(4) Server Rules

• Web servers are server-side implementations of HTTP
• Running them requires a set of rules
  • on which port to listen for incoming requests
  • from where to accept incoming requests
  • where to read documents from
  • how to allow/deny access to documents
  • what to do with those documents
  • how to return them in HTTP responses
• Rules might apply to the whole server [General Server Setup (1)] or on a per-directory basis [Overriding Server Setup (1)]

(5) General Server Setup

• Server start means reading the configuration file
  • there typically is a compiled default location
  • it is also possible to set the location ar runtime

  /usr/local/apache/bin/httpd -f /usr/local/apache/conf/httpd.conf

• Server start may fail due to a variety of reasons
  • it is not allowed to use the specified network port
  • some other program is already bound to the specified network port
  • access to required files (e.g., log file) is not possible

(6) Restricting Access

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
Listen 127.0.0.1:80
#Listen 80

(7) Document Root

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "C:/Documents and Settings/dret/Desktop"

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "C:/Documents and Settings/dret/Desktop">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks Includes ExecCGI MultiViews
   
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride All

    #
    # Controls who can get stuff from this server.
    #
    Order deny,allow
    Deny from all
    Allow from localhost

</Directory>

# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.php index.php4 index.php3 index.cgi index.pl index.html index.htm index.shtml index.phtml
</IfModule>

(8) File Handling and Processing

DefaultType text/plain

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig conf/mime.types

text/html   html htm

    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
   AddType text/html .shtml
   AddOutputFilter INCLUDES .shtml

(9) What's Going On?

