<?xml version="1.0" encoding="UTF-8"?> <chapter annotations="slide" version="5.1" xml:id="sdiApache" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xila="http://www.w3.org/2001/XInclude/local-attributes" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:svg="http://www.w3.org/2000/svg" xmlns:ns="http://docbook.org/ns/transclusion" xmlns:m="http://www.w3.org/1998/Math/MathML" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:db="http://docbook.org/ns/docbook"> <title>Apache web server</title> <section xml:id="sdiApachePrelim"> <title>Preliminaries</title> <figure xml:id="sdi_webserver_documentation"> <title>External documentation</title> <itemizedlist> <listitem> <para><link xlink:href="https://httpd.apache.org/docs/2.4">Apache HTTP Server Version 2.4 Documentation</link></para> </listitem> </itemizedlist> <tip> <para>Whenever searching for <productname>Apache</productname> related documentation <emphasis>always</emphasis> include <quote>2.4</quote> in your query: Configuration file syntax changed considerably with respect to <productname>Apache</productname> version 2.2.</para> </tip> </figure> <figure xml:id="sdi_webserver_uri2fs"> <title>URI to filesystem mapping</title> <mediaobject> <imageobject> <imagedata fileref="Ref/Webserver/assetMapping.multi.svg"/> </imageobject> </mediaobject> </figure> <figure xml:id="sdi_webserver_virtualHostPrinciple"> <title>Virtual hosting</title> <itemizedlist> <listitem> <para>One physical host system</para> </listitem> <listitem> <para>Serving multiple sites e.g.:</para> <itemizedlist> <listitem> <para><uri>https://www.foo.org</uri></para> </listitem> <listitem> <para><uri>https://www.second.org</uri></para> </listitem> </itemizedlist> </listitem> </itemizedlist> </figure> <figure xml:id="sdi_webserver_virtualHostImplementations"> <title>Implementing virtual hosting</title> <orderedlist> <listitem> <para>Port based virtual hosting</para> </listitem> <listitem> <para>IP based virtual 
hosting</para> </listitem> <listitem> <para>Name based virtual hosting</para> <para>Typically using <emphasis role="red">S</emphasis>erver <emphasis role="red">N</emphasis>ame <emphasis role="red">I</emphasis>ndication (<xref linkend="glo_SNI"/>)</para> </listitem> </orderedlist> </figure> <figure xml:id="sdi_webserver_IpBasedVhost"> <title>IP based virtual hosting</title> <mediaobject> <imageobject> <imagedata fileref="Ref/Webserver/ipBasedVirtual.multi.svg"/> </imageobject> </mediaobject> </figure> <figure xml:id="sdi_webserver_IpBasedVhostProCons"> <title>IP based, pros / cons</title> <itemizedlist> <listitem> <para>Host system: One IP per site to serve</para> </listitem> <listitem> <para>Pro: <xref linkend="glo_TLS"/> handshake without <xref linkend="glo_SNI"/>.</para> <para>Supports older clients.</para> </listitem> <listitem> <para>Downside:</para> <itemizedlist> <listitem> <para>IP address waste</para> </listitem> <listitem> <para>Host system <xref linkend="glo_NIC"/> configuration required</para> </listitem> </itemizedlist> </listitem> </itemizedlist> </figure> <figure xml:id="sdi_webserver_NameBasedVhost"> <title>Name based virtual hosting</title> <mediaobject> <imageobject> <imagedata fileref="Ref/Webserver/nameBasedVirtual.multi.svg"/> </imageobject> </mediaobject> </figure> <figure xml:id="sdi_webserver_NameBasedVhostProCons"> <title>Name based, pros / cons</title> <itemizedlist> <listitem> <para>Host system: Common IP address</para> </listitem> <listitem> <para>Pro:</para> <itemizedlist> <listitem> <para>No IP address waste</para> </listitem> <listitem> <para>No host system <xref linkend="glo_NIC"/> configuration required</para> </listitem> </itemizedlist> </listitem> <listitem> <para>Cons: Excludes older clients lacking <xref linkend="glo_SNI"/> support.</para> <para>(Internet Explorer on <productname>Windows XP</productname>, Android below V. 
2.3)</para> </listitem> <listitem> <para><xref linkend="glo_SNI"/> allows eavesdropping on the requested site's name.</para> </listitem> </itemizedlist> </figure> <figure xml:id="sdi_webserver_ldapAuth"> <title><xref linkend="glo_LDAP"/> backed authentication</title> <mediaobject> <imageobject> <imagedata fileref="Ref/Webserver/ldapAuth.multi.svg"/> </imageobject> </mediaobject> </figure> <figure xml:id="sdi_webserver_phpFpm"> <title><abbrev>PHP</abbrev> <abbrev>FPM</abbrev> server</title> <mediaobject> <imageobject> <imagedata fileref="Ref/Webserver/phpFpm.multi.svg"/> </imageobject> </mediaobject> </figure> </section> <section xml:id="sdiApacheExercise"> <title>Exercises</title> <para>The Apache web server <package>apache2</package> software package may already have been installed depending on other exercises, <abbrev>e.g.</abbrev> the <xref linkend="glo_LDAP"/> administration frontend:</para> <screen>aptitude install apache2</screen> <section xml:id="sdiApacheFirstSteps"> <title>First Steps</title> <orderedlist> <listitem> <para>Access your web server with a browser client and read the server's root page, which contains useful information regarding <productname>Apache</productname> integration into <orgname>Ubuntu</orgname>.</para> </listitem> <listitem> <para>Move the original <xref linkend="glo_HTML"/> start document to a backup location <filename>doc.html</filename>. What do you observe when accessing your server?</para> </listitem> <listitem> <para>Provide your own root <filename>index.html</filename> document and access your server's root again.</para> </listitem> <listitem> <para>Install the Apache documentation contained in the <orgname>Ubuntu</orgname> package <package>apache2-doc</package>. 
How do you find your server's URL access path to it (apart from asking <orgname>Google</orgname> or <orgname>Stackoverflow</orgname>)?</para> <tip> <para>The <command xlink:href="https://linux.die.net/man/1/dpkg">dpkg</command> command may be used to browse a given package's file content. One of the files belonging to <package>apache2-doc</package> will give you a clue.</para> </tip> </listitem> <listitem> <para>Upload your current HTML documentation to a directory <filename>/home/sdidoc</filename>. Then modify your web server's configuration so that this directory is accessible under the <xref linkend="glo_URL"/> <uri>http://sdi....mi.hdm-stuttgart.de/xy123</uri>, replacing <quote>xy123</quote> with your user name.</para> </listitem> </orderedlist> </section> <section xml:id="sdiApacheVirtualHosts"> <title>Virtual hosts</title> <para>Your Apache installation currently serves at least <uri>http://sdi....mi.hdm-stuttgart.de/xy123</uri> and <uri>http://sdi....mi.hdm-stuttgart.de/manual</uri>. Move these into virtual host definitions as follows:</para> <orderedlist> <listitem> <para>Define two <xref linkend="glo_DNS"/> aliases <quote>xy123</quote> and <quote>manual</quote> for your virtual machine. Configure your client machine to use your (private) nameserver.</para> <tip> <para>On a Linux system this typically requires root privileges to alter the <filename>/etc/resolv.conf</filename> file.</para> </tip> </listitem> <listitem> <para>Supply two <link xlink:href="https://httpd.apache.org/docs/2.4/vhosts">virtual host directives</link> enabling <uri>http://xy123.mi.hdm-stuttgart.de</uri> and <uri>http://manual.mi.hdm-stuttgart.de</uri> to serve your documents.</para> <tip> <para>Follow the <productname>Apache</productname> manual's description. With respect to access rights you'll need the usual <code>&lt;Directory "/..."&gt;</code> section. 
Read about the roles of <filename>/etc/apache2/conf-available</filename> and <filename>/etc/apache2/conf-enabled</filename> and the corresponding commands <command>a2enconf</command> and <command>a2disconf</command>.</para> </tip> </listitem> </orderedlist> </section> <section xml:id="sdiApacheSsl"> <title>SSL / <xref linkend="glo_TLS"/> Support</title> <para><xref linkend="glo_SSL"/> may be enabled by adding self-signed certificates. However, a better approach involves:</para> <orderedlist> <listitem> <para>Create a certificate authority (CA) prior to generating any <xref linkend="glo_SSL"/> certificates.</para> </listitem> <listitem> <para>Import this CA's certificate into every client accessing your <xref linkend="glo_SSL"/> host.</para> </listitem> <listitem> <para>Create an <xref linkend="glo_SSL"/> certificate for each desired service.</para> </listitem> </orderedlist> <para>It suffices to get the <productname>Firefox</productname> browser working this way. <productname>Google Chrome</productname> is known to impose additional security restrictions.</para> <para>The following docs may help you:</para> <tip> <itemizedlist> <listitem> <para>Using <xref linkend="glo_SSL"/> with Apache requires the activation of the corresponding module. 
The <xref linkend="glo_Ubuntu"/> version of Apache comes with two commands <command>a2enmod</command> and <command>a2dismod</command> for enabling and disabling modules by managing symbolic links from <filename>/etc/apache2/mods-enabled</filename> to <filename>/etc/apache2/mods-available</filename>.</para> </listitem> <listitem> <para><link xlink:href="https://httpd.apache.org/docs/2.4/ssl">Apache SSL/TLS Encryption</link></para> </listitem> <listitem> <para><link xlink:href="http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority">Creating Your Own SSL Certificate Authority (and Dumping Self Signed Certs)</link></para> </listitem> <listitem> <para>The previously linked recipe may fail for <productname>Google Chrome</productname>, which is pickier about certificates than <abbrev>e.g.</abbrev> the <productname>Firefox browser</productname>. See <link xlink:href="https://stackoverflow.com/questions/30977264/subject-alternative-name-not-present-in-certificate#answer-47779814">stackoverflow.com</link> on providing a <quote>Subject Alternative Name</quote> extension when creating your certificate signing request. The subsequent certificate creation may require a <code>keyUsage = nonRepudiation, digitalSignature, keyEncipherment</code> configuration as proposed by <link xlink:href="https://superuser.com/questions/1451895/err-ssl-key-usage-incompatible-solution#answer-1466427">superuser.com</link>.</para> </listitem> </itemizedlist> </tip> </section> <section xml:id="sdiApacheLdapAuth"> <title><xref linkend="glo_LDAP"/> authentication</title> <para>Limit access to the manual directory by providing <xref linkend="glo_LDAP"/> based authentication. 
Follow these steps:</para> <orderedlist> <listitem> <para>Create a test user account <quote>tuser</quote> on your local <xref linkend="glo_LDAP"/> server and provide an SMD5 hashed password of your choice using Apache Directory Studio.</para> </listitem> <listitem> <para>Test <xref linkend="glo_LDAP"/> bind access as this user using Apache Directory Studio.</para> </listitem> <listitem> <para>Configure <code>Require valid-user</code> in your Apache configuration as shown in <quote xlink:href="https://httpd.apache.org/docs/current/howto/auth.html#multprovider">Using multiple providers</quote> (but using just <xref linkend="glo_LDAP"/> authentication rather than enabling <quote>file</quote> as well).</para> <para>Note: <xref linkend="glo_LDAP"/> support in Apache requires the activation of a corresponding module.</para> </listitem> </orderedlist> <tip> <para>You may want to set <code>olcLogLevel: stats</code> (or similar) in <filename>/etc/ldap/slapd.d/cn\=config.ldif</filename> to watch related messages in <filename>/var/log/syslog</filename> and the Apache related logs in case of a misconfiguration.</para> </tip> </section> <section xml:id="sdiSectMysqlAdmin"> <title><xref linkend="glo_Soft_Mysql"/> database administration</title> <orderedlist> <listitem> <para>Install a <xref linkend="glo_Soft_Mysql"/> database server instance.</para> </listitem> <listitem> <para>Install <link xlink:href="https://sourceforge.net/projects/phpmyadmin">phpMyAdmin</link> (using the package manager) to administer your <xref linkend="glo_Soft_Mysql"/> server.</para> </listitem> </orderedlist> </section> <section xml:id="sdiLdapWebManagement"> <title>Providing web based user management for your LDAP server</title> <para>Using Apache Directory Studio is a good choice during installation and may serve development and debugging purposes as well. However, it is not an adequate tool for day-to-day user management tasks. 
We need a separate (web based) administration tool.</para> <para>Install <productname xlink:href="https://www.ldap-account-manager.org">LDAP Account Manager</productname> on top of an Apache web server. <productname>Ubuntu</productname> allows for <link xlink:href="https://www.ldap-account-manager.org/static/doc/manual/ch01.html">package based installation</link>.</para> </section> <section xml:id="sdiSectDocbookPublish"> <title>Publish your documentation</title> <para>One of your group's project servers is to provide your documentation. For this purpose you have to:</para> <orderedlist> <listitem> <para>Provide a web <acronym>URL</acronym>, <abbrev>e.g.</abbrev> <uri>http://sdiXa.mi.hdm-stuttgart.de/doc</uri>.</para> </listitem> <listitem> <para>Use the default location or map the above <acronym>URL</acronym> to some directory on your web server.</para> </listitem> <listitem> <para>Transfer the set of HTML files to your web server. Use <link xlink:href="http://www.thegeekstuff.com/2011/07/rsync-over-ssh-without-password">rsync via ssh</link> for this transfer.</para> <tip> <para>You need the <command xlink:href="http://linux.die.net/man/1/rsync">rsync</command> binary on the server side as well!</para> </tip> </listitem> </orderedlist> </section> </section> </chapter>
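An added example, not part of the chapter's material: one Apache 2.4 configuration tying the virtual host, SSL/TLS and LDAP authentication exercises together. Apart from /home/sdidoc and the host names taken from the exercises, the manual path, the certificate locations, the LDAP suffix and the module names in the comments are assumptions.

```apache
# Added example (not part of the course material): one Apache 2.4 file
# covering the xy123 and manual virtual hosts, TLS for the manual host and
# LDAP-backed authentication. Assumptions: /home/sdidoc from the exercise;
# /usr/share/doc/apache2-doc/manual as installed by the apache2-doc package;
# /etc/ssl/certs/manual.crt and /etc/ssl/private/manual.key signed by your
# own CA; an example LDAP suffix dc=example,dc=org with users below
# ou=people. Requires: a2enmod ssl authnz_ldap (pulls in mod_ldap).

<VirtualHost *:80>
    ServerName xy123.mi.hdm-stuttgart.de
    DocumentRoot /home/sdidoc
    <Directory "/home/sdidoc">
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/xy123-error.log
    CustomLog ${APACHE_LOG_DIR}/xy123-access.log combined
</VirtualHost>

# The manual host only redirects on port 80: HTTP Basic authentication
# would otherwise carry the LDAP password base64-encoded in clear text.
<VirtualHost *:80>
    ServerName manual.mi.hdm-stuttgart.de
    Redirect permanent / https://manual.mi.hdm-stuttgart.de/
</VirtualHost>

<VirtualHost *:443>
    ServerName manual.mi.hdm-stuttgart.de
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/manual.crt
    SSLCertificateKeyFile /etc/ssl/private/manual.key
    DocumentRoot /usr/share/doc/apache2-doc/manual
    <Directory "/usr/share/doc/apache2-doc/manual">
        AllowOverride None
        AuthType Basic
        AuthName "Apache manual (LDAP account required)"
        AuthBasicProvider ldap
        # The login name is looked up as uid below ou=people; Apache then
        # binds as the entry found, so tuser's password is checked by slapd.
        AuthLDAPURL "ldap://localhost/ou=people,dc=example,dc=org?uid?sub?(objectClass=inetOrgPerson)"
        Require valid-user
    </Directory>
    # Raise to debug while chasing bind failures, lower it again afterwards.
    LogLevel info authnz_ldap:debug
    ErrorLog ${APACHE_LOG_DIR}/manual-error.log
    CustomLog ${APACHE_LOG_DIR}/manual-access.log combined
</VirtualHost>
```

Enable the file with a2ensite (or place it under conf-available and use a2enconf, as the tip in the virtual hosts section describes) and run apache2ctl configtest before reloading the server.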