Understanding Apache 2.2 Configuration
Brad Nicholes
Senior Software Engineer, Novell Inc.
Member, Apache Software Foundation
[email protected]
© Novell Inc. All rights reserved
2
Agenda
• Apache 2.2 Status
• Multi-Processing Modules
• Common Configuration Directives
• Tips and Tricks
• Authentication & Authorization
• What’s new in Apache 2.3
Apache Web Server Status
• Shipping:
– Apache 1.3.37 – Maintenance mode, no new development
– Apache 2.0.59 – Maintenance mode, no new development
– Apache 2.2.4 – Current release
• Development:
– Apache 2.2.5-dev – Stable
– Apache 2.3.x-dev – Unstable, all new development happens here first
Apache 2.2 for NetWare
• Apache 1.3 ported to NetWare in 2000
• All current versions of Apache including 2.2.x and 2.3.x are fully functional on the NetWare platform
• Apache 2.0 became generally available on NetWare 6.5
• New releases are available from the Apache HTTP project download site: http://www.apache.org/dist/httpd/binaries/
• Installed by default on SYS:/Apache2
Apache 2.2 on SuSE Linux
• File Locations
– Modules - /usr/lib/apache2
– Configuration - /etc/apache2
– Logs - /var/log/apache2
– Cgi-bin - /srv/www/cgi-bin
– DocumentRoot - /srv/www/htdocs
– Binary - /usr/sbin/httpd2 (symlink to actual binary)
> /usr/sbin/httpd2-worker
> /usr/sbin/httpd2-prefork
– Other support binaries - /usr/sbin
– Startup script – /usr/sbin/rcapache2
> Symlink to /etc/init.d/apache2
Multi-Processing Modules
• Accommodate a wide variety of operating environments on different platforms
• Responsible for:
– Binding to network ports
– Accepting requests
– Dispatching worker threads (or child processes, depending on the MPM) to handle requests
• Allows customization for particular sites
– Scalability in a threaded environment – Worker MPM
– Compatibility with older, non-thread-safe modules – Prefork MPM
– Platform specific – NetWare MPM, WinNT MPM
Worker MPM
• Combines multi-process and multi-threaded models
– One parent, a variable number of child processes
– Fixed number of threads per child (ThreadsPerChild)
• Each child process handles many concurrent connections
• Stability of multiple processes (a crash takes down one child, not the server)
• Performance of multiple threads
• Reduces the memory footprint
Multi-Processing Modules
• Worker MPM - Multi-Processing Module implementing a hybrid multi-threaded / multi-process web server
– StartServers - Number of child server processes created at startup
– MinSpareThreads - Minimum number of idle threads; when fewer are idle, additional child processes are created
– MaxSpareThreads - Maximum number of idle threads allowed before excess child processes are terminated
– MaxClients - Maximum number of worker threads (i.e. simultaneous requests) across all child processes
– MaxMemFree - Maximum amount of memory that the main allocator is allowed to hold without calling free()
– ThreadsPerChild - Number of threads created by each child process
• http://httpd.apache.org/docs/2.2/mod/worker.html
Prefork MPM
• Stable but slower (based on documentation)
• One parent (master server) – many children (workers)
• Each child server is a process itself
• Each child handles one connection at a time
• Uses more memory
• Similar to the NetWare MPM but using processes instead of threads
Multi-Processing Modules
• Prefork MPM - Implements a non-threaded, pre-forking web server
– StartServers - Number of child server processes created at startup
– MinSpareServers - Minimum number of idle child server processes
– MaxSpareServers - Maximum number of idle child server processes
– MaxClients - Maximum number of child processes that will be created to serve requests
– MaxMemFree - Maximum amount of memory that the main allocator is allowed to hold without calling free()
• http://httpd.apache.org/docs/2.2/mod/prefork.html
Reading the Documentation
• Online: http://httpd.apache.org/docs/2.2/
• Also installed with every instance of Apache
• Most directives consist of a name and a single value
– Some directives may have multiple, optional or boolean values
• Example directive:
Configuration File Syntax
• The default HTTPD.conf file contains a very good explanation of each directive that is used and why
• The directives are not ordered
• The configuration file contains one directive per line but the “\” may be used to indicate that the directive continues to the next line
• Configuration directives are case-insensitive but some arguments may be case-sensitive
• Lines that begin with “#” are considered to be comments
• <IfDefine> can be used to block out sections of the configuration file that are only used if a specific parameter has been defined on the httpd command line with -D (for example httpd -DSSL); it tests those command-line defines, not environment variables, and <IfDefine !name> selects the section when the name is absent
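The syntax rules above are easy to state and easy to get subtly wrong when a configuration is generated or audited by a script. The following Python parser is an added example (not Apache's own parser, which lives in the httpd core): it joins backslash continuations, drops comments, lower-cases directive names while leaving arguments alone, and resolves <IfDefine> / <IfDefine !name> blocks against a set of -D parameters. The sample configuration, its module name and its paths are constructed for the example.

```python
"""Minimal httpd.conf syntax parser (added example, not Apache code)."""
import re
import shlex

# Constructed sample httpd.conf fragment; module and path names are placeholders.
SAMPLE_CONF = r"""
# Listen on the loopback interface only
Listen 127.0.0.1:8080
LoadModule ssl_module \
    modules/mod_ssl.so
<IfDefine SSL>
    Listen 443
</IfDefine>
<IfDefine !SSL>
    ServerTokens Prod
</IfDefine>
documentroot "/srv/www/htdocs"
"""

_OPEN = re.compile(r"^<(\w+)\s*(.*?)\s*>$")
_CLOSE = re.compile(r"^</(\w+)\s*>$")


def logical_lines(text):
    """Yield logical lines: '\\' continuations joined, blanks and '#' comments dropped."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + " " + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if line and not line.startswith("#"):
            yield line
    if pending:
        yield pending


def parse(text, defines=()):
    """Return [(directive, [args]), ...] with <IfDefine> blocks resolved.

    Directive names are lower-cased because Apache matches them
    case-insensitively; arguments keep their case because paths may be
    case-sensitive. Other sections are kept as ('<name', args) / ('</name', [])
    markers so the caller can see the nesting.
    """
    defines = set(defines)
    result = []
    active = [True]  # one flag per enclosing <IfDefine>; top level is always active
    for line in logical_lines(text):
        m = _OPEN.match(line)
        if m:
            name, arg = m.group(1).lower(), m.group(2)
            if name == "ifdefine":
                negate = arg.startswith("!")
                present = arg.lstrip("!") in defines
                active.append(active[-1] and (present != negate))
            elif active[-1]:
                result.append(("<" + name, shlex.split(arg)))
            continue
        m = _CLOSE.match(line)
        if m:
            name = m.group(1).lower()
            if name == "ifdefine":
                if len(active) == 1:
                    raise ValueError("</IfDefine> without matching <IfDefine>")
                active.pop()
            elif active[-1]:
                result.append(("</" + name, []))
            continue
        if active[-1]:
            parts = shlex.split(line)
            result.append((parts[0].lower(), parts[1:]))
    if len(active) != 1:
        raise ValueError("unterminated <IfDefine>")
    return result


def listen_ports(text, defines=()):
    """The Listen arguments in effect for the given -D parameters."""
    return [args[0] for name, args in parse(text, defines) if name == "listen"]
```

Running listen_ports(SAMPLE_CONF) with no defines yields only the loopback listener; passing ["SSL"] (the equivalent of httpd -DSSL) adds port 443 and drops the ServerTokens line, which is exactly the kind of difference a configuration audit has to account for.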
HTTPD.conf Highlights
• ServerRoot – Base directory for the server installation
– All relative paths are derived from the ServerRoot
– If you have multiple installations of the web server, make sure that the ServerRoot points to the respective install locations
• PidFile - File where the server records the process ID of the daemon
– If an error message occurs when starting Apache on Linux indicating that httpd is already running, it may be that an old httpd.pid file was orphaned after an abnormal shutdown (i.e. kill -9)
HTTPD.conf Highlights
• Timeout – Amount of time the server will wait for send or receive events before failing a request (default 300 seconds or 5 minutes)
– If Apache appears to hang during a shutdown on NetWare, it may be that a worker thread is waiting for data from the client. After the timeout period has expired, Apache will shut down normally.
• KeepAlive – Enable persistent connections (i.e. avoids having to reconnect with the same client on subsequent requests)
– If the connection is not properly terminated by the client, the connection will be held for the duration of the KeepAliveTimeout value. This ties up a worker and could cause unnecessary latency when responding to new requests on a busy server, so keep KeepAliveTimeout short.
HTTPD.conf Highlights
• Listen – Binds Apache to a specific IP address and/or port
– If only a port is specified, Apache will listen on that port on all IP addresses assigned to the box
• LoadModule – Loads an external Apache module
– <IfModule> - Should surround module-specific directives to prevent an invalid configuration if a module has not been loaded
• UseCanonicalName – Determines how Apache constructs self-referencing URLs (i.e. redirects)
– ServerName – Used to construct a self-referencing URL when UseCanonicalName is set to On. Otherwise Apache uses the host name supplied by the client in the Host header, which means a client-chosen value can end up in the redirects the server generates
HTTPD.conf Highlights
• DocumentRoot – Default location from which all documents are served
– If an alias for a URI is not found, Apache will attempt to serve the page from the DocumentRoot
• Options – Configures the features that are available in a specific directory
– Indexes – Allows a directory listing when no DirectoryIndex file is present (this exposes every file name in the directory, so enable it only where a listing is intended)
> AddIcon - Specifies the location and file name of the icon that should be displayed for a given file type
– MultiViews – Allows language negotiation
– ExecCGI – Allows CGI binaries or scripts to be executed
– Includes – Enables Server-Side Includes or parsed HTML
HTTPD.conf Highlights
• Order/Allow/Deny – Specifies access control restrictions
– The Order directive determines whether Apache should be inclusive or exclusive when applying access control: with Order allow,deny a client that matches no rule is denied, with Order deny,allow it is allowed
– Both Allow and Deny can be used to restrict access based on full or partial IP addresses, network masks or environment variables
• DirectoryIndex – Specifies the default file name(s) to serve when no page is specified in the request
– The file index.html.var can be used to specify additional language negotiation rules rather than an actual web page
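The Order semantics are where host access control usually goes wrong, because the default state (what happens to a client that matches neither list) flips with the order. The following Python model is an added example, not mod_authz_host's code: it implements the two orderings and the IP, partial-IP, CIDR and netmask forms of Allow/Deny, and then evaluates three constructed policies that all intend "internal network only" to show which one silently admits everyone. Host-name and env= rules are left out.

```python
"""Model of Apache 2.2 Order/Allow/Deny evaluation (added example, not Apache code).

Order allow,deny : Allow rules first, then Deny; a matching Deny overrides;
                   a client matching neither list is DENIED.
Order deny,allow : Deny rules first, then Allow; a matching Allow overrides;
                   a client matching neither list is ALLOWED.
"""
import ipaddress


def _matches(client, pattern):
    """Does one Allow/Deny argument match the client IPv4 address?"""
    if pattern == "all":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        # Accepts both a prefix length (10.0.0.0/8) and a dotted netmask.
        return client in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    octets = pattern.split(".")
    if len(octets) < 4 and all(o.isdigit() for o in octets):
        # Partial address such as "10.1": prefix match on whole octets only.
        return str(client).split(".")[: len(octets)] == octets
    return client == ipaddress.ip_address(pattern)


def access_allowed(client_ip, order, allow=(), deny=()):
    """Return True if the client passes the given Order/Allow/Deny policy."""
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(client, p) for p in allow)
    denied = any(_matches(client, p) for p in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        return allowed and not denied   # default state: denied
    if order == "deny,allow":
        return (not denied) or allowed  # default state: allowed
    raise ValueError(f"unsupported Order value: {order}")


# Constructed policies; each one intends "only the 10.0.0.0/8 network".
INTENDED = dict(order="deny,allow", deny=["all"], allow=["10.0.0.0/8"])
# Forgetting 'Deny from all' under deny,allow leaves the default state
# (allowed) in force for every address the Allow rule does not match.
BROKEN = dict(order="deny,allow", allow=["10.0.0.0/8"])
# Under allow,deny the same single rule is safe: the default is denied.
SAFE_ALT = dict(order="allow,deny", allow=["10.0.0.0/8"])
```

The useful check is the BROKEN policy: it reads like a whitelist yet admits 203.0.113.5, while the two other forms reject it. When reviewing a configuration, read Order first and ask what happens to an address that matches nothing.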
HTTPD.conf Highlights
• CustomLog – Defines the location and format of a custom log file
– When used with the LogFormat directive, the contents of the log file as well as the format can be specified
– Multiple log files can be defined containing different information or layouts (Warning: specifying additional log files may hurt performance)
• Alias – Associates a URI prefix with a physical directory location
– <Directory>/<Location>/<Files> - Should accompany the Alias directive to indicate how files are accessed from the aliased location
HTTPD.conf Highlights
• ErrorDocument – Defines a custom or user friendly response to an HTTP error
– The response can be in plain text, local redirect or external redirect
– If the response is a redirect, the language can be negotiated so that it is appropriate for the request
• BrowserMatch – Customizes the request handling for particular browsers
– Can be used to force a response to HTTP 1.0 rather than 1.1 or to turn off keepalive connections for older browsers
Modularizing the Configuration
• Functional blocks of directives can be put into a separate configuration file
• Use the “Include” directive to instruct Apache to read additional configuration files
• If the “Include” directive specifies a directory, all files within the directory (and its subdirectories) will be read as additional configuration files, including any editor backup files left there
• Wildcards can be used to specify a certain set of additional configuration files (Include conf/*.conf), which avoids picking up stray files
Virtual Hosts
• Apache supports two types of virtual hosts
– Name-based virtual host
> Selects a virtual host configuration based on the host name of the request (the Host header)
> Allows more than one virtual host per IP address
– IP-based virtual host
> Selects a virtual host configuration based on the IP address of the request
> Each IP address belongs to a specific virtual host
• Each virtual host can be configured independently – ServerName, DocumentRoot, Aliases, log files, etc.
Name-Based Virtual Host
    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerName www.domain.com
        ServerAlias domain.com *.domain.com
        DocumentRoot /www/domain
    </VirtualHost>
    <VirtualHost *:80>
        ServerName www.otherdomain.com
        DocumentRoot /www/otherdomain
    </VirtualHost>
• NameVirtualHost specifies the IP address (and port) that will be shared
• ServerAlias directive allows access to a specific virtual host by different domain names
• Apache uses the ServerName and ServerAlias directives to decide which virtual host configuration applies; a request whose Host header matches none of them is served by the first <VirtualHost> listed for that address, so list the host you want to act as the default first
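The selection rule matters for security because the first block is the catch-all: anything sent with an unknown or forged Host header lands there. The following Python function is an added example (not Apache's own vhost matching code) that models the rule for the two-host configuration above: strip the port from the Host header, compare case-insensitively against ServerName and the ServerAlias patterns in configuration order, and fall back to the first block. The second list shows the usual hardening, a deliberately empty default host placed first; both lists and their document roots are constructed.

```python
"""Name-based virtual host selection as Apache 2.2 does it (added example)."""
from fnmatch import fnmatchcase

# Constructed configuration mirroring the slide; domains are placeholders.
VHOSTS = [
    {"ServerName": "www.domain.com",
     "ServerAlias": ["domain.com", "*.domain.com"],
     "DocumentRoot": "/www/domain"},
    {"ServerName": "www.otherdomain.com",
     "ServerAlias": [],
     "DocumentRoot": "/www/otherdomain"},
]

# Hardened variant: an empty catch-all host listed first absorbs requests
# with unexpected Host headers instead of handing them to a real site.
VHOSTS_WITH_DEFAULT = [
    {"ServerName": "catchall.invalid", "ServerAlias": [],
     "DocumentRoot": "/www/empty"},
] + VHOSTS


def _host_only(host_header):
    """Strip a :port suffix and lower-case the name; Host is case-insensitive."""
    if not host_header:
        return ""
    return host_header.rsplit(":", 1)[0].lower()


def select_vhost(host_header, vhosts=VHOSTS):
    """Return the vhost Apache would use for this Host header.

    Patterns are matched in configuration order; '*' in a ServerAlias matches
    any run of characters, dots included. No match means the first vhost.
    """
    host = _host_only(host_header)
    for vh in vhosts:
        names = [vh["ServerName"]] + vh["ServerAlias"]
        if any(fnmatchcase(host, name.lower()) for name in names):
            return vh
    return vhosts[0]  # default vhost: the first one defined for this address:port
```

With the original two-host list, a request for evil.example is served out of /www/domain; with the catch-all list it is served out of /www/empty. The missing or empty Host header of an HTTP/1.0 client takes the same default path.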
IP-Based Virtual Host
    <VirtualHost www.smallco.com>
        ServerAdmin [email protected]
        DocumentRoot /groups/smallco/www
        ServerName www.smallco.com
        ErrorLog /groups/smallco/logs/error_log
        CustomLog /groups/smallco/logs/access_log combined
    </VirtualHost>
    <VirtualHost www.baygroup.org>
        ServerAdmin [email protected]
        DocumentRoot /groups/baygroup/www
        ServerName www.baygroup.org
        ErrorLog /groups/baygroup/logs/error_log
        CustomLog /groups/baygroup/logs/access_log combined
    </VirtualHost>
• Apache determines which virtual host to use based on the IP address the request arrived on (the documentation recommends writing the IP address rather than a host name in <VirtualHost>, so that startup does not depend on a DNS lookup)
• Almost any configuration directive can be put in a virtual host block with the exception of some of the process creation directives
Language Negotiation
• A single instance of the Apache Web server can be used to serve page content in multiple languages
• Language negotiation does not depend on the server's installed language
• The <Directory> or <Location> block must contain one of the following:
– “Options MultiViews” to enable language file matching
– “AddHandler type-map var” to specify a type-map file that contains language definitions
• Each HTML file encoded for a different language must append the corresponding language extension
– Example: index.html.en – English, index.html.fr – French
Language Negotiation
• The following directives are used by the language negotiation functionality:
– AddLanguage
– DefaultLanguage
– LanguagePriority
– ForceLanguagePriority
– AddDefaultCharset
– AddCharset
• Each browser request contains an “Accept-Language” header that indicates the language(s) that the client will accept, optionally weighted with q-values
• The languages are specified by two-letter codes, optionally with a region subtag (en, en-us, fr, de, es, ...)
How Language Negotiation Works
• MultiViews-enabled negotiation
– Apache matches the “Accept-Language” key to a file extension through the “AddLanguage” directives in the httpd.conf file
– Apache first searches for an exact match of the specified file
– Apache next searches for the specified file with the appended language extension
• Type-map-enabled negotiation
– Apache searches for the specified file with the type-map extension (usually .var)
– Apache reads the .var file and selects the file name that is associated with the appropriate language
• If a language file is not found, Apache will fall back to the LanguagePriority and ForceLanguagePriority directives to determine how to handle the request
• More info: http://httpd.apache.org/docs/2.2/content-negotiation.html
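The MultiViews path described above is a small decision procedure: parse Accept-Language, map each tag to an extension through AddLanguage, prefer an exact file, then try the language-suffixed names, then fall back to LanguagePriority. The Python below is an added example that models that procedure (it is not mod_negotiation, which also weighs content type, charset and encoding). The AddLanguage table, the LanguagePriority list and the directory listing standing in for the filesystem are all constructed.

```python
"""MultiViews-style language selection (added example, not mod_negotiation)."""

# Constructed AddLanguage mapping: language tag -> file extension (no dot).
ADD_LANGUAGE = {"en": "en", "en-us": "en", "fr": "fr", "de": "de"}
# Constructed LanguagePriority, used when ForceLanguagePriority Fallback applies.
LANGUAGE_PRIORITY = ["en", "fr", "de"]
# Constructed directory listing standing in for the document tree.
FILES = {"index.html.en", "index.html.fr", "about.html", "help.html.de"}


def parse_accept_language(header):
    """Return language tags ordered by q-value; ties keep header order.

    Tags with q=0 (or an unparsable q) are dropped, as the client is saying
    it will not accept them at all.
    """
    ranked = []
    for position, part in enumerate(filter(None, header.split(","))):
        tag, _, params = part.strip().partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if q > 0:
            ranked.append((-q, position, tag.lower()))
    return [tag for _, _, tag in sorted(ranked)]


def negotiate(requested, accept_language, files=FILES):
    """Pick the file Apache would serve for a MultiViews request.

    1. An exact file name wins without negotiation.
    2. For each accepted tag (best q first) look for <file>.<extension>,
       trying the full tag (en-us) and then its primary subtag (en).
    3. Otherwise fall back to LanguagePriority order.
    4. None means no variant exists (Apache answers 406 or 404).
    """
    if requested in files:
        return requested
    for tag in parse_accept_language(accept_language):
        ext = ADD_LANGUAGE.get(tag) or ADD_LANGUAGE.get(tag.split("-")[0])
        if ext and f"{requested}.{ext}" in files:
            return f"{requested}.{ext}"
    for lang in LANGUAGE_PRIORITY:
        if f"{requested}.{lang}" in files:
            return f"{requested}.{lang}"
    return None
```

Two cases worth noticing: "de-ch, en-US;q=0.8" resolves to index.html.en because no German variant of index.html exists, and a client that accepts only "ja" still receives index.html.en through the LanguagePriority fallback rather than an error.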
<Directory> vs. <Location>
• Directives enclosed in a <Directory> block apply to the specified file system directory and sub-directories
• Directives enclosed in a <Location> block apply to the specified web space container
– <Location /private> would apply to any URL-path that begins with “/private”
> http://your.domain.com/private
> http://your.domain.com/private123
> http://your.domain.com/private/mydocs/index.html
– Able to apply directives to locations that don't physically exist such as a module handler
    <Location /server-status>
        SetHandler server-status
    </Location>
SSL Encryption
• Default SSL/TLS port for an HTTP server (HTTPS) is 443
• All SSL requests and responses are handled through the mod_ssl module (NetWare handles SSL natively)
• SSL configuration is done by creating a virtual host that listens on the designated SSL port
• Example SSL configuration is found in conf/extra/httpd-ssl.conf of the Apache HTTPD distribution
• Additional documentation can be found at:
– http://httpd.apache.org/docs/2.2/ssl
– http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
Modular Authentication Architecture
• Terms / Authentication Elements:
– Authentication Type – The HTTP authentication scheme used to transport the credentials (Basic or Digest); note that Basic only base64-encodes them and encrypts nothing
– Authentication Method/Provider – Process by which a user is verified to be who they say they are
– Authorization – Process by which authenticated users are granted or denied access based on specific criteria
• Prior to Apache 2.2, every authentication module had to implement all three elements
– Choosing an AuthType limited which authentication and authorization methods could be used
– Potential for inconsistencies across authentication modules
• Note: Pay close attention to the words Authentication vs. Authorization
New Modules - Introduction
• The functionality of each Apache 2.0 authentication module has been split out into the three authentication elements for Apache 2.2
• Overlapping functionality among the modules was simply eliminated in favor of a base implementation
• The module name indicates which element of the authentication functionality it performs
– Mod_auth_xxx – Implements an Authentication Type
– Mod_authn_xxx – Implements an Authentication Method or Provider
– Mod_authz_xxx – Implements an Authorization Method
New Modules – Authentication Type
• mod_auth_basic – Basic authentication – User credentials are received by the server base64-encoded, i.e. in the clear unless the connection is protected by SSL
– Directives: AuthBasicAuthoritative, AuthBasicProvider
• mod_auth_digest – MD5 Digest authentication – The server receives an MD5 hash computed over the credentials, a server nonce and the request rather than the password itself (a hash, not encryption; the request and response bodies are still unprotected)
– Directives: AuthDigestAlgorithm, AuthDigestDomain, AuthDigestNcCheck, AuthDigestNonceFormat, AuthDigestNonceLifetime, AuthDigestProvider, AuthDigestQop, AuthDigestShmemSize
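The difference between the two authentication types is concrete enough to compute. The Python below is an added example (not mod_auth_basic or mod_auth_digest code): it builds and decodes a Basic header to show that the password is recoverable by anyone who reads the request, then computes the RFC 2617 Digest response with qop=auth from both sides, using the HA1 value that htdigest stores in place of the password. The Basic user name and password are constructed; the Digest inputs are the worked example from RFC 2617 section 3.5.

```python
"""Basic vs. Digest: what actually crosses the wire (added example)."""
import base64
import hashlib


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Authorization header a client sends for Basic: base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials(header):
    """Recover user and password from a Basic header; base64 is not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def htdigest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); this is what the htdigest file stores."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest (qop=auth):
    response = MD5(HA1 ':' nonce ':' nc ':' cnonce ':' qop ':' HA2), HA2 = MD5(method ':' uri).
    The password itself is never sent."""
    ha1 = htdigest_ha1(user, realm, password)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored HA1, so the server never needs the password.
    Nonce freshness (AuthDigestNonceLifetime) and the nc replay check
    (AuthDigestNcCheck) are separate controls and are not modelled here."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return expected == response


# Worked example from RFC 2617 section 3.5.
RFC2617 = dict(user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
               method="GET", uri="/dir/index.html",
               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
               cnonce="0a4f113b")
RFC2617_RESPONSE = "6629fae49393a05397450978507c4ef1"


def rfc2617_example_matches():
    """True if this implementation reproduces the RFC's published response value."""
    return digest_response(**RFC2617) == RFC2617_RESPONSE
```

Two observations follow from running it. First, basic_credentials(basic_header("alice", "s3cret")) gives the password straight back, which is why Basic belongs only behind SSL. Second, the server verifies Digest from HA1 alone, so an htdigest file leak still lets an attacker answer Digest challenges for that realm even though it does not reveal the plaintext password.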
New Modules – Authentication Providers
• mod_authn_anon – Allows “anonymous” user access to authenticated areas
– Directives: Anonymous, Anonymous_LogEmail, Anonymous_MustGiveEmail, Anonymous_NoUserID, Anonymous_VerifyEmail
• mod_authn_dbm – DBM file based user authentication
– Directives: AuthDBMType, AuthDBMUserFile
• mod_authn_default – Authentication fallback module
– Directives: AuthDefaultAuthoritative
New Modules – Authentication Providers
• mod_authn_file – File based user authentication
– Directives: AuthUserFile
• mod_authnz_ldap – LDAP directory based authentication
– Directives: AuthLDAPBindDN, AuthLDAPBindPassword, AuthLDAPCharsetConfig, AuthLDAPDereferenceAliases, AuthLDAPRemoteUserIsDN, AuthLDAPUrl
New Modules - Authorization
• mod_authnz_ldap – LDAP directory based authorization
– Directives: Require ldap-user, Require ldap-group, Require ldap-dn, Require ldap-attribute, Require ldap-filter, AuthLDAPCompareDNOnServer, AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN, AuthzLDAPAuthoritative
• mod_authz_default – Authorization fallback module
– Directives: AuthzDefaultAuthoritative
New Modules - Authorization
• mod_authz_dbm – DBM file based group authorization
– Directives: Require file-group*, Require group, AuthDBMGroupFile, AuthzDBMAuthoritative, AuthzDBMType
• mod_authz_groupfile – File based group authorization
– Directives: Require file-group*, Require group, AuthGroupFile, AuthzGroupFileAuthoritative
• mod_authz_host – Authorization based on the client's host (name or IP address)
– Directives: Allow, Deny, Order
New Modules - Authorization
• mod_authz_owner – Authorization based on file ownership
– Directives: Require file-owner, AuthzOwnerAuthoritative
• mod_authz_user – User authorization
– Directives: Require valid-user, Require user, AuthzUserAuthoritative
Differences Between Apache 2.0 & 2.2
• New Directives
– AuthBasicProvider On|Off|provider-name [provider-name]…
– AuthDigestProvider On|Off|provider-name [provider-name]…
– AuthzXXXAuthoritative On|Off
• Renamed Directives
– AuthBasicAuthoritative On|Off (was AuthAuthoritative in Apache 2.0)
• Multiple modules must be loaded (auth, authn, authz) rather than a single mod_auth_xxx module
Differences – More Authorization Types
• Apache 2.0
– Require valid-user
– Require user user-id [user-id] …
– Require group group-name [group-name] …
• Apache 2.2
– Same as Apache 2.0
– LDAP – ldap-user, ldap-group, ldap-dn, ldap-filter, ldap-attribute
– GroupFile – file-group*
– DBM – file-group*
– Owner – file-owner
• Since multiple authorization methods can be used, in most cases the type names should be unique
Configuring Simple Authentication
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_host_module modules/mod_authz_host.so

    <Directory /www/docs>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName Authentication_Test
        AuthBasicProvider file
        AuthUserFile /www/users/users.dat
        require valid-user
    </Directory>
• The authentication provider is file based and the authorization method is any valid-user
Requiring Group Authorization
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so

    <Directory /www/docs>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName Authentication_Test
        AuthBasicProvider file
        AuthUserFile /www/users/users.dat
        AuthGroupFile /www/users/group.dat
        require group my-valid-group
    </Directory>
• The authentication provider is file based but the authorization method is group file based
Multiple Authentication Providers
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule ldap_module modules/mod_ldap.so

    <Directory /www/docs>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName Authentication_Test
        AuthBasicProvider file ldap
        AuthUserFile /www/users/users.dat
        AuthLDAPURL ldap://ldap.server.com/o=my-context
        AuthzLDAPAuthoritative off
        require valid-user
    </Directory>
• The authentication includes both file and LDAP providers with the file provider taking precedence followed by LDAP: providers are consulted in the listed order, and LDAP is only asked when the file provider does not know the user, so a stale entry in users.dat shadows the LDAP account of the same name
• AuthzLDAPAuthoritative off lets mod_authnz_ldap decline rather than deny when it cannot authorize the request, so that mod_authz_user gets to evaluate “require valid-user”
• A plain ldap:// URL sends the bind and the user's password to the directory unencrypted; use ldaps:// or the TLS option of mod_ldap (LDAPTrustedMode) in production
Multiple Authorization Methods
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule ldap_module modules/mod_ldap.so

    <Directory /www/docs>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName Authentication_Test
        AuthBasicProvider file
        AuthUserFile /www/users/users.dat
        AuthzLDAPAuthoritative OFF
        AuthGroupFile /www/users/group.dat
        AuthLDAPURL ldap://ldap.server.com/o=my-context
        require ldap-group cn=public-users,o=my-context
        require group my-valid-group
    </Directory>
• Set AuthzLDAPAuthoritative to “OFF” to allow the LDAP authorization method to defer if necessary: access is granted when either Require line is satisfied, and with the directive left on, mod_authnz_ldap would reject a user who is not in the LDAP group before mod_authz_groupfile could check the group file
New Features Already in Apache 2.3
• Moving from hook-based to provider-based authorization
• “AND/OR/NOT” logic in authorization• Host Access Control as an authorization type
– Require IP …, Require Host …, Require Env …
– Require All Granted, Require All Denied
– “Order Allow/Deny”, “Satisfy” where did they go?
– Backward compatibility with the 2.0/2.2 Host Access Control, use the Mod_Access_Compat module
Adding “AND/OR/NOT” Logic to Authorization
• Allows authorization to be granted or denied based on a complex set of “Require…” statements
• New Directives (the names below are the 2.3-dev names at the time of this talk; Apache 2.4 shipped the feature as <RequireAll>, <RequireAny> and <RequireNone>)
– <SatisfyAll> … </SatisfyAll> - Must satisfy all of the encapsulated statements
– <SatisfyOne> … </SatisfyOne> - Must satisfy at least one of the encapsulated statements
– <RequireAlias> … </RequireAlias> - Defines a ‘Require’ alias
– Reject – Reject all matching elements
Authorization using ‘AND/OR’ Logic
Configuration
    <Directory /www/mydocs>
        AuthName ...
        AuthType ...
        AuthBasicProvider ...
        ...
        Require user John
        <SatisfyAll>
            Require group admins
            Require ldap-group cn=mygroup,o=foo
            <SatisfyOne>
                Require ldap-attribute dept="sales"
                Require file-group
            </SatisfyOne>
        </SatisfyAll>
    </Directory>
Authorization Logic
    if ((user == "John") ||
        ((group contains "admins") &&
         (ldap-group cn=mygroup,o=foo contains user) &&
         ((ldap-attribute dept == "sales") ||
          (file-group contains user))))
    then Authorization Granted
    else Authorization Denied
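The pseudo-logic above is worth running rather than reading, because the interesting cases are the users who satisfy most of the tree but not all of it. The Python below is an added example, not Apache's authorization code: a small evaluator for a policy tree whose inner nodes are "all", "one" and "not" (the SatisfyAll, SatisfyOne and Reject cases) and whose leaves are Require statements, applied to the slide's policy. The user records, the file-group table and the document paths are constructed stand-ins for what the file, group-file and LDAP providers would return. Bare Require lines at the top level are OR-ed, which is also how Apache 2.2 treats several Require lines in one block, so the same evaluator covers the 2.2 flat case.

```python
"""Evaluator for nested Require logic (added example, not Apache code)."""

# Constructed user records standing in for the providers' data.
USERS = {
    "John":  {"groups": {"staff"}, "ldap_groups": set(), "ldap_attrs": {}},
    "Alice": {"groups": {"admins"}, "ldap_groups": {"cn=mygroup,o=foo"},
              "ldap_attrs": {"dept": "sales"}},
    "Bob":   {"groups": {"admins", "editors"}, "ldap_groups": {"cn=mygroup,o=foo"},
              "ldap_attrs": {"dept": "it"}},
    "Eve":   {"groups": set(), "ldap_groups": {"cn=mygroup,o=foo"},
              "ldap_attrs": {"dept": "sales"}},
}
# Constructed file-group data: the group allowed to read a given file.
FILE_GROUP = {"/www/mydocs/plan.html": "editors"}


def _leaf(rtype, value, user, path):
    """Evaluate one Require statement for an already authenticated user."""
    rec = USERS[user]
    if rtype == "valid-user":
        return True
    if rtype == "user":
        return user in value.split()
    if rtype == "group":
        return bool(rec["groups"] & set(value.split()))
    if rtype == "ldap-group":
        return value in rec["ldap_groups"]
    if rtype == "ldap-attribute":
        key, _, wanted = value.partition("=")
        return rec["ldap_attrs"].get(key) == wanted.strip('"')
    if rtype == "file-group":
        return FILE_GROUP.get(path) in rec["groups"]
    raise ValueError(f"unknown Require type: {rtype}")


def evaluate(node, user, path):
    """Walk the policy tree: ('require', type, value) | ('all', [...]) |
    ('one', [...]) | ('not', node)."""
    kind = node[0]
    if kind == "require":
        return _leaf(node[1], node[2], user, path)
    if kind == "all":
        return all(evaluate(child, user, path) for child in node[1])
    if kind == "one":
        return any(evaluate(child, user, path) for child in node[1])
    if kind == "not":
        return not evaluate(node[1], user, path)
    raise ValueError(f"unknown node kind: {kind}")


# The slide's policy: top-level Require lines are OR-ed with the SatisfyAll block.
POLICY = ("one", [
    ("require", "user", "John"),
    ("all", [
        ("require", "group", "admins"),
        ("require", "ldap-group", "cn=mygroup,o=foo"),
        ("one", [
            ("require", "ldap-attribute", 'dept="sales"'),
            ("require", "file-group", ""),
        ]),
    ]),
])


def authorized(user, path="/www/mydocs/index.html", policy=POLICY):
    """Authorization decision for an authenticated user requesting a path."""
    return evaluate(policy, user, path)
```

Bob is the case to look at: an admin in the LDAP group but outside sales, he is denied for index.html yet granted for plan.html, because the file-group leaf depends on the requested file. Eve matches the LDAP conditions but not the group requirement, so the AND branch fails and she is denied.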
Questions
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.