68.204.118.125 - - [05/Apr/2010:20:30:12 +0200] "GET /lectures/mobapp-spring10/hotspot/hotspot/layout/ischool/ischool/circles.gif HTTP/1.1" 200 4789 "http://dret.net/lectures/mobapp-spring10/hotspot/hotspot/layout/ischool/ischool.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
95.108.156.251 - - [05/Apr/2010:20:30:16 +0200] "GET /glossary/dqdb HTTP/1.1" 200 20860 "-" "Yandex/1.01.001 (compatible; Win16; I)"
207.46.204.196 - - [05/Apr/2010:20:30:21 +0200] "GET /glossary/pop HTTP/1.1" 200 20751 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
207.46.12.156 - - [05/Apr/2010:20:30:36 +0200] "GET /glossary/base16 HTTP/1.1" 200 16147 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;  SV1;  .NET CLR 1.1.4322;  .NET CLR 2.0.40607;  .NET CLR 3.0.30729;  .NET CLR 3.5.30729;  MS-RTC LM 8)"
207.46.204.182 - - [05/Apr/2010:20:30:40 +0200] "GET /rfc-index/reference/RFC3145 HTTP/1.1" 404 329 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
207.46.12.156 - - [05/Apr/2010:20:30:42 +0200] "GET /wwwwmap/nicetitle.js HTTP/1.1" 200 6012 "http://dret.net/glossary/base16" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;  SV1;  .NET CLR 1.1.4322;  .NET CLR 2.0.40607;  .NET CLR 3.0.30729;  .NET CLR 3.5.30729;  MS-RTC LM 8)"
207.46.12.156 - - [05/Apr/2010:20:30:45 +0200] "GET /wwwwmap/nicetitle.css HTTP/1.1" 200 299 "http://dret.net/glossary/base16" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;  SV1;  .NET CLR 1.1.4322;  .NET CLR 2.0.40607;  .NET CLR 3.0.30729;  .NET CLR 3.5.30729;  MS-RTC LM 8)"
207.46.12.156 - - [05/Apr/2010:20:30:48 +0200] "GET /glossary.css HTTP/1.1" 200 3641 "http://dret.net/glossary/base16" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;  SV1;  .NET CLR 1.1.4322;  .NET CLR 2.0.40607;  .NET CLR 3.0.30729;  .NET CLR 3.5.30729;  MS-RTC LM 8)"
59.149.193.49 - - [05/Apr/2010:20:30:50 +0200] "GET /lectures/web-fall08/variants+analysis HTTP/1.1" 200 33891 "http://images.google.com.hk/imgres?imgurl=http://dret.net/lectures/web-fall08/img/swot.png&imgrefurl=http://dret.net/lectures/web-fall08/variants%2Banalysis&usg=__ZiBLsfKY9gAN-IMbwP0Cc2rLdVs=&h=275&w=279&sz=32&hl=zh-TW&start=56&itbs=1&tbnid=cI15G4HQUyLaZM:&tbnh=112&tbnw=114&prev=/images%3Fq%3DSWOT%26start%3D40%26hl%3Dzh-TW%26safe%3Dstrict%26sa%3DN%26gbv%3D2%26ndsp%3D20%26tbs%3Disch:1" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB0.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
59.149.193.49 - - [05/Apr/2010:20:30:50 +0200] "GET /lectures/web-fall08/img/swot.png HTTP/1.1" 200 32044 "http://images.google.com.hk/imgres?imgurl=http://dret.net/lectures/web-fall08/img/swot.png&imgrefurl=http://dret.net/lectures/web-fall08/variants%2Banalysis&usg=__ZiBLsfKY9gAN-IMbwP0Cc2rLdVs=&h=275&w=279&sz=32&hl=zh-TW&start=56&itbs=1&tbnid=cI15G4HQUyLaZM:&tbnh=112&tbnw=114&prev=/images%3Fq%3DSWOT%26start%3D40%26hl%3Dzh-TW%26safe%3Dstrict%26sa%3DN%26gbv%3D2%26ndsp%3D20%26tbs%3Disch:1" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB0.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
59.149.193.49 - - [05/Apr/2010:20:30:52 +0200] "GET /favicon.ico HTTP/1.1" 200 958 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB0.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
59.149.193.49 - - [05/Apr/2010:20:31:06 +0200] "GET /lectures/web-fall08/img/swot.png HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; GTB0.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
207.46.13.52 - - [05/Apr/2010:20:31:10 +0200] "GET /rfc-index/reference/RFC5469 HTTP/1.1" 404 329 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
95.108.156.251 - - [05/Apr/2010:20:31:21 +0200] "GET /glossary/oeb HTTP/1.1" 200 17538 "-" "Yandex/1.01.001 (compatible; Win16; I)"
91.144.37.6 - - [05/Apr/2010:20:31:31 +0200] "GET /glossary/shttp HTTP/1.0" 200 24811 "http://www.google.com.sa/search?hl=ar&rlz=1T4SKPB_en___SY373&q=%D8%A8%D8%B1%D9%88%D8%AA%D9%88%D9%83%D9%88%D9%84+SHTTP&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
91.144.37.6 - - [05/Apr/2010:20:31:32 +0200] "GET /wwwwmap/nicetitle.js HTTP/1.0" 200 6012 "http://dret.net/glossary/shttp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
91.144.37.6 - - [05/Apr/2010:20:31:37 +0200] "GET /wwwwmap/nicetitle.css HTTP/1.0" 200 299 "http://dret.net/glossary/shttp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
91.144.37.6 - - [05/Apr/2010:20:31:37 +0200] "GET /glossary.css HTTP/1.0" 200 3641 "http://dret.net/glossary/shttp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
91.85.167.115 - - [05/Apr/2010:20:31:38 +0200] "GET /biblio/reference/rdfainhtml HTTP/1.0" 200 6101 "-" "Wget/1.11.4"
91.144.37.6 - - [05/Apr/2010:20:31:52 +0200] "GET /wwwwmap/nicetitle-bg.png HTTP/1.0" 200 914 "http://dret.net/glossary/shttp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
67.195.112.227 - - [05/Apr/2010:20:31:54 +0200] "GET /glossary/pim HTTP/1.0" 200 17303 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.112.227 - - [05/Apr/2010:20:32:02 +0200] "GET /biblio/reference/rfc2300 HTTP/1.0" 200 4897 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
90.149.198.109 - - [05/Apr/2010:20:32:12 +0200] "GET /lectures/web-fall09/img/web-browser-usage.png HTTP/1.1" 200 24356 "http://images.google.no/images?hl=no&q=WebOS%20Browser&um=1&ie=UTF-8&sa=N&tab=wi" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1045 Safari/532.5"
207.46.13.93 - - [05/Apr/2010:20:32:15 +0200] "GET /rfc-index/reference/RFC2046 HTTP/1.1" 404 329 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
95.108.156.251 - - [05/Apr/2010:20:32:26 +0200] "GET /glossary/sdds HTTP/1.1" 200 22476 "-" "Yandex/1.01.001 (compatible; Win16; I)"
67.195.112.227 - - [05/Apr/2010:20:32:33 +0200] "GET /biblio/reference/sci2003.html HTTP/1.0" 200 4520 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
207.46.13.96 - - [05/Apr/2010:20:32:42 +0200] "GET /biblio/reference/rfc2985 HTTP/1.1" 304 - "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
77.83.223.27 - - [05/Apr/2010:20:32:58 +0200] "GET /projects/xslidy/ HTTP/1.1" 200 6841 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.366.2 Safari/533.4"

