Apache
One year after its introduction the Apache webserver was already the most popular webserver, and it stayed that way for a long time, though since around 2006 there seems to be a shift. Can you think of reasons for this change? Explain.
There was a high rise in MS IIS, almost the same as Apache's decline in market share.
- It could be the case that at that time MS rolled out a lot of web services running on its own IIS server.
- It could also be that some service providers suddenly switched from an Apache environment to IIS. The change can be dramatic if the hosting company is large enough.
- MS Windows Server rolled out a new version that year and gained a lot of new users. Those new users all run the IIS service by default and host some kind of company website, like SharePoint.
Since the end of 2008 there is another noticeable change in the graph. What is happening and how does that affect all servers? Explain.
At the end of 2008 / beginning of 2009, there is a peak in the “other” web servers. This could be because QQ.com switched from Apache to its own web server application. On the newly built platform they host some kind of blog service and gave a virtual domain name to every user (usernumber.qq.com). In this way, there are suddenly many millions of virtual hosts running QZONE. This made the others suddenly look smaller as well. One point worth mentioning is that they claim to have more than 160 million unique users, and each of them can have more than one user account. This made the picture look even worse.
Installing Apache
Older source trees like 2.0.* and 1.3.* are still maintained. Can you think of reasons why?
- For compatibility reasons: it might be the case that people created old applications which only work on the old platform.
- For legacy reasons: it might be too expensive and tricky for a big company to follow the fast changes of the software.
- People do not want, or do not want to bother with, the new features of the new software.
Virtual hosts
Implement virtual hosting in the webserver for the virtual domains you created in the assignment about MTAs.
I did this for my www.rome.practicum.os3.nl (see my log for that). In short, to be able to host virtual hosts, one has to do the following:
- enable it at compile time ( --enable-vhost-alias )
- enable it in httpd.conf ( Include conf/extra/httpd-vhosts.conf )
- configure httpd-vhosts.conf
- restart the server! :)
Make sure the webmaster email for the virtual domain goes to the mailserver for the virtual domain.
I did this by putting my email address for the virtual domain into httpd-vhosts.conf:
ServerAdmin vic@rome.practicum.os3.nl
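A quick way to verify this requirement across every virtual host is to parse httpd-vhosts.conf and check that each ServerAdmin mailbox lives inside its own virtual domain. This is an added example, not part of the original log; the configuration it embeds is constructed (the second vhost and its addresses are made up), and only ServerAdmin/ServerName/ServerAlias are read.

```python
import re

# Constructed sample httpd-vhosts.conf (not the page's own file). The first block
# mirrors the ServerAdmin line above; the second points the admin at a foreign domain.
SAMPLE_VHOSTS = """\
NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin vic@rome.practicum.os3.nl
    ServerName www.rome.practicum.os3.nl
    ServerAlias rome.practicum.os3.nl
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@hosting.example.net
    ServerName www.shop.example.org
</VirtualHost>
"""

BLOCK_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerAdmin|ServerName|ServerAlias)\s+(.+?)\s*$", re.M | re.I)

def parse_vhosts(text):
    """One dict per <VirtualHost>: all its names (ServerName + aliases) and admin."""
    hosts = []
    for body in BLOCK_RE.findall(text):
        host = {"names": [], "admin": None}
        for key, value in DIRECTIVE_RE.findall(body):
            if key.lower() == "serveradmin":
                host["admin"] = value.lower()
            else:                      # ServerAlias may list several names
                host["names"] += value.lower().split()
        hosts.append(host)
    return hosts

def admin_in_domain(host):
    """True if the ServerAdmin mailbox is inside the virtual domain: its mail
    domain equals one of the host's names or is a parent of one of them
    (vic@rome.practicum.os3.nl is fine for www.rome.practicum.os3.nl)."""
    admin = host["admin"] or ""
    if "@" not in admin:
        return False
    mail_domain = admin.rsplit("@", 1)[1]
    return any(n == mail_domain or n.endswith("." + mail_domain) for n in host["names"])

def check(text):
    """Map each vhost's ServerName to whether its ServerAdmin is in-domain."""
    return {h["names"][0]: admin_in_domain(h) for h in parse_vhosts(text) if h["names"]}
```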
Encryption
Configure your webserver to support SSL/TLS. Note the hints below!
I did this in my log. In short, to enable SSL, do the following:
- enable it at compile time ( --enable-ssl )
- enable it in httpd.conf ( Include conf/extra/httpd-ssl.conf )
- create a certificate ( request a certificate from a CA and put it in the desired directory ):
  - create a private key
  - create/request a CA
  - create/get a certificate
What encryption standards does the webserver support using the standard configuration file?
I found this in httpd-ssl.conf
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
But hey, what is it? I can get more meaningful information by using the openssl command:
vic@rome:/usr/local/apache2/conf$ openssl ciphers -v 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
We see a lot of options. That can mean user friendly, but also cracker friendly.
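To see at a glance which of the suites above are the "cracker friendly" ones, here is a small audit script (an added example, not part of the original log) that parses `openssl ciphers -v` output and flags export-grade, SSLv2, RC4/RC2, sub-112-bit and MD5-MAC suites. The embedded listing is a constructed subset of the output above; the rules are the ones relevant to this cipher string, and by today's standards SSLv3 and 3DES would be flagged as well.

```python
import re

# Constructed sample: a subset of the `openssl ciphers -v` listing above,
# embedded so the script runs offline.
SAMPLE = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
"""

# One `openssl ciphers -v` line: NAME PROTO Kx= Au= Enc=CIPHER(BITS) Mac= [export]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=\S+\s+Au=\S+\s+"
    r"Enc=(?P<enc>\w+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?$"
)

def weak_reasons(line):
    """Reasons one cipher line should be considered weak ([] = no rule fired)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised cipher line: {line!r}")
    reasons = []
    if m.group("export"):
        reasons.append("export grade (512-bit key exchange)")
    if m.group("proto") == "SSLv2":
        reasons.append("SSLv2")
    if m.group("enc") in ("RC4", "RC2"):
        reasons.append(m.group("enc"))
    if int(m.group("bits")) < 112:      # DES(56), 40-bit export, None(0) for eNULL
        reasons.append(f"{m.group('bits')}-bit key")
    if m.group("mac") == "MD5":
        reasons.append("MD5 MAC")
    return reasons

def audit(listing):
    """Map (name, protocol) -> reasons for every line of a `ciphers -v` listing.
    Keyed by protocol too, because e.g. RC4-MD5 appears for both SSLv2 and SSLv3."""
    return {
        (l.split()[0], l.split()[1]): weak_reasons(l)
        for l in listing.strip().splitlines()
    }
```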
Describe how you created your own certificate for your webserver.
I created my certificate using a single command. It is really ONLY for testing. It is even worse than the fake CA method in a certain way.
openssl req -new -x509 -days 30 -keyout /usr/local/apache2/conf/ssl.key/server.key -out /usr/local/apache2/conf/ssl.crt/server.crt -subj '/CN=Test-Only Certificate'
This command creates a private key and a self-signed certificate with that key. In the certificate only the CN is mentioned. The reason I say it's worse than a fake CA in a certain way is that when I used it in the browser, the browser explicitly complained that no CA could be found.
How does this influence authentication?
Well, the user receives security warnings when visiting the site over https. He has to manually add the certificate to the trusted certificates to be able to view the content. Hence the integrity of the content and the identity of the publisher of the content cannot be ensured.
You can test your secure webserver using a web browser, but you can also use openssl or curl. Test your webserver using these tools.
I did it in my log. It's just a command line tool.
openssl s_client -connect www.rome.practicum.os3.nl:443
issuer=/CN=Test-Only Certificate
---
No client certificate CA names sent
---
SSL handshake has read 1151 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5D848897BE2D1F51E0AF86DDD99D6126B3CF708B1DC70869FA76672340D61EBD
    Session-ID-ctx:
    Master-Key: 163EE922435C65EFF9991FBD8A71F2219647049CB6E5DA33472D228233E7E7C5A1D03F1DC639AFE822C0FF2966B32E61
    Key-Arg   : None
    Start Time: 1287745406
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
curl
curl https://www.rome.practicum.os3.nl
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
Both say that my certificate is not OK, which is as it should be.
Webserver security
Investigate what configuration options there are that govern user access right.
Please see the answers below.
What options are there?
The admin can change user access rights in two ways in general:
- change the <Directory> block and tweak the Allow/Deny clauses in httpd.conf
- if it is allowed in httpd.conf, use a .htaccess file to limit the access
The first method can be done by the administrator of the server. But the second one can be done by a normal user of the web server. So choose accordingly.
What ways are there to use these options on documents?
In both ways, we can allow/deny certain traffic to certain directories and files. We can define the order for applying the rules we defined, and we can define multiple rules.
<Directory /dir/name>
    Order Deny,Allow
    Allow from ip-address
    Allow from domain-name
    Deny from ip-address
    Deny from domain-name
</Directory>
Also extended options are available
AuthType Basic
AuthName "Password Required"
AuthUserFile /www/passwords/password.file
AuthGroupFile /www/passwords/group.file
Require group admins
The above configuration can be used in both httpd.conf and .htaccess. It will ask the user for a password to enter the folder, and he must be a member of the group admins.
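Because the Order directive decides what happens when a client matches neither rule set or both, here is a small evaluator (an added example, not from the log or from Apache) that reproduces the Apache 2.2 mod_authz_host semantics of Order Deny,Allow versus Order Allow,Deny for Allow from / Deny from arguments. The rule sets at the bottom are constructed, and domain-name matching assumes the caller supplies the client's reverse-DNS hostname.

```python
import ipaddress

def _matches(rule, client_ip, client_host=None):
    """Does one `Allow from` / `Deny from` argument match this client?
    Handles `all`, a full or partial dotted IP (10.1 covers 10.1.x.x), a CIDR
    network, and a domain name (matched on whole labels at the end of the
    reverse-DNS hostname, which Apache looks up when a domain rule is present)."""
    rule = rule.lower()
    if rule == "all":
        return True
    if "/" in rule:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    if rule[0].isdigit():
        octets = rule.split(".")
        return client_ip.split(".")[:len(octets)] == octets
    host = (client_host or "").lower()
    return host == rule or host.endswith("." + rule)

def is_allowed(order, allow, deny, client_ip, client_host=None):
    """Apache 2.2 `Order` semantics:
      Order Deny,Allow: default allow; an Allow match overrides a Deny match
      Order Allow,Deny: default deny;  a Deny match overrides an Allow match"""
    allowed = any(_matches(r, client_ip, client_host) for r in allow)
    denied = any(_matches(r, client_ip, client_host) for r in deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("Order must be Deny,Allow or Allow,Deny")

# Constructed rule sets. The first shows the classic pitfall: under Deny,Allow the
# `Deny from 10.0.0.5` line has no effect, because `Allow from all` overrides it.
BLOCK_ONE_HOST_WRONG = dict(order="Deny,Allow", allow=["all"], deny=["10.0.0.5"])
BLOCK_ONE_HOST_RIGHT = dict(order="Allow,Deny", allow=["all"], deny=["10.0.0.5"])
INTRANET_ONLY = dict(order="Deny,Allow", allow=["10.1", "practicum.os3.nl"], deny=["all"])

if __name__ == "__main__":
    for label, rules in [("wrong", BLOCK_ONE_HOST_WRONG), ("right", BLOCK_ONE_HOST_RIGHT)]:
        print(label, "10.0.0.5 allowed:", is_allowed(client_ip="10.0.0.5", **rules))
    print("intranet, 192.0.2.9 allowed:", is_allowed(client_ip="192.0.2.9", **INTRANET_ONLY))
```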
Does the Apache documentation provide any tips?
Yes. See the security tips document here: http://httpd.apache.org/docs/2.0/misc/security_tips.html
- Keep (software) up to Date
- (limit) Permissions on ServerRoot Directories
- (limit) Server Side Includes
- (limit dynamic contents) in General
- Protect Server Files by Default
- Watching Your Logs
And this document, which is a “howto” style document but gives good practice on .htaccess.
Now create two webpages, one with a simple SSI instruction and one with a simple Perl/Python/Ruby CGI script
I did this in my log.
Set up your webserver so that only code on these pages can be executed.
SSI is allowed on htdocs/rome.practicum.os3.nl/. I put
<Directory "/htdocs/rome.practicum.os3.nl">
    Options +Includes
</Directory>
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
So only .shtml files in that folder will have SSI enabled.
For Perl, I give the CGI option only to the cgi-bin directory (note that Options must be either all relative, with + or -, or all absolute, so the original FollowSymLinks without a + would be rejected by Apache).
<Directory "/usr/local/apache2/cgi-bin">
    AllowOverride None
    Options +FollowSymLinks +ExecCGI
    Order allow,deny
    Allow from all
</Directory>
sudo chmod +x test.cgi
Only test.cgi can be executed, since only it has the x bit enabled.
We can further limit this to the document level for both files by using the following tags.
<Files "index.shtml">
    Options +Includes
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Files>
<Files "test.cgi">
    Options +FollowSymLinks +ExecCGI
</Files>
But this does not scale and can easily mess up the configuration file.