Chapter 7. Building a Secure Web Server

What he trusts in is fragile;
what he relies on is a spider's web.

Job 8:14, Holy Bible, New International Version

The World Wide Web: to many people, it is the Internet. Few machines in your network are so blatantly visible when they are compromised. Your router might be weak or your mail server might be compromised, but the average person finds that hard to see. If your web server is compromised, however, all manner of things go very wrong very fast: your organization might be publicly humiliated, it might lose money or sales, or your server might be commandeered to attack another site. Additionally, the web server is a core system in your network that probably has many non-administrators working on it. If your mail server suddenly breaks or the firewall starts denying everything, you know that either an administrator or an attacker did it. With web servers, code and configuration come from any number of sources, managed by a wide variety of people with varying skill sets, so the potential for inadvertent problems is high. The system is critical, and there are many sources of problems both inside and outside your organization. Fortunately, FreeBSD and OpenBSD give you an outstanding tool chest full of diverse tools for securing your web servers.

In this chapter, we focus on Internet-facing web servers, because FreeBSD and OpenBSD systems thrive there despite the hostile environment. First, we cover a variety of topics related to running a secure web server, starting with the importance of web server security and the kinds of attacks web servers face. Next, we describe a general web architecture that puts the operating system and the web server software in context. Having established why you care about security and which defenses the operating systems can offer, we describe how to install and configure two popular web server packages: Apache and the Tiny HTTP daemon (thttpd). Apache is the best known and most commonly used web server on the Internet, and it can do just about everything. Because of its Swiss-army-knife capabilities and the corresponding potential to misconfigure it, we focus on a variety of pitfalls and best practices for configuring it. The thttpd server is less well known but is often used by people running very demanding web sites. It has a variety of very specific, performance-oriented features but far fewer settings, so its configuration is necessarily simpler.

Mastering FreeBSD and OpenBSD Security
ISBN: 596006268