(10) What Went Wrong?

[Mon Apr 05 20:09:13 2010] [error] [client 207.46.13.87] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:09:52 2010] [error] [client 207.46.13.88] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:12:00 2010] [error] [client 65.55.218.158] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:12:40 2010] [error] [client 207.46.204.231] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:13:42 2010] [error] [client 207.46.13.91] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:14:41 2010] [error] [client 207.46.13.40] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:14:57 2010] [error] [client 136.152.139.79] File does not exist: /home/dret/public_html/lectures/mobapp-spring10/hotspot/kilauea/localization/en-us.js, referer: http://dret.net/lectures/mobapp-spring10/project-example
[Mon Apr 05 20:15:06 2010] [error] [client 193.63.197.246] File does not exist: /home/dret/public_html/lectures/web-fall08/hotspot/kilauea/localization/en-US.js, referer: http://dret.net/lectures/web-fall08/unicode
[Mon Apr 05 20:17:40 2010] [error] [client 207.46.199.49] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:17:49 2010] [error] [client 207.46.13.50] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:18:10 2010] [error] [client 207.46.195.241] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:18:10 2010] [error] [client 207.46.195.241] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:18:45 2010] [error] [client 207.46.204.241] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:20:14 2010] [error] [client 67.174.253.46] File does not exist: /home/dret/public_html/lectures/mobapp-spring10/hotspot/kilauea/localization/en-US.js, referer: http://dret.net/lectures/mobapp-spring10/geolocation
[Mon Apr 05 20:20:45 2010] [error] [client 207.46.204.242] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:20:53 2010] [error] [client 174.129.131.200] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:21:16 2010] [error] [client 207.46.204.189] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:21:18 2010] [error] [client 207.46.204.234] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:21:43 2010] [error] [client 207.46.204.228] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:22:18 2010] [error] [client 207.46.199.48] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:22:41 2010] [error] [client 207.46.204.238] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:23:08 2010] [error] [client 174.129.136.94] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:23:31 2010] [error] [client 174.129.136.94] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:24:09 2010] [error] [client 207.46.204.180] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:26:19 2010] [error] [client 220.181.94.237] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:26:53 2010] [error] [client 184.73.71.238] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:27:11 2010] [error] [client 207.46.204.182] File does not exist: /home/dret/public_html/lectures/infosys-ws06/xml-quickref.pdf
[Mon Apr 05 20:27:17 2010] [error] [client 67.195.112.227] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:27:51 2010] [error] [client 174.129.112.194] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:28:30 2010] [error] [client 174.129.112.194] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:28:33 2010] [error] [client 174.129.112.194] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:28:39 2010] [error] [client 174.129.112.194] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:29:42 2010] [error] [client 207.46.204.228] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:30:11 2010] [error] [client 207.46.195.241] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:30:11 2010] [error] [client 68.204.118.125] File does not exist: /home/dret/public_html/lectures/mobapp-spring10/hotspot/kilauea/localization/en-US.js, referer: http://dret.net/lectures/mobapp-spring10/history
[Mon Apr 05 20:30:40 2010] [error] [client 207.46.204.182] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:31:10 2010] [error] [client 207.46.13.52] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:32:15 2010] [error] [client 207.46.13.93] File does not exist: /home/dret/public_html/rfc-index/reference

