Configuring the Apache Web Server 566 ✦ ErrorDocument errortype filename: Specifies a file that the server sends when an error of a specific type occurs. You can also provide a text message for an error. Here are some examples: ErrorDocument 403 “Sorry, no access to this directory” ErrorDocument 403 /error/noindex.html ErrorDocument 404 /cgi-bin/bad_link.pl ErrorDocument 401 /new_subscriber.html If you don’t have the ErrorDocument directive, the server sends a built- in error message. The errortype can be one of the following HTTP/1.1 error conditions (see RFC 2616 at www.ietf.org/rfc/rfc2616.txt or www.faqs.org/rfcs/rfc2616.html for more information): • 400: Bad Request • 401: Unauthorized • 402: Payment Required • 403: Forbidden • 404: Not Found • 405: Method Not Allowed • 406: Not Acceptable • 407: Proxy Authentication Required • 408: Request Timeout • 409: Conflict • 410: Gone • 411: Length Required • 412: Precondition Failed • 413: Request Entity Too Large • 414: Request-URI Too Long • 415: Unsupported Media Type • 416: Requested Range Not Satisfiable • 417: Expectation Failed • 500: Internal Server Error • 501: Not Implemented • 502: Bad Gateway • 503: Service Unavailable • 504: Gateway Timeout • 505: HTTP Version Not Supported TEAM LinG - Live, Informative, Non-cost and Genuine ! Book VII Chapter 2 Running a Web Server Configuring the Apache Web Server 567 ✦ TypesConfig filename: Specifies the file that contains the mapping of file extensions to MIME data types. (MIME stands for Multipurpose Internet Mail Extensions, a way to package attachments in a single mes- sage file.) The server reports these MIME types to clients. If you don’t specify a TypesConfig directive, httpd assumes that the TypesConfig file is /etc/mime.types. The following are a few selected lines from the default /etc/mime.types file: application/msword doc application/pdf pdf application/postscript ai eps ps application/x-tcl tcl audio/mpeg mpga mp2 mp3 audio/x-pn-realaudio ram rm audio/x-wav wav image/gif gif image/jpeg jpeg jpg jpe image/png png text/html html htm text/plain asc txt video/mpeg mpeg mpg mpe Each line shows the MIME type (such as text/html), followed by the file extensions for that type (html or htm). Access-control directives Access-control directives enable you to control who can access different direc- tories in the system. These are the global access-configuration directives. You can also have another access-configuration file that uses a name specified by the AccessFileName directive in every directory from which the Apache Web server can serve documents. (That per-directory access-configuration file is named .htaccess by default.) Stripped of most of its comment lines, the access-control directive has this format: # First, we configure the “default” to be a # very restrictive set of permissions. <Directory /> Options FollowSymLinks AllowOverride None </Directory> # The following directory name should # match DocumentRoot in httpd.conf <Directory /var/www/html> Options Indexes FollowSymLinks AllowOverride None order allow,deny allow from all </Directory> TEAM LinG - Live, Informative, Non-cost and Genuine ! Configuring the Apache Web Server 568 # The directory name should match the # location of the cgi-bin directory <Directory “/srv/www/cgi-bin”> AllowOverride None Options None Order allow,deny Allow from all </Directory> Access-control directives use a different syntax from the other Apache direc- tives. The syntax is like that of HTML. Various access-control directives are enclosed within pairs of tags, such as <Directory> </Directory>. The following list describes some of the access-control directives. In particu- lar, notice the AuthUserFile directive; you can have password-based access control for specific directories. ✦ Options opt1 opt2 : Specifies the access-control options for the directory section in which this directive appears. The options can be one or more of the following: • None disables all access-control features. • All turns on all features for the directory. • FollowSymLinks enables the server to follow symbolic links (short- cuts, in other words). • SymLinksIfOwnerMatch follows symbolic links, only if the same user of the directory owns the linked directory. • ExecCGI enables execution of CGI scripts in the directory. • Includes enables server-side include files in this directory. (The term server-side include refers to directives, placed in an HTML file, that the Web server processes before returning the results to the Web browser.) • Indexes enables clients to request indexes (directory listings) for the directory. • IncludesNOEXEC disables the #exec command in server-side includes. ✦ AllowOverride directive1 directive2 : Specifies which access-control directives can be overridden on a per-directory basis. The directive list can contain one or more of the following: • None stops any directive from being overridden. • All enables overriding of any directive on a per-directory basis. TEAM