Presentation on theme: "Seminário Tecnológico"— Presentation transcript:
1 Seminário Tecnológico Apache 2.0Conceitos e Projeto de Sistemas Distribuídos e ParalelosSeminário TecnológicoAdriano Machado Tiago Macambira
2 Overview Apache HTTPD Server Project Apache 2.0 – What to expect? Apache 2.0 Web Server ArchitectureSite Acceleration Using Standard ModulesNew Features (Authent. and Authorization.)Apache 2.0 AdministrationConclusion
3 Apache HTTPD Server Project Collaborative Software Development EffortManaged by a Group of Volunteers80+ Foundation Members, 100’s DevelopersAll are invited to contributeHTTP ServerFreely Available Binaries and Source CodeCross platform implementationBecame the #1 Web Server on the Internet in less than a year
5 Apache 2.0 – What to expect? Unix Threading On Unix systems with POSIX threads support, Apache can now run in a hybrid multiprocess, multithreaded mode. This improves scalability for many, but not all configurations.Better multi-processor utilizationThe API for modules has changed significantly for 2.0. Many of the module-ordering/-priority problems from 1.3 should be gone. 2.0 does much of this automatically. Also, new calls have been added that provide additional module capabilities without patching the core Apache server.New Build System - Better performanceBuilt on new LIBC librariesMore efficient use of APIs through APR
6 Apache 2.0 – What to expect?Better thread handling and resource utilizationThe number of worker threads are dynamicCustomized thread handling specifically for different OSMore standard modulesMod_DAV Mod_DeflateMod_Auth_LDAP Mod_CacheEtc.IPV6 supportCustomized error reporting (multi-language)Additional Startup Options-e – Redirect any startup error to a file-n – Rename the Apache console screen
7 Apache 2.0 – What to expect? Better support for non-Unix platforms Apache 2.0 is faster and more stable on non-Unix platforms such as BeOS, OS/2, and Windows. With the introduction of platform-specific multi-processing modules (MPMs) and the Apache Portable Runtime (APR), these platforms are now implemented in their native API, avoiding the often buggy and poorly performing POSIX-emulation layers.Multiprotocol SupportInfrastructure in place to support serving multiple protocolsAdditional Command Line OptionsSettings – Display worker thread informationRestart – Quick restart after configuration changeShutdown – Terminates a running instance of Apache2Others …
8 Apache 2.0 – What to expect? Simplified configuration Filtering Many confusing directives have been simplified. The often confusing Port and BindAddress directives are gone; only the Listen directive is used for IP address binding; the ServerName directive specifies the server name and port number only for redirection and vhost recognition.FilteringApache modules may now be written as filters which act on the stream of content as it is delivered to or from the server. This allows, for example, the output of CGI scripts to be parsed for Server Side Include directives using the INCLUDES filter in mod_include. The module mod_ext_filter allows external programs to act as filters in much the same way that CGI programs can act as handlers.
9 Apache 2.0 – What to expect? Module Enhancements mod_ssl New module in Apache 2.0. This module is an interface to the SSL/TLS encryption protocols provided by OpenSSL.mod_davNew module in Apache 2.0. This module implements the HTTP Distributed Authoring and Versioning (DAV) specification for posting and maintaining web content.mod_deflateNew module in Apache 2.0. This module allows supporting browsers to request that content be compressed before delivery, saving network bandwidth.
10 Apache 2.0 – What to expect? Module Enhancements mod_auth_ldap New module in Apache This module allows an LDAP database to be used to store credentials for HTTP Basic Authentication. A companion module, mod_ldap provides connection pooling and results caching.mod_auth_digestIncludes additional support for session caching across processes using shared memory.mod_charset_liteNew module in Apache 2.0. This experimental module allows for character set translation or recoding.
11 Apache 2.0 – What to expect? Module Enhancements mod_file_cache New module in Apache 2.0. This module includes the functionality of mod_mmap_static in Apache 1.3, plus adds further caching abilities.mod_headersThis module is much more flexible in Apache 2.0. It can now modify request headers used by mod_proxy, and it can conditionally set response headers.mod_proxyThe proxy module has been completely rewritten to take advantage of the new filter infrastructure and to implement a more reliable, HTTP/1.1 compliant proxy.
12 Apache 2.0 – What to expect? Module Enhancements mod_include New directives allow the default start and end tags for SSI elements to be changed and allow for error and time format configuration to take place in the main configuration file rather than in the SSI document. Results from regular expression parsing and grouping (now based on Perl's regular expression syntax) can be retrieved using mod_include's variables $0 .. $9.mod_auth_dbmNow supports multiple types of DBM-like databases using the AuthDBMType directive.
