Apache 2.0Conceitos e Projeto de Sistemas Distribuídos e Paralelos

Seminário Tecnológico

Adriano Machado (adrianoc@dcc.ufmg.br)Tiago Macambira (tmacam@dcc.ufmg.br)

2

Overview

Apache HTTPD Server Project

Apache 2.0 – What to expect?

Apache 2.0 Web Server Architecture

Site Acceleration Using Standard

Modules

New Features (Authent. and

Authorization.)

Apache 2.0 Administration

Conclusion

3

Apache HTTPD Server Project

Collaborative Software Development Effort• Managed by a Group of Volunteers• 80+ Foundation Members, 100’s Developers• All are invited to contribute

HTTP Server• Freely Available Binaries and Source Code• Cross platform implementation• Became the #1 Web Server on the Internet in

less than a year

4

Apache HTTPD Server Project

Web Servers

5

Apache 2.0 – What to expect?

• Unix Threading • On Unix systems with POSIX threads support, Apache

can now run in a hybrid multiprocess, multithreaded mode. This improves scalability for many, but not all configurations.

• Better multi-processor utilization• The API for modules has changed significantly for 2.0.

Many of the module-ordering/-priority problems from 1.3 should be gone. 2.0 does much of this automatically. Also, new calls have been added that provide additional module capabilities without patching the core Apache server.

• New Build System - Better performance• Built on new LIBC libraries• More efficient use of APIs through APR

6

Apache 2.0 – What to expect?

• Better thread handling and resource utilization• The number of worker threads are dynamic• Customized thread handling specifically for different

OS• More standard modules

• Mod_DAV Mod_Deflate• Mod_Auth_LDAP Mod_Cache• Etc.

• IPV6 support

• Customized error reporting (multi-language)• Additional Startup Options

• -e – Redirect any startup error to a file• -n – Rename the Apache console screen

7

Apache 2.0 – What to expect?

• Better support for non-Unix platforms • Apache 2.0 is faster and more stable on non-Unix

platforms such as BeOS, OS/2, and Windows. With the introduction of platform-specific multi-processing modules (MPMs) and the Apache Portable Runtime (APR), these platforms are now implemented in their native API, avoiding the often buggy and poorly performing POSIX-emulation layers.

• Multiprotocol Support• Infrastructure in place to support serving multiple

protocols• Additional Command Line Options

• Settings – Display worker thread information• Restart – Quick restart after configuration change• Shutdown – Terminates a running instance of Apache2• Others …

8

Apache 2.0 – What to expect?

• Simplified configuration• Many confusing directives have been simplified.

The often confusing Port and BindAddress directives are gone; only the Listen directive is used for IP address binding; the ServerName directive specifies the server name and port number only for redirection and vhost recognition.

• Filtering• Apache modules may now be written as filters

which act on the stream of content as it is delivered to or from the server. This allows, for example, the output of CGI scripts to be parsed for Server Side Include directives using the INCLUDES filter in mod_include. The module mod_ext_filter allows external programs to act as filters in much the same way that CGI programs can act as handlers.

9

Apache 2.0 – What to expect?

• Module Enhancementsmod_ssl • New module in Apache 2.0. This module is an

interface to the SSL/TLS encryption protocols provided by OpenSSL.

mod_dav • New module in Apache 2.0. This module

implements the HTTP Distributed Authoring and Versioning (DAV) specification for posting and maintaining web content.

mod_deflate • New module in Apache 2.0. This module allows

supporting browsers to request that content be compressed before delivery, saving network bandwidth.

10

Apache 2.0 – What to expect?

• Module Enhancementsmod_auth_ldap • New module in Apache 2.0.41. This module

allows an LDAP database to be used to store credentials for HTTP Basic Authentication. A companion module, mod_ldap provides connection pooling and results caching.

mod_auth_digest • Includes additional support for session caching

across processes using shared memory. mod_charset_lite • New module in Apache 2.0. This experimental

module allows for character set translation or recoding.

11

Apache 2.0 – What to expect?

