Copyright © 2002-2008
EscapeBox Germany
The actual web server (Apache) is hidden behind an accelerator, a kind
of web cache dedicated to a single web server, except that in our setup
it has no disk cache. Its purpose is to deal efficiently with many
parallel web connections.
Normally, Apache would start lots of processes that basically idle
most of the time, waiting for the data just sent to trickle down slow
dialup lines. This is bad for server performance.
Instead, we let the accelerator deal with all these slow connections.
It is made for this. The accelerator works like a concentrator by
funnelling many slow Internet connections into just a few high-speed
(local) connections to the actual Apache web server. So only a
handful of Apache processes need to run, saving vast amounts of system
memory. Also, a few busy processes are more efficient on the CPU than
many mostly idling ones.
The accelerator takes over SSL encryption too, since it handles that
more efficiently than Apache as well. In case of an SSL connection
it passes a header line 'X-HTTPS' to the web server, with a value of
'on'. The web server in turn sets the environment variable 'HTTPS'
to a value of 'on' for SSL connections (as mod_ssl, which normally
handles SSL for Apache, would do).
This comes in handy if the web server needs to know whether the web
connection is originally encrypted or not. We actually use this
feature in the 'boxweb.conf' section (included into 'httpd.conf')
that deals with our "Server Box Information Area", to enforce an
SSL connection before we pass authentication data. Take a look at
it if you would like to find out how to achieve that.
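An added example (not the box's own 'boxweb.conf', which you should consult directly) of how the 'X-HTTPS' header line can be turned into the 'HTTPS' environment variable and then used to force SSL before any authentication data is requested. Doing it with mod_rewrite is an assumption; the box may use another mechanism. The '/box' path, the realm name and the redirect status are assumptions as well.

```apache
RewriteEngine On

# Mirror what mod_ssl would do: the accelerator says "X-HTTPS: on" for an
# SSL connection, so set HTTPS=on in the request environment.
# Check: only the accelerator must be able to reach this Apache port,
# otherwise any client could send the header itself and appear encrypted.
RewriteCond %{HTTP:X-HTTPS} ^on$
RewriteRule .* - [E=HTTPS:on]

# Force SSL for the Information Area *before* the browser is challenged
# for credentials: a plain-HTTP request for /box is redirected, so the
# password never travels over an unencrypted connection.
RewriteCond %{ENV:HTTPS} !^on$
RewriteRule ^/box(/.*)?$ https://%{HTTP_HOST}/box$1 [R=301,L]

# Authentication only applies to requests that got past the redirect,
# i.e. requests that arrived via SSL (assumed realm name).
<Location /box>
    AuthType Basic
    AuthName "Server Box Information Area"
    Require valid-user
</Location>
```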
The web server daemon (Apache) is equipped with a number of popular
and useful modules, in their DSO form. That is, you can add and
upgrade them without having to recompile the whole web server.
Here is a list of the preinstalled modules:
mod_access_referer
mod_auth_mysql
mod_auth_pam
mod_extract_forwarded
mod_fastcgi (disabled by default)
mod_gzip
mod_jk (disabled by default)
mod_layout
mod_perl
mod_php3
mod_php4 + eAccelerator
mod_php5 + eAccelerator
mod_put
mod_python
mod_sed
mod_text2html
mod_ticket
Some do not need much explanation because they are well-known.
All modules except for 'mod_fastcgi' and 'mod_jk' are enabled
by default. Some, however, need additional configuration directives
to actually do something useful.
- mod_access_referer:
Provides access control based on 'Referer' header
lines in requests. This module allows you to grant access to
web objects only via links you approve of. It helps prevent unauthorized
deep-linking from other sites if you do not like that.
- mod_auth_pam:
Allows for automatic authentication against existing
user accounts, so you normally do not need any extra password files
for the web server (no 'AuthUserFile' and 'AuthGroupFile' directives
necessary). You can enforce use of the conventional '.htpasswd'
method by putting an 'AuthPAM_Enabled off' directive at the top of the
respective directory hierarchy, or 'AuthPAM_FallThrough on' if you would
like to combine both methods.
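An added example (not taken from the box's configuration) of the two directives just mentioned: one directory hierarchy that uses only the conventional '.htpasswd' method, and one that tries the system accounts via PAM first and falls back to '.htpasswd'. The directory paths and password file location are assumptions.

```apache
# Assumed paths; adjust to your layout.
# Area 1: PAM switched off, so only the password file counts here and
# below. A system account does NOT grant access to this area.
<Directory /www/data/staff>
    AuthPAM_Enabled off
    AuthType Basic
    AuthName "Staff area (htpasswd only)"
    AuthUserFile /www/etc/htpasswd
    Require valid-user
</Directory>

# Area 2: PAM first; if PAM rejects the login, the request falls through
# to the next authentication module, which consults the password file.
# Without AuthPAM_FallThrough a PAM failure is final.
<Directory /www/data/members>
    AuthPAM_Enabled on
    AuthPAM_FallThrough on
    AuthType Basic
    AuthName "Members area (system account or htpasswd)"
    AuthUserFile /www/etc/htpasswd
    Require valid-user
</Directory>
```

Check which of the two methods actually admitted a user by looking at the authentication module named in the error log when a login fails; a fall-through means a PAM failure is logged even for users who then succeed against the password file.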
- mod_extract_forwarded:
Ensures that, although the accelerator in front of the web server
hides the requester's original IP address from it, the proper IP
addresses nevertheless show up in log files and are used for access
control. This works by way of an additional header line the accelerator
supplies that carries the necessary information.
- mod_fastcgi:
Lets you run CGIs in a daemon-like mode, without
constantly starting new instances. Gives a major performance boost
for busy sites. This module uses a number of resources even when idle,
and since not everyone needs it we disabled it by default ('httpd.conf').
To enable it just uncomment the two lines dealing with 'mod_fastcgi'
in Apache's 'httpd.conf', or rather its template 'httpd.conf.eperl' under
'/box/bin'.
- mod_gzip:
Compresses configurable object types on the fly. With
HTML pages full of redundancy like line indentations we have seen
compression rates down to 10% or less of the actual size. Not only
is this a major bandwidth saver, it also gives a snappier impression
to the viewer because of much less data transmitted. Precompressed
versions (gzip) can be deployed beside the original objects to
save CPU time for frequently requested objects.
- mod_jk:
Interface to Apache's Jakarta Tomcat Java Servlet/JSP Suite.
Since it starts a full-blown Java virtual machine, and probably few
users need it, we disabled it by default. To enable it you need to
activate one of the start/stop scripts '300.jakarta-tomcat3.sh',
'300.jakarta-tomcat41.sh' or '300.jakarta-tomcat50.sh' under
'/usr/local/etc/rc.d', and also uncomment the 'Include' line dealing
with 'mod_jk' in Apache's 'httpd.conf', or rather its template
'httpd.conf.eperl' under '/box/bin'. Additionally, by altering
the symlinks '/usr/local/bin/tomcat3ctl', '/usr/local/bin/tomcat41ctl'
and '/usr/local/bin/tomcat50ctl' you can select which JDK revision to
use for Tomcat. Also, in case of Tomcat 4.1 the symlink
'/usr/local/jakarta-tomcat4.1/common/lib/tools.jar' needs to point
to the matching JDK directory hierarchy. Check and alter it
accordingly if necessary. The same goes for Tomcat 5.0, where the symlink is
'/usr/local/jakarta-tomcat5.0/common/lib/tools.jar'.
- mod_layout:
Provides you with a mechanism to insert headers and
footers into existing pages. It allows for banner ads, but also
for a portal-like uniform look of a whole site, without having to
use frames.
You can wrap pages from many different sources, even CGI, SSI and
PHP. The "Server Box Information Area" has been built with this module.
- mod_php4 + eAccelerator:
PHP4 is the default version used by the web server. It is equipped
with a PHP accelerator (eAccelerator) for maximum performance,
and a host of extension modules is already preinstalled. A detailed
list of all the features is available in the Server Box Information
Area built into every box (item "PHP environment" in the navigation
menu). The config file is '/usr/local/etc/php.ini'.
- mod_php5 + eAccelerator:
PHP5 can be selected as an alternative to PHP4. It is equipped
with a PHP accelerator (eAccelerator) for maximum performance.
For added security, it comes with the Suhosin protection system
(Hardened-PHP Project) installed, and also a superset of the extension
modules that we have for PHP4. A detailed list of all the features
is available in the Server Box Information Area built into every
box (item "PHP environment" in the navigation menu). In order
to switch from PHP4 to PHP5 you just need to comment out the lines
"LoadModule php4_module ..." and "AddModule mod_php4.c" and instead
uncomment the lines "LoadModule php5_module ..." and "AddModule mod_php5.c"
in Apache's 'httpd.conf', or rather its template 'httpd.conf.eperl'
under '/box/bin'. In addition, add the path '/usr/local/php5/bin'
to your PATH environment variable (in front of '/usr/local/bin') so that
you pick up the proper version of the command line programs. PHP5's
config file is '/usr/local/php5/etc/php.ini'.
- mod_python:
There are multiple copies of 'mod_python', one for each version of
Python installed in our system. Which one gets used by Apache is
governed by symlink '/usr/local/libexec/apache/mod_python.so'. Check
and alter it accordingly if necessary.
- mod_ticket:
By checking for a digitally signed ticket in the URI, mod_ticket allows
passing authenticated sessions from one domain to another in a secure
fashion by way of a shared secret.
Also, it can track an HTTP session through a site without using cookies
in a manner which survives relative URL links.
Our server boxes support 'Host:' header based
virtual web hosting by means of the standard Apache 'VirtualHost' feature.
You would first have to uncomment the 'NameVirtualHost *' near the end
of '/usr/local/etc/apache/httpd.conf', or rather its template file
'/box/bin/httpd.conf.eperl'. Then add the 'VirtualHost' paragraphs
required for the individual domains. The syntax is outlined in the
example at the end of the config file.
In case you would like the '/box' magic
(auto-switch to SSL, authentication) to work for a virtual host
just include the '/box/etc/boxweb.conf' file in the respective
'VirtualHost' paragraph, like we do in the main configuration:
Include /box/etc/boxweb.conf
Note: Always keep '/box/cfg/domains' in sync
with the domain names you define with the 'VirtualHost' mechanism, or
else other services will not be aware that these domains are to be
considered local!
There is a full-blown webmail service built into the "Server Box
Information Area". If you would like to get at your email when you
do not have access to an email client, or if you just like to
use webmail services because they are simple to set up, all you
need is a web browser (with cookies enabled). Log into the "Server Box
Information Area", select "Webmail" from the menu and log into the mail
server. The preinstalled webmail (SquirrelMail) is IMAP-ready, with
subfolders and all.
In case you want to provide users that do not have access to the "Server
Box Information Area" with the webmail service as well, you can install
a symlink under '/www/data' like this:
cd /www/data
ln -s /usr/local/squirrelmail squirrelmail
Your users can then access it with
https://mydomain.tld/squirrelmail/
Note that we use SSL in this example. You may want to encourage your users
to access their email encrypted because otherwise their passwords travel
over the Internet unprotected. Also note that using the webmail
service consumes considerably more CPU time than managing email
folders with a remote client software.
There is a search engine built into every box. It is installed
ready-to-use and just waits to get integrated into the user's web pages.
To get an impression, try this:
http://mydomain.tld/search.html
Type in 'construction' and watch it come up with the result. Well, initially
there is, of course, only the "Under Construction" page installed, so that is
all it finds. However, if you put your pages under '/www/data' that
will make them searchable too. For a manual update you would run 'updatedig'
(as user 'root'). And if you would like an automatic weekly update as well,
just create an empty file '/usr/local/etc/htdig/updatedig.auto'.
The configuration, where you can also make its look and feel
fit your pages, is in 'htdig.conf', or rather in its template
'htdig.conf.eperl' under '/box/bin'. Please note that not all web content
is suited for being traversed by a search engine. Protecting specific
branches of the web hierarchy by 'robots.txt' files may prove necessary.
In order to find out how successful your web site really is, and
which pages are of most interest, a web log analyzing tool (Webalizer)
is built into your box. It runs each night, some time after the
web server rotates its logfiles. To access the statistics just
select "Web usage statistics" from the menu in the "Server Box
Information Area".
Those who also like to show their web site's success to others can
do so with the preinstalled web counter, the ever-popular 'Count.cgi'.
You can find it, or rather the symlink to where it is actually installed,
under '/www/cgi-bin'. If you do not already know how to use it, docs
are at its official home.
Finally, a number of tools for manipulating
pictures are installed, like the 'ImageMagick', 'netpbm', 'jpeg', 'png'
and 'tiff' packages. They can be used for image format and encoding
conversions, but also (especially 'ImageMagick' and 'netpbm') to bring
down the byte size of pictures and icons, without visible artifacts.
A little experimentation in this area can work wonders for your network
traffic bill!