Web Servers

Web Servers. A web server can be: A computer program Responsible for accepting HTTP requests from clients (web browsers) Returns HTTP responses with


Web Servers

A web server can be:
- A computer program
  - Responsible for accepting HTTP requests from clients (web browsers)
  - Returns HTTP responses with optional data contents
    - Usually web pages: HTML documents and linked objects (images, etc.)
- A computer that runs a computer program which provides the above functionality


System Architecture

Multi-tier application (n-tier application)
- Information tier (data or bottom tier)
  - Maintains data for the application
  - Stores data in a relational database management system (RDBMS)
- Middle tier
  - Implements business logic and presentation logic
  - Controls interactions between application clients and application data
- Client tier (top tier)
  - Application's user interface
  - Users interact directly with the application through the client tier


Information tier (data or bottom tier)
Middle tier
Client tier (top tier)


Client-Side Scripting versus Server-Side Scripting

Client-side scripts
- Validate user input
- Reduce requests needed to be passed to server
- Access browser
- JavaScript, VBScript

Server-side scripts
- Executed on server
- Generate custom response for clients
- Wide range of programmatic capabilities
- Access to server-side software that extends server functionality


Accessing Web Servers

- Request documents from Web servers: know the host names
- Local Web servers
  - Access through machine name or localhost
- Remote Web servers
  - Access through machine name
- Domain name or Internet Protocol (IP) address
- Domain name server (DNS): computer that maintains a database of host names and their corresponding IP addresses


Common Features


Common Features

HTTP
- Accepts HTTP requests from a client
- Provides HTTP responses to the client
  - Typically an HTML document
  - Can also be:
    - Raw text file
    - Image
    - Some other type of document defined by MIME types
- If an error is found in the client request or while trying to serve the request
  - Web server has to send an error response
    - May include custom HTML
    - May have text messages to better explain the problem to end users


Common Features

Logging
- Web servers write detailed information to log files
  - Client requests
  - Server responses
- Allows the webmaster to collect data
  - Running log analyzers


Additional Features

- Authentication
  - Optional authorization before allowing access to some or all resources
  - Requires a user name and password
- Handle
  - Static content
  - Dynamic content
- Support one or more related interfaces
  - SSI, CGI, SCGI, FastCGI, JSP, PHP, ASP, ASP.NET, server APIs such as NSAPI, ISAPI, etc.


Additional Features

- HTTPS support
  - Via SSL or TLS
  - Allows secure (encrypted) connections
  - Using port 443 instead of port 80
- Content compression
  - I.e. by gzip encoding
  - Reduces the size of the responses
  - Lower bandwidth usage, etc.


Additional Features

- Virtual hosting
  - Serve many web sites using one IP address
- Large file support
  - Serve files greater than 2 GB
- Bandwidth throttling
  - Limit the speed of responses
  - Do not saturate the network
  - Able to serve more clients


Origin of returned content

Where does it all come from?


Content Origin

The origin of the content may be:
- Static
  - Comes from a pre-existing file in a file system
- Dynamic
  - Dynamically generated by some other program, script, or Application Programming Interface (API) called by the web server
- Static content is usually delivered much faster than dynamic content
  - 2 to 100 times
  - Especially if the latter involves data pulled from a database


Path translation

How does it find it?


Path translation

Web servers map the path component of a Uniform Resource Locator (URL) into:
- Local file system resource
  - Static requests
- Internal or external program name
  - Dynamic requests

For a static request, the URL path specified by the client is relative to the Web server's root directory


Path translation

- Consider the following URL requested by a client:
    http://www.example.com/path/file.html
- Client's web browser translates it into a connection to www.example.com with the following HTTP 1.1 request:
    GET /path/file.html HTTP/1.1
    Host: www.example.com
- The web server on www.example.com then appends the given path to the path of its root directory
  - On Unix machines, this is commonly /var/www/htdocs
  - The result would then be the local file system resource:
      /var/www/htdocs/path/file.html
- Web server then reads the file, if it exists, and sends a response to the client's web browser
  - Response will describe the content of the file and contain the file itself
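
Added example (not from the original slides): a Python sketch of the path translation described above, which appends the request path to the document root and refuses any result that resolves outside it. The function names, the status code chosen for each failure, and the temporary document root built in demo() are assumptions made for illustration.

```python
"""Path translation for static requests, with a document-root containment check."""
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTranslationError(Exception):
    """Raised when a request cannot be mapped to a file under the document root."""

    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status


def translate_path(request_line: str, root: Path) -> Path:
    """Map 'GET /path/file.html HTTP/1.1' to <root>/path/file.html."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] not in ("GET", "HEAD"):
        raise PathTranslationError(400, "malformed or unsupported request line")
    # Only the path component is translated; drop any query string or fragment.
    url_path = parts[1].split("?", 1)[0].split("#", 1)[0]
    # Decode percent-escapes once, so an encoded '..' is seen before the check.
    url_path = unquote(url_path)
    if not url_path.startswith("/") or "\x00" in url_path:
        raise PathTranslationError(400, "path must be absolute and NUL-free")
    # Append the request path to the root directory, as the slide describes.
    candidate = root / url_path.lstrip("/")
    # resolve() collapses '.' and '..' and follows symlinks; the result must
    # still lie inside the resolved root, otherwise the request is refused.
    root_real = root.resolve()
    resolved = candidate.resolve()
    try:
        resolved.relative_to(root_real)
    except ValueError:
        raise PathTranslationError(403, "path escapes the document root") from None
    return resolved


def handle_static(request_line: str, root: Path):
    """Return (status, body) for a static request: read the file if it exists."""
    try:
        file_path = translate_path(request_line, root)
    except PathTranslationError as exc:
        return exc.status, str(exc).encode()
    if not file_path.is_file():
        return 404, b"not found"
    return 200, file_path.read_bytes()


def demo():
    """Run constructed sample requests against a throwaway document root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"  # stands in for /var/www/htdocs
        (root / "path").mkdir(parents=True)
        (root / "path" / "file.html").write_bytes(b"<h1>hello</h1>")
        (Path(tmp) / "secret.txt").write_bytes(b"outside the root")
        requests = [  # constructed sample request lines
            "GET /path/file.html HTTP/1.1",          # the slide's example
            "GET /path/missing.html HTTP/1.1",       # inside root, no such file
            "GET /path/../../secret.txt HTTP/1.1",   # climbs above the root
            "GET /%2e%2e/secret.txt HTTP/1.1",       # same, percent-encoded
            "GET /path/./file.html?x=1 HTTP/1.1",    # harmless '.', query dropped
            "BOGUS",                                 # not a request line
        ]
        return [handle_static(line, root)[0] for line in requests]


if __name__ == "__main__":
    print(demo())
```

Because the containment check runs on the resolved path, it also catches a symlink inside the document root that points outside it, which a check on the request string alone would miss.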


Popular Web Servers

Who’s running the show?
What are they?
The big two:


Apache

http://en.wikipedia.org/wiki/Apache_web_server
We’re number one!


Apache

Apache HTTP Server, referred to simply as Apache:
- A web server
- Notable for playing a key role in the initial growth of the World Wide Web

Apache
- First viable alternative to Netscape Communications Corporation web server
  - Currently known as Sun Java System Web Server
- Evolved to rival other Unix-based web servers
  - Functionality and performance
- Since April 1996 Apache has been the most popular HTTP server on the World Wide Web
- Since March 2006, however, it has experienced a steady decline of its market share
  - Lost mostly against Microsoft IIS and the .NET platform
- September 2007: Apache served 50% of all websites


Apache

- Project's name was chosen for two reasons:
  - Respect for the Native American Indian Apache tribe
    - Well-known for their endurance and their skills in warfare
- Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation
- Available for a wide variety of OSs
  - Microsoft Windows
  - Novell NetWare
  - Unix-like operating systems, e.g. Linux and Mac OS X
- Released under the Apache License
  - Apache is free software / open source software.


Apache History


History

- The first version of the Apache web server was created by Robert McCool
  - Heavily involved with the National Center for Supercomputing Applications web server
  - Known simply as NCSA HTTPd
- When Rob left NCSA in mid-1994
  - Development of httpd stalled
  - Left a variety of patches for improvements circulating through e-mails
- Rob McCool was not alone in his efforts
  - Several other developers helped form the original "Apache Group":
    - Brian Behlendorf, Roy T. Fielding, Rob Hartill, David Robinson, Cliff Skolnick, Randy Terbush, Robert S. Thau, Andrew Wilson, Eric Hagberg, Frank Peters, and Nicolas Pioch


History

- Version 2 of the Apache server was a substantial re-write of much of the Apache 1.x code
  - Strong focus on further modularization and the development of a portability layer, the Apache Portable Runtime
- Apache 2.x core: several major enhancements over Apache 1.x:
  - UNIX threading
  - Better support for non-Unix platforms
  - New Apache API
  - IPv6 support
- First alpha release of Apache March 2, 2000
  - First general availability release on April 6, 2002
- Version 2.2 introduced a new authorization API that allows for more flexibility
  - Also features improved cache modules and proxy modules


Features


Features

- Apache supports a variety of features
  - Many implemented as compiled modules which extend the core functionality
  - Range from server-side programming language support to authentication schemes:
    - Common language interfaces support mod_perl, mod_python, Tcl (Tool Command Language), and PHP
    - Popular authentication modules include mod_access, mod_auth, and mod_digest.


Features

- Virtual hosting allows one Apache installation to serve many different actual websites
  - For example, one machine with one Apache installation could simultaneously serve:
    - www.example.com
    - www.test.com
    - test47.test-server.test.com
    - etc.
- Apache features
  - Configurable error messages
  - DBMS-based authentication databases
  - Content negotiation
- It is also supported by several graphical user interfaces (GUIs)
  - Permit easier, more intuitive configuration of the server


Usage


Usage

- Apache is used to serve both static content and dynamic Web pages
  - Many web applications are designed expecting the environment and features that Apache provides
- Apache is the web server component of the popular XAMPP web server application stack
  - Partners with
    - MySQL
    - PHP/Perl/(Python) programming languages


Usage

- Apache is redistributed as part of various proprietary software packages including
  - The Oracle Database
  - IBM WebSphere application server
- Mac OS X integrates Apache
  - Its built-in web server
  - Support for its WebObjects application server
- It is also supported by Borland Kylix and Delphi development tools


Usage

- Apache is included with Novell NetWare 6.5
  - Default web server
- Apache is used for many other tasks where content needs to be made available in a secure and reliable way
  - Sharing files from a personal computer over the Internet
    - A user who has Apache installed on their desktop can put arbitrary files in Apache's document root, which can then be shared
  - Programmers developing web applications
    - Locally installed version of Apache
    - Preview and test code as it is being developed


License


License

- The software license under which software from the Apache Foundation is distributed is a distinctive part of the Apache HTTP Server's history and presence in the open source software community
  - The Apache License allows for the distribution of both open and closed source derivations of the source code
- The Free Software Foundation does not consider the Apache License to be compatible with version 2 of the GNU General Public License (GPL)
  - Software licensed under the Apache License cannot be integrated with software that is distributed under the GPL


License

- It is a free software license
- Incompatible with the GPL
  - Has a specific requirement that is not in the GPL
  - Has certain patent termination cases that the GPL does not require
- However, version 3 of the GPL includes a provision (Section 7e) which allows it to be compatible with licenses that have patent retaliation clauses, including the Apache License
- The name Apache is a registered trademark and may only be used with the trademark holder's express permission


Microsoft IIS

http://en.wikipedia.org/wiki/IIS
We’re # 2…


IIS

Microsoft Internet Information Services (IIS)
- Formerly called Internet Information Server
- Set of Internet-based services for servers using Microsoft Windows
- World's second most popular web server in terms of overall websites
  - September 2007: it served 34.94% of all websites and 36.63% of all active websites
- Services currently include:
  - FTP
  - SMTP
  - NNTP (Network News Transport protocol)
  - HTTP/HTTPS


History of IIS

- IIS initially released as an additional set of Internet-based services for Windows NT 3.51
- IIS 2.0 added support for Windows NT 4.0
- IIS 3.0 introduced the Active Server Pages dynamic scripting environment
- IIS 4.0 dropped support for the Gopher protocol
  - Bundled with Windows NT as a separate "Option Pack" CD-ROM


History of IIS

Current shipping versions of IIS:
- 8.0 for Windows 8
- 7.0 for Windows Vista
- 6.0 for Windows Server 2003
  - Added support for IPv6
- 5.1 for Windows XP Professional
  - IIS 5.1 for Windows XP is a restricted version of IIS that supports only 10 simultaneous connections and a single web site


History of IIS

- FastCGI module available for IIS 5.1, IIS 6 and IIS 7
- Windows Vista does not install IIS 7.0 by default
  - Can be selected among the list of optionally installed components
- IIS 7.0 on Vista does not limit the number of connections allowed
  - Restricts performance based on active concurrent requests


Security


Security

- Earlier versions of IIS had a lot of vulnerabilities
  - Chief among them CA-2001-19
    - Led to the infamous Code Red worm
- Version 7.0 currently has no reported issues
  - In perspective, as of 11 September 2007, the free software Apache web server has one unpatched reported issue
    - Affecting only MS Windows systems
    - Rated "less critical"


Security

- IIS 6.0 opted to change the behavior of pre-installed ISAPI handlers
  - Many of which were culprits in the vulnerabilities on 4.0 and 5.0
  - Reduced the attack surface of IIS
- IIS 6.0 added a feature called "Web Service Extensions"
  - Prevents IIS from launching any program without explicit permission by an administrator


Security

- In IIS 7.0 the components were modularized
  - Only the required components have to be installed
  - Further reducing the attack surface
- Security features such as URLFiltering were added
  - Rejects suspicious URLs based on a user-defined rule set


Security

In IIS 5.1 and lower:
- By default all websites were run
  - In-process
  - Under the System account
    - A default Windows account with elevated rights


Security

- In IIS 6.0 all request handling processes have been brought under a Network Services account
  - Has significantly fewer privileges
  - If there is an exploit in a feature or custom code
    - Wouldn't necessarily compromise the entire system
    - Given the sandboxed environment the processes run in
- Contains a new kernel HTTP stack (http.sys)
  - Stricter HTTP request parser and response cache for both static and dynamic content


Authentication mechanisms


Authentication mechanisms

IIS 5.0 and higher support the following authentication mechanisms:
- Basic access authentication
- Digest access authentication
- Integrated Windows Authentication
- .NET Passport Authentication


Internet Information Services 7.0


Internet Information Services 7.0

- Debuting with Windows Vista
  - To be included in Windows Server 2008
- IIS 7.0 features a modular architecture
  - Instead of a monolithic server which features all services
  - IIS 7 has a core web server engine
  - Modules offering specific functionality can be added to the engine to enable its features
- Advantages
  - Only the features required need be enabled
  - The functionalities can be extended by using custom modules


Internet Information Services 7.0

- IIS 7 will ship with a handful of modules
  - Microsoft will make other modules available online
- The following sets of modules are slated to ship with the server:
  - HTTP Modules
  - Security Modules
  - Content Modules
  - Compression Modules
  - Caching Modules
  - Logging and Diagnostics Modules that integrate with the new configuration store, as well as the new management environment


Internet Information Services 7.0

A significant change from previous versions:
- All web server configuration information is stored solely in XML configuration files
  - Instead of in the metabase
- The server has a global configuration file
  - Provides defaults
- Each virtual web's document root (and any subdirectory thereof) may contain a web.config
  - Containing settings that augment or override the defaults


Internet Information Services 7.0

- Changes to these files take effect immediately
  - Marks a significant departure from previous versions whereby web interfaces, or machine administrator access, were required to change simple settings such as default document, active modules and security/authentication
- It also eliminates the need to perform metabase synchronization between multiple servers in a farm of web servers


Internet Information Services 7.0

- Features a completely rewritten administration interface
  - Takes advantage of modern MMC features such as
    - Task panes
    - Asynchronous operation
- Configuration of ASP.NET is more fully integrated into the administrative interface.


Internet Information Services 7.0

Other changes:
- PICS content ratings, support for Microsoft Passport, and server-side image maps are no longer included
- Executing commands via server-side includes is no longer permitted.
- IISRESET -reboot has been removed
- The CONVLOG tool, which converts IIS log files into NCSA format, has been removed
- Support for enabling a folder for "Web Sharing" via the Windows Explorer interface has been removed.
- IIS Media Pack, which allows IIS to be used as a bare-bones media server, without using Windows Media Services
- New FTP module, that integrates with the new configuration store, as well as the new management environment


Web caching

Web caching is the storage of Web objects near the user to allow fast access, thus improving the user experience of the Web surfer. Examples of some Web objects are Web pages (the HTML itself), images in Web pages, etc.


Browser cache

Browsers cache Web objects on the user’s machine. A browser first looks for objects in its cache before requesting them from the website. Caching frequently used Web objects speeds up Web surfing. For example, I often use google.com and yahoo.com. If their logos and navigation bars are stored in my browser’s cache, then the browser will pick them up from the cache and will not have to get them from the respective websites. Getting the objects from the cache is much faster than getting them from the websites.


Proxy cache

A proxy cache is installed near the Web users, say within an enterprise. Users in the enterprise are told to configure their browsers to use the proxy. Requests for objects from a website are intercepted and handled by the proxy cache. If they are not in the cache, the proxy gets them from another cache or from the website itself.


Reverse (inverse) proxy cache

To reduce the load on a website, a proxy cache, called the “reverse” proxy, is placed in front of the website server(s). The reverse proxy intercepts browsers’ requests to the websites. If the reverse proxy does not have the requested Web object, it gets the object from another cache or from the website itself.


Advantages of Web Caching?

Web caching has the following advantages:
- Faster delivery of Web objects to the end user.
- Reduces bandwidth needs and cost. It benefits the user, the service provider and the website owner.
- Reduces load on the website servers.


Summary

- Concentrated on HTTP servers
- Apache and IIS are the main web serving tools
  - Apache still king
  - IIS up and coming
- Web Caching