• Module Enhancementsmod_file_cache • New module in Apache 2.0. This module includes

the functionality of mod_mmap_static in Apache 1.3, plus adds further caching abilities.

mod_headers • This module is much more flexible in Apache 2.0.

It can now modify request headers used by mod_proxy, and it can conditionally set response headers.

mod_proxy • The proxy module has been completely rewritten

to take advantage of the new filter infrastructure and to implement a more reliable, HTTP/1.1 compliant proxy.

12

Apache 2.0 – What to expect?

• Module Enhancementsmod_include • New directives allow the default start and end

tags for SSI elements to be changed and allow for error and time format configuration to take place in the main configuration file rather than in the SSI document. Results from regular expression parsing and grouping (now based on Perl's regular expression syntax) can be retrieved using mod_include's variables $0 .. $9.

mod_auth_dbm • Now supports multiple types of DBM-like

databases using the AuthDBMType directive.

13

Apache 2.0 Web Server Architecture

HTTPD server rebuilt from the ground up• Portability and platform customization were

high priorities• HTTPD server contains no platform specific

code• Thread and process handling is customized

through Multi-Processing Modules (MPM) for each platform

Backward Compatibility• Configuration remained basically the same• Internal API’s are very similar• 1.3.x and 2.0.x modules are not compatible

14

Apache 2.0 Web Server Architecture

Apache Web Server

Apache Modules

Other Cross Platform

Applications

Apache Portable Runtime (APR)

Netware Solaris Linux Windows Others…

Apache Portable Runtime Library (APR)• Offers a standard cross platform set of APIs• Each implementation of APR is customized for a

specific platform• Designed to be a general purpose cross platform

library

15

Apache 2.0 Web Server Architecture

Apache 1.3 versus 2.0

16

Apache 2.0 Web Server Architecture

Apache 1.3 versus 2.0

17

Improvements – Using Standard Modules

• Mod_Cache• Increase response time through caching

• Mod_Vhost_Alias• Simplify virtual host creation and maintenance

• Mod_Proxy• Offload heavy weight requests to backend

servers• Load balancing• Centralized authentication and encryption

• RotateLogs• Offload logging tasks and log rotation

18

Mod_Cache

Implements an RFC_2616 compliant HTTPD server content cache

• Refer to: http://httpd.apache.org/docs-2.0/mod/mod_cache.html

http://www.ietf.org/rfc/rfc2616.txt

Depends on one of two different storage sub-modules• Mod_Mem_Cache – Memory based storage manager

• Can be configured to cache file descriptors or actual content

• Can cache locally generated content or backend content for Mod_Proxy

• Mod_Disk_Cache – Disk based storage manager

19

Mod_Cache Example Configuration

• Enable memory based caching and cache all content• Set maximum cache size to 4096• Set maximum number of cached objects to 100• Don’t cache objects smaller than 1 byte or larger than 2048

bytes

LoadModule cache_module modules/mod_cache.nlm<IfModule mod_cache.c> LoadModule mem_cache_module modules/mod_mem_cache.nlm <IfModule mod_mem_cache.c> CacheEnable mem / MCacheSize 4096 MCacheMaxObjectCount 100 MCacheMinObjectSize 1 MCacheMaxObjectSize 2048 </IfModule></IfModule>

20

Mod_Cache Performance

CachingNo Caching

21

Mass Virtual Hosting

• Gives the appearance of multiple web servers• Eliminates the need for multiple

<VirtualHost…> blocks in the HTTPD.CONF file• Creates dynamically configured virtual hosts

• Virtual host is determined by the IP address or the Host: header

• Allows for a large number of virtual hosts with similar configurations

• Adding a new virtual host is simply a matter of creating a new directory structure

22

Mass Virtual Hosting

• UseCanonicalName must be set to off• Allows the VHost name to be derived from the Host:

header• Uses a single log file

• Logs can be split on a per-virtual-host bases by the first LogFormat field

• DocumentRoot and ScriptAlias specified through VHost directives

LoadModule vhost_alias_module modules/vhost.nlm<IfModule mod_vhost_alias.c> UseCanonicalName Off LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon CustomLog logs/access_log vcommon VirtualDocumentRoot SYS:/www/hosts/%0/docs VirtualScriptAlias SYS:/www/hosts/%0/cgi-bin </IfModule

