Mini Servers: Apache 2.2.9 Portable: Difference between revisions
m (→Download) |
m (Text replace - "projects/uniformserver" to "projects/miniserver") |
||
(3 intermediate revisions by 3 users not shown) | |||
Line 10: | Line 10: | ||
This write-up shows how to install, configure Apache 2.2.9 and to minimise the risk of unauthorized access. | This write-up shows how to install, configure Apache 2.2.9 and to minimise the risk of unauthorized access. | ||
== Specification == | == Specification == | ||
The server has the following specification: | The server has the following specification: | ||
* Server | * Server must be portable. | ||
* Only static HTML pages shall be served. | * Only static HTML pages shall be served. | ||
* The server | * The server will log all web requests. | ||
* All unused modules shall be disabled. | * All unused modules shall be disabled. | ||
The specification dictates using the minimum number of Apache (2.2.9) modules. You may be interested in the final disk size for such a solution | The specification dictates using the minimum number of Apache (2.2.9) modules. You may be interested in the final disk size for such a solution. Surprisingly its only 1MB for a server meeting our specification. | ||
Don’t be deceived by the size! It is a fully functioning production server. I have removed complexity to highlight security issues. | Don’t be deceived by the size! It is a fully functioning production server. I have removed complexity to highlight security issues. | ||
Take the last line of the specification; it states only modules required shall be installed. This increases security | Take the last line of the specification; it states only modules required shall be installed. This increases security; any unused but installed modules have the capability to interact with others. It requires only one security vulnerability in any one of these unused modules to put the whole system at risk. Knowing our functionality requirements allows a list of required modules to be prepared and to exclude all unused modules. | ||
In terms of security always ask the question do we need that module | In terms of security, always ask the question, do we need that module? If not, don’t install it. The same argument applies to any other software. \if its not required uninstall it. | ||
== Modules == | == Modules == | ||
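Review bot: The completed closing sentence of the "In terms of security" paragraph now ends with "\if its not required uninstall it.", which carries a stray backslash, a lower-case sentence start and "its" for "it's"; it should read "If it's not required, uninstall it." The same slip appears in the completed disk-size sentence, "Surprisingly its only 1MB", which needs "it's".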
Line 60: | Line 58: | ||
|Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding) Note without this module the file will be served as plain text. DefaultType text/plain | |Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding) Note without this module the file will be served as plain text. DefaultType text/plain | ||
|} | |} | ||
== Configuring Apache == | == Configuring Apache == | ||
Line 205: | Line 201: | ||
|} | |} | ||
A word of caution | A word of caution. Although the server is very secure it is not possible to guarantee one hundred percent. Added to this a real problem of running on a machine populated with other software this increases the security risk. It requires only one security vulnerability in any of these programs to compromise the whole system. | ||
''Try not to be over paranoid with security issues then again do not be complacent. No single site on the Internet and that includes this one can ever cover all security issues. My personal advice is to get out there and research the subject, seek out what the professionals advise.'' | ''Try not to be over paranoid with security issues then again do not be complacent. No single site on the Internet and that includes this one can ever cover all security issues. My personal advice is to get out there and research the subject, seek out what the professionals advise.'' | ||
=== Access control === | === Access control === | ||
Each time a module is added Apache’s configuration file increases in complexity. Our minimalist solution reduces this complexity while still harnessing the power of Apache to great effect. Now take another look at that access control block, encapsulated in such a small space are very powerful control features. I have only scratched the surface of this block, for detailed information go to Apache’s web site. The real point I am trying to make, for this server, '''implementing security is clean neat and visible'''. | Each time a module is added Apache’s configuration file increases in complexity. Our minimalist solution reduces this complexity while still harnessing the power of Apache to great effect. Now take another look at that access control block, encapsulated in such a small space are very powerful control features. I have only scratched the surface of this block, for detailed information go to Apache’s web site. The real point I am trying to make, for this server, '''implementing security is clean neat and visible'''. | ||
== Support files == | == Support files == | ||
Line 219: | Line 213: | ||
=== Download === | === Download === | ||
Download this server from SourceForge [http://sourceforge.net/ | Download this server from SourceForge [http://sourceforge.net/projects/miniserver/files/MiniServer/MiniServer_%20Apache%202.2.9%20Portable/ Project Page] save the file '''mini_server_1.exe''' to any folder of your choice. | ||
'''''[[ | '''''Note'':''' Check out the mini server's [[Mini Servers: Support and download|support and download page]], detailing how to obtain full binaries for Apache. | ||
=== Extract files === | === Extract files === | ||
Double click on mini_server_1.exe, starts the extraction process. No need to change the folder destination | Double click on mini_server_1.exe, starts the extraction process. No need to change the folder destination. Click extract; this creates a new folder '''mini_server_1''' containing two files and one folder. | ||
# '''server_start.bat''' - Double click to start the server | # '''server_start.bat''' - Double click to start the server | ||
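Review bot: The new SourceForge link in the Download line uses plain http:// while the instruction is to save and then double click mini_server_1.exe, so a reader has nothing to check the executable against; use the https:// form of the URL and publish a checksum for the archive beside the link. The sentence also runs together at "Project Page] save the file" and needs "and" or a full stop there.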
Line 232: | Line 224: | ||
# '''udrive''' - Folder containing server and your web site. | # '''udrive''' - Folder containing server and your web site. | ||
=== Test === | === Test === | ||
Line 243: | Line 234: | ||
# Stop the server by double clicking on '''server_stop.bat''' | # Stop the server by double clicking on '''server_stop.bat''' | ||
== Change Virtual Drive == | == Change Virtual Drive == | ||
Line 249: | Line 239: | ||
You can override this in one of two ways: | You can override this in one of two ways: | ||
# Start the server using a drive parameter for example: '''server_start.bat z''' | # Start the server using a drive parameter, for example: '''server_start.bat z'''. This forces the server to use drive z | ||
# Edit server_start.bat, locate the following line:<br> '''rem set Disk=w''' <br>Remove the rem and replace w with the letter you want to use for example:<br> '''set Disk=x''' Forces the server to use drive letter x | # Edit server_start.bat, locate the following line:<br> '''rem set Disk=w''' <br>Remove the rem and replace w with the letter you want to use for example:<br> '''set Disk=x''' Forces the server to use drive letter x | ||
== Change server default port == | == Change server default port == | ||
Line 265: | Line 255: | ||
If port already in use try any value above 2000 | If port already in use try any value above 2000 | ||
== Multi Servers == | == Multi Servers == | ||
If you wish to run several mini servers at the same time create a new folder for each server and copy contents of mini_server_1 into each of these. | If you wish to run several mini servers at the same time, create a new folder for each server and copy contents of mini_server_1 into each of these. | ||
Change the server port for each server to be unique. The servers may be started in any order. | Change the server port for each server to be unique. The servers may be started in any order. | ||
'''''Note'':''' You can run the mini servers alongside Uniform Server 3.5-Apollo however you must start Uniform Server first. | '''''Note'':''' You can run the mini servers alongside The Uniform Server 3.5-Apollo however you must start The Uniform Server first. | ||
== Your web site == | == Your web site == | ||
Open the folder www located in folder '''*mini_server_1\udrive\www''' (Note * is the path to the folder you extracted the server files) delete everything in '''www''' and copy your site into it. | Open the folder www located in folder '''*mini_server_1\udrive\www''' (Note: * is the path to the folder you extracted the server files) delete everything in '''www''' and copy your site into it. | ||
'''''Note'':''' Make sure one of your pages in folder www is named '''index.html''' or '''index.htm''', otherwise you will need to type a page name in every time to access your site. | '''''Note'':''' Make sure one of your pages in folder www is named '''index.php''', '''index.html''' or '''index.htm''', otherwise you will need to type a page name in every time to access your site. | ||
e.g. <nowiki>http://localhost:8081/somepage.html</nowiki> | e.g. <nowiki>http://localhost:8081/somepage.html</nowiki> | ||
== Putting the server on-line == | == Putting the server on-line == | ||
If connected to the Internet by a router to put the server on-line you need to forward port 8081 (or the port you have chosen to run the server on). | If connected to the Internet by a router to put the server on-line you need to forward port 8081 (or the port you have chosen to run the server on). | ||
== Summary == | == Summary == | ||
Don’t be deceived by this mini server's size, remember | Don’t be deceived by this mini server's size, remember it's powered by Apache and very secure. For a quick test I loaded UniCenter and put the server on-line. | ||
I was surprised how fast it was. | I was surprised at how fast it was. In oOne final test I could not resist, I dumped the entire server straight onto a USB memory stick and put that on-line. The speed was slightly slower, but I was using a cheapo memory stick. I was more than impressed with this dynamic duo. Apache and The Uniform Server's method of portability make an excellent basic portable server. | ||
If you want a more permanent installation install the server as a service covered on [[Mini Servers: Apache 2.2.9 Service|the next page page]]. | If you want a more permanent installation install the server as a service is covered on [[Mini Servers: Apache 2.2.9 Service|the next page page]]. | ||
Perhaps you would like to protect the server with a name and password I cover this with [[Mini Servers: Apache 2.2.9 Portable - Authentication|Mini Server 3]]. | Perhaps you would like to protect the server with a name and password. I cover this with [[Mini Servers: Apache 2.2.9 Portable - Authentication|Mini Server 3]]. | ||
---- | ---- | ||
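Review bot: The revised note under "Your web site" adds index.php to the list of index page names, but the Specification on this page says only static HTML pages shall be served, so a reader following it would end up with a PHP file this server does not process; drop index.php here or move it to the PHP mini server pages. In the Summary, "In oOne final test" and "install the server as a service is covered on the next page page" are editing slips introduced by this revision and should be cleaned up.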
Line 307: | Line 290: | ||
|} | |} | ||
[[Category: Mini Servers]] | [[Category: Mini Servers]] | ||
Latest revision as of 16:12, 17 October 2012
Mini Server 1 uses Apache 2.2.9 Core
A mini server with all the power of Apache and the portability of Uniform Server: what a mix, one very neat, compact server (see Support files for download).
It's one of those interesting facts of life! Things progress; a few years ago, mention of this server’s specification running on a laptop would have made me a serious candidate for the funny farm. That’s no longer true! I mean the spec however the....
Security
This write-up shows how to install, configure Apache 2.2.9 and to minimise the risk of unauthorized access.
Specification
The server has the following specification:
- Server must be portable.
- Only static HTML pages shall be served.
- The server will log all web requests.
- All unused modules shall be disabled.
The specification dictates using the minimum number of Apache (2.2.9) modules. You may be interested in the final disk size for such a solution. Surprisingly, it's only 1MB for a server meeting our specification.
Don’t be deceived by the size! It is a fully functioning production server. I have removed complexity to highlight security issues.
Take the last line of the specification; it states that only required modules shall be installed. This increases security: any unused but installed module has the capability to interact with others. It requires only one security vulnerability in any one of these unused modules to put the whole system at risk. Knowing our functionality requirements allows a list of required modules to be prepared and all unused modules to be excluded.
In terms of security, always ask the question: do we need that module? If not, don’t install it. The same argument applies to any other software. If it's not required, uninstall it.
Modules
A complete list with a full description of Apache modules can be found in the Apache Docs. The modules we require are listed below; note that the core module is part of the main binary (program) and loaded by default.
Highlighted in bold are separate modules; these are loaded using Apache's configuration file httpd.conf.
Module name | Description |
---|---|
core | Core Apache HTTP Server features that are always available, included in the binary (program). |
mpm_winnt.c | WinNT MPM, part of the Windows Apache core. A Multi-Processing Module (MPM); it is the default for Windows NT operating systems. Uses a single control process which launches a single child process, which in turn creates threads to handle requests. (This is the reason you will see two Apache processes in Task Manager.) |
authz_host_module | Group authorizations based on host (name or IP address). Required to restrict access to folders etc. |
mod_dir | Provides for "trailing slash" redirects and serving directory index files. (Optional but nice to have; otherwise a user needs to type index.html on entry to a folder or for initial web site access. It prevents this error message: The requested URL / was not found on this server.) |
mod_log_config | Logging of the requests made to the server. (Not required for server operation, however extremely useful to see what the server is doing.) |
mod_mime | Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding). Note: without this module the file will be served as plain text (DefaultType text/plain). |
Configuring Apache
When starting Apache you supply it with the location and name of a configuration file; this overrides the default location compiled into the program. It's common practice to name the file httpd.conf and place it in a sub-folder named conf.
Before running Apache, we need to create a configuration file with the following content:
Note: Apache’s example configuration file contains a lot of detailed information. I personally find this confusing and prefer to remove this detail. Choose whatever file format you are happy with.
httpd.conf located in folder: *\udrive\usr\local\apache2\conf | Comments |
---|---|
# File name: http.conf | General information, a reminder of what the configuration is for. |
# ================================================ | Lists all modules you wish to load. Note: For some modules the order is important. Order of priority is from bottom to top; hence if a module is dependent on another it should come first in the list. |
# ======================================== | These settings are common to the main server. Most settings in this section have defaults; however, I like to see what I am using, hence list them regardless. Listen: Server listening port; the standard is port 80, change this to move the server to another port. ServerName: For reliability always specify a host name and port. Note: localhost is valid, however if you have a DNS entry use your fully qualified domain name, e.g. www.fred.com. Alternatively you can leave this as localhost and use your fully qualified domain name in a Vhost section (not covered in this server example). ServerRoot: Path where the Apache program is located. DocumentRoot: Folder where your web site will be served from. DirectoryIndex: When a user requests a page supplying only a folder name (example fred.com) the index page is automatically returned by default. Note you can have more than one index page in the same folder with a different file extension. Order of priority is left to right; the first one found in the list is returned, all others are ignored. |
# ======================================== | Most settings in this section have defaults; however, again I like to see what I am using, hence list them regardless. ThreadsPerChild 64: if your server is slow to respond increase this to 250. |
# ======================================== <Directory "/www"> | Each directory to which Apache has access can be configured with respect to which services and features are allowed and/or disabled in that directory (and its subdirectories). Apache has access to all folders and files on the drive it is installed on. The first directive is very restrictive: Options None: Turns off directory browsing, server-side includes, CGI execution and following symbolic links. AllowOverride None: Turns off support for .htaccess files. Deny from all: No one is allowed access. The only way to gain access is to target each folder in turn and open it up as required. We target folder www and allow access from all. (It’s the folder containing your web site.) |
# ======================================== | In conjunction with the mime_module, the directive TypesConfig is used to specify a file which maps extensions onto MIME types. Note: without the module and this file, served pages will be in plain text. |
# ======================================== | This sets up the appropriate log format (what details are logged) and specifies the log file name and location. Note: debug eats disk space, hence warn is a reasonable setting. |
A word of caution. Although the server is very secure, it is not possible to guarantee one hundred percent security. Added to this is the real problem of running on a machine populated with other software, which increases the security risk. It requires only one security vulnerability in any of these programs to compromise the whole system.
Try not to be over-paranoid about security issues; then again, do not be complacent. No single site on the Internet, and that includes this one, can ever cover all security issues. My personal advice is to get out there and research the subject, and seek out what the professionals advise.
Access control
Each time a module is added, Apache’s configuration file increases in complexity. Our minimalist solution reduces this complexity while still harnessing the power of Apache to great effect. Now take another look at that access control block: encapsulated in such a small space are very powerful control features. I have only scratched the surface of this block; for detailed information go to Apache’s web site. The real point I am trying to make is that, for this server, implementing security is clean, neat and visible.
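An added example, not the author's httpd.conf or code: a small Python audit that checks a configuration against this page's specification (only the four listed modules loaded, request logging on, and a locked-down `<Directory />`). The embedded sample is constructed in Apache 2.2 syntax; the module file paths, ServerRoot and log file names are assumptions.

```python
import re

# Modules the page's specification needs on top of the compiled-in core/mpm_winnt.
ALLOWED_MODULES = {"authz_host_module", "dir_module", "log_config_module", "mime_module"}

# Constructed sample in Apache 2.2 syntax; paths and log file names are assumptions.
SAMPLE_CONF = r'''
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
Listen 8081
ServerName localhost:8081
ServerRoot "/usr/local/apache2"
DocumentRoot "/www"
DirectoryIndex index.html index.htm
ThreadsPerChild 64

<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory "/www">
    Order allow,deny
    Allow from all
</Directory>

TypesConfig conf/mime.types
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access.log common
'''

def parse(conf_text):
    """Return (loaded module names, {directory path: [normalised directives]})."""
    modules, dirs, current = [], {}, None
    for raw in conf_text.splitlines():
        line = " ".join(raw.split())  # trim and collapse whitespace
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1).strip()
            dirs.setdefault(current, [])
        elif line.lower() == "</directory>":
            current = None
        elif current is not None:
            dirs[current].append(line.lower())
        elif line.lower().startswith("loadmodule "):
            modules.append(line.split()[1])
    return modules, dirs

def audit(conf_text):
    """List deviations from the spec: minimal modules, logging on, default deny."""
    modules, dirs = parse(conf_text)
    findings = [f"unexpected module: {m}" for m in modules if m not in ALLOWED_MODULES]
    if "log_config_module" not in modules:
        findings.append("request logging module not loaded")
    root = dirs.get("/", [])  # a missing <Directory /> block fails every check
    findings += [f"<Directory /> lacks '{need}'"
                 for need in ("options none", "allowoverride none", "deny from all")
                 if need not in root]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "configuration matches the specification")
```

Run it against a real file with `audit(open(path).read())`; an empty list means the file still matches the minimal profile after later edits.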
Support files
Each mini server is complete and zipped into a single self-extracting archive file.
Download
Download this server from the SourceForge Project Page and save the file mini_server_1.exe to any folder of your choice.
Note: Check out the mini server's support and download page, detailing how to obtain full binaries for Apache.
Extract files
Double-click on mini_server_1.exe to start the extraction process. There is no need to change the folder destination. Click extract; this creates a new folder mini_server_1 containing two files and one folder.
- server_start.bat - Double click to start the server
- server_stop.bat - Double click to stop server
- udrive - Folder containing server and your web site.
Test
Testing is straightforward.
- Start the server by double clicking on server_start.bat (it automatically detects a free drive letter, creates a new virtual drive and runs the server).
- Start a web browser.
- Type http://localhost:8081/ into the browser address bar.
- An index page is displayed, check out the test site MPG1.
- Stop the server by double clicking on server_stop.bat
Change Virtual Drive
The server automatically detects the first free drive letter and uses that to run the server on. You can override this in one of two ways:
- Start the server using a drive parameter, for example: server_start.bat z. This forces the server to use drive z
- Edit server_start.bat and locate the following line:
  rem set Disk=w
  Remove the rem and replace w with the letter you want to use, for example:
  set Disk=x
  This forces the server to use drive letter x.
Change server default port
- Open file: httpd.conf (Located in folder: \mini_server_1\udrive\usr\local\apache2\conf)
- Locate the lines:
  Listen 8081
  ServerName localhost:8081
- Change to:
  Listen 8080
  ServerName localhost:8080
This moves the server to the standard secondary web server port.
Note: Type http://localhost:8080 into a browser to view the site.
If the port is already in use, try any value above 2000.
Multi Servers
If you wish to run several mini servers at the same time, create a new folder for each server and copy contents of mini_server_1 into each of these.
Change the server port for each server to be unique. The servers may be started in any order.
Note: You can run the mini servers alongside The Uniform Server 3.5-Apollo; however, you must start The Uniform Server first.
Your web site
Open the folder www, located at *mini_server_1\udrive\www (Note: * is the path to the folder where you extracted the server files), delete everything in www and copy your site into it.
Note: Make sure one of your pages in folder www is named index.php, index.html or index.htm, otherwise you will need to type a page name in every time to access your site.
e.g. http://localhost:8081/somepage.html
Putting the server on-line
If you are connected to the Internet through a router, putting the server on-line requires forwarding port 8081 (or the port you have chosen to run the server on).
Summary
Don’t be deceived by this mini server's size; remember it's powered by Apache and very secure. For a quick test I loaded UniCenter and put the server on-line.
I was surprised at how fast it was. One final test I could not resist: I dumped the entire server straight onto a USB memory stick and put that on-line. The speed was slightly slower, but I was using a cheapo memory stick. I was more than impressed with this dynamic duo. Apache and The Uniform Server's method of portability make an excellent basic portable server.
If you want a more permanent installation, installing the server as a service is covered on the next page.
Perhaps you would like to protect the server with a name and password. I cover this with Mini Server 3.
Ric