Web Server

Administration
Husni
Husni.trunojoyo.ac.id

Based on Randy Connolly and Ricardo Hoar

Fundamentals of Web Development, Pearson Education, 2015
Objectives

1 Web Server Hosting

Options 2 Domain and Name
Server Administration

3 Linux and Apache

Configuration 4 Apache
Request/Response

5 Web Monitoring
and Analytics

2
Section 1 of 5
WEB SERVER HOSTING OPTIONS
3
Hosting
Development vs Production

Since you have been working with PHP, you have

already worked with some sort of web server.
However, most server tools that simplify matters
for development purposes (like XAMP) gloss over
the nitty-gritty details of an Apache server.
In a real-world scenario, you must be aware of
advanced configuration options, ideas, and tools
that ensure your server is deployed and
maintained according to established best
practices.
4
Types of Hosting
3 categories

The three broad categories of web hosting are:

• Shared Hosting
• Collocated Hosting
• Dedicated Hosting

5
Shared Hosting
Cost effective Hosting

Shared hosting is renting space for your site on a

server that will host many sites on the same
machine

6
Shared Hosting
Sharing is ok

Shared hosting is normally the least expensive, least

functional, and most common type of hosting
solution, especially for small websites.
This class of hosting is divided into two categories:
• simple shared hosting and
• virtualized shared hosting.

7
Simple Shared Hosting
The Cheapest

Simple shared hosting is a hosting environment in

which clients receive access to a folder on a web
server, but cannot increase their privileges to
configure any part of the operating system, web
server, or database.
The disadvantages of simple shared hosting are
many. Lack of control, poor performance, and
security threats make shared hosting a bad idea for
a serious website.

8
Virtualized Shared Hosting
Better, but still cost effective

Virtualized shared hosting is a variation on the shared

hosting scheme, where instead of being given a
username and a home directory on a shared server, you
are given a virtual server, with root access

9
Dedicated Hosting
Almost your machine

Dedicated hosting is when a server is rented to you

in its entirety inside the data center

10
Dedicated Hosting
Almost your machine

Data centers are normally located to take advantage

of nearby Internet Exchange Points and benefit from
redundant connections.
You are given a complete physical machine to
control, removing the possible inequity that can
arise when you share the CPU and RAM with other
users.
The disadvantage of dedicated hosting is the lack of
control over the hardware, and a restriction on
accessing the hardware.
11
Collocated Hosting
Touch the machine

Collocated hosting is almost like dedicated hosting,

except rather than rent a machine, you outright
build, own, and manage the machine yourself.
The advantage of collocated hosting goes beyond a
dedicated server with not only full control over the
OS, software version, firewalls, and policies but also
the physical machine.
The disadvantage of collocated systems is that you
must control everything yourself, with little to no
support from a third party and they are costly
12
In House Hosting
Do everything yourself

Many companies do use a low-cost, in-house hosting

environment for development, preproduction, and sandbox
environments.
In practice, though, many small companies’ in-house data
centers are just closets with an air conditioner, unsecured,
and without any redundancies.

13
Cloud Hosting
Ignore the man behind the curtain

Cloud hosting is the newest buzzword in shared hosting

services.
The advantages are
• scalability, where more computing and data storage are
needed and
• The redundancy of a distributed solution
Unfortunately, many providers are cashing in on the latest
buzzwords without the benefits.
At the end of the day a request for your website has to be
answered by a physical machine with access to RAM, file
system, and an OS. 14
Section 2 of 5
DOMAIN AND NAME SERVER
ADMINISTRATION
15
Domain Name System
Better than remembering IP addresses

16
Registering a Domain Name
Step one to your fortune

You only lease the right to use the name exclusively

for a period, and must renew periodically.
Registrars are companies that register domain
names, on your behalf (the registrant), under the
oversight of ICANN.
Some popular registrars include GoDaddy, TuCows,
and Network Solutions, where you can expect to pay
from $10.00 per year per domain name.

17
Registering a Domain Name
WHOIS

The registrars must collect and maintain your

information in a database of WHOIS records that
includes three levels of contact (registrant,
technical, and billing), who are often the same
person.
Anyone can try and find out who owns a domain by
running the WHOIS command and reading the
output.

