Apache web server
By. Eng. Ahmed M. ElSayed
Apache Web Server Index
1-Introduction
2-Client, Server, and URLs
3-Requests, methods, and responses
4-Apache core, modules, and process model
5-Install apache, configuration, and logs
6-Apache main server configurations
7-Directory directive, options, security.
8-Apache authentication
9-Apache modules, mod_rewrite as an example
10-Virtual Hosts
11-Encrypting Apache traffic using HTTPS
12-php with Apache
Apache Web Server 1-Introduction
A web server is a TCP/IP service that receives a request from the client, processes it, and delivers the
requested resource (HTML, JavaScript, image, stylesheet).
Pages of this kind are called static web pages. Why?
The client is web browser software or a web crawler.
The transfer uses the Hypertext Transfer Protocol (HTTP).
HTTP is a plain-text protocol that uses port tcp/80; HTTPS uses tcp/443 for SSL connections.
HTTP is a stateless protocol: it does not maintain information about the connection.
The server maps local file-system directories to a server address.
Apache is not HA-aware: it has no built-in protocol for replication.
Apache Web Server 2-Client, Server, URLS
The client sends a request for a resource to the web server socket using the server URL.
The web server receives the request and extracts the Request URI.
The web server locates the resource named by the URI and reads it from the local file system.
It sends the response back to the client together with a response code.
A URL is a string of characters that identifies a resource.
Example 1: http://192.168.1.2/b.php?fname=ahmed&fage=45
Protocol : http
HTTP Host: 192.168.1.2:80 (the port is omitted because it is the default port)
URL-Path : b.php
Query String: ?fname=ahmed&fage=45
/var/www/html is called the DocumentRoot
b.php is relative to the DocumentRoot
URL-Path plus Query String is called the Request URI
Example 2: http://192.168.1.3:8080/data/b.php?fname=ahmed&fage=45
Protocol : http
HTTP Host: 192.168.1.3:8080
URL-Path : data/b.php
Query String: ?fname=ahmed&fage=45
b.php is in the directory data under the DocumentRoot
URL-Path plus Query String is called the Request URI
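The decomposition above, as an added Python example that is not part of the original slides: it splits each example URL into protocol, Host, URL path, query string and Request URI, and maps the path onto the document root. The function name decompose and the refusal of paths that resolve outside the document root are assumptions of this sketch, not Apache's own code.

```python
import posixpath
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}

def decompose(url, document_root="/var/www/html"):
    """Split a URL as the slides do and map its path onto the document root."""
    parts = urlsplit(url)
    default = DEFAULT_PORTS[parts.scheme]
    port = parts.port or default
    # The port is left out of the Host value when it is the protocol default.
    host = parts.hostname if port == default else f"{parts.hostname}:{port}"
    request_uri = parts.path + (f"?{parts.query}" if parts.query else "")
    # Decode %xx escapes, then collapse "." and ".." before touching the disk.
    relative = unquote(parts.path).lstrip("/")
    fs_path = posixpath.normpath(posixpath.join(document_root, relative))
    if fs_path != document_root and not fs_path.startswith(document_root + "/"):
        raise ValueError(f"{parts.path!r} resolves outside the document root")
    return {
        "protocol": parts.scheme,
        "host": host,
        "url_path": relative,
        "query_string": parts.query,
        "request_uri": request_uri,
        "file": fs_path,
    }

if __name__ == "__main__":
    # The two example URLs from the slides.
    for u in ("http://192.168.1.2/b.php?fname=ahmed&fage=45",
              "http://192.168.1.3:8080/data/b.php?fname=ahmed&fage=45"):
        print(decompose(u))
```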
Apache Web Server 3-Requests, methods,
and responses
Request:
The client sends a request to access a resource hosted on the web server.
This request is called the HTTP request.
The HTTP request is part of the network packet and resides in the packet data payload.
It contains several pieces of information, such as:
Request URI.
Host name (web site name).
Types of data accepted by the browser.
User's browser type.
POST data, if the POST method is used.
Figure: HTTP request packet format captured by Wireshark
Response:
The server sends the requested resource back to the client.
This response is called the HTTP response.
The HTTP response is part of the network packet and resides in the packet data payload.
It contains several pieces of information, such as:
Response version.
Status code.
Date.
Server, server type, and version.
Information about the content, such as type, length, and encoding.
The data returned by the server.
Figure: HTTP response packet format captured by Wireshark
Methods:
Define how the data transfer takes place between the client and the server.
Specify what you want to do with the connection.
GET, POST, PUT, HEAD, DELETE, PATCH, OPTIONS, TRACE.
The method is specified by the client in the HTTP request.
The most popular are GET and POST.
GET Method:
Requests (retrieves) data from a resource (does not modify it)
Data pairs are sent in the URL (query string)
Can be cached
Remains in the browser history
Can be bookmarked
Should never be used when exchanging sensitive data (why?)
Has length restrictions
Preferred for improving web page indexing in SEO.
Figure: GET method in an HTTP request
POST Method:
Submits data to be processed.
Data pairs are sent in the HTTP request message body.
Cannot be cached
Does not remain in the browser history
Cannot be bookmarked
Has no length restrictions
Has no impact on SEO.
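Why GET should not carry sensitive data, as an added Python example that is not from the original slides: the query string is part of the Request URI, and the default access log records the request line, which includes the query string but not a POST body. The log lines are constructed samples in the combined log format, and the SENSITIVE name list is an assumption to adapt.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names worth flagging; extend for your own applications.
SENSITIVE = {"password", "passwd", "pwd", "token", "secret", "api_key", "ssn"}

# Combined format: host ident user [time] "method uri proto" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
172.16.0.10 - - [10/Mar/2024:10:01:02 +0000] "GET /b.php?fname=ahmed&fage=45 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.0.11 - - [10/Mar/2024:10:01:09 +0000] "GET /login.php?user=ahmed&password=S3cret HTTP/1.1" 200 310 "-" "Mozilla/5.0"
172.16.0.11 - - [10/Mar/2024:10:02:15 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
172.16.0.12 - - [10/Mar/2024:10:03:40 +0000] "GET /reset?Token=abc123 HTTP/1.1" 404 196 "-" "curl/8.0"
"""

def find_leaks(log_text):
    """Return (client, method, path, [param names]) for each request that
    put a sensitive-looking field in the URL. Values are never returned,
    so the report does not repeat the leaked data."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, method, uri, _status = m.groups()
        parts = urlsplit(uri)
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                 if k.lower() in SENSITIVE]
        if names:
            findings.append((client, method, parts.path, names))
    return findings

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
```

The POST to /login.php produces no finding because its form fields travel in the message body, which this log format does not record.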
Figure: POST method in an HTTP request
Responses:
The web server returns the status of the request.
If there is no error, the requested object is returned in the HTTP response message body.
Each response has a code that indicates the response status:
1xx: Informational
2xx: Success
3xx: Redirection
4xx: Client error
5xx: Server error
Examples:
200: OK
401: Unauthorized
403: Forbidden
404: Not found
500: Internal Server Error
Figure: HTTP response from Wireshark with OK status
Figure: HTTP response from Wireshark with 404 status
Apache Web Server 4-Apache core, modules,
and process model
Apache is a free and open source package on Linux/Unix platforms.
A free version is also available for Windows.
Apache is maintained by a community called the Apache Software Foundation (ASF).
It is composed of the Apache core, compiled static modules, and dynamic modules.
Listens on port 80 and uses plain text by default.
Simple text configuration file(s).
The configuration is divided into smaller files that are loaded by the Include directive.
For Ubuntu, the main configuration file is /etc/apache2/apache2.conf
For Red Hat, the main configuration file is /etc/httpd/conf/httpd.conf
Apache is modular by design.
Modularity allows the administrator to choose which features to enable.
It also allows the administrator to disable modules whose features are not needed.
Core : Part of the innermost portions of the Apache web server.
MPM : Provided by Multi-Processing Modules.
Modules are either:
Base : Loaded at compile time (static modules)
Extension : Loaded at run time (dynamic modules)
Process model.
Multi-Processing Modules help Apache handle incoming connections.
They affect the performance of the web server.
They affect the security of requests.
At least one module must be specified.
The master process starts and listens on the default port tcp/80 (why must it start as root?),
as configured in the file "/etc/apache2/ports.conf".
All other processes start under a non-privileged account, as configured in /etc/apache2/apache2.conf.
Prefork module.
Worker module.
Event module.
Prefork MPM:
Non-threaded, pre-forking web server.
Each process answers incoming requests.
The parent process manages the size of the pool.
Needed for sites that depend on non-thread-safe libraries.
Best for isolating requests.
Worker MPM:
Hybrid implementation combining pre-forked processes and multiple threads.
The master process listens for incoming connections on the socket and passes
each connection to the first available thread.
Serves a large number of requests with fewer system resources.
The master process forks multiple processes, and each process launches multiple threads.
Event MPM:
The same as the Worker MPM, but designed to allow more requests to be served.
Leaves some processing to be done by the listener process.
Apache Web Server 5-Install apache,
configuration, and logs
Install
apt install apache2
systemctl enable apache2
systemctl restart apache2
Configurations:
Main: /etc/apache2/apache2.conf
Apache environment vars: /etc/apache2/envvars
All configured sites: /etc/apache2/sites-available
All enabled sites (Must be configured 1st) : /etc/apache2/sites-enabled
All modules available : /etc/apache2/mods-available/
All enabled modules : /etc/apache2/mods-enabled
Default log files:
Access log : /var/log/apache2/access.log
Error log : /var/log/apache2/error.log
Any change in configuration must be followed by restarting apache2 to take effect.
Apache Web Server 6-Apache main server
configurations
/etc/apache2/apache2.conf
ServerRoot : Defines the directory that contains all configuration files for Apache
PidFile : File that contains the PID of the master Apache process
User, Group : The user and group that the Apache pre-fork processes run as.
KeepAlive : Allows persistent connections.
DirectoryIndex : The default document if no file name is specified.
AccessFileName : Name of the file holding additional configuration in each directory.
Include and IncludeOptional : During the parsing phase, merge in the named conf file
ErrorLog : Name of the error log file. If it is a relative path, it is resolved under ServerRoot
/etc/apache2/ports.conf
Listen : Configures the socket that Apache will use.
Apache Web Server 7-Directory directive,
options, security.
Used to apply a group of directives to:
A certain directory
Its subdirectories
Files
Options : Specifies which options to enable for that directory (+Indexes, …)
AllowOverride : Specifies which options can be overridden by the AccessFileName file:
None, All, or certain directives
Order allow,deny : Order of the security restrictions based on the client L3 address. The
traffic is tested against the 1st directive, and the rest is matched by the 2nd.
Allow from / Deny from : all, IP, subnet
Example:
<Directory /var/www/iti>
Options +Indexes
AllowOverride None
Order allow,deny
Allow from 172.16.0.0/16
</Directory>
The directory is /var/www/iti.
Enable only the option +Indexes.
Do not allow any options to be overridden from the AccessFileName file.
Allow the specified addresses, and then deny all others.
Allow from any host in subnet 172.16.0.0/16.
Deny from any other host.
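How the Order directive changes the outcome of the same Allow/Deny lists, as an added Python example that is not part of the original slides. It models the documented Order/Allow/Deny evaluation (provided by mod_access_compat in Apache 2.4, where Require ip is the current form); the function names are assumptions of this sketch.

```python
from ipaddress import ip_address, ip_network

def _matches(client, rules):
    """True if the client address falls in any rule ('all', an IP or a subnet)."""
    addr = ip_address(client)
    return any(r == "all" or addr in ip_network(r, strict=False) for r in rules)

def access(client, order, allow=(), deny=()):
    """Evaluate Order/Allow/Deny for one client address; True means allowed."""
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    if order == "allow,deny":
        # Allow is tested first, a matching Deny overrides it,
        # and a client that matches nothing is denied.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is tested first, a matching Allow overrides it,
        # and a client that matches nothing is allowed.
        return allowed or not denied
    raise ValueError("order must be 'allow,deny' or 'deny,allow'")

if __name__ == "__main__":
    # The <Directory /var/www/iti> rules from the slide.
    rules = {"allow": ["172.16.0.0/16"]}
    for client in ("172.16.5.9", "192.168.1.2"):
        for order in ("allow,deny", "deny,allow"):
            verdict = "allowed" if access(client, order, **rules) else "denied"
            print(f"{client:12} Order {order}: {verdict}")
```

With the slide's rules, 192.168.1.2 is denied under Order allow,deny but allowed under Order deny,allow, because the second ordering defaults to allow for clients that match no rule.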
.htaccess
Hypertext access.
Default name of Apache directory-level configuration files.
Changes do not require restarting the Apache service.
Slows down web server performance.
Used to delegate directory configuration to the webmaster.
Can be used to configure any directive.
If a directive from .htaccess conflicts with the main server configuration, the outcome is
determined by AllowOverride.
Apache Web Server 8-Apache
authentication.
How to secure part or all of a web site with a username/password.
Can be configured in .conf files or in .htaccess
Apache supports many back-end authentication databases (MySQL, LDAP, files)
Supports many types of authentication (basic, form, digest)
Can restrict valid users to a certain user, all users, or a group of users.
Example:
AuthType Basic
AuthName "Private area"
AuthUserFile /var/www/iti/.htpasswd
Require valid-user
To add a username for the 1st time
htpasswd -c /var/www/iti/.htpasswd ahmed
To add a username after that
htpasswd /var/www/iti/.htpasswd compiler
Apache Web Server 9-Apache modules,
mod_rewrite
Enabling or disabling an Apache module requires restarting the apache2 service.
To enable a module: a2enmod <module name>
To disable a module: a2dismod <module name>
The rewrite module is very powerful and provides a way to manipulate URLs.
RewriteEngine on : turns the engine on, so the rules take effect.
RewriteEngine off : turns the engine off, so the rules do not take effect.
Can be configured in the .conf files or in .htaccess.
RewriteRule is used to perform the URL rewrite operations.
RewriteCond is used to construct conditions that control the URL rewrite operations.
Uses RegEx.
RewriteRule
RewriteRule Pattern Substitution [Flags]
Pattern : what will be rewritten
Substitution : what will be used instead
Flags : options for the rewrite
RewriteRule /?data$ /get1.html
Rewrites the URL to get the file get1.html if the URL path ends with /data
RewriteRule /?data$ /get1.html [NC]
Rewrites the URL to get the file get1.html if the URL path ends with /data,
in any letter case
RewriteRule ^/?get/([a-zA-Z_]+)/([0-9]+)/?$ get1.php?fname=$1&fage=$2
Converts the directory-based URL to a query string
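A way to check what the three rules above match before deploying them, as an added Python example that is not part of the original slides. It models only the pattern, the $N back-references and the [NC] flag using Python's re module; the function name rewrite is an assumption, and the sample paths are constructed.

```python
import re

def rewrite(url_path, pattern, substitution, flags=""):
    """Apply one RewriteRule-style pattern/substitution pair to a URL path.

    Returns the rewritten path, or the path unchanged when the pattern
    does not match.
    """
    nocase = "NC" in flags.upper().strip("[]").split(",")
    # The pattern is searched anywhere in the path unless it is anchored
    # with ^ or $. The leading /? lets the same rule work in .htaccess,
    # where the leading slash is stripped before matching.
    m = re.search(pattern, url_path, re.IGNORECASE if nocase else 0)
    if m is None:
        return url_path

    def backref(g):
        n = int(g.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""

    # On a match the whole path is replaced by the substitution.
    return re.sub(r"\$(\d)", backref, substitution)

DATA_RULE = (r"/?data$", "/get1.html")
GET_RULE = (r"^/?get/([a-zA-Z_]+)/([0-9]+)/?$", "get1.php?fname=$1&fage=$2")

if __name__ == "__main__":
    for path in ("/data", "/DATA", "/userdata"):
        print(path, "->", rewrite(path, *DATA_RULE),
              "| with [NC] ->", rewrite(path, *DATA_RULE, flags="[NC]"))
    for path in ("/get/ahmed/45", "/get/ahmed1/45", "/get/ahmed/45x"):
        print(path, "->", rewrite(path, *GET_RULE))
```

Because /?data$ has no ^ anchor and its slash is optional, a path such as /userdata is rewritten as well; the third rule is anchored at both ends and rewrites only paths of the exact /get/name/number form.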
RewriteCond
RewriteCond TestString Condition [Flags]
TestString : what will be tested
Condition : what it will be compared with
Flags : options for the test
If the RewriteCond test returns true, it will execute all the following RewriteRules until
we reach another RewriteCond, the end of the RewriteCond/RewriteRule block, or a RewriteRule with [L]
All subsequent RewriteConds are ANDed
To combine them with OR, use the flag [OR]
RewriteCond %{QUERY_STRING} "noha"
RewriteRule .? http://%{HTTP_HOST}/noha.html? [R]
RewriteCond tests whether the QUERY_STRING contains the pattern noha.
If it returns true, the next RewriteRule is executed.
The RewriteRule replaces the whole URL with the new string and terminates the
URL path with ? to remove the QUERY_STRING.
Apache Web Server 10-Virtual Hosts
The term VirtualHost refers to running multiple web sites on the same web server.
The concept: multiple sites on the same socket (IP, port)
The web server differentiates between requests using the Host field in the HTTP request
To enable a site, use a2ensite <SiteName>
To disable a site, use a2dissite <SiteName>
Each site will have
A directory containing the site pages
Site configuration in /etc/apache2/sites-available
Its own log files (access and error)
Different RewriteRules, if used
Different .htaccess
Different DirectoryIndex
Server name
The minimum configuration is DocumentRoot and ServerName
Figure: HTTP request with Host from Wireshark
For site ahmed.com, create a file /etc/apache2/sites-available/ahmed.com.conf
<VirtualHost *:80>
ServerName ahmed.com
DocumentRoot /var/ahmed.com
</VirtualHost>
<Directory /var/ahmed.com>
Require all granted
</Directory>
For site Mohamed.com, create a file /etc/apache2/sites-available/Mohamed.com.conf
<VirtualHost *:80>
ServerName Mohamed.com
DocumentRoot /var/Mohamed.com
</VirtualHost>
<Directory /var/Mohamed.com>
Require all granted
</Directory>
mkdir /var/ahmed.com /var/Mohamed.com
echo "Ahmed site" > /var/ahmed.com/index.html
echo "Mohamed site" > /var/Mohamed.com/index.html
Enable both sites and restart apache2
a2ensite ahmed.com
a2ensite Mohamed.com
systemctl restart apache2
How to configure authentication for site Mohamed.com using .htaccess?
How to configure www.mohamed.com as another name for mohamed.com?
Apache Web Server 11-Encrypting Apache
traffic using HTTPS
HTTP is a plain-text protocol by nature.
Enable the ssl module to encrypt the packet payload, using the https protocol and port 443. How?
SSL connections are based on certificates.
We will use the default self-signed certificates.
How to use the rewrite module to convert any request from http to https?
Figure: HTTPS request from Wireshark
Apache Web Server 12-php with Apache
Client-side scripting.
Scripts run on the client PC.
Source code is transferred from the server to the client.
JavaScript.
Server-side scripting.
Runs on the server.
The web server uses an interpreter to execute the script.
Can interact with MySQL or any other database.
The script generates HTML/JS pages.
The web server sends the generated page back to the client.
Install php
sudo apt install php php-mysql
sudo systemctl restart apache2
Edit the file index.php in the DocumentRoot and add the following lines
<?php
phpinfo();
?>
Figure: Interaction between Apache and PHP
php.ini contains all PHP settings.
There may be more than one php.ini.
Check which php.ini is loaded from phpinfo().
Any change to the loaded php.ini requires restarting the apache2 service.
Check ErrorDisplay and the size of upload files.
Try php -i
PHP has an extension for MySQL connections.
PHP has a lot of extensions.
The phpMyAdmin project is an open source web application.
Control, configure, and administer MySQL databases from the web.
apt install phpmyadmin php-mbstring php-gettext
Enable PHP mbstring: sudo phpenmod mbstring
Restart apache2: sudo systemctl restart apache2
Visit your server and add /phpmyadmin
How to secure phpMyAdmin?
Composer:
Dependency manager for PHP
Pulls in all required libraries and dependencies, and manages them in one place.
PEAR was established long ago but has been abandoned by many PHP developers.
Works project by project, not system-wide.
Install
curl -s https://getcomposer.org/installer | php
Uses JSON files to install any needed package.
To install the Slim framework, create a file composer.json
{
    "require": {
        "slim/slim": "3.0.*"
    }
}
php composer.phar install