Apache Magic for IBM i
Alan Seiden Consulting
Alan’s PHP on IBM i focus
• Consultant to innovative IBM i and PHP users
• PHP project leader, Zend/IBM Toolkit
• Contributor, Zend Framework DB2 enhancements
• Award-winning developer
• Authority, web performance on IBM i
Founder, Club Seiden
club.alanseiden.com
Contact information
Alan Seiden [email protected] 201-447-2437
alanseiden.com twitter: @alanseiden
What can Apache “serve?”
• Web sites and applications
‣ Allows limited access via TCP/IP requests
• APIs, web services
• Any kind of file
• Static or dynamic data
Apache can be extended via modules
Requirements, prerequisites
Ensure that LICPGM is installed
http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaq9/rzap91pp5770dg1wrapper.htm
Using Navigator for i
Minimum Software Requirements
• Extended base directory support ‣ 5770-SS1 Option 3
• Host Servers ‣ 5770-SS1 Option 12
• Qshell ‣ 5770-SS1 Option 30
• IBM Portable Applications Solutions Environment for i ‣ 5770-SS1 Option 33
• IBM TCP/IP Connectivity Utilities for i ‣ 5770-TC1
• IBM Developer Kit for Java ‣ 5770-JV1 Option 11
http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaie/rzaieinstallingprereq.htm
Permissions for administrators
• *IOSYSCFG Special Authority
• *CHANGE Authority to the library object QUSRSYS
• *ALL authority to the following objects:
‣ QUSRSYS/QATMHINSTA
‣ QUSRSYS/QATMHINSTC
• Tip: QATMHINSTC is where the instance really “goes”
• *USE authority for these command objects: ‣ STRTCPSVR, ENDTCPSVR
• *RX authority for: ‣ root (/) ‣ /www
• *RWX authority for directory “/www/server_name/“
Let’s create a web server instance
Using Navigator for i web administrator
Start at port 2001
Redirects to secure port 2005
Find HTTP and DCM tasks
Choose web administration
Web admin menu
Create new HTTP server
Proceed with the wizard
Finish
Hit green start button
It works!
• Go to http://i.yourserver.com
• Use actual IP or domain name
• Sample HTML page will appear
If it didn’t work: debug tips
• DSPMSG QSYSOPR will show error message and job number
• Check error log in QTMHHTTP’s spool files: WRKSPLF SELECT(QTMHHTTP)
• Common reason for failure: IP/port already allocated
Detailed troubleshooting
1. DSPMSG QSYSOPR; find startup error ("HTTP Server instance ZENDSVR6 start up failed.")
2. Put cursor on message; press F1 to see details
3. Within detailed message, look for job info (something like 108846/QTMHHTTP/ZENDSVR6)
4. Copy that info (108846/QTMHHTTP/ZENDSVR6) to your clipboard
5. WRKJOB <the job info>
6. Type "4" to see spool files, the job log of dead job
7. Type "B" to go to the bottom. Then scroll back up till you see a "40" level error.
See active connections
Green screen method: NETSTAT
NETSTAT *CNN is the shortcut
Navigator for i method
Configure it
Modifying Configuration Directives
• Change listener ports
• Restricting access
• Define multiple-domain Virtual Hosts
• Enable load balancing
• Other security suggestions
• More . . .
Editor built into the admin GUI
Other ways to edit
• GUI editor is “safest” (no CCSID issues), but…
• Edit as you would any IFS file
• Configuration file
‣ /www/yourserver/conf/httpd.conf
• Connect to IFS via:
‣ Notepad++
‣ Zend Studio or similar editor, and copy/paste/edit from there
• Edit on your PC and transfer with FTP/SFTP/SSH program (e.g. Filezilla) or IBM i Navigator
‣ Prefer SFTP/SSH: plain FTP sends your password and the configuration file across the network in clear text
Restart to test any configuration change
Setup or Change Listeners/Ports
http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen
# Apache Default server configuration
# General setup directives
Listen *:80

Allow requests to IP address 192.170.2.1 through port 80:

Listen 192.170.2.1:80

Allow SSL connections to port 8443 as well:

Listen 192.170.2.1:80
Listen *:8443 https

Listen *:80 binds every interface on the partition. Naming the address, as in the second form, keeps the instance off interfaces that were never meant to serve web traffic (a management or backup network, for example).
Multiple “servers” in one configuration
http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaiemod_vhost_alias.htm?lang=en
NameVirtualHost 111.22.33.44
<VirtualHost 111.22.33.44>
    ServerName www.domain1.com
    DocumentRoot /www/domain1
</VirtualHost>
<VirtualHost 111.22.33.44>
    ServerName www.domain2.com
    ServerAlias domain2.com *.domain2.com
    DocumentRoot /www/domain2
</VirtualHost>
This example will provide two virtual host configurations under the same web server instance. The first <VirtualHost> listed for an address is also its default: a request whose Host header matches no ServerName or ServerAlias (a request by raw IP address, or for an old DNS name that still points here) is answered by www.domain1.com.
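Because the first virtual host on an address answers for every unmatched Host header, scanners, raw-IP requests and stale DNS names all land on the first real site. Here is the same pair of sites with a deliberately empty catch-all placed first so those requests get a 403 instead. This is an added example, not part of the original deck; the /www/default/htdocs path is assumed to exist and to be empty, and the address must also appear in a Listen directive.

```apache
NameVirtualHost 111.22.33.44:80

# Listed first on this address, so it is the default for any request
# whose Host header matches no ServerName/ServerAlias below.
# It serves nothing: every path is denied.
<VirtualHost 111.22.33.44:80>
    ServerName default.invalid
    # assumed: an empty directory that exists
    DocumentRoot /www/default/htdocs
    <Location />
        Order Deny,Allow
        Deny from all
    </Location>
</VirtualHost>

<VirtualHost 111.22.33.44:80>
    ServerName www.domain1.com
    DocumentRoot /www/domain1
</VirtualHost>

<VirtualHost 111.22.33.44:80>
    ServerName www.domain2.com
    ServerAlias domain2.com *.domain2.com
    DocumentRoot /www/domain2
</VirtualHost>
```

The address and port in NameVirtualHost and in each <VirtualHost> must be written identically, otherwise Apache treats the block as an IP-based host and logs an overlap warning at startup. Test with a request that carries an unknown Host header (curl -H "Host: nosuch.example" http://111.22.33.44/) and confirm you get 403 rather than domain1's home page.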
Security tips
Reverse proxy in front
Reverse proxy: a “front door” that transparently pulls content from another server (i.e. your real server).
Benefits:
• Extra layer of protection
‣ Don’t reveal the real server’s address
‣ Give your real server a private address
• Access from inside only
• Provide a “united front” to multiple web servers
‣ A single web site can pull from many other sites, transparently
• A way to add features (e.g. SSL) to web servers when you can’t control them directly
• Caching and content manipulation
‣ Some are optimized for this (e.g. Varnish)
Options for reverse proxy
• Appliance ‣ Runs in your network ‣ http://bluecoat.com is a popular one
• Cloud-based ‣ http://cloudflare.com ‣ Includes CDN, optimizer, more
• Your own IBM i partition in the DMZ ‣ Easy to administer
• Separate server (e.g. Linux) if you have the skills
IBM i reverse proxy configuration
LoadModule proxy_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
LoadModule proxy_ftp_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
LoadModule proxy_http_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
LoadModule proxy_connect_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

# URL path /prod/ will pull content from server .200
<Location /prod/>
    ProxyPass http://192.168.0.200/
    ProxyPassReverse http://192.168.0.200/
</Location>

# URL path /test/ will pull content from server .201
<Location /test/>
    ProxyPass http://192.168.0.201/
    ProxyPassReverse http://192.168.0.201/
</Location>

Only proxy_module and proxy_http_module are needed for these two mappings; proxy_ftp_module and proxy_connect_module (CONNECT tunnelling) are extra network-reachable code for no benefit here. Leave ProxyRequests at its default of Off: with ProxyRequests On the instance becomes an open forward proxy for anyone who can reach it.
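The same two mappings, trimmed to the modules a reverse proxy actually needs, with forward proxying stated off and the test back end reachable only from the internal network. This is an added example, not from the original deck. The back-end addresses are the ones above; ProxyPreserveHost and ProxyPassReverseCookiePath are standard Apache 2.2 mod_proxy directives and the cookie-path lines assume the back ends set cookies with Path=/.

```apache
# Only the core proxy module and the http:// scheme handler are needed
# for ProxyPass to an HTTP back end. proxy_ftp_module and
# proxy_connect_module (CONNECT tunnelling) stay unloaded.
LoadModule proxy_module      /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
LoadModule proxy_http_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

# Off is the default, but say so: ProxyRequests On would make this
# instance an open forward proxy for anyone who can reach its port.
ProxyRequests Off

# Pass the client's original Host header through, so the back-end
# application builds links for the public name, not for 192.168.0.200.
ProxyPreserveHost On

# URL path /prod/ pulls content from server .200
<Location /prod/>
    ProxyPass http://192.168.0.200/
    ProxyPassReverse http://192.168.0.200/
    # ProxyPassReverse fixes Location headers but not cookie paths;
    # rewrite Path=/ from the back end to Path=/prod/ (assumed Path=/).
    ProxyPassReverseCookiePath / /prod/
</Location>

# URL path /test/ pulls content from server .201, internal users only
<Location /test/>
    ProxyPass http://192.168.0.201/
    ProxyPassReverse http://192.168.0.201/
    ProxyPassReverseCookiePath / /test/
    Order Deny,Allow
    Deny from all
    Allow from 192.168
</Location>
```

The private addresses 192.168.0.200 and .201 never appear in anything the browser sees, which is the "don't reveal the real server" benefit from the previous slide; the Allow on /test/ is what makes the test system "access from inside only" rather than merely hidden.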
Restrict access to particular IP addresses
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny
Allow from ibm.com
Allow from 10.0
Allow from 192.168
Directive Syntax: Allow from all|host|env=[!]env-variable [host|env=[!]env-variable] …
Deny from all
Directive Syntax: Deny from all|host|env=[!]env-variable [host|env=[!]env-variable] …
Restricting…continued
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
<Directory /www/yourserver/htdocs>
    Order Deny,Allow
    Deny from all
    Allow from ibm.com
    Allow from 10.0
    Allow from 192.168
</Directory>
This example will allow access to the docroot folder only from connections originating from ibm.com subdomains and from addresses matching 10.0.*.* or 192.168.*.*. Order takes a single argument with no space after the comma; “Order Deny, Allow” is rejected at startup. A host name such as ibm.com is matched by a reverse DNS lookup of the client address (confirmed with a forward lookup), which costs a lookup on every request and is only as trustworthy as the DNS servers involved; prefer address prefixes or CIDR ranges where you can. On Apache 2.4-based servers these directives are supplied by mod_access_compat and have been superseded by Require ip and Require host.
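The Order argument is the part that gets inverted most often, because it decides both which list is evaluated last (and therefore wins) and what happens when a client matches neither. As an added example, not part of the original deck, the same Allow and Deny lines under each ordering, with the outcome for three sample client addresses in comments; the /reports and /admin directories and the 10.0.5.x range are assumed.

```apache
# Order Deny,Allow: Deny lines first, Allow lines last.
# An Allow match overrides a Deny match, and a client that matches
# NEITHER list is allowed. That is why "Deny from all" is needed here.
<Directory /www/yourserver/htdocs/reports>
    Order Deny,Allow
    Deny from all
    Allow from 10.0
</Directory>
# 10.0.5.7    -> allowed (Deny all, then Allow 10.0 wins)
# 10.0.1.2    -> allowed
# 192.168.1.9 -> denied  (only "Deny from all" matched)

# Order Allow,Deny: Allow lines first, Deny lines last.
# A Deny match overrides an Allow match, and a client that matches
# NEITHER list is denied, so no "Deny from all" is required.
# Here 10.0.5.x is carved out of the otherwise allowed 10.0.x.x.
<Directory /www/yourserver/htdocs/admin>
    Order Allow,Deny
    Allow from 10.0
    Deny from 10.0.5
</Directory>
# 10.0.5.7    -> denied  (Allow 10.0 matched, then Deny 10.0.5 wins)
# 10.0.1.2    -> allowed
# 192.168.1.9 -> denied  (matched nothing; default for Allow,Deny)
```

The trap is the no-match default: "Order Deny,Allow" with a forgotten "Deny from all" lets everyone in, while "Order Allow,Deny" with no Allow lines locks everyone out. After any change, request the directory from an address outside the allowed ranges and confirm the 403 before trusting the rule.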
Set permissions on directories
• Secure programmer and QTMHHTTP access after making changes or creating instances.
• QTMHHTTP is default web server user
• WRKLNK with option 9 or these commands
CHGAUT OBJ('/www/yourserver') USER(JANPGMR) DTAAUT(*RX) OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT OBJ('/www/yourserver/htdocs') USER(JANPGMR) DTAAUT(*RWX) OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT OBJ('/www/yourserver/htdocs') USER(QTMHHTTP) DTAAUT(*RX) OBJAUT(*NONE) SUBTREE(*ALL)
• Run them in this order: the first command’s SUBTREE(*ALL) also sets htdocs to *RX for the programmer, and the second command then widens htdocs to *RWX. Keep the web server user at *RX: QTMHHTTP needs to read the document root and the configuration, and should never be able to write into either.
Other security suggestions
http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
Do not divulge information about the server’s operating system or Apache version
ServerTokens Prod
ServerTokens Prod reduces the Server response header to “Apache”. Keep ServerSignature Off as well, so that server-generated error and index pages do not append the version and host name.
Do not show directory index page
<Directory /www/yourwebsite>
    Options -Indexes
    Order Allow,Deny
    Allow from all
</Directory>
Enable Secure Sockets Layer (SSL)
Types of domain certificates
• Single domain certificate
• Multiple domain certificate
• Wildcard certificate (i.e. *.yourserver.com)
• Standard (verifies business identity and domain ownership)
• Extended Validation (additional level of verification)
• Encryption (128 or 256 bit/SHA-1 or SHA-2)
‣ Request a SHA-2 (SHA-256) signed certificate; browsers no longer accept SHA-1 signatures
Enable SSL
Digital Certificate Manager (DCM)
Go into *SYSTEM certificate store
We want a Server certificate
Create “certificate signing request” (CSR)
Specify:
• Minimum 2048 bits
• Exact “Common name”
‣ The Common Name must be exactly the host name visitors will type (www.yourserver.com, not yourserver.com). Current browsers match the host name against the certificate’s Subject Alternative Name, so make sure the CA lists it there as well.
Submit CSR to a CA vendor
CA vendor’s form
Follow the steps required by the Certificate Provider. Be prepared to provide account information including organization details, contact names and information, payment information and domain specific details. In most cases a representative of the certificate issuer will be contacting and verifying information provided to assert the authenticity of the request for the domain being requested.
Save certs to IFS on IBM i
Certificate Factory Magic
● Certificate (Your Certificate)
● Intermediate Certificate 1 **
● Intermediate Certificate 2 **
● Root CA Certificate ***
** You may need to download this certificate from the certificate provider
*** Root CA certificate may already exist
Root Certificates may already be included in the store
Import root and intermediate certificates
• Provide paths of CA certs you had copied to IFS
Import your “server” certificate
Assign cert to “applications”
With the certificate imported into the store, it is now time to assign it to the applications that will use it.
Select your new certificate from the list provided
Note: Only applications already defined to use SSL will be shown on the list. Once you enable security for a Web Server instance it is then added to the application list showing the servers available for certificate assignment.
Success!
Restart Web Servers to activate new SSL certificate
Almost there…
Optional: combine virtual host with SSL
Listen xx.xx.xx.xx:443
NameVirtualHost xx.xx.xx.xx:443
# specify IP address the server is running on
<VirtualHost xx.xx.xx.xx:443>
    # server application name set up earlier
    SSLAppName QIBM_HTTP_SERVER_DEFAULT
    SSLEngine On
    SSLCacheDisable
</VirtualHost>
It works!
• How to tell if SSL is working
‣ Try in a browser; page should appear
‣ “Lock” icon appears
‣ Click the “lock” for more information
URL Magic
“Rewrite rules”
• Why change a URL?
‣ Use “friendly” URLs
• Replace /cgi-bin/lansaweb?PROCFUN+JOKPUBW+JOKPW03+DEV with /literature/request
‣ Use consistent URLs
• ‘www.’ vs. no www
‣ Redirect to another URL
I changed my mind on a URL name
• I made the name too long
‣ /articles-and-publications-by-alan-seiden
• Now I want to shorten it
‣ /articles-and-publications
‣ …but not “break” my site for anyone
• RewriteRule to the rescue
‣ Both URLs point to the same place now
# Map old directory to new
RewriteRule ^articles-and-publications-by-alan-seiden(/)?$ /articles-and-publications/ [R=301,L]
• RewriteEngine On must precede the first RewriteRule. A pattern without a leading slash, as above, is the per-directory form (.htaccess or a <Directory> section); in httpd.conf server or virtual-host context the path arrives with its leading slash, so write ^/articles-and-publications-by-alan-seiden(/)?$ there.
Search engine optimization trick
• Some people type ‘www.’ Some omit it
• Some web sites will link to me with ‘www’ and some not
‣ www.alanseiden.com, alanseiden.com
• I want search engine credit combined as one site, not split as two
# Example used on alanseiden.com
# Google and browsers will see ‘www’ site as the definitive address.
# R=301: permanent redirect
RewriteCond %{HTTP_HOST} ^alanseiden\.com$ [NC]
RewriteRule (.*) http://www.alanseiden.com/$1 [R=301,L]
• The condition escapes the dot and anchors both ends, so only the bare domain matches (case-insensitively); the redirect target is a fixed host name rather than something taken from the request, which is the safe shape for a Host-based redirect. As with the previous rule, the pattern is the per-directory form; in httpd.conf use ^/(.*) so the slash is not doubled.
Redirect to https (SSL)
# non-SSL
Listen 192.168.5.22:80
<VirtualHost 192.168.5.22:80>
    # redirect to HTTPS
    RewriteEngine On
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

# SSL
Listen 192.168.5.22:443
<VirtualHost 192.168.5.22:443>
    SSLEngine On
    # whatever “application name” you defined
    SSLAppName QIBM_HTTP_SERVER_DEFAULT
    SetEnv HTTPS_PORT 443
    DocumentRoot /www/yourserver/htdocs
    <Directory /www/yourserver/htdocs>
        Allow from all
    </Directory>
</VirtualHost>

Two cautions about the redirect rule. %{HTTP_HOST} is whatever the client put in its Host header, so this rule will happily redirect to any host name an attacker supplies in a crafted request; redirect to the site’s own canonical name instead. And R with no status code is a temporary 302, so browsers and search engines keep asking for the http:// address first; use R=301 once the https site is final.
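The same http-to-https setup with the redirect pointed at a fixed host name and made permanent, plus the directory hardening from the earlier slides applied to the SSL host. This is an added example, not from the original deck; www.yourserver.com, the 192.168.5.22 address and /www/yourserver/htdocs are assumed.

```apache
# non-SSL: this host exists only to send everyone to https
Listen 192.168.5.22:80
<VirtualHost 192.168.5.22:80>
    ServerName www.yourserver.com
    RewriteEngine On
    # Redirect to the site's own name, never to %{HTTP_HOST}: the Host
    # header is client-supplied, so a crafted request could otherwise be
    # bounced to a host of the attacker's choosing.
    # R=301 is permanent, so browsers and search engines remember the move
    # and stop requesting the http:// address.
    RewriteRule ^/(.*) https://www.yourserver.com/$1 [R=301,L]
</VirtualHost>

# SSL
Listen 192.168.5.22:443
<VirtualHost 192.168.5.22:443>
    ServerName www.yourserver.com
    SSLEngine On
    # the DCM "application name" that the server certificate is assigned to
    SSLAppName QIBM_HTTP_SERVER_DEFAULT
    SetEnv HTTPS_PORT 443
    DocumentRoot /www/yourserver/htdocs
    <Directory /www/yourserver/htdocs>
        # no directory listings on the public site
        Options -Indexes
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
```

If the instance must answer for several names, keep one redirect per virtual host, each with its own fixed target; an alternative is UseCanonicalName On together with %{SERVER_NAME} in the rule, which then comes from the ServerName directive rather than from the request. Verify with curl -I http://www.yourserver.com/ and check for "HTTP/1.1 301" and a Location header naming your own host.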
Hide your underlying technology
• Which do you prefer?
‣ /cgi-bin/lansaweb?PROCFUN+JOKPUBW+JOKPW03+DEV
or
‣ /literature/request
• Show “friendly” URLs that call your programs
‣ https://i.yourserver.com/literature/request
# Map a “friendly” URL to another internal address (in this case, LANSA for the web)
RewriteRule ^/literature/request$ /cgi-bin/lansaweb?PROCFUN+JOKPUBW+JOKPW03+DEV [PT,L]
• The friendly URL is an alias, not a lock: the original /cgi-bin/lansaweb address still answers unless you deny direct requests to it, so treat this as URL design rather than access control.
Let your imagination run free
• Rewrite rules are powerful and can be complex
‣ http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule
‣ They use Regular Expressions
‣ Experiment here:
• www.myregextester.com
• Regular expression tester
Performance
Request-response protocol
• Client (browser) requests a file; server responds
• One file at a time (at most 2–6 in parallel)
• Browser requests HTML file, then as it parses HTML, finds other file names to request (images, css, js...)
Requests can be “blocking” in browser
• Browsers typically limit themselves to 2–6 parallel requests to a given server
• File requests stack up, blocked by prev. requests
• Above, even “304 not modified” files caused blocking
• Solution: reduce number of images or improve caching via “Expires” headers
• http://httpd.apache.org/docs/2.0/mod/mod_expires.html
Example: “Expires” headers (caching)
• For aggressive caching, place these directives in Apache config file (mod_expires must be loaded)
• Can specify file types
ExpiresActive On
# A2592000 means expire after a month in the client's cache
ExpiresByType text/css A2592000
ExpiresByType application/x-javascript A2592000
ExpiresByType application/javascript A2592000
ExpiresByType text/html A2592000
ExpiresByType image/png A2592000
ExpiresByType image/gif A2592000
ExpiresByType image/jpeg A2592000
• A month on text/html means visitors keep a stale copy of a page for a month after you change it; most sites leave HTML out of this list and cache only assets, renaming a css or js file when its content changes
• Many options: http://httpd.apache.org/docs/2.0/mod/mod_expires.html
More ways to reduce “blocking”
• If many .js or .css files are used:
‣ Combine them into fewer files
‣ Move contents of smaller .js or .css files inline to your pages, eliminating those external files
‣ Page Speed tool will help you decide
Create a favicon for your site
• Browsers always look for a file called favicon.ico in your document root
• Those little icons that appear in the browser
• Once found, will be “remembered” by browser
• If not found, will be requested every time
• How to create a favicon:
‣ http://www.alanseiden.com/2007/05/25/brand-your-site-with-a-favicon/
Keep HTTP connections alive
‣ Enable “KeepAlive” setting in Apache
‣ The TCP connection will stay open, waiting for you
‣ Good when downloading many images, css, js files
‣ You’ll reduce the number of three-way “handshakes” that establish a connection
‣ Even more important with longer SSL handshakes
KeepAlive details
• Configurable by number of seconds, number of files to be downloaded, before closing connection
• Recommended settings for average site ‣ KeepAlive On ‣ KeepAliveTimeout 15
• Details: ‣ http://httpd.apache.org/docs/2.0/mod/core.html#keepalive
• Don’t overdo it—you are locking out other users from that HTTP job while it’s dedicated to you
Connecting takes time
• Clues that Keepalive is off ‣ “Connection: close”, “Connecting”
• Example bottom right: 3.6 seconds “Connecting” (longer than average but it really happened)
What you see when Keep-alive is on
• Firebug’s “Net” tab shows “Connection: Keep-Alive”, and, here, timeout=300 seconds (5 minutes)
Zero seconds to connect
Keep-alive is working!
Each request passes through several layers
Compression reduces file size
• Called gzip or mod_deflate, the same for our purposes
• Compresses, speeds up html, javascript, css, favicons, anything text-based
Netflix improved with gzip/deflate
• Saw 13-25% performance improvement
• Cut outbound traffic in half
‣ That saves money for a busy site such as Netflix
• Details:
‣ http://www.slideshare.net/billwscott/improving-netflix-performance-experience
• It really works!
• It really works!
My compression test
• http://your-server:10088/Samples/SQL_access/DB2_SQL_example.php
• Before compression: 31.0kb; loaded in 250ms • After compression: 4.4kb; loaded in 109ms. • That’s 14% of the size and 50% of the time!
Details of deflate/gzip compression
• Apache directives (sample)
# Load IBM i's module that performs compression
LoadModule deflate_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
# Specify content types to compress
AddOutputFilterByType DEFLATE application/x-httpd-php application/json text/css application/x-javascript application/javascript text/html
• Caveat: compressing a response that carries a secret (a session id or CSRF token in the HTML or JSON) together with text an attacker can influence exposes that secret to the BREACH attack. Static css and js are safe to compress; decide deliberately about text/html and application/json on authenticated pages.
• Tutorial on my blog:
‣ http://www.alanseiden.com/2010/08/13/maximize-zend-server-performance-with-apache-compression/
• Apache reference: ‣ http://httpd.apache.org/docs/2.0/mod/mod_deflate.html
Maximum simultaneous HTTP requests
• Set “ThreadsPerChild” in httpd.conf • Default: ThreadsPerChild 40
Increase to number of expected HTTP connections
Load balancer
Apache as load balancer
• Variation on reverse proxy shown earlier • Send requests to multiple servers • Round-robin • Ignore “dead” servers
• Scaling an application: a single server can “farm out” requests to other servers
• High availability
Details: http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaie/rzaiemod_proxy_balancer.htm
Load balancer configuration
# All requests (/ root) will be handled by balancer
ProxyPass / balancer://mycluster/ stickysession=PHPSESSID nofailover=Off

# Balancer definition
<Proxy balancer://mycluster>
    BalancerMember http://127.0.0.1:185 loadfactor=20
    BalancerMember http://127.0.0.1:186 smax=10 loadfactor=20
    # Less powerful server. Don’t send as many requests there
    BalancerMember http://1.2.3.6:8009 smax=1 loadfactor=1
</Proxy>

Notes: the stickysession name must match the session cookie exactly, and PHP’s default cookie is PHPSESSID (the session.name setting), not PHPSESSIONID; with the wrong name every request is balanced afresh and sessions break. loadfactor is a relative weight from 1 to 100 whose default is 1, so giving the weak server loadfactor=20 while the others stay at the default would send it roughly twenty times as many requests rather than fewer; the strong members carry the high weight here. proxy_balancer_module must be loaded alongside proxy_module and proxy_http_module.
Apache is your site’s front door
• Make it look nice and clean • Ensure that it is locked
• Dropping the “door” metaphor, you can also… ‣ Improve performance by knowing the directives to use ‣ Improve search engine optimization ‣ Improve ease of use ‣ Offer APIs securely
‣ Share your Apache or other web server stories or questions
Questions
Contact
Alan Seiden Alan Seiden Consulting Ho-Ho-Kus, NJ
[email protected] ● 201-447-2437 ● twitter: @alanseiden
Free PHP tips: http://alanseiden.com/tips