18
Whois
A Visualization

19
Whois
Private Visualization

Many registrars provide private registration

services, which broker a deal with a private
company as an intermediary to register the domain
on your behalf.
The private registration company keeps your real
contact information on their own servers because
they must know who to contact if the need arises.
These private registrants will turn your information
over to authorities upon request

20
Whois
Private Visualization

21
Updating the Name Servers
Easy to use, a little tricky to update

The single most important thing you do with your

registrar is control the name servers associated with
the domain name.
Your web host will provide name servers which then
have to get registered with the registrar you used
when you leased the domain.
When you update your name server, the registrar,
on your behalf, updates your name server records
on the top-level domain (TLD) name servers

22
Checking Name Servers
Some little tricks

Updating records in DNS may require at least 48

hours to ensure that the changes have propagated
throughout the system.
After updating your name servers with the registrar,
it’s a good practice to “dig” on your TLD servers to
confirm that the changes have been made.
Dig is a command that lets you ask a particular
name server about records of a particular type for
any domain.

23
Checking Name Servers
Dig it

24
DNS Record Types
Host, Mail Server, Name Server, Alias, …

In practice, all of a domain’s records are stored in a single file

called the DNS zone file.
There are six primary types of records
• A/AAA,
• CName,
• MX,
• NS,
• SOA, and
• TXT/SPF
25
DNS Record Types
Zone file

26
DNS Record Types
A and AAAA Records

A records and AAAA records are identical except A records

use IPv4 addresses and AAAA records use IPv6.

Both of them simply associate a hostname with an IP

address.
These are the most common queries, performed whenever
a user requests a domain through a browser.

27
 DNS Record Types
CNAME Records

Canonical Name (CName) records is allow you to point

multiple subdomains to an existing A record.
This allows you to update all your domains at once by
changing the one A record. However, it doubles the number
of queries required to get resolution for your domain,
making A records the preferred technique.
It is sometimes called an alias.

The new alias An A Record exists for this

28
 DNS Record Types
CNAME Records

Canonical Name (CName) records is allow you to point

multiple subdomains to an existing A record.
This allows you to update all your domains at once by
changing the one A record. However, it doubles the number
of queries required to get resolution
It is sometimes called an alias.

The new alias An A Record exists for this

29
DNS Record Types
Mail Records

Mail Exchange (MX) records are the records that provide the
location of the Simple Mail Transfer Protocol (SMTP) servers
to receive email for this domain.
SMTP allows redundant mail servers for load distribution or
backup purposes. To support that feature, MX records not
only require an IP address but also a ranking.
When trying to deliver mail, the lowest numbered servers
are tried first, and only if they are down, will the higher ones
be used.

ranking 30
DNS Record Types
Authoritative Records

Name server (NS) records are the essential records that

tell everyone what name servers to use for this domain.
There can be (and should be) multiple name servers
listed for redundancy.

Start of Authority (SOA) record contains information

about how long this record is valid [called time to live
(TTL)], together with a serial number that gets
incremented with each update to help synchronize DNS
31
DNS Record Types
Start of Authority (SOA) record

32
DNS Record Types
Validation Records

TXT and Sender Policy Framework (SPF) records are

used to reduce email spam by providing another
mechanism to validate your mail servers for the
domain.
SPF records appear as both SPF and TXT records.
The value is a string, enclosed in double quotes (" ")
that starts with v=spf1 (the version) and uses space-
separated selectors with modifiers to define which
machines should be allowed to send email as this
domain.
33
DNS Record Types
Validation Records

34
 Reverse DNS
in-addr.apra

Reverse DNS is the reverse process, whereby you get a

domain name from an IP address
A pointer (PTR) record is created with the IP address
prepended in reverse order to the domain in-addr.arpa
66.147.244.79 becomes the PTR entry
funwebdev.com PTR 79.244.147.66.in-addr.apra
Now, when a mail server wants to determine if a received
email is spam or not, they recreate the in-addr.apra
hostname from the IP in the email and resolve it like any
other DNS request based on the domain it claims to be from.
35
Section 3 of 5
LINUX AND APACHE CONFIGURATION

36
Apache
The world’s most popular webserver

Web server software like Apache is responsible for

handling HTTP requests on your server.

