Apache

There was a hight rise on MS IIS, almost the same as Apache's decline in the market share.

  1. It could be the case that at that time MS roll out a lot of web services run on it's own IIS server.
  2. It could also be that some service provides suddenly switch from apache environment to IIS. The change can be dramatic, if the hosting company is large enough.
  3. MS Windows server roll out a new version that year, and gained a lot new users. And those new users all run the IIS service by default and hosted some kind of company website, like SharePoint.

Since the end of 2008 there is another noticeable change in the graph. What is happening and how does that affect all servers? Explain.

At the end of 2008 beginning of 2009, there is a peak on the “other” web server. This can be the case that QQ.com switched from Apache to its own web server application. On the newly built platform they host some kind of blog service and gave virtual domain name to every user. usernumber.qq.com . In this way, there are suddenly more than millions virtual hosts running QZONE. This did make the others suddenly look smaller as well. One point worth mentioning is they claim to have more than 160 million of unique users, and each of them can have more than one user account. This made the picture look even worse.

Installing Apache

Older source trees like 2.0.* and 1.3.* are still maintained. Can you think of reasons why?

  1. For compatible reasons. it might be the case that people created old application which only work on the old platform
  2. For legacy issues. it might be too expensive and tricky for the big company to follow the fast change of the software.
  3. People do not want to or do not want to bother about the new features of the new software.

Virtual hosts

Implement virtual hosting in the webserver for the virtual domains you created in the assignment about MTA’s.

I did this for my www.rome.practicum.os3.nl (see my log for that). In short, to be able to host virtual hosts, one has to do the following:

  1. enable it during compile time ( –enable-vhost-alias )
  2. enable it in the http.conf ( Include conf/extra/httpd-vhosts.conf )
  3. configure the http-vhosts.conf
  4. restart the server! :)

Make sure the webmaster email for the virtual domain goes to the mailserver for the virtual domain.

I did this by putting my email address for the virtual domain into the http-vhosts.conf. 

ServerAdmin vic@rome.practicum.os3.nl

Encryption

Configure your webserver to support SSL/TLS. Note the hints below!

I did this in my log. In short, to enable SSL, do the following:

  1. enable it during compile ( –enable ssl )
  2. enable in httpd.conf ( Include conf/extra/httpd-ssl.conf )
  3. Create certificate ( request CA for a certificate, put it in the desired directory)
    1. create person key
    2. Create/request a CA
    3. create/get certificate

What encryption standards does the webserver support using the standard configuration file?

I found this in httpd-ssl.conf 

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

But hey, what is it?? I can get more meaningful information by using the openssl command 

vic@rome:/usr/local/apache2/conf$ openssl ciphers -v 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5 
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5 
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

We see a lot of options. It can mean user friendly, but also crack friendly.

Describe how you created your own certificate for your webserver.

I created my certificate using a single command. It is really ONLY for testing. It is even worse than the fake CA method in certain way. 

openssl req  -new  -x509  -days 30  -keyout /usr/local/apache2/conf/ssl.key/server.key   -out /usr/local/apache2/conf/ssl.crt/server.crt  -subj '/CN=Test-Only Certificate'

This command create a private key and request a certificate with that key. In the certificate only the CN is mentioned. The reason I say it's worse than fake CA in certain way, is that when I use this one in the browser, it explicitly complained that no CA can be found.

How does this influence authentication?

Well, user receives security warnings when visiting the site by using https. He has to manually add it to the trusted certificate to be able to view the content. And hence the integrity of the content and the publisher of the content cannot be ensured.

You can test your secure webserver using a web browser, but you can also use openssl or curl. Test your webserver using these tools.

I did it in my log It's just a command line tool. 

openssl s_client -connect www.rome.practicum.os3.nl:443

issuer=/CN=Test-Only Certificate
---
No client certificate CA names sent
---
SSL handshake has read 1151 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5D848897BE2D1F51E0AF86DDD99D6126B3CF708B1DC70869FA76672340D61EBD
    Session-ID-ctx: 
    Master-Key: 163EE922435C65EFF9991FBD8A71F2219647049CB6E5DA33472D228233E7E7C5A1D03F1DC639AFE822C0FF2966B32E61
    Key-Arg   : None
    Start Time: 1287745406
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

curl 

curl https://www.rome.practicum.os3.nl
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

both says that my certificate is not OK, as it shouldn't be.

Webserver security

Investigate what configuration options there are that govern user access right.

Please see below the answers

What options are there?

Admin can change the user access right in two ways in general

  1. change the <Directory> pair, tweak the allow, deny cluseters in httpd.conf
  2. if it is allowed in httpd.conf , we can use .htaccess file to limit the access

The first method can be done by administrator of the server. But the second one can be done by normal user of the web server. So choose it accordingly.

What ways are there to use these options on documents?

In both ways, we can allow/deny certain traffice to certain directory and files. We can define the order for applying the rules we defined. the we can define multiple rules. 

<directory /dir/name>
order deny, allow
allow from ip
allow from domain
deny from ip
deny from domain

Also extended options are available 

AuthType Basic
AuthName "Password Required"
AuthUserFile /www/passwords/password.file
AuthGroupFile /www/passwords/group.file
Require Group admins

The above code, we can use it in both httpd.conf or .htaccess . It will ask user for password to enter the folder and he must be a group member of admins.

Does the Apache documentation provide any tips?

Yes. In the security tips see the document here. http://httpd.apache.org/docs/2.0/misc/security_tips.html

  1. Keep (software) up to Date
  2. (limit) Permissions on ServerRoot Directories
  3. (limit) Server Side Includes
  4. (limit dynamic contents) in General
  5. Protect Server Files by Default
  6. Watching Your Logs

And, this document. It is a “howto” style document. But gives a good practice on .htaccess.

Now create two webpages, one with a simple SSI instruction and one with a simple Perl/Python/Ruby CGI script

I did this in my log.

Set up your webserver so that only code on these pages can be executed.

SSI is allowed on htdocs/rome.practicum.os3.nl/. I put 

<directory /htdocs/rome.practicum.os3.nl>  
Options +Includes 
</directory>
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml

So only shtml file in that folder will have SSI enabled.

For Perl, I give the CGI option only to cgi-bin directory. 

<Directory "/usr/local/apache2/cgi-bin">
    AllowOverride None
    Options FollowSymLinks +ExecCGI
    Order allow,deny
    Allow from all
</Directory>
 
sudo chmod +x test.cgi

only test.cgi can be executed. since only it has the x enabled.

We can further limit to the document level for both files by using the following tag. 

        <Files "index.shtml">
                Options +Includes 
                AddType text/html .shtml
                AddOutputFilter INCLUDES .shtml
        </Files>
        <Files "test.cgi">
                Options FollowSymLinks +ExecCGI
        </Files>

But this does not scale and can easily mess up the configure file.