Apache 2.0 - PowerPoint PPT Presentation

Slides: 41
Provided by: mckayb
Learn more at: http://homepages.dcc.ufmg.br

1
Apache 2.0
  • Concepts and Design of Distributed and Parallel
    Systems
  • Technology Seminar
  • Adriano Machado (adrianoc_at_dcc.ufmg.br), Tiago
    Macambira (tmacam_at_dcc.ufmg.br)

2
Overview
  • Apache HTTPD Server Project
  • Apache 2.0 What to expect?
  • Apache 2.0 Web Server Architecture
  • Site Acceleration Using Standard Modules
  • New Features (Authent. and Authorization.)
  • Apache 2.0 Administration
  • Conclusion

3
Apache HTTPD Server Project
  • Collaborative Software Development Effort
  • Managed by a Group of Volunteers
  • 80 Foundation Members, 100s Developers
  • All are invited to contribute
  • HTTP Server
  • Freely Available Binaries and Source Code
  • Cross platform implementation
  • Became the #1 Web Server on the Internet in less
    than a year

4
Apache HTTPD Server Project
  • Web Servers

5
Apache 2.0 What to expect?
  • Unix Threading
  • On Unix systems with POSIX threads support,
    Apache can now run in a hybrid multiprocess,
    multithreaded mode. This improves scalability for
    many, but not all configurations.
  • Better multi-processor utilization
  • The API for modules has changed significantly for
    2.0. Many of the module-ordering/-priority
    problems from 1.3 should be gone. 2.0 does much
    of this automatically. Also, new calls have been
    added that provide additional module capabilities
    without patching the core Apache server.
  • New Build System - Better performance
  • Built on new LIBC libraries
  • More efficient use of APIs through APR

6
Apache 2.0 What to expect?
  • Better thread handling and resource utilization
  • The number of worker threads is dynamic
  • Customized thread handling specifically for
    different OS
  • More standard modules
  • Mod_DAV Mod_Deflate
  • Mod_Auth_LDAP Mod_Cache
  • Etc.
  • IPV6 support
  • Customized error reporting (multi-language)
  • Additional Startup Options
  • -e: Redirect any startup error to a file
  • -n: Rename the Apache console screen

7
Apache 2.0 What to expect?
  • Better support for non-Unix platforms
  • Apache 2.0 is faster and more stable on non-Unix
    platforms such as BeOS, OS/2, and Windows. With
    the introduction of platform-specific
    multi-processing modules (MPMs) and the Apache
    Portable Runtime (APR), these platforms are now
    implemented in their native API, avoiding the
    often buggy and poorly performing POSIX-emulation
    layers.
  • Multiprotocol Support
  • Infrastructure in place to support serving
    multiple protocols
  • Additional Command Line Options
  • Settings: Display worker thread information
  • Restart: Quick restart after configuration
    change
  • Shutdown: Terminates a running instance of
    Apache2
  • Others …

8
Apache 2.0 What to expect?
  • Simplified configuration
  • Many confusing directives have been simplified.
    The often confusing Port and BindAddress
    directives are gone; only the Listen directive is
    used for IP address binding; the ServerName
    directive specifies the server name and port
    number only for redirection and vhost
    recognition.
  • Filtering
  • Apache modules may now be written as filters
    which act on the stream of content as it is
    delivered to or from the server. This allows, for
    example, the output of CGI scripts to be parsed
    for Server Side Include directives using the
    INCLUDES filter in mod_include. The module
    mod_ext_filter allows external programs to act as
    filters in much the same way that CGI programs
    can act as handlers.

9
Apache 2.0 What to expect?
  • Module Enhancements
  • mod_ssl
  • New module in Apache 2.0. This module is an
    interface to the SSL/TLS encryption protocols
    provided by OpenSSL.
  • mod_dav
  • New module in Apache 2.0. This module implements
    the HTTP Distributed Authoring and Versioning
    (DAV) specification for posting and maintaining
    web content.
  • mod_deflate
  • New module in Apache 2.0. This module allows
    supporting browsers to request that content be
    compressed before delivery, saving network
    bandwidth.

10
Apache 2.0 What to expect?
  • Module Enhancements
  • mod_auth_ldap
  • New module in Apache 2.0.41. This module allows
    an LDAP database to be used to store credentials
    for HTTP Basic Authentication. A companion
    module, mod_ldap provides connection pooling and
    results caching.
  • mod_auth_digest
  • Includes additional support for session caching
    across processes using shared memory.
  • mod_charset_lite
  • New module in Apache 2.0. This experimental
    module allows for character set translation or
    recoding.

11
Apache 2.0 What to expect?
  • Module Enhancements
  • mod_file_cache
  • New module in Apache 2.0. This module includes
    the functionality of mod_mmap_static in Apache
    1.3, plus adds further caching abilities.
  • mod_headers
  • This module is much more flexible in Apache 2.0.
    It can now modify request headers used by
    mod_proxy, and it can conditionally set response
    headers.
  • mod_proxy
  • The proxy module has been completely rewritten to
    take advantage of the new filter infrastructure
    and to implement a more reliable, HTTP/1.1
    compliant proxy.

12
Apache 2.0 What to expect?
  • Module Enhancements
  • mod_include
  • New directives allow the default start and end
    tags for SSI elements to be changed and allow for
    error and time format configuration to take place
    in the main configuration file rather than in the
    SSI document. Results from regular expression
    parsing and grouping (now based on Perl's regular
    expression syntax) can be retrieved using
    mod_include's variables $0 .. $9.
  • mod_auth_dbm
  • Now supports multiple types of DBM-like databases
    using the AuthDBMType directive.

13
Apache 2.0 Web Server Architecture
  • HTTPD server rebuilt from the ground up
  • Portability and platform customization were high
    priorities
  • HTTPD server contains no platform specific code
  • Thread and process handling is customized through
    Multi-Processing Modules (MPM) for each platform
  • Backward Compatibility
  • Configuration remained basically the same
  • Internal APIs are very similar
  • 1.3.x and 2.0.x modules are not compatible

14
Apache 2.0 Web Server Architecture
  • Apache Portable Runtime Library (APR)
  • Offers a standard cross platform set of APIs
  • Each implementation of APR is customized for a
    specific platform
  • Designed to be a general purpose cross platform
    library

[Diagram: Other Cross Platform Applications, Apache Web Server and Apache Modules on top of the Apache Portable Runtime (APR), on top of Netware, Solaris, Linux, Windows, Others…]

15
Apache 2.0 Web Server Architecture
  • Apache 1.3 versus 2.0

16
Apache 2.0 Web Server Architecture
  • Apache 1.3 versus 2.0

17
Improvements Using Standard Modules
  • Mod_Cache
  • Improve response time through caching
  • Mod_Vhost_Alias
  • Simplify virtual host creation and maintenance
  • Mod_Proxy
  • Offload heavy weight requests to backend servers
  • Load balancing
  • Centralized authentication and encryption
  • RotateLogs
  • Offload logging tasks and log rotation

18
Mod_Cache
  • Implements an RFC 2616 compliant HTTPD server
    content cache
  • Refer to
  • http://httpd.apache.org/docs-2.0/mod/mod_cache.html
  • http://www.ietf.org/rfc/rfc2616.txt
  • Depends on one of two different storage
    sub-modules
  • Mod_Mem_Cache: Memory based storage manager
  • Can be configured to cache file descriptors or
    actual content
  • Can cache locally generated content or backend
    content for Mod_Proxy
  • Mod_Disk_Cache: Disk based storage manager

19
Mod_Cache Example Configuration
    LoadModule cache_module modules/mod_cache.nlm
    <IfModule mod_cache.c>
        LoadModule mem_cache_module modules/mod_mem_cache.nlm
        <IfModule mod_mem_cache.c>
            CacheEnable mem /
            MCacheSize 4096
            MCacheMaxObjectCount 100
            MCacheMinObjectSize 1
            MCacheMaxObjectSize 2048
        </IfModule>
    </IfModule>
  • Enable memory based caching and cache all content
  • Set maximum cache size to 4096
  • Set maximum number of cached objects to 100
  • Don't cache objects smaller than 1 byte or larger
    than 2048 bytes

20
Mod_Cache Performance
[Chart: Caching vs. No Caching]

21
Mass Virtual Hosting
  • Gives the appearance of multiple web servers
  • Eliminates the need for multiple <VirtualHost…>
    blocks in the HTTPD.CONF file
  • Creates dynamically configured virtual hosts
  • Virtual host is determined by the IP address or
    the Host header
  • Allows for a large number of virtual hosts with
    similar configurations
  • Adding a new virtual host is simply a matter of
    creating a new directory structure

22
Mass Virtual Hosting
    LoadModule vhost_alias_module modules/vhost.nlm
    <IfModule mod_vhost_alias.c>
        UseCanonicalName Off
        LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
        CustomLog logs/access_log vcommon
        VirtualDocumentRoot SYS/www/hosts/%0/docs
        VirtualScriptAlias SYS/www/hosts/%0/cgi-bin
    </IfModule>
  • UseCanonicalName must be set to off
  • Allows the VHost name to be derived from the
    Host header
  • Uses a single log file
  • Logs can be split on a per-virtual-host basis by
    the first LogFormat field
  • DocumentRoot and ScriptAlias specified through
    VHost directives
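
The per-virtual-host split mentioned above, as an added example that is not part of the original slides. With UseCanonicalName Off the first log field comes from the client's Host header, so the sketch validates it before using it as a file name; the regexes, the `_rejected.log` bucket and the sample lines are assumptions of this example.

```python
import re
from collections import defaultdict

# Added example (not from the slides). Field layout follows the slide's
# vcommon format: %V %h %l %u %t "%r" %s %b.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)$')
# Accept only DNS-style names so the first field is safe to use as a file name.
VHOST_RE = re.compile(
    r'^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?'
    r'(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$')

# Constructed sample lines; addresses are documentation ranges.
SAMPLE = [
    'www.example.com 192.0.2.10 - - [10/Oct/2003:13:55:36 -0300] "GET /index.html HTTP/1.1" 200 2326',
    'shop.example.com 192.0.2.11 - alice [10/Oct/2003:13:56:01 -0300] "GET /cart HTTP/1.1" 200 512',
    '../../tmp/x 192.0.2.66 - - [10/Oct/2003:13:57:12 -0300] "GET / HTTP/1.1" 404 209',
    'WWW.Example.COM. 192.0.2.10 - - [10/Oct/2003:13:58:40 -0300] "GET /a.css HTTP/1.1" 304 -',
    'truncated line without the expected fields',
]


def split_by_vhost(lines):
    """Group log lines per virtual host; quarantine anything unparseable."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        # Normalise case and a trailing dot so one host maps to one file.
        vhost = m.group("vhost").lower().rstrip(".") if m else ""
        if m and VHOST_RE.match(vhost):
            # Drop the vhost column: what remains is Common Log Format.
            buckets[vhost + ".log"].append(line.split(" ", 1)[1])
        else:
            buckets["_rejected.log"].append(line)
    return dict(buckets)


if __name__ == "__main__":
    for name, entries in sorted(split_by_vhost(SAMPLE).items()):
        print(name, len(entries))
```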

23
Load Balancing with Mod_Proxy
New features of Mod_Proxy
  • Compliant with HTTP/1.1 including KeepAlive
  • Pluggable protocol handlers such as HTTP and FTP
  • Utilizes Apache 2.0 filtering to accurately
    filter the data as it flows through
Reverse Proxy
  • Mirror to one or more backend Web servers
  • Handle all authentication and SSL services on a
    single server
  • Increase performance by passing more complex
    requests to the backend servers

24
Reverse Proxy
  • All client access must go through the reverse
    proxy server
  • The proxy server can handle all authentication
    and SSL encryption for all backend servers
  • Backend web servers don't have to be Apache
    servers
  • Backend web servers do not require any
    specialized configuration

[Diagram: Clients Browser, Firewall, Apache Proxy Server, Any Web Server]

25
Reverse Proxy Example
    LoadModule proxy_module modules/proxy.nlm
    <IfModule mod_proxy.c>
        LoadModule proxy_http_module modules/proxyhtp.nlm
        ProxyRequests Off
        # Reverse proxy to expense reporting web application server
        ProxyPass /expense/ http://www.expense.com:53080/expense/
        ProxyPassReverse /expense/ http://www.expense.com:53080/expense/
        # Reverse proxy to my general web application server
        ProxyPass /webapps/ http://www.webapps.com:53080/webapps/
        ProxyPassReverse /webapps/ http://www.webapps.com:53080/webapps/
        # Reverse proxy to other applications allow redirects
        ProxyPass /directapps/ http://www.directapps.com/
    </IfModule>
  • Disable forward proxy with ProxyRequests Off
  • Redirect requests to the specific backend servers
    with ProxyPass
  • Allow redirection headers to be fixed up with
    ProxyPassReverse
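
A small audit of the three points above, as an added example that is not part of the original slides. It checks that forward proxying is off, lists ProxyPass rules that have no ProxyPassReverse (so backend redirects reach the client with the backend host name), and models the header fix-up in simplified form; `parse`, `audit`, `fix_location` and the `https://proxy.example` base are hypothetical.

```python
# Added example (not from the slides): audit the slide's reverse-proxy rules.
# parse(), audit() and fix_location() are hypothetical helper names.

# The slide's directives, re-typed as a constructed sample.
CONF = """
ProxyRequests Off
ProxyPass /expense/ http://www.expense.com:53080/expense/
ProxyPassReverse /expense/ http://www.expense.com:53080/expense/
ProxyPass /webapps/ http://www.webapps.com:53080/webapps/
ProxyPassReverse /webapps/ http://www.webapps.com:53080/webapps/
ProxyPass /directapps/ http://www.directapps.com/
"""


def parse(conf):
    """Collect ProxyPass/ProxyPassReverse pairs and the ProxyRequests value."""
    rules = {"proxypass": [], "proxypassreverse": [], "proxyrequests": "off"}
    for line in conf.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        name = words[0].lower()
        if name in ("proxypass", "proxypassreverse") and len(words) == 3:
            rules[name].append((words[1], words[2]))
        elif name == "proxyrequests" and len(words) == 2:
            rules[name] = words[1].lower()
    return rules


def audit(rules):
    """Flag an enabled forward proxy and ProxyPass rules with no reverse rule."""
    findings = []
    if rules["proxyrequests"] != "off":
        findings.append("ProxyRequests is not Off: forward proxying is enabled")
    for prefix, backend in rules["proxypass"]:
        if (prefix, backend) not in rules["proxypassreverse"]:
            findings.append("%s: backend redirects are passed through as-is" % prefix)
    return findings


def fix_location(rules, location, public_base):
    """Simplified ProxyPassReverse: map a backend Location to the proxy URL."""
    for prefix, backend in rules["proxypassreverse"]:
        if location.startswith(backend):
            return public_base + prefix + location[len(backend):]
    return location  # no matching rule, so the backend host name is exposed


if __name__ == "__main__":
    rules = parse(CONF)
    print(audit(rules))
    print(fix_location(rules, "http://www.expense.com:53080/expense/login",
                       "https://proxy.example"))
```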

26
Standard Log Rotation
  • Missing in Apache 1.3
  • Used the directives (mutually exclusive)
  • LogRotateDaily: Rotate log on a daily basis
  • LogRotateInterval: Rotate log on a time basis
  • Only rotates CustomLogs; ErrorLog cannot be
    rotated

27
Standard Log Rotation
  • Apache 2.0 uses RotateLogs
  • Functions in the same manner as on other
    platforms
  • Can be configured to rotate based on
  • Time: e.g. rotate every 86400 seconds or 24 hours
  • File size: e.g. rotate when the file size reaches
    5 meg.
  • Differentiate time from file size by placing an
    M after the size specifier
  • Log files are simply rotated, not moved

    CustomLog "|bin/rotatelogs /var/logs/logfile 86400" common
    CustomLog "|bin/rotatelogs /var/logs/logfile 5M" common

28
Rotate Logs Performance
[Chart: Logs Disabled vs. Rotate Logs vs. Default Logging]

29
Authentication and Authorization
  • Apache provides several different methods of
    authentication and authorization
  • File based authentication
  • Mod_Auth: Authenticates users by looking up user
    names and passwords in a file created by the
    HTPASSWD utility
  • Mod_Auth_Digest: Similar to Mod_Auth except it
    only accepts digest encrypted credentials
  • Database based authentication
  • Mod_AuthDBM: Authenticates users by looking up
    user names and passwords in a database managed by
    the DBMMANAGE utility
  • Third party authentication modules
  • Refer to http://modules.apache.org

30
Authentication - Mod_Auth_LDAP
  • Uses any LDAP compliant directory for
    authentication
  • Use of an SSL encrypted connection is recommended
    since Mod_Auth_LDAP only accepts AuthType Basic,
    which sends the password unencrypted
  • Allows for complex authentication policies
    through the use of LDAP filters
  • Caches LDAP operations using the Mod_LDAP
    sub-module
  • Can be configured to use SSL connections to the
    LDAP server
  • Allows for extended and double-byte characters in
    the user name

31
Mod_Auth_LDAP Example
    LoadModule ldap_module modules/utilldap.nlm
    <IfModule util_ldap.c>
        LoadModule auth_ldap_module modules/authldap.nlm
        Alias /secure vol2/webpages/secure
        <Directory vol2/webpages/secure>
            AuthType Basic
            AuthName LDAP_Protected_Place
            AuthLDAPURL ldap://your.LDAPserver.com/o=ctx?cn
            require valid-user
        </Directory>
    </IfModule>
  • LDAP filters can be specified in the AuthLDAPURL
    directive
  • Uses the UID (uniqueID) attribute by default
  • Other Require directive options
  • User: only allow a specified user
  • Group: only allow users within a specific group
  • DN: only allow users matching the specified DNs
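
How an AuthLDAPURL value turns into the directory search for a login attempt, as an added example that is not part of the original slides or of mod_auth_ldap. It assumes the `ldap://host/basedn?attribute?scope?filter` layout, the defaults `sub` and `(objectClass=*)`, and the combined form `(&(filter)(attribute=username))`; the function names are hypothetical, and escaping the client-supplied user name per RFC 4515 is this example's choice.

```python
from urllib.parse import urlsplit, unquote

# Added example (not from the slides); function names are hypothetical.
# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Neutralise filter metacharacters in an untrusted value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split ldap://host[:port]/basedn?attribute?scope?filter into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    attribute, scope, flt = (parts.query.split("?", 2) + ["", "", ""])[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",        # slide: UID is the default
        "scope": scope or "sub",                # assumed default
        "filter": unquote(flt) or "(objectClass=*)",  # assumed default
    }


def build_search_filter(url, username):
    """Combine the configured filter with the client-supplied user name."""
    cfg = parse_auth_ldap_url(url)
    base = cfg["filter"]
    if not base.startswith("("):
        base = "(" + base + ")"
    return "(&%s(%s=%s))" % (base, cfg["attribute"], escape_filter_value(username))


if __name__ == "__main__":
    url = "ldap://your.LDAPserver.com/o=ctx?cn"   # value from the slide
    print(build_search_filter(url, "alice"))
    # Constructed hostile input: metacharacters stay literal after escaping.
    print(build_search_filter(url, "*)(cn=*"))
```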

32
Authorization - Mod_eDir
  • Combines the functionality of Mod_NDS, Mod_RDirs
    and Mod_HDirs
  • Enforces file access rights
  • Remote server file system access
  • eDirectory based home directory support
  • Authorization or access control services only
  • Relies on Mod_Auth_LDAP for authentication
  • Enabled through the Require directive (e.g.
    Require edir-user)
  • Uses LDAP for all eDirectory access
  • Requires a user name and password for access
  • Can be configured to run in anonymous mode

33
Mod_eDir Remote Directory Example
  • HTTPD.CONF
        LoadModule edir_module modules/mod_edir.nlm
        <IfModule mod_edir.c>
            include sys/secure/edirauth.conf
            Alias /rdocs "remotesrv/data/webpages/remote"
            <Directory "data/webpages/remote">
                Options Indexes MultiViews
                Order allow,deny
                Allow from all
            </Directory>
        </IfModule>
  • EDIRAUTH.CONF (secured)
        <IfModule mod_edir.c>
            eDirServer MY_SERVER
            eDirUserAccount cn=apache_server.o=admin_context
            eDirPassword secret
        </IfModule>

34
Mod_eDir Home Directory Example
    LoadModule edir_module modules/mod_edir.nlm
    <IfModule mod_edir.c>
        hDirSearchContexts o=ctx, o=other_ctx
        include sys/secure/edirauth.conf
        <Directory "data/users/">
            Options Indexes MultiViews IncludesNoExec
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
  • The hDirSearchContexts directive lists the set of
    contexts that will be searched
  • All listed contexts and sub-contexts are searched
  • Users must be unique within all contexts
  • Add restrictions to the <Directory…> block as
    needed

35
Anonymous vs. Authenticated Modes
  • Uses public rights vs. logging in with a special
    user ID and password
  • Anonymous mode requires public access rights to
    eDirectory attributes
  • Home Directory: User home directory information
  • Host Server: Physical server name
  • Host Resource Name: Physical volume name
  • Authenticated mode requires a special user object
    with browse rights to USER and VOLUME objects

36
Anonymous Mode Pros vs. Cons
Pros
  • Does not require a special user object
  • Easier to configure; requires fewer directives
  • User home directory availability can be
    controlled by allowing or revoking public access
    rights to an object
Cons
  • Requires public access rights to specific
    eDirectory attributes
  • May require administrator intervention before the
    home directory is available
  • Requires a local eDirectory replica on the Apache
    server box
  • Server object of the Apache server box requires
    Browse and Read rights on all remote file
    systems

37
Authenticated Mode Pros vs. Cons
Pros
  • Does not require administrator intervention to
    allow home directory access
  • Allows binding directly to LDAP or a remote file
    system rather than depending on public rights
  • Allows the Apache server to acquire home
    directory information from any LDAP server
  • All access to home directories or remote file
    systems can be controlled through a single Apache
    user object
Cons
  • Requires a special Apache user object in
    eDirectory
  • Requires that a user name and password be stored
    in a configuration file

38
Apache Web Based Administration
  • Can manage any Apache server on any platform that
    supports an LDAP connection
  • Web based administration allows the user to
    administer any Apache Web Server from anywhere
  • Web farm administration is much easier since each
    server's configuration is stored in eDirectory
  • Configuration directives can be applied to a
    single server or shared among multiple servers

39
eDirectory based Configuration
  • Allows the administrator to define each web
    server's configuration in terms of eDirectory
    objects
  • Each Apache Web Server, virtual server, module,
    directory, location, and file block is described
    as eDirectory objects
  • By describing the Apache configuration in terms
    of objects, the web server can be configured and
    managed just like any other eDirectory object

40
Conclusion
  • Default web server, very popular
  • Apache 2.0 has been rebuilt from the ground up
  • More efficient use of API through APR
  • Better multi-processor support
  • Apply configuration changes without unloading
  • More shipping features and standard modules
  • Increased performance with Mod_Cache
  • LDAP authentication / eDirectory authorization
  • Web based administration through eDirectory