apache Web Server Magic On Ibm I - Neugc€¦ · Apache web server magic on IBM i Alan Seiden Consulting alanseiden.com

Apache web server magic on IBM i

Alan Seiden Consultingalanseiden.com

http://alanseiden.com

Apache Magic for IBM iAlan Seiden Consulting

Alan’s PHP on IBM i focus

• Consultant to innovative IBM i and PHP users

• PHP project leader, Zend/IBM Toolkit

• Contributor, Zend Framework DB2 enhancements

• Award-winning developer

• Authority, web performance on IBM i

2


Founder, Club Seiden

3

club.alanseiden.com

http://club.alanseiden.com


Contact information

Alan Seiden [email protected] 201-447-2437

alanseiden.com twitter: @alanseiden

4

mailto:[email protected]


What can Apache “serve?”

• Web sites and applications ‣ Allows limited access via TCP/IP requests

• APIs, web services • Any kind of file • Static or dynamic data

5


Apache can be extended via modules

6


Requrements, prerequisites

7


Ensure that LICPGM is installed

8

Apache Magic for IBM iAlan Seiden Consulting 9

http://www-01.ibm.com/support/knowlegecenter/ssw_ibm_i_72/

rzaq9/rzap91pp5770dg1wrapper.htm

http://www-01.ibm.com/support/knowlegecenter/ssw_ibm_i_72/rzaq9/rzap91pp5770dg1wrapper.htm




Using Navigator for i

10


Minimum Software Requirements

• Extended base directory support ‣ 5770-SS1 Option 3

• Host Servers ‣ 5770-SS1 Option 12

• Qshell ‣ 5770-SS1 Option 30

• IBM Portable Applications Solutions Environment for i ‣ 5770-SS1 Option 33

• IBM TCP/IP Connectivity Utilities for i ‣ 5770-TC1

• IBM Developer Kit for Java ‣ 5770-JV1 Option 11

11

http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/ rzaie/rzaieinstallingprereq.htm

http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaie/rzaieinstallingprereq.htm




Permissions for administrators

• *IOSYSCFG Special Authority • *CHANGE Authority to the library object QUSRSYS • *ALL authority to the following objects: ‣ QUSRSYS/QATMHINSTA ‣ QUSRSYS/QATMHINSTC

• Tip: QATMHINSTC is where the instance really “goes”

• *USE authority for these command objects: ‣ STRTCPSVR, ENDTCPSVR

• *RX authority for: ‣ root (/) ‣ /www

• *RWX authority for directory “/www/server_name/“

12


Let’s create a web server instance

13


Using Navigator for i web administrator

14

Start at port 2001

Redirects to secure port 2005


Find HTTP and DCM tasks

15


Choose web administration

16


Web admin menu

17


Create new HTTP server

18


Proceed with the wizard

19


Finish

20

Hit green start button


It works!

21

•Go to http://i.yourserver.com

•Use actual IP or domain name•Sample HTML page will appear

http://i.yourserver.com


If it didn’t work: debug tips

22

•DSPMSG QSYSOPR will show error message and job number

•Check error log in QTMHHTTP’s spool files: WRKSPLF SELECT(QTMHHTTP)•Common reason for failure: IP/port already allocated


Detailed troubleshooting

23

1. DSPMSG QSYSOPR; find startup error ("HTTP Server instance ZENDSVR6 start up failed.")

2. Put cursor on message; press F1 to see details

3, Within detailed message, look for job info (something like 108846/QTMHHTTP/ZENDSVR6)

4. Copy that info (108846/QTMHHTTP/ZENDSVR6) to your clipboard

5. WRKJOB <the job info>

6. Type "4" to see spool files, the job log of dead job

7. Type "B" to go to the bottom. Then scroll back up till you see a "40" level error.


See active connections

24


Green screen method: NETSTAT

25

NETSTAT *CNN is the shortcut






Navigator for i method

30






Configure it

35


Modifying Configuration Directives

• Change listener ports • Restricting access • Define multiple-domain Virtual Hosts • Enable load balancing • Other security suggestions • More . . .