37
Apache
Configuration

Apache can be configured through two key locations

• When Apache is started or restarted, it parses the root
configuration file, which is normally writable by only
root users (stored in /etc/httpd.conf, or somewhere
similar).
• Directory-level configuration files are permitted
which can change the behavior of the server without
having to restart Apache. The files are normally
named .htaccess (hypertext access), and they can
reside inside any of the public folders served by
Apache.
38
Daemons
Apache runs all the time

A daemon is software that runs forever in the background of

an operating system and normally provides one simple
service. Daemons on Linux include sshd, httpd, mysqld, as
well as many others.
To start, stop and restart the Apache daemon from the
command line in Linux, the root user can enter these
commands:
/etc/init.d/httpd start
/etc/init.d/httpd stop
/etc/init.d/httpd restart
39
 Managing Daemons
Make sure it starts on boot

You can check to see what is running on boot by typing:

chkconfig –list
The output will show the daemon name and a run level 0–6
httpd is apache

40
 Run Levels
Linux Runlevels

Linux defines multiple “levels” in which the operating system can run,
which correspond to different levels of service. Although the details
vary between distributions they are generally considered to be:
0. Halt (shut down)
1. Single-user mode
2. Multiuser mode, no networking
3. Multiuser mode with networking
4. Unused
5. Multiuser mode with networking and GUI (Windows)
6. Reboot
41
Run Levels
Linux Runlevels

In practice, we normally consider only two run levels,

• run level 3 (headless production machine)
• run level 5 (development machine with GUI)
Since many services are needed on all levels, you can easily
turn on the Apache daemon for levels 2, 3, 4, and 5 at boot by
typing the command:
chkconfig httpd on
Similarly, to turn off an FTP service one can type the command:
chkconfig ftpd off
42
Applying configuration changes
Restarting Apache

Every time you make a change to a configuration file, you

must restart the daemon in order for the changes to take
effect.
/etc/init.d/httpd restart
However, if there’s an error in your configuration file, the
server will stop, and then not restart!
Always check your configuration before restarting using:
/etc/init.d/httpd configtest
This command will literally output Syntax OK
43
Connection Management
And observation

The netstat -t command shows which daemons are running

and listening to network ports

In addition to being aware of which services are listening in

general, you can manage numerous configuration options
related to the number and type of connections for Apache.

44
Connection Management
Fine tuning your server

45
Connection Management
Fine tuning your server

These options permit a detailed tuning of your server for

various loads using configuration directives stored in the
Apache configuration files.
• Timeout defines how long, in seconds, the server waits for
receipts from the client (remember, delivery is guaranteed).
• KeepAlive is a Boolean value that tells Apache whether or
not to allow more than one request per connection.
• MaxKeepAliveRequests sets how many requests to allow
per persistent connection.
• KeepAliveTimeout tells the server how long to keep a
connection alive between requests.
46
Connection Management
Fine tuning your server

It’s a balancing act with no single solution.

• Open connections take resources that could go toward
serving new requests
• Allowing multiple requests from the same client to be
served by the same connection saves resources by not
having to spawn a new connection for each request
Additional directives like StartServers, MaxClients,
MaxRequestsPerChild, and ThreadsPerChild provide
additional control over the number of threads, processes,
and connections per thread.
47
Ports
Listen

In Apache terminology, the server is said to listen for requests

on specific ports.
Recall that the various TCP/IP protocols are assigned port
numbers. For instance,
• The FTP protocol is assigned port 21, while
• The HTTP protocol is assigned port 80
In Apache, the Listen directive tells the server which IP/Port
combinations to listen on.
Listen 80
If you want to have websites on different ports, you can use
multiple Listen directives. 48
Data Compression
Saving bandwidth

The HTTP headers allow client and server to know

whether compression can be used.
Deciding whether to compress data may at first
glance seem like an easy decision but some files like
.jpg files are already compressed, and re-
compressing them will use up CPU time needlessly.
The Apache directive below adds compression
(when agreed to with the client) to items of type
text/html
AddOutputFilterByType DEFLATE text/html
49
Encryption and SSL
Remember the cryptography from Chapter 16?

All encrypted traffic requires the use of an X.509 public key

certificate, which contains cryptographic keys as well as
information about the site (identity).
creating your own certificates is very straightforward, as
illustrated by the shell script below

50
Encryption and SSL
Certificate Signing

Self-signed certificates work; it’s just that the user

will have to approve an exception to the strict rules
configured by most browsers.

51
Encryption and SSL
Apache configuration details

Signed certificates generally require uploading the

certificate signing request generated in Listing 19.3 to
get a server.crt file returned by email.
However you sign, you will have two files that are used
by Apache
SSLCertificateFile /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
Remember, you must also Listen on port 443 in order to
get Apache to work correctly using secure connections.
52
File Ownership and Permissions
A review for many

Apache runs as its own user (sometimes called Apache,

WWW, or HTTP depending on configuration). In to serve
files, Apache needs permission to access them.
Typically, newly created PHP files are granted 644 octal
permissions so that the owner can read and write, while
the group and world can read. This means that no
matter what username Apache is running under, it can
read the file.

