Building A Secure Web Server

This document provides information on building a secure web server using Apache and Tomcat. It discusses the major components of a web server, including the web server and servlet container. It describes how Apache and Tomcat can be configured to work together, with Tomcat running as an add-on module to Apache. The document outlines the build and installation process for Apache and Tomcat, including configuration of modules, ports, and file system mappings between the two servers.

Uploaded by

S R Krishnan
Copyright
© Attribution Non-Commercial (BY-NC)
Building a Secure Web Server

Distributed Systems Department
Ernest Orlando Lawrence Berkeley National Laboratory
June 4, 2001

Grid Portal Developers Workshop


Organization

• Major Components
• Overview of the Build Process
• Configuration
• URL to File System Mappings
• Starting/Stopping Web Server Processes
• More Information

Web Server Components

• Web server: application that responds to HTTP requests by returning ‘web’ resources (e.g., HTML files, images, applets, CGI output, …) over the Internet
• Servlet container (or servlet engine): runtime shell that invokes servlets on behalf of clients; software that runs servlets and manages them through their lifecycle

Servlet Containers

Servlet containers can be partitioned as:

• Standalone: integral part of the web server (as when using a Java-based web server)
• Add-on component to the web server: Java container implementation + web server plugin
  - Servlet code runs inside the Java container
  - Java container runs inside a JVM
  - Web server plugin opens the JVM

Apache and Tomcat

Apache: “Industrial strength” HTTP/1.1-compliant web server

• Highly configurable
• Implements many features in addition to the core functionality (e.g., security/access control, virtual hosting, CGI script execution, …)
• Extensible with third-party modules (e.g., servlet engine, security, WebDAV, …)

Apache and Tomcat

Tomcat: Java-based servlet container with a JSP environment

• Execution modes:
  - Standalone: default mode for Tomcat
  - In-process add-on: the web server plugin opens a JVM inside the web server’s address space; the plugin passes servlet/JSP requests to the servlet container via JNI
  - Out-of-process add-on: the web server plugin opens a JVM outside the web server; the plugin and JVM communicate using an IPC mechanism (e.g., TCP/IP sockets)

Tomcat Execution Modes

Standalone
• Not as fast as Apache for static pages
• Not as configurable as Apache
• Not as robust as Apache
• May not support functionality found only in Apache modules (e.g., Perl, PHP, security)
• Mainly for development and debugging

In-process add-on
• Suitable for multi-threaded single-process servers
• Provides good performance
• Limited in scalability

Tomcat Execution Modes

Out-of-process add-on
• Poorer response time than an in-process servlet container
• Better scalability
• Better stability

Tomcat and Apache

Communication mechanism between Tomcat and Apache:

• Termed “web server adapter” or “connector”
• Implemented as a library (e.g., mod_jserv.so, mod_jk.so)
• Uses/manages TCP connections
• Uses the AJPV12/AJPV13 communication protocol

Tomcat vs. Jserv

Tomcat’s mod_jserv != Apache Jserv

• Jserv for Apache (www.apache.org/jserv)
  - Older; in maintenance-only mode
  - Servlet API 2.0-compliant container
• Tomcat’s mod_jserv
  - Servlet API 2.2- and JSP 1.1-compliant container
  - Supports Apache, IIS, and Netscape servers

Our Basic Installation

[Diagram: on the Web Server Host, Apache listens on http/80 and https/443 and loads mod_ssl, mod_dav, and the mod_jserv/mod_jk connector; the connector talks to Tomcat over AJPV12/13 on port 8007.]

How Apache & Tomcat Interoperate

[Diagram: the client requests http://server/path/to/resource from Apache (step 1); Apache’s adapter forwards servlet requests to Tomcat over AJPV12/13 on TCP/8007, and Apache relays the resource back to the client.]

Apache in standalone mode; Tomcat in out-of-process add-on mode

Building and Installing Apache and Tomcat

• Apache supports statically-linked and dynamically-linked modules (DSOs)
• Our builds were done under Solaris 2.7 and Linux Redhat 6.2
• Script to automate the build/configure process available at www-itg-lbl.gov/Grid/projects/WebServer-SG.html
• Step-by-step procedure available at www-itg.lbl.gov/Private/apache_build.html

Building and Installing Apache and Tomcat

• Our components:
  - Binary distribution of Tomcat
  - Apache built from source
  - Statically-linked Apache modules (mod_access, mod_cgi, mod_so, mod_dav, …)
  - Dynamically-linked Apache modules (mod_ssl, mod_jserv, …)

Building and Installing Apache and Tomcat

Assumptions:
• Java already installed (JDK 1.2/JDK 1.3)
• APACHE = /usr/local/apache
• TOMCAT = /usr/local/tomcat

2. Build OpenSSL (needed for mod_ssl)
3. Build the optional MM shared memory library
4. Configure mod_ssl (built in step 6)
5. Build mod_dav

Building and Installing Apache and Tomcat

6. Build and install Apache with DSO support, mod_ssl, and mod_dav.

Gotcha: The docs describe two ways to configure: in APACHE/src/ with ‘Configure’ (APACI method) or in APACHE/ with ‘configure’. The latter worked better!! See the INSTALL file in the top-level APACHE directory of the source distribution.

Building and Installing Apache and Tomcat

6. Build and install Apache (cont’d.)

Gotcha: In addition to its binary (httpd), Apache builds tools, one of which is ‘apxs’, used to build shared objects. If Apache isn’t built with DSO support, you will get an error like this when building *.so:
apxs: Break: Command failed with rc=16711680
Solution: Include the following args to ‘configure’:
--enable-module=so --enable-rule=SHARED_CORE

Building and Installing Apache and Tomcat

6. Build and install Apache (cont’d.)

Gotcha: In building mod_ssl, you’ll need to make a certificate. You can make a temporary certificate for a quick build and testing, but remember to get a real certificate later! See https://idcg-ca.lbl.gov and click the ‘SSL Server’ link. Put certs in the APACHE/conf/ssl.* dirs.

Building and Installing Apache and Tomcat

7. Build Tomcat’s mod_jserv.so connector module for Apache

Gotcha: Since the build is done in the Tomcat src tree, be sure to copy autochange.so and mod_jserv.so into Apache’s libexec/ directory!

Configuration

• Apache:
  - httpd.conf (in APACHE/conf/): master config file
  - tomcat-apache.conf (generated by Tomcat): included in httpd.conf for mod_jserv
• Tomcat (in TOMCAT/conf/):
  - server.xml: global config file
  - tomcat.conf: lets the web server work with Tomcat
  - web.xml: configures Tomcat contexts

Configuring the Ports

[Diagram: default configuration. Tomcat’s own HTTP listener on http/8080; Apache on http/80 and https/443 with mod_ssl, mod_dav, and mod_jserv/mod_jk; Apache to Tomcat over AJPV12/13 on port 8007.]

Configuring the Ports

server.xml

<!-- disable the built-in web server on port 8080
<Connector className="org.apache.tomcat.service.SimpleTcpConnector">
  <Parameter name="handler"
    value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
  <Parameter name="port" value="8080"/>
</Connector>
-->
<Connector className="org.apache.tomcat.service.SimpleTcpConnector">
  <Parameter name="handler"
    value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
  <Parameter name="port" value="8007"/>
</Connector>

Configuring the Ports

tomcat.conf

# Tell Apache to load the shared object communication module
LoadModule jserv_module libexec/mod_jserv.so

# Set communication protocol and port
ApJServDefaultProtocol ajpv12
ApJServDefaultPort 8007

Configuring the Ports

httpd.conf

ServerRoot "/usr/local/apache"
# Here's where we can override the default ports
Port 80
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

<VirtualHost _default_:443>

Sample File System

APACHE/
  bin  conf  logs  libexec  htdocs  securedocs  (more)

TOMCAT/
  bin  conf  logs  lib  webapps  (more)

URL to File System Mappings

httpd.conf

DocumentRoot "/usr/local/apache/htdocs"
<IfDefine SSL>
# General setup for the virtual host
DocumentRoot "/usr/local/apache/securedocs"
# Lots of stuff
</IfDefine>
Include /usr/local/tomcat/conf/tomcat-apache.conf

Resulting mappings:
  http://hostname/foo/   ->  /usr/local/apache/htdocs/foo/
  https://hostname/foo/  ->  /usr/local/apache/securedocs/foo/

Apache Directory Access

Restrict access on a per-directory basis via httpd.conf.

<Directory />
AllowOverride None
</Directory>
<Directory "/usr/local/apache/htdocs/webDAVdir">
Order deny,allow
Deny from all
Allow from .lbl.gov
DAV On
</Directory>

Apache Directory Access

Per-directory access restriction (httpd.conf)

<Directory "/usr/local/apache/htdocs/webDAVdir">
Order deny,allow
<Limit GET POST>
Deny from all
Allow from .lbl.gov
</Limit>
<Limit PUT DELETE MKCOL COPY MOVE LOCK UNLOCK>
Deny from all
Allow from 131.243.2
</Limit>
</Directory>
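To check what the per-method rules above actually permit before deploying them, here is an added evaluator (not from the slides) that parses a constructed copy of the <Limit> blocks and applies Apache's Order deny,allow semantics; the hostnames and addresses in the tests are made up.

```python
import re

# Constructed httpd.conf fragment mirroring the slide's per-method rules
# (hypothetical input for this added example; assumes Order deny,allow).
HTTPD_CONF = """
<Directory "/usr/local/apache/htdocs/webDAVdir">
Order deny,allow
<Limit GET POST>
Deny from all
Allow from .lbl.gov
</Limit>
<Limit PUT DELETE MKCOL COPY MOVE LOCK UNLOCK>
Deny from all
Allow from 131.243.2
</Limit>
</Directory>
"""


def parse_limits(conf):
    """Map each method named in a <Limit> block to its (verb, pattern) rules."""
    rules = {}
    for methods, body in re.findall(r"<Limit ([^>]+)>(.*?)</Limit>", conf, re.S):
        entries = [(verb.lower(), pattern)
                   for verb, pattern in re.findall(r"(Allow|Deny) from (\S+)", body)]
        for method in methods.split():
            rules[method.upper()] = entries
    return rules


def host_matches(pattern, host, ip):
    """Apache host/IP patterns: 'all', a domain suffix, or a leading IP prefix."""
    if pattern == "all":
        return True
    if pattern[0].isdigit():                 # partial IP: 131.243.2 matches 131.243.2.*
        return ip == pattern or ip.startswith(pattern + ".")
    return host.endswith(pattern)            # domain suffix needs a reverse-DNS hostname


def allowed(rules, method, host, ip):
    """Order deny,allow: apply Deny first, then Allow overrides; default is allow."""
    entries = rules.get(method.upper())
    if entries is None:
        return True   # caveat: methods not named in any <Limit> are unrestricted
    denied = any(host_matches(p, host, ip) for verb, p in entries if verb == "deny")
    permitted = any(host_matches(p, host, ip) for verb, p in entries if verb == "allow")
    return permitted or not denied


RULES = parse_limits(HTTPD_CONF)
```

Methods the two <Limit> blocks do not name (OPTIONS, PROPFIND, PROPPATCH) fall through unrestricted; Apache's <LimitExcept> names the methods to exempt instead, so one block can cover everything else.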

Tomcat File System

TOMCAT/
  webapps/
    examples/
      WEB-INF/
        web.xml
        classes/
        lib/
      jsp/
      index.html
    anotherapp/

URL to File System Mappings

tomcat-apache.conf

AddType text/jsp .jsp
AddHandler jserv-servlet .jsp
Alias /examples /usr/local/tomcat/webapps/examples
ApJServMount /examples/servlet /examples
<Location /examples/WEB-INF/ >
AllowOverride none
deny from all
</Location>
ApJServMount /servlet /ROOT
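As an added illustration (not part of the slides) of how the DocumentRoot, Alias, ApJServMount and <Location> directives above divide the URL space, this resolver models those directives over a constructed copy of the config; it is a model of the mappings, not Apache's own request processing, and normalises ".." segments before the WEB-INF check.

```python
import posixpath
import re

# Constructed fragment combining the httpd.conf DocumentRoot with the
# tomcat-apache.conf directives on the slide (hypothetical input for this example).
CONF = """
DocumentRoot "/usr/local/apache/htdocs"
Alias /examples /usr/local/tomcat/webapps/examples
ApJServMount /examples/servlet /examples
<Location /examples/WEB-INF/ >
AllowOverride none
deny from all
</Location>
ApJServMount /servlet /ROOT
"""


def parse(conf):
    """Pull out the directives the resolver needs."""
    docroot = re.search(r'DocumentRoot "([^"]+)"', conf).group(1)
    aliases = re.findall(r"^Alias (\S+) (\S+)", conf, re.M)
    mounts = re.findall(r"^ApJServMount (\S+) (\S+)", conf, re.M)
    denied = [loc for loc, body in re.findall(r"<Location (\S+) ?>(.*?)</Location>", conf, re.S)
              if "deny from all" in body.lower()]
    return docroot, aliases, mounts, denied


def under(path, prefix):
    """Segment-aware prefix test; also covers the bare directory URL, which the
    slide's trailing-slash <Location> alone would not."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def resolve(url_path, conf=CONF):
    """Return ("denied", None), ("tomcat", context) or ("file", fs_path)."""
    docroot, aliases, mounts, denied = parse(conf)
    # Collapse "." and ".." before any prefix check so a traversal segment
    # cannot slip past the <Location> that protects WEB-INF.
    path = posixpath.normpath(url_path)
    if any(under(path, loc) for loc in denied):
        return ("denied", None)
    for mount, context in sorted(mounts, key=lambda m: -len(m[0])):
        if under(path, mount):             # longest mount prefix wins
            return ("tomcat", context)
    for alias, target in sorted(aliases, key=lambda a: -len(a[0])):
        if under(path, alias):
            return ("file", target + path[len(alias.rstrip("/")):])
    return ("file", docroot + path)
```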
URL to File System Mappings

server.xml:

<Context path="/examples"
  docBase="webapps/examples" debug="0"
  reloadable="false">
</Context>

SIDE NOTE: Tomcat docs recommend turning on servlet auto-reloading only for development. However, specifying reloadable="true" did not seem to work. When a servlet was recompiled, Tomcat had to be restarted.

Configuring a Context

web.xml

<web-app>
  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>SimpleServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>

Starting Apache

• Specify the user and group to run as (in httpd.conf):
  User nobody
  Group cpc
• Remember to add libexec/ to LD_LIBRARY_PATH
• Start Apache as root:
  # cd /usr/local/apache/bin
  # ./apachectl startssl

Starting Apache

Sample startup script: APACHE/start

#!/bin/sh
LD_LIBRARY_PATH=/usr/local/apache/libexec:/usr/local/openssl-0.9.6:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH
/usr/local/apache/bin/apachectl startssl
echo "Apache started"

Starting Apache

Usage: APACHE/bin/httpd [-d directory] [-v] [-h] [-l] …
  -d: specify an alternative ServerRoot
  -v: show version number
  -h: list available command line options
  -l: list compiled-in (static) modules

Starting Tomcat

• Do NOT start Tomcat as root.
• Create a new user account or use an existing one.
• Use the ‘startup.sh’ script in TOMCAT/bin
• If necessary, add or modify entries for JAVA_HOME, TOMCAT_HOME, and CLASSPATH.

Tomcat Startup Script

TOMCAT/bin/startup

#!/bin/sh
TOMCAT_HOME=/usr/local/tomcat
export TOMCAT_HOME
PATH=/usr/local/java/bin:$PATH
export PATH
# note: the trailing "." puts the current directory on the class path
CLASSPATH=$CLASSPATH:/usr/local/MyJavaPkg:.
export CLASSPATH
BASEDIR=`dirname $0`
$BASEDIR/tomcat.sh start "$@"
Stopping Apache/Tomcat

• Tomcat
  - As the ‘tomcat’ user, run TOMCAT/bin/shutdown.sh
• Apache
  - As root, use apachectl (or write a ‘stop’ script):
    # cd /usr/local/apache/bin
    # ./apachectl stop
    OR
    # cd /usr/local/apache
    # ./stop

More Information

• Wainwright, P., “Professional Apache,” Wrox Press Ltd.
• http://www.webdav.org/
• http://httpd.apache.org/docs/
• http://jakarta.apache.org/tomcat/
• http://java.sun.com/products/servlet/2.2/ (download the Java Servlet Specification, v2.2)

More Information

• http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/
  - uguide/tomcat_ug.html (Tomcat – A Minimalistic User’s Guide)
  - tomcat-apache-howto.html (Tomcat-Apache HOWTO)
  - mod_jk-howto.html (Working with mod_jk)
  - Tomcat FAQ (from links in the above pages)