36


Editor built into the admin GUI

37


Other ways to edit

• GUI editor is “safest” (no CCSID issues), but… • Edit as you would any IFS file • Configuration file ‣ /www/yourserver/conf/httpd.conf

• Connect to IFS via: ‣ Notepad++ ‣ Zend Studio or similar editor, and copy/paste/edit from there

• Edit on your PC and transfer with FTP/SFTP/SSH program (e.g. Filezilla) or IBM i Navigator

38


Restart to test any configuration change

39

Restart


Setup or Change Listeners/Ports

40

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen

# Apache Default server configuration

# General setup directives Listen *:80

Listen 192.170.2.1:80

Allow requests to IP address 192.170.2.1 through port 80

Allow SSL connections to port 8443 as well [Alan]

Listen 192.170.2.1:80 Listen *:8443 https

http://httpd.apache.org/docs/2.2/mod/mpm_common.html%2523listen


Multiple “servers” in one configuration

41

http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaiemod_vhost_alias.htm?lang=en

NameVirtualHost 111.22.33.44 <VirtualHost 111.22.33.44> ServerName www.domain1.com DocumentRoot /www/domain1 </VirtualHost> <VirtualHost 111.22.33.44> ServerName www.domain2.com ServerAlias domain2.com *.domain2.com DocumentRoot /www/domain2 </VirtualHost>

This example will provide two virtual host configurations under the same web server instance

http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaiemod_vhost_alias.htm?lang=en


Security tips

42


Reverse proxy in front

Reverse proxy: a “front door” that transparently pulls content from another server (i.e. your real server).

Benefits: • Extra layer of protection ‣ Don’t reveal the real server’s address ‣ Give your real server a private address

• Access from inside only

• Provide a “united front” to multiple web servers ‣ A single web site can pull from many other sites, transparently

• A way to add features (e.g. SSL) to web servers when you can’t control them directly

• Caching and content manipulation ‣ Some are optimized for this (e.g. Varnish)

43


Options for reverse proxy

• Appliance ‣ Runs in your network ‣ http://bluecoat.com is a popular one

• Cloud-based ‣ http://cloudflare.com ‣ Includes CDN, optimizer, more

• Your own IBM i partition in the DMZ ‣ Easy to administer

• Separate server (e.g. Linux) if you have the skills

44

http://cloudflare.com


IBM i reverse proxy configuration

LoadModule proxy_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM LoadModule proxy_ftp_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM LoadModule proxy_http_module /QSYS.LIB/QHTTPSVR.LIB/ZSRCORE.SRVPGM

LoadModule proxy_connect_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

# URL path /prod/ will pull content from server .200

<Location /prod/> ProxyPass http://192.168.0.200/

ProxyPassReverse http://192.168.0.200/

</Location>

# URL path /test/ will pull content from server .201

<Location /test/> ProxyPass http://192.168.0.201/ ProxyPassReverse http://192.168.0.201/

</Location>

45


Restrict access to particular IP addresses

46

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny

Allow from ibm.com Allow from 10.0 Allow from 192.168

Directive Syntax: Allow from all|host|env=[!]env-variable [host|env=[!]env-variable] …

Deny from all

Directive Syntax: Deny from all|host|env=[!]env-variable [host|env=[!]env-variable] …

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html%2523allow

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html%2523deny


Restricting…continued

47

http://httpd.apache.org/docs/2.2/mod.mod_authz_host.html

<Directory /www/yourserver/htdocs>

Order Deny, Allow

Deny from all

Allow from ibm.com

Allow from 10.0

Allow from 192.168

</Directory>

This example will allow access to the docroot folder only from connections originating from ibm.com subdomains and from addresses matching 10.0.*.* or 192.168.*.*

http://httpd.apache.org/docs/2.2/mod.mod_authz_host.html


Set permissions on directories

48

•Secure programmer and QTMHHTTP access after making changes or creating instances.

