Tuesday, September 14, 2010

Apache HTTP Server

Introduction

Apache HTTP Server is a widely used open source web server.

Installation

yum install httpd

Default Behavior

  1. Server instance name: httpd
  2. Configuration file:
    1. /etc/httpd/conf/httpd.conf
    2. /etc/httpd/conf/conf.d/*
  3. TCP Port: 80
  4. Log files:
    1. /var/log/httpd/access_log
    2. /var/log/httpd/error_log
  5. Working folder: /var/www/html

Configuration

Configuration: Log Level

The default log level for httpd is “warn”.  You may change the log level to debug to get more detailed log messages when you encounter a problem with the configuration.

For example:

LogLevel debug

Configuration: Server Side Includes (SSI)

SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.

To enable SSI in Apache HTTP, add the following in conf file:

AddType text/html .shtml 
AddHandler server-parsed .shtml 

<Directory /data/www> 
    Options +Includes 
</Directory>

If the index file is an SSI file, add this line too:

DirectoryIndex index.html index.html.var index.shtml

Configuration: Virtual Host

The term Virtual Host refers to the practice of maintaining more than one server on one machine, as differentiated by their apparent hostname. For example, it is often desirable for companies sharing a web server to have their own domains, with web servers accessible as www.company1.com and www.company2.com, without requiring the user to know any extra path information.

To avoid cluttering the httpd.conf file, we can store the virtual host configuration in a separate file (e.g. /etc/httpd/conf.d/httpd-vhosts.conf).

vi /etc/httpd/conf.d/httpd-vhosts.conf

NameVirtualHost *:80

<Directory /data/www> 
    Options +Includes 
</Directory> 

<VirtualHost *:80> 
    DocumentRoot /data/www 
    ServerName www.company1.com 
    ScriptAlias /cgi-bin/ /data/www/cgi-bin/  
</VirtualHost>

Configuration: HTTPS – Secure HTTP

HTTPS is HTTP carried over an SSL/TLS connection.

Installation:

yum install mod_ssl

Restart the httpd service and verify that the secure HTTP service is up and listening with:

# netstat -na |grep -i 443
tcp        0      0 :::443                      :::*                        LISTEN

The configuration file for mod_ssl is stored in /etc/httpd/conf.d/ssl.conf.

Remember to open port 443 in the firewall if you want to publish the service.

Configuration: Basic Authentication

mod_auth_basic is the module for HTTP basic authentication.

The following command prompts for a password and creates a user entry with an MD5-hashed password:

htpasswd -c password_file username

An example of using the basic password file to protect a folder:

<Location /private/>
  AuthType Basic
  AuthName "private area"
  AuthBasicProvider file
  AuthUserFile conf.d/password_file
  Require valid-user
</Location>

Configuration: Digest Authentication

mod_auth_digest is the module for HTTP digest authentication.  Its mechanism is similar to basic authentication, except that the password is sent as an MD5 hash value instead of in plain text.  httpd.conf should load mod_auth_digest by default.

The following command prompts for a password and creates a user entry for the given realm with an MD5-hashed password:

htdigest -c password_file digest-realm username

An example of using the digest password file to protect a folder:

<Location /private/>
  AuthType Digest
  # the realm must match the one given to htdigest above
  AuthName "digest-realm"
  AuthDigestProvider file
  AuthUserFile conf.d/password_file
  Require valid-user
</Location>
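To make the difference between the two schemes concrete, here is an added example (not from the original post) that computes what a client puts on the wire for Basic and Digest authentication, and the line htdigest stores, using only GNU coreutils (md5sum, base64); all user names, realms, passwords and nonces are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: what a client puts on the wire for
# Basic and Digest authentication, and the line htdigest stores, using only GNU
# coreutils (md5sum, base64). All credentials, realms and nonces are constructed.

md5() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Basic: the Authorization header is base64(user:password). base64 is an encoding,
# not a hash, so the password is recoverable by anyone who sees the request; only
# HTTPS (mod_ssl, above) protects it in transit.       $1=user $2=password
basic_auth_token() { printf '%s:%s' "$1" "$2" | base64; }

# The entry htdigest -c writes: user:realm:MD5(user:realm:password). The realm
# must equal the AuthName of the protected Location.  $1=user $2=realm $3=password
htdigest_entry() { printf '%s:%s:%s\n' "$1" "$2" "$(md5 "$1:$2:$3")"; }

# Digest with qop=auth (RFC 2617): response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
# The password itself never crosses the wire and the server only needs HA1, but
# MD5 is weak and nothing else in the request is protected, so still use HTTPS.
# $1=user $2=realm $3=password $4=method $5=uri $6=nonce $7=nc $8=cnonce
digest_response() {
  ha1=$(md5 "$1:$2:$3")
  ha2=$(md5 "$4:$5")
  md5 "$ha1:$6:$7:$8:auth:$ha2"
}

# Demonstration with constructed values (nonce/cnonce taken from RFC 2617 s3.5)
printf 'Authorization: Basic %s\n' "$(basic_auth_token alice s3cret)"
htdigest_entry alice digest-realm s3cret
digest_response alice digest-realm s3cret GET /private/ \
  dcd98b7102dd2f0e8b11d0f600bfb0c093 00000001 0a4f113b
```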

Configuration: httpd 2.2 LDAP Authentication and Authorisation

httpd 2.2 uses the module mod_authnz_ldap to perform LDAP authentication and authorisation.

The following example protects the URL /cgi-bin with username/password authentication against an LDAP directory server.  The LDAP connection uses TLS (STARTTLS).

<Location /cgi-bin>
        Order deny,allow
        Allow from example.com
        AuthType Basic
        AuthName "CVSweb"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPURL ldap://ldap.example.com/ou=user,dc=example,dc=com?uid?sub?(objectclass=posixAccount) STARTTLS
        Require valid-user
</Location>

The above configuration should work if your LDAP server is working.

If the debug log level is used, you may notice that the error_log shows something like this:

[Tue Sep 14 16:38:18 2010] [debug] mod_authnz_ldap.c(376): [client 192.168.0.107] [32672] auth_ldap authenticate: using URL ldap://ldap.example.com/ou=example,dc=example,dc=com?uid?sub?(objectclass=posixAccount)
[Tue Sep 14 16:38:18 2010] [debug] mod_authnz_ldap.c(475): [client 192.168.0.107] [32672] auth_ldap authenticate: accepting alice
[Tue Sep 14 16:38:18 2010] [debug] mod_authnz_ldap.c(847): [client 192.168.0.107] [32672] auth_ldap authorise: authorisation denied

A log message of “authorisation denied” sounds as if authorisation failed.  However, you encounter no problem accessing the resource from a web browser.  This message can be confusing when reading the log during a troubleshooting session.

The message is the result of a configuration option:

AuthzLDAPAuthoritative off

The httpd security mechanism requires both authentication and authorisation to succeed before a user may access a resource.  In this case, the user is authenticated with a user name and password via the LDAP service, and authorisation is performed according to the Apache configuration.

Setting AuthzLDAPAuthoritative to off means mod_authnz_ldap lets other authorisation modules attempt to authorise the user should authorisation with this module fail.  That is why the message “authorisation denied” appears in the log: mod_authnz_ldap declined to perform authorisation here because of “AuthzLDAPAuthoritative off”.

Now the next question arises.  If mod_authnz_ldap declined to perform authorisation, why is the resource accessible once valid credentials are supplied via the web browser?  Why does authorisation appear to succeed, and who performs it?

The key is this setting:

Require valid-user

The above clause performs the authorisation.  It simply means that any user authenticated by mod_authnz_ldap is valid and is authorised to use the resource.

What if we set AuthzLDAPAuthoritative to on?  This means mod_authnz_ldap will itself perform authorisation after a successful authentication:

<Location /cgi-bin>
        Order deny,allow
        Allow from example.com
        AuthType Basic
        AuthName "CVSweb"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL ldap://ldap.example.com/ou=user,dc=example,dc=com?uid?sub?(objectclass=posixAccount) STARTTLS
        Require valid-user
</Location>

The above configuration causes the browser to keep prompting for a username and password even when correct credentials are provided.  Log messages like these appear:

[Tue Sep 14 16:30:49 2010] [debug] mod_authnz_ldap.c(376): [client 192.168.0.107] [32596] auth_ldap authenticate: using URL ldap://ldap.example.com/ou=user,dc=example,dc=com?uid?sub?(objectclass=posixAccount)
[Tue Sep 14 16:30:50 2010] [debug] mod_authnz_ldap.c(475): [client 192.168.0.107] [32596] auth_ldap authenticate: accepting alice
[Tue Sep 14 16:30:50 2010] [debug] mod_authnz_ldap.c(842): [client 192.168.0.107] [32596] auth_ldap authorise: declining to authorise

The message is now “declining to authorise”, compared with “authorisation denied” in the previous case.

In this case, mod_authnz_ldap attempts to perform authorisation because of the “AuthzLDAPAuthoritative on” clause in the configuration.  Again, the reason it is “declining to authorise” is this clause:

Require valid-user

Here mod_authnz_ldap should perform authorisation, but the only requirement is valid-user.  mod_authnz_ldap does not implement “Require valid-user”, so it does not know how to authorise the user, which leads to the “declining to authorise” message being logged.

To make mod_authnz_ldap perform authorisation successfully, use one of the following Require directives instead:

  1. Require ldap-user
  2. Require ldap-group
  3. Require ldap-dn
  4. Require ldap-attribute
  5. Require ldap-filter

depending on the case.  Refer to the reference listed below for more information.
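The AuthzLDAPAuthoritative / Require pairings described above are easy to check for mechanically; the following is an added example (not from the original post or from httpd) that reads httpd 2.2 configuration text on stdin and prints one verdict per <Location> block, with the verdict wording and the sample configuration being my own.

```shell
#!/bin/sh
# Added example, not from the original post: lint httpd 2.2 configuration text
# (read from stdin) for the AuthzLDAPAuthoritative / Require pairings discussed
# above, printing one verdict per <Location> block. Directive names are matched
# case-insensitively, as httpd does; nested blocks are not handled.
check_ldap_authz() {
  awk '
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^<location[ \t]/ {
      loc = line; sub(/^<location[ \t]+/, "", loc); sub(/>.*$/, "", loc)
      auth = ""; req = ""; next
    }
    line ~ /^<\/location>/ {
      if (auth == "" && req == "") next   # block carries no authz directives
      if (auth == "on" && req == "valid-user")
        print "BROKEN " loc ": AuthzLDAPAuthoritative on + Require valid-user; mod_authnz_ldap cannot satisfy valid-user, every request ends in 401 and the browser keeps prompting. Use Require ldap-*."
      else if (auth == "on" && req ~ /^ldap-/)
        print "OK " loc ": mod_authnz_ldap enforces Require " req "."
      else if (auth == "off" && req == "valid-user")
        print "PERMISSIVE " loc ": every user who authenticates against LDAP is authorised; narrow it with Require ldap-group or ldap-filter if only some users should get in."
      else
        print "REVIEW " loc ": AuthzLDAPAuthoritative=" (auth == "" ? "unset" : auth) " Require=" (req == "" ? "none" : req)
      next
    }
    line ~ /^authzldapauthoritative[ \t]/ { auth = tolower($2); next }
    line ~ /^require[ \t]/ { req = tolower($2); next }
  '
}

# Constructed sample mirroring the second configuration shown in the post.
SAMPLE_CFG='<Location /cgi-bin>
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL ldap://ldap.example.com/ou=user,dc=example,dc=com?uid?sub?(objectclass=posixAccount) STARTTLS
        Require valid-user
</Location>'

printf '%s\n' "$SAMPLE_CFG" | check_ldap_authz
```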

Configuration: WebDAV

mod_dav is the module for WebDAV in httpd.  It is extremely easy to enable WebDAV in Apache HTTPD:

<Location /foo>
  Dav On
</Location>

Simply including “Dav On” in a Location or Directory block turns on a WebDAV share.

Reference

  1. Making Apache 2.2 valid-user work with mod_authnz_ldap.
    URL: http://neptune.ashtech.net/~dmarkle/blog/archives/108-Making-Apache-2.2-valid-user-work-with-mod_authnz_ldap.html
