If your server handles a single large site, you might want to point this at a different location on a partition dedicated to Web files.

Note: When you reference another file in httpd.conf, Apache prepends the ServerRoot to it unless you begin the filename with a slash (/). For example, if your ServerRoot is /usr/local, docs/cgi-bin would become /usr/local/docs/cgi-bin, while /usr/local/etc/apache/vhost.conf would remain unchanged.

Document Root Path

……………………………………………………………………………………….
DocumentRoot "/usr/local/www/data"
……………………………………………………………………………………….

The HTML documents for the main Web site go in the DocumentRoot directory.

Httpd Servers

……………………………………………………………………………………….
MinSpareServers 5
MaxSpareServers 10
StartServers 5
……………………………………………………………………………………….

If you do a ps -ax on your server, you'll see a number of httpd processes, because each request to the Web server is handled by a separate process. When a dozen people all type in your Web server's URL and hit ENTER simultaneously, a separate process handles each request. This is part of how Apache can handle such a high load.

When Apache first starts, it fires up a number of httpd processes equal to the StartServers value. Every so often, it checks to see how many httpd processes are running, and how many are actually serving content. To guarantee that there are enough idle httpd processes to handle additional requests, Apache keeps the number of spare (idle) processes between MinSpareServers and MaxSpareServers. If your Web server suffers from sudden floods of traffic, you might want to increase the MinSpareServers and MaxSpareServers values. The StartServers value shouldn't need to be increased, though, because even if you were to shut down and restart Apache, it can start several hundred httpd processes in just a few seconds.

Maximum Number of Clients

……………………………………………………………………………………….
MaxClients 150
……………………………………………………………………………………….
To properly administer Apache, you need to understand what each of these files is for and how to manage them.

Mime.types

The mime.types file contains a list of all standard file types and their identifying characteristics. All Web servers must identify the type of file they are transmitting to the client, so that the client can take appropriate actions. For example, most Web browsers open up a PDF reader when they download a PDF. The mappings contained in mime.types give Apache the information it needs to support this functionality. You should almost never have to touch this file, unless you are specifically told to in a program's documentation.

Magic

This file contains identifying characteristics for a variety of unusual file types that the mime.types file cannot cope with. Because the mime.types file can't deal with all of the file types in the world, Apache's built-in mime_magic module uses the magic file to try to identify unknown files. You should never have to touch the magic file, unless a program's installation documentation explicitly tells you to.

Httpd.conf

The httpd.conf file controls the Web server's behavior, and it's where the interesting things happen. This file is well commented (any line beginning with a pound sign (#) is a comment), so we won't discuss it in much detail; we'll leave the discussion of every possible Apache configuration for much bigger books. Most of Apache's configuration takes place in this file, however, so we can't escape it entirely.

Configuring Apache

The best way to create an Apache configuration file is to edit and use the sample primary configuration file (httpd.conf). But whatever you do, don't touch what you don't understand. Unlike your DNS server, you don't want to create an Apache configuration from scratch!
The default httpd.conf contains large sections that control things like character-set handling, and unless you really want your Web server's handling of the Chinese language to be completely different from any other Web server on the planet, your best bet is to leave these settings alone.

Note: The arrangement of the default httpd.conf file is a bit irregular. While it probably makes sense to the authors, the rest of us are left scratching our heads if we try to just sit down and read it. (It doesn't help that the default file is over 1,000 lines long!) That said, we'll discuss the configuration options in a more sensible order.

Server-Wide Settings

The following configuration options define general server behavior.

Server Root Path

The ServerRoot setting specifies the path to the main Web site files.

……………………………………………………………………………………….
ServerRoot "/usr/local"
……………………………………………………………………………………….
FreeBSD includes several Web servers, but the most popular on the Internet, by far, is Apache.

The Apache Web Server

If you look under /usr/ports/www, you'll see several different ports with "apache" in their names. Most of these are slightly different versions of the Apache Web server, and before installing anything, you'll need to pick a version. Here's a brief look at your options.

apache-jserv
This is an Apache server with a Java servlet engine. You can use this to handle JavaServer Pages.

apache13
This is probably the version you'll want: Apache version 1.3 without any advanced features. Still, some Apache setups require massive or far-reaching changes in Apache itself. Check the other Apache ports to see if one of them will better fit your needs.

apache13+ipv6
This is Apache patched to support IPv6 connections. Use this if you're using IPv6.

apache13-fp
Microsoft FrontPage Server Extensions are a popular Web development platform, but installing FrontPage Extensions can be a pain. Use this port if you want to support FrontPage.

apache13-modssl
This port includes modular Secure Sockets Layer (SSL) support, for secure Web sites. The secure connection component, mod_ssl, is based upon OpenSSL. Use this to support secure connections.

apache13-ssl
This includes integrated (nonmodular) SSL support, which is considered obsolete; use mod_ssl instead.

apache2
This isn't merely a cutting-edge Web server, it's bleeding edge. This version of Apache may well scalp you. Apache 2 is well worth installing just to keep up on the technology, but you probably don't want it in production use yet. Also, many Apache modules have not yet been ported to apache2. If you want a bland, basic Web server with a bleeding-edge back end, this will make you happy.

To build the programs in the most efficient manner possible, you can choose to build Apache from ports with performance tuning enabled. This takes longer to build, but results in a stronger, better, faster Web server.
To enable this option, set APACHE_PERF_TUNING=YES when building your chosen port:

……………………………………………………………………………………….
# make APACHE_PERF_TUNING=YES all install
……………………………………………………………………………………….

Apache Configuration Files

You'll find Apache's main configuration files in /usr/local/etc/apache. There are five main files: access.conf, httpd.conf, magic, mime.types, and srm.conf. Originally, Apache used all five files extensively, but these days httpd.conf, magic, and mime.types are the ones most often used. (The functions in access.conf and srm.conf have been rolled into httpd.conf; the original files remain mostly for us older admins who expect to find them.)
Chapter 15: Web and FTP Services

Overview

Although the Internet started back in the 1970s, it wasn't until the advent of Web pages in the mid-1990s that the Internet became a household name. The Netscape Corporation took the open-source Web browser Mosaic and turned it into a commercial product. The result was an information and communication revolution that is still going on. While many dot-com companies have crashed and burned, an age of person-to-person communication began with the Netscape Web browser. Technologies such as peer-to-peer are expanding the Internet even further, but the Web is still what comes to mind when people think of the Internet.

FreeBSD's Web server performance is legendary. For many years, some Microsoft subsidiaries even used FreeBSD in preference to their own Windows NT platform. (The very day I write this, the Wall Street Journal announced that Microsoft is still using FreeBSD internally, despite corporate protestations to the contrary.) This has led to Microsoft releasing a shared-source ".NET for FreeBSD" toolkit. Yahoo! runs FreeBSD, as do a wide variety of other high-demand Web server farms. The Apache Web server, the most popular Web server in the world, is developed on FreeBSD. This chapter will discuss building your own high-performance Web and FTP server with FreeBSD.

How a Web Server Works

A basic Web server is fairly straightforward: a Web browser requests a page, and the Web server spits it out, then closes the connection. That's the easy part. Things get considerably more complicated when you start to use modules, dynamic pages, and so on, but we'll discuss the basics in this chapter.

The Web uses Hypertext Transfer Protocol, or HTTP, a very simple protocol like POP3. Over the last few years, functions have been added to HTTP to make it more complicated, but basic HTTP operations are simple enough to be performed by hand. Let's try it: we'll use telnet(1) to connect to port 80 on a server, and type GET /.
……………………………………………………………………………………….
# telnet blackhelicopters.org 80
Trying 209.69.178.18...
Connected to blackhelicopters.org.
Escape character is '^]'.
GET /
Nothing to see here. This is not the site you're looking for.
Connection closed by foreign host.
#
……………………………………………………………………………………….

If you've ever looked at any HTML, the output from this command should look very familiar to you. If not, you might check the "view source" option on your Web browser the next time you call up a Web page. You'll see that this is the actual HTML that generates the pretty picture in your browser. (If you can't get this much from your Web server, it probably isn't working. Check your error logs.)
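The same "GET /" check, done from a script instead of telnet(1). This is an added example, not code from the book: it sends an HTTP/1.0 request (modern servers refuse the bare HTTP/0.9 GET shown above) and parses the reply into status, headers and body; the host name and the sample reply are constructed, and the parser is exercised on that sample so nothing needs the network.

```python
"""Added example (not from the book): the chapter's manual "GET /" check,
done with a raw socket, plus a parser for whatever the server sends back.
Host, port and SAMPLE_REPLY are constructed values, not from the book."""
import socket


def build_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.0 request: request line, Host header, blank line."""
    return (f"GET {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_response(raw: bytes):
    """Split a raw reply into (status_code, headers, body).

    A server answering HTTP/0.9 style (body only, no status line, as in the
    telnet session above) yields status 0 and an empty header dict, so the
    caller can still tell "answered" from "refused"."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return 0, {}, raw
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fetch_root(host: str, port: int = 80, timeout: float = 5.0):
    """Connect, send the request, read until the server closes the socket.
    Raises OSError (connection refused, timeout) when the server is down,
    which is the "check your error logs" case in the text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed sample reply in the shape an Apache 1.3 server sends.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"Server: Apache/1.3 (Unix)\r\n"
                b"Content-Type: text/html\r\n\r\n"
                b"<html><body>Nothing to see here.</body></html>")

if __name__ == "__main__":
    status, headers, body = parse_response(SAMPLE_REPLY)
    print(status, headers.get("server"), body.decode())
```

Call fetch_root("your.server.example") against a live host to get the same three values from a real reply.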
set tls-cipher-list = bf,des,des3
……………………………………………………………………………………….

These tls-cipher-list settings are the cryptographic ciphers that your system will support. You can get a complete list of ciphers your system supports by running openssl list-cipher-commands. The preceding example supports most email clients.

……………………………………………………………………………………….
set tls-server-cert-file = /usr/local/etc/qpopper/server.cert
……………………………………………………………………………………….

This tls-server-cert-file setting specifies the location of your signed certificate file. We created a signed server certificate in the previous chapter. After setting these options, you should be all set to provide pop3ssl services. This is by far the most preferable method, and easy enough to do.

Qpopper Security

Qpopper has a questionable security record, but it has undergone an extensive code audit and is now as secure as any POP3 server daemon. You still need to keep up on security advisories, however, just as you would for any program that transmits user data across the network. Since qpopper runs out of inetd, you can use TCP Wrappers to help secure it.

[3] You can do something called a "brute force attack," where you try to find a text string that has a cryptographic collision with the password. This takes a lot of CPU time, and a lot of time, and is utterly inappropriate for a server protocol.
Listing Users

If a user runs the following command, it tells him whether he is in the APOP user database. If root runs this as qpopauth -list ALL, it lists every APOP user:

……………………………………………………………………………………….
# qpopauth -list
……………………………………………………………………………………….

Enabling APOP

When you set up APOP, you need to decide whether plain-text POP3 will still be permitted. If you want to allow people to use either plain POP3 or APOP, you need to change the clear-text-password option. (The default lets people use plain-text passwords only if they are not set up as APOP users.) Use the set clear-text-password option in your qpopper configuration file to require the use of APOP.

……………………………………………………………………………………….
set clear-text-password = always
……………………………………………………………………………………….

Supporting APOP

Allowing both APOP and plain POP3 can cause password confusion, because the APOP user database and /etc/master.passwd are not synchronized by anything except administrator intervention. When a user calls and says that she can't get her mail, you'll have to find out if she's using APOP or POP3. The user probably won't know, so you'll have to walk her through her mail client to find out, or just change both passwords to a known value. APOP is a better idea all around. A better idea still is pop3ssl.

Configuring Pop3ssl

The POP3-over-SSL process is similar to the default POP3 protocol. Instead of sending a username, however, the client sends a request for SSL. If your server can grant it, the remaining steps of the process are all encrypted. All of the performance options are set as if you're running standard POP3. You need to set several configuration options to use pop3ssl, however, as follows.

……………………………………………………………………………………….
set clear-text-password = tls
……………………………………………………………………………………….

With this clear-text-password option, you can use clear-text passwords if you're using SSL encryption. A user could use APOP or pop3ssl, but not vanilla POP3.

……………………………………………………………………………………….
APOP Setup

APOP uses a challenge-response system. When a user connects to the POP3 server, the server takes the user's known password and computes a challenge based upon it. This challenge is sent to the client. The client takes the challenge, combines it with the password, computes a response, and sends it back to the server. The server, meanwhile, has performed the same calculation, and it compares the client's response to its own result. If they match, the client has proven that it has the password. Mail download is permitted.

Why go to all this trouble? Well, the password itself has never passed over the network. This eliminates any chance for password theft via qpopper requests. Web browsing, telnet, and so on, all give other opportunities for password theft.

APOP Password Database

Since APOP computes a shared secret based on the user's password, qpopper must have access to the user's password. In UNIX, password encryption is a one-way trip; even given the /etc/master.passwd file, you cannot extract the password.[3] APOP therefore requires a separate username and password database. This APOP user database is kept in /usr/local/etc/qpopper/pop.auth.db, and it should only be readable by root.

You administer the APOP user database with qpopauth(8). Before you can do anything, you must initialize the database:

……………………………………………………………………………………….
# qpopauth -init
……………………………………………………………………………………….

Once you have a database, you can use qpopauth to manage users.

Adding Users

This command adds a user to the database:

……………………………………………………………………………………….
# qpopauth -user username
……………………………………………………………………………………….

You'll be prompted for a password. If the user does not exist on the main system, qpopauth will not let you add the user.

Deleting Users

The following command deletes the specified user from the database:

……………………………………………………………………………………….
# qpopauth -delete username
……………………………………………………………………………………….
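The challenge-response exchange described under "APOP Setup", written out as an added example (not code from the book or from qpopper). It follows RFC 1939, where the challenge is a per-connection timestamp string of the form <process-id.clock@hostname> carried in the server greeting and the client answers with MD5(challenge + password); the host name, user and password are constructed, and the in-memory dictionary stands in for qpopper's pop.auth.db. The transcript it returns shows why the server needs the clear-text password and why the password never appears on the wire.

```python
"""Added example (not from the book or qpopper): APOP per RFC 1939.
Server greeting carries a unique challenge; client sends
"APOP user MD5hex(challenge + password)"; server recomputes and compares.
APOP_DB, the host name, user and password are constructed values."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for pop.auth.db: user -> clear-text password.
# This is exactly why the book says the file must be readable by root only.
APOP_DB = {"alice": "correct horse battery"}


def make_challenge(hostname: str) -> str:
    """Server side: unique per connection, included in the +OK greeting."""
    return f"<{os.getpid()}.{int(time.time())}@{hostname}>"


def apop_digest(challenge: str, password: str) -> str:
    """RFC 1939 digest: MD5 over the challenge string followed by the password."""
    return hashlib.md5((challenge + password).encode("utf-8")).hexdigest()


def client_apop_line(challenge: str, user: str, password: str) -> str:
    """Client side: the only thing an eavesdropper sees besides the greeting."""
    return f"APOP {user} {apop_digest(challenge, password)}"


def server_verify(challenge: str, line: str) -> bool:
    """Server side: recompute from its own copy of the password and compare
    in constant time. Unknown users and malformed lines are rejected."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    password = APOP_DB.get(user)
    if password is None:
        return False
    return hmac.compare_digest(apop_digest(challenge, password), digest)


def run_exchange(user: str, password: str, hostname: str = "mail.example.test"):
    """Whole exchange; returns (accepted, challenge, client_line) so the
    on-the-wire transcript can be inspected: the password is in neither."""
    challenge = make_challenge(hostname)
    line = client_apop_line(challenge, user, password)
    return server_verify(challenge, line), challenge, line


if __name__ == "__main__":
    ok, chal, line = run_exchange("alice", "correct horse battery")
    print(f"S: +OK POP3 server ready {chal}")
    print(f"C: {line}")
    print("S: +OK" if ok else "S: -ERR")
```

Because the challenge changes every connection, a response captured from one session is useless against the next one; a wrong password or an unknown user fails the same way.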
Username Case

If you have a variety of users, some of them will type their username in all capital letters. That's how usernames appear in the movies, after all! By putting the following line in your configuration, usernames received from clients are transformed into all lowercase before qpopper attempts to authenticate them.

……………………………………………………………………………………….
set downcase-user = true
……………………………………………………………………………………….

This can reduce your technical support calls.

Mail Spool Handling

A POP3 client can choose to either copy all messages from the server, download and delete all messages from the server, or delete some messages from the server while leaving the rest. The first two choices (leave everything and delete everything) are typical of core mail-server functionality. The third, a mix of saving and deleting, is a lot of work, and it is set with the following line:

……………………………………………………………………………………….
set server-mode = false
……………………………………………………………………………………….

Server mode assumes that the client will either save all its mail or delete all its mail. This makes qpopper much faster, and reduces server disk I/O. If you enable server mode, you greatly increase qpopper's efficiency. You also make some promises to qpopper when you enable server mode, however. Qpopper will assume that mail is only delivered to clients by qpopper. This is where the "mixing local mail readers and POP3" problem appears. If you use a local mail reader to check mail on an account, and someone pops that account's mail while you're reading it, you can damage users' mail. You don't want to do that. If you don't combine POP3 and local mail clients, and don't read your users' mail, setting this to true is perfectly safe and will improve performance.

Reducing Disk Activity

If you set the following option, you will decrease your disk activity by a third:

……………………………………………………………………………………….
set fast-update = false
……………………………………………………………………………………….

This setting doesn't mix with local mail readers, however. You will also break UNIX programs that notify you of new mail on the UNIX system. This is perfectly safe on a POP-only mail server.
Config Files and Inetd

The obvious place on a FreeBSD system to put the qpopper configuration file is under /usr/local/etc/qpopper. By default, only root can access the qpopper directory. More advanced qpopper implementations will also store user databases and security certificates in this directory. To tell qpopper to take its settings from a file in this directory, use the -f flag. You can make all your other changes in the configuration file, and never have to touch /etc/inetd.conf again. This would make your inetd.conf entry look like this (and despite the page width, this is all on one line):

……………………………………………………………………………………….
pop3 stream tcp nowait root /usr/local/libexec/qpopper qpopper -s -f /usr/local/etc/qpopper/qpopper.conf
……………………………………………………………………………………….

Qpopper.conf

Now that you've told your system how to run qpopper, you need to create the configuration file. Each configuration statement in qpopper.conf appears on its own line, preceded by the word set. Any of these options can be combined with APOP and pop3ssl.

Qpopper Mode

The most important option you have is how qpopper is going to work. The following setting controls whether qpopper will accept clear-text passwords, as used in the manual test earlier.

……………………………………………………………………………………….
set clear-text-password = default
……………………………………………………………………………………….

You have a few different options here. We're going to look at the most common.

By default, qpopper checks to see if the user is set up for APOP. If so, then clear-text passwords are not allowed. If the user is not set up for APOP, then clear-text passwords are permitted. Use this for standard services.

Specifying always as the setting means that qpopper will accept clear-text passwords, even if the user is set up for APOP. You might need to use this in an ISP environment; while you'd like the user to use APOP, some users have email clients that simply cannot handle it.

Specifying never means that clear-text passwords will not work, even if you're using pop3ssl. You must use APOP to get your mail.

Specifying tls means that clear-text passwords are acceptable if you're running over an encrypted connection (such as SSL). After all, the entire connection is encrypted!

We'll discuss APOP and POP3 over SSL later (in "APOP Setup" and "Configuring Pop3ssl," respectively).
support it. While the authentication information is secure, the email itself isn't.

Pop3ssl

Pop3ssl is the newest version of the POP3 protocol, and it funnels the connection over SSL. This is the most secure type of POP3 service you can have today.

We'll consider each type of POP3 in turn. In order to use either APOP or pop3ssl, you need to have a basic POP3 setup anyway.

Qpopper Preconfiguration Questions

Before you configure qpopper, you need to settle two questions: what kind of users will you have, and will you be using local mail readers?

User Types

If you're providing corporate mail services via qpopper, you are ultimately responsible for setting up the clients (or, at best, working with the people who have to set up the clients). You can insist upon things like "All users must type their usernames in lowercase" and "Mail must remain on the server." You can also insist that they use APOP or pop3ssl instead of default POP3.

If you're providing services for hundreds or thousands of people, you need a configuration that allows more user mistakes and handles a wider variety of email clients. You won't keep your users long if you insist that they use one of your approved email readers instead of the mail program that they've used for years!

Local Mail Readers

Some users read email locally on the server, using a UNIX-based email client, such as mutt(1) or pine(1). These clients change the users' mail file directly on the server. If qpopper can safely assume that the mail spool will not change out from underneath it, it can make several optimizations that will greatly improve performance. This isn't a big deal for systems administrators; many sysadmins don't use POP3, relying instead on ssh and a local mail reader. Some power users might want to use both, however. If you don't allow the combination of local mail readers and POP3, you can optimize qpopper.

Default Qpopper Configuration

A raw install of qpopper will give you basic POP3 functionality, as demonstrated earlier. Users will be able to connect and download their mail. You can do various things to improve performance, however, and you can enhance your setup rather easily.

Earlier versions of qpopper were configured entirely by options on the command line in /etc/inetd.conf. This worked well when qpopper was a simple program that only supported default POP3. As APOP and pop3ssl became more common, however, command-line configuration became less and less practical. Once the command-line arguments start to wrap around the screen two or three times, you really need to convert your program to use a configuration file. While a vanilla POP3 qpopper install doesn't need a config file, we're going to use one.