23

Load Balancing with Mod_Proxy

• Compliant with HTTP/1.1 including “KeepAlive”

• Pluggable protocol handlers such as HTTP and FTP

• Utilizes Apache 2.0 filtering to accurately filter the data as it flows through

New features of Mod_Proxy

• Mirror to one or more backend Web servers

• Handle all authentication and SSL services on a single server

• Increase performance by passing more complex requests to the backend servers

Reverse Proxy

24

Reverse Proxy

• All client access must go through the reverse proxy server• The proxy server can handle all authentication and SSL

encryption for all backend servers• Backend web servers don’t have to be Apache servers• Backend web servers do not require any specialized

configurationClients Browser Any Web Server

Apache Proxy Server Firewall

25

Reverse Proxy Example

• Disable forward proxy with “ProxyRequests Off”• Redirect requests to the specific backend servers with

“ProxyPass”• Allow redirection headers to be fixed up with

“ProxyPassReverse”

LoadModule proxy_module modules/proxy.nlm<IfModule mod_proxy.c> LoadModule proxy_http_module modules/proxyhtp.nlm ProxyRequests Off #Reverse proxy to expense reporting web application server ProxyPass /expense/ http://www.expense.com:53080/expense/ ProxyPassReverse /expense/ http://www.expense.com:53080/expense/ #Reverse proxy to my general web application server ProxyPass /webapps/ http://www.webapps.com:53080/webapps/ ProxyPassReverse /webapps/ http://www.webapps.com:53080/webapps/ #Reverse proxy to other applications allow redirects ProxyPass /directapps/ http://www.directapps.com/</IfModule>

26

Stardard Log Rotation

Missing in Apache 1.3

• Used the directives (mutually exclusive):• LogRotateDaily – Rotate log on a daily basis• LogRotateInterval – Rotate log on a time basis

• Only rotates CustomLogs – ErrorLog can not be rotated

27

Apache 2.0 uses the RotateLogs• Functions in the same manner as on other platforms• Can be configured to rotate based on:

– Time – ex. Rotate every 86400 seconds or 24 hours

– – File size – ex. Rotate when the file size reaches 5

meg.

– • Differentiate time from file size by placing an ‘M’

after the size specifier

Log files are simply rotated not moved

Standard Log Rotation

CustomLog "|bin/rotatelogs /var/logs/logfile 86400" common

CustomLog "|bin/rotatelogs /var/logs/logfile 5M" common

28

Rotate Logs Performance

Logs DisabledRotate Logs

Default Logging

29

Authentication and Authorization

Apache provides several different methods of authentication and authorization

• File based authentication– Mod_Auth – Authenticates users by looking up

user names and passwords in a file created by the HTPASSWD utility

– Mod_Auth_Digest – Similar to Mod_Auth except it only accepts digest encrypted credentials

• Database based authentication– Mod_AuthDBM – Authenticates users by

looking up user names and passwords in a database managed by the DBMMANAGE utility

Third party authentication modules• Refer to: http://modules.apache.org

30

• Uses any LDAP compliant directory for authentication• Use of SSL encrypted connection is recommended

since Mod_Auth_LDAP only accepts “AuthType Basic” • Allows for complex authentication policies through

the use of LDAP filters• Caches LDAP operations using the Mod_LDAP sub-

module• Can be configured to use SSL connections to the

LDAP server• Allows for extended and double-byte characters in

the user name

Authentication - Mod_Auth_LDAP

31

Mod_Auth_LDAP Example

• LDAP filters can be specified in the AuthLDAPURL directive• Uses the UID (uniqueID) attribute by default• Other “Require” directive options

• User – only allow a specified user• Group – only allow users within a specific group• DN – only allow users matching the specifed DNs