53
File Ownership and Permissions
Security risk

A security risk can arise on a shared server if you set a

file to world writable.
This means users on the system who can get access to
that file can write their own content to it,
circumventing any authentication you have in place.
Many shared hosts have been “hacked” by a user
simply overwriting the index.php file with a file of
their choosing.
This is why you should never set permissions to 777,
especially on a simple shared host.
54
Section 4 of 5
APACHE REQUEST AND RESPONSE
MANAGEMENT
55
Managing Multiple Domains
On One Webserver

A web server can easily be made to serve multiple

sites from the same machine.
Having multiple sites running on a single server can
be a great advantage to companies or individuals
hosting multiple small websites.
A VirtualHost is an Apache configuration directive
that associates a particular combination of server
name and port to a folder on the server.

56
Managing Multiple Domains
VirtualHost Directive

Each distinct VirtualHost must specify

• which IP and port to listen on
• what file system location to use as the root for that domain.
• NameVirtualHost allows you to use domain names instead of
IP addresses. This means many domains on 1 IP address!

57
Managing Multiple Domains
VirtualHost Visualization

58
Handling Directory Requests
The index files

In practice, users normally request a domain’s

homepage URL without specifying what file they
want.
There are times when clients are requesting a folder
path, rather than a file path. The domain root is a
special case of the folder question, where the folder
being requested is the root folder for that domain.
However a folder is requested, the server must be
able to determine what to serve in response

59
Handling Directory Requests
What to serve?

The server could choose

• a file to serve
• display the directory contents
• return an error code
You can control this by adding DirectoryIndex and
Options directives to the Apache configuration file.

60
Handling Directory Requests
What to serve?

61
Handling Directory Requests
How did it come to pass that we use index.php

The DirectoryIndex directive configures the server to

respond with a particular file

in this case index.php, and if it’s not present, index.html

The Options directives can be used to tell the server to
build a clickable index page from the content of the
folder in response to a folder request.
62
Responding to File Requests
Static and Dynamic

The most basic operation a web server performs is

responding to an HTTP request for a static file.
Having mapped the request to a particular file
location using the connection management options
above, the server sends the requested file, along
with the relevant HTTP headers to signify that this
request was successfully responded to.
dynamic file requests must be interpreted at
request time rather than sent back directly as
responses
63
Responding to File Requests
Which files get interpreted

A web server associates certain file extensions with

MIME types that need to be interpreted. When you
install Apache for PHP, this is done automatically,
but can be overridden through directives.
If you wanted files with PHP as well as HTML
extensions to be interpreted (so you could include
PHP code inside them), you would add the directive
below, which uses the PHP MIME types:
AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php .html
64
URL Redirection
We’ve come across this before…

In Apache, there are two major classes of redirection,

• public redirection and
• internal redirection (also called URL rewriting).

65
Public Redirection

In public redirection, you may have a URL that no

longer exists or has been moved.
If users have bookmarks to old URLs, they will get
404 error codes when requesting them
It is a better practice to inform users that their old
pages have moved, using a HTTP 302 header
In Apache such URL redirection is easily achieved,
using Apache directives

66
Public Redirection
Two requests required, and everybody knows

67
Public Redirection
There are Apache Directives

Using RedirectMatch foo.html is publically redirected

to bar.php
RedirectMatch /foo.html /FULLPATH/bar.php
Alternatively the RewriteEngine module can be
invoked to create an equivalent rule:
RewriteEngine on
RewriteRule ^/foo\.html$ /FULLPATH/bar.php [R]

68
Public Redirection
The RedirectRule Directive

RewriteRule directive consists of three parts:

• the pattern to match,
• the substitution, and
• Flags
Use can use regular expression syntax to capture back-
references for use in the substitution.

69
Internal Redirection
One fewer requests

70
Internal Redirection
One fewer requests

To enable such a case, simply modify the rewrite

rule’s flag from redirect (R) to pass-through (PT),
which indicates to pass-through internally and not
redirect.
RewriteEngine on
RewriteRule ^/foo\.html$ /FULLPATH/bar.php [PT]

71
Conditional ReWriting
Internal or Public

RewriteCondition combined with the RewriteRule

can be thought of as a conditional statement.
If more than one rewrite condition is specified, they
must all match for the rewrite to execute.
The RewriteCond consists of three parts,
• a test string
• and a conditional pattern.
• Sometimes flags, is also used.
72
Conditional ReWriting
Internal or Public

The example below allows us to redirect if the request

is coming from an IP that begins with 192.168.

