Running a Web Server


Using Linux, you can configure your computer to act as a web server: a computer that delivers web content to web browsers running on computers around your network or around the Internet at large.

The web server software included with Fedora Core 4 is the single most popular web server platform in use today and is known as the Apache web server. To use your Fedora Core 4 system as a web server with existing web content, you must complete the following tasks:

1. Install the Apache web server by installing the web server software group

2. Install the tools used to configure the Apache web server by checking system-config-httpd in the Server Configuration Tools software group

3. Configure Linux to automatically start the Apache web server each time Linux starts

4. Configure your Linux firewall to allow traffic related to web requests

Installing Apache

You can install the Apache web server using the Package Management tool. Start this tool by choosing Desktop, System Settings, Add/Remove Applications. In the Package Management tool, scroll down to the Servers category and check the box next to the Web Server package group, as shown in Figure 34.1. Then click the Update button to install the new software.

Figure 34.1. Use the Package Management tool to install the Apache web server that comes with Fedora Core 4.


Before you use the Apache web server, you should also install the Apache Configuration tool, so that you can make more involved changes to Apache's configuration if you choose to do so. You can do this in the software configuration tool by following these steps:

1. Click the Details button next to the Server Configuration Tools software group in the Package Management tool, as shown in Figure 34.2.

Figure 34.2. In the Details view for the Server Configuration Tools software group, check the box for system-config-httpd.

2. Check the box next to the system-config-httpd software package.

3. Click Close to close the Details view, then click Update to install the software on your system.

4. Log out of your desktop, then log back in again to update your desktop menus.

The Apache web server and a user-friendly tool to configure it are now installed on your computer system and ready for use. In fact, for many users, no additional Apache configuration is required at all!

Configuring Apache to Start Automatically

To use your Fedora Core 4 computer as a web server after you have installed the Apache web server software, you must configure Apache to start automatically each time you start Linux. To configure Apache to start automatically using desktop tools, choose Desktop, System Settings, Server Settings, Services to start the Service Configuration tool. Check the box next to the httpd service, as shown in Figure 34.3.

Figure 34.3. Use the Service Configuration tool to configure the Apache web server to start each time Linux starts.


After you check the box next to the httpd service, click the Save button to save your changes. Next, click the Start button to start the httpd service now. Then choose File, Quit to exit the Service Configuration tool.

If you prefer to use command-line tools, you can use the chkconfig command to configure the Apache web server to start automatically each time Linux starts at your default runlevel. Call the chkconfig command, supplying httpd and the word on as arguments:

 [root@workstation20 you]# /sbin/chkconfig --level 5 httpd on
 [root@workstation20 you]#

You have now configured your web server to start automatically when Linux starts, but if you've just installed it, it isn't running yet. To start it, either reboot Linux or call the service command, supplying httpd and the word start as arguments to cause the server to start now:

 [root@workstation20 you]# /sbin/service httpd start
 Starting httpd:                      [ OK ]
 [root@workstation20 you]#

Allowing Web Requests Through Your Firewall

Now you have the Apache web server running, but before it can answer web requests from machines on your network or from the Internet at large, you must configure your firewall to allow web requests. To do this, start the Security Level Configuration tool by choosing Desktop, System Settings, Security Level.

Ensure that the security level is set to Enable Firewall, then check the WWW (HTTP) option in the Trusted Services area of the tool, as shown in Figure 34.4. Click OK to save your changes.

Figure 34.4. Check the WWW (HTTP) box in the Security Level Configuration tool to allow web requests through your firewall.


Using the Apache Web Server

After a reboot, or after starting Apache using the Service Configuration tool, your web server is up and running and allowing requests from the outside world. The default Apache configuration is adequate and correct for most users; there is no need for additional up-front configuration when starting out. The properties of the web server in its default configuration are as follows:

  • Your web content goes in the /var/www/html directory tree. Note that any files your web server should deliver must be readable by all users (publicly readable permissions).

  • The contact email address, which is displayed to visitors when errors occur, is root@hostname, where hostname is your computer's hostname.

  • The default index files, which will be loaded for any visited directory, are index.php, index.html, index.htm, and index.shtml, in that order.

  • Your Common Gateway Interface (CGI) /cgi-bin/ scripts should be placed in the /var/www/cgi-bin directory.

  • Secure Sockets Layer (SSL) https:// connections are supported.

Because your web server is already online if you've followed the steps outlined thus far in this chapter, you can begin copying your content to or creating your content in /var/www/html; any files you place there from now on will be instantly available to the world.

Enabling Home Directory Websites

If your Linux computer system serves a number of users, you might want to give each user the opportunity to host his or her own home page. Although you can do this while still keeping all content in the /var/www/html directory tree, it is certainly not convenient, and of course it's not a good idea to give multiple users write access to system directories.

The Apache web server has the capability of giving each user on a Linux system her own HTML content directory, by default in /home/user/public_html. Visitors can then load the index page at /home/user/public_html/index.html by constructing a URL using the hostname of your web server followed by a slash (/), a tilde (~), another slash, and the name of the user whose home page should be loaded, as follows:

 http://host.mycompany.com/~jane/ 

For example, this URL loads the file index.html stored in the /home/jane/public_html directory.

To enable this functionality in Apache, you must edit the web server configuration file, /etc/httpd/conf/httpd.conf. Load the file into your favorite text editor and search for the text shown in Listing 34.1.

Listing 34.1. Text to Change to Enable Home Pages
 <IfModule mod_userdir.c>
   #
   # UserDir is disabled by default since it can confirm the presence
   # of a username on the system (depending on home directory
   # permissions).
   #
   UserDir disable

Notice the text UserDir disable. If user home directories are to be enabled, you must change this line to read UserDir public_html, as shown in Listing 34.2.

Listing 34.2. Text Changed to Enable Home Pages
 <IfModule mod_userdir.c>
   #
   # UserDir is disabled by default since it can confirm the presence
   # of a username on the system (depending on home directory
   # permissions).
   #
   UserDir public_html

Then save the httpd.conf file and exit. To cause the changes to take effect, restart your web server using either the Service Configuration tool you used earlier or using the service command, supplying httpd and restart as arguments:

 [root@workstation20 you]# /sbin/service httpd restart
 Stopping httpd:                      [ OK ]
 Starting httpd:                      [ OK ]
 [root@workstation20 you]#

You Can Restart a Web Server Gracefully

On a busy web server, you should use the graceful argument instead of the restart argument to restart the web server:

 /sbin/service httpd graceful 

When a web server is restarted using the graceful argument, it might not restart and update its configuration immediately; instead, it processes all pending requests before restarting, to make sure that everyone who has requested to view your website is able to do so.


Before a user's public_html directory can be used, the permissions for the user's home directory, the ~/public_html directory, and the contents of the ~/public_html directory must be correctly configured:

  • Using chmod in numeric mode, you must set the user's home directory to 711: user read, write, and execute; group execute; and other (public) execute.

  • Using chmod in numeric mode, you must set the user's ~/public_html directory and all subdirectories to 755: user read, write, and execute; group read and execute; and public read and execute.

  • Using chmod in numeric mode, you must set all the content files in the user's ~/public_html directory tree, such as HTML files and images, to 644: user read and write, group read, and public read.

Don't Change a User's File Permissions Without Asking

If you're administering a system with many users, always warn users before changing the permissions of any files or directories in their home directory. Using administration privileges to change users' file or directory permissions without first warning them of which files and directories will be changed might make public files that were intended to remain private or endanger the files in other ways! By warning users first of the changes that will be made to their home directory, you give them a chance to move critical files or directories to other areas, or to ask you, the administrator, not to make the change in the first place.


If permissions are incorrectly set or if a user does not have a public_html directory, visitors who try to load a user's home page get an error message saying that the page in question is Forbidden.
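The permission rules above can be checked without changing anything, which fits the advice to warn users before touching their files. The following read-only audit is an added example, not code from the book; the function name audit_public_html and the path /home/jane in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a user's home page permissions.
# Expected modes are the ones given in the chapter:
#   home directory 711, directories under public_html 755, files 644.

# audit_public_html HOME_DIR
# Prints one "PATH: want MODE" line for every entry whose permission
# bits differ from the expected mode. Returns 0 if the tree is clean,
# 1 if anything deviates or public_html does not exist.
# The body runs in a subshell so its variables stay local.
audit_public_html() (
    home=$1
    site=$home/public_html

    if [ ! -d "$site" ]; then
        # Without this directory visitors get the Forbidden error.
        printf '%s: missing\n' "$site"
        exit 1
    fi

    # find's "-perm MODE" (no prefix) matches only an exact mode, so
    # "! -perm MODE" selects every entry that deviates, including
    # ones that are more permissive (666, 777) or carry setuid,
    # setgid or sticky bits.
    out=$(
        # -prune keeps find on the home directory itself.
        find "$home" -prune ! -perm 711 -print | sed 's/$/: want 711/'
        find "$site" -type d ! -perm 755 -print | sed 's/$/: want 755/'
        find "$site" -type f ! -perm 644 -print | sed 's/$/: want 644/'
    )

    [ -z "$out" ] && exit 0
    printf '%s\n' "$out"
    exit 1
)

# Usage (path is an example): sh audit.sh /home/jane
if [ "$#" -eq 1 ]; then
    audit_public_html "$1"
fi
```

The audit only reports; any chmod that follows is a separate step taken after the user has been told which paths will change.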

Introducing the Apache Configuration Tool

The default configuration of the Apache web server is sufficient to provide access to basic public web content. The default configuration may not be appropriate, however, when business interests or large amounts of content are at stake. You can use the Apache Configuration tool to configure many of the options related to the Apache web server and its level of security and performance while operating.

To start the Apache Configuration tool, choose Desktop, System Settings, Server Settings, HTTP; the Apache Configuration tool is displayed, as shown in Figure 34.5.

Figure 34.5. The Apache Configuration tool provides a graphical interface for configuring the Apache web server.


The Apache configuration tool contains four basic tabs (Main, Virtual Hosts, Server, and Performance Tuning) that function as follows:

  • The Main tab contains general systemwide configuration options, including the fully qualified domain name of your web server, the email address of the administrator, and the set of Ethernet addresses on which your web server will listen for incoming requests.

  • The Virtual Hosts tab enables you to configure the default host (most commonly used for small web servers) or a number of user-definable virtual hosts, such as are commonly used by ISPs or larger companies.

  • The Server tab enables you to configure some basic housekeeping properties, such as the directory in which Apache will write machine-readable error information if it crashes, and the user and group identities under which Apache should run. As a general rule, changing these options is not a good idea.

  • The Performance Tuning tab enables you to fine-tune your Apache installation for the amount of traffic you expect to receive. It includes options such as the maximum number of connections Apache will manage at one time before it begins turning down requests for web content.

The two most important tabs are the Virtual Hosts tab, where most security control occurs and where multiple hosts are managed if you are running a larger server, and the Performance Tuning tab, which enables you to adjust Apache's workload to suit your computer system hardware and the set of scripts (if any) you'll be using on your website.

Basic Apache Security

As you run your web server on a day-to-day basis, you will likely want to be able to control which Internet users can view which parts of your website. Some areas of a site are meant for public consumption, and other parts are intended for certain viewers only. You can control viewership of your site by filtering web requests based on the Internet addresses from which viewers originate.

You can filter requests through the Virtual Hosts tab. Because we're covering only the basics in this chapter, let's assume that you are running only a single web host that provides you with basic web server functionality.

To control which visitors will be able to see files delivered by your default virtual host, follow these steps:

1. Click the Virtual Hosts tab and then click the Edit Default Settings button to display the Virtual Host Properties dialog box.

2. Click the Performance tab to display the Directory configuration pane, as shown in Figure 34.6.

Figure 34.6. In the Directories item of the Virtual Host Properties dialog box, you can configure directories on your website to have specific security features.


By default, only one directory, the root directory (/) appears in the list, meaning that all of the directories on your web server share the same set of security properties. If you wish to specify different per-directory security measures, you can add new directory trees to the list by clicking the Add button; you can then give different directories different access properties.

For now, simply highlight the root directory and click the Edit button to display the Directory Options dialog box, as shown in Figure 34.7.

Figure 34.7. Using the Directory Options dialog box, you can give specific security properties to directories within your web content directory tree.


Several settings on the left side of the Directory Options dialog box are related to access control based on the IP address or domain name of connecting hosts. These settings are configured as follows:

  • If you want all visitors to be able to access this directory, check Let All Hosts Access This Directory. If you want to restrict access only to certain hosts, choose either Process Deny List before Allow List or Process Allow List before Deny List (you'll create lists of denied or allowed hosts in a moment).

  • The Deny List and Allow List options are used in conjunction with the previously discussed option to create rules (and, if you so desire, exceptions) about which hosts should or shouldn't be able to access content stored in the directory in question. You can enter hosts as IP numbers, partial IP numbers, or partial domains. The configuration shown in Figure 34.7 would allow only hosts in the domain mycompany.com to access content in the root directory and its children.

In the Options list box, you can choose from a number of options to enable or disable certain capabilities for the specified directory. Select or deselect check boxes to control the following capabilities:

  • If the ExecCGI box is checked, scripts requested from files in this directory will be called. If it is not checked, they won't.

  • If the FollowSymLinks box is checked, symbolic links in this directory that point to other files or directories will be followed and used. If it is not checked, they will be ignored.

  • If the Includes box is checked, server-side includes in content files will be honored. If it is not checked, they will be ignored.

  • If the IncludesNOEXEC box is checked, requests in server-side includes to use #exec will not be honored.

  • If the Indexes box is checked, the contents of the directory (a directory index) will be displayed to the web visitor requesting the index if no index file is present in the directory. If it is not checked, attempts to visit directories without an index file will return an error.

  • If the Multiview box is checked, content-negotiated multiviews will be allowed. If it is not checked, they will not be allowed.

  • If the SymLinksIfOwnerMatch box is checked, symbolic links in the directory will be followed only if the destination file or directory has the same owner as the symbolic link itself.

Don't Change Options Lightly

Do not check any option box unless you know for sure that you need the capability it provides. Each of these options represents additional vulnerability that could conceivably be exploited by a malicious web user.


Near the bottom of the dialog, you'll also find a check box labeled Let .htaccess Override Directory Options. If this box is checked and Apache finds a file called .htaccess in the directory in question, configuration directives in the .htaccess file will override the configuration you've specified in the configuration tool.

When you finish configuring the host security options for the directory in question, click the OK button to save your changes and return to the Virtual Host Properties dialog box's Directory pane. If you want to configure additional security properties for other directories within your web content tree, click the Add button to bring the Directory Options dialog box back up. In the Directory box of the Directory Options dialog box, enter the name of the directory to which these options should apply and then set the options for that directory just as you did for your root content directory.

When you finish making changes to your Apache configuration, click OK in the Virtual Host Properties dialog box and click OK in the Apache Configuration tool to exit and save your changes.
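In httpd.conf, the host filtering, option check boxes, and .htaccess override described in this section correspond to the Order/Allow/Deny, Options, and AllowOverride directives inside <Directory> blocks. The following added example (not from the book or the Apache project) lists what each directory exposes so the result can be reviewed as text; the sample configuration and the function names sample_conf and list_directory_exposure are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the capabilities each <Directory> block grants.

# Constructed sample: one permissive block beside one restricted block.
sample_conf() {
cat <<'EOF'
# Constructed sample, not taken from a real server.
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/html/intranet">
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from mycompany.com
</Directory>
EOF
}

# list_directory_exposure [FILE...]
# Reads httpd.conf text from the named files or stdin and prints one
# "DIR: SETTING" line for each enabled option the chapter warns about,
# each AllowOverride other than None, and each "Allow from all".
list_directory_exposure() {
    awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    /^[ \t]*<Directory[ \t]/ {                # entering a block
        dir = $2; gsub(/[">]/, "", dir); next
    }
    /^[ \t]*<\/Directory>/ { dir = ""; next } # leaving a block
    dir == "" { next }                        # ignore server-wide lines
    tolower($1) == "options" {
        for (i = 2; i <= NF; i++) {
            opt = $i; sub(/^[+]/, "", opt)    # "+Indexes" enables too
            if (tolower(opt) ~ /^(execcgi|indexes|includes|followsymlinks)$/)
                print dir ": Options " opt
        }
    }
    tolower($1) == "allowoverride" && tolower($2) != "none" {
        print dir ": AllowOverride " $2
    }
    tolower($1) == "allow" && tolower($2) == "from" && tolower($3) == "all" {
        print dir ": Allow from all"
    }
    ' "$@"
}

# Stand-alone run: report on the constructed sample.
sample_conf | list_directory_exposure
```

Run against the real file with list_directory_exposure /etc/httpd/conf/httpd.conf; every line printed is a setting to justify or remove.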

Additional Apache Configuration Information

The Apache web server can also be configured using your favorite text editor. To do this, edit the files stored in /etc/httpd/conf and /etc/httpd/conf.d. These files are large and fairly involved, however, so you shouldn't venture into editor-based configuration unless you have an Apache reference volume handy.

Because the Apache web server is a relatively complex application, further Apache configuration is beyond the scope of a beginning-level book like this one. A great deal of in-depth documentation for Apache can be found on the main Apache website, at http://httpd.apache.org/docs-2.0/.



    SAMS Teach Yourself Red Hat(r) Fedora(tm) 4 Linux(r) All in One