Introduction: Over the year’s internet and the internet based applications had revolutioned our life. They had created many new global business opportunities for enterprises conducting online business. However, the security risks associated with conducting e-business have resulted in security becoming a major factor for online success or failure.
Any high-profile hacking attack has proven that web security still remains a serious issue for any business that’s running its operations online. Web servers are one of the most targeted public faces of an organization, because of the sensitive data they usually host. Hence, securing web server is as important as securing the website or web application itself. If we have a secure web application and an insecure web server, or vice versa, it still puts business at a huge risk. Therefore, it is important for us to have a secured web server.
What is a Web Server?? A Web Server can be defined as an HTTP protocol dependant server used for re-direction of the client requests to the appropriate application servers. Following is the pictorial representation of the purpose of a web server:
*Security Implementation in Apache Web Server: Below is the schematic representation of the communication with a secured web server.
The security implementation inside the web server is implemented in two different steps:-
1) Installation of SSL Certificate
2) By following the security guide lines
Installation of certificate:- The installation of the SSL certificates for apache servers involves the following stages:
1. Create a Certificate Signing Request (CSR)
2. Apply online
3. Installing your Certificate
4. Displaying your Secure Site Seal
For a webserver generate a CSR and a private key, use the following command: openssl req -config openssl.cnf -new -out my-server.csr
2. Removes the pass phrase from the private key because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key using the command:
rsa -in privkey.pem -out my-server.key
3. Use the below command to generate the self signed certificate (later replace this with the certificate from Certifying Authority)
Restart the Apache server and access the applications with the SSL mode.
Following are some of the tips and guidelines implementing, will help our apache servers to be more and more secured:-
1) Update the Apache Server with the latest security patched and fix pack. (stable version of Apache)
2) Hide the Apache Version number, and other sensitive information as below inside httpd.conf:
<strong><span style="text-decoration: underline">Note</span></strong>: ServerSignature Off tells apache not to display the server version on error pages, or other pages it generates.
ServerTokens Prod tells apache to only return Apache in the Server header, returned on every page request.
3) Many at times the apache installation run as anonyms or root, make sure that the apache is running under its own user account and group. You can check this information in httpd.conf:
4) Make sure that apache doesn’t use/access any of the files outside its web root directory (this is the location where we have all of apache files):
Deny from all
Allow from all
5) In typical operation, Apache is started by the root user. Set the right permissions on ServerRoot Directories as follows:
mkdir /usr/local/apache cd /usr/local/apache mkdir bin conf logs chown 0 . bin conf logs chgrp 0 . bin conf logs chmod 755 . bin conf logs
6) **Server Side Includes (SSI) presents an administrator with several potential security risks like increased load on the server, etc. Hence, turn off server side includes by Options directive inside a Directory tag inside the httpd.conf file. Set Options to either None or –Includes.
7) Allowing users to execute ***CGI scripts in any directory should only be considered if:
Ø You trust your users not to write scripts which will deliberately or accidentally expose your system to an attack.
Ø You consider security at your site to be so feeble in other areas, as to make one more potential hole irrelevant.
Ø You have no users, and nobody ever visits your server
8) Watch logs to keep up-to-date about what is actually going on against your server you have to check the Log Files. They will give you some understanding of what attacks is thrown against the server and allow you to check if the necessary level of security is present.
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache
<em><span style="text-decoration: underline">Note</span></em>: /usr/local/apache is Apache installation directory
9) Lower the time out and restrict request body requests as follows:
10) Restrict the accessing of resource by using the IP restriction:
Deny from all
Allow from 127.0.0.1
Note: **Server Side Include page is typically an HTML page with embedded command(s) that are executed by the Web server.
***CGI program is any program designed to accept and return data that confirms to the CGI specification. The program could be written in any programming language, including C, Perl, Java, or Visual Basic. CGI programs are the most common way for Web servers to interact dynamically with users
Apache is case sensitive. When you application is hosted in case-insensitive webserver(like IIS) and moved to case-sensitive webserver (like Apache) you may get some problems related to non availability of URLS(HTTP 404 error). Apach provides a module which helps to make URLs case-insensitive.
Open httpd.conf(your apache configuration file) and find out the below line
LoadModule speling_module modules/mod_speling.so
If the above module is avilable with your apache, turn on the CheckSpelling directive
How to monitor Apache server status?
There is a built in module mod_status available in apache which helps to get server status from a web browser
To monitor Apache webserver,
Open httpd.conf(Placed at <Apache Install Dir>/conf/httpd.conf)
Set the Location directive as below. It will alow only from 18.104.22.168
Deny from all
Allow from 22.214.171.124
Set ExtendendStatus to on
Save the httpd.conf and restart the webserver
Now you can monitor your apache webserver with http://servername/server-status from 126.96.36.199 browser
How to know whether a library is built on 32-bit or 64-bit?
The term “Proxy Servers” is mostly popular among our middleware techies as: “Server which forwards the request”.
But, for simple multiple reasons, this one lined defined server is vastly used in each and every environment in multiple forms like Forward Proxy Server, Reverse Proxy Server and Open Proxy Server.
The basic purpose of this document is to cover what is a proxy server, understanding of different proxy servers, configuration of Reverse proxy server.
Defining Proxy Server: Proxy Server is an intermediary server between your web browser (client) which requests for some information/data and your server (web server/Application server) that process the data.
