Implementing a web server, Maintaining a web server, Implementing a proxy server, Be able to install and configure an Apache web server: Monitoring Apache load and performance, restricting client user access,... As the main contents of the Lesson LPI 202 Chapter 4 - Advancer Linux Netword Administration Web Services. Invite you to consult.
Chapter 05 Advanced Linux Network Administration Web Services SaigonCTT All rights reserved Objectives • Be able to install and configure an Apache web server: – monitoring Apache load and performance – restricting client user access – setting up client user authentication – configuring Apache server options such as maximum requests, minimum and maximim servers, and clients • Implementing a web server • Maintaining a web server • Implementing a proxy server LPI Linux Apache • Very well known and respected http server • Used commercially • Freely available from http://www.apache.org • Plenty of plugins • Relatively easy and flexible to configure • Fast and Reliable LPI Linux Structure Child http request MUX Idle Child Response Child Get data from disk Child Child LPI Linux Initial Settings StartServers MinSpareServers MaxSpareServers 20 MaxClients 150 MaxRequestsPerChild 1000 • These options are important, but often the least likely to be changed from the defaults! LPI Linux Important Files • /etc/init.d/httpd – the server control script • /etc/httpd/conf/httpd.conf – the main configuration file • Remember when changing the configurations it is only reread on a server reload or restart • Errors and other details are logged by default in /var/log/httpd/ as access_log, error_log LPI Linux Mimic a Browser • To understand how a sever is running is it sometimes useful to make requests at the keyboard of a server and see the results as text • Telnet can do this, so long as you have learned some basic HTTP commands • The two important ones are: – HEAD – Give information on a page – GET – Give me the whole page LPI Linux HTTP 1.1 • In HTTP 1.1 we can use virtual hosts • This allows multiple hosts to share a single server • Each host has a different name • The name of the host you want to answer a query is given as part of a page request • This is only supported in HTTP 1.1 and beyond LPI Linux HTTP 1.1 $ telnet linuxzoo.net 80 HEAD / HTTP/1.1 Host: linuxzoo.net HTTP/1.1 200 OK Date: Mon, 01 Nov 2004 15:06:44 GMT Server: Apache/2.0.46 (Red Hat) Last-Modified: Fri, 29 Oct 2004 14:47:22 GMT ETag: "4981dd-920-22ea7280" Accept-Ranges: bytes Content-Length: 2336 Content-Type: text/html; charset=UTF-8 LPI Linux VirtualHosts • The sharing of a single IP to provide multiple hostnames is well supported in Apache • The part of the conf file which handles this is called • Each part holds a list of hostnames it can handle • The first host found in the file is always considered the default, so if no VirtualHost section matches the first block is done instead 10 LPI Linux Add to .htaccess AuthType Basic AuthName "By Invitation Only" AuthUserFile /home/gordon/password AuthGroupFile /home/gordon/groups Require group staff 19 LPI Linux Control by IP • You can also restrict access to directories by IP • To do this you need to use – Order – read deny then allow or vice versa – Allow from – allow this match to access – Deny from – stop this match 20 LPI Linux Example • Stop 10.0.0.1 accessing a directory… • Edit the .htaccess in that directory: order allow,deny allow from all deny from 10.0.0.1 21 LPI Linux Logging in /var/log/http access file • The normally used log format is called “combined” • It contains significant amounts of information about each page request • Specifically, the log format is: %h %l %u %t %r %>s %b Referrer UserAgent 22 LPI Linux Logging in /var/log/http access file %h %l %u %t %r %>s %b Referrer UserAgent • h – IP of the client • l – useless ident info • u – username in basic authentication • t – time of request • r – the request itself • s – The response code (e.g. 200 is a successful request) • b – size of the response page • Referrer – who the client things told it to come here • User Agent – identification info of the browser 23 LPI Linux Analysing the log • The log is useful in itself for checking the proper function of the server • However, traffic analysis is also valuable • There are a number of tools available to do this • One of the best free ones is webaliser – http://www.mrunix.net/webalizer/ 24 LPI Linux Webaliser Summary 25 LPI Linux Per day activity – October 2004 26 LPI Linux Hour analysis – October 2004 27 LPI Linux Referrer Info # Hits Referrer 61169 10.95% (Direct Request) 3068 0.55% http://www.google.com/search 701 0.13% http://grussell.org/ 677 0.12% http://sqlzoo.net/ 589 0.11% http://www.google.co.uk/search 560 0.10% http://www.grussell.org/ 503 0.09% http://www.google.co.in/search 305 0.05% http://www.grussell.org 201 0.04% http://neo.napier.ac.uk/SCRIPT/CO22001/scripts/student/serve_home 10 182 0.03% http://www.umiacs.umd.edu/~jimmylin/LBSC6902004Fall/schedule.html 11 177 0.03% http://www.expertsexchange.com/Databases/ 28 LPI Linux Where from? 29 LPI Linux Implementing a Proxy Server •Installation –You can verify that the squid proxy server is installed using: rpm -q squid –Install from RPM package rpm -i squid*.rpm •Create the initial caching directories: –The script /etc/init.d/squid –If install from source, create cache directories with the -z switch squid -z •The configuration file is /etc/squid/squid.conf •The syntax of this file can be checked using the -k switch: squid -k check •The /etc/init.d/squid rc-script is used to start the service 30 LPI Linux Access Lists and Access Control • Access lists are created as follows: acl aclname type string – Example: acl localnet src 192.168.2.0/255.255.255.0 • Access control lists (http_access) – With http_access a particular access list is either allowed or denied access via the proxy http_access allow|deny aclname – Example http_access allow localnet 31 LPI Linux Reporting Tools • Most log analysis tools available for squid are listed on the following site: http://www.squid-cache.org/Scripts/ • The main logfile for squid is the /var/log/squid/access.log file • Analysis tools: – Calamaris: The code is GPL and can be downloaded from http://cord.de/tools/squid/calamaris – Webalizer: It is also GPL'ed and can be downloaded from http://www.mrunix.net/webalizer/ 32 LPI Linux Summary • Implementing a web server – monitoring Apache load and performance – restricting client user access – setting up client user authentication • Maintaining a web server • Implementing a proxy server 33 LPI Linux ... One of the best free ones is webaliser – http://www.mrunix.net/webalizer/ 24 LPI Linux Webaliser Summary 25 LPI Linux Per day activity – October 20 04 26 LPI Linux Hour analysis – October 20 04 27 LPI Linux Referrer Info... Hat) Last-Modified: Fri, 29 Oct 20 04 14: 47:22 GMT ETag: "49 81dd-92 0-2 2ea7280" Accept-Ranges: bytes Content-Length: 2336 Content-Type: text/html; charset=UTF-8 LPI Linux VirtualHosts • The sharing of a single IP to provide multiple hostnames is well ... This is only supported in HTTP 1.1 and beyond LPI Linux HTTP 1.1 $ telnet linuxzoo.net 80 HEAD / HTTP/1.1 Host: linuxzoo.net HTTP/1.1 200 OK Date: Mon, 01 Nov 20 04 15:06 :44 GMT Server: Apache/2.0 .46 (Red Hat) Last-Modified: Fri,