LinG - Live, Informative, Non-cost and Genuine ! Book VII Chapter 2 Running a Web Server Configuring the Apache Web Server 569 • Options enables the use of the Options directive in the directory- level file. • FileInfo enables the use of directives controlling document type, such as AddType and AddEncoding. • AuthConfig enables the use of authorization directives, such as AuthName, AuthType, AuthUserFile, and AuthGroupFile. • Limit enables the use of Limit directives (allow, deny, and order) in a directory’s access-configuration file. ✦ AuthName name: Specifies the authorization name for a directory. ✦ AuthType type: Specifies the type of authorization to be used. The only supported authorization type is Basic. ✦ AuthUserFile filename: Specifies the file in which usernames and passwords are stored for authorization. For example, the following direc- tive sets the authorization file to /etc/httpd/conf/passwd: AuthUserFile /etc/httpd/conf/passwd You have to create the authorization file with the /usr/bin/htpasswd support program. To create the authorization file and add the password for a user named jdoe, specify the following: /usr/bin/htpasswd -c /etc/httpd/conf/passwd jdoe When prompted for the password, enter the password and then confirm it by typing it again. ✦ AuthGroupFile filename: Specifies the file to consult for a list of user groups for authentication. ✦ order ord: Specifies the order in which two other directives — allow and deny — are evaluated. The order is one of the following: • deny,allow causes the Web server to evaluate the deny directive before allow. • allow,deny causes the Web server to evaluate the allow directive before deny. • mutual-failure enables only hosts in the allow list. ✦ deny from host1 host2 : Specifies the hosts denied access. ✦ allow from host1 host2 : Specifies the hosts allowed access. To enable all hosts in a specific domain to access the Web documents in a directory, specify the following: order deny,allow allow from .nws.noaa.gov TEAM LinG - Live, Informative, Non-cost and Genuine ! Configuring the Apache Web Server 570 ✦ require entity en1 en2 : This directive specifies which users can access a directory. entity is one of the following: • user enables only a list of named users. • group enables only a list of named groups. • valid-user enables all users listed in the AuthUserFile access to the directory (provided they enter the correct password). Virtual host setup A useful feature of the Apache HTTP server is that it can handle virtual Web servers. Virtual hosting simply means that a single Web server can respond to many different IP addresses and serve Web pages from different directo- ries, depending on the IP address. That means you can set up a single Web server to respond to both www.big.org and www.tiny.com and serve a unique home page for each host name. A server with this capability is known as a multi-homed Web server, a virtual Web server, or a server with virtual host support. As you might guess, Internet Service Providers (ISPs) use the virtual host feature of Apache Web server to offer virtual Web sites to their customers. You need the following to support virtual hosts: ✦ The Web server must be able to respond to multiple IP addresses (each with a unique domain name) and must enable you to specify document directories, log files, and other configuration items for each IP address. ✦ The host system must be able to associate multiple IP addresses with a single physical network interface. Linux can do so. ✦ Each domain name associated with the IP address must be a unique, reg- istered domain name with proper DNS entries. For the latest information on how to set up virtual hosts in an Apache HTTP server, consult the following URL: http://httpd.apache.org/docs-2.0/vhosts The Apache HTTP server can respond to different host names with different home pages. You have two options when supporting virtual hosts: ✦ Run multiple copies of the httpd program, one for each IP address: In this case, you create a separate copy of the httpd.conf configuration file for each host and use the Listen directive to make the server respond to a specific IP address. ✦ Run a single copy of the httpd program with a single httpd.conf file: In the configuration file, set Listen to a port number only (so the server TEAM LinG - Live, Informative, Non-cost and Genuine ! Book VII Chapter 2 Running a Web Server Configuring the Apache Web Server 571 responds to any IP address associated with the host), and use the VirtualHost directive to configure the server for each virtual host. Run multiple HTTP daemons only if you don’t expect heavy traffic on your system; the system may not be able to respond well because of the overhead associated with running multiple daemons. However, you may need multiple HTTP daemons if each virtual host has a unique configuration need for the following directives: ✦ UserId and GroupId (the user and group ID for the HTTP daemon) ✦ ServerRoot (the root