13 Apache 2.0 Web Server Architecture HTTPD server rebuilt from the ground upPortability and platform customization were high prioritiesHTTPD server contains no platform specific codeThread and process handling is customized through Multi-Processing Modules (MPM) for each platformBackward CompatibilityConfiguration remained basically the sameInternal API’s are very similar1.3.x and 2.0.x modules are not compatible
14 Apache 2.0 Web Server Architecture Apache Portable Runtime Library (APR)Offers a standard cross platform set of APIsEach implementation of APR is customized for a specific platformDesigned to be a general purpose cross platform libraryApache Web ServerOther Cross Platform ApplicationsApache ModulesApache Portable Runtime (APR)NetwareSolarisLinuxWindowsOthers…
15 Apache 2.0 Web Server Architecture Apache 1.3 versus 2.0
16 Apache 2.0 Web Server Architecture Apache 1.3 versus 2.0
17 Improvements – Using Standard Modules Mod_CacheIncrease response time through cachingMod_Vhost_AliasSimplify virtual host creation and maintenanceMod_ProxyOffload heavy weight requests to backend serversLoad balancingCentralized authentication and encryptionRotateLogsOffload logging tasks and log rotation
18 Mod_Cache Implements an RFC_2616 compliant HTTPD server content cache Refer to:Depends on one of two different storage sub-modulesMod_Mem_Cache – Memory based storage managerCan be configured to cache file descriptors or actual contentCan cache locally generated content or backend content for Mod_ProxyMod_Disk_Cache – Disk based storage manager
19 Mod_Cache Example Configuration LoadModule cache_module modules/mod_cache.nlm <IfModule mod_cache.c> LoadModule mem_cache_module modules/mod_mem_cache.nlm <IfModule mod_mem_cache.c> CacheEnable mem / MCacheSize MCacheMaxObjectCount MCacheMinObjectSize MCacheMaxObjectSize </IfModule> </IfModule>Enable memory based caching and cache all contentSet maximum cache size to 4096Set maximum number of cached objects to 100Don’t cache objects smaller than 1 byte or larger than 2048 bytes
21 Mass Virtual Hosting Gives the appearance of multiple web servers Eliminates the need for multiple <VirtualHost…> blocks in the HTTPD.CONF fileCreates dynamically configured virtual hostsVirtual host is determined by the IP address or the Host: headerAllows for a large number of virtual hosts with similar configurationsAdding a new virtual host is simply a matter of creating a new directory structure
22 Mass Virtual Hosting LoadModule vhost_alias_module modules/vhost.nlm <IfModule mod_vhost_alias.c>UseCanonicalName OffLogFormat "%V %h %l %u %t \"%r\" %s %b" vcommonCustomLog logs/access_log vcommonVirtualDocumentRoot SYS:/www/hosts/%0/docsVirtualScriptAlias SYS:/www/hosts/%0/cgi-bin</IfModuleUseCanonicalName must be set to offAllows the VHost name to be derived from the Host: headerUses a single log fileLogs can be split on a per-virtual-host bases by the first LogFormat fieldDocumentRoot and ScriptAlias specified through VHost directives
23 Load Balancing with Mod_Proxy New features of Mod_ProxyReverse ProxyCompliant with HTTP/1.1 including “KeepAlive”Pluggable protocol handlers such as HTTP and FTPUtilizes Apache 2.0 filtering to accurately filter the data as it flows throughMirror to one or more backend Web serversHandle all authentication and SSL services on a single serverIncrease performance by passing more complex requests to the backend servers
24 Reverse ProxyAll client access must go through the reverse proxy serverThe proxy server can handle all authentication and SSL encryption for all backend serversBackend web servers don’t have to be Apache serversBackend web servers do not require any specialized configurationClients BrowserAny Web ServerApache Proxy ServerFirewall
25 Reverse Proxy Example Disable forward proxy with “ProxyRequests Off” LoadModule proxy_module modules/proxy.nlm<IfModule mod_proxy.c>LoadModule proxy_http_module modules/proxyhtp.nlmProxyRequests Off#Reverse proxy to expense reporting web application serverProxyPass /expense/ProxyPassReverse /expense/#Reverse proxy to my general web application serverProxyPass /webapps/ProxyPassReverse /webapps/#Reverse proxy to other applications allow redirectsProxyPass /directapps/</IfModule>Disable forward proxy with “ProxyRequests Off”Redirect requests to the specific backend servers with “ProxyPass”Allow redirection headers to be fixed up with “ProxyPassReverse”
26 Stardard Log Rotation Missing in Apache 1.3 Used the directives (mutually exclusive):LogRotateDaily – Rotate log on a daily basisLogRotateInterval – Rotate log on a time basisOnly rotates CustomLogs – ErrorLog can not be rotated
27 Standard Log Rotation Apache 2.0 uses the RotateLogs Functions in the same manner as on other platformsCan be configured to rotate based on:Time – ex. Rotate every seconds or 24 hoursFile size – ex. Rotate when the file size reaches 5 meg.Differentiate time from file size by placing an ‘M’ after the size specifierLog files are simply rotated not movedCustomLog "|bin/rotatelogs /var/logs/logfile 86400" commonCustomLog "|bin/rotatelogs /var/logs/logfile 5M" common
