7.2. Web Architecture


A web server that does any significant work usually consists of many pieces. Figure 7-1 depicts a simplified architecture showing the multiple layers that make up a modern web server.

Figure 7-1. Simplified web server architecture


The most important relationship implied in Figure 7-1 is the transitivity of security. Users on the Internet make requests that invoke one or more other programs that ultimately access resources in the operating system. Depending on your configuration, you may be able to eliminate many of the alternate paths from the Internet to your operating system.

It may be surprising that no firewall or router is depicted in this diagram. Surely your firewall helps protect your web server, right? Only to a point. Many significant attacks that have severe impacts on your organization pass unmodified through proxies, firewalls, routers, and network-based "intrusion prevention systems." They use requests that are well-formed from a protocol point of view but that tickle bugs in the underlying application software. Exploitation of these bugs can yield access to the operating system, all passing happily beneath the radar of the network-based security controls. Third-generation firewalls are only aware of source and target ports; incoming traffic to the HTTP ports 80 and 443 is usually not restricted. Even fourth-generation firewalls, which can analyze and understand HTTP requests, are not 100% effective in stopping well-formed attacks.

Figure 7-2. Layers of security relevant to a web server


One of the goals of securing a web server is to prevent Internet-based users from having unintended interactions with the operating system. Figure 7-2 shows many layers where some sort of protection can be built. The operating system is at the bottom, and the network-based protections are at the top. This chapter focuses on configuring the operating system to protect itself, and making the web server safer than its default configuration.

7.2.1. Server Software Choices

Figure 7-3 shows the Netcraft web server survey from June 2004 ("Nearly 2.5 Million Active Sites Running FreeBSD," Netcraft, Inc., http://news.netcraft.com/archives/2004/06/07/nearly_25_million_active_sites_running_freebsd.html; similar data for OpenBSD was not available). At that time, there were 2.5 million active sites running FreeBSD, and FreeBSD usage had been increasing consistently since January 2002. OpenBSD, while not represented in the graph, is equally strong as a reliable and efficient host operating system for a web server.

Figure 7-3. Hostnames and active sites running FreeBSD, January 2002 to June 2004


There are really only a handful of production-quality web servers that see a lot of use on the Internet. Apache dominates, accounting for approximately two thirds of all web servers, according to Netcraft LTD (http://www.netcraft.com/). The other products that rank behind Apache, SunONE and Microsoft's IIS, do not run on FreeBSD or OpenBSD.

Apache is an excellent choice for almost any web application. It is the most flexible, best-documented, and best-supported web server available. If you need something from a web server, chances are that a good solution already exists using Apache (and perhaps one or more modules).

We also discuss thttpd, a compact, no-frills web server that's easy to configure and manage. It doesn't offer all the complex APIs and integrated middleware that Apache does, but it can serve static pages very quickly and does a remarkable job of throttling and smoothing the bandwidth used by its traffic.

The Zeus web server is a commercial product that does not run natively on either operating system we consider here. Although it ranks fourth in popularity on the Internet according to Netcraft LTD, it accounts for only 1.5% of web servers.

    Mastering FreeBSD and OpenBSD Security