directory of the server) ✦ TypesConfig (the MIME type configuration file) For a site with heavy traffic, configure the Web server so that a single HTTP daemon can serve multiple virtual hosts. Of course, this recommendation implies that there is only one configuration file. In that configuration file, use the VirtualHost directive to configure each virtual host. Most ISPs use the VirtualHost capability of Apache HTTP server to pro- vide virtual Web sites to their customers. Unless you pay for a dedicated Web host, you typically get a virtual site where you have your own domain name, but share the server and the actual host with many other customers. The syntax of the VirtualHost directive is as follows: <VirtualHost hostaddr> directives that apply to this host </VirtualHost> With this syntax, you use <VirtualHost> and </VirtualHost> to enclose a group of directives that applies only to the particular virtual host identified by the hostaddr parameter. The hostaddr can be an IP address or the fully qualified domain name of the virtual host. You can place almost any Apache directive within the <VirtualHost> block. At a minimum, Webmasters include the following directives in the <Virtual Host> block: ✦ DocumentRoot, which specifies where this virtual host’s documents reside ✦ Servername, which identifies the server to the outside world (this name is a registered domain name that DNS supports) ✦ ServerAdmin, the e-mail address of this virtual host’s Webmaster ✦ Redirect, which specifies any URLs to be redirected to other URLs ✦ ErrorLog, which specifies the file where errors related to this virtual host are to be logged TEAM LinG - Live, Informative, Non-cost and Genuine ! Configuring the Apache Web Server 572 ✦ CustomLog, which specifies the file where accesses to this virtual host are logged When the server receives a request for a document in a particular virtual host’s DocumentRoot directory, it uses the configuration parameters within that server’s <VirtualHost> block to handle that request. Here is a typical example of a <VirtualHost> directive that sets up the vir- tual host www.lnbsoft.com: <VirtualHost www.lnbsoft.com> DocumentRoot /home/naba/httpd/htdocs ServerName www.lnbsoft.com ServerAdmin webmaster@lnbsoft.com ScriptAlias /cgi-bin/ /home/naba/httpd/cgi-bin/ ErrorLog /home/naba/httpd/logs/error_log CustomLog /home/naba/httpd/logs/access_log common </VirtualHost> Here the name common in the CustomLog directive refers to the name of a format defined earlier in the httpd.conf file by the LogFormat directive, as follows: LogFormat “%h %l %u %t \”%r\” %>s %b” common This format string for the log produces lines in the log file that look like this: dial236.dc.psn.net - - [13/Jul/2004:18:09:00 -0500] “GET / HTTP/1.0” 200 1243 The format string contains two letter tokens that start with a percent sign (%). The meaning of these tokens is shown in Table 2-1. Table 2-1 LogFormat Tokens Token Meaning %b The number of bytes sent to the client, excluding header information %h The host name of the client machine %l The identity of the user, if available %r The HTTP request from the client (for example, GET / HTTP/ 1.0) %s The server response code from the Web server %t The current local date and time %u The username the user supplies (only when access-control rules require username/password authentication) TEAM LinG - Live, Informative, Non-cost and Genuine ! Chapter 3: Setting Up the FTP Server In This Chapter ߜ Installing the FTP server ߜ Configuring the FTP server F ile Transfer Protocol (FTP) is a popular Internet service for transferring files from one system to another. Anonymous FTP is another popular Internet service for distributing files. The neat thing about anonymous FTP is that if a remote system supports anonymous FTP, anyone can use FTP with the anonymous user ID and can download files from that system. Although anonymous FTP is useful for distributing data, it poses a security risk if it’s not set up properly. Linux distributions typically come with several FTP clients and the Very Secure FTP daemon ( vsftpd), written by Chris Evans. The FTP server typi- cally includes the files you need to support anonymous FTP. In this chapter, I show you how to configure the vsftpd FTP server through text configura- tion files and how to control access to the FTP server. Installing the FTP Server Depending on the choices you made during Linux installation, the FTP server vsftpd and its configuration files may already be installed on your system. If vsftpd is not installed, you can easily install it. In Debian and Xandros, type dpkg -l *ftp* to see if the FTP server is installed. In Fedora Core and SUSE, type rpm -qa | grep vsftp and see if the vsftpd package is installed. In Debian, type apt-get install vsftpd to install the FTP server. In Fedora Core, log in as root, mount the DVD, and type cd /mnt/cdrom/Fedora/RPMS followed by rpm -ivh vsftpd*. In SUSE, click Install and Remove Software in the YaST Control