ApacheWebServer PHP

Apache web server

By. Eng. Ahmed M. ElSayed


compiler@aast.edu
Apache Web Server Index

1-Introduction
2-Client, Server, and URLs
3-Requests, methods, and responses
4-Apache core, modules, and process model
5-Install apache, configuration, and logs
6-Apache main server configurations
7-Directory directive, options, security
8-Apache authentication
9-Apache modules, mod_rewrite as an example
10-Virtual Hosts
11-Encrypting Apache traffic using HTTPS
12-php with Apache

Apache Web Server 1-Introduction
- Apache is a TCP/IP service that receives a request from the client, processes it, and delivers the requested resource (HTML, JavaScript, image, stylesheet).
- Pages of this kind are called static web pages. Why?
- The client is web browser software or a web crawler.
- The transfer uses the Hypertext Transfer Protocol (HTTP).
- HTTP is a plain-text protocol that uses port tcp/80; HTTPS uses tcp/443 for SSL connections.
- HTTP is a stateless protocol: it does not maintain information about the connection.
- Apache maps local file system directories to a server address.
- Apache is not HA aware; it has no built-in protocol for replication.

Apache Web Server 2-Client, Server, URLs
- The client sends a request for a resource to the web server socket using the server URL.
- The web server receives the request and extracts the Request URI.
- The web server reads the resource named by the URI from the local file system.
- It sends the response back to the client together with a response code.
- A URL is a string of characters that identifies a resource.
- Example 1: http://192.168.1.2/b.php?fname=ahmed&fage=45
  - Protocol: http
  - HTTP Host: 192.168.1.2:80 (the port is omitted because it is the default port)
  - URL-Path: b.php
  - Query String: ?fname=ahmed&fage=45
  - /var/www/html is called the DocumentRoot
  - b.php is relative to the DocumentRoot
  - URL-Path plus Query String is called the Request URI
- Example 2: http://192.168.1.3:8080/data/b.php?fname=ahmed&fage=45
  - Protocol: http
  - HTTP Host: 192.168.1.3:8080
  - URL-Path: data/b.php
  - Query String: ?fname=ahmed&fage=45
  - b.php is in the directory data under the DocumentRoot
  - URL-Path plus Query String is called the Request URI

Apache Web Server 3-Requests, methods, and responses
- Request:
  - The client sends a request to access a resource hosted on the web server.
  - The request is called an HTTP request.
  - The HTTP request is part of the network packet and resides in the packet data payload.
  - It contains several pieces of information, such as:
    - Request URI.
    - Host name (web site name).
    - Type of data accepted by the browser.
    - User's browser type.
    - POST data, if the POST method is used.

Figure: HTTP Request packet format captured by Wireshark

- Response:
  - The server sends the requested resource back to the client.
  - The response is called an HTTP response.
  - The HTTP response is part of the network packet and resides in the packet data payload.
  - It contains several pieces of information, such as:
    - Response version.
    - Status code.
    - Date.
    - Server, server type, and version.
    - Information about the content, such as type, length, and encoding.
  - The data returned by the server.

Figure: HTTP Response packet format captured by Wireshark

- Methods:
  - Define how the data transfer takes place between the client and the server.
  - Specify what you want to do with the connection.
  - GET, POST, PUT, HEAD, DELETE, PATCH, OPTIONS, TRACE.
  - The method is specified by the client in the HTTP request.
  - The most popular are GET and POST.

- GET method:
  - Requests (retrieves) data from a resource without modifying it.
  - Data pairs are sent in the URL (query string).
  - Can be cached.
  - Remains in the browser history.
  - Can be bookmarked.
  - Should never be used when exchanging sensitive data (why?).
  - Has length restrictions.
  - Preferred for improving web page indexing in SEO.

Figure: GET method in an HTTP Request

- POST method:
  - Submits data to be processed.
  - Data pairs are sent in the HTTP request message body.
  - Cannot be cached.
  - Does not remain in the browser history.
  - Cannot be bookmarked.
  - Has no length restrictions.
  - Has no impact on SEO.

Figure: POST method in an HTTP Request

- Responses:
  - The web server returns the state of the request.
  - If there is no error, the requested object is returned in the HTTP response message body.
  - Each response has a code that indicates the response status:
    - 1xx: Informational
    - 2xx: Success
    - 3xx: Redirection
    - 4xx: Client error
    - 5xx: Server error
  - Examples:
    - 200: OK
    - 401: Unauthorized
    - 403: Forbidden
    - 404: Not found
    - 500: Internal Server Error

Figure: HTTP Response from Wireshark with OK status

Figure: HTTP Response from Wireshark with 404 status

Apache Web Server 4-Apache core, modules, and process model
- Apache is a free and open source package on Linux/Unix platforms.
- A free version is also available for Windows.
- Apache has a community called the Apache Software Foundation (ASF).
- Composed of the Apache core, compiled static modules, and dynamic modules.
- Listens on port 80 in plain text by default.
- Simple text configuration file(s).
- The configuration is divided into smaller files that are loaded by the Include directive.
- For Ubuntu, the main configuration file is /etc/apache2/apache2.conf
- For Red Hat, the main configuration file is /etc/httpd/conf/httpd.conf

- Apache is modular by design.
- Modularity allows the administrator to choose which features to enable.
- It also allows the administrator to disable modules whose features are not needed.
- Core: part of the innermost portions of the Apache web server.
- MPM: provided by Multi-Processing Modules.
- Modules are either:
  - Base: loaded at compile time (static modules)
  - Extension: loaded at run time (dynamic modules)

- Process model:
  - Multi-Processing Modules (MPMs) help Apache handle incoming connections.
  - They affect the performance of the web server.
  - They affect the security of requests.
  - At least one module must be specified.
  - The master process starts and listens on the default port tcp/80, taken from the file "/etc/apache2/ports.conf" (why must it start as root?).
  - Every other process starts under a non-privileged account, taken from /etc/apache2/apache2.conf.
  - Prefork module.
  - Worker module.
  - Event module.

- Prefork MPM:
  - Non-threaded, pre-forking web server.
  - Each process answers incoming requests.
  - The parent process manages the size of the pool.
  - Needed for sites that depend on non-thread-safe libraries.
  - Best for isolating requests.

- Worker MPM:
  - Hybrid implementation combining pre-forked processes and multiple threads.
  - The master process listens for incoming connections on the socket and passes each connection to the 1st available thread.
  - Serves a large number of requests with fewer system resources.
  - The master process forks multiple processes, and each process launches multiple threads.
- Event MPM:
  - The same as the Worker MPM, but designed to allow more requests to be served.
  - Leaves some processing to be done by the listener process.

Apache Web Server 5-Install apache, configuration, and logs
- Install:
  - apt install apache2
  - systemctl enable apache2
  - systemctl restart apache2
- Configurations:
  - Main: /etc/apache2/apache2.conf
  - Apache environment vars: /etc/apache2/envvars
  - All configured sites: /etc/apache2/sites-available
  - All enabled sites (must be configured 1st): /etc/apache2/sites-enabled
  - All available modules: /etc/apache2/mods-available/
  - All enabled modules: /etc/apache2/mods-enabled
- Default log files:
  - Access log: /var/log/apache2/access.log
  - Error log: /var/log/apache2/error.log
- Any change in configuration must be followed by restarting apache2 to take effect.

Apache Web Server 6-Apache main server configurations
- /etc/apache2/apache2.conf
  - ServerRoot: Defines the directory that contains all configuration files for Apache.
  - PidFile: File that contains the PID of the master Apache process.
  - User, Group: The user and group the Apache pre-fork processes will start with.
  - KeepAlive: Allows persistent connections.
  - DirectoryIndex: The default document if no file name is specified.
  - AccessFileName: Name of the file with additional information in each directory.
  - Include and IncludeOptional: During the parsing phase, merge in the requested conf file.
  - ErrorLog: Name of the error log file. If it is a relative path, it is placed under ServerRoot.
- /etc/apache2/ports.conf
  - Listen: Configures the socket that Apache will use.

Apache Web Server 7-Directory directive, options, security
- Used to group directives that apply to:
  - A certain directory
  - Subdirectories
  - Files
- Options: specifies which options to enable for that directory (+Indexes, …).
- AllowOverride: specifies which options can be overridden by the AccessFileName file.
  - None, All, or certain directives
- Order allow,deny: the order of security restrictions based on the client L3 address. Traffic is tested by the 1st directive, and the rest is matched by the 2nd.
- Allow from / Deny from: all, IP, subnet

- Example:
<Directory /var/www/iti>
    Options +Indexes
    AllowOverride None
    Order allow,deny
    Allow from 172.16.0.0/16
</Directory>

- The directory is /var/www/iti.
- Enable only the option +Indexes.
- Do not allow any other options from the AccessFileName file.
- Allow the specified addresses, and then deny all others.
- Allow from any host in subnet 172.16.0.0/16.
- Deny from any other host.

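The Order / Allow from / Deny from evaluation described above, modelled in Python as an added example (not part of the original slides and not Apache code). The function names and client addresses are assumptions made for illustration, and the model goes slightly beyond the slide by also covering Order deny,allow, to show that the same Allow/Deny lines give a different result when the order changes.

```python
import ipaddress

def parse_sources(specs):
    """Parse 'Allow from' / 'Deny from' arguments: 'all', an IP, or a subnet."""
    return ["all" if s.lower() == "all" else ipaddress.ip_network(s, strict=False)
            for s in specs]

def source_matches(client_ip, sources):
    """True if the client address is covered by any listed source."""
    ip = ipaddress.ip_address(client_ip)
    return any(src == "all" or ip in src for src in sources)

def access_allowed(client_ip, order, allow=(), deny=()):
    """Model of how Order combines Allow and Deny for one client address.

    allow,deny: default is deny; the client needs an Allow match and no Deny match.
    deny,allow: default is allow; a Deny match is overridden by an Allow match.
    """
    allowed = source_matches(client_ip, parse_sources(allow))
    denied = source_matches(client_ip, parse_sources(deny))
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unknown Order value: {order!r}")

# The slide's <Directory /var/www/iti> block.
ITI = {"order": "allow,deny", "allow": ["172.16.0.0/16"]}

# Constructed rule set where one client matches both Allow and Deny.
OVERLAP = {"allow": ["172.16.0.0/16"], "deny": ["172.16.4.0/24"]}

if __name__ == "__main__":
    # Constructed client addresses, for illustration only.
    for ip in ["172.16.4.20", "172.17.0.1", "10.0.0.5"]:
        verdict = "allowed" if access_allowed(ip, **ITI) else "denied (403)"
        print(f"{ip:<12} -> {verdict}")
    # Same Allow/Deny lines, different Order: the verdict flips.
    for order in ("allow,deny", "deny,allow"):
        print(order, "->", access_allowed("172.16.4.20", order, **OVERLAP))
```
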


- .htaccess
  - Hypertext access.
  - Default name of Apache directory-level configuration files.
  - Changes do not require restarting the Apache service.
  - Slows down web server performance.
- Used to delegate directory configuration to the webmaster.
- Used to configure any directive.
- If a directive from .htaccess conflicts with the main server configuration, the outcome is decided by AllowOverride.

Apache Web Server 8-Apache authentication
- How to secure part or all of a web site with a username/password.
- Can be configured in .conf files or in .htaccess.
- There are many back-end authentication databases for Apache, such as MySQL, LDAP, and files.
- Supports many types of authentication, such as basic, form, and digest.
- Can restrict valid users to a certain user, all users, or a group of users.
- Example:
AuthType Basic
AuthName "Private area"
AuthUserFile /var/www/iti/.htpasswd
Require valid-user

- To add a username for the 1st time:
  - htpasswd -c /var/www/iti/.htpasswd ahmed
- To add a username after that:
  - htpasswd /var/www/iti/.htpasswd compiler

Apache Web Server 9-Apache modules, mod_rewrite
- Enabling or disabling an Apache module requires restarting the apache2 service.
- To enable a module: a2enmod <module name>
- To disable a module: a2dismod <module name>
- The rewrite module is very powerful and provides a way to manipulate URLs.
- RewriteEngine on: turns the engine on, so the rules take effect.
- RewriteEngine off: turns the engine off, so the rules do not take effect.
- Can be configured in .conf files or in .htaccess.
- RewriteRule is used to perform URL rewrite operations.
- RewriteCond is used to construct conditions that control URL rewrite operations.
- Uses RegEx.

- RewriteRule
  - RewriteRule Pattern Substitution [Flags]
  - Pattern: what will be rewritten.
  - Substitution: what will be used.
  - Flags: options for the rewrite.
  - RewriteRule /?data$ /get1.html
    - Rewrites the URL to get the file get1.html if the URL path ends with /data.
  - RewriteRule /?data$ /get1.html [NC]
    - Rewrites the URL to get the file get1.html if the URL path ends with /data in any letter case.
  - RewriteRule ^/?get/([a-zA-Z_]+)/([0-9]+)/?$ get1.php?fname=$1&fage=$2
    - Converts the directory-based URL to a query string.

- RewriteCond
  - RewriteCond TestString Condition [Flags]
  - TestString: what will be tested.
  - Condition: what it will be compared with.
  - Flags: options for testing.
  - If the RewriteCond test returns true, the RewriteRules that follow are executed until another RewriteCond, the end of the RewriteCond/RewriteRule block, or a RewriteRule with [L] is reached.
  - All subsequent RewriteConds are ANDed.
  - To combine them with OR, use the flag [OR].

- RewriteCond example
  - RewriteCond %{QUERY_STRING} "noha"
  - RewriteRule .? http://%{HTTP_HOST}/noha.html? [R]
  - The RewriteCond tests whether QUERY_STRING contains the pattern noha.
  - If it returns true, the next RewriteRule is executed.
  - The RewriteRule replaces the whole URL with the new string and terminates the URL path with ? to remove the QUERY_STRING.

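The RewriteRule and RewriteCond examples from the slides above, modelled in Python as an added example (not part of the original slides and not mod_rewrite itself). The helper names `apply_rule` and `noha_redirect` and the request paths are assumptions made for illustration. Running it shows two things the slides do not spell out: the unanchored patterns `/?data$` and `"noha"` also match longer strings that merely contain them, while the anchored `get` rule passes through only names and digits.

```python
import re

def apply_rule(url_path, pattern, substitution, nocase=False):
    """Model one RewriteRule: return the rewritten URL, or None if Pattern fails.

    The whole URL-path is replaced by Substitution; $N is filled from group N.
    nocase=True corresponds to the [NC] flag.
    """
    m = re.search(pattern, url_path, re.IGNORECASE if nocase else 0)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))) or "", substitution)

# Pattern / Substitution pairs copied from the slides.
DATA_RULE = (r"/?data$", "/get1.html")
GET_RULE = (r"^/?get/([a-zA-Z_]+)/([0-9]+)/?$", "get1.php?fname=$1&fage=$2")

def noha_redirect(http_host, query_string):
    """Model RewriteCond %{QUERY_STRING} "noha" followed by
    RewriteRule .? http://%{HTTP_HOST}/noha.html? [R].

    Returns the redirect target, or None when the condition is false.
    The trailing '?' in the substitution drops the original query string.
    """
    if re.search(r"noha", query_string) is None:
        return None
    return f"http://{http_host}/noha.html"

if __name__ == "__main__":
    # Constructed request paths, for illustration only.
    for path in ["/data", "/DATA", "/mydata", "/data/x"]:
        print(f"{path:<10} plain={apply_rule(path, *DATA_RULE)!s:<11}"
              f" NC={apply_rule(path, *DATA_RULE, nocase=True)}")
    for path in ["/get/ahmed/45", "/get/ahmed/45/", "/get/ahmed/4x5", "/get/ah'med/45"]:
        print(f"{path:<16} -> {apply_rule(path, *GET_RULE)}")
    for qs in ["fname=noha&fage=45", "fname=ahmed", "q=nohacker"]:
        print(f"{qs:<20} -> {noha_redirect('192.168.1.2', qs)}")
```
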
Apache Web Server 10-Virtual Hosts
- The term VirtualHost refers to running multiple web sites on the same web server.
- The concept: multiple sites on the same socket (IP, port).
- The web server differentiates between requests using the Host field in the HTTP request.
- To enable a site, use a2ensite <SiteName>
- To disable a site, use a2dissite <SiteName>
- Each site will have:
  - A directory that contains the site pages
  - Site configuration in /etc/apache2/sites-available
  - Its own log files (access and error)
  - Different RewriteRules, if used
  - A different .htaccess
  - A different DirectoryIndex
  - A server name
- The minimum configuration is DocumentRoot and ServerName.

Figure: HTTP Request with Host from Wireshark

- For site ahmed.com, create a file /etc/apache2/sites-available/ahmed.com.conf
<VirtualHost *:80>
    ServerName ahmed.com
    DocumentRoot /var/ahmed.com
</VirtualHost>

<Directory /var/ahmed.com>
    Require all granted
</Directory>

- For site Mohamed.com, create a file /etc/apache2/sites-available/Mohamed.com.conf
<VirtualHost *:80>
    ServerName Mohamed.com
    DocumentRoot /var/Mohamed.com
</VirtualHost>

<Directory /var/Mohamed.com>
    Require all granted
</Directory>

- mkdir /var/ahmed.com /var/Mohamed.com
- echo "Ahmed site" > /var/ahmed.com/index.html
- echo "Mohamed site" > /var/Mohamed.com/index.html
- Enable both sites and restart apache2:
  - a2ensite ahmed.com
  - a2ensite Mohamed.com
  - systemctl restart apache2
- How to configure authentication for site Mohamed.com using .htaccess?
- How to configure www.mohamed.com as another name for mohamed.com?

Apache Web Server 11-Encrypting Apache traffic using HTTPS
- HTTP is a plain-text protocol by nature.
- Enable the ssl module to encrypt the packet payload, using the https protocol and port 443. How?
- SSL connections are based on certificates.
- We will use the default self-signed certificates.
- How to use the rewrite module to convert any request from http to https?

Figure: HTTPS Request from Wireshark

Apache Web Server 12-php with Apache
- Client-side scripting:
  - Scripts run on the client PC.
  - Source code is transferred from the server to the client.
  - JavaScript.
- Server-side scripting:
  - Runs on the server.
  - The web server uses an interpreter to execute the script.
  - Can interact with MySQL or any other database.
  - The script generates HTML/JS pages.
  - The web server sends the generated page back to the client.
- Install PHP:
  - sudo apt install php php-mysql
  - sudo systemctl restart apache2
- Edit the file index.php in DocumentRoot and add the following lines:
<?php
phpinfo();
?>

Figure: Interaction between apache and php

- php.ini contains all PHP settings.
- There may be more than one php.ini.
- Check which php.ini is loaded from phpinfo().
- Any change in the loaded php.ini requires restarting the apache2 service.
- Check the error display and upload file size settings.
- Try php -i
- PHP has an extension for MySQL connections.
- PHP has a lot of extensions.

- The phpMyAdmin project is an open source web application.
- Control, configure, and administer MySQL databases from the web.
- apt install phpmyadmin php-mbstring php-gettext
- Enable PHP mbstring: sudo phpenmod mbstring
- Restart apache2: sudo systemctl restart apache2
- Visit your server and append /phpmyadmin to the URL.
- How to secure phpMyAdmin?

- Composer:
  - Dependency manager for PHP.
  - Pulls in all required libraries and dependencies and manages them in one place.
  - PEAR has been established for a long time but has been abandoned by many PHP developers.
  - Works project by project, not system-wide.
- Install:
  - curl -s https://getcomposer.org/installer | php
- Uses JSON files to install any needed package.
- To install the Slim framework, create a file composer.json:
{
    "require": {
        "slim/slim": "3.0.*"
    }
}
- php composer.phar install