T-110.5100 Laboratory Works in Datacommunications Software (4 cr)

Lab 5: Web server


Description Of The Exercise 

In this exercise, you will familiarize yourself with some basic features of Apache and its modules. In addition, one useful SSH feature (port forwarding) is covered here.

Please note that this is an extra round for students who wish to improve their grade. This is why the exercises contain a bit of extra challenge: you may need to find more information on your own, or meet the assistant to ask for further help. Furthermore, we will also ask questions beyond the written ones.

1. Preparation


You will need only one machine of your choice to complete this assignment.

Ensure that you have Apache 2 installed together with the fcgid and php5 modules. The usual CGI module comes with Apache by default. In addition, install libfcgi-perl for counter.pl.

Shut down any other web servers that you might be running on your virtual machine. Set up SSH port forwarding so that you can test the server from your local machine (over loopback) with your favourite web browser.

2. Serve pages from users' home directories


Configure Apache to serve files from the public_html directory in users' home directories; use the home directory of the user "labrat" in this exercise. Inside public_html, all restrictions should be done locally, i.e., with .htaccess, without restarting Apache. Make sure you understand why Apache behaves as it does!

  • Add a greeting to "index.html".
  • Type "wget https://playground.cs.hut.fi/t-110.5100_2010/problematic.txt" to fetch a text file from another server. Then open the file in your browser: it should read "säätö on hyvästä".
  • Create a new subdirectory "secrets". Disable listing the contents of this particular subdirectory when a user points his/her browser at it.
  • Make a new subdirectory "secrets_with_pass". Set up a username/password pair for it using "plain" (HTTP Basic) authentication.
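
As an added worked example (not part of the course material), the following shell script writes the server-side UserDir configuration and the per-directory .htaccess files for the labrat layout above. It assumes Apache 2.2 on Debian (/etc/apache2, a2enmod), that problematic.txt is UTF-8 (check with "file problematic.txt"), and uses openssl in place of htpasswd to hash the password; the paths, user name and password are illustrative.

```shell
# Added example, not course material. Assumes Debian-style Apache 2.2,
# a UTF-8 problematic.txt, and openssl for password hashing (htpasswd -m
# produces the same $apr1$ format). Paths and the password are illustrative.
set -eu

# Server-side prerequisite (root, then "a2enmod userdir" and a reload).
# mod_userdir maps http://host/~user/ to ~user/public_html; AllowOverride
# decides which .htaccess directives Apache honours. Without the right
# override class a .htaccess is ignored or yields a 500 for an unknown
# directive, which is the usual reason a per-directory setting "does nothing".
write_userdir_conf() {
  cat <<'EOF' > "$1"
<IfModule mod_userdir.c>
    UserDir public_html
    UserDir disabled root

    <Directory /home/*/public_html>
        # Indexes: Options -Indexes   AuthConfig: AuthType/Require
        # FileInfo: AddCharset/SetHandler/Rewrite*   Limit: Allow/Deny
        # Options: Options +ExecCGI
        AllowOverride AuthConfig FileInfo Indexes Limit Options
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>
EOF
}
# write_userdir_conf /etc/apache2/mods-available/userdir.conf

# Everything below is per-directory and takes effect on the next request.
# $1 = public_html path, $2 = user name, $3 = password
setup_public_html() {
  pub=$1; user=$2; pass=$3
  mkdir -p "$pub/secrets" "$pub/secrets_with_pass"

  printf '<html><body><h1>Hello from %s</h1></body></html>\n' "$user" > "$pub/index.html"

  # Apache sends *.txt as text/plain with no charset unless told otherwise;
  # the browser then guesses and mangles "säätö on hyvästä". Declare the
  # encoding the file actually has.
  cat <<'EOF' > "$pub/.htaccess"
AddCharset UTF-8 .txt
EOF

  # No index.html here and no automatic listing either: a request for the
  # directory itself now gets 403 instead of a file list.
  cat <<'EOF' > "$pub/secrets/.htaccess"
Options -Indexes
EOF

  # Basic ("plain") authentication: the browser sends user:password
  # base64-encoded on every request, so this only makes sense over HTTPS.
  # The password file lives outside the web root so it cannot be downloaded.
  hash=$(openssl passwd -apr1 "$pass")
  printf '%s:%s\n' "$user" "$hash" > "$pub/../.htpasswd"
  cat <<EOF > "$pub/secrets_with_pass/.htaccess"
AuthType Basic
AuthName "Lab secrets"
AuthUserFile $(cd "$pub/.." && pwd)/.htpasswd
Require valid-user
EOF
}
# Usage: setup_public_html /home/labrat/public_html labrat 's3cret'
# (equivalent to: htpasswd -c /home/labrat/.htpasswd labrat)
```

Because the password file is referenced by absolute path, moving the home directory means editing the .htaccess; a 500 with "AuthUserFile: No such file" in the error log is the symptom.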

2.1 What's the magic with "index.html"? 1p
2.2 Why isn't everything quite right with problematic.txt? How do you fix the issue? 1p
2.3 What is MIME? 2p
2.4 How does authentication work with Apache? 1p

3. Configuring SSL

Start by creating your own CA with a 2048-bit key, then create a server certificate signed by this CA. Configure Apache to use this certificate for HTTPS traffic. Set up another SSH port forwarding (for port 443) to test HTTPS over loopback.
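
The procedure above, as an added worked example that is not part of the course material: a private CA, a server certificate issued by it, the verification step, and the Apache virtual host that uses the result. It assumes OpenSSL 1.1.1 or later, that the server is reached as "localhost" through the SSH tunnel (so that is the name put in the certificate), and Debian-style paths for the Apache side; the directory names are illustrative.

```shell
# Added example, not course material. Assumes OpenSSL >= 1.1.1 and that
# the browser reaches the server as "localhost" via the SSH tunnel.
set -eu

make_lab_pki() {
  dir=$1
  mkdir -p "$dir"

  # 1. CA: 2048-bit RSA key and a self-signed certificate. The
  #    basicConstraints/keyUsage extensions are what make it a CA in the
  #    eyes of a verifier; a plain self-signed leaf is not accepted as issuer.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new -key "$dir/ca.key" -subj "/CN=Lab CA" -out "$dir/ca.csr"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
      -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # 2. Server key and a certificate signing request (CSR). The request
  #    carries the public key and the requested subject, never the private key.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=localhost" -out "$dir/server.csr"

  # 3. The CA signs the CSR. Browsers match the host name against
  #    subjectAltName, not CN, so add it explicitly; extendedKeyUsage marks
  #    the certificate as usable by a TLS server.
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

  # Private keys must not be world-readable; Apache reads them as root at start-up.
  chmod 600 "$dir/ca.key" "$dir/server.key"

  # 4. Check the chain the way mod_ssl and the browser will.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt"
}

# Apache side: one HTTPS virtual host. Import ca.crt into the browser as a
# trusted root (or expect a warning), tunnel with
#   ssh -L 8443:127.0.0.1:443 labrat@vm
# and open https://localhost:8443/~labrat/ . $1 = output file, $2 = key dir
write_ssl_vhost() {
  cat <<EOF > "$1"
<VirtualHost *:443>
    ServerName localhost
    SSLEngine on
    SSLCertificateFile      $2/server.crt
    SSLCertificateKeyFile   $2/server.key
    # Lets clients that do not know the CA build the chain; harmless otherwise.
    SSLCertificateChainFile $2/ca.crt
</VirtualHost>
EOF
}
# Usage: make_lab_pki /etc/apache2/ssl
#        write_ssl_vhost /etc/apache2/sites-available/lab-ssl /etc/apache2/ssl
#        a2enmod ssl && a2ensite lab-ssl && /etc/init.d/apache2 restart

if [ $# -gt 0 ]; then
  make_lab_pki "$1"
fi
```

The "openssl verify" line is the check worth keeping: if it fails here it will fail in the browser too, and the reason (missing CA:TRUE, wrong name, expired) is far easier to read from openssl than from a browser warning page.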

3.1 Explain your solution 1p
3.2 What information can a certificate include? What is necessary for it to work in the context of a web server? 1p
3.3 What does it mean to request a certificate? 1p

4. Enforcing HTTPS

Create yet another subdirectory called "secure_secrets" in the public_html directory of the "labrat" user. Require HTTPS for this directory by using mod_rewrite and .htaccess, so that Apache redirects "http://localhost/~labrat/secure_secrets" to "https://localhost/~labrat/secure_secrets". Please note that this is a bit more complicated to test through the SSH forwarding, so just test it locally with lynx or netcat on the virtual machine.
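
An added worked example (not part of the course material) for this step: the .htaccess that redirects plain-HTTP requests, the HSTS header for the HTTPS side, and a small checker for the raw reply you get back from netcat. It assumes mod_rewrite and mod_headers are enabled (a2enmod rewrite headers), that AllowOverride includes FileInfo, and the URL http://localhost/~labrat/secure_secrets/; the sample replies fed to the checker are constructed, not captured from a server.

```shell
# Added example, not course material. Assumes mod_rewrite + mod_headers
# and AllowOverride FileInfo for the public_html tree.
set -eu

write_https_only_htaccess() {
  cat <<'EOF' > "$1/.htaccess"
RewriteEngine On
# %{HTTPS} is "on" only for requests that arrived over TLS. REQUEST_URI
# keeps the full path (/~labrat/secure_secrets/...) so the redirect lands
# on the same resource; R=301 makes it permanent, L stops further rewriting.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

# HSTS belongs in the HTTPS virtual host only: browsers ignore the header
# over plain HTTP, and a redirect alone still leaves the very first plain
# request open to interception. Use a short max-age while testing, since
# a browser that has cached a long one will refuse http:// until it expires.
write_hsts_snippet() {
  cat <<'EOF' > "$1"
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=600"
</IfModule>
EOF
}

# Local test without the tunnel:
#   printf 'GET /~labrat/secure_secrets/ HTTP/1.0\r\nHost: localhost\r\n\r\n' \
#     | nc localhost 80 > reply.txt
# is_https_redirect reply.txt  -> exit 0 iff a 301/302 to https:// came back
is_https_redirect() {
  head -n 1 "$1" | grep -Eq '^HTTP/1\.[01] 30[12] ' || return 1
  grep -Eiq '^Location: https://' "$1"
}

# Constructed sample replies for a stand-alone run of the checker.
demo() {
  t=$(mktemp)
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://localhost/~labrat/secure_secrets/\r\n\r\n' > "$t"
  if is_https_redirect "$t"; then echo "redirect: ok"; fi
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' > "$t"
  if ! is_https_redirect "$t"; then echo "no redirect: secret still served over plain HTTP"; fi
  rm -f "$t"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

A 200 from the plain-HTTP probe means the rewrite never ran: the usual causes are mod_rewrite not loaded, or AllowOverride without FileInfo, in which case the error log shows "RewriteEngine not allowed here".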

4.1 Demonstrate the concept. 1p
4.2 What is HSTS? 1p

5. Dynamic content


  • Create a new subdirectory called "dynamic" in the public_html directory. Allow access to this directory only from localhost and test the access control, e.g., from another virtual machine with lynx.
  • Fetch "https://playground.cs.hut.fi/t-110.5100_2010/hello.c" into this directory and compile it ("gcc -o hello hello.c"). Use .htaccess so that only the compiled binary is handled by cgi-script. Then view the output in a web browser.
  • Fetch "https://playground.cs.hut.fi/t-110.5100_2010/counter.pl" into the directory and configure .htaccess so that it is run via fcgid.
  • Fetch "https://playground.cs.hut.fi/t-110.5100_2010/fileserver.phps" into the directory and rename it to "fileserver.php". If needed, do some configuration for mod_php. Then exercise the fileserver script a bit.

5.1 How do the approaches of mod_cgi, mod_fcgid and mod_php differ from each other? 2p
5.2 What are the security considerations for these techniques? How do they differ if the server is shared or dedicated? 1p
5.3 How does the counter work? What is the flaw in it? 1p

6. Additional questions
6.1 When to use .htaccess? In contrast, when not to use it? 1p
6.2 What kind of solution would you use to run a Python application as a web service? 1p
6.3 What do GET and POST mean in HTTP? What else can you do with HTTP? What is REST? 2p