•QTMHHTTP is default web server user

•WRKLNK with option 9 or these commands

CHGAUT OBJ(‘/www/yourserver‘) USER(JANPGMR) DTAAUT(*RX) OBJAUT(*NONE) SUBTREE(*ALL) CHGAUT OBJ(‘/www/yourserver/htdocs‘) USER(JANPGMR) DTAAUT(*RWX) OBJAUT(*NONE) SUBTREE(*ALL)

CHGAUT OBJ(‘/www/yourserver/htdocs‘) USER(QTMHHTTP) DTAAUT(*RX) OBJAUT(*NONE) SUBTREE(*ALL)


Other security suggestions

49

http://httpd.apache.org/docs/2.2/mod/core.html#servertokens

http:httpd.apache.org/docs/2.2/mod/mod_authz_host.html

Do not divulge information about the server’s operating system or Apache version

ServerTokens Prod

Do not show directory index page

<Directory /www/yourwebsite>

Options -Indexes

Order Allow, Deny

Allow from all

</Directory>

http://httpd.apache.org/docs/2.2/mod/core.html%2523servertokens

http://httpd.apache.org/docs/2.2/mod/core.html%2523servertokens


Enable Secure Sockets Layer (SSL)

50


Types of domain certificates

51

• Single domain certificate• Multiple domain certificate• Wildcard certificate (i.e. *.yourserver.com)

• Standard (verifies business identity and domain ownership)• Extended Validation (additional level of verification)• Encryption (128 or 256 bit/SHA-1 or SHA-2)

http://yourserver.com


Enable SSL

52



Digital Certificate Manager (DCM)

54


Go into *SYSTEM certificate store

55


We want a Server certificate

56


Create “certificate signing request” (CSR)

57

Specify:

•Minimum 2048 bits•Exact “Common name”


Submit CSR to a CA vendor

58

many more...


CA vendor’s form

59

Follow the steps required by the Certificate Provider. Be prepared to provide account information including organization details, contact names and information, payment information and domain specific details. In most cases a representative of the certificate issuer will be contacting and verifying information provided to assert the authenticity of the request for the domain being requested.


Save certs to IFS on IBM i

60

Certificate Factory Magic

● Certificate (Your Certificate) ● Intermediate Certificate 1 ** ● Intermediate Certificate 2 ** ● Root CA Certificate ***

** You may need to download this certificate from the certificate provider *** Root CA certificate may already exist


Root Certificates may already be included in the store


Import root and intermediate certificates

• Provide paths of CA certs you had copied to IFS

62


Import your “server” certificate

63


Assign cert to “applications”

64

With the certificate imported into the store now its time to assign it to the applications that will use it.

Select your new certificate from the list provided

Note: Only applications already defined to use SSL will be shown on the list. Once you enable security for a Web Server instance it is then added to the application list showing the servers available for certificate assignment.


Success!

65

Restart

Restart Web Servers to activate new SSL certificate

Almost there…


Optional: combine virtual host with SSL

# specify IP address the server is running on <VirtualHost xx.xx.xx.xx:443> # server application name set up earlier SSLAppName QIBM_HTTP_SERVER_DEFAULT SSLEngine On SSLCacheDisable </VirtualHost>

Listen xx.xx.xx.xx:443 NameVirtualHost xx.xx.xx.xx:443

66


It works!

• How to tell if SSL is working ‣ Try in a browser; page should appear ‣ “Lock” icon appears ‣ Click the “lock” for more information

67


URL Magic

68


“Rewrite rules”

• Why change a URL? ‣ Use “friendly” URLs

• Replace /cgi-bin/lansaweb?PROCFUN+JOKPUBW+JOKPW03+DEVwith /literature/request

‣ Use consistent URLs • ‘www.’ vs. no www

‣ Redirect to another URL

69


I changed my mind on a URL name

• I made the name too long ‣ /articles-and-publications-by-alan-seiden

• Now I want to shorten it ‣ /articles-and-publications ‣ …but not “break” my site for anyone

• RewriteRule to the rescue ‣ Both URLs point to the same place now

# Map old directory to new RewriteRule ^articles-and-publications-by-alan-seiden(/)?$ /articles-and-publications/ [R=301,L]