29 Authentication and Authorization Apache provides several different methods ofauthentication and authorizationFile based authenticationMod_Auth – Authenticates users by looking up user names and passwords in a file created by the HTPASSWD utilityMod_Auth_Digest – Similar to Mod_Auth except it only accepts digest encrypted credentialsDatabase based authenticationMod_AuthDBM – Authenticates users by looking up user names and passwords in a database managed by the DBMMANAGE utilityThird party authentication modulesRefer to:
30 Authentication - Mod_Auth_LDAP Uses any LDAP compliant directory for authenticationUse of SSL encrypted connection is recommended since Mod_Auth_LDAP only accepts “AuthType Basic”Allows for complex authentication policies through the use of LDAP filtersCaches LDAP operations using the Mod_LDAP sub-moduleCan be configured to use SSL connections to the LDAP serverAllows for extended and double-byte characters in the user name
31 Mod_Auth_LDAP Example LoadModule ldap_module modules/utilldap.nlm<IfModule util_ldap.c>LoadModule auth_ldap_module modules/authldap.nlmAlias /secure vol2:/webpages/secure<Directory vol2:/webpages/secure>AuthType BasicAuthName LDAP_Protected_PlaceAuthLDAPURL ldap://your.LDAPserver.com/o=ctx?cnrequire valid-user</Directory></IfModule>LDAP filters can be specified in the AuthLDAPURL directiveUses the UID (uniqueID) attribute by defaultOther “Require” directive optionsUser – only allow a specified userGroup – only allow users within a specific groupDN – only allow users matching the specifed DNs
32 Authorization - Mod_eDir Combines the functionality of Mod_NDS, Mod_RDirs and Mod_HDirsEnforces file access rightsRemote server file system accesseDirectory™ based home directory supportAuthorization or access control services onlyRelies on Mod_Auth_LDAP for authenticationEnabled through the “Requires” directive (ex. Requires edir-user)Uses LDAP for all eDirectory accessRequires a user name and password for accessCan be configured to run in anonymous mode
33 Mod_eDir Remote Directory Example HTTPD.CONF:LoadModule edir_module modules/mod_edir.nlm <IfModule mod_edir.c> include sys:/secure/edirauth.conf Alias /rdocs "remotesrv/data:/webpages/remote" <Directory "data:/webpages/remote"> Options Indexes MultiViews Order allow,deny Allow from all </Directory> </IfModule>EDIRAUTH.CONF (secured)<IfModule mod_edir.c> eDirServer MY_SERVER eDirUserAccount cn=apache_server.o=admin_context eDirPassword secret </IfModule>
34 Mod_eDir Home Directory Example LoadModule edir_module modules/mod_edir.nlm <IfModule mod_edir.c> hDirSearchContexts o=ctx, o=other_ctx include sys:/secure/edirauth.conf <Directory "data:/users/"> Options Indexes MultiViews IncludesNoExec Order allow,deny Allow from all </Directory> </IfModule>hDirSearchContexts directives lists the set of contexts that will be searchedAll listed contexts and sub-contexts are searchedUsers must be unique within all contextsAdd restrictions to the <Directory…> block as needed
35 Anonymous vs. Authenticated Modes Uses public rights vs. logging in with a special user ID and passwordAnonymous mode requires public access rights to eDirectory attributesHome Directory – User home directory informationHost Server – Physical server nameHost Resource Name – Physical volume nameAuthenticated mode requires a special user object with browse rights to USER and VOLUME objects
36 Anonymous Mode – Pros vs. Cons Does not require a special user objectEasier to configure – requires fewer directivesUser home directory availability can be controlled by allowing or revoking public access rights to an objectRequires public access rights to specific eDirectory attributesMay require administrator intervention before the home directory is availableRequires a local eDirectory replica on the Apache server boxServer object of the Apache server box requires “Browse” and “Read” rights on all remote files systems
37 Authenticated Mode – Pros vs. Cons Does not require administrator intervention to allow home directory accessAllows binding directly to LDAP or a remote file system rather than depending on public rightsAllows the Apache server to acquire home directory information from any LDAP serverAll access to home directories or remote file systems can be controlled through a single Apache user objectRequires a special Apache user object in eDirectoryRequires that a user name and password be stored in a configuration file
38 Apache Web Based Administration Can manage any Apache server on any platform that supports an LDAP connectionWeb based administration allows the user to administer any Apache Web Server from anywhereWeb farm administration is much easier since each server’s configuration is stored in eDirectoryConfiguration directives can be applied to a single server or shared among multiple servers
39 eDirectory based Configuration Allows the administrator to define each web server’s configuration in terms of eDirectory objectsEach Apache Web Server, virtual server, module, directory, location, and file block is described as eDirectory objectsBy describing the Apache configuration in terms of objects, the web server can be configured and managed just like any other eDirectory object
40 Conclusion Default web server, very popular Apache 2.0 has been rebuilt from the ground upMore efficient use of API through APRBetter multi-processor supportApply configuration changes without unloadingMore shipping features and standard modulesIncreased performance with Mod_CacheLDAP authentication / eDirectory authorizationWeb based administration through eDirectory