Web Access Chain of Events
CPTE 212
John Beckett

The Sequence
• Client looks up hostname in DNS
  – DNS returns IP address
• Client sends request to IP address
  – Includes hostname in the request
• Web server software fields request
  – If hostname not known by server to be a multidomain host, passes off to default site
  – If server knows this as a multidomain host, passes off to configured location

Where Are the Web Materials for the Default Site?
Windows
• Default Location: c:\inetpub\wwwroot
• Configure:
  – IIS Manager
  – Expand hostname (nCloud)
  – Sites…Default Web site…Edit Site…Basic Settings
(Ubuntu) Linux/Apache
• Default Location: /var/www/html
• Configure:
  – /etc/apache2/sites-available/000-default.conf
    • DocumentRoot
  – /etc/apache2/apache2.conf
    • <Directory /var/www>

Set your site up to use FTP for updates
Windows (we aren’t doing this)
• Create user for updating
• Build FTP site that is accessible to that user
• Change IIS configuration to use that user’s materials
• Upload into that user’s account
Linux/Apache
• Create user for updating
• Configure FTP to allow updating by users
  – /etc/vsftpd.conf “allow write”
• Configure Apache configuration to use that user’s materials
• Upload into that user’s account

Why Use public_html directory? - The Problem
• If you point the Web server at the user’s main directory (e.g. /home/username), clients can ask the server for any file in that directory structure
• Although good practices will prevent security problems in this case, any slip-up allows an attacker an entry you didn’t need to give them

Why Use public_html directory? - The Solution
• Point the Web Server at a directory within the user’s space
  – Traditionally, we name this public_html but you could choose another name
• The server-side scripts in that directory can then reference files in the parent directory with the notation “../filename”
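
The problem and solution above, as an added example that is not part of the original slides: it builds a throwaway copy of /home/username and compares what a client can request when the server points at the home directory versus public_html. The file names (.bash_history, db_settings.inc, report.php), their contents and the helper functions are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample tree for /home/username; every file name and value is made up.
SAMPLE_FILES = {
    ".bash_history": "constructed shell history\n",
    "db_settings.inc": "db_password=constructed-value\n",
    "public_html/index.html": "<h1>Hello</h1>\n",
    "public_html/report.php": "<?php include '../db_settings.inc'; ?>\n",
}

def build_home(base):
    """Create the sample home directory under a temporary base path."""
    home = Path(base) / "home" / "username"
    for rel, text in SAMPLE_FILES.items():
        path = home / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return home

def exposed_files(docroot):
    """Every file a client can name in a URL when the server points at docroot."""
    found = []
    for dirpath, _dirs, names in os.walk(docroot):
        for name in names:
            found.append((Path(dirpath) / name).relative_to(docroot).as_posix())
    return sorted(found)

def map_request(docroot, url_path):
    """Map a URL path to a file, refusing anything that resolves outside docroot."""
    root = Path(docroot).resolve()
    target = (root / url_path.lstrip("/")).resolve()
    if root not in target.parents:
        return None  # "../" in a client URL must not climb out of the document root
    return target if target.is_file() else None

def demo():
    with tempfile.TemporaryDirectory() as base:
        home = build_home(base)
        public = home / "public_html"
        return {
            "home_as_docroot": exposed_files(home),
            "public_html_as_docroot": exposed_files(public),
            "client_dotdot": map_request(public, "/../db_settings.inc"),
            # A server-side script has filesystem access, so "../filename" works for it.
            "script_reads_parent": (public / ".." / "db_settings.inc").read_text(),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

With the home directory as document root, the settings file and shell history are requestable by URL; with public_html as document root, only the two published files are, while the script can still read the settings file through the parent directory.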