70


Search engine optimization trick

• Some people type ‘www.’ Some omit it

• Some web sites will link to me with ‘www’ and some not ‣ www.alanseiden.com, alanseiden.com

• I want search engine credit combined as one site, not split as two

# Example used on alanseiden.com

# Google and browsers will see ‘www’ site as the definitive address. # R=301: permanent redirect RewriteCond %{HTTP_HOST} ^alanseiden.com RewriteRule (.*) http://www.alanseiden.com/$1 [R=301,L]

71

http://www.alanseiden.com

http://alanseiden.com


Redirect to https (SSL)

# non-SSL

Listen 192.168.5.22:80 <VirtualHost 192.168.5.22:80>

# redirect to HTTPS

RewriteEngine On RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

</VirtualHost>

# SSL

Listen 192.168.5.22:443 <VirtualHost 192.168.5.22:443>

SSLEngine On # whatever “application name” you defined

SSLAppName QIBM_HTTP_SERVER_DEFAULT

SetEnv HTTPS_PORT 443 DocumentRoot /www/yourserver/htdocs

<Directory /www/yourserver/htdocs> Allow from all

</Directory>

</VirtualHost>

72


Hide your underyling technology

• Which do you prefer? ‣ /cgi-bin/lansaweb?PROCFUN+JOKPUBW+JOKPW03+DEV

or ‣ /literature/request

• Show “friendly” URLs that call your programs ‣ https://i.yourserver.com/literature/request

#Map a “friendly” URL to another internal address (in this case, LANSA for the web) RewriteRule ^/literature/request$ /cgi-bin/lansaweb?PROCFUN+JOKPUBW+JOKPW03+DEV [PT,L]

73


Let your imagination run free

• Rewrite rules are powerful and can be complex ‣ http://httpd.apache.org/docs/current/mod/

mod_rewrite.html#rewriterule

‣ They use Regular Expressions ‣ Experiment here:

• www.myregextester.com • Regular expression tester

74

http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule


Performance

75


Request-response protocol

• Client (browser) requests a file; server responds • One file at a time (at most 2–6 in parallel) • Browser requests HTML file, then as it parses

HTML, finds other file names to request (images, css, js...)

76


Requests can be “blocking” in browser

• Browsers typically limit themselves to 2–6 parallel requests to a given server

• File requests stack up, blocked by prev. requests •

• Above, even “304 not modified” files caused blocking • Solution: reduce number of images or improve caching

via “Expires” headers • http://httpd.apache.org/docs/2.0/mod/mod_expires.html

77

http://httpd.apache.org/docs/2.0/mod/mod_expires.html


Example: “Expires” headers (caching)

• For aggressive caching, place these directives in Apache config file

• Can specify file types ExpiresActive On # A2592000 means expire after a month in the client's cache ExpiresByType text/css A2592000 ExpiresByType application/x-javascript A2592000 ExpiresByType application/javascript A2592000 ExpiresByType text/html A2592000 ExpiresByType image/png A2592000 ExpiresByType image/gif A2592000 ExpiresByType image/jpeg A2592000

• Many options: http://httpd.apache.org/docs/2.0/mod/mod_expires.html

78

http://httpd.apache.org/docs/2.0/mod/mod_expires.html


More ways to reduce “blocking”

• If many .js or .css files are used: ‣ Combine them into fewer files ‣ Move contents of smaller .js or .css files inline to your pages,

eliminating those external files ‣ Page Speed tool will help you decide

79


Create a favicon for your site

• Browsers always look for a file called favicon.ico in your document root

• Those little icons that appear in the browser

• Once found, will be “remembered” by browser • If not found, will be requested every time • How to create a favicon: ‣ http://www.alanseiden.com/2007/05/25/brand-your-site-with-a-

favicon/

80


Keep HTTP connections alive

‣ Enable “KeepAlive” setting in Apache

‣ The TCP connection will stay open, waiting for you ‣ Good when downloading many images, css, js files ‣ You’ll reduce the number of three-way “handshakes” that

establish a connection ‣ Even more important with longer SSL handshakes

81


KeepAlive details

• Configurable by number of seconds, number of files to be downloaded, before closing connection

