Uzbekistan, Bukhara, Bukhara Institute of High Technologies, 2013
Basic network access: servers
Access control
Sometimes you want to restrict access to a web server, either for specific directories or for the web site as a whole. apache has a number of options to limit access. One possibility is to set options in /usr/local/etc/apache/httpd.conf to cover an individual host, but this is seldom useful. It's more likely that you will want to restrict access to specific directories, and it's easier to do that in the file .htaccess in the same directory.
For apache to even look at .htaccess, however, you need to change the configuration file: by default, it disables the use of .htaccess altogether, as we saw above:
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
For it to work, you'll have to change the AllowOverride parameter to some other value. There are five categories of entries that you can allow in .htaccess files:
- AuthConfig allows .htaccess to include authorization directives.
- FileInfo allows the use of directives controlling document types.
- Indexes allows the use of directives controlling directory indexing.
- Limit allows the use of directives controlling host access.
- Options allows the use of directives controlling specific directory features.
You can find more details in /usr/local/share/doc/apache/manual/mod/core.html.
The most common use of the .htaccess is to require that users authorize themselves before accessing a directory. In this case, the browser will pop up a window like this:
To achieve this, add something like this to your .htaccess file:
AuthType Basic
AuthName grog
AuthDBUserFile /usr/local/etc/apache/passwd
Require valid-user
This method is similar to normal login authentication. You need a password file, which you can create and update with dbmmanage:
# dbmmanage /usr/local/etc/apache/passwd adduser grog
New password:
Re-type new password:
User grog added with password encrypted to OzREW8Xx5hUAs using crypt
# dbmmanage /usr/local/etc/apache/passwd adduser guest
New password:
Re-type new password:
User guest added with password encrypted to hFCYwd23ftHE6 using crypt
This adds passwords for users grog and guest. The AuthName suggests a name to authenticate, but Require valid-user states that it can be any user. Even if you don't care which user logs in, you need to specify an AuthName line. If you do insist that only user grog can log in, you can write:
Require user grog
This will fail the authentication for any other user. You can also specify a list of users or groups. For example, you might add the following line:
AuthGroupFile /usr/local/etc/apache/group
Require group bigshots
/usr/local/etc/apache/group might then contain:
bigshots: davidb davidp gordon grog liz malcolm
This will allow any of the users specified on this line to access the directory.
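The following is an added example, not code from the book: a small Python model of how the Require directives above are evaluated against the group file, including the caveat that an AllowOverride None block makes apache ignore .htaccess entirely. The sample .htaccess and group file are constructed from the text; the user is assumed to have already authenticated against the password file.

```python
import re

# Constructed sample input, taken from the directives shown in the text.
HTACCESS = """\
AuthType Basic
AuthName grog
AuthDBUserFile /usr/local/etc/apache/passwd
AuthGroupFile /usr/local/etc/apache/group
Require group bigshots
"""
GROUP_FILE = "bigshots: davidb davidp gordon grog liz malcolm\n"


def parse_groups(text):
    """Parse an AuthGroupFile: one 'name: member member ...' line per group."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups


def parse_require(htaccess):
    """Return (kind, args) for every Require line, e.g. ('group', ['bigshots'])."""
    rules = []
    for line in htaccess.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "require":
            rules.append((parts[1].lower(), parts[2:]))
    return rules


def authorized(user, htaccess, groups_text):
    """True if any Require line admits the (already authenticated) user.
    No matching line means the request is refused."""
    groups = parse_groups(groups_text)
    for kind, args in parse_require(htaccess):
        if kind == "valid-user":
            return True                      # any user in the password file
        if kind == "user" and user in args:
            return True                      # named explicitly
        if kind == "group" and any(user in groups.get(g, ()) for g in args):
            return True                      # member of a listed group
    return False


def htaccess_honoured(directory_block):
    """False when the enclosing <Directory> says AllowOverride None: apache then
    never reads .htaccess, so the Require lines above silently have no effect.
    Assumes apache 1.3's built-in default (All) when the directive is absent."""
    m = re.search(r"^\s*AllowOverride\s+(.+?)\s*$", directory_block, re.M)
    return m is None or m.group(1).lower() != "none"
```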
Apache modules
apache offers a large quantity of optional functionality, which it provides in the form of dynamically loadable modules. We've seen above that there are two long lists of module names in /usr/local/etc/apache/httpd.conf; the first starts with LoadModule and tells httpd which dynamic modules to load. The order is important; don't change it.
Proxy web servers
Apache is capable of operating as a proxy server: it can accept requests for web pages of other systems. This can be an alternative to a general IP aliasing package such as natd (see page 393) if you need it only for web access. It's also useful in conjunction with caching.
Unfortunately, by default the current version of Apache does not support proxy servers. You need to rebuild the package manually after enabling it in the configuration file. See the file INSTALL in the port build directory for more details. This file will be present after building Apache from source, and it will have a name like /usr/ports/www/apache13/work/apache1.3.23/src/INSTALL. In addition to reinstalling the server with code for proxy serving, you must set ProxyRequests to On to enable the proxy server.
Caching
One reason for enabling the proxy server is to cache data requests. Caching keeps pages requested through the proxy and presents them again if they are requested again. This is particularly useful if the server serves a large number of people who communicate with each other and are thus likely to request many of the same pages.
The Cache parameters are commented out by default. If you uncomment them, you should uncomment them all except possibly NoCache. When setting these values, change the name of the directory CacheRoot. A good name might be /usr/local/www/proxy.
Running apache
When you install apache, it installs the file /usr/local/etc/rc.d/apache.sh, which automatically starts apache at boot time. If you don't want to start it automatically, remove this file. You can start and stop apache manually with the apachectl program, which takes a command parameter:
# apachectl start         start httpd
# apachectl stop          stop httpd
# apachectl restart       restart httpd, or start if not running
# apachectl graceful      restart httpd "gracefully," or start if not running
# apachectl configtest    do a configuration syntax test
The difference between a normal and a "graceful" restart is that the graceful restart waits for existing connections to complete before restarting the individual server processes. Unless you're in a big hurry, use the graceful restart.
NFS server
A number of processes are needed to provide NFS server functionality:
- The NFS daemon, nfsd, is the basic NFS server.
- The mount daemon, mountd, processes mount requests from clients.
- The NFS lock daemon, rpc.lockd, processes lock requests for NFS file systems. There are still a lot of problems with this function on all platforms. It's best to avoid it if you can.
- The status monitoring daemon, rpc.statd, provides a status monitoring service.
In addition:
- Since NFS uses Remote Procedure Calls (RPC), the rpcbind daemon must be running. rpcbind is not part of NFS, but it is required to map RPC port numbers to IP service numbers. In previous releases of FreeBSD, this function was performed by the portmap daemon. It has not been renamed; it has been replaced.
- The server needs a file /etc/exports to define which file systems to export and how to export them. We'll look at this in the next section.