Center’s Software category. Then use YaST’s search capabil- ity to find vsftpd and install it. In Xandros, first run Xandros Networks, select Edit➪Set Application Sources, and click the Debian Unsupported Site link as a source; then you can use the apt-get install vsftpd command to install the Very Secure FTP server. TEAM LinG - Live, Informative, Non-cost and Genuine ! Configuring the FTP Server 574 Configuring the FTP Server The Very Secure FTP daemon (vsftpd) uses a number of configuration files in the /etc directory (and in the /etc/vsftpd directory in Fedora Core). By default, the vsftpd server is disabled — and if you want to use the FTP server, first you have to enable it. In this section, I show you how. The vsftpd server can be configured to run in standalone mode or under the control of the xinetd server. In Debian and Fedora Core, vsftpd is set to run as a standalone. In SUSE, vsftpd runs under the control of xinetd. In Debian and Fedora Core, you can start vsftpd by typing /etc/init.d/vsftpd start. In SUSE, edit the file /etc/xinetd.d/vsftpd — making sure that it does not have a disable = yes line — then type /etc/init.d/xinetd restart to restart xinetd. To start the vsftpd when the system boots, type update-rc.d vsftpd defaults in Debian. In Fedora Core, enable vsftpd for automatic start by typing chkconfig level 35 vsftpd on. After you start the vsftpd server, the default settings are good enough for the server to be useful. That’s because other FTP clients can now connect and request files from your FTP server. However, you need to know about the configuration files in case you have to customize them some other time. vsftpd configuration files The vsftpd server consults the vsftpd.conf file (located in /etc in Debian, SUSE, and Xandros and in the /etc/vsftpd directory in Fedora Core — remember that you must first install vsftpd in Xandros). That config- uration file may refer to other files in the /etc directory. The vsftpd.conf file controls many aspects of the FTP server, such as whether it runs in standalone mode, who can download files, and whether to allow anony- mous FTP. The key configuration files for vsftpd are the following: ✦ /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf controls how the vsftpd server works (for example, whether it allows anonymous logins, allows file uploads, and so on). ✦ /etc/vsftpd.ftpusers, if it exists, lists names of users who cannot access the FTP server. ✦ /etc/vsftpd.user_list, if it exists, lists names of users who are denied access (not even prompted for password). However, if the userlist_ deny option is set to NO in /etc/vsftpd/vsftpd.conf, these users are allowed to access the FTP server. TEAM LinG - Live, Informative, Non-cost and Genuine ! Book VII Chapter 3 Setting Up the FTP Server Configuring the FTP Server 575 In Debian, SUSE, and Xandros, vsftpd uses a single configuration file — /etc/vsftpd.conf. In Fedora Core, the default installation of vsftpd uses the /etc/vsftpd/vsftpd.conf file, as well as /etc/vsftpd.ftpusers and /etc/vsftpd.user_list. You can usually leave most of the vsftpd configuration files with their default settings. However, just in case you have to change something to make vsftpd suit your needs, I explain the configuration files briefly in the next few sections. The vsftpd.conf file To find out what you can have in the vsftpd.conf file and how these lines affect the vsftpd server’s operation, start by looking at the vsftpd.conf file that’s installed by default. The comments in this file tell you what each option does. By default, vsftpd allows almost nothing. By editing the options in vsftpd. conf , you can loosen the restrictions so that users can use FTP. You can decide how loose the settings are. Here are some of the options that you can set in the vsftpd.conf file: ✦ anon_mkdir_write_enable=YES enables anonymous FTP users to create new directories. This option is risky because a malicious user may use up all of your hard drive space by creating too many directories. Therefore, you may want to set this option to NO, even if you allow anonymous users to upload files. ✦ anon_upload_enable=YES means anonymous FTP users can upload files. This option takes effect only if write_enable is already set to YES and the directory has write permissions for everyone. Remember: Allowing anonymous users to write on your system can be very risky because the users could fill up the disk or use your disk for their per- sonal storage. ✦ anonymous_enable=YES enables anonymous FTP. (Users can log in with the username anonymous and provide their e-mail address as a password.) Comment out this line if you don’t want anonymous FTP. ✦ ascii_download_enable=YES enables file downloads in ASCII mode. Unfortunately, a malicious remote user can issue the SIZE command with the name of a huge file and essentially cause the FTP server to waste huge amounts of resources opening that file and determining its size. This technique is used in a Denial of Service attack. (For more infor- mation about Denial of Service [DOS] attacks, see Chapter 1 of Book VI.) ✦ ascii_upload_enable=YES enables file uploads in ASCII mode (for text files). TEAM LinG - Live, Informative, Non-cost and Genuine ! [...]