• Recommended settings for average site ‣ KeepAlive On ‣ KeepAliveTimeout 15

• Details: ‣ http://httpd.apache.org/docs/2.0/mod/core.html#keepalive

• Don’t overdo it—you are locking out other users from that HTTP job while it’s dedicated to you

82


Connecting takes time

• Clues that Keepalive is off ‣ “Connection: close”, “Connecting”

• Example bottom right: 3.6 seconds “Connecting” (longer than average but it really happened)

83


What you see when Keep-alive is on

• Firebug’s “Net” tab shows “Connection: Keep-Alive”, and, here, timeout=300 seconds (5 minutes)

Zero seconds to connect

Keep-alive is working!

84


Each request passes through several layers

85


Compression reduces file size

• Called gzip or mod_deflate, the same for our purposes

• Compresses, speeds up html, javascript, css, favicons, anything text-based

86


Netflix improved with gzip/deflate

• Saw 13-25% performance improvement • Cut outbound traffic in half ‣ That saves money for a busy site such as Netflix

• Details: ‣ http://www.slideshare.net/billwscott/improving-netflix-

performance-experience

• It really works!

87


My compression test

• http://your-server:10088/Samples/SQL_access/DB2_SQL_example.php

• Before compression: 31.0kb; loaded in 250ms • After compression: 4.4kb; loaded in 109ms. • That’s 14% of the size and 50% of the time!

88

http://your-server:10088/Samples/SQL_access/DB2_SQL_example.php


Details of deflate/gzip compression

• Apache directives (sample)

# Load IBM i's module that performs compression LoadModule deflate_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

# Specify content types to compress AddOutputFilterByType DEFLATE application/x-httpd-php application/json text/css application/x-javascript application/javascript text/html

• Tutorial on my blog: ‣ http://www.alanseiden.com/2010/08/13/maximize-zend-server-performance-with-apache-

compression/

• Apache reference: ‣ http://httpd.apache.org/docs/2.0/mod/mod_deflate.html

89

http://httpd.apache.org/docs/2.0/mod/mod_deflate.html


Maximum simultaneous HTTP requests

• Set “ThreadsPerChild” in httpd.conf • Default: ThreadsPerChild 40

Increase to number of expected HTTP connections

90


Load balancer

91


Apache as load balancer

• Variation on reverse proxy shown earlier • Send requests to multiple servers • Round-robin • Ignore “dead” servers

• Scaling an application: a single server can “farm out” requests to other servers

• High availability

Details: http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaie/rzaiemod_proxy_balancer.htm

92

http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaie/rzaiemod_proxy_balancer.htm


Load balancer configuration

# All requests (/ root) will be handled by balancerProxyPass / balancer://mycluster/ stickysession=PHPSESSIONID nofailover=Off

# Balancer definition<Proxy balancer://mycluster>BalancerMember http://127.0.0.1:185BalancerMember http://127.0.0.1:186 smax=10

# Less powerful server. Don’t send as many requests thereBalancerMember http://1.2.3.6:8009 smax=1 loadfactor=20</Proxy>

93


Apache is your site’s front door

• Make it look nice and clean • Ensure that it is locked

• Dropping the “door” metaphor, you can also… ‣ Improve performance by knowing the directives to use ‣ Improve search engine optimization ‣ Improve ease of use ‣ Offer APIs securely

‣ Share your Apache or other web server stories or questions

94


Questions

95


Contact

Alan Seiden Alan Seiden Consulting Ho-Ho-Kus, NJ

96

[email protected] ● 201-447-2437 ● twitter: @alanseiden

Free PHP tips: http://alanseiden.com/tips

mailto:[email protected]

http://alanseiden.com/tips

Documents

apache Web Server Magic On Ibm I - Neugc€¦ · Apache web server magic on IBM i Alan Seiden Consulting alanseiden.com