Difference between revisions of "OPS335 Web Server Lab"

m (Added warning about shellshock)
m (Updating host names for winter semester.)
Line 4: Line 4:
 
{{Admon/important|Prerequisites|
 
{{Admon/important|Prerequisites|
 
Your hard drive should have Centos 6.5, 64 bit already installed.<br />
 
Your hard drive should have Centos 6.5, 64 bit already installed.<br />
You have Fedora 20, 64bit version on VM01, VM02, and VM03.<br />
+
You have Fedora 20, 64bit version on VM1, VM2, and VM3.<br />
 
Both your host and all VMs should have SELinux enabled.<br />
 
Both your host and all VMs should have SELinux enabled.<br />
 
Both host and all VMs should have all software updated.<br />
 
Both host and all VMs should have all software updated.<br />
Line 15: Line 15:
 
*Ensure you can access the web on your host machine and all your VMs.
 
*Ensure you can access the web on your host machine and all your VMs.
  
=== Install and test Apache on your VM01 and VM03 ===
+
=== Install and test Apache on your VM1 and VM3 ===
*Login to vm01 and install the following packages:
+
*Login to vm1 and install the following packages:
 
   yum install httpd httpd-tools
 
   yum install httpd httpd-tools
*Still on vm01 you can now start your web server with this command and enable the service to start at boot.
+
*Still on vm1 you can now start your web server with this command and enable the service to start at boot.
 
  systemctl start httpd.service
 
  systemctl start httpd.service
 
  systemctl enable httpd.service
 
  systemctl enable httpd.service
* Using a text browser such as lynx on vm01 go to localhost. You should get the "Fedora Test Page" which indicates your web server is running on the local virtual machine.
+
* Using a text browser such as lynx on vm1 go to localhost. You should get the "Fedora Test Page" which indicates your web server is running on the local virtual machine.
*backup your existing iptables rules on vm01 (make sure it still meets the specifications set out in the earlier labs) and add a rule to allow new traffic to your http server.
+
*backup your existing iptables rules on vm1 (make sure it still meets the specifications set out in the earlier labs) and add a rule to allow new traffic to your http server.
*Using Firefox on the <b>host</b> go to address for vm01 "192.168.X.2" (your ip addressing may differ). You should get the "Fedora Test Page" which indicates you can access your web server on VM01 via network connection. Do not continue until this step works.
+
*Using Firefox on the <b>host</b> go to address for vm1 "192.168.X.2" (your ip addressing may differ). You should get the "Fedora Test Page" which indicates you can access your web server on VM1 via network connection. Do not continue until this step works.
 
**Once you have this working, save your iptables.
 
**Once you have this working, save your iptables.
*You should also be able to open the webpage using the hostname of vm01.
+
*You should also be able to open the webpage using the hostname of vm1.
 
*Now create your <b>own</b> test page named index.html in the directory /var/www/html/. This does not have to anything fancy, just a [http://validator.w3.org/docs/help.html#validation_basics valid] html page with enough content for you to recognize it as your own.  Reload the web page on the host - you should see your own test page now instead of the default page from apache.
 
*Now create your <b>own</b> test page named index.html in the directory /var/www/html/. This does not have to anything fancy, just a [http://validator.w3.org/docs/help.html#validation_basics valid] html page with enough content for you to recognize it as your own.  Reload the web page on the host - you should see your own test page now instead of the default page from apache.
*Repeat the above steps for vm03.  Remember that it is using a different firewall.
+
*Repeat the above steps for vm3.  Remember that it is using a different firewall.
*Now, as root on the gateway/host, try to forward incoming http connections to your host to the web server on vm01. Use an iptables command something like this
+
*Now, as root on the gateway/host, try to forward incoming http connections to your host to the web server on vm1. Use an iptables command something like this
 
  iptables -t nat -A PREROUTING -i *yourinterface* -p tcp --dport 80 -j DNAT --to 192.168.X.2
 
  iptables -t nat -A PREROUTING -i *yourinterface* -p tcp --dport 80 -j DNAT --to 192.168.X.2
 
*You will also need to create a rule in the FORWARD chain in the default table to accept connections to port 80.
 
*You will also need to create a rule in the FORWARD chain in the default table to accept connections to port 80.
 
*To test this setup you'll need to ask a classmate on another PC to try to use Firefox to view your web page. S/he'll have to enter your host's external interface IP number (142.204.141.yyy) in Firefox's address window.
 
*To test this setup you'll need to ask a classmate on another PC to try to use Firefox to view your web page. S/he'll have to enter your host's external interface IP number (142.204.141.yyy) in Firefox's address window.
*Login to your vm01 (and then vm03) as root, edit the Apache configuration file and change the port your webserver is listening for incoming connections from 80 to 8080.
+
*Login to your vm1 (and then vm3) as root, edit the Apache configuration file and change the port your webserver is listening for incoming connections from 80 to 8080.
 
  vi /etc/httpd/conf/httpd.conf
 
  vi /etc/httpd/conf/httpd.conf
*Change your firewall rules on vm01 (and also vm03) to allow connections to this port (8080), and remove the previous rule to allow connections to port 80.
+
*Change your firewall rules on vm1 (and also vm3) to allow connections to this port (8080), and remove the previous rule to allow connections to port 80.
*Restart the apache server on vm01 and vm03 (this may take a minute).
+
*Restart the apache server on vm1 and vm3 (this may take a minute).
*Go back to the host and redo your iptables command to forward connections to port 80 (on your host) to the new port 8080 on vm01, removing the previous rule for port 80.
+
*Go back to the host and redo your iptables command to forward connections to port 80 (on your host) to the new port 8080 on vm1, removing the previous rule for port 80.
 
*Verify that other students on their PCs can still view your web page.
 
*Verify that other students on their PCs can still view your web page.
  
 
=== Load balancing using iptables ===
 
=== Load balancing using iptables ===
*Iptables can be used for load balancing connections. On your host machine add a rule(s) to the PREROUTING chain that will alternate connections bound for port 80 on your host machine to vm01 and vm03 (remove the other prerouting rules you created before doing this).
+
*Iptables can be used for load balancing connections. On your host machine add a rule(s) to the PREROUTING chain that will alternate connections bound for port 80 on your host machine to vm1 and vm3 (remove the other prerouting rules you created before doing this).
 
  iptables -t nat -I PREROUTING -p tcp --dport 80 -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j DNAT --to-destination 192.168.X.4:8080
 
  iptables -t nat -I PREROUTING -p tcp --dport 80 -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j DNAT --to-destination 192.168.X.4:8080
 
  iptables -t nat -I PREROUTING -p tcp --dport 80 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.X.2:8080
 
  iptables -t nat -I PREROUTING -p tcp --dport 80 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.X.2:8080
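Review bot: the two load-balancing rules at the end of this hunk (`-m statistic --mode nth --every 2 --packet 1` to 192.168.X.4:8080 and `--packet 0` to 192.168.X.2:8080) do not alternate connections evenly. The statistic match keeps a separate counter per rule, so whichever rule ends up second in the chain only sees the connections the first rule let through and then matches every other one of those, leaving a quarter of new connections without any DNAT. Suggest keeping `--every 2 --packet 0` on the rule that is evaluated first and dropping the statistic match from the other one so it catches the remainder; because both commands use `-I`, the catch-all has to be inserted first so that the nth rule lands in front of it.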
Line 47: Line 47:
 
=== Add missing DNS resource records ===
 
=== Add missing DNS resource records ===
 
* Edit your forward look-up zone file and add the following resource records.
 
* Edit your forward look-up zone file and add the following resource records.
** A mail exchange record that points mail for the domain to vm02.
+
** A mail exchange record that points mail for the domain to vm2.
 
** Alases as follows:
 
** Alases as follows:
 
***host  - alias router
 
***host  - alias router
***vm02 - alias mail
+
***vm2 - alias mail
***vm01 - alias www1
+
***vm1 - alias www1
***vm03 - alias www2
+
***vm3 - alias www2
 
**Add text records that identify the roles on each of these machines and a text record for the domain "This is < your full name here>'s OPS335 Domain".
 
**Add text records that identify the roles on each of these machines and a text record for the domain "This is < your full name here>'s OPS335 Domain".
 
**Once these records have been added, be sure to increment your Serial number for the zone file. While not crucial for the lab as we do not yet have a slave DNS server, getting into the habit ensures slaves will be informed of the changes.
 
**Once these records have been added, be sure to increment your Serial number for the zone file. While not crucial for the lab as we do not yet have a slave DNS server, getting into the habit ensures slaves will be informed of the changes.
Line 58: Line 58:
  
 
=== Adding Webmail to your domain ===
 
=== Adding Webmail to your domain ===
*In order for our domain to offer webmail services to its users you will need to install the following packages on vm02
+
*In order for our domain to offer webmail services to its users you will need to install the following packages on vm2
 
  yum install squirrelmail httpd dovecot
 
  yum install squirrelmail httpd dovecot
 
*The SquirrelMail files are in /usr/share/squirrelmail, create the a symbolic link to share those files on the internet.
 
*The SquirrelMail files are in /usr/share/squirrelmail, create the a symbolic link to share those files on the internet.
Line 76: Line 76:
 
  chmod 0600 /var/mail/*
 
  chmod 0600 /var/mail/*
 
*you should now start and enable dovecot, httpd and restart postfix if it was already running.
 
*you should now start and enable dovecot, httpd and restart postfix if it was already running.
*test your connection to SquirrelMail by opening a browser and navigating to vm02/mail. You should see a log in page. Sign in using your login credentials on vm02.
+
*test your connection to SquirrelMail by opening a browser and navigating to vm2/mail. You should see a log in page. Sign in using your login credentials on vm2.
 
**You may receive an error stating: 'Error connecting to IMAP server: localhost.  13 : Permission denied'.  If you do, run the command 'setsebool -P httpd_can_network_connect=1'.  This will set an SELinux boolean to allow httpd connections across the network.
 
**You may receive an error stating: 'Error connecting to IMAP server: localhost.  13 : Permission denied'.  If you do, run the command 'setsebool -P httpd_can_network_connect=1'.  This will set an SELinux boolean to allow httpd connections across the network.
 
*You will need to open ports on your firewall to allow connections to the webserver, and port forwarding on the host so that any web traffic sent to it will be redirected to your VM2.
 
*You will need to open ports on your firewall to allow connections to the webserver, and port forwarding on the host so that any web traffic sent to it will be redirected to your VM2.
Line 93: Line 93:
 
#What user/group does Apache run under on Fedora 20?
 
#What user/group does Apache run under on Fedora 20?
 
#What % share of the web server market was running apache as of December 2013?
 
#What % share of the web server market was running apache as of December 2013?
#What specific command (give full details) would you need to use on your host to forward all ssh connections to vm01?
+
#What specific command (give full details) would you need to use on your host to forward all ssh connections to vm1?
 
#What is the web site for Apache?
 
#What is the web site for Apache?
 
#What is Apache's highest version number? What is the version running on your system?
 
#What is Apache's highest version number? What is the version running on your system?

Revision as of 13:13, 25 February 2015

Basic Apache (Web Server) Setup

This lab will show you how to set up the Apache Web server using a Fedora 20 installed PC.

Prerequisites

Your hard drive should have CentOS 6.5, 64-bit, already installed.
You have Fedora 20, 64-bit version, on VM1, VM2, and VM3.
Both your host and all VMs should have SELinux enabled.
Both host and all VMs should have all software updated.

Ensure the clocks on both machines are set to the correct date and time.
Security Issue
Due to a recently discovered security issue regarding bash and CGI, it is imperative that you update your machines before proceeding with this lab.

Testing your network

  • Start Firefox on your host and authenticate yourself on Senenet.
  • Ensure you can access the web on your host machine and all your VMs.

Install and test Apache on your VM1 and VM3

  • Login to vm1 and install the following packages:
 yum install httpd httpd-tools
  • Still on vm1 you can now start your web server with this command and enable the service to start at boot.
systemctl start httpd.service
systemctl enable httpd.service
  • Using a text browser such as lynx on vm1 go to localhost. You should get the "Fedora Test Page" which indicates your web server is running on the local virtual machine.
  • Back up your existing iptables rules on vm1 (make sure they still meet the specifications set out in the earlier labs) and add a rule to allow new traffic to your http server.
  • Using Firefox on the host go to address for vm1 "192.168.X.2" (your ip addressing may differ). You should get the "Fedora Test Page" which indicates you can access your web server on VM1 via network connection. Do not continue until this step works.
    • Once you have this working, save your iptables.
  • You should also be able to open the webpage using the hostname of vm1.
  • Now create your own test page named index.html in the directory /var/www/html/. This does not have to be anything fancy, just a valid html page with enough content for you to recognize it as your own. Reload the web page on the host - you should see your own test page now instead of the default page from apache.
  • Repeat the above steps for vm3. Remember that it is using a different firewall.
  • Now, as root on the gateway/host, try to forward incoming http connections to your host to the web server on vm1. Use an iptables command something like this:
iptables -t nat -A PREROUTING -i *yourinterface* -p tcp --dport 80 -j DNAT --to 192.168.X.2
  • You will also need to create a rule in the FORWARD chain in the default table to accept connections to port 80.
  • To test this setup you'll need to ask a classmate on another PC to try to use Firefox to view your web page. S/he'll have to enter your host's external interface IP number (142.204.141.yyy) in Firefox's address window.
  • Login to your vm1 (and then vm3) as root, edit the Apache configuration file and change the port your web server listens on for incoming connections from 80 to 8080.
vi /etc/httpd/conf/httpd.conf
  • Change your firewall rules on vm1 (and also vm3) to allow connections to this port (8080), and remove the previous rule to allow connections to port 80.
  • Restart the apache server on vm1 and vm3 (this may take a minute).
  • Go back to the host and redo your iptables command to forward connections to port 80 (on your host) to the new port 8080 on vm1, removing the previous rule for port 80.
  • Verify that other students on their PCs can still view your web page.

Load balancing using iptables

  • Iptables can be used for load balancing connections. On your host machine add a rule(s) to the PREROUTING chain that will alternate connections bound for port 80 on your host machine to vm1 and vm3 (remove the other prerouting rules you created before doing this).
iptables -t nat -I PREROUTING -p tcp --dport 80 -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j DNAT --to-destination 192.168.X.4:8080
iptables -t nat -I PREROUTING -p tcp --dport 80 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.X.2:8080
  • Again ask another student to test that load balancing is indeed working.
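The rules above rely on the `statistic` match in `nth` mode, and it is worth knowing how that match actually counts before you test with a classmate. The following is an added example, not part of the lab: a small Python model of the PREROUTING chain. It assumes, as the xt_statistic module does, that every rule keeps its own counter, that the counter only advances for packets that reach that rule, and that the rule matches when (counter % every) == packet.

```python
# Added example (not part of the lab): a model of how the iptables
# `statistic` match in `nth` mode hands out NEW connections when two DNAT
# rules share the PREROUTING chain. Assumption, matching the xt_statistic
# module: each rule keeps its own counter, advanced only by the packets
# that reach it, and matches when (counter % every) == packet.
from collections import Counter


class NthRule:
    """One PREROUTING DNAT rule, optionally with `-m statistic --mode nth`."""

    def __init__(self, target, every=None, packet=None):
        self.target = target      # the --to-destination value
        self.every = every        # --every N (None = no statistic match)
        self.packet = packet      # --packet P
        self.count = 0            # per-rule counter, as in xt_statistic

    def matches(self):
        if self.every is None:    # plain rule: always matches
            return True
        hit = (self.count % self.every) == self.packet
        self.count += 1           # advances only when this rule is evaluated
        return hit


def route_connections(chain, n):
    """Send n NEW connections through the chain; the first matching rule
    DNATs the connection. Returns a tally per destination; connections that
    no rule matches are left on the host."""
    tally = Counter()
    for _ in range(n):
        for rule in chain:
            if rule.matches():
                tally[rule.target] += 1
                break
        else:
            tally["no DNAT (stays on host)"] += 1
    return dict(tally)


def lab_chain():
    """The two rules from the lab. Both use `-I`, so the command run last
    (packet 0 -> vm1) sits first in the chain."""
    return [NthRule("192.168.X.2:8080", every=2, packet=0),
            NthRule("192.168.X.4:8080", every=2, packet=1)]


def balanced_chain():
    """Same idea with the second rule as a plain catch-all: the first rule
    takes every other connection, the second takes whatever is left."""
    return [NthRule("192.168.X.2:8080", every=2, packet=0),
            NthRule("192.168.X.4:8080")]


if __name__ == "__main__":
    print("lab rules:     ", route_connections(lab_chain(), 100))
    print("balanced rules:", route_connections(balanced_chain(), 100))
```

Run it and the lab's pair sends half of the connections to vm1 but only a quarter to vm3, with the remaining quarter never DNATed at all: the second rule's counter only sees the connections the first rule declined, and then takes every other one of those. The catch-all variant splits 50/50. Whichever pair you use, confirm on the host with the packet counters from `iptables -t nat -L PREROUTING -v -n` while a classmate reloads the page, and remember that `-I` inserts at the top, so a catch-all rule must be inserted before the nth rule or it will take everything.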

Add missing DNS resource records

  • Edit your forward look-up zone file and add the following resource records.
    • A mail exchange record that points mail for the domain to vm2.
    • Aliases as follows:
      • host - alias router
      • vm2 - alias mail
      • vm1 - alias www1
      • vm3 - alias www2
    • Add text records that identify the roles on each of these machines and a text record for the domain "This is < your full name here>'s OPS335 Domain".
    • Once these records have been added, be sure to increment your Serial number for the zone file. While not crucial for the lab as we do not yet have a slave DNS server, getting into the habit ensures slaves will be informed of the changes.
    • Use the tools you have learned in earlier labs (e.g. ping, host, lynx, etc.) to make sure these records work.
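As an added example (not part of the lab), the Python below builds the MX, alias and TXT records this step asks for, appends them to a zone, increments the SOA serial, and runs a few checks of the kind you would want before reloading named. The domain name `example.ops`, the 192.168.1.x addresses and the starting zone are constructed sample values, not taken from the lab; substitute your own.

```python
# Added example (not part of the lab): build the MX, alias and TXT records
# this step asks for, append them to a zone, bump the SOA serial, and check
# the result before reloading named. The domain name, the addresses and the
# starting zone below are constructed sample values, not taken from the lab.
import re

DOMAIN = "example.ops"            # assumed domain, stands in for your own

# Constructed starting zone: the records earlier labs would have left in place.
OLD_ZONE = f"""\
$TTL 86400
@    IN SOA host.{DOMAIN}. root.{DOMAIN}. (
             2015022501 ; serial
             3600       ; refresh
             900        ; retry
             604800     ; expire
             86400 )    ; minimum
     IN NS  host.{DOMAIN}.
host IN A   192.168.1.1
vm1  IN A   192.168.1.2
vm2  IN A   192.168.1.3
vm3  IN A   192.168.1.4
"""

# Records the lab asks for. The MX points at vm2's real name, not at the
# 'mail' alias: an MX target must be a name with an address record, not a CNAME.
NEW_RECORDS = [
    f"@      IN MX    10 vm2.{DOMAIN}.",
    "router IN CNAME host",
    "mail   IN CNAME vm2",
    "www1   IN CNAME vm1",
    "www2   IN CNAME vm3",
    "host   IN TXT   \"gateway, router and DNS server\"",
    "vm1    IN TXT   \"web server www1\"",
    "vm2    IN TXT   \"mail server\"",
    "vm3    IN TXT   \"web server www2\"",
    "@      IN TXT   \"This is < your full name here>'s OPS335 Domain\"",
]

_SERIAL = re.compile(r"SOA[^(]*\(\s*(\d+)")


def get_serial(zone):
    """Return the SOA serial as an int."""
    return int(_SERIAL.search(zone).group(1))


def update_zone(zone, records):
    """Append records and increment the serial by one, as the lab requires."""
    m = _SERIAL.search(zone)
    bumped = zone[:m.start(1)] + str(int(m.group(1)) + 1) + zone[m.end(1):]
    return bumped.rstrip("\n") + "\n" + "\n".join(records) + "\n"


def records_of(zone, rtype):
    """(owner, rdata) pairs for one record type; comments are stripped."""
    out = []
    for line in zone.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) >= 4 and fields[1] == "IN" and fields[2] == rtype:
            out.append((fields[0], " ".join(fields[3:])))
    return out


def check_zone(old_zone, new_zone):
    """Return a list of problems; an empty list means the zone is ready."""
    problems = []
    if get_serial(new_zone) <= get_serial(old_zone):
        problems.append("serial not incremented")
    aliases = {owner for owner, _ in records_of(new_zone, "CNAME")}
    for want in ("router", "mail", "www1", "www2"):
        if want not in aliases:
            problems.append(f"missing alias {want}")
    mx = records_of(new_zone, "MX")
    if not mx:
        problems.append("no MX record")
    for _, rdata in mx:
        target = rdata.split()[1].rstrip(".").split(".")[0]
        if target in aliases:
            problems.append(f"MX target {target} is an alias (CNAME)")
    if not records_of(new_zone, "TXT"):
        problems.append("no TXT records")
    return problems


if __name__ == "__main__":
    new_zone = update_zone(OLD_ZONE, NEW_RECORDS)
    print(new_zone)
    print("problems:", check_zone(OLD_ZONE, new_zone))
```

The serial check is the one people forget: a slave only transfers the zone when the serial has grown, so a zone with new records and the old serial looks unchanged to it. The MX check catches the other common slip of pointing the MX at the `mail` alias instead of at vm2 itself. After editing the real zone file, `named-checkzone` and the `host`/`dig` queries from earlier labs are the tools for confirming that named serves what you wrote.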

Adding Webmail to your domain

  • In order for our domain to offer webmail services to its users you will need to install the following packages on vm2
yum install squirrelmail httpd dovecot
  • The SquirrelMail files are in /usr/share/squirrelmail; create a symbolic link to share those files on the internet.
ln -s /usr/share/squirrelmail /var/www/html/mail
  • Change directories and run the configuration script for SquirrelMail
cd /usr/share/squirrelmail/config
./conf.pl
  • Use the menu to select #2 - Server Settings. Edit #1 (Domain), entering your domain name, and #3, selecting SMTP. Ensure you have saved the data, then return to the main menu. From the main menu select option D - Set pre-defined settings for specific IMAP servers, then enter 'dovecot'.
  • From the main menu select '1. Organization Preferences', then select option #1 'Organization Name' and change this to your domain name.
  • Check the Postfix configuration file, find the line below, and make sure "$mydomain" is listed, to ensure delivery of emails sent to the domain and not just to the host name.
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
  • Edit the dovecot configuration file (use dovecot -n to find out where it is) and uncomment the following line
protocols = imap pop3 lmtp
  • And add to the bottom of the file
mail_location = mbox:~/mail:INBOX=/var/mail/%u
  • You will need to change the permissions on the mail directories for the users from the default 660 to 600.
chmod 0600 /var/mail/*
  • You should now start and enable dovecot and httpd, and restart postfix if it was already running.
  • Test your connection to SquirrelMail by opening a browser and navigating to vm2/mail. You should see a login page. Sign in using your login credentials on vm2.
    • You may receive an error stating: 'Error connecting to IMAP server: localhost. 13 : Permission denied'. If you do, run the command 'setsebool -P httpd_can_network_connect=1'. This will set an SELinux boolean to allow httpd connections across the network.
  • You will need to open ports on your firewall to allow connections to the webserver, and port forwarding on the host so that any web traffic sent to it will be redirected to your VM2.

Completing the Lab

Upon completing this lab you have gained experience in balancing traffic between several servers, and in routing traffic from one server to another. You have also made use of some more advanced resource records in your DNS server.

Remove the PREROUTING rules that were balancing web traffic between your VMs. While the rules themselves are fine, the iptables-save command will break them when it saves them, preventing your tables from working properly.

Exploration questions:

  1. Where are the apache log files stored? What does each one log?
  2. What does the server root parameter determine? What is its default value?
  3. What does the document root parameter determine? What is its default value?
  4. What is the default configuration file for the Apache web server on Fedora 20? Give the absolute path.
  5. What is the maximum number of connections allowed on the server by default?
  6. What user/group does Apache run under on Fedora 20?
  7. What % share of the web server market was running apache as of December 2013?
  8. What specific command (give full details) would you need to use on your host to forward all ssh connections to vm1?
  9. What is the web site for Apache?
  10. What is Apache's highest version number? What is the version running on your system?