LoadModule ldap_module modules/utilldap.nlm <IfModule util_ldap.c> LoadModule auth_ldap_module modules/authldap.nlm Alias /secure vol2:/webpages/secure <Directory vol2:/webpages/secure> AuthType Basic AuthName LDAP_Protected_Place AuthLDAPURL ldap://your.LDAPserver.com/o=ctx?cn require valid-user </Directory></IfModule>

32

Authorization - Mod_eDir

• Combines the functionality of Mod_NDS, Mod_RDirs and Mod_HDirs

• Enforces file access rights • Remote server file system access• eDirectory™ based home directory support

• Authorization or access control services only• Relies on Mod_Auth_LDAP for authentication• Enabled through the “Requires” directive (ex.

Requires edir-user)• Uses LDAP for all eDirectory access

• Requires a user name and password for access• Can be configured to run in anonymous mode

33

Mod_eDir Remote Directory Example

HTTPD.CONF: LoadModule edir_module modules/mod_edir.nlm <IfModule mod_edir.c>   include sys:/secure/edirauth.conf   Alias /rdocs "remotesrv/data:/webpages/remote"   <Directory "data:/webpages/remote">      Options Indexes MultiViews      Order allow,deny      Allow from all   </Directory></IfModule> EDIRAUTH.CONF (secured) <IfModule mod_edir.c>   eDirServer MY_SERVER   eDirUserAccount cn=apache_server.o=admin_context   eDirPassword secret</IfModule>

34

Mod_eDir Home Directory Example

LoadModule edir_module modules/mod_edir.nlm <IfModule mod_edir.c> hDirSearchContexts o=ctx, o=other_ctx

   include sys:/secure/edirauth.conf   <Directory "data:/users/">      Options Indexes MultiViews IncludesNoExec      Order allow,deny      Allow from all   </Directory></IfModule>

• hDirSearchContexts directives lists the set of contexts that will be searched

• All listed contexts and sub-contexts are searched• Users must be unique within all contexts• Add restrictions to the <Directory…> block as needed

35

Anonymous vs. Authenticated Modes

Uses public rights vs. logging in with a special user ID and password

Anonymous mode requires public access rights to eDirectory attributes• Home Directory – User home directory information• Host Server – Physical server name• Host Resource Name – Physical volume name

Authenticated mode requires a special user object with browse rights to USER and VOLUME objects

36

Anonymous Mode – Pros vs. Cons

• Does not require a special user object

• Easier to configure – requires fewer directives

• User home directory availability can be controlled by allowing or revoking public access rights to an object

Pros Cons

• Requires public access rights to specific eDirectory attributes

• May require administrator intervention before the home directory is available

• Requires a local eDirectory replica on the Apache server box

• Server object of the Apache server box requires “Browse” and “Read” rights on all remote files systems

37

Authenticated Mode – Pros vs. Cons

• Does not require administrator intervention to allow home directory access

• Allows binding directly to LDAP or a remote file system rather than depending on public rights

• Allows the Apache server to acquire home directory information from any LDAP server

• All access to home directories or remote file systems can be controlled through a single Apache user object

Pros Cons

• Requires a special Apache user object in eDirectory

• Requires that a user name and password be stored in a configuration file

38

Apache Web Based Administration

• Can manage any Apache server on any platform that supports an LDAP connection

• Web based administration allows the user to administer any Apache Web Server from anywhere

• Web farm administration is much easier since each server’s configuration is stored in eDirectory

• Configuration directives can be applied to a single server or shared among multiple servers

39

eDirectory based Configuration

• Allows the administrator to define each web server’s configuration in terms of eDirectory objects

• Each Apache Web Server, virtual server, module, directory, location, and file block is described as eDirectory objects

• By describing the Apache configuration in terms of objects, the web server can be configured and managed just like any other eDirectory object

40

Conclusion

• Default web server, very popular• Apache 2.0 has been rebuilt from the ground

up• More efficient use of API through APR• Better multi-processor support• Apply configuration changes without unloading• More shipping features and standard modules• Increased performance with Mod_Cache• LDAP authentication / eDirectory authorization• Web based administration through eDirectory