73
 Conditional ReWriting
An advanced example

To prevent hot-linking of your image files consider a conditional

redirect that only allows images to be returned if the
HTTP_REFERER header is from our domain: NC – Case insensitive

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)? funwebdev\.com/.*$ [NC]
RewriteRule \.(jpg|gif|bmp|png)$ - [F]
F - Forbidden

To return a small static image for all invalid requests use the
following directives:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?funwebdev\.com/.*$ [NC]
RewriteRule \.(jpg|gif|bmp|png)$ http://funwebdev.com/stopIt.png
74
Managing Access with .htaccess
Should have done his a long time ago (maybe you did)

.htaccess files are the directory-level configuration files

used by Apache to store directives to apply to this
particular folder.
While most websites will track and manage users using a
database with PHP authentication scripts, a simpler
mechanism exists when you need to quickly password
protect a file or folder.

75
Managing Access with .htaccess
Add a file to the folder and point to a password file

To create a new password file, you would type the

following command:
htpasswd –c passwordFile ricardo
This will create a file named passwordFile and prompt you
for a password for the user ricardo (I chose password).
.htaccess, can now point to that password file

76
Server Caching
Another Cache

Server caching is distinct from:

• HTTP caching built into the HTTP protocol
• The caching technique using PHP described in
Chapter 13
Apache caching supplements provides another
caching mechanism (in the form of a module,
mod_cache) that allows you to save copies of HTTP
responses on the server so that the PHP script that
created them won’t have to run again.
77
Server Caching
Another Cache

There are two types of server cache,

• a memory cache
• a disk cache.
The memory cache is faster, but of course the server
RAM is limited. The disk cache is slower, but can
support more data.
Caching is based on URLs so that every cached page is
associated with a particular URL.

78
Server Caching
Directives – in brief

Some important directives related to the mod_cache module are:

• CacheEnable turns caching on. You include whether to use disk or
memory caching and the location. To cache all requests for a
subdomain archive.funwebdev.com, you would type the
directive.

CacheEnable disk archive.funwebdev.com

• CacheRoot defines the folder on your server to store all the
cached resources. You might save cached files in a high-speed,
solid-state mounted disk, for instance, as follows:

CacheRoot /fastdisk/cache/
• CacheDefaultExpire determines how long in seconds something
in cache is stored before the cached copy expires. 79
Section 5 of 5
WEB MONITORING AND ANALYTICS
80
Monitoring
Internal and External

Internal monitoring reads the outputted logs of all

the daemons to look for potential issues.
External monitoring is installed off of the server
and checks to see that connections to required
services are open.

81
Internal Monitoring
Apache Logging

Logging relates closely to Apache, since Apache directives

determine what information goes into the WWW logs.
You can define a log file using the directive CustomLog:
CustomLog /var/log/funwebdev/access_log nickname

82
Internal Monitoring
Log rotation

If no maintenance of your log files is ever done, then the logs

would keep accumulating and the file would grow in size until
eventually it would start to impact performance or even use up
all the space on the system.
logrotate is the daemon running on most systems by default to
handle this task.

83
External Monitoring
Test the network

Monitoring software like Nagios can check for uptime and

immediately notify the administrator if a service goes down.
Much like internal logs, external monitoring logs can be used to
generate uptime reports and other visual summaries of your
server.

84
Internal Analytics
Build on your logs

Analysis packages such as AWStats and Webalizer allow you

to easily set up periodic analysis of the log files to create bar
graphs; pie charts; and lists of top users, browsers, countries,
and more

85
Third-Party Analytics
Put in a little piece of JavaScript

Third-party systems like Google Analytics provide

much of the same data, but rather than collect it
from your logs, they embed a small piece of
JavaScript into each page of your site.
These statistics can be more robust than the free
tools, but require every visit to the site to execute
another script, slowing performance.

86
Third-Party Support Tools
Let us help

These tools provide information about

• Indexed terms and weights
• Indexing errors that were encountered
• Search ranking and traffic
• Frequency of being crawled
• Response time during the crawls
To sign up for these tools, go to
www.google.com/webmasters/tools/ and
http://www.bing.com/toolbox/webmaster.

87
Third-Party Support Tools
Screenshot of Google’s Webmaster Tools

88
What You’ve Learned

1 Web Server Hosting

Options 2 Domain and Name
Server Administration

3 Linux and Apache

Configuration 4 Apache
Request/Response

5 Web Monitoring
and Analytics

89