Homework #2 Results

Checked with Ubuntu 5.10
• Text after echo must be quoted if it contains ( ), etc.
• AWK does not recognise some options (--assign)
• For the mv command, the second argument can only be a directory
• You must specify “grep moveme dir/*”
• DOS line endings

cat 3.sh | perl -pe 's/\r\n/\n/' > temp
3.sh
Create a script that takes 2 arguments:

    3.sh <directory> <destination>

• Search the files in <directory> for the substring “moveme” in the file content
• Move those files that contain the string to the directory <destination>
• On the standard output, output two lines:
  – on the first line, the total number of lines that matched
  – on the second line, the total number of files moved
Most elegant solution to task 3:

#!/bin/bash
# grep -l lists the files in $1 that contain "moveme"; mv moves them to $2
mv `grep -l moveme $1/*` $2
# line 1: matching lines (counted in $2, so $2 should have held no matches before)
grep moveme $2/* | wc -l
# line 2: one name per matching file = number of files moved
grep -l moveme $2/* | wc -l
Small Homework #3a
Deadline: 4 May 2006

• Obtain an approved BalticGrid certificate, which will be needed for Big Homework #3b
• Submission deadline: 4 May 2006
  Later submissions will not be accepted, because only certified users will be added to the BalticGrid VO and the related systems needed for homework #3b
• Submission form: send your (public) BalticGrid certificate to [email protected], Subj: MD3a
• Information: http://grid.lumii.lv/section/show/12


Certification Procedure
Creating a Certification Request

BalticGridCA-user.cnf:

#
# OpenSSL configuration file for generating certificate requests for Baltic Grid CA.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
###RANDFILE     = $ENV::HOME/.rnd

[ req ]
default_bits        = 1024
default_keyfile     = userkey.pem
default_md          = sha1          # which md to use.
distinguished_name  = req_distinguished_name
string_mask         = nombstr

[ req_distinguished_name ]
0.domainComponent           = Domain Component (org)
0.domainComponent_default   = org
1.domainComponent           = Domain Component (BalticGrid)
1.domainComponent_default   = balticgrid
organizationalUnitName      = Domain of the Institution (domain.zz)
commonName                  = Common Name (John Smith)
commonName_max              = 64

Values entered at the request prompts (example):
    Domain of the Institution (domain.zz): lumii.lv
    Common Name (John Smith): Janis Berzins
Result: the encrypted RSA private key (userkey.pem) and the PEM certificate request (blobs omitted)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13 (0xd)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=BalticGrid, CN=Baltic Grid Certification Authority
Validity
Not Before: Mar 24 12:30:32 2005 GMT
Not After : Mar 24 12:30:32 2006 GMT
Subject: O=BalticGrid, OU=latnet.lv, CN=Guntis Barzdins
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Subject Key Identifier:
B3:0B:DD:96:09:86:37:1F:CF:5D:D5:78:5B:6D:AB:6F:D0:BC:5A:24
X509v3 Authority Key Identifier:
keyid:24:4E:75:31:6A:6C:DF:AA:4D:AD:C6:34:39:23:5F:18:DB:17:47:86
DirName:/O=BalticGrid/CN=Baltic Grid Certification Authority
serial:00
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.19974.11.1.0.1
X509v3 Issuer Alternative Name:
URI:http://grid.eenet.ee/BalticGridCA/
Signature Algorithm: sha1WithRSAEncryption
Certificate
Essential Network Daemons
Guntis Barzdins
Girts Folkmanis, Arnis Sinka
Juris Krūmiņš
Networking Software
• Good free implementations for:
  – DNS: BIND v8/9, djbdns
  – SMTP: sendmail, qmail, postfix, exim
  – POP/IMAP: qpopper, uwimapd
  – HTTP: Apache, PHP, mySQL
“If it was hard to develop, it should be hard to install!”
Setting Up a Basic Name Server
• Later versions of BIND use the configuration file /etc/named.conf
• This file is divided into five sections: options, controls, three different zones and an include line, which refers to the rndc security file
• A zone is a part of the DNS domain tree for which the DNS server has authority to provide information
• Zone information is contained in files referred to in named.conf
DNS
• Using the DNS system
  – Before the Internet started to use the DNS system, there were hosts files.
  – A hosts file has one main disadvantage: search time increases exponentially.
  – This is the main reason why the Internet started to use the DNS system.
  – The DNS system also lets you use a distributed administrative model in order to delegate administrative rights to other people.
DNS
You can imagine the DNS system structure using the tree below (figure):
  "." (root)
    net
    ru   (.ru domain)
      msu
      wsu  (.wsu.ru domain)
        gw   (host gw.wsu.ru)
        gw1  (host gw1.wsu.ru)
    com
    edu
    au
DNS
• DNS zones (figure): under the root are com, edu, gov, …; the terraflora.com domain holds www, mfg, ntserver, servers, …; it is split into the terraflora.com zone and the mfg.terraflora.com zone
DNS
• DNS requests:
  – Required information for DNS requests
  – Making DNS requests
  – DNS request types:
    - Recursive requests
    - Iterative requests
DNS
Figure: resolving IP(crypt.iae.nsk.su) = ?
  1. The client ada.wsu.ru asks its local server ns.wsu.ru: IP(crypt.iae.nsk.su) = ?
  2. ns.wsu.ru asks the root servers, which refer it to the authoritative server for nsk.su, ns.nsk.su
  3. ns.wsu.ru asks ns.nsk.su, which refers it to the authoritative server for iae.nsk.su, iaebox.iae.nsk.su
  4. ns.wsu.ru asks iaebox.iae.nsk.su, which answers IP(crypt.iae.nsk.su) = 193.124.169.58
  5. ns.wsu.ru returns IP(crypt.iae.nsk.su) = 193.124.169.58 to ada.wsu.ru
  (the figure also labels one of the servers with the address 212.16.195.98)
DNS
• DNS system planning factors
• Number of servers and system platforms
• Server types:
  – Primary server
  – Secondary servers
  – Cache servers
  – Forward servers
  – Stealth servers
DNS
• DNS database resource records (RR)
• DNS database RR forms and types
• Standard RRs
• DNS database file structure
• IN-ADDR.ARPA zone for reverse address-to-name translation
DNS
• RR format (the figure lays the fields out on a 16-bit ruler, bit positions 0 to 15)
  – NAME
  – TYPE: contains the RR type code
  – CLASS: contains the RR class code
  – TTL: contains the Time to Live value
  – RDLENGTH: data length
  – RDATA: data
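Parsing this layout in code makes the fields concrete. The following is an added example (not from the lecture): a small Python parser for the RR wire format of RFC 1035, including the name compression pointers the slide's figure does not show; the sample record bytes are constructed here and are not a captured packet. It also performs the two checks a resolver must make on untrusted data: a bounds check on RDLENGTH and a direction check on compression pointers.

```python
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 33: "SRV"}
CLASS_NAMES = {1: "IN", 2: "CS", 3: "CH", 4: "HS"}


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero octet."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def read_name(msg, offset, depth=0):
    """Decode a NAME at offset; returns (dotted name, offset after the name)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            # pointers must go backwards; this also stops pointer loops
            if pointer >= offset or depth > 10:
                raise ValueError("bad compression pointer")
            suffix, _ = read_name(msg, pointer, depth + 1)
            if suffix != ".":
                labels.extend(suffix.rstrip(".").split("."))
            return ".".join(labels) + ".", offset + 2
        if length > 63:
            raise ValueError("label longer than 63 octets")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_rr(msg, offset):
    """Parse one resource record at offset; returns (record dict, next offset)."""
    name, offset = read_name(msg, offset)
    if offset + 10 > len(msg):
        raise ValueError("RR fixed fields truncated")
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    if offset + rdlength > len(msg):
        # a bogus RDLENGTH is the classic way to make a parser read out of bounds
        raise ValueError("RDLENGTH exceeds message")
    rdata_start, offset = offset, offset + rdlength
    rdata = msg[rdata_start:offset]
    rec = {"name": name, "type": TYPE_NAMES.get(rtype, rtype),
           "class": CLASS_NAMES.get(rclass, rclass), "ttl": ttl}
    if rtype == 1 and rdlength == 4:
        rec["rdata"] = ".".join(str(b) for b in rdata)
    elif rtype in (2, 5, 12):  # NS, CNAME, PTR carry a domain name
        rec["rdata"] = read_name(msg, rdata_start)[0]
    elif rtype == 15:  # MX: 16-bit preference followed by the exchange name
        rec["rdata"] = (struct.unpack("!H", rdata[:2])[0], read_name(msg, rdata_start + 2)[0])
    else:
        rec["rdata"] = rdata
    return rec, offset

def parse_records(msg):
    """Parse consecutive RRs until the message is exhausted."""
    records, offset = [], 0
    while offset < len(msg):
        rec, offset = parse_rr(msg, offset)
        records.append(rec)
    return records

def is_malformed(msg):
    """True if the record set is rejected by the length and pointer checks."""
    try:
        parse_records(msg)
        return False
    except ValueError:
        return True

# Constructed sample (not a captured packet): an A record for test.lv, then an MX
# record whose NAME and exchange name use compression pointers back to offset 0.
SAMPLE = (
    encode_name("test.lv")                                  # offset 0: NAME test.lv.
    + struct.pack("!HHIH", 1, 1, 3600, 4)                   # TYPE A, CLASS IN, TTL, RDLENGTH 4
    + bytes([10, 196, 5, 131])                              # RDATA 10.196.5.131
    + b"\xC0\x00"                                           # NAME: pointer to offset 0
    + struct.pack("!HHIH", 15, 1, 3600, 11)                 # TYPE MX, RDLENGTH 2 + 7 + 2
    + struct.pack("!H", 10) + b"\x06eproxy" + b"\xC0\x00"   # 10 eproxy.test.lv.
)
# Same A record, but RDLENGTH claims 400 octets that are not in the message.
BAD_RDLENGTH = encode_name("test.lv") + struct.pack("!HHIH", 1, 1, 3600, 400) + bytes([10, 196, 5, 131])
```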
DNS
• DNS RR types: A, NS, MX, MD, MF, CNAME, SOA, WKS, SRV, TXT, PTR, …
• DNS CLASS types:
  – IN
  – CS
  – CH
  – HS
DNS
• BIND server configuration statements
  – acl: defines an access control list in order to control access to server resources
  – controls: defines the control channel for the rndc control utility
  – include: can be used to merge many configuration files into one
  – key: key information used to check identity with TSIG
  – logging: controls the logging options of the DNS server
  – options: various DNS server options, used mainly for global server configuration
  – server: configuration options for a particular remote server
  – trusted-keys: used by the DNSSEC protocol to hold trusted keys
  – view: defines view options
  – zone: defines zone options
DNS
Split DNS example:

…
view "internal" {
    match-clients { 10.0.0.0/8; };
    recursion yes;
    zone "example.com" {
        type master;
        file "example-internal.db";
    };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example-external.db";
    };
};
…
DNS
DNS configuration file example:

logging {
    category lame-servers { null; };
};
options {
    directory "/var/named";
    allow-transfer { 195.13.160.52; 195.244.128.2; 10.196.5.130; };
    recursive-clients 2000;
    notify yes;
};
acl "internals" {
    127.0.0.1; 10.196.0.0/16; 10.1.72.0/24;
    10.129.24.0/24; 10.130.24.0/24;
};
view "internal" {
    match-clients { "internals"; };
    recursion yes;
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };
    zone "test.lv" {
        type master;
        file "test.lv.zone";
    };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "test.lv" {
        type master;
        file "test.lv.public.zone";
    };
};
DNS
DNS server database file:

$ORIGIN .
$TTL 3600       ; 1 hour
test.lv         IN SOA ns1.test.lv. jurisk.test.lv. (
                        2006040301 ; serial
                        28800      ; refresh (8 hours)
                        1800       ; retry (30 minutes)
                        1209600    ; expire (2 weeks)
                        28800      ; minimum (8 hours)
                        )
                NS    ns1.test.lv.
                A     10.196.5.131
                MX    10 eproxy.test.lv.
                MX    20 eproxy1.test.lv.
                MX    30 eproxy2.test.lv.
$ORIGIN test.lv.
router          A     10.196.5.1
eproxy          A     10.196.5.187
eproxy1         A     10.196.5.188
eproxy2         A     10.196.5.189
ns1             A     10.196.5.131
mail            CNAME ns1
nais            A     10.196.2.11
;
; test WWW on Lattelekom servers
;
www             A     81.198.40.10
admin           A     81.198.40.10
editor          A     81.198.40.10
www             A     81.198.40.11
tavro           A     81.198.40.10
tekno           A     81.198.40.11
$ORIGIN it.test.lv.
router          A     10.196.5.1
$ORIGIN test.lv.
proxy2          A     10.196.5.8
help            A     10.196.5.10
ssiahq01        A     10.196.5.31
nw1             A     10.196.5.58
DNS
Reverse DNS zone in-addr.arpa:

$ORIGIN .
$TTL 3600       ; 1 hour
5.196.10.in-addr.arpa IN SOA ns1.test.lv. root.ns1.test.lv. (
                        2006012401 ; serial
                        3600       ; refresh (1 hour)
                        300        ; retry (5 minutes)
                        3600000    ; expire (5 weeks 6 days 16 hours)
                        3600       ; minimum (1 hour)
                        )
                NS    ns1.test.lv.
$ORIGIN 5.196.10.in-addr.arpa.
1               PTR   router.it.test.lv.
7               PTR   instructor.it2.test.lv.
8               PTR   proxy2.test.lv.
10              PTR   help.test.lv.
31              PTR   ssiahq01.test.lv.
58              PTR   nw1.test.lv.
60              PTR   sandbox.test.lv.
77              PTR   rs6000f50.test.lv.
119             PTR   risc6000f30.test.lv.
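The forward test.lv zone and this reverse zone describe the same hosts, and the two drift apart easily (mail servers and log tools often reject or flag hosts whose PTR does not point back to a matching A record). The following is an added example (not from the lecture): Python that cross-checks the A records copied from the test.lv zone against the PTR records copied from 5.196.10.in-addr.arpa and reports addresses without a PTR, PTRs that name a host with no A record, and PTRs whose target does not point back.

```python
REVERSE_ZONE = "5.196.10.in-addr.arpa."

# (owner, address) pairs copied from the forward zone on the slides; names are
# written fully qualified and the apex "test.lv." A record is included too.
FORWARD_A = [
    ("test.lv.", "10.196.5.131"),
    ("router.test.lv.", "10.196.5.1"),
    ("eproxy.test.lv.", "10.196.5.187"),
    ("ns1.test.lv.", "10.196.5.131"),
    ("nais.test.lv.", "10.196.2.11"),       # lies outside 5.196.10.in-addr.arpa
    ("router.it.test.lv.", "10.196.5.1"),
    ("proxy2.test.lv.", "10.196.5.8"),
    ("help.test.lv.", "10.196.5.10"),
    ("ssiahq01.test.lv.", "10.196.5.31"),
    ("nw1.test.lv.", "10.196.5.58"),
]

# owner (relative to $ORIGIN 5.196.10.in-addr.arpa.) -> PTR target, from the slides
REVERSE_PTR = {
    "1": "router.it.test.lv.",
    "7": "instructor.it2.test.lv.",
    "8": "proxy2.test.lv.",
    "10": "help.test.lv.",
    "31": "ssiahq01.test.lv.",
    "58": "nw1.test.lv.",
    "60": "sandbox.test.lv.",
    "77": "rs6000f50.test.lv.",
    "119": "risc6000f30.test.lv.",
}


def reverse_name(ip):
    """10.196.5.1 -> 1.5.196.10.in-addr.arpa. (validates the dotted quad first)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ip_from_reverse_name(rname):
    """1.5.196.10.in-addr.arpa. -> 10.196.5.1"""
    return ".".join(reversed(rname[:-len(".in-addr.arpa.")].split(".")))


def check_consistency(forward_a, reverse_ptr, reverse_zone=REVERSE_ZONE):
    """Return the inconsistencies between an A record list and one PTR zone."""
    ptr_by_name = {label + "." + reverse_zone: target for label, target in reverse_ptr.items()}
    ips_by_name = {}
    for name, ip in forward_a:
        ips_by_name.setdefault(name, set()).add(ip)

    problems = {"missing_ptr": [], "ptr_mismatch": [], "ptr_without_a": [], "ptr_ip_mismatch": []}
    for name, ip in forward_a:
        rname = reverse_name(ip)
        if not rname.endswith("." + reverse_zone):
            continue                      # belongs to another reverse zone; not ours to check
        target = ptr_by_name.get(rname)
        if target is None:
            problems["missing_ptr"].append((name, ip))
        elif target != name:
            problems["ptr_mismatch"].append((name, ip, target))
    for rname, target in ptr_by_name.items():
        if target not in ips_by_name:
            problems["ptr_without_a"].append((rname, target))
        elif ip_from_reverse_name(rname) not in ips_by_name[target]:
            problems["ptr_ip_mismatch"].append((rname, target))
    return problems
```

With the slide data, router.test.lv and router.it.test.lv share 10.196.5.1 but only one PTR can exist for it, so the checker reports the apex and ns1 addresses as missing a PTR and four PTR targets as having no A record.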
Restart named
$ sudo /sbin/service named restart
Password:
Stopping named:
Starting named:
[ OK ]
$ sudo tail /var/log/messages
Jan 28 22:36:22 womnibook named[11333]: loading configuration from '/etc/named.conf'
Jan 28 22:36:22 womnibook named[11333]: no IPv6 interfaces found
Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface eth0, 192.168.1.74#53
Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface eth1, 192.168.2.5#53
Jan 28 22:36:22 womnibook named[11333]: command channel listening on 127.0.0.1#953
Jan 28 22:36:22 womnibook named[11333]: zone johannes.org/IN: loaded serial 142
Jan 28 22:36:22 womnibook named[11333]: running
Jan 28 22:36:22 womnibook named[11333]: zone johannes.org/IN: sending notifies (serial 142)
Jan 28 22:36:22 womnibook named: named startup succeeded
DNS
• Useful utilities:
  – dig
  – host
  – nslookup
  – rndc
  – named-checkzone
  – named-checkconf
Using Command-line Utilities
Mailservers

            Maturity   Security   Features   Performance
qmail       medium     high       high       high
Sendmail    high       low        high       low
Postfix     medium     high       medium     high
exim        medium     low        high       medium
Courier     low        medium     high       medium

Source: Life with qmail, p. 5
Configuring a Basic Email Server
• Sendmail is the most widely used email server
  – The sendmail package contains the sendmail daemon
  – Sendmail is started using a script in /etc/rc.d/init.d
  – Sendmail is configured using the file /etc/sendmail.cf
  – Most email administrators prefer to use the m4 program to configure sendmail
Email basics
Figure: Workstation (MUA) --SMTP--> Mail Server (MTA, MDA, email database) --SMTP--> Mail Server (MTA, MDA, email database) --POP3/IMAP--> Workstation (MUA)
Simplified Mail Transactions
Figure: Mail User Agent -> Mail Transport Agent -> Mail Transport Agent -> Mail User Agent; each Mail Transport Agent hands local mail to a Mail Delivery Agent, which writes it to an mbox
• Message composed using an MUA
• MUA gives message to MTA for delivery
  – If local, the MTA gives it to the local MDA
  – If remote, transfer to another MTA
Watching sendmail Work
Structure of qmail
Figure: incoming SMTP mail enters through qmail-smtpd, other incoming mail through qmail-inject; both hand the message to qmail-queue. qmail-send takes messages from the queue and passes them to qmail-rspawn (which runs qmail-remote for remote delivery) or qmail-lspawn (which runs qmail-local for local delivery).
Installation of qmail and qmail-pop3d
tux:~# apt-get update
tux:~# apt-get install qmail
# start the POP3 service: tcpserver listens on port pop-3 and hands each
# connection to qmail-popup -> checkpassword -> qmail-pop3d (Maildir format)
sh -c "start-stop-daemon --start --quiet --user root \
    --exec /usr/bin/tcpserver -- \
    0 pop-3 /usr/sbin/qmail-popup `hostname`.`dnsdomainname` \
    /usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir" &
Configuration of qmail
• Configuration stored in /var/qmail/control/
• Configure:
  – Relaying
  – Multiple host names
  – Virtual domains
  – Aliases
  – qmail-users
  – Blackhole lists
  – Mailbox format
The qmail security guarantee
In March 1997, I offered $500 to the first person to publish a
verifiable security hole in the latest version of qmail: for example, a
way for a user to exploit qmail to take over another account.
My offer still stands. Nobody has found any security holes in qmail.
D.J.Bernstein
Principles, sendmail vs qmail
• Do as little as possible in setuid programs
  – Of 20 recent sendmail security holes, 11 worked only because the entire sendmail system is setuid
  – Only qmail-queue is setuid
    - Its only function is to add a new message to the queue
• Do as little as possible as root
  – The entire sendmail system runs as root
    - Operating system protection has no effect
  – Only qmail-start and qmail-lspawn run as root.
Principles, sendmail vs qmail
• Programs and files are not addresses
  – sendmail treats programs and files as addresses
    “sendmail goes through horrendous contortions trying to keep track of whether a local user was responsible for an address. This has proven to be an unmitigated disaster” (DJB)
  – qmail programs and files are not addresses
    “The local delivery agent, qmail-local, can run programs or write to files as directed by ~user/.qmail, but it's always running as that user. Security impact: .qmail, like .cshrc and .exrc and various other files, means that anyone who can write arbitrary files as a user can execute arbitrary programs as that user. That's it.” (DJB)
Keep it simple
• Parsing
  – Limited parsing of strings
  – Minimizes risk of security holes from configuration errors
• Libraries
  – Avoid standard C library, stdio
  – “Write bug-free code” (DJB)
Webmail system (SquirrelMail)
Figure: Workstation browser -> Web server running the webmail client (SquirrelMail) as the MUA -> Mail Server (MTA, email database)
Apache
• what is Apache?
• Apache’s functionality
• installing Apache
• directory structure
• configuration
• tools

Outline
• Apache
• Dynamic Content
  – CGI
  – PHP
• MySQL
If you request an HTML file
Figure: (1) the Browser sends the request to the Webserver, (2) the Webserver looks up the HTML file, (3) the file is read back, (4) the Webserver sends the HTML to the Browser
Web server
• ...is a software program that does the following:
  – Accepts requests for web pages from a browser.
  – Looks for the requested pages on the server hard drive.
  – Sends a copy of the requested web page to the browser.
  – A web server can only serve HTML and jpg/gif files
• In our case, we use a very popular web server called Apache.
Apache
• open-source
• very popular (more than 67% of the web sites)
• highly configurable and extensible with third-party modules
• runs on many operating systems (most of the Unix)
• is actively being developed

Apache functionality
• DBM databases for authentication
• customized responses to errors and problems
• unlimited flexible URL rewriting and aliasing
• Virtual Hosts
• Configurable Reliable Piped Logs
Apache modules (1)
• mod_access
  – Access control based on client hostname or IP address
• mod_alias
  – Mapping different parts of the host filesystem in the document tree, and URL redirection
• mod_auth
  – User authentication using text files
• mod_autoindex
  – Automatic directory listings
• mod_cgi
  – Invoking CGI scripts

Apache modules (2)
• mod_include
  – Server-parsed documents
• mod_mime
  – Determining document types using file extensions
• mod_proxy
  – Caching proxy abilities
• mod_rewrite
  – Powerful URI-to-filename mapping using regular expressions
• mod_usertrack
  – User tracking using Cookies
• mod_vhost_alias
  – Support for dynamically configured mass virtual hosting

Apache modules (3)
• mod_ssl
  – This module provides strong cryptography for the Apache 1.3 webserver via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols by the help of the Open Source SSL/TLS toolkit OpenSSL.
  – Requires Apache 1.3.x and OpenSSL 0.9.x
  – Private and Public keys
  – Thawte (www.thawte.com), Verisign (www.verisign.com)
Installing Apache
• Unix binary package
  – RPM
  – DEB
• Source
• Windows (MSI Installer)

Installing Apache
$ ./configure --prefix=/usr/local/apache
$ make
$ make install
$ /usr/local/apache/bin/apachectl start
Installing Apache
• ./configure --help
  – --show-layout
    - show GNU style directory layout
  – --with-layout=GNU
    - Use GNU style directory layout
  – --enable-suexec
    - Enable suEXEC support for CGI and SSI
  – --add-module=/path/to/mod_foo.c
    - compiles, installs and adds module as a Dynamic Shared Object
Testing Apache installation
arnis@perkons:~$ ps aux | grep apache
root       289  0.0  0.2  8400  2564 ?  Ss  Nov15  0:02 /usr/local/apache/bin/httpd
root       307  0.0  0.1  8764  1480 ?  Ss  Nov15  0:00 /usr/local/apache-ssl/bin/httpd -DSSL
apache-    315  0.0  0.1 14768  1580 ?  S   Nov15  0:27 /usr/local/apache-ssl/bin/httpd -DSSL
apache-  13822  0.0  0.2 15224  2644 ?  S   Nov15  0:26 /usr/local/apache-ssl/bin/httpd -DSSL
apache   11290  0.0  0.3 16856  3112 ?  S   Nov17  0:31 /usr/local/apache/bin/httpd
apache     498  0.2  0.8 12596  8484 ?  S   Nov18  8:54 /usr/local/apache/bin/httpd
....
Apache directory layout
• Debian
  – /etc/init.d/apache: Apache control script
  – /etc/apache: Apache configuration files
  – /var/www: Default Document Root
  – /usr/lib/cgi-bin: Default script directory

Apache directory layout (2)
  – /var/log/apache: log files (access.log, error.log)
  – /usr/sbin: htpasswd, htdigest, dbmmanage
  – /usr/lib/apache/1.3: Apache modules
  – /usr/bin: rotatelogs, ab (Apache Benchmark)
  – /usr/lib/apache/suexec

Apache directory layout (3)
• Slackware
  – /usr/local/apache
  – /usr/local/apache/conf
  – /usr/local/apache/htdocs
  – /usr/local/apache/cgi-bin
  – /var/log/apache
  – /usr/local/apache/bin
Apache access log
LogFormat "%v %h %l %u %t \"%r\" %>s %b" common
CustomLog /usr/local/apache/logs/access_log common
• %v – virtual host
• %h – remote host
• %u – user
• %t – time
• %r – HTTP request
• %>s – status code
• %b – size

www.atlants.lv 159.148.85.46 - - [21/Nov/2004:17:23:36 +0200] "GET /index.php?m=5 HTTP/1.1" 200 32257
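A line in this format splits cleanly into the fields above, and once split, the 404 responses per client can be counted to spot a host probing for files that are not there. The following is an added example (not from the lecture): Python that parses lines in the slide's LogFormat and reports clients with repeated 404s. The first sample line is the slide's own; the others are constructed, reusing the vhost www.jrt.lv, the client addresses and the probed paths that appear elsewhere on the slides.

```python
import re
from collections import Counter

# One regex for the slide's LogFormat: %v %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# First line is the slide's own example; the rest are constructed here. The
# probed paths are the ones the slide's error log shows as "File does not exist".
SAMPLE_LOG = """\
www.atlants.lv 159.148.85.46 - - [21/Nov/2004:17:23:36 +0200] "GET /index.php?m=5 HTTP/1.1" 200 32257
www.jrt.lv 81.198.176.114 - - [21/Nov/2004:13:08:26 +0200] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 287
www.jrt.lv 81.198.176.114 - - [21/Nov/2004:13:08:26 +0200] "GET /MSOffice/cltreq.asp HTTP/1.1" 404 288
www.jrt.lv 81.198.176.114 - - [21/Nov/2004:13:09:07 +0200] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 287
www.jrt.lv 81.198.176.114 - - [21/Nov/2004:13:09:07 +0200] "GET /MSOffice/cltreq.asp HTTP/1.1" 404 288
www.jrt.lv 66.249.66.173 - - [21/Nov/2004:13:02:50 +0200] "GET /robots.txt HTTP/1.0" 404 281
this line is not in the configured LogFormat and must be counted, not silently dropped
"""


def parse_line(line):
    """Return the fields of one access log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])   # %b logs "-" for no body
    parts = rec["request"].split(" ")        # %r is "METHOD PATH PROTOCOL"
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""   # a junk request line has no path
    return rec


def parse_log(text):
    """Parse every non-empty line; returns (records, count of unparseable lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1          # worth alerting on: log tampering or a LogFormat change
        else:
            records.append(rec)
    return records, bad


def not_found_scanners(records, threshold=3):
    """Clients with at least `threshold` 404s, mapped to the distinct paths they probed."""
    hits = Counter(r["host"] for r in records if r["status"] == 404)
    return {
        host: sorted({r["path"] for r in records if r["host"] == host and r["status"] == 404})
        for host, n in hits.items() if n >= threshold
    }
```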
Apache error log
ErrorLog /usr/local/apache/logs/error_log
LogLevel warn

[Sun Nov 21 09:13:42 2004] [error] PHP Fatal error: Call to undefined function PN_DBMsgError() in /home/msaule/public_html/referer.php on line 85
[Sun Nov 21 12:41:09 2004] [error] [client 81.198.145.117] File does not exist: /home/sms/public_html/favicon.ico
[Sun Nov 21 13:02:50 2004] [error] [client 66.249.66.173] File does not exist: /home/code/public_html/robots.txt
[Sun Nov 21 13:08:26 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/_vti_bin/owssvr.dll
[Sun Nov 21 13:08:26 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/MSOffice/cltreq.asp
[Sun Nov 21 13:09:07 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/_vti_bin/owssvr.dll
[Sun Nov 21 13:09:07 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/MSOffice/cltreq.asp
Apache configuration
• Edit httpd.conf
• Check the configuration with “apachectl configtest”
• Restart Apache
• Check changes
http://httpd.apache.org/docs/
Apache configuration
• Virtual host
<VirtualHost *>
    ServerName www.jrt.lv
    ServerAlias www.jrt.com
    CustomLog /usr/local/apache/logs/jrt_access_log common
    ErrorLog /usr/local/apache/logs/jrt_error_log
    DocumentRoot /home/jrt/public_html
</VirtualHost>

Apache configuration
• .htaccess
AuthType Basic
AuthUserFile /home/someuser/passwd
AuthName "Admin"
require valid-user
• htpasswd
htpasswd -c <password file> <username>
user1:Y90u499mUj6xE
user2:DOrWgcNwzaQUQ
Apache2
• Unix Threading
• New Build System
• Multiprotocol Support
• New Apache API
• IPv6 Support
• Filtering
• Multilanguage Error Responses
• Regular Expression Library Updated
Dynamic content
Figure: Browser <-> Webserver <-> Script Engine (PHP, Perl, ...); the Webserver holds the HTML & scripts, and steps 1 to 6 trace the request from the Browser through the Webserver to the Script Engine and the response back

Dynamic content
• Scripting engine
• CGI
• PHP
• Apache module vs. CGI
Dynamic content
• Apache only sends content to the user
• What if I need some resources/information from the server?
  – Send e-mail
  – Store some information in a file (guestbook)
  – Execute Unix applications
  – And much more...
• We need a programming language

Dynamic content
• A script engine is a software program that does the following:
  – Accepts scripts passed along from the web server that are of the non-HTML type.
  – Processes these scripts.
  – Returns the result of this processing to the web server.

Dynamic content
• Two ways to serve dynamic content
  – CGI
  – Apache module
• Many programming languages to use
  – PHP, Perl, Python, C, C++, shell scripts ...
Common gateway interface (CGI)
A standard for running external programs from a World-Wide Web
HTTP server. CGI specifies how to pass arguments to the
executing program as part of the HTTP request. It also defines a
set of environment variables. Commonly, the program will generate
some HTML which will be passed back to the browser but it can
also request URL redirection.
CGI example
• Shell script
#!/bin/bash
echo "Content-type: text/plain"
echo ""
echo "Hello world!"
echo "Today is:" `date`

CGI example (2)
• Perl script
#!/usr/bin/perl
print "Content-type: text/plain\n\n";
print "Hello world!\n";
print "Today is: " . localtime() . "\n";
Apache modules
• mod_perl
  mod_perl brings together the full power of the Perl programming language and the Apache HTTP server. You can use Perl to manage Apache, respond to requests for web pages and much more.
• mod_php
  PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML
• mod_python, OpenASP Module, ...

PHP
• What is PHP?
• Installing PHP
• Configuring PHP
PHP: Hypertext Preprocessor (PHP)
<html>
<head>
<title>Example</title>
</head>
<body>
<?php
echo "Hi, I'm a PHP script!";
?>
</body>
</html>

PHP
• Pros
  – easy to learn
  – ideal for small projects
  – widely used
  – no strong typing
• Cons
  – no strong typing
  – code maintenance
  – interpreted language
  – executes in the Web server process

Installing PHP
• Server-side scripting
• Command line scripting
• Client-side GUI applications
Installing PHP
• Gentoo
# emerge \<apache-2
# USE="-*" emerge php mod_php
# ebuild /var/db/pkg/dev-php/mod_php-<your PHP version>/mod_php-<your PHP version>.ebuild config
# nano /etc/conf.d/apache        (add "-D PHP4" to APACHE_OPTS)
# rc-update add apache default
# /etc/init.d/apache start

Installing PHP
• Source installation
Install PHP:
./configure --with-mysql --with-apxs=/www/bin/apxs
make
make install
cp php.ini-dist /usr/local/lib/php.ini
• Edit your httpd.conf to load the PHP module:
LoadModule php4_module libexec/libphp4.so
AddModule mod_php4.c
AddType application/x-httpd-php .php .phtml
• Restart Apache
PHP Configuration
• php.ini is read once at web server startup
; any text on a line after an unquoted semicolon (;) is ignored
[php] ; section markers (text within square brackets) are also ignored
; Boolean values can be set to either:
; true, on, yes
; or false, off, no, none
register_globals = off
track_errors = yes
; you can enclose strings in double-quotes

PHP Configuration
• php.ini directives
max_execution_time = 30 ; Maximum execution time of each script, in seconds
max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)
; - Show all errors except for notices and coding standards warnings
error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT
display_errors = Off
log_errors = On
error_log = filename

PHP Configuration
• Apache configuration file
<VirtualHost 10.10.10.10>
    DocumentRoot /home/someuser/public_html
    ServerName www.somesite.lv
    <Directory /home/someuser/public_html/>
        php_admin_value open_basedir /home/someuser/:/tmp/:/usr/share/pear/
        php_value auto_prepend_file /home/someuser/includes/default.inc
        php_value upload_max_filesize 10M
    </Directory>
</VirtualHost>

PHP Configuration
• .htaccess file
AddType application/x-httpd-php .php3
php_value include_path .:/home/someuser/includes:/home/someuser/public_html
php_flag register_globals Off
• PHP scripts
<?
ini_set("display_errors", "true");
ini_set("error_log","/home/someuser/log/php.log");
...
Apache module vs. CGI
• Apache module
  – Good performance
  – One user for all websites
    - Other users’ source files can be accessed
    - PHP safe_mode
• CGI
  – New process each time
  – suEXEC – each website under its own user
• fastCGI

Apache, PHP and MySQL
Figure: Browser <-> Webserver <-> PHP Engine <-> MySQL Database Server; the Webserver holds the HTML & PHP files, and steps 1 to 8 trace the request from the Browser through the Webserver and the PHP Engine to the MySQL Database Server and the response back
MySQL
• About MySQL
• Installing MySQL
• MySQL directory structure
• MySQL commands
• Some examples
• PHPMyAdmin

MySQL
• Open source
• Very fast
• Stable
• Easy to use
• Independent storage engines
  – Can be run with or without transaction control
• Security
  – SSL support
  – Resources configurable on a per-user basis

MySQL 4.x
• Subqueries
• New client-server protocol with prepared statements
• Unicode and UTF-8 support
• Query caching
• Much more...
Installing MySQL
• Binary distribution
shell> groupadd mysql
shell> useradd -g mysql mysql
shell> cd /usr/local
shell> gunzip < /path/to/mysql-VERSION-OS.tar.gz | tar xvf -
shell> ln -s full-path-to-mysql-VERSION-OS mysql
shell> cd mysql
shell> scripts/mysql_install_db --user=mysql
shell> chown -R root .
shell> chown -R mysql data
shell> chgrp -R mysql .
shell> bin/mysqld_safe --user=mysql &

Installing MySQL
• Source distribution
shell> groupadd mysql
shell> useradd -g mysql mysql
shell> gunzip < mysql-VERSION.tar.gz | tar -xvf -
shell> cd mysql-VERSION
shell> ./configure --prefix=/usr/local/mysql
shell> make
shell> make install
shell> cp support-files/my-medium.cnf /etc/my.cnf
shell> cd /usr/local/mysql
shell> bin/mysql_install_db --user=mysql
shell> chown -R root .
shell> chown -R mysql var
shell> chgrp -R mysql .
shell> bin/mysqld_safe --user=mysql &
Post-Installation Procedures
• Check the installation
  – shell> bin/mysqladmin version
• Create system tables
  – shell> bin/mysql_install_db --user=mysql
• Make the necessary databases and users
  – CREATE DATABASE
  – GRANT

MySQL directory structure
• ./
  – MySQL server control scripts
• bin/
  – MySQL server, MySQL client and command-line tools
• data/
  – Databases – directories
  – Tables – files (MYD, MYI, FRM)
• var/log
  – Log files

MySQL binaries
• mysql
  – MySQL client
• mysqladmin
  – MySQL administration tool
• mysqldump
  – Tool for creating database dumps

MySQL commands
• CREATE DATABASE <database name>
• DROP
• GRANT ALL PRIVILEGES ON database.* TO user@localhost IDENTIFIED BY ‘password’
  – Privilege type (ALL, ALTER, CREATE, DELETE, INSERT, SELECT, GRANT, ...)
  – Privilege level (global, database, table, column)
  – User and host (localhost, IP address, network, %)
• REVOKE
PHP and database example
MySQL and SQLite Examples
PHPMyAdmin
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web (http://www.phpmyadmin.net/)
• CREATE/DROP databases
• CREATE/DROP/ALTER tables
• Delete/add/edit/search information
• Execute SQL queries
• Manage privileges
• Export data
PHP and SQLite example
<?php
// create new database (OO interface)
$db = new SQLiteDatabase("db.sqlite");
// create table foo and insert sample data
$db->query("BEGIN;
    CREATE TABLE foo(id INTEGER PRIMARY KEY, name CHAR(255));
    INSERT INTO foo (name) VALUES('Ilia');
    INSERT INTO foo (name) VALUES('Ilia2');
    INSERT INTO foo (name) VALUES('Ilia3');
    COMMIT;");
// execute a query
$result = $db->query("SELECT * FROM foo");
// iterate through the retrieved rows
while ($result->valid()) {
    // fetch current row
    $row = $result->current();
    print_r($row);
    // proceed to next row
    $result->next();
}
// not generally needed as PHP will destroy the connection
unset($db);
?>
PHP and MySQL example
<?php
// Connecting, selecting database (legacy ext/mysql API, as used on the slide)
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    or die('Could not connect: ' . mysql_error());
echo 'Connected successfully';
mysql_select_db('my_database') or die('Could not select database');
// Performing SQL query
$query = 'SELECT * FROM my_table';
$result = mysql_query($query) or die('Query failed: ' . mysql_error());
// Printing results in HTML; each value is escaped so that database content
// cannot inject markup or script into the page
echo "<table>\n";
while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
    echo "\t<tr>\n";
    foreach ($line as $col_value) {
        echo "\t\t<td>" . htmlspecialchars($col_value) . "</td>\n";
    }
    echo "\t</tr>\n";
}
echo "</table>\n";
// Free resultset
mysql_free_result($result);
// Closing connection
mysql_close($link);
?>