(11) Overriding Server Setup

• httpd.conf is the global server configuration
  • it can be more reasonable to outsource certain configurations
  • for community servers some users might want to add/change the configuration
• Apache allows to make configurations on a per-directory basis
  • .htaccess [http://httpd.apache.org/docs/2.2/howto/htaccess.html] files are read before a request is processed
  • they can only change what has been allowed on AllowOverride [http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride]
  • using .htaccess has a noticeable performance impact (for high load)
• .htaccess uses the same configuration syntax as httpd.conf

(13) Identification

• Identity is required for any non-anonymous communications
  • groups can have an identity (facebook members see more than non-members)
  • pseudonyms are hidden identities (the real identity is not visible)
  • personal identity should be tied to a person itself
• Proof of Identity is important for any privileged operation
  • signatures and seals are traditional ways
  • traditional ways are mostly protected by law (but not really safe)
  • more modern ways often include technical methods for Authentication [Authentication]
• Client identity on the Web can be bound in three ways:
  1. Computer (most of the time identified by an Internet Addressing [Geolocation; Internet Addressing (1)])
  2. Browser (in the form of a stored cookie [Local Storage; Cookies (1)])
  3. User (identified through some authentication method [Authentication])

(14) Authentication

• Authentication is the process of verifying an identity
  • the weakest form of authentication is simply trust
  • legal consequences can make it more risky to falsify authentication
  • technical measures should make it hard or impossible to falsify authentication
• Authentication on the Web comes in different flavors
  • implicitly by accessing a server from some Internet Addressing [Geolocation; Internet Addressing (1)] range
  • presenting a cookie [Local Storage; Cookies (1)] from a previous formal authentication
  • presenting a password as a proof of identity
  • proving that you are owning additional authentication hardware (often PIN [http://en.wikipedia.org/wiki/Personal_identification_number]-enabled)
• Risk and potential damage should justify authentication methods

(15) Authorization

• Authorization is the question of allowing operations
  • Identification [Identification (1)] is necessary to identify the initiator
  • Authentication [Authentication] is necessary to verify the initiator's identity
  • if the initiator is authorized, the operation can be performed
• Web pages often are public or restricted
  • public web pages do not require any identification (and thus authentication)
  • restricted access Web pages can be group pages (internal company pages)
  • personal access is another popular scenario (email, facebook, online banking)
• Web servers have well-defined ways of performing authentication [Web Foundations (URI & HTTP); HTTP Authentication (1)]

(17) HTTP Sessions

• HTTP is a stateless protocol
  • each individual request is independent of others
• Authentication often is based on state/sessions
  • users provide credentials and enter a trusted state
  • based on some method the trusted state can be left
• Cookies [Local Storage; Cookies (1)] were invented to simulate sessions
  • they can be set by servers and thus are state kept with the client
  • cookies are popular for browsers but not so popular for other clients
• HTTP has its own methods of supporting authentication
  • not used by many Web sites (because of browser inconveniences)
  • a simple and standardized option for Web-based services

(18) Logging In

• Clients ask for a resource that is access controlled
• Servers respond with an HTTP header asking for authentication
• Clients ask the user to provide the required information
• The request is repeated with the user credentials
• Servers check for proper authorization and respond accordingly
• Clients are allowed to remember the credentials for the realm

(19) Logging Out

• You cannot logout because you never logged in
  • HTTP has no session concept
  • repeating authentication for each request is not an option
  • clients store authentication credentials and repeat them for the user
• Logging out is entirely under the control of the client
  • when does the client discards the credentials?
  • easier to decide in APIs than in browser implementations

(20) Browser Controls