets the path to the login handler, which must correspond to a <Location> container, as discussed later.
• The ProtectedTicketIdleTimeout sets the number of minutes a session is allowed to be idle.
• The ProtectedPath sets the cookie path. The default value of / ensures that the cookie is returned with all requests. You can restrict the cookie to the protected area only by changing / to /protected (or whatever location you are protecting).
• The ProtectedDomain sets the domain name of the cookie. The leading dot ensures that the cookie is sent to all Web hosts in the same domain. For example, setting this to .mobidac.com would allow the cookie to be seen in web1.Mobidac.com or web2.Mobidac.com. You can also restrict the cookie to a single host by specifying the fully qualified host name here.
• The ProtectedSecure setting of 1 ensures that the cookie is flagged as secure, which tells the browser to return it only over secure (HTTPS) connections.
• The ProtectedLoginScript sets the location for the login form, which is generated by the module.

7. Now you need to create a <Location> container for the /protected directory as follows:

    <Location /protected>
        AuthType Apache::AuthTicket
        AuthName Protected
        PerlAuthenHandler Apache::AuthTicket->authenticate
        PerlAuthzHandler Apache::AuthTicket->authorize
        require valid-user
    </Location>

211 Chapter 7 ✦ Authenticating and Authorizing Web Site Visitors

Here Apache is told to require valid user credentials, which are to be authenticated by the Apache::AuthTicket module.

8. Now you need to set up the handlers for the login screen, login script, and logout functions of the module as follows:

    <Location /protectedloginform>
        AuthType Apache::AuthTicket
        AuthName Protected
        SetHandler perl-script
        PerlHandler Apache::AuthTicket->login_screen
    </Location>

    <Location /protectedlogin>
        AuthType Apache::AuthTicket
        AuthName Protected
        SetHandler perl-script
        PerlHandler Apache::AuthTicket->login
    </Location>

    <Location /protected/logout>
        AuthType Apache::AuthTicket
        AuthName Protected
        SetHandler perl-script
        PerlHandler Apache::AuthTicket->logout
    </Location>

9. After you have created the above configuration, make sure you have added at least one user to the wwwusers table. See the “Managing users and groups in any RDBM” section earlier in this chapter for details on how to manage users in a database.

10. Restart the Apache Web server by using the /usr/local/apache/bin/apachectl restart command.

11. To make sure that you see the cookie, set your Web browser to prompt for cookies. For Netscape Navigator, you can check the Warn me before storing a cookie option using the Edit ➪ Preference ➪ Advanced ➪ Cookies option. For Microsoft IE, you must use the Tools ➪ Internet Options ➪ Security ➪ Custom Levels ➪ Cookies ➪ Prompt options.

12. Now access the http://your_server_name/protected/ directory and you should see a Web form requesting your username and password.
Enter a valid username and an invalid password and the Web form should simply redisplay itself. Now enter a valid username/password pair and your Web browser will ask your permission to store a cookie. A sample session (ticket) cookie is shown below:

    Cookie Name: Apache::AuthTicket_Protected
    Cookie Domain: nitec.com
    Path: /
    Expires: End of session
    Secure: Yes
    Data: expires:988390493:version::user:kabir2:hash:bf5ac94173071cde94489ef79f24b158:time:988389593

13. Allow the Web browser to store the cookie and you should have access to the restricted Web section.

14. Next, you should verify that there is a new ticket in the tickets table. You can log onto your database server and view the contents of the tickets table. For example, on a Linux system running a MySQL server, I can run the select * from tickets command after I am logged onto MySQL via the mysql -u httpd -p auth command. A sample output is shown below:

    mysql> select * from tickets;
    +----------------------------------+-----------+
    | ticket_hash                      | ts        |
    +----------------------------------+-----------+
    | 145e12ad47da87791ace99036e35357d | 988393278 |
    | 6e115d1679b8a78f9b0a6f92898e1cd6 | 988393401 |
    +----------------------------------+-----------+
    2 rows in set (0.00 sec)

Here MySQL reports that there are two sessions currently connected to the Web server.

15. You can force Web browsers to log in again by removing the tickets stored in this table. For example, issuing the delete from tickets command on your database server removes all records in the tickets table and forces everyone to log in again.

✦ ✦ ✦

Monitoring Access to Apache

Have you ever wondered who is accessing your Web site? Or how your Apache server is performing on your system? Monitoring, logging, and analyzing Apache server can provide you with a great deal of information that is vital to the smooth system administration of the Web servers, and it can also help with the marketing aspects of your site.
In this chapter, I show you how to monitor and log information on an Apache server to satisfy your need to know. Among other things, in this chapter I show you how to:

✦ Quickly access Apache server configurations
✦ Monitor the status of a running Apache server
✦ Create log files in both CLF and custom formats
✦ Analyze log files using third-party applications

CHAPTER 8

In This Chapter

✦ Monitoring Apache status
✦ Enabling logging
✦ Customizing logging
✦ Archiving your logs
✦ Tracking users
✦ Analyzing log files
✦ Maintaining your log files

Monitoring Apache

Apache enables you to monitor these two types of very valuable information via the Web:

✦ Server configuration information: This information is static, but being able to quickly access a running server’s configuration information can be very useful when you want to find out what modules are installed on the server.
✦ Server status: This information changes constantly. Using Apache’s Web-based server-status monitoring capabilities, you can monitor information such as the server’s uptime, total requests served, total data transfer, status of child processes, and system resource usage.

I discuss both types of information in the following sections.

Accessing configuration information with mod_info

System configuration information can be accessed via the mod_info module. This module provides a comprehensive overview of the server configuration, including all installed modules and directives in the configuration files. This module is contained in the mod_info.c file. It is not compiled into the server by default. You have to compile it using the --enable-info option with the configure script. For example:

    ./configure --prefix=/usr/local/apache \
                --with-mpm=prefork \
                --enable-info

This command configures Apache to be installed in the /usr/local/apache directory, configures the source to run as a preforking server, and enables the mod_info module.
Run make and make install to compile and install the newly built Apache server. After you have installed this module in the server, you can view server configuration information via the Web by adding the following configuration to the httpd.conf file:

    <Location /server-info>
        SetHandler server-info
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 .domain.com
    </Location>

This allows the localhost (127.0.0.1) and every host on your domain to access the server information. Do not forget to replace the .domain.com with your top-level domain name. For example, if your Web site is www.nitec.com, you need to add:

    Allow from 127.0.0.1 .nitec.com

The dot in front of the domain name enables any host in the domain to access the server information. However, if you wish to limit this to a single host called sysadmin.domain.com, then change the Allow from line to:

    Allow from 127.0.0.1 sysadmin.domain.com

After the server is configured and restarted, the server information is obtained from the localhost (that is, running a Web browser such as lynx on the server itself) by accessing http://localhost/server-info.

This returns a full configuration page for the server and all modules. If you wish to access it from a different location, use the fully qualified server name in place of localhost. For example, if your Web server is called www.nitec.com, you access the server information by using http://www.nitec.com/server-info.

The mod_info module also provides a directive called AddModuleInfo, which enables you to add descriptive text in the module listing provided by the mod_info module. The descriptive text could be anything including HTML text.
AddModuleInfo has this syntax:

    AddModuleInfo module_name descriptive_text

For example:

    AddModuleInfo mod_info.c 'See <a href="http://localhost/manual/mod/mod_info.html">man mod_info</a>'

This shows an HTML link next to the listing of mod_info.c, providing a quick way to get more information on the module from the Apache online manual, as shown below.

    Module Name: mod_info.c
    Content handlers: (code broken)
    Configuration Phase Participation: Create Server Config, Merge Server Configs
    Module Directives:
        AddModuleInfo - a module name and additional information on that module
    Current Configuration:
        AddModuleInfo mod_info.c 'man mod_info'
    Additional Information: man mod_info

You can also limit the information displayed on the screen as follows:

✦ Server configuration only. Use http://server/server-info?server, which shows the following information:

    Server Version: Apache/2.0.14 (Unix)
    Server Built: Mar 14 2001 12:12:28
    API Version: 20010224:1
    Hostname/port: rhat.nitec.com:80
    Timeouts: connection: 300 keep-alive: 15
    MPM Information: Max Daemons: 20 Threaded: no Forked: yes
    Server Root: /usr/local/apache
    Config File: conf/httpd.conf

✦ Configuration for a single module. Use http://server/server-info?module_name.c. For example, to view information on only the mod_cgi module, run http://server/server-info?mod_cgi.c, which shows the following information:

    Module Name: mod_cgi.c
    Content handlers: (code broken)
    Configuration Phase Participation: Create Server Config, Merge Server Configs
    Module Directives:
        ScriptLog - the name of a log for script debugging info
        ScriptLogLength - the maximum length (in bytes) of the script debug log
        ScriptLogBuffer - the maximum size (in bytes) to record of a POST request
    Current Configuration:

✦ A list of currently compiled modules. Use http://server/server-info?list, which shows the following information:

    mod_cgi.c
    mod_info.c
    mod_asis.c
    mod_autoindex.c
    mod_status.c
    prefork.c
    mod_setenvif.c
    mod_env.c
    mod_alias.c
    mod_userdir.c
    mod_actions.c
    mod_imap.c
    mod_dir.c
    mod_negotiation.c
    mod_log_config.c
    mod_mime.c
    http_core.c
    mod_include.c
    mod_auth.c
    mod_access.c
    core.c

Of course, your listing will vary based on which modules you have enabled during source configuration. Now, let’s look at how you can monitor the status of a running Apache server.

Enabling status pages with mod_status

The mod_status module enables Apache administrators to monitor the server via the Web. An HTML page is created with server statistics. It also produces another page that is program friendly. The information displayed on both pages includes:

✦ The current time on the server system
✦ The time when the server was last restarted
✦ Time elapsed since the server was up and running
✦ The total number of accesses served so far
✦ The total bytes transferred so far
✦ The number of children serving requests
✦ The number of idle children
✦ The status of each child, the number of requests that child has performed, and the total number of bytes served by the child
✦ Averages giving the number of requests per second, the number of bytes served per second, and the average number of bytes per request
✦ The current percentage CPU used by each child and used in total by Apache
✦ The current hosts and requests being processed

Some of the above information is only available when you enable displaying of such information using the ExtendedStatus directive, which is discussed later in this section.

Like the mod_info module, this module is also not compiled by default in the standard Apache distribution, so you need to use the --enable-status option with the configure script and compile and install Apache.
Viewing status pages

After you have the mod_status module compiled and built into your Apache server, you need to define the URL location that Apache should use to display the information. In other words, you need to tell Apache which URL will bring up the server statistics on your Web browser.

Let’s say that your domain name is domain.com, and you want to use the following URL:

    http://www.domain.com/server-status

Using the <Location . . .> container, you can tell the server that you want it to handle this URL using the server-status handler found in the mod_status module. The following will do the job:

    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 .domain.com
    </Location>

Here, the SetHandler directive sets the handler (server-status) for the previously mentioned URL. After you have added the configuration in httpd.conf, restart the server and access the URL from a browser.

The <Location . . .> container enables you to access the status information from any host in your domain, or from the server itself. Don’t forget to change .domain.com to your real domain name, and also don’t forget to include the leading dot.

You can also have the status page update itself automatically using the http://server/server-status?refresh=N URL to refresh the page every N seconds.

To view extended status information, add the ExtendedStatus On directive in the server configuration context.
For example, your entire server status-related configuration in httpd.conf could look as follows:

    ExtendedStatus On
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 .domain.com
    </Location>

An example of the extended status information is shown here:

    Apache Server Status for rhat.nitec.com

    Server Version: Apache/2.0.14 (Unix)
    Server Built: Mar 14 2001 12:12:28
    Current Time: Thursday, 15-Mar-2001 11:05:08 PST
    Restart Time: Thursday, 15-Mar-2001 11:02:40 PST
    Parent Server Generation: 0
    Server uptime: 2 minutes 28 seconds
    Total accesses: 17807 - Total Traffic: 529 kB
    CPU Usage: u173.4 s.03 cu0 cs0 - 117% CPU load
    120 requests/sec - 3660 B/second - 30 B/request
    4 requests currently being processed, 8 idle servers

    _WKKK_______

    Scoreboard Key:
    "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
    "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
    "L" Logging, "G" Gracefully finishing, "." Open slot with no current process

    Srv  PID  Acc          M  CPU     SS          Req  Conn   Child  Slot  Client         VHost  Request
    0-0  0    0/87/87      _  0.07    1726072572  0    0.0    0.10   0.10  (unavailable)
    0-0  0    105/105/105  W  0.00    1726072572  0    50.5   0.05   0.05  (unavailable)
    0-0  0    166/166/166  K  0.02    1726072572  0    233.5  0.23   0.23  (unavailable)
    0-0  0    49/49/49     K  0.01    1726072572  0    25.2   0.02   0.02  (unavailable)
    0-0  0    77/77/77     K  0.08    1726072572  0    116.6  0.11   0.11  (unavailable)
    4-0  0    0/0/17323    _  173.25  1726072572  0    0.0    0.00   0.00  (unavailable)

    Srv    Child Server number - generation
    PID    OS process ID
    Acc    Number of accesses this connection / this child / this slot
    M      Mode of operation
    CPU    CPU usage, number of seconds
    SS     Seconds since beginning of most recent request
    Req    Milliseconds required to process most recent request
    Conn   Kilobytes transferred this connection
    Child  Megabytes transferred this child
    Slot   Total megabytes transferred this slot

    Apache/2.0.14 Server at rhat.nitec.com Port 80

Simplifying the status display

The status page displayed by the mod_status module provides extra information that makes it unsuitable for using as a data file for any data analysis program. For example, if you want to create a graph from your server status data using a spreadsheet program, you need to clean up the data manually. However, the module provides a way for you to create machine-readable output from the same URL by modifying it using ?auto as in http://server/server-status?auto. An example status output is shown here:

    Total Accesses: 17855
    Total kBytes: 687
    CPULoad: 14.1982
    Uptime: 1221
    ReqPerSec: 14.6233
    BytesPerSec: 576.157
    BytesPerReq: 39.4001
    BusyServers: 8
    IdleServers: 8
    Scoreboard: _KKWKKKKK_______

[...]

... HTTP/1.1 status codes

The date field can have this format:

    date = [day/month/year:hour:minute:second zone]

The date field sizes are given in Table 8-1.

Table 8-1: Date Field Sizes

    Field   Value
    Day     2 digits
    Month   3 letters
    Year    4 digits
    Hour    2 digits
    Minute  2 digits
    Second  2 digits
    Zone    (`+' | `-') 4*digit

The following...

... /usr/local/apache/logs/access_log file

    207.183.233.19 - - [15/Mar/2001:13:05:01 -0800] "GET /book/images/back.gif HTTP/1.1" 304 0
    207.183.233.20 - - [15/Mar/2001:14:45:02 -0800] "GET /book/images/forward.gif HTTP/1.1" 304 0
    207.183.233.21 - - [15/Mar/2001:15:30:03 -0800] "GET /book/images/top.gif HTTP/1.1" 304 0

If you had HostNameLookups turned on, Apache will resolve the client IP addresses 207.183.233.19,...
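As an added example (not from the book or the Apache project), the following Python code parses the ?auto output described under "Simplifying the status display" and cross-checks the reported counters against the scoreboard and against each other, which is the kind of sanity check a monitoring job would run before graphing or alerting on the data. The function names are hypothetical, and treating "S" and "." slots as neither busy nor idle is an assumption.

```python
import math
from collections import Counter
# Constructed sample: the ?auto output shown on this page, with the
# scoreboard written without the stray spaces left by text extraction.
SAMPLE_AUTO = """\
Total Accesses: 17855
Total kBytes: 687
CPULoad: 14.1982
Uptime: 1221
ReqPerSec: 14.6233
BytesPerSec: 576.157
BytesPerReq: 39.4001
BusyServers: 8
IdleServers: 8
Scoreboard: _KKWKKKKK_______
"""

KNOWN_STATES = set("_SRWKDLG.")   # characters from the Scoreboard Key
NOT_BUSY = set("_S.")             # assumption: only these are not "busy"

def parse_auto(text):
    """Parse 'Key: value' lines into a dict; Scoreboard stays a string."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # skip blank or malformed lines
        key, value = key.strip(), value.strip()
        if key == "Scoreboard":
            status[key] = "".join(value.split())   # drop embedded spaces
            continue
        try:
            status[key] = float(value) if "." in value else int(value)
        except ValueError:
            status[key] = value           # keep non-numeric fields as text
    return status

def scoreboard_counts(scoreboard):
    """Return (busy, idle) child counts derived from the scoreboard."""
    unknown = set(scoreboard) - KNOWN_STATES
    if unknown:
        raise ValueError(f"unexpected scoreboard characters: {sorted(unknown)}")
    counts = Counter(scoreboard)
    busy = sum(n for state, n in counts.items() if state not in NOT_BUSY)
    return busy, counts["_"]

def check_consistency(status, rel_tol=0.01):
    """List mismatches between reported fields and values derived from them."""
    problems = []
    busy, idle = scoreboard_counts(status["Scoreboard"])
    for field, seen in (("BusyServers", busy), ("IdleServers", idle)):
        if status.get(field) != seen:
            problems.append(f"{field}={status.get(field)}, scoreboard shows {seen}")
    uptime, hits = status.get("Uptime", 0), status.get("Total Accesses", 0)
    total_bytes = status.get("Total kBytes", 0) * 1024
    derived = {}
    if uptime > 0:
        derived["ReqPerSec"] = hits / uptime
        derived["BytesPerSec"] = total_bytes / uptime
    if hits > 0:
        derived["BytesPerReq"] = total_bytes / hits
    for field, expected in derived.items():
        if field in status and not math.isclose(status[field], expected, rel_tol=rel_tol):
            problems.append(f"{field}={status[field]}, expected about {expected:.4f}")
    return problems

if __name__ == "__main__":
    parsed = parse_auto(SAMPLE_AUTO)
    print(check_consistency(parsed) or "status output is internally consistent")
```

The derived-rate checks only run for fields that are present, so the same code works on output that lacks the extended counters.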
... run it as a cron job. For example, on my Apache Web server running on Linux, I simply add the script to /etc/cron.daily to create a resolved version of the log every day.

✦ ✦ ✦

CHAPTER 9

Rewriting Your URLs

URLs bring visitors to your Web site. As an Apache administrator, you need to ensure...

... case, the server produces a 404 status (Not Found) header. So, to log the referring URLs you can use the format specifier:

    '%404{Referer}i'

Similarly, to log referring URLs that resulted in an unusual status, you can use:

    '%!200,304,302{Referer}i'

Notice the use of the ! character to denote the absence of the server status...

... with the server variables shown in Table 9-1, which can be used in many rewrite rules and conditions.

Table 9-1: Server Variables Available for URL Rewrite Rules

    Server Variable   Explanation
    SERVER_NAME       Host name of the Web server
    SERVER_ADMIN      Web server administrator’s e-mail address
    SERVER_PORT       Port address of the Web server
    SERVER_PROTOCOL...

... logs/access.log myrecfmt

Here the access.log will have lines in the myrecfmt format.

The TransferLog and CustomLog directives can be used multiple times in each server to cause each request to be logged to multiple files. For example:

    CustomLog logs/access1.log common
    CustomLog logs/access2.log common

Here the server will create...
... script called /etc/logrotate.d/apache as shown in Listing 8-2.

Listing 8-2: /etc/logrotate.d/apache

    # Note that this script assumes the following:
    #
    # a. You have installed Apache in /usr/local/apache
    # b. Your log path is /usr/local/apache/logs
    # c. Your access log is called access_log (default in Apache)
    # d. Your error log...

... control file (.htaccess). Let’s take a look at an example:

    RewriteRule /~([^/]+)/?(.*) /users/$1/$2 [R]

Here, the search pattern is /~([^/]+)/?(.*) and the substitution string is /users/$1/$2. Notice the use of back-references in the substitution string. The first back-reference string $1 corresponds to the string found...

    ... URI
    REQUEST_FILENAME  Same as SCRIPT_FILENAME
    THE_REQUEST       Requested URL
    TIME_YEAR         Current year
    TIME_MON          Current month
    TIME_DAY          Current day

Table 9-1: (continued)

    Server Variable   Explanation
    TIME_HOUR         Current hour
    TIME_MIN          Current minute
    TIME_SEC          Current second
    TIME_WDAY         Current weekday
    TIME              Current time
    API_VERSION...

... TransferLog or CustomLog defined in the primary server configuration, and you have a virtual host defined, the virtual host-related logging is also performed in those logs. For example:

    TransferLog logs/access_log
    CustomLog logs/agents_log "%{User-agent}i"
    ServerName reboot.nitec.com
    DocumentRoot ...

Date posted: 14/08/2014, 06:22