Following is the schematic representation of the proxy server:-
Types of Proxy Server: They are three different types of proxy servers. They are as follows:
1) Forward Proxy Server
2) Open Proxy Server
3) Reverse Proxy Server
Forward Proxy Servers: Forward Proxy Server is a server which forwards the request from the intranet clients (web browser) to the internet servers. These proxy servers are present in the same network of your client. Schematically, we can represent any forward proxy servers as follows:
Open Proxy Server: An open proxy is a proxy server which is accessible by any Internet user. Any proxy server that doesn’t restrict its client base to its own set of clients and allows any other client to connect to it is known as an “Open Proxy”. An anonymous open proxy allows users to conceal their IP address while browsing the Web or using other Internet services. They are in numerous open proxy servers present in Internet. For converting any flavor of proxy servers to Open Proxy servers we just have to enable the flag “ProxyRequests On” in the configuration file.
Following is the pictorial view of understanding our open proxy servers:
Reverse Proxy Server: A Proxy Server which takes requests from external clients (web browsers) or Internet and forwards them to servers in an internal network is called as Reverse Proxy Server. Generally, the reverse proxy servers are present in the same network where we have our App/Web servers.
Schematically we can represent all of our reverse proxy servers as follows:
After understanding the different types of proxy servers lets try knowing more about reverse proxy servers especially the advantages and configuration of proxy servers.
Advantages of using Reverse Proxy Servers:
The various advantages of using the proxy servers are as follows:
3) Bypassing filters and censorship
4) Logging and eavesdropping
5) Gateways to private networks
6) Accessing services anonymously
Understanding and comparing these advantages with the other flavors of proxy servers every one of us would be interested to use the reverse proxy servers. So, lets try understanding how do we do the configuration of the reverse proxy servers.
Most of the present day proxy servers have the ability or the behavior to act as reverse proxy servers with an addition of a small module. Since, discussing about the configuration of all of those reverse proxy server with weblogic server wouldn’t be possible, this document restricts its scope only to Apache Server.
Configuration of Apache Reverse Proxy Server with Weblogic Server:
To begin the configuration of apache reverse proxy server, Lets consider a public site http://weblogic-wonders.com (or an application you deployed on cluster) which has a public IP and DNS entry and could be accessed across the globe.
Let’s consider that the application server on which this site is hosted is our weblogic application server having the two instances weblogic_Instance1.com,weblogic_Instance2.com.
Following are the steps for configuring the apache proxy server with weblogic servers:-
1) Post installing and creating a domain in weblogic server copy mod_wl_20.so file from weblogic server to apache server modules folder.
2) Download libxml2 (version shouldn’t be older than 2.6) from http://xmlsoft.org and install it.
3) Copy and paste the file to the paths: /usr/lib/libxml2.so, with headers in /usr/include/libxml2/libxml/
Before we understand how to deal with the proxy plug-in we need to understand what these proxy plugin are, how are they different from web servers, where they are present, etc. Let’s try to discuss each of these in details.
Introduction to Proxy Plug-in: Proxy Plug-in are mainly used to re-direct the requests to the application server based on the configurations specified inside plug-in config file.
The advantages of using the proxy plug-in are as follows:
1) Re-direction of requests
2) Load Balancing of requests
3) Serves the static data (using the proxy cache)
Please find the below pictorial representation of a dynamic application server architecture containing the Proxy plug-in:
fig (a): proxy plug-in inside the dynamic application server architecture
Following are the list of proxy servers supported by Oracle BEA:-
1) IIS plug-in
2) Apache plug-in
3) Netscape/SunOne plug-in
As we can observe from the above pic, the proxy plug-in is always available inside the webservers. (They are different reasons for this)
Working with Proxy Plug-in related issues:
Following are most of the common problems/issues seen while working with the proxy plug-ins:
1) Uneven Load balancing of the HTTP requests
2) Frequent or unexpected session failover
3) Unexpected http status codes in HTTP responses like 400, 404, 500, 503, etc for which the diagnosing at the weblogic server didn’t gave any clue.
*Note: for most of these issues updating of your existing plug-in will resolve the issue.
Enable the following debug flags inside the proxy sever plug-in config files to get more information about the issue:
1) Set Debug=”ALL” : Enabling these debug flag will give more traces of the following information:
a) Headers sent to and from client.
b) Headers sent to and from WLS.
c) Information and error messages
2) Set DebugConfigInfo=”ON”:Enabling this flag will help the plug-in to log the following information:
a) Returns the config information and runtime statistics to the browser
b) Responds to the request that contain the string _WebLogicBridgeConfig
c) Append the string _WebLogicBridgeConfigPath at the end of the URL.
Following is the example on how to use _WebLogicBridgeConfig:– http://hostname:portNo/contextPath/servletPath/pathInfo_WebLogicBridgeConfig
Executing the above URL will give the output that contains the complete information about the proxy plug-in like number if requests handled, max response time, min response time, time out, etc
Note: Enabling any of the above parameters would require a server restart.
After enabling the above debug flags the output would by default routed to the following files depending up on the OS we are using:
1) UNIX( related OS): /tmp/wlproxy.log
2) Windows (related OS): C:\TEMP\wlproxy.log
Depending up on the Web Server we are using the proxy plug-in file name could be any of these two: