Upload
oswin-sydney-cook
View
221
Download
0
Embed Size (px)
Citation preview
Web Servers
Web Servers
A web server can be: A computer program
Responsible for accepting HTTP requests from clients (web browsers)
Returns HTTP responses with optional data contents
Usually web pages HTML documents Linked objects (images, etc.).
A computer that runs a computer program which provides the above functionality
3
System Architecture
Multi-tier application (n-tier application) Information tier (data or bottom tier)
Maintains data for the application Stores data in a relational database management
system (RDBMS) Middle tier
Implements business logic and presentation logic Control interactions between application clients and
application data Client tier (top tier)
Application’s user interface Users interact directly with the application through the
client tier
4
Information tier (data or bottom tier)Middle tierClient tier (top tier)
5
Client-Side Scripting versus Server-Side Scripting
Client-side scripts Validate user input Reduce requests needed to be passed to server Access browser JavaScipt, VBScript
Server-side scripts Executed on server Generate custom response for clients Wide range of programmatic capabilities Access to server-side software that extends server
functionality
6
Accessing Web Servers
Request documents from Web servers know the Host names Local Web servers
Access through machine name or localhost Remote Web servers
Access through machine name Domain name or Internet Protocol (IP)
address Domain name server (DNS): Computer that
maintains a database of host names and their corresponding IP address
Common Features
Common Features
HTTP Accepts HTTP requests from a client Provides HTTP responses to the client
Typically an HTML document Can also be:
Raw text file Image Some other type of document
defined by MIME-types If an error is found in the client request or
while trying to serve the request Web server has to send an error response
May include custom HTML May have text messages to better explain the
problem to end users.
Common Features
Logging Web servers keep detailed information
to log files Client requests Server responses
Allows the webmaster to collect data Running log analyzers
Additional Features
Authentication Optional authorization before allowing
access to some or all resources Requires a user name and password
Handle Static content Dynamic content
Support one or more related interfaces SSI, CGI, SCGI, FastCGI, JSP, PHP, ASP,
ASP .NET, Server API such as NSAPI, ISAPI, etc.
Additional Features
HTTPS support VIA SSL or TLS Allows secure (encrypted) connections
Using port 443 instead of port 80
Content compression I.e. by gzip encoding Reduces the size of the responses
Lower bandwidth usage, etc.
Additional Features Virtual hosting
Serve many web sites using one IP address Large file support
Serve files greater than 2 GB Bandwidth throttling
Limit the speed of responses Do not saturate the network Able to serve more clients
Origin of returned content
Where does it all come from?
Content Origin
The origin of the content may be: Static
Comes from an existing file pre-existing in a file system
Dynamic Dynamically generated by some other
program Script Application Programming Interface (API) called by
the web server Static content is usually delivered much
faster than dynamic content 2 to 100 times Especially if the latter involves data pulled
from a database
Path translation
How does it find it?
Path translation
Web servers map the path component of a Uniform Resource Locator (URL) into: Local file system resource
Static requests Internal or external program name
Dynamic requests
For a static request the URL path specified by the client is relative to the Web server's root directory
Path translation
Consider the following URL requested by a client: http://www.example.com/path/file.html
Client's web browser translates it into a connection to www.example.com with the following HTTP 1.1 request: GET /path/file.html HTTP/1.1 Host:
www.example.com The web server on www.example.com then appends the
given path to the path of its root directory On Unix machines, this is commonly /var/www/htdocs. The result would then be the local file system resource:
/var/www/htdocs/path/file.html Web server then reads the file, if it exists, and sends a
response to the client's web browser Response will describe the content of the file and
contain the file itself
Popular Web Servers
Who’s running the show?What are they?The big two:
Apache
http://en.wikipedia.org/wiki/Apache_web_server We’re number one!
Apache
Apache HTTP Server, referred to simply as Apache: A web server Notable for playing a key role in the initial growth of the
World Wide Web Apache
First viable alternative to Netscape Communications Corporation web server
Currently known as Sun Java System Web Server Evolved to rival other Unix-based web servers
Functionality and performance Since April 1996 Apache has been the most popular
HTTP server on the World Wide Web Since March 2006 however it has experienced a steady
decline of its market share Lost mostly against Microsoft IIS and the .NET platform
September 2007: Apache served 50% of all websites
Apache Project's name was chosen for two reasons:
Respect for the Native American Indian Apache tribe Well-known for their endurance and their skills in warfare
Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation
Available for a wide variety of OSs Microsoft Windows Novell NetWare Unix-like operating systems: e.g. Linux and Mac
OS X Released under the Apache License
Apache is free software / open source software.
Apache History
History
The first version of the Apache web server was created by Robert McCool Heavily involved with the National Center for
Supercomputing Applications web server Known simply as NCSA HTTPd
When Rob left NCSA in mid-1994 Development of httpd stalled Left a variety of patches for improvements circulating
through e-mails Rob McCool was not alone in his efforts
Several other developers helped form the original "Apache Group":
Brian Behlendorf, Roy T. Fielding, Rob Hartill, David Robinson, Cliff Skol nick, Randy Terbush, Robert S. Thau, Andrew Wilson, Eric Hagberg, Frank Peters, and Nicolas Pioch
History
Version 2 of the Apache server was a substantial re-write of much of the Apache 1.x code Strong focus on further modularization and the
development of a portability layer, the Apache Portable Runtime
Apache 2.x core: several major enhancements over Apache 1.x:
UNIX threading Better support for non-Unix platforms New Apache API IPv6 support
First alpha release of Apache March 2, 2000 First general availability release on April 6, 2002
Version 2.2 introduced a new authorization API that allows for more flexibility Also features improved cache modules and proxy
modules
Features
Features
Apache supports a variety of features Many implemented as compiled modules
which extend the core functionality Range from server-side programming
language support to authentication schemes:
Common language interfaces support mod_perl, mod_python, Tcl(Tool Command
Language), and PHP Popular authentication modules include
mod_access, mod_auth, and mod_digest.
Features
Virtual hosting allows one Apache installation to serve many different actual websites For example, one machine, with one Apache
installation could simultaneously serve: www.example.com www.test.com test47.test-server.test.com etc.
Apache features Configurable error messages DBMS-based authentication databases Content negotiation
It is also supported by several graphical user interfaces (GUIs)
Permit easier, more intuitive configuration of the server
Usage
Usage
Apache is used to serve both static content and dynamic Web pages Many web applications are designed expecting
the environment and features that Apache provides
Apache is the web server component of the popular XAMPP web server application stack Partners with
MySQL PHP/Perl/(Python) programming languages
Usage
Apache is redistributed as part of various proprietary software packages including the Oracle Database IBM WebSphere application server
Mac OS X integrates Apache Its built-in web server Support for its WebObjects application server
It is also supported by Borland Kylix and Delphi development tools
Usage
Apache is included with Novell NetWare 6.5 Default web server
Apache is used for many other tasks where content needs to be made available in a secure and reliable way Sharing files from a personal computer over the
Internet A user who has Apache installed on their desktop
can put arbitrary files in the Apache's document root which can then be shared
Programmers developing web applications Locally installed version of Apache Preview and test code as it is being developed
License
License
The software license under which software from the Apache Foundation is distributed is a distinctive part of the Apache HTTP Server's history and presence in the open source software community The Apache License allows for the distribution of
both open and closed source derivations of the source code
The Free Software Foundation does not consider the Apache License to be compatible with version 2 of the GNU General Public License (GPL) Software licensed under the Apache License
cannot be integrated with software that is distributed under the GPL
License
It is a free software license Incompatible with the GPL
Has a specific requirement that is not in the GPL Has certain patent termination cases that the
GPL does not require However, version 3 of the GPL includes a
provision (Section 7e) which allows it to be compatible with licenses that have patent retaliation clauses, including the Apache License
The name Apache is a registered trademark and may only be used with the trademark holder's express permission
Microsoft IIS
http://en.wikipedia.org/wiki/IIS We’re # 2…
IIS
Microsoft Internet Information Services (IIS) Formerly called Internet Information Server Set of Internet-based services for servers using
Microsoft Windows World's second most popular web server in terms of
overall websites September 2007: it served 34.94% of all websites
and 36.63% of all active websites Services currently include:
FTP SMTP NNTP(Network News Transport protocol) HTTP/HTTPS
History of IIS
IIS initially released as additional set of Internet based services for Windows NT 3.51 IIS 2.0 added support for the Windows NT
4.0 IIS 3.0 introduced the Active Server Pages
dynamic scripting environment IIS 4.0 dropped support for the Gopher
protocol Bundled with Windows NT as a separate "Option
Pack" CD-ROM
History of IIS
Current shipping versions of IIS: 8.0 for windows 8 7.0 for Windows Vista 6.0 for Windows Server 2003
Added support for IPv6 5.1 for Windows XP Professional
IIS 5.1 for Windows XP is a restricted version of IIS that supports only 10 simultaneous connections and a single web site
History of IIS
FastCGI module available for IIS5.1, IIS6 and IIS7
Windows Vista does not install IIS 7.0 by default Can be selected among the list of optionally
installed components IIS 7.0 on Vista does not limit the number of
connections allowed Restricts performance based on active
concurrent requests
Security
Security
Earlier versions of IIS had lot of vulnerabilities Chief among them CA-2001-19
Led to the infamous Code Red worm
Version 7.0 currently has no reported issues In perspective, as of 11 September 2007, the
free software Apache web server has one unpatched reported issue Affecting only MS Windows systems Rated "less critical“