... sendmail in this chapter If sendmail is not installed, you can easily install it In Debian and Xandros, type dpkg -l sendmail* to see if sendmail is installed In Fedora Core and SUSE, type rpm -qa | grep sendmail and see if the sendmail package is installed TEAM LinG - Live, Informative, Non-cost and Genuine ! 580 Installing the Mail Server In Debian, type apt-get install sendmail to install the sendmail... dedicated to developing and maintaining open source Internet software, such as BIND (an implementation of Domain Name System), DHCP (Dynamic Host Configuration Protocol), and INN Rich Salz originally wrote INN; ISC took over the development of INN in 199 6 You can find out more about INN and can access other resources at ISC’s INN Web page at www isc.org/products/INN InterNetNews components INN includes several... have to install INN In Debian and Xandros, type dpkg -l inn* to see if inn is installed In Fedora Core and SUSE, type rpm -q inn and see if the inn package is installed TEAM LinG - Live, Informative, Non-cost and Genuine ! Managing Mail and News Servers The first line says that mail addressed to barkakati is delivered to the user named naba on the local system The second line indicates that mail for naba... and News Servers In This Chapter ߜ Installing and using sendmail ߜ Testing mail delivery manually ߜ Configuring sendmail ߜ Installing the InterNetNews (INN) server ߜ Configuring and starting INN ߜ Setting up local newsgroups E lectronic mail (e-mail) is one of the popular services available on Internet hosts E-mail software comes in two parts: a mail-transport agent (MTA), which physically sends and... /etc/mail/sendmail.cf file by running the sendmail.mc file through the m4 macro processor with the following command (you have to log in as root): 588 Installing the Mail Server Here are some key points to note about the /etc/mail/sendmail.mc file: ✦ VERSIONID(‘setup for Red Hat Linux ) macro inserts the version information enclosed in quotes into the output ✦ OSTYPE( linux ) specifies Linux as the operating system You... include(‘/usr/share/sendmail-cf/m4/cf.m4’)dnl VERSIONID(‘setup for Red Hat Linux )dnl OSTYPE( linux )dnl dnl # dnl # default logging level is 9, you might want to set it higher to dnl # debug the configuration dnl # dnl define(‘confLOG_LEVEL’, 9 )dnl dnl # TEAM LinG - Live, Informative, Non-cost and Genuine ! Installing the Mail Server dnl dnl dnl dnl 587 # Uncomment and edit the following line if your outgoing mail needs to # be sent... indicates that mail for naba really is sent to the username naba on the lnbsoft system The last line defines all as the alias for the five users naba, leha, ivy, emily, and ashley That means mail sent to all goes to these five users Book VII Chapter 4 594 Configuring and Starting the INN Server In Debian, type apt-get install inn to install the INN server In Fedora Core, log in as root, mount the DVD,... to run the mail command again and read the message TEAM LinG - Live, Informative, Non-cost and Genuine ! Installing the Mail Server 581 Thus, the initial sendmail configuration file is adequate for sending and receiving e-mail, at least within your Linux system External mail delivery also works, provided that your Linux system has an Internet connection and a registered domain name If you have an ISP... system by listing a complete e-mail address For example, I added a forward file with the following line to send my messages (addressed to my username, naba) to the mail address naba@comcast.net: naba@comcast.net TEAM LinG - Live, Informative, Non-cost and Genuine ! Installing the INN Server 593 Now suppose I want to keep a copy of the message on the original system, in addition to forwarding to the address... explanation, you can understand the meaning of the control lines in sendmail.cf Each sendmail control line begins with a single-letter operator that defines the meaning of the rest of the line A line that begins with a space or a tab is considered a continuation of the previous line Blank lines and lines beginning with a pound sign (#) are comments Often, no space is between the single-letter operator and the . Servers In This Chapter ߜ Installing and using sendmail ߜ Testing mail delivery manually ߜ Configuring sendmail ߜ Installing the InterNetNews (INN) server ߜ Configuring and starting INN ߜ Setting. is installed. TEAM LinG - Live, Informative, Non-cost and Genuine ! Installing the Mail Server 580 In Debian, type apt-get install sendmail to install the sendmail server. In Fedora Core, log in. newsgroups for your corporate intranet (or even your home network). Installing the Mail Server Depending on the choices you made during Linux installation, you may have already installed the mail