Mini Servers: Apache 2.2.9 Portable

Revision as of 14:19, 17 August 2008 by Ric (talk | contribs)


Mini Servers:
Compact but fully functional.

Mini Server 1 uses Apache 2.2.9 Core

Apache 2.2.9

A mini server with all the power of Apache and the portability of Uniform Server: what a mix, one very neat compact server. (See the support files section for the download.)

It's one of those interesting facts of life! Things progress; a few years ago, mention of this server's specification running on a laptop would have made me a serious candidate for the funny farm. That's no longer true! I mean the spec, however the....

Security

This write-up shows how to install and configure Apache 2.2.9, and how to minimise the risk of unauthorised access.


Specification

The server has the following specification:

  • Server shall be portable
  • Only static HTML pages shall be served.
  • The server shall log all web requests.
  • All unused modules shall be disabled.

The specification dictates using the minimum number of Apache (2.2.9) modules. You may be interested in the final disk size of such a solution: surprisingly, it is only 1MB for a server meeting our specification.

Don't be deceived by the size! It is a fully functioning production server. I have removed complexity to highlight the security issues.

Take the last line of the specification: only the modules that are required shall be loaded. This increases security. Every module loaded into Apache runs inside the server process with the server's privileges and can interact with the others, so it takes only one security vulnerability in an unused module to put the whole system at risk. Knowing our functionality requirements lets us prepare a list of required modules and exclude everything else.

In terms of security, always ask the question: do we need that module? If not, don't install it. The same argument applies to any other software: if it's not required, uninstall it.


Modules

A complete list with a full description of Apache modules can be found in the Apache Docs. The modules we require are listed below; note the core module is part of the main binary (program) and is loaded by default.

The last four entries are separate modules (DSO files in the modules folder); these are loaded with LoadModule lines in Apache's configuration file httpd.conf.

Module name: Description

  • core: Core Apache HTTP Server features that are always available; compiled into the binary (program).
  • mpm_winnt (WinNT MPM): Part of the Windows Apache core. A Multi-Processing Module (MPM); it is the default for Windows NT operating systems. Uses a single control process which launches a single child process, which in turn creates threads to handle requests. (This is the reason you will see two Apache processes in Task Manager.)
  • mod_authz_host (loaded as authz_host_module): Group authorizations based on host (name or IP address). Provides the Order/Allow/Deny directives required to restrict access to folders.
  • mod_dir: Provides for "trailing slash" redirects and serving directory index files. (Optional but nice to have; otherwise a user needs to type index.html on entry to a folder or for initial web site access. It prevents this error message: The requested URL / was not found on this server.)
  • mod_log_config: Logging of the requests made to the server. (Not required for server operation, however extremely useful to see what the server is doing, and the only record of what clients asked for.)
  • mod_mime: Associates the requested filename's extensions with the file's behaviour (handlers and filters) and content (MIME type, language, character set and encoding). Note: without this module every file is served with the DefaultType, text/plain.


Configuring Apache

When starting Apache you supply it with the location and name of a configuration file (the -f command-line option); this overrides the default location compiled into the program. It is common practice to name the file httpd.conf and place it in a sub-folder named conf.

Before running Apache, we need to create a configuration file with the following content:

Note: Apache's example configuration file contains a lot of detailed commentary; I personally find this confusing and prefer to remove it. Choose whatever file format you are happy with. Whichever you choose, run httpd -t -f conf/httpd.conf before starting the server: it checks the file for syntax errors without serving anything.

httpd.conf, located in folder: *\udrive\usr\local\apache2\conf (the * is the path to the folder you extracted the server files into). Each block of the file is shown below, followed by comments.

# File name: httpd.conf
# Created By: The Uniform Server Development Team
# Edited Last By: Mike Gleaves (ric)
# Main Apache 2.2.9 HTTP server configuration file.
# V 1.0 2-8-2008

General information a reminder for what the configuration is for.

# ================================================
# Modules
# ================================================
 LoadModule authz_host_module modules/mod_authz_host.so
 LoadModule dir_module modules/mod_dir.so
 LoadModule log_config_module modules/mod_log_config.so
 LoadModule mime_module modules/mod_mime.so

Lists all modules you wish to load.

Note: For some modules the order is important. A module that depends on another (for example, a mod_proxy_* module on mod_proxy) must be loaded after the module it depends on, otherwise its symbols cannot be resolved when the DSO is loaded.
Tip: Check Apache's example httpd.conf and list the modules in the same order; this avoids any problems.
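As an added example (not code from the page or from Uniform Server), the script below reads the LoadModule lines of an httpd.conf and reports anything loaded that is outside the four modules the specification requires, anything required but missing, and whether the required modules appear in the reference order. SAMPLE_CONF is a constructed fragment: the page's four LoadModule lines plus a hypothetical stray mod_cgi line to show what a violation looks like.

```python
"""Audit the LoadModule lines of an httpd.conf against the module list this
server is specified to need.

Added example, not part of the page or of Uniform Server. SAMPLE_CONF is a
constructed fragment: the four LoadModule lines from the page plus a stray
mod_cgi line (hypothetical) so that the audit has something to report.
"""
import re

# The only loadable modules the specification requires, in the order the stock
# Apache 2.2 example httpd.conf lists them.
REQUIRED = ["authz_host_module", "dir_module", "log_config_module", "mime_module"]

# An active LoadModule line: "LoadModule <module_name> <path to .so>"
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)

SAMPLE_CONF = """\
# Modules
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
#LoadModule cgi_module modules/mod_cgi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule mime_module modules/mod_mime.so
"""


def loaded_modules(conf_text):
    """Return [(module_name, dso_path)] for every active LoadModule line, in file order.

    Lines commented out with # are skipped; that is how the stock httpd.conf
    disables a module, and it is what the regex anchor on LoadModule enforces.
    """
    found = []
    for line in conf_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def audit(conf_text, required=REQUIRED):
    """Compare the active LoadModule lines with the required list.

    Returns a dict with:
      extra    - modules loaded but not required (attack surface to remove)
      missing  - required modules not loaded (server will not work as specified)
      order_ok - True if the loaded required modules appear in the reference order
    """
    names = [name for name, _ in loaded_modules(conf_text)]
    extra = [n for n in names if n not in required]
    missing = [n for n in required if n not in names]
    seen = [n for n in names if n in required]
    order_ok = seen == [n for n in required if n in names]
    return {"extra": extra, "missing": missing, "order_ok": order_ok}


if __name__ == "__main__":
    result = audit(SAMPLE_CONF)
    for key in ("extra", "missing", "order_ok"):
        print("%-9s %s" % (key + ":", result[key]))
```

Point it at a real file with audit(open(path).read()); anything listed under extra is a module the specification says should not be there, and removing its LoadModule line (or commenting it out) is the fix.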

# ========================================
# Basic settings
# ========================================
 Listen 8081
 ServerName localhost:8081
 ServerAdmin fred@www.somedomain.com
 UseCanonicalName Off
 ServerSignature Off
 HostnameLookups Off
 ServerTokens Prod
 ServerRoot "/usr/local/apache2"
 DocumentRoot "/www"
 PidFile /usr/local/apache2/logs/httpd.pid
<IfModule mod_dir.c>
  DirectoryIndex index.html index.htm
</IfModule>

These settings are common to the main server.

Most settings in this section have defaults; however, I like to see what I am using, hence I list them regardless.

Listen: Server listening port. The standard is port 80; change this to move the server to another port.

ServerName: For reliability always specify a host name and port. Note: localhost is valid; however if you have a DNS entry use your fully qualified domain name, e.g. www.fred.com. Alternatively you can leave this as localhost and use your fully qualified domain name in a VirtualHost section (not covered in this server example).

ServerAdmin: The address Apache shows on server-generated error pages; the value above is only an example.

UseCanonicalName Off: Apache builds self-referencing URLs (for example the trailing-slash redirect) from the host name and port the client sent in its Host header, rather than from ServerName. Leave it Off when the server can be reached under more than one name or port.

ServerSignature Off and ServerTokens Prod: Stop Apache adding a footer with its version and operating system to error pages, and trim the Server response header to "Apache" alone. This gives an attacker nothing to match against a list of known Apache 2.2.9 issues; it does not remove those issues, so keep the server updated regardless.

HostnameLookups Off: Log the client's IP address without a reverse DNS lookup on every request. Faster, and the log then holds the address rather than a name that the client's DNS operator controls.

ServerRoot: Path where the Apache program is located.

DocumentRoot: Folder where your web site is served from.

PidFile: Where Apache writes the process ID of its control process.

DirectoryIndex: When a user requests a page supplying only a folder name (for example fred.com) the index page is returned automatically. Note: you can list more than one index page name with different file extensions. Order of priority is left to right; the first one found in the list is returned and all others are ignored.

# ========================================
# HTTP and performance settings
# ========================================
 Timeout 300
 KeepAlive On
 MaxKeepAliveRequests 100
 KeepAliveTimeout 15
<IfModule mpm_winnt.c>
  ThreadsPerChild 64
  MaxRequestsPerChild 0
</IfModule>

Most settings in this section have defaults; however, again, I like to see what I am using, hence I list them regardless.

ThreadsPerChild 64: if your server is slow to respond, increase this to 250.

Timeout 300 (the Apache 2.2 default) is how long, in seconds, Apache waits for a client to send its request or to accept data. With only 64 worker threads, a handful of deliberately slow clients can each hold a thread for five minutes, so if you put the server on-line consider lowering it; 60 seconds is my own suggestion for a small static site, not a value from the Apache documentation.

# ========================================
# Access control
# ========================================
<Directory />
  Options None
  AllowOverride None
  Order deny,allow
  Deny from all
</Directory>

<Directory "/www">
  Order allow,deny
  Allow from all
</Directory>

Each directory to which Apache has access can be configured with respect to which services and features are allowed and/or disabled in that directory (and its subdirectories).

Apache has access to all folders and files on the drive it is installed on. The first directory block is very restrictive:

Options None: Turns off directory browsing (Indexes), server-side includes, CGI execution and following of symbolic links.

AllowOverride None: Turns off support for .htaccess files, so nothing placed inside the web site folder can switch those features back on.

Order deny,allow / Deny from all: No one is allowed access. (This is the Apache 2.2 syntax; the directives come from mod_authz_host, which is why that module is on the required list.)

The only way to gain access is to target each folder in turn and open it up as required. We target folder www (the folder containing your web site) and allow access from all. The www block inherits Options None and AllowOverride None from the root block, so it needs only the access directives. A quick check: request a sub-folder of www that has no index page; you should get 403 Forbidden, never a file listing.
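As an added example (not code from the page or from Uniform Server), the script below checks from the outside that the basic settings and the access-control block above actually hold on the running server: the Server header carries no version, error pages carry no signature footer, a folder without an index page is not listed, and a traversal attempt never comes back as 200. It assumes the server is up on http://localhost:8081/ as configured; the paths /no-such-page.html and /no-such-folder/ are hypothetical and only need to not exist under www.

```python
"""Probe a running mini server and check that httpd.conf's hardening holds.

Added example, not part of the Uniform Server page. It assumes the server
listens on http://localhost:8081/ as configured above; the probe paths other
than "/" are hypothetical and only need to NOT exist under /www.
"""
import re
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8081"           # Listen 8081 / ServerName localhost:8081
VERSION_RE = re.compile(r"Apache/\d+\.\d+")  # a version string leaking into a page

# Every check takes (status, headers, body); headers has lower-cased keys.

def check_server_tokens(status, headers, body):
    """ServerTokens Prod: the Server header must be exactly 'Apache'."""
    return headers.get("server", "") == "Apache"


def check_server_signature(status, headers, body):
    """ServerSignature Off: no <address>Apache/2.2.9 ... Port 8081</address> footer."""
    return "<address>" not in body.lower() and not VERSION_RE.search(body)


def check_no_listing(status, headers, body):
    """Options None (no Indexes): a folder without index.html must not be listed."""
    return not (status == 200 and "index of /" in body.lower())


def check_not_served(status, headers, body):
    """Deny from all on <Directory />: nothing outside /www may ever come back as 200."""
    return status != 200


# (path, expected status or None for 'any status', checks to run on the response)
PROBES = [
    ("/", 200, [check_server_tokens]),
    ("/no-such-page.html", 404, [check_server_tokens, check_server_signature]),  # hypothetical
    ("/no-such-folder/", None, [check_no_listing, check_server_signature]),     # hypothetical
    ("/../usr/local/apache2/conf/httpd.conf", None, [check_not_served]),        # traversal try
]


def evaluate(path, expected_status, checks, status, headers, body):
    """Run the checks for one probe against a response; returns {check name: bool}."""
    hdr = {k.lower(): v for k, v in headers.items()}
    results = {}
    if expected_status is not None:
        results["status_%d" % expected_status] = (status == expected_status)
    for check in checks:
        results[check.__name__] = check(status, hdr, body)
    return results


def fetch(url):
    """GET url and return (status, headers dict, body text); error responses count too."""
    req = urllib.request.Request(url, headers={"User-Agent": "hardening-check"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read().decode("latin-1")


def run(base_url=BASE_URL):
    """Probe a live server; returns a list of (path, check name, passed)."""
    report = []
    for path, expected, checks in PROBES:
        status, headers, body = fetch(base_url + path)
        for name, ok in evaluate(path, expected, checks, status, headers, body).items():
            report.append((path, name, ok))
    return report


if __name__ == "__main__":
    for path, name, ok in run():
        print("%-4s %-40s %s" % ("PASS" if ok else "FAIL", path, name))
```

A FAIL on check_server_tokens or check_server_signature means the directives were edited out or overridden; a FAIL on check_no_listing means Options was loosened somewhere below the root block; a 200 on the traversal probe means something is being served from outside www and the access-control block needs a second look.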

# ========================================
# MIME encoding
# ========================================
 DefaultType text/plain
 TypesConfig /usr/local/apache2/conf/mime.types

In conjunction with mime_module, the directive TypesConfig specifies a file which maps file extensions onto MIME types. Note: without the module and this file, served pages arrive as plain text (the DefaultType) and a browser displays the HTML source instead of rendering it.

# ========================================
# Logs: debug, info, notice, warn, error, crit
# ========================================
 LogLevel warn
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 LogFormat "%h %l %u %t \"%r\" %>s %b" common
 LogFormat "%{Referer}i -> %U" referer
 LogFormat "%{User-agent}i" agent
 ErrorLog "logs/error_log"
 CustomLog "logs/access.log" combined
# ========================================

This sets up the log formats (what details are logged) and specifies the log file names and locations. Only the combined format is actually used by the CustomLog line; the other three are defined so they can be swapped in.

Note: LogLevel debug eats disk space, hence warn is a reasonable setting. LogLevel affects the error log only; every request is written to access.log regardless, which is what satisfies the "log all web requests" line of the specification.
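The combined log is the only record of who asked the server for what, so here is an added example (not code from the page or from Uniform Server) that parses it and flags requests which make no sense against a static-only server: path traversal, dot-files or httpd.conf, and anything that looks like an attempt to run a script. The lines in SAMPLE_LOG are constructed for the example; the regular expression follows the combined LogFormat exactly as defined above.

```python
"""Parse the combined-format access log written by the CustomLog line above
and flag requests that should never succeed on a static-only server.

Added example, not part of the page or of Uniform Server. The log lines in
SAMPLE_LOG are constructed for this example; the regex matches the 'combined'
LogFormat exactly as defined in httpd.conf above.
"""
import re
from collections import defaultdict

# Field-by-field translation of:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain \" because Apache escapes quotes inside %r and headers.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Requests that make no sense against a server that only serves static HTML
SUSPICIOUS = [
    ("path traversal", re.compile(r"(^|/)\.\.(/|$)|%2e%2e", re.IGNORECASE)),
    ("dot-file or config access", re.compile(r"/\.(htaccess|htpasswd)|httpd\.conf", re.IGNORECASE)),
    ("script execution attempt", re.compile(r"/cgi-bin/|\.(cgi|php|pl)(\?|$)", re.IGNORECASE)),
]

# Constructed sample: one normal visitor, one client poking at the server, one 403
SAMPLE_LOG = """\
127.0.0.1 - - [17/Aug/2008:14:19:02 +0100] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Aug/2008:14:19:05 +0100] "GET /index.html HTTP/1.1" 200 1043 "http://localhost:8081/" "Mozilla/5.0"
192.0.2.10 - - [17/Aug/2008:14:19:09 +0100] "GET /../conf/httpd.conf HTTP/1.1" 404 209 "-" "curl/7.19.0"
192.0.2.10 - - [17/Aug/2008:14:19:11 +0100] "GET /.htaccess HTTP/1.1" 404 209 "-" "curl/7.19.0"
192.0.2.10 - - [17/Aug/2008:14:19:12 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 404 212 "-" "curl/7.19.0"
198.51.100.7 - - [17/Aug/2008:14:20:00 +0100] "GET /images/ HTTP/1.1" 403 202 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    # %r is "METHOD PATH PROTOCOL"; a malformed request line may have fewer parts
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def flag(entry):
    """Return the names of every SUSPICIOUS pattern that the request path matches."""
    return [name for name, pattern in SUSPICIOUS if pattern.search(entry["path"])]


def summarize(lines):
    """Count parsed/unparsed lines and 4xx/5xx per client; collect flagged requests."""
    errors = defaultdict(int)
    alerts = []
    parsed = unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        parsed += 1
        if entry["status"] >= 400:
            errors[entry["host"]] += 1
        reasons = flag(entry)
        if reasons:
            alerts.append((entry["host"], entry["path"], entry["status"], reasons))
    return {"parsed": parsed, "unparsed": unparsed,
            "per_client_errors": dict(errors), "alerts": alerts}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print("parsed %d line(s), %d unparsed" % (report["parsed"], report["unparsed"]))
    for host, path, status, reasons in report["alerts"]:
        print("%-14s %3d %-28s %s" % (host, status, path, ", ".join(reasons)))
```

To run it over the real file, pass open(".../logs/access.log").read().splitlines() to summarize(). A client that accumulates several alerts in a short time is scanning, and the 403 on /images/ shows the root block doing its job: the folder exists but is not listed.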

A word of caution: although the server is very secure, it is not possible to guarantee one hundred percent. Added to this is the real problem of running on a machine populated with other software, which increases the security risk. It requires only one security vulnerability in any of these programs to compromise the whole system.

Try not to be over-paranoid about security issues; then again, do not be complacent. No single site on the Internet, and that includes this one, can ever cover all security issues. My personal advice is to get out there and research the subject; seek out what the professionals advise.


Access control

Each time a module is added, Apache's configuration file increases in complexity. Our minimalist solution reduces this complexity while still harnessing the power of Apache to great effect. Now take another look at that access control block: encapsulated in such a small space are very powerful control features. I have only scratched the surface of this block; for detailed information go to Apache's web site. The real point I am trying to make is that, for this server, implementing security is clean, neat and visible.


Support files

Each mini server is complete and zipped into a single self-extracting archive file.

Download

Download this server from the SourceForge Project Page; save the file mini_server_1.exe to any folder of your choice.

Note: Check out the mini server's support and download page detailing how to obtain full binaries for Apache.


Extract files

Double-click mini_server_1.exe to start the extraction process. There is no need to change the destination folder; click Extract. This creates a new folder mini_server_1 containing two files and one folder:

  1. server_start.bat - Double click to start the server
  2. server_stop.bat - Double click to stop server
  3. udrive - Folder containing server and your web site.


Test

Testing is straightforward.

  1. Start the server by double-clicking server_start.bat (it automatically detects a free drive letter, creates a new virtual drive and runs the server).
  2. Start a web browser.
  3. Type http://localhost:8081/ into the browser address bar.
  4. An index page is displayed, check out the test site MPG1.
  5. Stop the server by double clicking on server_stop.bat


Change Virtual Drive

The server automatically detects the first free drive letter and runs the server on that. You can override this in one of two ways:

  1. Start the server with a drive parameter, for example: server_start.bat z. This forces the server to use drive z.
  2. Edit server_start.bat and locate the following line:
      rem set Disk=w
    Remove the rem and replace w with the letter you want to use, for example:
      set Disk=x
    This forces the server to use drive letter x.


Change server default port

  • Open file: httpd.conf (Located in folder: \mini_server_1\udrive\usr\local\apache2\conf)
  • Locate the lines:
    Listen 8081
    ServerName localhost:8081
  • Change to:
    Listen 8080
    ServerName localhost:8080

This moves the server to the standard secondary web server port.

Note: Type http://localhost:8080 into a browser to view the site.

If the port is already in use, try any value above 2000.


Multi Servers

If you wish to run several mini servers at the same time, create a new folder for each server and copy the contents of mini_server_1 into each of them.

Change the server port of each server so that it is unique. The servers may be started in any order.

Note: You can run the mini servers alongside Uniform Server 3.5-Apollo however you must start Uniform Server first.


Your web site

Open the folder www located at *\mini_server_1\udrive\www (note: * is the path to the folder you extracted the server files into), delete everything in www and copy your site into it.

Note: Make sure one of your pages in folder www is named index.html or index.htm; otherwise you will need to type a page name every time you access your site.

e.g. http://localhost:8081/somepage.html


Putting the server on-line

If you connect to the Internet through a router, to put the server on-line you need to forward port 8081 (or the port you have chosen to run the server on) to the machine running the server. From that moment the server is reachable by anyone on the Internet, so look through access.log and error_log after the first few hours on-line.


Summary

Don't be deceived by this mini server's size; remember it's powered by Apache and very secure. For a quick test I loaded UniCenter and put the server on-line.

I was surprised how fast it was. One final test I could not resist: I dumped the entire server straight onto a USB memory stick and put that on-line. The speed was slightly slower; note I was using a cheap memory stick. I was more than impressed with this dynamic duo: Apache and Uniform Server's method of portability make an excellent basic portable server.

If you want a more permanent installation, install the server as a service, covered on the next page.

Perhaps you would like to protect the server with a name and password I cover this with Mini Server 3.



  Ric