Security
IIS 6.0 opted to change the behavior of pre-installed ISAPI handlers Many of which were culprits in the
vulnerabilities on 4.0 and 5.0 Reduced the attack surface of IIS IIS 6.0 added a feature called "Web
Service Extensions“ Prevents IIS from launching any program
without explicit permission by an administrator
Security
IIS 7.0 the components were modularized Only the required components have to
be installed Further reducing the attack surface Security features such as URLFiltering
were added Rejects suspicious URLs based on a user
defined rule set
Security
In IIS 5.1 and lower: By default all websites were run
In-process Under the System account
a default Windows account with elevated rights
Security
In IIS 6.0 all request handling processes have been brought under a Network Services account Has significantly fewer privileges If there is an exploit in a feature or custom code
Wouldn't necessarily compromise the entire system
Given the sandboxed environment the processes run
Contains a new kernel HTTP stack (http.sys) Stricter HTTP request parser and response cache
for both static and dynamic content
Authentication mechanisms
Authentication mechanisms
IIS 5.0 and higher support the following authentication mechanisms: Basic access authentication Digest access authentication Integrated Windows Authentication .NET Passport Authentication
Internet Information Services 7.0
Internet Information Services 7.0
Debuting with Windows Vista To be included in Windows Server 2008
IIS 7.0 features a modular architecture Instead of a monolithic server which features all
services IIS 7 has a core web server engine Modules offering specific functionality can be
added to the engine to enable its features Advantages
Only the features required need be enabled The functionalities can be extended by using
custom modules
Internet Information Services 7.0
IIS 7 will ship with a handful of modules Microsoft will make other modules available
online The following sets of modules are slated to ship
with the server: HTTP Modules Security Modules Content Modules Compression Modules Caching Modules Logging and Diagnostics Modules that
integrates with the new configuration store, as well as the new management environment
Internet Information Services 7.0
A significant change from previous versions: All web server configuration information is stored
solely in XML configuration files Instead of in the metabase
The server has a global configuration file Provides defaults Each virtual web's document root (and any
subdirectory thereof) may contain a web.config Containing settings that augment or override the
defaults
Internet Information Services 7.0
Changes to these files take effect immediately Marks a significant departure from previous
versions whereby web interfaces, or machine administrator access, were required to change simple settings such as default document, active modules and security/authentication
It also eliminates the need to perform metabase synchronization between multiple servers in a farm of web servers
Internet Information Services 7.0
Features a completely rewritten administration interface Takes advantage of modern MMC
features such as Task panes Asynchronous operation
Configuration of ASP.NET is more fully integrated into the administrative interface.
Internet Information Services 7.0
Other changes: PICS content ratings, support for Microsoft Passport,
and server-side image maps are no longer included Executing commands via server-side includes is no
longer permitted. IISRESET -reboot has been removed The CONVLOG tool, which converts IIS log files into
NCSA format, has been removed Support for enabling a folder for "Web Sharing" via the
Windows Explorer interface has been removed. IIS Media Pack, which allows IIS to be used as a bare-
bones media server, without using Windows Media Services
New FTP module, that integrates with the new configuration store, as well as the new management environment
Web caching
Web caching is the storage of Web objects near the user to allow fast access, thus improving the user experience of the Web surfer. Examples of some Web objects are Web pages (the HTML itself), images in Web pages, etc.
Browser cache
Browsers’ cache Web objects on the user’s machine. A browser first looks for objects in its cache before requesting them from the website. Caching frequently used Web objects, speeds up Web surfing. For example, I often use google.com and yahoo.com. If their logos and navigation bars are stored in my browser’s cache, then the browser will pick them up from the cache and will not have to get them from the respective websites. Getting the objects from the cache is much faster than getting them from the websites.
Proxy cache
A proxy cache is installed near the Web users, say within an enterprise. Users in the enterprise are told to configure their browsers to use the proxy.Requests for objects from a website are intercepted and handled by the proxy cache. If they are not in the cache, the proxy gets them from another cache or from the website itself.
Reverse (inverse) proxy cache
To reduce the load on a website, a proxy cache, called the “reverse” proxy, is placed in front of the website server(s).The reverse proxy intercepts browser’s requests to the websites. If the reverse proxy does not have the requested Web object, it gets the object from another cache or from the website itself
Advantages of Web Caching?
Web caching has the following advantages: Faster delivery of Web objects to the end
user. Reduces bandwidth needs and cost. It
benefits the user, the service provider and the website owner.
Reduces load on the website servers.
Summary
Concentrated on HTTP servers Apache and IIS are the main web
serving tools Apache still king
IIS Up and coming Web Caching