\chapter{Apache}
\label{cha:apacheMore}
{\mns
\subsection{Objectives}
On completion of this module you should be able to:
\begin{itemize}
\item Set up {\kwd virtual hosts} on the {\pgn Apache} webserver
\item Use access controls
\item Set up basic authentication
\item Configure WebDAV web publishing
\end{itemize}
\section{Two sites and more \ldots}
\label{sec:intro-to-virtual-hosting1}
\begin{itemize}
\item Many companies specialise in \texttt{web hosting}
\item One company may manage thousands of web sites
\item One solution is to buy thousands of servers and set up one web
site on each server.
\begin{itemize}
\item Problem: cost
\item Must be a cheaper way
\end{itemize}
\item There is a simpler way
\begin{itemize}
\item Called {\kwd Virtual Hosting}
\end{itemize}
\item Virtual hosting allows one server to provide many independent
web sites
\begin{itemize}
\item each web site has its own name
\item each web site is independent of the others, with its own document
tree and its own logs
\item {\pgn Apache} has supported this well for many years
\end{itemize}
\end{itemize}
\section{Two sites and more \ldots\ continued}
\label{sec:intro-to-virtual-hosting2}
\begin{itemize}
\item {\pgn Apache} can serve multiple sites easily
\item Known as {\em `Virtual Hosting'}, e.g.
{\myss {\cmdn \begin{verbatim}
<VirtualHost 192.168.0.2>
DocumentRoot /www/web.test2/docs
ServerName www.test2.co.uk
ServerAdmin www@test2.co.uk
ErrorLog /www/web.test2/logs/error_log
TransferLog /www/web.test2/logs/access_log
</VirtualHost>
\end{verbatim}}}
makes {\pgn Apache} answer requests sent to address {\cmdn 192.168.0.2} from {\fn /www/web.test2/docs}
\item Your machine must answer to this address\footnote{If you don't know how to set up IP aliases ask the instructor}
\item {\pgn Apache} must be listening on the address
\begin{itemize}
\item {\cmdn Listen 80} makes {\pgn Apache} answer on all
available addresses on port 80; {\cmdn Listen 192.168.0.2:80} restricts
it to that one address
\item Each virtual web site may have its own logging
\end{itemize}
\item This is known as {\kwd virtual hosting}
\end{itemize}
\section{Virtual Hosting Options}
\label{sec:virtual-hosting-options}
\begin{itemize}
\item IP-based
\begin{itemize}
\item Each site must have its own, unique IP address
\item Uses up valuable IP addresses
\item Site accessible by all browsers, however old
\end{itemize}
\item Name-based
\begin{itemize}
\item Sites share an IP address
\item Useful if short of available addresses
\item Relies on the {\cmdn Host:} request header; HTTP/1.0 clients that
omit it all land on the default site for that address
\end{itemize}
\item Many use IP-based hosting where possible
\item Ensures maximum accessibility
\item However, InterNIC now requires sites to use name-based hosting as
far as possible, to reduce the drain on IP addresses
\item Name-based hosting does not work with SSL unless both client and
server support Server Name Indication (SNI): without SNI the server must
choose its certificate before it has seen the {\cmdn Host:} header, so
each SSL site needs its own IP address (or port)
\end{itemize}
\section{Name-based hosting}
\label{sec:Name-based-hosting}
\begin{itemize}
\item Name-based hosting looks like:
{\myss {\cmdn \begin{verbatim}
NameVirtualHost 10.1.1.108
<VirtualHost 10.1.1.108>
DocumentRoot /var/www/foo/docs
ServerName foo.domain.com.hk
ServerAdmin foomaster@domain.com.hk
</VirtualHost>
<VirtualHost 10.1.1.108>
DocumentRoot /var/www/bar/docs
ServerName bar.domain.com.hk
ServerAdmin barmaster@domain.com.hk
</VirtualHost>
\end{verbatim}}}
\end{itemize}
\section{Name-based hosting (continued)}
\label{sec:Name-based-hosting-2}
\begin{itemize}
\item {\cmdn NameVirtualHost} tells {\pgn Apache} that an IP address can serve multiple hosts
\item {\cmdn <VirtualHost>} sections describe how documents for each site are served
\begin{itemize}
\item The names given in the {\cmdn ServerName} directives must resolve
(in DNS, or in the clients' hosts files) to that IP address, or no
request will ever arrive for them
\end{itemize}
\item {\pgn Apache} looks at the {\cmdn Host:} header to decide which documents to serve
\begin{itemize}
\item Mandatory in HTTP/1.1, but HTTP/1.0 clients may omit it
\item A request with no {\cmdn Host:} header, or with an unrecognised
name, is served by the {\em first} {\cmdn <VirtualHost>} listed for that
address, so list the site you want as the default first
\end{itemize}
\item Requests on other IP addresses will be processed as normal
\item Can use both IP-based and name-based hosting on the same server
\end{itemize}
\section{IP-based hosting}
\label{sec:IP-based-hosting}
\begin{itemize}
\item IP-based hosting looks like (the addresses here are illustrative):
{\myss {\cmdn \begin{verbatim}
<VirtualHost 10.1.1.108>
DocumentRoot /var/www/foo/docs
ServerName foo.domain.com.hk
ServerAdmin foomaster@domain.com.hk
</VirtualHost>
<VirtualHost 10.1.1.109>
DocumentRoot /var/www/bar/docs
ServerName bar.domain.com.hk
ServerAdmin barmaster@domain.com.hk
</VirtualHost>
\end{verbatim}}}
The differences from name-based virtual hosting include:
\begin{itemize}
\item The IP addresses must be different (and Apache must be listening
on them!)
\item There is no \texttt{NameVirtualHost} directive
\item We may be wasting precious IP addresses!
\end{itemize}
\item The Apache manual contains a very useful and complete guide to
implementing virtual hosts
\begin{itemize}
\item It is installed when you installed Apache
\item On Red Hat, it is available as \url{http://localhost/manual/}
\end{itemize}
\end{itemize}
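As an added example (not part of the original handout), here is one complete configuration that combines the two forms above: a name-based address carrying the {\fn foo} and {\fn bar} sites from the examples plus an empty default site, and a separate IP-based address. It uses Apache 1.3/2.0/2.2 syntax; Apache 2.4 ignores {\cmdn NameVirtualHost} and treats every address as name-based automatically. The second address 10.1.1.109, the names {\cmdn default.domain.com.hk} and {\cmdn secure.domain.com.hk}, the {\cmdn ServerAlias} line and the document and log directories (which must already exist) are assumptions.

```apache
# Added example, not from the original handout. Apache 1.3/2.0/2.2 syntax;
# Apache 2.4 ignores NameVirtualHost and makes every address name-based.
# Addresses, names and directories below are assumptions for illustration.

# Bind only the addresses we intend to serve, not every interface.
Listen 10.1.1.108:80
Listen 10.1.1.109:80

# 10.1.1.108 carries several names; Apache picks the site from the Host: header.
NameVirtualHost 10.1.1.108

# The FIRST <VirtualHost> for an address is the default: it answers requests
# that carry no Host: header (HTTP/1.0 clients) or an unknown name. Keep it
# empty so a stray or probing request never sees a real site's content.
<VirtualHost 10.1.1.108>
    ServerName default.domain.com.hk
    DocumentRoot /var/www/default/docs
    ErrorLog /var/www/default/logs/error_log
    TransferLog /var/www/default/logs/access_log
</VirtualHost>

<VirtualHost 10.1.1.108>
    ServerName foo.domain.com.hk
    ServerAlias www.foo.domain.com.hk
    ServerAdmin foomaster@domain.com.hk
    DocumentRoot /var/www/foo/docs
    ErrorLog /var/www/foo/logs/error_log
    TransferLog /var/www/foo/logs/access_log
</VirtualHost>

<VirtualHost 10.1.1.108>
    ServerName bar.domain.com.hk
    ServerAdmin barmaster@domain.com.hk
    DocumentRoot /var/www/bar/docs
    ErrorLog /var/www/bar/logs/error_log
    TransferLog /var/www/bar/logs/access_log
</VirtualHost>

# 10.1.1.109 is IP-based: no NameVirtualHost and exactly one <VirtualHost>,
# so the Host: header is irrelevant. This is also the only form that works
# for SSL with clients that do not support SNI.
<VirtualHost 10.1.1.109>
    ServerName secure.domain.com.hk
    ServerAdmin webmaster@domain.com.hk
    DocumentRoot /var/www/secure/docs
    ErrorLog /var/www/secure/logs/error_log
    TransferLog /var/www/secure/logs/access_log
</VirtualHost>
```

Check the syntax with {\cmdn apachectl configtest} before reloading. Each name can be exercised without touching DNS by sending the header by hand, e.g. {\cmdn curl -H 'Host: bar.domain.com.hk' http://10.1.1.108/}; a request with a made-up name should appear in the default site's {\fn access\_log} and nowhere else.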
\section{Block Directives}
\label{sec:apache-block-directives}
\begin{itemize}
\item {\pgn Apache} has several {\em block directives}
\begin{itemize}
\item Limit the enclosed directives to apply to a certain set of {\em `things'}
\end{itemize}
\item {\cmdn <VirtualHost>} is a block directive
\begin{itemize}
\item Enclosed directives apply only to that virtual host
\end{itemize}
\item Others are:
\begin{quote}
{\cmdn <Directory ...> ... </Directory>}\\
{\cmdn <DirectoryMatch ...> ... </DirectoryMatch>}\\
{\cmdn <Files ...> ... </Files>}\\
{\cmdn <FilesMatch ...> ... </FilesMatch>}\\
{\cmdn <Location ...> ... </Location>}\\
{\cmdn <LocationMatch ...> ... </LocationMatch>}
\end{quote}
\end{itemize}
\section{Block Directives (continued)}
\label{sec:apache-block-directives-2}
\begin{itemize}
\item {\cmdn <Directory name>} limits the enclosed directives to apply to everything below the directory {\fn name}
\begin{itemize}
\item {\fn name} can be anywhere on the filesystem
\item Independent of {\kwd DocumentRoot}
\end{itemize}
\item {\cmdn <Location name>} is similar but {\fn name} is a URL path rather than a filesystem path
\item {\cmdn <Files name>} limits directives to files called {\fn name}
\begin{itemize}
\item Only the file name is checked, not its location, so it applies
wherever such a file occurs
\end{itemize}
\end{itemize}
\section{{\kwd DirectoryMatch}, et al.}
\label{sec:directorymatch-et-al}
\begin{itemize}
\item {\cmdn DirectoryMatch}, {\cmdn FilesMatch} and {\cmdn LocationMatch} are similar
\begin{itemize}
\item Accept regular expressions as arguments, e.g.
{\cmdn \begin{verbatim}
...
\end{verbatim}}
\end{itemize}
\item More flexible
\item Need more thought to match {\em only} the intended files: an
unanchored pattern matches anywhere in the path, so anchor it with
{\cmdn \^{}} and {\cmdn \$} where you mean a whole name
\end{itemize}
\section{Access Control using {\fn .htaccess} files}
\label{sec:access-control-htaccess-files}
\begin{itemize}
\item Create a file in the directory to be protected
\begin{itemize}
\item Usually called {\fn .htaccess}, sometimes {\fn .acl}
\item The name is whatever the server's {\cmdn AccessFileName} directive says
\end{itemize}
\item Example:
{\myss {\cmdn \begin{verbatim}
AuthType Basic
AuthName "Members Only"
AuthUserFile /etc/httpd/conf/auth.user
AuthGroupFile /etc/httpd/conf/auth.group
require group testgroup
require user testuser
\end{verbatim}}}
\item Only the user {\cmdn testuser}, or a user in the group {\cmdn testgroup}, may access files in this directory
\item Validation is done on the files {\fn
/etc/httpd/conf/auth.user}\\and\\{\fn /etc/httpd/conf/auth.group}
\end{itemize}
\section{Access Control (continued)}
\begin{itemize}
\item Processing of access control files is {\em off} by default
({\cmdn AllowOverride None})
\begin{itemize}
\item Unnecessary for many sites, and every directory where it is enabled
is a place where whoever can write a file there can change server
behaviour
\end{itemize}
\item Switched on by:
{\myss {\cmdn \begin{verbatim}
AccessFileName .htaccess
AllowOverride AuthConfig
\end{verbatim}}}
\item {\cmdn AccessFileName} identifies which filename(s) constitute an Access Control File
\item Every directory in the request path is checked for a relevant file
\item {\cmdn AllowOverride} says that Access Control files can override authorisation directives only
\begin{itemize}
\item Can have other values
\item Change behaviours through your {\fn .htaccess} file
\item See {\pgn Apache} docs for further details
\end{itemize}
\item Note that there is quite an overhead if you turn on {\cmdn
AllowOverride}, since the web server has to look for this file in
every directory on the path of each document it fetches, from the
filesystem root down.
\end{itemize}
\section{Authorisation Files}
\label{sec:apache-auth-files}
\begin{itemize}
\item Authorisation files are very straightforward
\item Group file is {\cmdn groupname: userlist}
\item For example:
{\myss {\cmdn \begin{verbatim}
firstgroup: user1 user2 user3
secondgroup: user2 user3 user4
othergroup: user4 user5 user6
\end{verbatim}}}
\item Listed users belong to that group; each of them must also have an
entry in the user file, since membership alone proves nothing
\item Create this file by hand
\end{itemize}
\section{Authorisation Files (continued)}
\label{sec:apache-auth-files-2}
\begin{itemize}
\item User file is a little more complicated
\item Format is {\cmdn username:encryptedpassword}
\item For example:
{\myss {\cmdn \begin{verbatim}
testuser:6SlrYaxUFml
\end{verbatim}}}
\item Create/edit this with {\pgn htpasswd}
\begin{itemize}
\item Part of the {\pgn Apache} distribution
\item Give it an authorisation file and a username; {\cmdn -c} creates
the file, {\cmdn -m} stores an MD5 hash rather than a {\cmdn crypt(3)}
one (which silently ignores everything after the eighth character of
the password)
\item Keep the file outside every {\kwd DocumentRoot}, readable by the
user {\pgn Apache} runs as and not by anyone who does not need it
\end{itemize}
{\myss {\cmdn \begin{verbatim}
$ htpasswd -m /etc/httpd/conf/auth.user newuser
New password:
Re-type new password:
Adding password for user newuser
\end{verbatim}}}%$
\end{itemize}
\section{Access Control using {\fn httpd.conf}}
\label{sec:access-control-httpd.conf}
\begin{itemize}
\item As an alternative to using {\fn .htaccess} files, you can use the main
{\fn httpd.conf} configuration file for {\pgn apache}
\begin{itemize}
\item centralised
\end{itemize}
\item Exactly the same directives as in the {\fn .htaccess} file, but put
into a {\cmdn <Directory>} (or {\cmdn <Location>}) block in {\fn httpd.conf}
\item Refer to the worksheet \emph{How to create a password protected
directory on a web server} for more details.
\end{itemize}
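The centralised form, as an added example that is not from the original handout: the {\fn .htaccess} shown earlier is moved into {\fn httpd.conf}, {\fn .htaccess} processing is switched off everywhere except one delegated tree, and the server is prevented from ever serving its own {\fn .ht*} files. Apache 1.3/2.2 syntax ({\cmdn Order}/{\cmdn Deny}; in 2.4 the equivalent is {\cmdn Require all denied}). The {\fn members} directory, the delegated {\fn bar} tree and the availability of {\pgn mod\_ssl} are assumptions.

```apache
# Added example, not from the original handout. Apache 1.3/2.2 syntax
# (for 2.4, replace Order/Deny with 'Require all denied').
# The members and bar directories are assumptions.

# 1. Do not read .htaccess files anywhere unless a later <Directory>
#    block says otherwise. Saves the per-directory lookups and stops
#    anyone who can write into a web tree from changing server behaviour.
<Directory />
    Options None
    AllowOverride None
</Directory>

# 2. Never serve the access-control or password files themselves, even
#    if one is created inside a DocumentRoot by mistake.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# 3. The .htaccess shown earlier, moved into the server configuration.
#    Password and group files live under /etc/httpd/conf, outside every
#    DocumentRoot.
<Directory /var/www/foo/docs/members>
    AuthType Basic
    AuthName "Members Only"
    AuthUserFile /etc/httpd/conf/auth.user
    AuthGroupFile /etc/httpd/conf/auth.group
    # Several Require lines are alternatives: either one lets a user in.
    Require user testuser
    Require group testgroup
    # Basic auth carries the password merely base64-encoded. With mod_ssl
    # loaded, uncomment the next line to refuse this directory over plain HTTP.
    # SSLRequireSSL
</Directory>

# 4. Where delegation is wanted, let .htaccess override ONLY the
#    authentication directives, and only under one tree.
AccessFileName .htaccess
<Directory /var/www/bar/docs>
    AllowOverride AuthConfig
</Directory>
```

After a reload, a request for {\fn /members/} should receive a {\cmdn 401} with a {\cmdn WWW-Authenticate: Basic realm="Members Only"} header, a request for {\fn /.htaccess} or {\fn /.htpasswd} anywhere on the server should receive a {\cmdn 403}, and a {\fn .htaccess} dropped into {\fn /var/www/foo/docs} should have no effect at all.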
\section{Pros and Cons of using Access Files for Authentication }
\label{sec:pros-cons-of-htaccess}
\begin{itemize}
\item You have a choice to put authentication configuration into {\fn
.htaccess} files or into the main server configuration.
\item Each has advantages and disadvantages.
\end{itemize}
\noindent
{\myss%
\begin{minipage}[t]{0.5\linewidth}
{\centering
\textbf{\texttt{httpd.conf}: advantages}
}
\begin{itemize}
\item The server does not waste time reading all directories looking
for {\fn .htaccess} files
\item The administrator can control all access to the server
\end{itemize}
\end{minipage}%
\begin{minipage}[t]{0.5\linewidth}
{\centering
\textbf{\texttt{.htaccess}: advantages}
}
\begin{itemize}
\item Convenient to modify the configuration; no need to reload the
server, just edit the {\fn .htaccess} file.
\item Easy to delegate access control to other people
\end{itemize}
\end{minipage}\\[3ex]
\begin{minipage}[t]{0.5\linewidth}
{\centering
\textbf{{\fn httpd.conf}: disadvantages}
}
\begin{itemize}
\item Harder to delegate authentication control to others
\item Need to reload the server to read a new configuration
\end{itemize}
\end{minipage}%
\begin{minipage}[t]{0.5\linewidth}
{\centering
\textbf{\texttt{.htaccess}: disadvantages}
}
\begin{itemize}
\item The server needs to check every single directory, starting
with the root directory on the local hard disk of the server, all
the way down to the last directory. This slows the server down
considerably.
\end{itemize}
\end{minipage}}
\section{How Can Users Change Their Password?}
\label{sec:how-users-change-apache-password}
\begin{itemize}
\item Apache provides no solution to this directly
\item Many solutions to this problem are available
\item One of the best is \texttt{user\_manage} by Lincoln Stein,
available at \url{http://stein.cshl.org/~lstein/user_manage/}
\end{itemize}
\section{WebDAV: a protocol for web collaboration}
\label{sec:webDAV-intro}
\begin{itemize}
\item WebDAV is a standard, open protocol for collaboration on the Web
\item Allows authors to write to a web server
\item WebDAV enabled software (such as Microsoft Office 2000) can edit
documents directly on the web server, as if working with a local file
\item Currently provides three main facilities:
\begin{enumerate}
\item Locking: WebDAV prevents two authors writing to the same file
at once
\item Properties: information is stored about each file
\item Namespace manipulation: you can copy and rename files, create
collections (which are basically directories on the web server)
\end{enumerate}
\item Clients include:
\begin{itemize}
\item Microsoft Internet Explorer 5 and later (``Web Folders'')
\item Microsoft Office 2000
\item DreamWeaver 4.0 and later
\item A number of other commercial and Open Source products\ldots
\item \ldots but not FrontPage 2000!
\end{itemize}
\item See \url{http://www.webdav.org/}
\end{itemize}
\section{WebDAV and Apache}
\label{sec:mod_dav}
\begin{itemize}
\item Apache has had support for WebDAV for some time.
\item Consists of an Apache module called {\pgn mod\_dav}
\item Provided with Red Hat 7.0, enabled by default: the module is
loaded, but no directory becomes writable until you say {\cmdn DAV On}
for it
\item Very stable.
\item See \url{http://www.webdav.org/mod_dav/} and
\url{http://www.webdav.org/mod_dav/install.html}
\end{itemize}
\section{WebDAV Configuration}
\label{sec:WebDAVconfig-directives}
\begin{itemize}
\item {\pgn mod\_dav} requires a directory to store lock and property
information
\item You need to provide authentication: with {\cmdn DAV On}, anyone
who passes your access controls can write to the web site
\item Basic authentication sends the password base64-encoded, not
encrypted, so put a DAV-enabled site behind SSL ({\pgn mod\_ssl})
wherever you can
\item Configuration options include:
\begin{tabular}[t]{@{}ll@{}}
\toprule%
\emph{Directive} & \emph{value} \\
\midrule%
DAV & On \\
DAVLockDB & lock file name \\
DAVMinTimeout & minimum lifetime of a lock in seconds \\
\bottomrule
\end{tabular}
\end{itemize}
\section{Apache WebDAV configuration example}
\label{sec:mod_dav-configuration-example}
\begin{itemize}
\item Here is an example section from the {\fn
/etc/httpd/conf/httpd.conf} configuration file ({\cmdn DAVLockDB}
belongs at server level; {\cmdn DAV On} and the rest go inside a
{\cmdn <Directory>} or {\cmdn <Location>} block for the tree that is to
be made writable):
\begin{verbatim}
DAVLockDB /var/lock/WebDAV/DAVLock
DAV On
Options Indexes
AllowOverride None
AuthType Basic
AuthName "CM Web site management and upload"
AuthUserFile /etc/httpd/conf/passwd
Require valid-user
\end{verbatim}
\item Could instead of \texttt{\ldots }
use:
\begin{verbatim}
Require valid-user
\end{verbatim}
(all on one line)
\end{itemize}
\section{Configuring WebDAV: directories and files}
\label{sec:WebDAV-directory-permissions-config}
\begin{itemize}
\item A web site controlled by WebDAV must be writable by the user the
{\pgn Apache} child processes run as ({\cmdn apache} on Red Hat). That
is exactly why it must never also be a directory from which the server
executes scripts: an upload there is remote code execution.
\item You need to create the lock file directory, and make this owned
and writable by the same user.
\begin{itemize}
\item In the example above, you would do:
\begin{verbatim}
$ sudo mkdir /var/lock/WebDAV
$ sudo chown apache:apache /var/lock/WebDAV
\end{verbatim}
\end{itemize}
\end{itemize}
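A complete, added WebDAV container (not from the original handout) that puts the directives from the configuration example and the ownership rule above into context. Apache 1.3/2.2 syntax; the URL path {\fn /dav}, the directory {\fn /var/www/dav} and the 600-second lock timeout are assumptions, as are the presence of {\pgn mod\_ssl} and {\pgn mod\_php} mentioned in the comments. Both {\fn /var/www/dav} and {\fn /var/lock/WebDAV} must exist and be owned by the {\cmdn apache} user as described above; the password file is the one created with {\pgn htpasswd}.

```apache
# Added example, not from the original handout. Apache 1.3/2.2 syntax.
# Assumptions: URL path /dav, directory /var/www/dav, users in
# /etc/httpd/conf/passwd (created with htpasswd -m), 600 s lock timeout.

# Server level: where mod_dav keeps lock and property state. The directory
# /var/lock/WebDAV must exist and be owned by the apache user.
DAVLockDB /var/lock/WebDAV/DAVLock
DAVMinTimeout 600

# Map the URL onto a directory that is NOT under any DocumentRoot, so
# uploaded files are never mixed with content the server executes.
Alias /dav /var/www/dav

<Directory /var/www/dav>
    DAV On

    # Static content only. 'Options Indexes' on its own means no ExecCGI
    # and no Includes here. If mod_php is loaded, also add
    #   php_admin_flag engine off
    # or an authenticated upload becomes remote code execution.
    Options Indexes
    AllowOverride None

    AuthType Basic
    AuthName "CM Web site management and upload"
    AuthUserFile /etc/httpd/conf/passwd

    # Anybody may read (GET/HEAD/OPTIONS). Every other method, which is
    # where PUT, DELETE, MKCOL, COPY, MOVE, PROPFIND, PROPPATCH, LOCK and
    # UNLOCK live, needs a login. <LimitExcept> fails closed: a method not
    # named here is still protected, whereas a <Limit PUT POST ...> list
    # protects only the methods it names.
    <LimitExcept GET HEAD OPTIONS>
        Require valid-user
    </LimitExcept>

    # Basic auth is base64, not encryption. With mod_ssl loaded, uncomment
    # to refuse this tree over plain HTTP.
    # SSLRequireSSL
</Directory>
```

The split between anonymous read and authenticated write is the part worth checking after a reload: an unauthenticated {\cmdn PROPFIND} or {\cmdn PUT} against {\fn /dav/} must come back {\cmdn 401}, a plain {\cmdn GET} of an existing file should succeed, and a file uploaded by an authenticated client must be served back as data, never executed.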
\section{What is WebDAV useful for?}
\label{sec:WebDAV-usees}
\begin{itemize}
\item Useful for a department to collaborate:
\begin{itemize}
\item provide a browsable repository of information
\item members can directly edit these resources
\item A democratised web
\end{itemize}
\item Useful for Home user web publishing. Quote from \emph{WebDAV in 2
Minutes}:
\begin{list}{}{}
\rightmargin \leftmargin\topsep 0pt%
\myss\item[]%
A home user can simplify his or her interface to a web server by
interfacing with it through DAV (assuming support on the server
side). First the user sets up their site on their home computer.
Then, using Internet Explorer 5, they set up a Web Folder through
the Add Web Folders icon. After providing information on their web
server and user id, they can save to and access their directory on
the server transparently by using the Web Folder on their desktop,
which appears and behaves as a typical local folder.
\end{list}
\end{itemize}
\section{What is the future of WebDAV?}
\label{sec:WebDAVfuture}
\begin{itemize}
\item WebDAV is a standard Internet protocol
\begin{itemize}
\item In other words, it is specified by the Internet Engineering
Task Force (IETF)
\end{itemize}
\item IETF is working on specifying the following features:
\begin{itemize}
\item Advanced Collections: support for ordered collections,
referential resources
\item Versioning and Configuration Management: support for
maintaining a complete history of all versions of a resource.
\item Access Control: the ability to set and clear access control
lists.
\end{itemize}
\item Its proponents expect this to let WebDAV replace many current
Internet protocols, such as POP3, IMAP and CVS.
\item Will have potential to help democratise the Web.
\end{itemize}
\section{Information about WebDAV}
\label{sec:webDAVinfo}
\begin{itemize}
\item The best sources of information about WebDAV include:
\begin{itemize}
\item The home page: \url{http://www.webdav.org/}
\item The WebDAV FAQ: \url{http://www.webdav.org/other/faq.html}
\item WebDAV in 2 Minutes: \url{http://www.fileangel.org/docs/DAV_2min.html}
\end{itemize}
\end{itemize}
\section{Other useful directives}
\begin{itemize}
\item There are around 200 Apache directives
\begin{itemize}
\item More if you add modules e.g. {\pgn mod\_ssl}
\end{itemize}
\item The previous ones are the {\em essentials}
\item Some other useful directives are given below: \\ \bigskip
{\myfs
\begin{tabular}{|>{\PBS\rr}p{120pt}|>{\PBS\rr}p{223pt}|} \hline
Directive & Action \\ \hline \hline
Redirect {\cmdn url-path} {\cmdn new-url} & Redirect Requests to {\cmdn url-path} to {\cmdn new-url} \\ \hline
RewriteRule {\cmdn pattern new-pattern} & Rewrite requests, replace {\cmdn pattern} with {\cmdn new-pattern} \\ \hline
AddEncoding type ext & Serve up documents with extension ext with encoding type type \\ \hline
ForceType type & Force all documents to be served up with MIME type type \\ \hline
HostNameLookups on|off|double & Whether to do DNS lookups for logging purposes \\ \hline
ExpiresDefault & Set the default expiry time of documents \\ \hline
\end{tabular}
}
\end{itemize}
\section{Examples}
{\myfs \begin{verbatim}
Redirect permanent /ents/theatre/fab-gere http://www.fabgere.com
Redirect /gbdirect/logo.gif http://www.gbdirect.co.uk/logo.gif
Redirect permanent /gbdirect http://www.gbdirect.co.uk/
RewriteEngine on
RewriteRule ^/linuxtraining.*\.htm /ltcu_moved.htm
AddEncoding x-gzip gz
ForceType text/plain
HostNameLookups off
ExpiresDefault "access plus 1 month"
ExpiresByType text/html "access plus 1 week"
\end{verbatim}}
\section {Exercises}
%% FIXME: Need more exercises (LW)
{\normalsize
\begin{enumerate}
\item {\em IP based hosting}
\begin{enumerate}
\item Start with the default installation file and add an IP based
virtual host:
\begin{enumerate}
\item Add an IP alias for your machine (Ensure it doesn't clash
with any others on your network!) Here are two methods:
\begin{itemize}
\item The simplest is to use the {\cmdn ifconfig} program
directly:
\begin{alltt}
$ sudo ifconfig eth0:0\usb ipaddress
\end{alltt}%$
where {\usb ipaddress} is the second IP address. If you want
to add another alias, use \texttt{eth0:1}; use \texttt{eth0:2}
for the next alias,\ldots
\item The other method uses the {\cmdn netcfg} program:
\begin{enumerate}
\item Use {\cmdn sudo netcfg}, then click on the
Interfaces tab, select the ethernet device, and click
on the Alias button.
\item Save your changes, activate the alias, and check that your
address works, first by typing {\cmdn ifconfig}, then see if
you can ping the address.
\item If the interface was not started, then do so with {\cmdn
sudo ifup eth0}, or {\cmdn sudo ifup eth0:0}
\end{enumerate}
\end{itemize}
\item Create a dummy index page so you will be able to tell the
difference between your two sites. Call the page {\fn
index.html}. Copy them to the document root for each site.
\item Set up Apache to serve this site and check from a browser
that everything works (for both sites) as you expected.
\end{enumerate}
\end{enumerate}
\item {\em Name based hosting}
\begin{enumerate}
\item Set up your apache so that it will serve the same sites but on
a single IP address (Name-based virtual hosting).
\begin{enumerate}
\item First, edit your hosts table using {\cmdn sudo emacs
/etc/hosts}.
\item Add one line for each web site: put your main IP address
first, then the name for the site. Example:
\begin{verbatim}
10.1.1.39 www.nice.com
10.1.1.39 www.acme.com
10.1.1.125 sales.acme.com
\end{verbatim}
\item set up name based virtual hosting for the sites with the
same IP address. Verify that you can read them.
\end{enumerate}
\end{enumerate}
\item {\em Access control}
\begin{enumerate}
\item Create two directories on one of your sites and set up access
controls so that anyone can see the main index page, testuser can
see the first directory and anyone in group testgroup can see the
second.
\end{enumerate}
\item \emph{WebDAV}
\begin{enumerate}
\item Configure your main directory with WebDAV, then demonstrate
that you can access this directory using the Web Folders option
from Internet Explorer (File $\rightarrow$ Open) on one of the
Windows 2000 clients. Make sure that the directory is protected
using Basic Authentication.
\item Demonstrate that you can edit and save a file on the
WebDAV-enabled server directly using Microsoft Word.
\end{enumerate}
\end{enumerate}
}
\section{Solutions}
{\normalsize
\begin{enumerate}
\item {\em IP based hosting}
\begin{enumerate}
%% FIXME, remove redhat-isms about adding IP alias (LW)
\item The first thing that you will have to do is set up an IP alias
for your machine so that it has two distinct IP addresses. You
might find it easiest to use the Red Hat program {\pgn netcfg} for
this. If you aren't sure how to achieve this ask the instructor. A
list of spare IP addresses will be made available. An example from
a working multi-hosted Apache is given below; each site lives in its
own {\cmdn <VirtualHost>} block for its own address
{\myfs
\begin{verbatim}
Listen 192.168.0.3:80
Listen 192.168.0.2:80
<VirtualHost 192.168.0.3>
ServerAdmin webmaster@gbdirect.co.uk
DocumentRoot /home/www/web.llord/docs
ServerName llord.gbdirect.co.uk
ErrorLog /home/www/web.llord/logs/error-log
TransferLog /home/www/web.llord/logs/access-log
</VirtualHost>
<VirtualHost 192.168.0.2>
ServerAdmin webmaster@gbdirect.co.uk
DocumentRoot /home/www/web.trainingpages/docs
ServerName trainingpages.gbdirect.co.uk
ErrorLog /home/www/web.trainingpages/logs/error-log
TransferLog /home/www/web.trainingpages/logs/access-log
</VirtualHost>
\end{verbatim}}
\end{enumerate}
\pagebreak
\item {\em Name based hosting}
\begin{enumerate}
\item An equivalent example using name-based hosting would be:
{\myfs \begin{verbatim}
NameVirtualHost 192.168.0.2
<VirtualHost 192.168.0.2>
ServerAdmin webmaster@gbdirect.co.uk
DocumentRoot /home/www/web.llord/docs
ServerName llord.gbdirect.co.uk
ErrorLog /home/www/web.llord/logs/error-log
TransferLog /home/www/web.llord/logs/access-log
</VirtualHost>
<VirtualHost 192.168.0.2>
ServerAdmin webmaster@gbdirect.co.uk
DocumentRoot /home/www/web.trainingpages/docs
ServerName trainingpages.gbdirect.co.uk
ErrorLog /home/www/web.trainingpages/logs/error-log
TransferLog /home/www/web.trainingpages/logs/access-log
</VirtualHost>
\end{verbatim}}
Note that the two names given, {\cmdn llord.gbdirect.co.uk} and {\cmdn trainingpages.gbdirect.co.uk}, should both resolve to 192.168.0.2, and that a request carrying neither name (or no {\cmdn Host:} header at all) will be served by the first block, {\cmdn llord.gbdirect.co.uk}
\end{enumerate}
\item {\em Access Control}
\begin{enumerate}
\item You should create a file called {\fn .htaccess} in both
directories, the first should be:
\begin{verbatim}
AuthType Basic
AuthName "First Directory"
AuthUserFile /etc/httpd/conf/auth.user
AuthGroupFile /etc/httpd/conf/auth.group
require user testuser
\end{verbatim}
and the second should be:
\begin{verbatim}
AuthType Basic
AuthName "Second Directory"
AuthUserFile /etc/httpd/conf/auth.user
AuthGroupFile /etc/httpd/conf/auth.group
require group testgroup
\end{verbatim}
\end{enumerate}
\end{enumerate}}
} % end {\mns from chapter start
%%% Local Variables:
%%% mode: latex
%%% TeX-master: "0_masterfile"
%%% End: