Apache Web Server for NetWare replaces the NetWare Enterprise Web server, and is the only HTTP stack provided for NetWare 6.5. The Apache Web server is an open source Web server used by more than two-thirds of the Internet's Web servers. As such, it runs on all major server platforms and can scale to support thousands of simultaneous connections.

Apache Web server is a complex and full-featured Web server, so there is a lot more to it than can be covered here. However, because Apache is an open source application, almost anything you want to know about it is available on the Web. You should take some time to look through the open source Apache documentation in order to become familiar with its architecture and capabilities, particularly if you are going to implement a more complex Web environment. The Apache Web server documentation is available online at http://httpd.apache.org/docs-2.0.

Apache Web server is used in two separate ways on NetWare 6.5. First, one instance of Apache is installed automatically as a dedicated Web server to support the administration tools for NetWare 6.5 and its related products and services. You can find all files related to this instance of Apache in the SYS:ADMINSRV directory. The admin server supports Web Manager, iManager, iFolder, iPrint, and other NetWare 6.5 services that need a Web interface.

A second instance of Apache can optionally be installed on NetWare 6.5 that will function as a dedicated Web server for hosting your organization's Web services, such as a corporate intranet, external Web site, or any other Web service. You can find all files related to this instance of Apache in the SYS:APACHE2 directory.

When you use iManager, accessible from any Web browser (including the new Web browser now available from the NetWare GUI), it is the Admin instance of the Apache Web server that is serving up the data between the Web browser and NetWare 6.5.
Installing Apache Web Server

If you are interested in using Apache only as the foundation for your NetWare 6.5 tools and services, you don't have to do anything to get Apache up and running. The admin server instance of Apache is installed automatically during the NetWare 6.5 installation. However, if you want to create a dedicated Web server on NetWare 6.5, you need to specify the installation of the second instance of Apache.

If you didn't select Apache as one of the NetWare 6.5 components to install during the initial server installation, you can install it after the fact through iManager. To install Apache Web server through iManager, complete the following steps:
Once Apache Web server is installed, the following commands are inserted into the server's AUTOEXEC.NCF to load Apache and Tomcat automatically whenever the server starts:

AP2WEBUP
SYS:\TOMCAT\BIN\TOMCAT4.NCF

The full path for TOMCAT4.NCF is optional because a SEARCH ADD path for this directory is also provided. However, by default, the TOMCAT4.NCF load statement includes the path.

To unload Apache Web server and Tomcat, use the following console commands:

AP2WEBDN
TC4STOP

The admin server instance of Apache and Tomcat are also loaded automatically from the AUTOEXEC.NCF with the following commands:

ADMSRVUP
TCADMUP

To unload the admin server and Tomcat, use the following commands:

ADMSRVDN
TCADMDN

Apache Web Server Configuration

Apache Web servers are managed through a configuration file: HTTPD.CONF. NetWare 6.5 stores HTTPD.CONF in SYS:APACHE2\CONF\. Typically, this means that you manually edit the configuration file to configure Apache. However, NetWare 6.5 offers Apache Manager, which puts a browser-based face on the HTTPD.CONF file. Apache Manager not only reduces the potential for errors, but also lets you manage your Web server environment from any Web browser.

NOTE: The admin server instance of Apache Web server also uses a configuration file, SYS:ADMINSRV\CONF\ADMINSERV.CONF. However, you will likely not have to modify this file as part of your network administration duties.

Apache Manager operates in two modes: File and Directory. If you are running a single Web server, you can use the File mode to modify the HTTPD.CONF and store it directly on the Web server. To launch Apache Manager in File mode, complete the following steps:
From this page, you can perform all the necessary configuration and management activities associated with Apache Web server. When changes are made, they will be written to the HTTPD.CONF file on the Apache Web server. However, if you are running multiple Apache Web servers in your environment, consider using Apache Manager in Directory mode. Directory mode lets you share configurations between several Apache Web servers by storing the configuration file in eDirectory. In Directory mode, a configuration daemon imports the contents of the HTTPD.CONF file from each Web server into eDirectory. To launch and configure Apache Manager in Directory mode, you should first load the configuration daemon on each Apache Web server in your environment:
Once this has been done on all Apache Web servers, all configuration files will be stored in eDirectory. Once this is done, you are ready to run Apache Manager in Directory mode:
With the complete Apache Web server configuration file in eDirectory, the configuration can now be applied to a single server, to a group of servers, or to all servers in your Web environment. Apache Manager lets you define groups of servers and apply a consistent configuration to all servers in the group. When a change is made to the configuration file, the configuration daemon will make sure that the change is replicated to each server in the group so that everything stays consistent.

Figure 9.2. Apache Manager running in Directory mode.
However, the configuration options themselves are identical whether you manage your Apache Web servers in File or Directory mode. So, for simplicity's sake, the actual Apache Web server configuration issues are discussed from the perspective of File mode. For more information on using Apache Manager in Directory mode, see the NetWare 6.5 online documentation.

Storing Web Content

The most important aspect of running a Web server is making sure that the various Web pages are available to your Web users. Although the art of creating Web pages is beyond the scope of this book, you need to know the basics about storing files on Apache Web servers so that pages will be available as needed. There are three main Web server directory features with which you should become familiar to do this: Document Root, Additional Document Directories, and User Home Directories.

Document Root

The home page associated with your Web server's IP address and/or DNS name is stored in the document root with the name INDEX.HTM (or .HTML). From the home page, you can create links to other pages, graphics, and applications as needed. Secondary resources can have any filename.

The document root, also called the primary document directory, is where a Web server will start looking for requested Web pages and resources. By default, the Apache Web server document root is set to the following location:

SYS:APACHE2\HTDOCS

Because it's not necessarily a good idea to use the SYS: volume for storing your Web pages, you can change the document root to another volume and directory by completing the following steps:

NOTE: For the best Web server performance, you should keep the document root as high in the directory structure as possible to reduce document search times.
Apache will be restarted so that the change will take effect.

Additional Document Directories

You can also create additional document directories for those who want to publish their own content, but to whom you don't want to grant access to the document root. This also lets you easily distribute the responsibility of Web content to those responsible for it.

NOTE: Additional directories don't even have to be located on the Web server. You can specify another server's volume and directory so long as that server is accessible from the Web server via TCP/IP.

To set an additional document root, complete the following steps:
You will see a list of all additional document directories that are currently defined for this Apache Web server. In addition to creating new document directories, you can configure those that have already been defined.

User Home Directories

This feature lets you set up document directories for each user in your eDirectory tree. This lets users access their own files from a Web browser. Effectively, users can have their own personal Web sites. To create a document directory for a user, complete the following steps:
Apache will be restarted so that the change will take effect. Once enabled, users can view the content of their user home directory by typing the domain name, followed by a slash (/), followed by ~usersname. For example:

http://www.quills.com/~jharris

Hosting Multiple Web Sites

Apache supports virtual servers to host multiple Web sites on a single physical server. This lets a single NetWare 6.5 server potentially host all your Web server needs. This is useful if you need to let different divisions or departments host their own Web resources, or if you are an ISP and need to host multiple Web sites for your clients without having a separate physical server for each one of them. You can host two types of virtual servers on your NetWare server:
NOTE: To support software virtual servers, configure Apache to listen on the additional ports by using the Listen Ports link in Apache Manager. From this page, you can define all the ports to which the Apache Web server should listen for incoming requests.

For more information on both of these virtual server options, see the Novell online documentation. To set up a virtual server, complete the following steps:
Apache will be restarted so that the new virtual server can be loaded as configured.

NOTE: For more information on both hardware and software virtual servers, you should review the Apache documentation on the subject at http://httpd.apache.org/docs-2.0/vhosts/.

Apache Modules

The Apache Web server has been developed with a component architecture that permits functionality to be added through the addition of a functionality-specific module. A module is a specially developed extension for Apache Web server that provides new or expanded functionality. Requests directed to an Apache Web server pass through a series of stages as they are handled. Some of the Apache stages include authentication, authorization, and access control. Modules can be inserted at these, or any other, stage to provide increased functionality. There are several modules available for use with Apache Web server on NetWare 6.5:
You can enable the caching module and the three scripting modules by selecting the Modules button in the header of Apache Manager. For more information on using Apache modules, see the NetWare 6.5 online documentation and visit the Apache Web server documentation site at http://httpd.apache.org/docs-2.0/mod/.

Adding Content to Your Web Site

After Apache Web server has been installed and enabled, you can immediately access a sample Web page and some subpages that are included for demonstration. The default Web pages look just like Web Manager, but lack the links to the management utilities that are available through the secure interface. This content is stored in the default document root at SYS:APACHE2\HTDOCS. To view the sample Web site, open a client Web browser on a workstation in your network and enter your NetWare server's IP address or DNS name. For example:

http://<server_IP_address>

or

http://<domain_name>

Once your Web server is running, you can start posting content for your Web server audience to access, whether that's your department, your company, or the whole world. Do this by placing files in the Web server's primary or additional document directories.

For example, suppose you created a new HTML file called MKTG_DOCS.HTM that includes links to the marketing collateral for your organization. You would probably copy that file to the additional document directory assigned to the marketing organization; for example, PRV_DATA:\WEB_PAGES\MARKETING. Once the file is stored in the additional document directory, users can access the file by entering the Web server's DNS name together with the additional document directory identifier and the filename. For example:

HTTP://WWW.QUILLS.COM/MARKETING/MKTG_DOCS.HTM

The same general process governs the creation of any Web content, whether that content is an Internet site, a corporate intranet, a departmental page, or even a personal Web page.
What differentiates one Web site from another is how it is available (internally versus externally) and what type of server it is running on. External sites and larger corporate sites are usually run on dedicated Web servers or hardware virtual servers, whereas smaller departmental sites work well on software virtual servers where users can easily create personalized pages, if necessary.

Publishing Content to a Web Site

When you are configuring an internal Web site, you will often have areas of a Web site that are available for contributors to publish their content. This makes it possible for users to communicate within a department, share information with other departments, and communicate items of general interest.

NOTE: Virtual Office is a powerful new feature for NetWare 6.5 that makes it much easier to create temporary or ad hoc portals for information sharing purposes. For more information on Virtual Office, see Chapter 10.

Web content contributors have several options for publishing content to your Web server. For example:
Additionally, users who are familiar with Web publishing tools can choose any of those with which they are familiar.

Publishing Content Using a Mapped Drive

If your contributors are using the Novell Client, this is one way of providing access to Web content areas. Use iManager to assign the appropriate rights to Web content contributors and provide users with the correct network path so they can map a drive to the content directory. You can also set up the drive mapping in a login script. For more information on login scripts with the Novell Client, see Appendix B.

Publishing Content Using Internet Explorer

Web-distributed authoring and versioning (WebDAV) is an industry-standard protocol that enhances HTTP, turning the Web into a document database that enables collaborative creation, editing, and searching from remote locations. WebDAV support is provided on NetWare 6.5 through NetStorage. With NetStorage enabled, you can publish content directly to a specified document directory from Internet Explorer. For more information on NetStorage, see Chapter 10.

Publishing Content with NetDrive

Novell NetDrive lets you map a drive to any server without using the traditional Novell Client. This means that with NetDrive, you can access your files on any server and modify them through standard Windows utilities such as Windows Explorer. The NetDrive client can be installed from the Novell client's CD-ROM. For more information on NetDrive, see Chapter 10.

Securing Web Content

Once you have content organized and published, you should immediately start looking for ways to prevent unauthorized access and malicious tampering with your Web resources. There are three main areas that affect the security of Apache Web server: authentication, authorization, and encryption.

Authentication

As mentioned previously, Apache Web server integrates with any LDAP directory to provide authentication services through the mod_ldap_auth module.
This makes it possible to integrate Apache with almost any directory service that is available, including Novell eDirectory. Apache will refer to the LDAP directory to determine access controls, authentication credentials, and so on. The mod_ldap_auth module, discussed previously, provides this support.

Authorization

Apache must be able to access both eDirectory and remote server file systems in order to determine access rights to Web resources that a user might request when he or she visits an Apache-hosted Web site. The mod_edir module provides Apache with the capability to access both eDirectory and remote file systems in order to determine user rights. Two authorization modes are supported: Anonymous and Authenticated.

Anonymous Mode

Instead of using a username and password to authenticate to eDirectory or the remote file system, Anonymous mode lets Apache leverage [Public] rights to access eDirectory and remote file systems. However, in order to use Anonymous mode, you must do two things.

First, you must grant [Public] access to the Home Directory attribute associated with every User object in the eDirectory tree. This is necessary in order to provide users with access to their home directories through the Web server.

Second, in order to access a remote server's file system, the NetWare 6.5 server running Apache must be able to log in to the remote server. To make this possible, make sure the Apache server hosts a local eDirectory replica and grant the Apache Web server's eDirectory object Read and File Scan rights to all remote file systems it will need to access.

Authenticated Mode

Instead of relying on [Public] access rights, Authenticated mode leverages a username and password that you create specifically for the Apache Web server. This username and password are stored in the Apache Web server's HTTPD.CONF file. This information must match an eDirectory user object that is created for the Apache Web server to use.
This User object is then assigned rights to access the Home Directory attribute of all User objects in eDirectory, and Read and File Scan rights to all remote file systems that it will need to access.

Because storing an eDirectory username and password in HTTPD.CONF poses a significant security risk, you should restrict access to the HTTPD.CONF file to only those with administrative rights to your Web server environment. You can also create a separate .CONF file that holds only the Apache directives necessary to specify the user ID and password of the Apache User object. Then you can reference this .CONF file from HTTPD.CONF whenever it is necessary.

Encryption

Encryption is the third aspect of a sound Web server security policy. Apache Web server can take advantage of the robust cryptographic foundations provided by NetWare 6.5, including the cryptographic keys and certificates provided by Novell Certificate Server. Certificate Server lets you create and securely store server certificates that can be used to encrypt Web server communications with SSL. Once enabled, SSL requires that you use the HTTPS:// prefix rather than the standard HTTP:// prefix when specifying URLs. For more information on Certificate Server, see Chapter 6.

SSL communications require a different port from the one used for unencrypted HTTP communications. Port numbers enable IP packets to be routed to the correct process on a computer. A total of 65,535 port numbers are available. Some port numbers are permanently assigned to a specific process; for example, email data under SMTP goes to port number 25. Other processes, such as Telnet sessions, receive a temporary port number during initialization. The Telnet port is reserved for use by the Telnet process only while the session is active. When the Telnet session terminates, the port is released for potential use by another process. By default, unencrypted HTTP uses port 80 and encrypted HTTP (SSL) uses port 443.
To configure a secure port on which Apache can listen for secure communications, complete the following steps:
In the Add Listen Port page, you will see a list of all currently configured listening ports for Apache. From this page, you can also edit or delete existing listen ports, as needed.

You should be careful as you create new listening ports that you aren't creating any conflicts with existing IP services. Some ports in the NetWare 6.5 environment can be reassigned, whereas others are permanent. Table 9.1 shows the default port assignments for NetWare 6.5 Web services as a starting point for planning the installation and configuration of your Web services.

Table 9.1. Default Port Assignments
Apache Web Server Management

There are several pages of configuration options for the Apache Web server. They are organized into groups that correspond to the various buttons in the Header frame. In each group, the Navigation frame on the left provides links to specific configuration pages for Apache Web server. The following sections describe those features, not previously discussed, which are available in each group.

Server Preferences

This group of settings allows you to configure specific server-level settings that govern the behavior of the Web server itself. Server Preferences is the default group when the Apache Web server management interface is opened.

Server Status

This page shows you the current status of the Web server (Up or Down) and allows you to stop and restart the Web server remotely. It also tells you the configuration file management option that is currently in use (File or Directory).

View Configuration

This page gives you easy access to the server configuration parameters stored in HTTPD.CONF. It displays an abbreviated look at Apache's configuration parameters, showing some of the more important Web server settings (see Figure 9.4). Clicking any of the links displays a page that allows you to modify the information in these files. Make any necessary changes, click Save, and then choose Save and Apply to restart the server with the new settings.

Figure 9.4. The View Configuration page in Apache Manager.
Restore Configuration

If you have made changes to your server that have caused unwanted results, the Restore Configuration page can help you get back on track (see Figure 9.5). On this page, you will see a list of versions, dates, and change log notes indicating what was changed in Apache's configuration file each time. These are backups of every configuration that your server has had.

Figure 9.5. Restoring previous versions of HTTPD.CONF with Apache Manager.
Apache saves a backup copy of HTTPD.CONF each time you make a change. These previous versions are stored in SYS:\APACHE2\CONF\BACKUP. By clicking the Restore button for a particular date and time, you can restore your server to the exact configuration it had at that time.

Performance Tuning

The Performance Tuning page enables you to make some basic performance adjustments to Apache Web server. However, the changes available through the Performance Tuning page are only the tip of the iceberg when compared to the options available by editing HTTPD.CONF directly. Editing HTTPD.CONF directly can also lead quickly to problems if you are not very familiar with Apache server directives. Before going down that path, review the relevant material on the Apache documentation Web site at http://httpd.apache.org/docs-2.0.

NOTE: You will have much greater control over HTTPD.CONF if you are using Apache Manager in Directory mode as opposed to File mode. Directory mode was discussed earlier in this chapter.

MIME Types

Also known as context labels, MIME (Multipurpose Internet Mail Extension) types specify the file types that Apache Web server recognizes and supports. The MIME Types configuration file is SYS:APACHE2\CONF\MIME.TYPES. If you want to put MP3 files on your server, for example, you must add the MP3 extension to your MIME types. If this extension is not added, the server transfers the file to the user as text, instead of as a sound file.

The Global MIME Types page makes it easy to add new types. From this page, you can also delete or modify existing types. To add a new MIME type to your Web server, provide the following information:
Once you have entered the information, click New and your new MIME type will be added.

Network Settings

This page lets you specify three settings for your Apache Web server:
Listen Ports

This page lets you configure the various ports that Apache Web server uses to listen for incoming requests. This information was discussed previously.

Error Responses

Typical HTTP error messages are pretty generic and do not give much information. Use the Error Responses page to customize error messages and potentially redirect the client to a location where more help is available. When a server cannot complete a request, it can send one of the following four error messages to the client:
There are many situations in which you might want to use custom messages. For example, if users are denied access, instead of receiving a message that simply says "Unauthorized," they could receive a custom error message that explains the reason they were denied access and points them to the help desk to have an account created. To change the error response for your server, complete the following steps:
If you want to return to the default error messages, simply delete the custom information in the dialog box and click Save.

Server Logs

Apache Web server provides two types of server logs for tracking what is happening in your Web server environment. To view the error logs, click the Server Logs button in the header of Apache Manager.

Access Log

Select View Access Log in the left navigation frame to see Apache's access log. The access log records information about Web clients that access your Web server, and records client information such as IP addresses and date and time of access. By default, the access log is SYS:\APACHE2\LOGS\ACCESS_LOG.

Select Log Preferences in the left navigation frame to configure access log settings. From this page, you can enable/disable access logging, change the log filename and location, manage the log file rotation scheme to prevent files from getting too big, and specify what information is logged.

Error Log

Select View Error Log in the left navigation frame to see Apache's error log. The error log records diagnostic information related to errors that occurred while processing requests. The error log is very important because it often contains details of what went wrong and how to fix it. By default, the error log is SYS:\APACHE2\LOGS\ERROR_LOG.

From View Error Log, you can also set the number of entries to display on a page, as well as filter entries for specific content, such as a specific error code.

Select Error Preferences in the left navigation frame to configure error log settings. From this page, you can change the log filename and location, manage the log file rotation scheme to prevent files from getting too big, and set the log level, or level of detail, you want included in the error log.

Content Management

Apache Web server offers many options for configuring and storing your Web content. To access these options, click the Content Management button in the header of Apache Manager.
Primary Document Directory

This page lets you set the primary storage location for Web server content, and was discussed previously.

Additional Document Directories

This page lets you set secondary document locations for Web server content, and was discussed previously.

User Home Directories

This page lets you configure locations where individual users can manage and access their own Web content. This information was discussed previously.

Document Preferences

Use this page to set the default Web page that Apache Web server will look for if no specific file is specified in a client's request. By default, this is INDEX.HTML, but you can set this to any filename you want.

URL Forwarding

Forwarding URLs is a common task on the Internet because Web sites move to new locations for various reasons. URL forwarding enables you to specify a forwarding address for any URL on your server. That way, if you move your Web site, a user can still type the old URL, but her browser automatically connects to the new location.

To forward a URL, simply provide the pathname of the content that has moved, and then specify the new location for that content. Then, when a Web client requests the content, Apache returns the new URL to the client, which then requests it from the new location.

CGI Extensions

Common Gateway Interface (CGI) provides a very common method for adding dynamic content to a Web site. The CGI Extensions page lets you specify how Apache Web server handles CGI scripts. To configure a CGI interpreter, simply provide the required information and click Add.
Virtual Hosts

This page lets you configure software and hardware virtual hosts. Virtual hosts were discussed previously in this chapter.
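
As an added example (not from the original chapter or from Novell), the following Python script reads the access log described under Server Logs and lists clients that were repeatedly answered with 401, 403, or 404, or that requested many different user home directories (/~name). It assumes the log is written in Apache's Common Log Format; the sample lines, client addresses, and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format (assumed): host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# A user home directory request: /~name, optionally followed by a path.
USER_DIR = re.compile(r'^/~([^/?#]+)')
# Unauthorized, Forbidden, Not Found.
DENIED = {401, 403, 404}

# Constructed sample lines (documentation address ranges, invented requests).
SAMPLE_LOG = r'''
192.0.2.10 - - [12/Mar/2004:10:01:02 -0700] "GET /MARKETING/MKTG_DOCS.HTM HTTP/1.1" 200 5120
192.0.2.10 - - [12/Mar/2004:10:01:09 -0700] "GET /~jharris/ HTTP/1.1" 200 2048
198.51.100.7 - - [12/Mar/2004:10:02:00 -0700] "GET /~admin/ HTTP/1.0" 404 312
198.51.100.7 - - [12/Mar/2004:10:02:01 -0700] "GET /~root/ HTTP/1.0" 404 312
198.51.100.7 - - [12/Mar/2004:10:02:01 -0700] "GET /~JHARRIS/ HTTP/1.0" 200 2048
198.51.100.7 - - [12/Mar/2004:10:02:02 -0700] "GET /%7Etest/ HTTP/1.0" 404 312
198.51.100.7 - - [12/Mar/2004:10:02:03 -0700] "GET /private/ HTTP/1.0" 401 401
203.0.113.5 - - [12/Mar/2004:10:03:00 -0700] "-" 408 -
this line is not a log entry
'''


def parse_line(line):
    """Return host, user, decoded path and status for one log line, or None."""
    m = CLF.match(line.strip())
    if m is None:
        return None
    parts = m.group("request").split()
    # A timed-out connection is logged with "-" as the request: no path.
    path = unquote(parts[1]) if len(parts) >= 2 else None
    return {"host": m.group("host"), "user": m.group("user"),
            "path": path, "status": int(m.group("status"))}


def summarize(lines):
    """Count requests, denied responses and distinct /~name targets per client."""
    stats = defaultdict(lambda: {"requests": 0, "denied": 0, "home_dirs": set()})
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep a count so format drift is noticed
            continue
        entry = stats[rec["host"]]
        entry["requests"] += 1
        if rec["status"] in DENIED:
            entry["denied"] += 1
        m = USER_DIR.match(rec["path"] or "")
        if m:
            # NetWare names are case-insensitive, so fold case before counting.
            entry["home_dirs"].add(m.group(1).lower())
    return dict(stats), unparsed


def clients_to_review(stats, min_denied=3, min_home_dirs=3):
    """Clients at or above either threshold (threshold values are assumptions)."""
    return sorted(host for host, s in stats.items()
                  if s["denied"] >= min_denied
                  or len(s["home_dirs"]) >= min_home_dirs)


if __name__ == "__main__":
    stats, unparsed = summarize(SAMPLE_LOG.splitlines())
    for host in clients_to_review(stats):
        s = stats[host]
        print(host, "denied:", s["denied"], "home dirs:", sorted(s["home_dirs"]))
    print("unparsed lines:", unparsed)
```

On a NetWare 6.5 server, the input would be the file named in Log Preferences, by default SYS:\APACHE2\LOGS\ACCESS_LOG.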