Apache 2.0 - Concepts and Design of Distributed and Parallel Systems
(Apache 2.0 - Conceitos e Projeto de Sistemas Distribuídos e Paralelos)
Technology Seminar (Seminário Tecnológico)
Adriano Machado (adrianoc@dcc.ufmg.br)
Tiago Macambira (tmacam@dcc.ufmg.br)

Overview
• Apache HTTPD Server Project
• Apache 2.0 – What to expect?
• Apache 2.0 Web Server Architecture
• Site Acceleration Using Standard Modules
• New Features (Authentication and Authorization)
• Apache 2.0 Administration
• Conclusion

Apache HTTPD Server Project
Collaborative software development effort
• Managed by a group of volunteers
• 80+ Foundation members, hundreds of developers
• All are invited to contribute
HTTP server
• Freely available binaries and source code
• Cross-platform implementation
• Became the #1 web server on the Internet in less than a year

Apache HTTPD Server Project: Web Servers (chart; only the slide title survived extraction)

Apache 2.0 – What to expect?
• Unix threading
  – On Unix systems with POSIX threads support, Apache can now run in a hybrid multi-process, multi-threaded mode. This improves scalability for many, but not all, configurations.
  – Better multi-processor utilization
  – Caveat: every module and library loaded into a threaded server must be thread-safe; that is the usual reason a configuration does not benefit
• New module API
  – The API for modules has changed significantly for 2.0. Many of the module-ordering and priority problems from 1.3 should be gone; 2.0 handles much of this automatically. New calls have been added that provide additional module capabilities without patching the core Apache server.
• New build system, better performance
  – Built on the new LIBC libraries
  – More efficient use of APIs through APR (Apache Portable Runtime)

Apache 2.0 – What to expect?
• Better thread handling and resource utilization
  – The number of worker threads is dynamic
  – Thread handling is customized for each operating system
• More standard modules
  – mod_dav, mod_deflate, mod_auth_ldap, mod_cache, etc.
• IPv6 support
• Customized error reporting (multi-language)
• Additional startup options
  – -e: redirect any startup error to a file
  – -n: rename the Apache console screen
  – (These are the options of the NetWare build used throughout this deck; on the Unix and Windows builds -e sets the LogLevel used during startup and -n names the Windows service.)

Apache 2.0 – What to expect?
• Better support for non-Unix platforms
  – Apache 2.0 is faster and more stable on non-Unix platforms such as BeOS, OS/2, and Windows. With the introduction of platform-specific multi-processing modules (MPMs) and the Apache Portable Runtime (APR), these platforms are now implemented in their native API, avoiding the often buggy and poorly performing POSIX-emulation layers.
• Multiprotocol support
  – Infrastructure in place to support serving multiple protocols
• Additional command line options
  – Settings: display worker thread information
  – Restart: quick restart after a configuration change
  – Shutdown: terminate a running instance of Apache 2
  – Others...

Apache 2.0 – What to expect?
• Simplified configuration
  – Many confusing directives have been simplified. The often confusing Port and BindAddress directives are gone; only the Listen directive is used for IP address binding, and the ServerName directive specifies the server name and port number only for redirection and virtual host recognition.
• Filtering
  – Apache modules may now be written as filters which act on the stream of content as it is delivered to or from the server. This allows, for example, the output of CGI scripts to be parsed for Server Side Include directives using the INCLUDES filter in mod_include. The module mod_ext_filter allows external programs to act as filters in much the same way that CGI programs can act as handlers.

Apache 2.0 – What to expect?
Module enhancements
• mod_ssl
  – New module in Apache 2.0. This module is an interface to the SSL/TLS encryption protocols provided by OpenSSL.
• mod_dav
  – New module in Apache 2.0. This module implements the HTTP Distributed Authoring and Versioning (DAV) specification for posting and maintaining web content. Because it lets clients create, overwrite and delete content, enable it only on locations that require authentication.
• mod_deflate
  – New module in Apache 2.0. This module allows supporting browsers to request that content be compressed before delivery, saving network bandwidth.

Apache 2.0 – What to expect?
Module enhancements
• mod_auth_ldap
  – New module in Apache 2.0.41. This module allows an LDAP database to be used to store credentials for HTTP Basic Authentication. A companion module, mod_ldap, provides connection pooling and results caching.
• mod_auth_digest
  – Includes additional support for session caching across processes using shared memory.
• mod_charset_lite
  – New module in Apache 2.0. This experimental module allows for character set translation or recoding.

Apache 2.0 – What to expect?
Module enhancements
• mod_file_cache
  – New module in Apache 2.0. This module includes the functionality of mod_mmap_static in Apache 1.3, plus further caching abilities.
• mod_headers
  – This module is much more flexible in Apache 2.0. It can now modify request headers used by mod_proxy, and it can conditionally set response headers.
• mod_proxy
  – The proxy module has been completely rewritten to take advantage of the new filter infrastructure and to implement a more reliable, HTTP/1.1 compliant proxy.

Apache 2.0 – What to expect?
Module enhancements
• mod_include
  – New directives allow the default start and end tags for SSI elements to be changed, and allow the error and time format to be configured in the main configuration file rather than in the SSI document. Results from regular expression parsing and grouping (now based on Perl's regular expression syntax) can be retrieved using mod_include's variables $0..$9.
• mod_auth_dbm
  – Now supports multiple types of DBM-like databases through the AuthDBMType directive.

Apache 2.0 Web Server Architecture
HTTPD server rebuilt from the ground up
• Portability and platform customization were high priorities
• The HTTPD server core contains no platform-specific code
• Thread and process handling is customized through Multi-Processing Modules (MPMs) for each platform
Backward compatibility
• Configuration remained basically the same
• Internal APIs are very similar
• 1.3.x and 2.0.x modules are not compatible: a 1.3 module must be ported to the 2.0 API and rebuilt before it can be loaded

Apache 2.0 Web Server Architecture
Apache Portable Runtime Library (APR)
• Offers a standard cross-platform set of APIs
• Each implementation of APR is customized for a specific platform
• Designed to be a general-purpose cross-platform library
Layer diagram: the Apache web server, Apache modules and other cross-platform applications sit on top of APR; APR sits on top of NetWare, Solaris, Linux, Windows and others.

Apache 2.0 Web Server Architecture: Apache 1.3 versus 2.0 (two diagram slides; the drawings did not survive extraction)

Improvements – Using Standard Modules
• mod_cache
  – Improve response time through caching
• mod_vhost_alias
  – Simplify virtual host creation and maintenance
• mod_proxy
  – Offload heavy-weight requests to backend servers
  – Load balancing
  – Centralized authentication and encryption
• rotatelogs
  – Offload logging tasks and log rotation

mod_cache
Implements an RFC 2616 compliant HTTP content cache (marked experimental in the 2.0 releases)
• Refer to: http://httpd.apache.org/docs-2.0/mod_cache.html and http://www.ietf.org/rfc/rfc2616.txt
Depends on one of two storage sub-modules
• mod_mem_cache: memory-based storage manager
  – Can be configured to cache file descriptors or actual content
  – Can cache locally generated content or backend content fetched by mod_proxy
• mod_disk_cache: disk-based storage manager
• Caveat: RFC 2616 compliance means the cache decides what to store from the response headers. A backend that serves per-user pages without Cache-Control: private (or no-store) can have one user's page cached and served to the next, so check the headers of anything dynamic before putting the cache in front of it.

mod_cache Example Configuration

    LoadModule cache_module modules/mod_cache.nlm
    <IfModule mod_cache.c>
        LoadModule mem_cache_module modules/mod_mem_cache.nlm
        <IfModule mod_mem_cache.c>
            CacheEnable mem /
            MCacheSize 4096
            MCacheMaxObjectCount 100
            MCacheMinObjectSize 1
            MCacheMaxObjectSize 2048
        </IfModule>
    </IfModule>

• Enable memory-based caching for all content under /
• Set the maximum cache size to 4096 (MCacheSize is given in KBytes)
• Set the maximum number of cached objects to 100
• Don't cache objects smaller than 1 byte or larger than 2048 bytes (MCacheMinObjectSize and MCacheMaxObjectSize are given in bytes)

mod_cache Performance: caching vs. no caching (chart not recoverable from the text)

Mass Virtual Hosting
• Gives the appearance of multiple web servers
• Eliminates the need for multiple <VirtualHost ...> blocks in HTTPD.CONF
• Creates dynamically configured virtual hosts
  – The virtual host is determined by the IP address or the Host: header
  – Allows a large number of virtual hosts with similar configurations
  – Adding a new virtual host is simply a matter of creating a new directory structure

Mass Virtual Hosting

    LoadModule vhost_alias_module modules/vhost.nlm
    <IfModule mod_vhost_alias.c>
        UseCanonicalName Off
        LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
        CustomLog logs/access_log vcommon
        VirtualDocumentRoot SYS:/www/hosts/%0/docs
        VirtualScriptAlias SYS:/www/hosts/%0/cgi-bin
    </IfModule>

• UseCanonicalName must be set to Off
  – Allows the virtual host name (%V in the log, %0 in the paths) to be derived from the Host: header
• Uses a single log file
  – Logs can be split on a per-virtual-host basis by the first LogFormat field (%V), for example with the split-logfile script in Apache's support directory
• DocumentRoot and ScriptAlias are replaced by the VirtualDocumentRoot and VirtualScriptAlias directives
• Caveat: %0 is whatever host name the client sent. Apache rejects malformed Host headers with a 400, but any well-formed name still becomes a path under SYS:/www/hosts and a log line keyed on an attacker-chosen string, so keep every site under that one tree and validate the first field before turning it into a file name when splitting logs.
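Splitting the single vcommon log per virtual host, as an added example that is not part of the deck and not Apache's own split-logfile script: the first field is a client-controlled Host name, so the splitter validates it as a DNS name before it can become part of a file name and parks everything else in a fixed fallback bucket. The log lines are constructed for the demonstration, and the output directory and fallback name are assumptions.

```python
"""Split a vcommon access log into one bucket (and optionally one file) per
virtual host, keyed on the first field (%V).

Added example for this deck, not Apache's own support/split-logfile script.
The log lines at the bottom are constructed for the demonstration.
"""
import os
import re
from collections import defaultdict

# A host name we are willing to turn into a file name: DNS labels of letters,
# digits and hyphens joined by dots. Anything else (path separators, "..",
# spaces, IPv6 literals) is refused. Names are compared lower-cased.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def vhost_from_line(line):
    """Return the %V field of a vcommon line, lower-cased, or None if it is
    not a clean host name. Host names are case-insensitive, so WWW.X and
    www.x must land in the same bucket."""
    host = line.split(" ", 1)[0].strip().lower()
    if _HOST_RE.match(host) is None:
        return None
    return host


def split_log(lines, fallback="unknown"):
    """Group log lines by virtual host. Lines whose %V is not a clean host
    name are kept (they are the interesting ones) under the fixed `fallback`
    bucket instead of being used as a file name."""
    buckets = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        host = vhost_from_line(line) or fallback
        buckets[host].append(line.rstrip("\n"))
    return dict(buckets)


def write_split(buckets, outdir):
    """Append each bucket to <outdir>/<host>.log and return the paths written.
    The names were validated by split_log; the containment check is kept as
    a second line of defence."""
    outdir = os.path.abspath(outdir)
    paths = []
    for host, lines in buckets.items():
        path = os.path.abspath(os.path.join(outdir, host + ".log"))
        if os.path.dirname(path) != outdir:
            raise ValueError("refusing to write outside %s: %r" % (outdir, host))
        with open(path, "a") as fh:
            fh.write("\n".join(lines) + "\n")
        paths.append(path)
    return paths


# Constructed sample in the deck's vcommon format: %V %h %l %u %t "%r" %s %b
SAMPLE_LOG = [
    'www.example.com 192.0.2.10 - - [10/Oct/2003:13:55:36 -0300] "GET /index.html HTTP/1.1" 200 2326',
    'shop.example.com 192.0.2.11 - - [10/Oct/2003:13:55:40 -0300] "GET /cart HTTP/1.1" 200 512',
    'WWW.EXAMPLE.COM 192.0.2.12 - - [10/Oct/2003:13:56:01 -0300] "GET /about.html HTTP/1.1" 200 1024',
    '../../etc 192.0.2.13 - - [10/Oct/2003:13:56:09 -0300] "GET / HTTP/1.1" 400 0',
    '[::1] 192.0.2.14 - - [10/Oct/2003:13:56:15 -0300] "GET / HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for host, lines in sorted(split_log(SAMPLE_LOG).items()):
        print("%-18s %d line(s)" % (host, len(lines)))
```

Run it on a real access_log by feeding the file object to split_log and passing the result to write_split; the two lines with a traversal attempt and an IPv6 literal end up in unknown.log rather than in a file named after the Host header.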

Load Balancing with mod_proxy
New features of mod_proxy
• Compliant with HTTP/1.1, including keep-alive
• Pluggable protocol handlers such as HTTP and FTP
• Uses Apache 2.0 filtering to process the data accurately as it flows through
Reverse proxy
• Mirror to one or more backend web servers
• Handle all authentication and SSL services on a single server
• Increase performance by passing more complex requests to the backend servers
• Caveat: the 2.0 mod_proxy has no balancer of its own; each ProxyPass prefix maps to exactly one backend, so spreading one application over several servers needs an external balancer (mod_proxy_balancer only arrived with Apache 2.2)

Reverse Proxy
• All client access must go through the reverse proxy server
• The proxy server can handle all authentication and SSL encryption for all backend servers
• Backend web servers don't have to be Apache servers
• Backend web servers do not require any specialized configuration
• Caveat: authentication done on the proxy only protects backends that clients cannot reach directly; the firewall in the diagram is what makes "all access goes through the proxy" true
Diagram: clients (browser) -> firewall -> Apache proxy server -> any web server

Reverse Proxy Example

    LoadModule proxy_module modules/proxy.nlm
    <IfModule mod_proxy.c>
        LoadModule proxy_http_module modules/proxyhtp.nlm
        ProxyRequests Off

        # Reverse proxy to the expense reporting web application server
        ProxyPass        /expense/ http://www.expense.com:53080/expense/
        ProxyPassReverse /expense/ http://www.expense.com:53080/expense/

        # Reverse proxy to my general web application server
        ProxyPass        /webapps/ http://www.webapps.com:53080/webapps/
        ProxyPassReverse /webapps/ http://www.webapps.com:53080/webapps/

        # Reverse proxy to other applications; redirects are passed through as-is
        ProxyPass        /directapps/ http://www.directapps.com/
    </IfModule>

• Disable forward proxying with "ProxyRequests Off": with it On, the server is an open proxy that anyone can use to reach hosts behind the firewall
• Map URL prefixes to the specific backend servers with "ProxyPass" (rules are checked in configuration order and the first matching prefix wins)
• Fix up redirection headers (Location, Content-Location, URI) coming back from the backend with "ProxyPassReverse"; the /directapps/ mapping has none, so a redirect from that backend sends the client straight to www.directapps.com
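What the three directives do to a URL, as an added illustration (not mod_proxy's code): ProxyPass is a first-match prefix rewrite of the request path, ProxyPassReverse is the inverse rewrite applied to the backend's Location header. The host names are the ones on the slide; the public name of the proxy, www.example.org, is an assumption.

```python
"""ProxyPass and ProxyPassReverse modelled as prefix rewrites, for the
reverse proxy example above.

Added illustration of what the two directives do; this is not mod_proxy's
code. Backend names come from the slide; PUBLIC_ORIGIN is assumed.
"""

# (public prefix, backend prefix), in configuration order
PROXY_PASS = [
    ("/expense/",    "http://www.expense.com:53080/expense/"),
    ("/webapps/",    "http://www.webapps.com:53080/webapps/"),
    ("/directapps/", "http://www.directapps.com/"),
]

# Only the first two mappings carry a ProxyPassReverse on the slide.
PROXY_PASS_REVERSE = [
    ("/expense/", "http://www.expense.com:53080/expense/"),
    ("/webapps/", "http://www.webapps.com:53080/webapps/"),
]

PUBLIC_ORIGIN = "http://www.example.org"   # assumed ServerName of the proxy


def map_request(path, rules=PROXY_PASS):
    """Return the backend URL a request for `path` is forwarded to, or None
    when no ProxyPass prefix matches (the request is then served locally).
    Rules are tried in configuration order and the first match wins, so a
    longer prefix must be listed before a shorter one that contains it.
    Note the trailing slash: "/expense" (no slash) matches nothing."""
    for public, backend in rules:
        if path.startswith(public):
            return backend + path[len(public):]
    return None


def fix_location(location, rules=PROXY_PASS_REVERSE, origin=PUBLIC_ORIGIN):
    """Rewrite a backend Location header the way ProxyPassReverse does: a URL
    that starts with a mapped backend prefix is turned back into the public
    prefix on the proxy. Anything else (other hosts, relative URLs) passes
    through unchanged, which is how a backend without ProxyPassReverse leaks
    its internal name to the client."""
    for public, backend in rules:
        if location.startswith(backend):
            return origin + public + location[len(backend):]
    return location


if __name__ == "__main__":
    for path in ("/expense/reports/2003", "/expense", "/directapps/app/"):
        print("%-24s -> %s" % (path, map_request(path)))
    for loc in ("http://www.expense.com:53080/expense/login",
                "http://www.directapps.com/login"):
        print("Location: %s -> %s" % (loc, fix_location(loc)))
```

The second Location example is the /directapps/ case from the slide: without a ProxyPassReverse the client is redirected to the backend's own name, which is fine only when that host is meant to be reachable directly.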

Standard Log Rotation
Missing in Apache 1.3
• Used two mutually exclusive directives:
  – LogRotateDaily: rotate the log on a daily basis
  – LogRotateInterval: rotate the log on a time basis
• Only rotates CustomLogs; the ErrorLog could not be rotated

Standard Log Rotation
Apache 2.0 uses rotatelogs
• Functions in the same manner as on other platforms
• Can be configured to rotate based on:
  – Time, e.g. rotate every 86400 seconds (24 hours):
        CustomLog "|bin/rotatelogs /var/logs/logfile 86400" common
  – File size, e.g. rotate when the file reaches 5 MB:
        CustomLog "|bin/rotatelogs /var/logs/logfile 5M" common
  – A trailing 'M' after the number distinguishes a size from a time
• Log files are simply rotated, not moved: rotatelogs opens a new file (the name suffixed with the rotation time) and leaves the old ones in place, so something else has to compress or delete them
• Because rotatelogs is a piped logger it works for ErrorLog as well, which the 1.3 directives could not rotate
• Caveat: a piped logger is started with the privileges of the parent httpd (root on Unix), so the rotatelogs binary and the log directory must not be writable by other users

Rotate Logs Performance: logs disabled vs. rotatelogs vs. default logging (chart not recoverable from the text)

Authentication and Authorization
Apache provides several different methods of authentication and authorization
• File-based authentication
  – mod_auth: authenticates users by looking up user names and passwords in a file created by the htpasswd utility
  – mod_auth_digest: similar to mod_auth except that it accepts only HTTP Digest credentials (a hash over user name, realm, password and a server nonce, so the password itself never crosses the wire); its file is created with htdigest
• Database authentication
  – mod_auth_dbm: authenticates users by looking up user names and passwords in a DBM database managed by the dbmmanage utility
• Third-party authentication modules
  – Refer to: http://modules.apache.org

Authentication - mod_auth_ldap
• Uses any LDAP-compliant directory for authentication
• mod_auth_ldap only accepts "AuthType Basic", so the browser sends the password in the clear on every request; protecting the location with SSL/TLS (mod_ssl) is recommended
• Allows complex authentication policies through the use of LDAP filters
• Caches LDAP operations (connections, search results and bind results) through the companion module mod_ldap
• Can be configured to use SSL connections to the LDAP server, so neither the user's password nor the server's bind credentials cross that leg in the clear
• Allows extended and double-byte characters in the user name

mod_auth_ldap Example

    LoadModule ldap_module modules/utilldap.nlm
    <IfModule util_ldap.c>
        LoadModule auth_ldap_module modules/authldap.nlm
        Alias /secure vol2:/webpages/secure
        <Directory vol2:/webpages/secure>
            AuthType Basic
            AuthName LDAP_Protected_Place
            AuthLDAPURL ldap://your.LDAPserver.com/o=ctx?cn
            require valid-user
        </Directory>
    </IfModule>

• The AuthLDAPURL has the form ldap://host[:port]/basedn?attribute?scope?filter; LDAP filters go in its last part
• The search attribute defaults to uid; this example searches on cn instead
• The module first searches under the base DN for the entry whose attribute equals the user name and then binds as that DN with the password the browser sent, so "require valid-user" admits anyone the directory can authenticate
• Other "Require" options
  – user: only allow the specified users
  – group: only allow members of a specific group
  – dn: only allow users matching the specified DNs
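How the parts of an AuthLDAPURL turn into the search filter that finds the user's DN, as an added illustration (not the module's own code): the URL layout and the (&(filter)(attribute=user)) combination follow the mod_auth_ldap documentation, and the hex-escaping of the user name is the standard LDAP filter rule from RFC 4515. It is shown beside the unescaped form so the effect of splicing a raw user name into a filter is visible. The directory names are the ones from the slide; the second URL in the test is constructed.

```python
"""From an AuthLDAPURL to the LDAP search filter used to find the user's DN,
with the user name escaped before it is spliced in.

Added illustration for this deck, not mod_auth_ldap's own code. The URL
layout ldap://host[:port]/basedn?attribute?scope?filter and the combined
filter (&(filter)(attribute=user)) follow the module's documentation; the
escaping is the standard LDAP filter rule (RFC 4515).
"""
from urllib.parse import urlsplit, unquote

# RFC 4515: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value that is about to be placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its parts, filling in the documented defaults:
    attribute uid, scope sub, filter (objectClass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = (unquote(f) for f in fields[:3])
    if scope not in ("one", "sub"):
        scope = "sub"      # base scope is not supported; the module uses sub
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope,
        "filter": filt or "(objectClass=*)",
    }


def build_search_filter(url, username, escape=True):
    """Filter used to look up the user's DN under the base DN. With
    escape=False the raw user name is spliced in, which is what lets a name
    such as "*" change the meaning of the filter."""
    cfg = parse_auth_ldap_url(url)
    value = escape_filter_value(username) if escape else username
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], value)


if __name__ == "__main__":
    url = "ldap://your.LDAPserver.com/o=ctx?cn"
    print(parse_auth_ldap_url(url))
    for name in ("adrianoc", "*"):
        print("raw:     ", build_search_filter(url, name, escape=False))
        print("escaped: ", build_search_filter(url, name))
```

With the slide's URL the lookup for adrianoc is (&(objectClass=*)(cn=adrianoc)); an unescaped "*" would instead produce a filter matching every entry under o=ctx, while the escaped form looks for a user literally named "*". The same escaping applies to anything else that builds filters from request data, for example an AuthLDAPURL filter that embeds a group name.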

Authorization - mod_edir
• Combines the functionality of mod_nds, mod_rdirs and mod_hdirs
• Authorization and access control services only
  – Enforces file access rights
  – Remote server file system access
  – eDirectory™-based home directory support
• Relies on mod_auth_ldap for authentication
• Enabled through the "Require" directive (e.g. Require edir-user)
• Uses LDAP for all eDirectory access
  – Requires a user name and password for access
  – Can be configured to run in anonymous mode instead

mod_edir Remote Directory Example
HTTPD.CONF:

    LoadModule edir_module modules/mod_edir.nlm
    <IfModule mod_edir.c>
        include sys:/secure/edirauth.conf
        Alias /rdocs "remotesrv/data:/webpages/remote"
        <Directory "data:/webpages/remote">
            Options Indexes MultiViews
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>

EDIRAUTH.CONF (secured):

    <IfModule mod_edir.c>
        eDirServer MY_SERVER
        eDirUserAccount cn=apache_server.o=admin_context
        eDirPassword secret
    </IfModule>

• The include keeps the clear-text eDirPassword out of HTTPD.CONF; the included file must live outside every document tree and be readable only by the server
• The <Directory> block grants Indexes and Allow from all, so the whole remote directory, listings included, is public; add Require restrictions if that is not intended

mod_edir Home Directory Example

    LoadModule edir_module modules/mod_edir.nlm
    <IfModule mod_edir.c>
        hDirSearchContexts o=ctx,o=other_ctx
        include sys:/secure/edirauth.conf
        <Directory "data:/users/">
            Options Indexes MultiViews IncludesNoExec
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>

• The hDirSearchContexts directive lists the set of contexts that will be searched
• All listed contexts and their sub-contexts are searched
• Users must be unique across all listed contexts
• Add restrictions to the <Directory ...> block as needed

Anonymous vs. Authenticated Modes
Uses public rights vs. logging in with a special user ID and password
• Anonymous mode requires public access rights to these eDirectory attributes:
  – Home Directory: user home directory information
  – Host Server: physical server name
  – Host Resource Name: physical volume name
• Authenticated mode requires a special user object with browse rights to USER and VOLUME objects

Anonymous Mode – Pros vs. Cons
Pros
• Does not require a special user object
• Easier to configure; requires fewer directives
• User home directory availability can be controlled by allowing or revoking public access rights to an object
Cons
• Requires public access rights to specific eDirectory attributes
• May require administrator intervention before the home directory is available
• Requires a local eDirectory replica on the Apache server box
• The Server object of the Apache server box requires "Browse" and "Read" rights on all remote file systems

Authenticated Mode – Pros vs. Cons
Pros
• Does not require administrator intervention to allow home directory access
• Allows binding directly to LDAP or a remote file system rather than depending on public rights
• Allows the Apache server to acquire home directory information from any LDAP server
• All access to home directories or remote file systems can be controlled through a single Apache user object
Cons
• Requires a special Apache user object in eDirectory
• Requires that a user name and password be stored in a configuration file; that file holds a clear-text password for an account with browse rights over the directory, so protect it like a key

Apache Web Based Administration
• Can manage any Apache server on any platform that supports an LDAP connection
• Web-based administration allows the user to administer any Apache web server from anywhere
• Web farm administration is much easier since each server's configuration is stored in eDirectory
• Configuration directives can be applied to a single server or shared among multiple servers

eDirectory-based Configuration
• Allows the administrator to define each web server's configuration in terms of eDirectory objects
• Each Apache web server, virtual server, module, directory, location, and file block is described as an eDirectory object
• By describing the Apache configuration in terms of objects, the web server can be configured and managed just like any other eDirectory object

Conclusion
• Default web server, very popular
• Apache 2.0 has been rebuilt from the ground up
• More efficient use of APIs through APR
• Better multi-processor support
• Apply configuration changes without unloading
• More shipping features and standard modules
• Increased performance with mod_cache
• LDAP authentication / eDirectory authorization
• Web-based administration through eDirectory