Post on 19-Dec-2015
Apache 2.0 – Concepts and Design of Distributed and Parallel Systems
Technology Seminar
Adriano Machado ([email protected]), Tiago Macambira ([email protected])
2
Overview
Apache HTTPD Server Project
Apache 2.0 – What to expect?
Apache 2.0 Web Server Architecture
Site Acceleration Using Standard Modules
New Features (Authentication and Authorization)
Apache 2.0 Administration
Conclusion
3
Apache HTTPD Server Project
Collaborative Software Development Effort
• Managed by a Group of Volunteers
• 80+ Foundation Members, 100's of Developers
• All are invited to contribute
HTTP Server
• Freely Available Binaries and Source Code
• Cross platform implementation
• Became the #1 Web Server on the Internet in less than a year
4
Apache HTTPD Server Project
Web Servers
5
Apache 2.0 – What to expect?
• Unix Threading
  • On Unix systems with POSIX threads support, Apache can now run in a hybrid multiprocess, multithreaded mode. This improves scalability for many, but not all, configurations.
• Better multi-processor utilization
• The API for modules has changed significantly for 2.0. Many of the module-ordering/-priority problems from 1.3 should be gone. 2.0 does much of this automatically. Also, new calls have been added that provide additional module capabilities without patching the core Apache server.
• New Build System – Better performance
• Built on new LIBC libraries
• More efficient use of APIs through APR
6
Apache 2.0 – What to expect?
• Better thread handling and resource utilization
  • The number of worker threads is dynamic
  • Customized thread handling specifically for different OSes
• More standard modules
  • Mod_DAV, Mod_Deflate
  • Mod_Auth_LDAP, Mod_Cache
  • Etc.
• IPv6 support
• Customized error reporting (multi-language)
• Additional Startup Options
  • -e – Redirect any startup error to a file
  • -n – Rename the Apache console screen
7
Apache 2.0 – What to expect?
• Better support for non-Unix platforms
  • Apache 2.0 is faster and more stable on non-Unix platforms such as BeOS, OS/2, and Windows. With the introduction of platform-specific multi-processing modules (MPMs) and the Apache Portable Runtime (APR), these platforms are now implemented in their native API, avoiding the often buggy and poorly performing POSIX-emulation layers.
• Multiprotocol Support
  • Infrastructure in place to support serving multiple protocols
• Additional Command Line Options
  • Settings – Display worker thread information
  • Restart – Quick restart after configuration change
  • Shutdown – Terminates a running instance of Apache2
  • Others …
8
Apache 2.0 – What to expect?
• Simplified configuration
  • Many confusing directives have been simplified. The often confusing Port and BindAddress directives are gone; only the Listen directive is used for IP address binding; the ServerName directive specifies the server name and port number only for redirection and vhost recognition.
• Filtering
  • Apache modules may now be written as filters which act on the stream of content as it is delivered to or from the server. This allows, for example, the output of CGI scripts to be parsed for Server Side Include directives using the INCLUDES filter in mod_include. The module mod_ext_filter allows external programs to act as filters in much the same way that CGI programs can act as handlers.
9
Apache 2.0 – What to expect?
• Module Enhancements
  • mod_ssl – New module in Apache 2.0. This module is an interface to the SSL/TLS encryption protocols provided by OpenSSL.
  • mod_dav – New module in Apache 2.0. This module implements the HTTP Distributed Authoring and Versioning (DAV) specification for posting and maintaining web content.
  • mod_deflate – New module in Apache 2.0. This module allows supporting browsers to request that content be compressed before delivery, saving network bandwidth.
10
Apache 2.0 – What to expect?
• Module Enhancements
  • mod_auth_ldap – New module in Apache 2.0.41. This module allows an LDAP database to be used to store credentials for HTTP Basic Authentication. A companion module, mod_ldap, provides connection pooling and results caching.
  • mod_auth_digest – Includes additional support for session caching across processes using shared memory.
  • mod_charset_lite – New module in Apache 2.0. This experimental module allows for character set translation or recoding.
11
Apache 2.0 – What to expect?
• Module Enhancements
  • mod_file_cache – New module in Apache 2.0. This module includes the functionality of mod_mmap_static in Apache 1.3, plus adds further caching abilities.
  • mod_headers – This module is much more flexible in Apache 2.0. It can now modify request headers used by mod_proxy, and it can conditionally set response headers.
  • mod_proxy – The proxy module has been completely rewritten to take advantage of the new filter infrastructure and to implement a more reliable, HTTP/1.1 compliant proxy.
12
Apache 2.0 – What to expect?
• Module Enhancements
  • mod_include – New directives allow the default start and end tags for SSI elements to be changed and allow for error and time format configuration to take place in the main configuration file rather than in the SSI document. Results from regular expression parsing and grouping (now based on Perl's regular expression syntax) can be retrieved using mod_include's variables $0 .. $9.
  • mod_auth_dbm – Now supports multiple types of DBM-like databases using the AuthDBMType directive.
13
Apache 2.0 Web Server Architecture
HTTPD server rebuilt from the ground up
• Portability and platform customization were high priorities
• HTTPD server contains no platform specific code
• Thread and process handling is customized through Multi-Processing Modules (MPM) for each platform
Backward Compatibility
• Configuration remained basically the same
• Internal APIs are very similar
• 1.3.x and 2.0.x modules are not compatible
14
Apache 2.0 Web Server Architecture
[Diagram: Apache Web Server, Apache Modules and Other Cross Platform Applications sit on top of the Apache Portable Runtime (APR), which sits on top of NetWare, Solaris, Linux, Windows, Others…]
Apache Portable Runtime Library (APR)
• Offers a standard cross platform set of APIs
• Each implementation of APR is customized for a specific platform
• Designed to be a general purpose cross platform library
15
Apache 2.0 Web Server Architecture
Apache 1.3 versus 2.0
16
Apache 2.0 Web Server Architecture
Apache 1.3 versus 2.0
17
Improvements – Using Standard Modules
• Mod_Cache
  • Improve response time through caching
• Mod_Vhost_Alias
  • Simplify virtual host creation and maintenance
• Mod_Proxy
  • Offload heavy weight requests to backend servers
  • Load balancing
  • Centralized authentication and encryption
• RotateLogs
  • Offload logging tasks and log rotation
18
Mod_Cache
Implements an RFC 2616 compliant HTTPD server content cache
• Refer to: http://httpd.apache.org/docs-2.0/mod/mod_cache.html and http://www.ietf.org/rfc/rfc2616.txt
Depends on one of two different storage sub-modules
• Mod_Mem_Cache – Memory based storage manager
  • Can be configured to cache file descriptors or actual content
  • Can cache locally generated content or backend content for Mod_Proxy
• Mod_Disk_Cache – Disk based storage manager
19
Mod_Cache Example Configuration
• Enable memory based caching and cache all content
• Set maximum cache size to 4096 (MCacheSize is given in KBytes)
• Set maximum number of cached objects to 100
• Don't cache objects smaller than 1 byte or larger than 2048 bytes

LoadModule cache_module modules/mod_cache.nlm
<IfModule mod_cache.c>
    LoadModule mem_cache_module modules/mod_mem_cache.nlm
    <IfModule mod_mem_cache.c>
        CacheEnable mem /
        MCacheSize 4096
        MCacheMaxObjectCount 100
        MCacheMinObjectSize 1
        MCacheMaxObjectSize 2048
    </IfModule>
</IfModule>
20
Mod_Cache Performance
[Chart: Caching vs. No Caching]
21
Mass Virtual Hosting
• Gives the appearance of multiple web servers
• Eliminates the need for multiple <VirtualHost…> blocks in the HTTPD.CONF file
• Creates dynamically configured virtual hosts
  • Virtual host is determined by the IP address or the Host: header
  • Allows for a large number of virtual hosts with similar configurations
  • Adding a new virtual host is simply a matter of creating a new directory structure
22
Mass Virtual Hosting
• UseCanonicalName must be set to Off
  • Allows the VHost name to be derived from the Host: header
• Uses a single log file
  • Logs can be split on a per-virtual-host basis by the first LogFormat field
• DocumentRoot and ScriptAlias specified through VHost directives

LoadModule vhost_alias_module modules/vhost.nlm
<IfModule mod_vhost_alias.c>
    UseCanonicalName Off
    LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
    CustomLog logs/access_log vcommon
    VirtualDocumentRoot SYS:/www/hosts/%0/docs
    VirtualScriptAlias SYS:/www/hosts/%0/cgi-bin
</IfModule>
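Added example (not from the slides or from the Apache project): a Python splitter for the vcommon log above that groups lines by the leading %V field. With UseCanonicalName Off that field is copied from the client's Host: header, so the splitter validates it before it is ever turned into a file name. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the slide's vcommon format:
# LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
SAMPLE_LOG = """\
www.example.com 10.0.0.5 - - [19/Dec/2015:10:00:01 -0300] "GET /index.html HTTP/1.1" 200 1234
intranet.example.com 10.0.0.9 - bob [19/Dec/2015:10:00:02 -0300] "GET /cgi-bin/report HTTP/1.1" 200 512
../../etc 10.0.0.7 - - [19/Dec/2015:10:00:03 -0300] "GET / HTTP/1.1" 400 0
WWW.example.com 10.0.0.5 - - [19/Dec/2015:10:00:04 -0300] "GET /logo.png HTTP/1.1" 304 -
"""

# RFC 1123 host name syntax: labels of 1-63 chars from [a-z0-9-], no leading
# or trailing hyphen, at most 253 chars overall.  Anything else must not be
# used as a file name, because %V is client-supplied when UseCanonicalName is Off.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)

def split_by_vhost(log_text, quarantine="_invalid"):
    """Return {vhost: [rest-of-line, ...]} keyed by the leading %V field.

    Host names are lower-cased (DNS is case-insensitive) so one site does not
    fan out into several files; lines whose host field fails the syntax check
    are kept whole under the quarantine key for review instead of being used.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        vhost, _, rest = line.partition(" ")
        vhost = vhost.lower()
        if HOSTNAME_RE.match(vhost):
            buckets[vhost].append(rest)
        else:
            buckets[quarantine].append(line)
    return dict(buckets)

def log_file_name(vhost, log_dir="logs"):
    """Map a validated host name to its per-host access log path."""
    if not HOSTNAME_RE.match(vhost):
        raise ValueError("refusing to build a path from an unvalidated host name")
    return f"{log_dir}/{vhost}-access_log"
```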
23
Load Balancing with Mod_Proxy
New features of Mod_Proxy
• Compliant with HTTP/1.1 including "KeepAlive"
• Pluggable protocol handlers such as HTTP and FTP
• Utilizes Apache 2.0 filtering to accurately filter the data as it flows through
Reverse Proxy
• Mirror to one or more backend Web servers
• Handle all authentication and SSL services on a single server
• Increase performance by passing more complex requests to the backend servers
24
Reverse Proxy
• All client access must go through the reverse proxy server
• The proxy server can handle all authentication and SSL encryption for all backend servers
• Backend web servers don't have to be Apache servers
• Backend web servers do not require any specialized configuration
[Diagram: Clients (Browser), Firewall, Apache Proxy Server, Any Web Server]
25
Reverse Proxy Example
• Disable forward proxy with "ProxyRequests Off"
• Redirect requests to the specific backend servers with "ProxyPass"
• Allow redirection headers to be fixed up with "ProxyPassReverse"

LoadModule proxy_module modules/proxy.nlm
<IfModule mod_proxy.c>
    LoadModule proxy_http_module modules/proxyhtp.nlm
    ProxyRequests Off
    # Reverse proxy to expense reporting web application server
    ProxyPass /expense/ http://www.expense.com:53080/expense/
    ProxyPassReverse /expense/ http://www.expense.com:53080/expense/
    # Reverse proxy to my general web application server
    ProxyPass /webapps/ http://www.webapps.com:53080/webapps/
    ProxyPassReverse /webapps/ http://www.webapps.com:53080/webapps/
    # Reverse proxy to other applications, allow redirects
    ProxyPass /directapps/ http://www.directapps.com/
</IfModule>
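Added example (not from the slides or from mod_proxy's source): Python that models what ProxyPassReverse does to a backend's Location header for the three mappings above, and audits the configuration for a ProxyPass with no matching ProxyPassReverse (the /directapps/ entry), whose redirects would reach clients still naming the backend host. The proxy's public origin http://proxy.example.com is an assumed value; the rewrite is a simplified, prefix-only version of the real one.

```python
from urllib.parse import urlsplit

# The ProxyPass / ProxyPassReverse pairs from the slide's configuration.
# /directapps/ has no ProxyPassReverse, exactly as on the slide.
PROXY_PASS = {
    "/expense/": "http://www.expense.com:53080/expense/",
    "/webapps/": "http://www.webapps.com:53080/webapps/",
    "/directapps/": "http://www.directapps.com/",
}
PROXY_PASS_REVERSE = {
    "/expense/": "http://www.expense.com:53080/expense/",
    "/webapps/": "http://www.webapps.com:53080/webapps/",
}
PUBLIC_ORIGIN = "http://proxy.example.com"  # assumed public address of the proxy

def rewrite_location(location, reverse_map=PROXY_PASS_REVERSE,
                     public_origin=PUBLIC_ORIGIN):
    """Rewrite a backend Location header the way ProxyPassReverse would.

    If the backend URL begins with a mapped backend prefix, that prefix is
    swapped for the public path on the proxy.  Any other URL passes through
    untouched, which is how an internal host name ends up at the client.
    """
    for public_prefix, backend_prefix in reverse_map.items():
        if location.startswith(backend_prefix):
            return public_origin + public_prefix + location[len(backend_prefix):]
    return location

def leaks_backend(location, pass_map=PROXY_PASS):
    """True when a header bound for the client still names a backend host."""
    host = urlsplit(location).netloc.lower()
    return any(urlsplit(b).netloc.lower() == host for b in pass_map.values())

def mappings_without_reverse(pass_map=PROXY_PASS, reverse_map=PROXY_PASS_REVERSE):
    """Config audit: public paths proxied without a matching ProxyPassReverse."""
    return sorted(p for p in pass_map if p not in reverse_map)
```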
26
Standard Log Rotation
Missing in Apache 1.3
• Used the directives (mutually exclusive):
  • LogRotateDaily – Rotate log on a daily basis
  • LogRotateInterval – Rotate log on a time basis
• Only rotates CustomLogs – ErrorLog can not be rotated
27
Standard Log Rotation
Apache 2.0 uses RotateLogs
• Functions in the same manner as on other platforms
• Can be configured to rotate based on:
  – Time – ex. rotate every 86400 seconds or 24 hours
  – File size – ex. rotate when the file size reaches 5 MB
  – Differentiate time from file size by placing an 'M' after the size specifier
• Log files are simply rotated, not moved

CustomLog "|bin/rotatelogs /var/logs/logfile 86400" common
CustomLog "|bin/rotatelogs /var/logs/logfile 5M" common
28
Rotate Logs Performance
[Chart: Logs Disabled vs. Rotate Logs vs. Default Logging]
29
Authentication and Authorization
Apache provides several different methods of authentication and authorization
• File based authentication
  – Mod_Auth – Authenticates users by looking up user names and passwords in a file created by the HTPASSWD utility
  – Mod_Auth_Digest – Similar to Mod_Auth except it only accepts HTTP Digest (hashed) credentials
• Database based authentication
  – Mod_AuthDBM – Authenticates users by looking up user names and passwords in a database managed by the DBMMANAGE utility
Third party authentication modules
• Refer to: http://modules.apache.org
30
Authentication - Mod_Auth_LDAP
• Uses any LDAP compliant directory for authentication
• Use of an SSL encrypted connection is recommended since Mod_Auth_LDAP only accepts "AuthType Basic"
• Allows for complex authentication policies through the use of LDAP filters
• Caches LDAP operations using the Mod_LDAP sub-module
• Can be configured to use SSL connections to the LDAP server
• Allows for extended and double-byte characters in the user name
31
Mod_Auth_LDAP Example
• LDAP filters can be specified in the AuthLDAPURL directive
• Uses the UID (uniqueID) attribute by default
• Other "Require" directive options
  • User – only allow a specified user
  • Group – only allow users within a specific group
  • DN – only allow users matching the specified DNs

LoadModule ldap_module modules/utilldap.nlm
<IfModule util_ldap.c>
    LoadModule auth_ldap_module modules/authldap.nlm
    Alias /secure vol2:/webpages/secure
    <Directory vol2:/webpages/secure>
        AuthType Basic
        AuthName LDAP_Protected_Place
        AuthLDAPURL ldap://your.LDAPserver.com/o=ctx?cn
        require valid-user
    </Directory>
</IfModule>
32
Authorization - Mod_eDir
• Combines the functionality of Mod_NDS, Mod_RDirs and Mod_HDirs
• Enforces file access rights
• Remote server file system access
• eDirectory™ based home directory support
• Authorization or access control services only
• Relies on Mod_Auth_LDAP for authentication
• Enabled through the "Requires" directive (ex. Requires edir-user)
• Uses LDAP for all eDirectory access
• Requires a user name and password for access
• Can be configured to run in anonymous mode
33
Mod_eDir Remote Directory Example
HTTPD.CONF:
LoadModule edir_module modules/mod_edir.nlm
<IfModule mod_edir.c>
    include sys:/secure/edirauth.conf
    Alias /rdocs "remotesrv/data:/webpages/remote"
    <Directory "data:/webpages/remote">
        Options Indexes MultiViews
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>

EDIRAUTH.CONF (secured):
<IfModule mod_edir.c>
    eDirServer MY_SERVER
    eDirUserAccount cn=apache_server.o=admin_context
    eDirPassword secret
</IfModule>
34
Mod_eDir Home Directory Example
LoadModule edir_module modules/mod_edir.nlm
<IfModule mod_edir.c>
    hDirSearchContexts o=ctx, o=other_ctx
    include sys:/secure/edirauth.conf
    <Directory "data:/users/">
        Options Indexes MultiViews IncludesNoExec
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>

• The hDirSearchContexts directive lists the set of contexts that will be searched
• All listed contexts and sub-contexts are searched
• Users must be unique within all contexts
• Add restrictions to the <Directory…> block as needed
35
Anonymous vs. Authenticated Modes
Uses public rights vs. logging in with a special user ID and password
Anonymous mode requires public access rights to eDirectory attributes
• Home Directory – User home directory information
• Host Server – Physical server name
• Host Resource Name – Physical volume name
Authenticated mode requires a special user object with browse rights to USER and VOLUME objects
36
Anonymous Mode – Pros vs. Cons
Pros
• Does not require a special user object
• Easier to configure – requires fewer directives
• User home directory availability can be controlled by allowing or revoking public access rights to an object
Cons
• Requires public access rights to specific eDirectory attributes
• May require administrator intervention before the home directory is available
• Requires a local eDirectory replica on the Apache server box
• Server object of the Apache server box requires "Browse" and "Read" rights on all remote file systems
37
Authenticated Mode – Pros vs. Cons
Pros
• Does not require administrator intervention to allow home directory access
• Allows binding directly to LDAP or a remote file system rather than depending on public rights
• Allows the Apache server to acquire home directory information from any LDAP server
• All access to home directories or remote file systems can be controlled through a single Apache user object
Cons
• Requires a special Apache user object in eDirectory
• Requires that a user name and password be stored in a configuration file
38
Apache Web Based Administration
• Can manage any Apache server on any platform that supports an LDAP connection
• Web based administration allows the user to administer any Apache Web Server from anywhere
• Web farm administration is much easier since each server’s configuration is stored in eDirectory
• Configuration directives can be applied to a single server or shared among multiple servers
39
eDirectory based Configuration
• Allows the administrator to define each web server’s configuration in terms of eDirectory objects
• Each Apache Web Server, virtual server, module, directory, location, and file block is described as eDirectory objects
• By describing the Apache configuration in terms of objects, the web server can be configured and managed just like any other eDirectory object
40
Conclusion
• Default web server, very popular
• Apache 2.0 has been rebuilt from the ground up
• More efficient use of APIs through APR
• Better multi-processor support
• Apply configuration changes without unloading
• More shipping features and standard modules
• Increased performance with Mod_Cache
• LDAP authentication / eDirectory authorization
• Web based administration through eDirectory