Chapter 2 Managing the Secure Web Server


This chapter describes the administration tasks available from the Web Server Administration utility that allow you to manage the Secure Web servers.

Access the Web Server Administration utility by logging in to the Administration Web Server that listens on port 8081. The Secure Web Servers currently installed and managed by the administration utility are listed on the top-level Web Server Administration form. When you install additional versions of the Secure Web Server, they are added to the Web Server Administration form. Choosing a Web server on the Web Server Administration form displays the administration tasks for that server. The administration tasks for each Web server differ based upon the Web server version and the Web server type: administration or public.

Administration tasks that apply only to the management of the Administration Web Server:

Administration tasks that apply only to management of the Public Web server:

Administration tasks that apply to both Administration and public Web servers:

Changing Configuration Parameters

A configuration parameter is specified by a directive and is stored in one of the configuration files listed in Table 2-1.

Table 2-1 Configuration Files for Secure Web Servers

| Server | Configuration File |
| --- | --- |
| Administration Web Server | /usr/internet/httpd/admin/conf/httpd.conf |
| Public Web Server 2.0 | /usr/opt/hpapache2/conf/httpd.conf |
| Public Web Server 1.3 | /usr/internet/httpd/conf/httpd.conf |

You can specify the following types of configuration parameters:

Figure 2-1 shows the menu for changing the configuration parameters for the Public Web Server 2.0.

Figure 2-1 Change Configuration Parameters Menu for Public Web Server 2.0


The Secure Web Server configuration files are read in the following order:

  • httpd.conf

  • ssl.conf (Secure Web Server 2.0 only)

  • srm.conf

  • access.conf

Note:

By default, the access.conf and srm.conf configuration files do not contain any directives. While they remain supported in the Secure Web Server 1.3, all directives are defined in httpd.conf. Directives either exist in the httpd.conf file itself or are included in it by use of the Include directive.

If you specify the same directive in more than one configuration file, the first directive found takes precedence.

In the tables in the following sections, a directive enclosed in angle brackets can be defined using multiple lines and must be delimited by a <directive>...</directive> pair, where directive is the directive name. The following example shows the proper syntax for a multiple-line directive:

<Limit GET POST>
order deny,allow
deny from all
allow from host1.domain.name domain2.name
</Limit>

Through the Change Configuration Parameters menu for each server, the Web Server Administration utility allows you to set many of the frequently used configuration parameters described in this section. If you want to take advantage of more specialized functionality, you must manually edit the Secure Web Server configuration files listed in Table 2-1. Avoid modifying the configuration parameters that are handled by the Administration utility when manually editing these files.

For a complete listing of configuration file directives, see the Apache Web site for the appropriate directives for the Web server version:

For the Secure Web Server 1.3:

http://www.apache.org/docs/mod/directives.html

For Secure Web Server 2.0:

http://httpd.apache.org/docs-2.0/mod/directives.html

Changing Server Tuning Parameters

To change the server tuning parameters:

  1. From the Web Server Administration menu, choose the link to the Web server that you want to change. You can change the configuration parameters on either the Public or Administration Web servers. For example, choose Manage the Public Web Server 2.0 to change the tuning parameters of the Public Web server 2.0.

  2. From the Manage the Public Web Server 2.0 menu, choose Change Configuration Parameters.

  3. From the Change Public Web Server 2.0 Configuration Parameters menu, choose Change Server Tuning Parameters. Figure 2-2 shows the Change Tuning Parameters form for the Public Web server 2.0. A Change Tuning Parameters form is also available for the Public Web Server 1.3, but it has different tuning parameters than the Public Web Server 2.0. A Change Tuning Parameters form is also available for the Administration Web Server. (See Figure 2-13.)

    Figure 2-2 Change Tuning Parameters Form

  4. On the Change Server Tuning Parameters form (Figure 2-2), change one or more of the parameters.

    Table 2-2 shows which Web Server directive is associated with each parameter field on the Change Tuning Parameters form and the type of value expected. Parameters that apply only to Public Web Server 2.0 are specified for 2.0 only.

Table 2-2 Server Tuning Parameters and Associated Directives

| Parameter | Directive | Description |
| --- | --- | --- |
| Minimum Spare Servers | MinSpareServers number | Minimum number of unused server child processes to maintain |
| Maximum Spare Servers | MaxSpareServers number | Maximum number of unused server child processes left running before additional child processes are killed |
| Start Servers | StartServers number | Initial number of server child processes |
| Server Limit (for 2.0 only) | ServerLimit number | Upper limit on configurable number of processes |
| Thread Limit (for 2.0 only) | ThreadLimit number | Upper limit on the configurable number of threads per child process |
| Maximum Connections | MaxClients number | Maximum number of server processes for client connections |
| Maximum Requests /Connection | MaxRequestsPerChild number | Number of requests handled before child process is terminated |
| Threads Per Child (for 2.0 only) | ThreadsPerChild number | The number of threads created by each server child process |
| Maximum Spare Threads (for 2.0 only) | MaxSpareThreads number | Maximum number of idle threads |
| Minimum Spare Threads (for 2.0 only) | MinSpareThreads number | Minimum number of idle threads available to handle request spikes |
| Connection Timeout (secs) | Timeout number | Time (seconds) to wait for response before terminating a connection |
| Enable Keepalive | KeepAlive on \| off | Whether or not to hold open a connection after the initial connection is lost |
| Keepalive Timeout (secs) | KeepAliveTimeout number | Time (seconds) to wait for subsequent connection on a KeepAlive connection |
| Maximum Keepalive Retries | MaxKeepAliveRequests number | Number of times to reuse a connection |

Changing Access Control Entry Parameters

You can change access control entries for any of the installed Web Servers. The steps in this section describe how to change the access control entry for the Public Web server 2.0. The steps are similar for the other Web servers.

  1. From the Change Public Web Server 2.0 Configuration Parameters form, choose Change Access Control Entries. Figure 2-3 shows the Change Access Control Entries form for the Administration Web Server. This form is also available for the Public Web servers.

    Figure 2-3 Change Access Control Entries Form


  2. By default, each Web server has one main access control entry controlling access to the document root directory of the server. Although many access control entries are listed, this is generally the only entry you might want to change. The access control entries for each Web server's document root are as follows:

  • /usr/internet/httpd/admin/htdocs (Administration Web Server)

  • /usr/internet/httpd/htdocs (Public Web server 1.3)

  • /usr/opt/hpapache2/htdocs (Public Web server 2.0)

You can also change access control entries for the following locations (for the public Web servers only):

  • /server-status

  • /server-info

You can add an access control entry for a directory or location you have created for the Web server.

Table 2-3 shows which Secure Web Server directive is associated with each parameter field on the Change Access Control Entries form and the type of value expected.

Table 2-3 Access Control Parameters and Associated Directives

Parameter: Type and Specification
Directive: <Directory path> | <Location name> | <Files filename>
Description: path, name, and filename can contain wildcards.

Parameter: Limit Access Methods
Directive: <Limit method>
Description: Specify one of the following Limit Access Methods:

  • GET—Standard HTML access; parameters can be passed as part of the URL.

  • POST—Form access; parameters are passed separately.

  • GET POST

  • All Methods

When you choose All Methods (the default), the Limit directive is not specified in the access.conf file for this Type and Specification (directory, location, or file).

Parameter: Precedence
Directive: order[1] deny,allow | order allow,deny
Description: Specifies the order in which to process the deny from and allow from directives.

Parameter: Hosts Allowed Access
Directive: allow from[1] all | allow from host_list
Description: List of fully or partially qualified host or domain names, separated by spaces. You cannot use wildcards and you must use complete DNS fields (for example, domain.com does not match mydomain.com).

Parameter: Hosts Denied Access
Directive: deny from[1] all | deny from host_list
Description: List of fully or partially qualified host or domain names, separated by spaces. You cannot use wildcards and you must use complete DNS fields (for example, domain.com does not match mydomain.com).

Parameter: User Authentication and Selected Users
Directive: require user_list
Description: To authenticate only specific users, set User Authentication to For Selected Users, and select one or more users from the Selected Users list. (These users are defined in the file specified by the AuthDBMUserFile directive. To add a user to this list, use the Change Web Server User Accounts form.)

To authenticate all users, set User Authentication to For All Valid Users.

If no Web server user accounts exist, Authentication is disabled.

Parameter: Authentication Prompt Name
Directive: AuthName string
Description: Portion of the string displayed in the Username/Password dialog box that prompts for user name (“Enter username for name at host:port:”).

Parameter: CGI Execution
Directive: Options ExecCGI[2]
Description: When the Enable CGI Script Execution check box is selected, allows CGI scripts to be executed from within the specified directory.

[1] The Administration utility expects this directive to be defined within the context of the Limit directive.

[2] The Administration utility expects this directive to be defined within the context of the Directory directive.

In the following example, the Limit directive allows access to the specified domains and hosts only:

<Limit GET POST>
order deny,allow
deny from all
allow from host1.domain1.name domain2.name
</Limit>

In the following example, access is allowed to everyone except the specified hosts and domains:

<Limit GET POST>
order allow,deny
allow from all
deny from host1.domain1.name domain2.name
</Limit>
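
The following added example (not part of the original guide) evaluates the two Limit blocks above for a given request method and client host name, using the order and host-matching rules of Apache's mod_access module. The function names are hypothetical and the client host names in the demonstration are constructed; host1.domain1.name and domain2.name come from the examples above, with the order value written without whitespace.

```python
import re

# The two blocks shown above, with the order keywords joined by a comma only.
RESTRICT_TO_LISTED = """
<Limit GET POST>
order deny,allow
deny from all
allow from host1.domain1.name domain2.name
</Limit>
"""

ALLOW_EXCEPT_LISTED = """
<Limit GET POST>
order allow,deny
allow from all
deny from host1.domain1.name domain2.name
</Limit>
"""


def parse_limit_block(text):
    """Parse one <Limit ...> block into its methods, order and host lists."""
    rule = {"methods": [], "order": "deny,allow", "allow": [], "deny": []}
    for raw in text.strip().splitlines():
        line = raw.strip()
        opening = re.match(r"<Limit\s+([^>]+)>$", line, re.I)
        if opening:
            rule["methods"] = opening.group(1).upper().split()
        elif re.match(r"order\b", line, re.I):
            # Only the two values documented in Table 2-3 are accepted here.
            # Apache takes the value as a single argument, so whitespace
            # after the comma ("deny, allow") is a configuration error.
            value = line[len("order"):].strip().lower()
            if value not in ("deny,allow", "allow,deny"):
                raise ValueError("invalid order value: %r" % value)
            rule["order"] = value
        elif re.match(r"(allow|deny)\s+from\s+\S", line, re.I):
            kind, _from, hosts = line.split(None, 2)
            rule[kind.lower()].extend(h.lower() for h in hosts.split())
    return rule


def host_matches(spec, client_host):
    """Match one host_list entry against a client host name.

    'all' matches every client. Any other entry matches the same name or a
    name that ends in it on a complete DNS field boundary, so domain2.name
    matches www.domain2.name but not mydomain2.name.
    """
    spec = spec.lower().rstrip(".")
    host = client_host.lower().rstrip(".")
    return spec == "all" or host == spec or host.endswith("." + spec)


def is_allowed(rule, method, client_host):
    """Return True or False for a covered method, None for any other method."""
    if rule["methods"] and method.upper() not in rule["methods"]:
        return None  # a <Limit> block restricts only the methods it names
    allowed = any(host_matches(s, client_host) for s in rule["allow"])
    denied = any(host_matches(s, client_host) for s in rule["deny"])
    if rule["order"] == "deny,allow":
        # Deny is processed first and allow can override it; default is allow.
        return allowed or not denied
    # allow,deny: allow is processed first and deny overrides; default is deny.
    return allowed and not denied


if __name__ == "__main__":
    clients = ["host1.domain1.name", "www.domain2.name",
               "mydomain2.name", "other.example.org"]  # constructed clients
    for label, text in (("restrict", RESTRICT_TO_LISTED),
                        ("exclude", ALLOW_EXCEPT_LISTED)):
        rule = parse_limit_block(text)
        for client in clients:
            print(label, client, is_allowed(rule, "GET", client))
```

A None result marks a method that the block does not name, which is the case to review when a form entry uses GET, POST, or GET POST instead of All Methods.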

Changing Listening Port and IP Address Parameters

Normally, a Web server listens for HTTP requests on all known IP addresses on a system. The default (or primary) port, port 80, is used for each address. The Change Listening Ports and Addresses form allows you to limit the IP addresses and ports a Web server listens on by allowing you to enter specific addresses and ports for the server. If your system has been configured to support the IPv6 protocol, IPv6 style addresses can be entered in this form as well. However, IPv6 addresses can be used only with the Secure Web Server 2.0 public Web server. IPv6 style addresses should not be used in the Change Listening Ports and Addresses form for the Secure Web Server 1.3.

From the Change Public Web Server 2.0 Configuration Parameters form (Figure 2-1), choose Change Listening Ports and Addresses. Figure 2-4 shows the Change Listening Ports and Addresses form for Public Web Server 2.0. A similar form is also available from the Change Administration Web Server Configuration Parameters form. (See Figure 2-13.)

Figure 2-4 Change Listening Ports and IP Addresses Form


Table 2-4 shows which Secure Web Server directive is associated with each parameter field on the Change Listening Ports and Addresses form and the type of value expected.

Table 2-4 Listening Port/IP Address Parameters and Associated Directives

| Parameter | Directive | Description |
| --- | --- | --- |
| Active IP Address and Active Port (Primary and Additional) | Listen [IP address:]port | Specifies one or more ports or IP addresses to listen on |
| Active IP Address and Active Port (Primary only) | Port port | Defines the SERVER_PORT environment variable used by CGI scripts. |

For example, if your system has eight IP addresses configured, but you want the public Web server to listen on only two of those addresses, you can explicitly define these two addresses as the Active IP Addresses for the server. Optionally, you can specify a different port for each address. (Port 80 is normally used.)

If you want to listen to all known IP addresses on more than one port (for example, Ports 80 and 81), specify Active Port 80 and Active Port 81 and leave the Active IP Address field blank for both ports.

Changing Virtual Host Parameters for the Public Web Servers

You can specify virtual host parameters for the public Web servers only.

  1. From the Change Configuration Parameters form for either the Public Web Server 1.3 or Public Web Server 2.0 (for example, see Figure 2-1), choose Change Virtual Hosts. Figure 2-5 shows the Change Public Web Server 1.3 Virtual Hosts form.

    Figure 2-5 Change Public Web Server 1.3 Virtual Hosts Form


    The first time you access the Change Virtual Hosts form (Figure 2-5), the only choice is to add a new virtual host. Thereafter, each virtual host you add is displayed on this form in the Existing Virtual Hosts list box.

    Note:

    Before you create each virtual host, you must create a Listen directive in the Public Web Server for the virtual host using the Change Listening Ports and Addresses form. If no Listen directive is specified for the virtual host, the Public Web Server will not respond to client requests that match the host names, IP addresses, and ports specified in its virtual host directives. See the section Changing Listening Port and IP Address Parameters for information on creating Listen directives for the Public Web Server.

    To add a new virtual host:

    1. Enter the host names and/or IP addresses (with optional port values) into the New Virtual Host field on the form as they would appear in a virtual host Web server directive.

    2. Click on Add. The Add Public Web Server Virtual Host form is displayed. (This form is similar to the Modify Public Web Server Virtual Host form in Figure 2-6.)

    3. Specify the type of virtual host (Name-based or IP-based) and any additional directives for the new virtual host:

      • When the value for the Virtual Host Name field matches the hostnames and IP address values you entered, a Name-based virtual host is created.

      • When you set the value of the Virtual Host Name field to NONE, an IP-based virtual host is created.

    4. Click on Submit to add the new virtual host to the Public Web Server.

  2. To change the configuration for an existing virtual host, select the virtual host from the list box and click on Modify. The Modify Public Web Server Virtual Hosts form is displayed (Figure 2-6).

    Figure 2-6 Modify Public Web Server 1.3 Virtual Hosts Form


Table 2-5 shows which Secure Web Server directive is associated with each field on the Modify Public Web Server Virtual Hosts form (Figure 2-6) and the type of value expected.

When a field on this form is left blank or when the “use default value” option is selected for the field, the directive associated with the field is not included in (or is removed from) the virtual host. In this case, the virtual host inherits the value of the associated directive from the globally specified value of the directive for the Public Web Server:

  • If no global value is specified for the associated directive, the directive's default value is used as the value of the directive in the virtual host.

  • If the default value for the directive is “unspecified” (for example, as with Script Alias), the directive does not apply to the virtual host when the field in the form is left blank.

Table 2-5 Virtual Hosts Parameters and Associated Directives

Parameter: Virtual Host Name
Directive: NameVirtualHost hostname[:port] | IP address[:port]
Description: Name of the Name-based virtual host. When this directive is not set to NONE, the value should always match the Host Name or IP Address and Port Number of the virtual host. Setting the value to NONE creates an IP-based virtual host by not setting the NameVirtualHost directive.

Parameter: Host Name or IP Address and Port Number
Directive: VirtualHost hostname[:port] | IP address[:port]
Description: Host name or IP address of the virtual host; port number is optional.

Parameter: Connection Timeout
Directive: Timeout seconds
Description: The amount of time the server supporting the virtual host will wait for the following events: the total amount of time it takes to receive a GET request, the amount of time between receipt of TCP packets on a POST or PUT request, and the amount of time between ACKs on transmissions of TCP packets in responses. The default value of this directive is 300 seconds.

Parameter: Keepalive Timeout
Directive: KeepAliveTimeout seconds
Description: The number of seconds the server supporting the virtual host will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the Timeout directive applies.

Setting KeepAliveTimeout to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.

The default value of this directive is 15 seconds.

Parameter: Enable Keepalive
Directive: KeepAlive [On | Off | use default value]
Description: Provides for long-lived HTTP sessions that allow multiple requests to be sent over the same TCP connection. These connection types are the default for HTTP 1.1 clients.

To enable KeepAlive connections, set KeepAlive to On.

The default value of this directive is On.

Parameter: Maximum KeepAlive Retries
Directive: MaxKeepAliveRequests number
Description: Limits the number of requests allowed on a persistent connection (KeepAlive On) for the virtual host.

The default value of this directive is 100.

Parameter: Use Canonical Name
Directive: UseCanonicalName [ On | Off | DNS | use default value]
Description: Configures the way the server serving the virtual host determines its own name and port.

With UseCanonicalName set to On, the server will use the hostname and port specified in the Server Name directive. With UseCanonicalName set to Off, the server will form self-referential URLs using the hostname and port supplied by the client's Host: header. Set UseCanonicalName to DNS for use with mass IP-based virtual hosting when you need to support older client systems that do not provide a Host: header.

The default value for this directive is On.

Parameter: Server Name
Directive: ServerName hostname
Description: Host name; used in URL parsing.

Parameter: Server Alias
Directive: ServerAlias hostname [hostname]...
Description: Sets the alternate names for the virtual host.

Parameter: Document Root
Directive: DocumentRoot path
Description: Full path of the directory containing the default Web homepage for the specified Host Name or IP Address.

The default value for this directive is /usr/local/apache/htdocs.

Parameter: Virtual Document Root
Directive: VirtualDocumentRoot interpolated-directory
Description: Dynamically configures the location of the document root for a given virtual host based on the value of server name. If interpolated-directory is set to none, then VirtualDocumentRoot is turned off. This directive cannot be used in the same context as the VirtualDocumentRootIP directive.

This directive applies only to the Secure Web Server 2.0.

Parameter: Virtual Document Root IP
Directive: VirtualDocumentRootIP interpolated-directory
Description: Dynamically configures the location of the document root for a given virtual host based on the value of the server IP address. If interpolated-directory is set to none, then VirtualDocumentRootIP is turned off. This directive cannot be used in the same context as the VirtualDocumentRoot directive.

This directive applies only to the Secure Web Server 2.0.

Parameter: Script Alias
Directive: ScriptAlias URL-path file-path | directory-path
Description: Allows CGI scripts to be stored in the local file system other than under the Document Root. URLs with a (%-decoded) path beginning with URL-path will be mapped to local files beginning with the second argument, which is a full pathname on the local file system.

Parameter: Virtual Script Alias
Directive: VirtualScriptAlias interpolated-directory | none
Description: Dynamically configures the location of the CGI directory for a given virtual host based on the value of the server name. If interpolated-directory is set to none, then VirtualScriptAlias is turned off. This directive cannot be used in the same context as the VirtualScriptAliasIP directive.

This directive applies only to the Secure Web Server 2.0.

Parameter: Virtual Script Alias IP
Directive: VirtualScriptAliasIP interpolated-directory | none
Description: Dynamically configures the location of the CGI directory for a given virtual host based on the value of the server IP address. If interpolated-directory is set to none, then VirtualScriptAliasIP is turned off. This directive cannot be used in the same context as the VirtualScriptAlias directive.

This directive applies only to the Secure Web Server 2.0.

Parameter: Server Admin Mail Address
Directive: ServerAdmin e-mail address
Description: E-mail address of the Web system administrator.

Parameter: Log Level
Directive: LogLevel emerg | alert | crit | error | warn | notice | info | debug | use default value
Description: Adjusts the verbosity of the messages recorded in the ErrorLog file for the virtual host. When set to use default value, the LogLevel directive is not set for the virtual host, and the value is inherited from the global server value.

The default value of this directive is warn.

Parameter: Error Log
Directive: ErrorLog path
Description: Full or relative path to error log file. Relative paths are specified from the Web server's root directory.

The default value of this directive is logs/error_log.

Parameter: Log Format
Directive: LogFormat format | nickname [nickname]
Description: The LogFormat directive can take one of two forms. In the first form, where only one argument is specified, this directive sets the log format that will be used by logs specified in subsequent TransferLog directives.

The second form of the LogFormat directive associates an explicit format with a nickname. This nickname can then be used in subsequent CustomLog directives. When a nickname is specified, this directive does not affect subsequent TransferLog directives.

The default value of this directive is "%h %l %u %t \"%r\" + .

Parameter: Transfer Log
Directive: TransferLog path
Description: Full or relative path of the transfer (access) log file. Relative paths are specified from the Web server root directory.

Parameter: Custom Log
Directive: CustomLog path
Description: Full or relative path and format of a log file for the virtual host. Relative paths are specified from the Web server root directory.

For a comprehensive document on virtual host support, see the following Web sites:

http://www.apache.org/docs/vhosts/index.html (for Secure Web Server 1.3)
http://httpd.apache.org/docs-2.0/vhosts (for Secure Web Server 2.0)
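
The Note earlier in this section requires a Listen directive for each virtual host before the server will answer requests for it. The following added example (not part of the original guide) scans configuration text and reports VirtualHost entries that no Listen directive covers; the function names are hypothetical and the sample configuration, which uses documentation addresses, is constructed.

```python
import re

# Constructed sample configuration (documentation addresses only).
SAMPLE_CONF = """
# Listening endpoints
Listen 80
Listen 192.0.2.10:8080

NameVirtualHost 192.0.2.10:8080
<VirtualHost 192.0.2.10:8080>
ServerName intranet.example.com
</VirtualHost>

<VirtualHost 192.0.2.20:8443>
ServerName reports.example.com
</VirtualHost>

<VirtualHost www.example.com:80>
ServerName www.example.com
</VirtualHost>

<VirtualHost [2001:db8::5]:8081>
ServerName v6.example.com
</VirtualHost>
"""


def split_addr(token):
    """Split 'address[:port]' or a bare port into (address, port).

    None stands for "any": a bare port has no address, '*' is a wildcard,
    and a missing port leaves the port open. IPv6 literals must be bracketed.
    """
    token = token.strip().lower()
    if token.isdigit():                      # bare port, as in "Listen 80"
        return None, int(token)
    if token.startswith("["):                # bracketed IPv6 literal
        addr, _, rest = token[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        addr, sep, port = token.rpartition(":")
        if not sep:                          # no colon: address or host name only
            addr, port = token, ""
    return (None if addr == "*" else addr), (int(port) if port.isdigit() else None)


def parse_conf(conf_text):
    """Return (listens, vhosts): parsed Listen endpoints and VirtualHost arguments."""
    listens, vhosts = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        listen = re.match(r"Listen\s+(\S+)", line, re.I)
        vhost = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if listen:
            listens.append(split_addr(listen.group(1)))
        elif vhost:
            vhosts.extend(vhost.group(1).split())
    return listens, vhosts


def unlistened_vhosts(conf_text):
    """List VirtualHost arguments that no Listen directive covers.

    Host names are compared literally and never resolved, so a host-name
    virtual host is covered only by a Listen directive without an address.
    """
    listens, vhosts = parse_conf(conf_text)
    missing = []
    for token in vhosts:
        addr, port = split_addr(token)
        covered = any(
            (l_addr is None or addr is None or l_addr == addr)
            and (port is None or l_port == port)
            for l_addr, l_port in listens
        )
        if not covered:
            missing.append(token)
    return missing


if __name__ == "__main__":
    for token in unlistened_vhosts(SAMPLE_CONF):
        print("No Listen directive covers virtual host", token)
```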

Changing URL Default Parameters for the Public Web Servers

This section describes the steps to change the URL Default Parameters for Public Web Server 1.3. The steps for Public Web Server 2.0 are similar. You can specify the URL default parameters for the public Web server only.

  1. From the Change Public Web Server 1.3 Configuration Parameters form (Figure 2-1), choose Change URL Defaults. Figure 2-7 shows the Change Public Web Server 1.3 URL Defaults form.

    Figure 2-7 Change Public Web Server URL Defaults Form

  2. From the Change Public Web Server URL Defaults form (Figure 2-7), specify the default HTML directory and default homepage (index page) for users on your system. By convention, the default HTML directory is public_html and the default homepage is index.html on UNIX systems.

When the Recognize .cgi Files As CGI Scripts parameter is enabled, files with the .cgi extension in the user's default HTML directory (or in a directory where CGI script execution is enabled) are executed as CGI scripts.

Table 2-6 shows which Secure Web Server directive is associated with each field on the Change URL Defaults form and the type of value expected.

Table 2-6 URL Default Parameters and Associated Directives

| Parameter | Directive | Description |
| --- | --- | --- |
| User's HTML Home Directory | UserDir path | Path relative to a user's home directory for the user's HTML home directory. The default is public_html. |
| Directory Index Page Name | DirectoryIndex filename list | One or more file names, separated by spaces, that define the default page displayed when an HTTP request specifies a directory path only (without a file name). |
| Recognize .cgi Files As CGI Scripts | AddHandler cgi-script .cgi | When this field is enabled, the comment character in this line is removed from the httpd.conf file. When this field is disabled, the line is commented out. |

Changing HTML Directory Alias Parameters for the Public Web Server

You can specify the HTML Directory Alias parameters for the public Web servers only. This section describes the steps to change the HTML Directory Aliases for the Public Web server 1.3. The steps are similar for the Public Web server 2.0.

From the Change Public Web Server 1.3 Configuration Parameters form (Figure 2-1), choose Change HTML Directory Aliases. Figure 2-8 shows the Change Public Web Server 1.3 HTML Directory Aliases form.

Figure 2-8 Change Public Web Server HTML Directory Aliases Form


URL paths are rooted only by aliases, not by actual directories. The system-defined aliases are as follows:

  • icons — Defines the directory to search for browser-specific icons.

    When an HTTP request specifies a directory other than the user's HTML home directory (Table 2-6), the icons used in the resulting display to identify subdirectories and files are obtained from the directory associated with the icons alias.

  • copyrights — Defines the directory in which the copyright information is installed.

  • documents — Defines the directory in which the book files are installed.

Normally, these aliases should not be changed or deleted. However, you can specify a new HTML alias for any directory by providing an alias name and the full path name of the directory you want to associate with the alias.

To add a new HTML alias:

  1. On the Change HTML Directory Aliases form, enter the new alias name in the New Alias Name field and click on Add.

  2. On the Add HTML Directory Aliases form, specify the full pathname for the directory associated with the new alias in the Actual Directory field.

  3. Click on Submit.

    The Web Server Administration utility displays a confirmation message indicating that the configuration file has been successfully updated.

  4. Click on Submit to have the public Web server on the indicated port reread its configuration file. Wait a few seconds before using the navigation bar.

When you determine that an alias is no longer useful, you can remove it by selecting the alias name from the Existing Alias Names list box and clicking on Delete.

Table 2-7 shows which Secure Web Server directive is associated with each field on the Change Public Web Server HTML Directory Aliases form and the type of value expected.

Table 2-7 HTML Directory Alias Parameters and Associated Directives

| Parameter | Directive | Description |
| --- | --- | --- |
| Alias Specification and Actual Directory | Alias alias path | Alias Specification (New Alias Name) specifies the alias part of the directive and Actual Directory specifies the path. |

Changing CGI Directory Alias Parameters for the Public Web Server

You can specify the CGI Directory Alias configuration parameters for the public Web server only.

  1. From the Change Public Web Server Configuration Parameters form (Figure 2-1), choose Change CGI Directory Aliases. Figure 2-9 shows the Change Public Web Server 1.3 CGI Directory Aliases form.

    Figure 2-9 Change Public Web Server CGI Directory Aliases Form

  2. Specify an alias name and the full path name of the directory you want to associate with the alias.

Table 2-8 shows which Secure Web Server directive is associated with each field on the Change Public Web Server CGI Directory Aliases form (Figure 2-9) and the type of value expected.

Table 2-8 CGI Directory Alias Parameter and Associated Directive

| Parameter | Directive | Description |
| --- | --- | --- |
| Alias Specification and Actual Directory | ScriptAlias alias path | Alias Specification (New Alias Name) specifies the alias part of the directive and Actual Directory specifies the path. |

Changing Logging and Reporting Parameters

Use the Change Logging and Reporting Parameters form to specify the following:

  • The host name associated with an IP address in the log file. (Server performance can decrease when you enable host name lookup.)

  • E-mail address for mail intended for the server administrator (if not specified anywhere else in the configuration files).

  • The URL of the HTML page to display when the browser receives any of the following error codes:

    Note:

    Although both servers are capable of generating the following errors, the Change Logging and Reporting Parameters form for different versions of the Secure Web Server display different lists of errors. Errors that appear only in the Secure Web Server 2.0 Change Logging and Reporting Parameters form are specified for Version 2.0 only.

    • Bad Gateway — The server, when acting as a gateway or proxy, received an invalid response from a server (Version 2.0 only).

    • Bad Request — Usually caused by a malformed URL (Version 2.0 only).

    • Unauthorized — Usually caused by an incorrect user name or password.

    • Forbidden — Access to the directory, location, or file is explicitly prohibited or the file is protected.

    • File Not Found — File or path name alias does not exist.

    • Gone — The requested resource is no longer available at the server (Version 2.0 only).

    • Method Not Allowed — File or path name alias does not exist (Version 2.0 only).

    • Not Implemented — The server does not support the functionality required to fulfill the request (Version 2.0 only).

    • Precondition Failed — The precondition given in one or more of the request-header fields evaluated to false (Version 2.0 only).

    • Request Timeout — The client did not produce a request within the time that the server was prepared to wait (Version 2.0 only).

    • Request Entity Too Large — The request entity is larger than the server is willing or able to process (Version 2.0 only).

    • Service Unavailable — The server is temporarily overloaded or maintenance is required (Version 2.0 only).

    • Server Error — Usually caused by a malformed HTTP header generated by a CGI script.

    • Variant Also Varies — The HTTP variant also varies; the status is not yet defined (Version 2.0 only).

From the Change Public Web Server 2.0 Configuration Parameters form (Figure 2-1), choose Change Logging and Reporting Parameters.

Figure 2-10 shows the Change Logging and Reporting Parameters form for the Public Web Server 2.0. The form for the Public Web Server 1.3 has fewer server responses. (See Table 2-9.) This form is also available for the Administration Web Server.

Figure 2-10 Change Public Web Server Logging and Reporting Parameters Form


Table 2-9 shows which Secure Web Server directive is associated with each field on the Change Logging and Reporting form (Figure 2-10) and the type of value expected.

Table 2-9 Logging and Reporting Parameters and Associated Directives

Parameter: Enable Hostname Lookups
Directive: HostnameLookups on | off
Description: When set to on, the server performs DNS lookups on IP addresses to include host names in logging records.

Parameter: Server Admin Mail Address
Directive: ServerAdmin e-mail address
Description: E-mail address displayed with some error pages.

Parameter: “Unauthorized” Error Response URL
Directive: ErrorDocument 401 URL | string
Description: Specifies a page or text string to display upon receiving a “bad password” error. If specified, the URL for 401 errors must be local. (The http://host.domain.name prefix is not permitted.)

Parameter: “Forbidden” Error Response URL
Directive: ErrorDocument 403 URL | string
Description: Specifies a page or string to display upon receiving a “no authorization” or “file access” error.

Parameter: “File Not Found” Error Response URL
Directive: ErrorDocument 404 URL | string
Description: Specifies a page or text string to display upon receiving a “file not found” error.

Parameter: “Server Error” Error Response URL
Directive: ErrorDocument 500 URL | string
Description: Specifies a page or text string to display upon receiving an internal error or CGI format error (most likely related to a problem with HTTP header information).
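The directives in Table 2-9 can be checked in the configuration file after the form is submitted. The following Python script is an added example, not part of the Secure Web Server software: it flags an ErrorDocument 401 entry that uses a full URL, reports HostnameLookups on, and lists the status codes from the form that have no custom response. The sample configuration is constructed for illustration.

```python
import re

# Status codes that the Logging and Reporting form lets you customize (Table 2-9).
FORM_CODES = ("401", "403", "404", "500")

def classify_target(target):
    """Classify an ErrorDocument argument as 'remote', 'local' or 'text'."""
    target = target.strip()
    if target.startswith('"'):
        return "text"      # message string; Version 1.3 uses only a leading quote
    if re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", target):
        return "remote"    # full URL with the http://host.domain.name prefix
    if target.startswith("/"):
        return "local"     # URL path served by this server
    return "text"

def lint_reporting(conf_text):
    """Return (line_number, message) findings; line 0 means 'whole file'."""
    findings, customized = [], set()
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        name = fields[0].lower()    # directive names are not case-sensitive
        arg = fields[1].strip() if len(fields) > 1 else ""
        if name == "hostnamelookups" and arg.lower() == "on":
            findings.append((line_no, "HostnameLookups on: DNS lookup for each logged address"))
        elif name == "errordocument":
            parts = arg.split(None, 1)
            if len(parts) != 2:
                findings.append((line_no, "ErrorDocument needs a status code and a response"))
                continue
            customized.add(parts[0])
            if parts[0] == "401" and classify_target(parts[1]) == "remote":
                findings.append((line_no, "ErrorDocument 401 must be a local URL or a string"))
    for code in FORM_CODES:
        if code not in customized:
            findings.append((0, "no ErrorDocument %s: the server's built-in response is used" % code))
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
# logging and reporting parameters
HostnameLookups On
ServerAdmin webmaster@host.domain.name
ErrorDocument 401 http://host.domain.name/login-help.html
ErrorDocument 403 "Access to this resource is not permitted.
ErrorDocument 404 /errors/notfound.html
"""

if __name__ == "__main__":
    for line_no, message in lint_reporting(SAMPLE_CONF):
        print("line %d: %s" % (line_no, message))
```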

 

Changing Public Web Server User Accounts

You can establish Secure Web Server user accounts to control access to the public Web servers. You can enable a different level of access to each combination of user name and password that you specify. The password you specify for a Web server user account is not a UNIX system password; that is, you will not find these passwords in the /etc/passwd file.

The first time you access the Change Web Server User Accounts menu, the only option is to add a new Web server user account. Thereafter, each user account you create is displayed on this menu in the Existing Web Server Users list box, allowing you to change the password for the account or delete the account.

To add a Web server user account to control access to the public Web server:

  1. On the Web Server Administration menu, choose the public Web server you want to manage. Figure 2-11 shows the Manage the Public Web Server 1.3 menu and available options.

    Figure 2-11 Manage the Public Web Server Form

  2. From the Manage the Public Web Server 1.3 menu, choose Change Web Server User Accounts.

  3. On the Change Public Web Server User Accounts form, enter the account name in the New Web Server User field.

  4. Click on Add. The Add Public Web Server User Account form is displayed.

  5. Enter a password in the New Password field.

  6. Verify the password for the user by typing the same password in the Verify Password field.

  7. Click on Submit.

    The Web Server Administration utility displays a confirmation message indicating that the new user account has been successfully created. You can use the navigation bar at the top of the page to return to the Change Public Web Server User Accounts form.

To change a user's password, select the user name from the Existing Web Server Users list box and click on Modify. Specify a new password, verify the password, and click on Submit.

To delete a user account, select the user name from the Existing Web Server Users list box and click on Delete.

Displaying Public Web Server Status

To display the status of Public Web Server 1.3, from the Manage the Public Web Server 1.3 menu, choose Display Web Server Status. Similarly, to display the status of Public Web Server 2.0, from the Manage the Public Web Server 2.0 menu, choose Display Web Server Status.

The Web Server Status page allows you to see how well your server is performing. The current server statistics are displayed in an easy-to-read form.

The Display Server Status and Display Server Information links under the Manage the Public Web Server menu return a “Forbidden server” error if you try to access them from a remote Web browser after opening up access controls to remote systems on the Administration server. To avoid this problem, open access controls on the Location /server-info and Location /server-status entries for the public Web server in the Change Access Control Entries form under Change Configuration Parameters.

For more information on the data displayed on the Web Server Status page, go to one of the following Apache Web site URLs:

http://www.apache.org/docs/mod/mod_status.html (for Secure Web Server 1.3)

http://httpd.apache.org/docs-2.0/mod/mod_status.html (for Secure Web Server 2.0)

Displaying Public Web Server Information

To display information for the public Web server, on the Manage the Public Web Server menu (1.3 or 2.0), choose Display Web Server Information.

The Web Server Information page displays a comprehensive overview of the server configuration, including all installed modules and directives in the configuration files.

The Display Server Status and Display Server Information links under the Manage the Public Web Server menu return a “Forbidden server” error if you try to access them from a remote Web browser after opening up access controls to remote systems on the Administration server. To avoid this problem, open access controls on the Location /server-info and Location /server-status entries for the public Web server in the Change Access Control Entries form under Change Configuration Parameters.

For more information on the data displayed on the Web Server Information page, go to one of the following Apache Web site URLs:

http://www.apache.org/docs/mod/mod_status.html (for Secure Web Server 1.3)

http://httpd.apache.org/docs-2.0/mod/mod_status.html (for Secure Web Server 2.0)

Viewing Web Server Reports and Log Files

During its normal operation, the Web server puts information in two log files. The access log keeps track of requests for use of this server and the information requested. The error log maintains a record of errors that occurred since the log file was last refreshed. You should periodically save and recreate these log files so they do not get too large. See Refreshing the Administration Web Server Log Files.

To view the access log file or error log file for a Web server:

  1. From the Web Server Administration menu, choose the Manage form for the version of the server whose log you want to view (for example, the Public Web Server 1.3). In this case, the Manage the Public Web Server 1.3 menu is displayed. See Figure 2-11.

  2. From the Manage the Public Web Server 1.3 menu, choose View Server Reports and Log Files. The Report and Log Files for the Public Web Server 1.3 menu is displayed (Figure 2-12).

    Figure 2-12 Reports and Log Files for the Public Web Server

  3. Choose the item corresponding to the log file you want to view.

    The entries in the chosen log file are shown 100 lines at a time with the most recent entries first. You can use the navigation bar at the top of each page to return to the Report and Log Files menu.

To generate the activity reports for any one of the Web Server instances:

  1. From the Web Server Administration menu, choose the server for which you want to generate activity statistics; for example, the Administration Web Server. The Manage the Administration Web Server menu is displayed (Figure 2-13).

    Figure 2-13 Manage the Administration Web Server Menu

  2. From the Manage the Administration Web Server menu, choose View Server Reports and Log Files. The Report and Log Files for the Administration Web Server menu is displayed (Figure 2-14). This menu contains more reports than listed on the Reports and Log Files for the Public Web Server menu.

    Figure 2-14 Reports and Log Files for the Administration Web Server Menu

  3. From the Reports and Log Files for the Administration Web Server menu, click on Generate a Summary Report.

    For your convenience, a link to the Analog HTML documentation is also provided at the bottom of the page; look for “This analysis was produced by analog x.xx”, where x.xx indicates the version number.

    The activity reports are generated using analog, an Open Source utility that analyzes log files. The analog configuration file is located in /usr/internet/httpd/admin/analog/analog.cfg.

    Table 2-10 describes the various activity reports that you can generate for the public and administration instances of the Secure Web Server:

Table 2-10 Activity Reports for the Secure Web Servers

Report: Summary Report
Description: For the time period shown at the top of the page, the following statistics are shown: the total requests that were completed, failed, and redirected; the number of distinct hosts served; the number of corrupt log file entries; and the total bytes transferred.

Report: Monthly Report
Description: Shows how many requests were processed by month.

Report: Daily Summary Report
Description: Shows how many requests were processed each day since the last time the server was started.

Report: Hourly Summary Report
Description: Shows how many requests were processed each hour.

Report: Domain Report
Description: Shows all domains with any traffic, sorted by amount of traffic.

Report: Directory Report
Description: Shows all directories to depth 1 with at least 0.01% of the traffic, sorted by amount of traffic.

 

For more information, visit the analog Web site:

http://www.analog.cx

Refreshing the Administration Web Server Log Files

To refresh the access log, the error log, or both, follow these steps:

  1. From the Secure Web Server Administration menu, choose the server for which you want to refresh the log files; for example, the Administration Web Server. The Manage the Administration Web Server menu is displayed. (See Figure 2-13.)

  2. From the Manage the Administration Web Server menu, choose Refresh Server Log Files.

  3. On the Refresh Server Log Files form, select the check box corresponding to the log file you want to refresh. You can select one or more files.

  4. Click on Submit.

    For each log file you select, the Web Server Administration utility makes a backup copy of the log file and creates an empty file to replace it. The Web Server Administration utility also restarts the httpd server daemon.

Starting and Stopping the Secure Web Server

To stop or restart the Secure Web Server instances:

  1. From the Web Server Administration menu, choose the server you want to start or stop; for example, the Administration Web Server. The Manage the Administration Web Server menu is displayed (Figure 2-13).

  2. From the Manage the Administration Web Server menu, choose Start/Stop the Administration Web Server.

    If the server is running, the Web Server Administration utility shows you the current status of the server and offers the following operations:

    • Stop—Shuts down the server daemon listening on the port shown in the title of the form. Use this operation to prevent the server from responding to requests.

    • Restart—Restarts the server daemon listening on the port shown in the title of the form. Use this operation to enable any change to the server configuration files.

    Figure 2-15 shows the Start/Stop the Administration Web Server form when the server is running.

    Figure 2-15 Start/Stop the Administration Web Server Form


    If the server is not running, the utility offers the following control operations:

    • Start — Starts the server daemon listening on the port shown in the title of the form.

    • Restart — Stops and restarts the server daemon listening on the port shown in the title of the form. Use this operation to enable any change to the server configuration files.

  3. Click on the button corresponding to the operation you want to perform. The Web Server Administration utility confirms the request and performs the operation.

The Start/Stop form for Public Web Server 1.3 or Public Web Server 2.0 offers the following additional control operation:

Save Options — Saves the Web server daemon command line options. The options are displayed in the text field labeled "Start with options" in the Start/Stop form. Changing the options displayed in the "Start with options" text field changes the options that will be saved. These options take effect the next time the Web server is started. Clicking on the Start or Restart button in the form also saves the displayed options.

Changing the Password for the Administration Web Server

To change the password used for the Administration Web Server:

  1. From the Web Server Administration menu, choose Change the Password for All Administration Servers. The Change the Password for All Administration Servers form is displayed (Figure 2-16).

    Figure 2-16 Change the Password for All Administration Servers Form

  2. Enter the new password in the New Password field and again in the Verify New Password field.

  3. Click on Submit. The new password takes effect immediately.

If you decide not to change the password, cancel the operation by clicking on one of the following:

  • The Clear button at the bottom of the form

  • One of the links on the navigation bar at the top of the form to go to another Administration menu

Allowing Remote Access to the Administration Web Server

The installation procedure installs the Administration Web Server on port 8081 and initially allows access to the server from the local system only.

Note:

Using a Web server on a remote system to manage user accounts and other system services poses a security risk. That is, unless the Secure Socket Layer (SSL) is enabled on your Web server, all data, including passwords, is transmitted between the Web server and the browser in clear text. This unencrypted data is subject to interception by network snooping.

Carefully evaluate the security risks to your system before you enable remote access to the Administration utility or other server administration. See Chapter 5 for information on setting up your Web server with SSL.

To allow access to the Administration Web Server from remote systems:

  1. From the Web Server Administration menu, choose Manage the Administration Web Server. The Manage the Administration Web Server menu is displayed (Figure 2-13).

  2. From the Manage the Administration Web Server menu, choose Change Configuration Parameters. The Change Administration Web Server Configuration Parameters menu is displayed (Figure 2-17).

    Figure 2-17 Change Administration Web Server Configuration Parameters Menu

  3. From the Change Administration Web Server Configuration Parameters menu, choose Change Access Control Entries (Figure 2-3).

  4. On the Change Access Control Entries menu, select Directory /usr/internet/httpd/admin/htdocs from the Existing Access Control Entries list box, then click on Modify. The Modify Administration Web Server Access Control Entry form is displayed (Figure 2-18).

    Figure 2-18 Modify Administration Web Server Access Control Entry Form

  5. In the Hosts Allowed Access field, enter one of the following:

    • host.domain.name for a specific host

    • .domain.name for a specific domain

    • all for any remote host

    For more information on the Allow command, see the Apache documentation at the following Web site:

    http://www.apache.org/

  6. Click on Submit.

    The Web Server Administration utility displays a confirmation message.

  7. On the confirmation page, click on Submit to reload the Administration Web Server configuration file.
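After the configuration file is reloaded, the access control entries can be reviewed in the file itself. The following Python script is an added example, not part of the Secure Web Server software: it reports where the Administration document root, or the Location /server-status and Location /server-info entries mentioned earlier in this chapter, admit a whole domain or any host. It assumes the form writes the Hosts Allowed Access values as Apache Allow from lines; the sample configuration, including its Order and Deny lines, is constructed.

```python
import re

SECTION_OPEN = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>', re.I)
SECTION_CLOSE = re.compile(r"</(Directory|Location)\s*>", re.I)

# Entries this chapter names: the Administration document root and the status locations.
SENSITIVE = ("/usr/internet/httpd/admin/htdocs", "/server-status", "/server-info")

def classify_host(entry):
    """Map an Allow value to the three forms accepted in Hosts Allowed Access."""
    entry = entry.lower()
    if entry == "all":
        return "any-host"      # all: any remote host
    if entry.startswith("."):
        return "domain"        # .domain.name: every host in the domain
    return "host"              # host.domain.name: one specific host

def allowed_hosts(conf_text):
    """Return {section_path: [Allow values]} for Directory and Location sections."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = SECTION_OPEN.match(line)
        if opened:
            current = opened.group(2).strip()
            sections.setdefault(current, [])
        elif SECTION_CLOSE.match(line):
            current = None
        elif current and re.match(r"allow\s+from\s", line, re.I):
            sections[current].extend(line.split()[2:])
    return sections

def audit(conf_text):
    """List (path, value, scope) for sensitive sections opened beyond single hosts."""
    return [(path, value, classify_host(value))
            for path, values in allowed_hosts(conf_text).items()
            for value in values
            if path in SENSITIVE and classify_host(value) != "host"]

# Constructed sample configuration; the Order and Deny lines are assumptions.
SAMPLE_CONF = """\
<Directory /usr/internet/httpd/admin/htdocs>
    Order deny,allow
    Deny from all
    Allow from localhost .domain.name
</Directory>
<Location /server-status>
    Allow from all
</Location>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Run the check against each configuration file listed in Table 2-1, because the Administration and public Web servers keep their access control entries in separate files.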

Dynamically Adding and Removing Server Modules

This section describes how to dynamically add or remove server modules. Appendix A lists the standard Apache Version 1.3 modules and Appendix B lists the standard Apache Version 2.0 modules provided with this release.

To dynamically add or remove server modules, follow these steps:

  1. From the Secure Web Server Administration menu, choose the server for which you want to refresh the log files; for example, the Administration Web Server. The Manage the Administration Web Server menu is displayed. (See Figure 2-13.)

  2. From the Manage the Administration Web Server menu, choose Manage Public Web Server 2.0.

  3. On the Manage Public Web Server page, choose Dynamically Add/Remove Server Modules.

    A form (Figure 2-19) is displayed that shows the available server modules.

    Figure 2-19 Dynamically Add/Remove Server Module Form

  4. To add a server module, check the corresponding check box. To remove a server module, uncheck the corresponding check box.

  5. Click on Submit.

Not all modules can be added or removed. If the add/remove operation reports an error, check the module error log.