EXPERIMENT NO: 09
INSTRUCTOR: Ali Ashraf Molla
EXPERIMENT NAME: Study on HTTP & FTP Server
HTTP server
An HTTP server is another term for a Web server. A Web server is a program that maps URL requests from a
Web client (typically a browser) to a resource that handles the request and returns a response to the client.
The client and the server use HTTP to communicate over a TCP connection (or, for HTTPS, over TLS carried on
top of TCP).
Apache is one of the most widely used Web servers in the world. It runs on most operating systems, including
Unix-based systems (such as Linux, Solaris, Digital UNIX and AIX), the BSD family (such as FreeBSD), BeOS,
Mac OS and Windows.
To configure an HTTP server we can build a network like the following (the topology diagram is not reproduced
here):
[Figure: network topology for the HTTP server experiment]
The following shows how to establish the connection between the switch and the router:
[Figure: switch-to-router connection]
The following shows how to establish the connection between the HTTP server and the router:
[Figure: HTTP server-to-router connection]
The following shows the IP configuration of the DNS server:
[Figure: DNS server IP configuration]
The following shows how to establish the connection between the DNS server and the router:
[Figure: DNS server-to-router connection]
The following shows the IP configuration of the DHCP server:
[Figure: DHCP server IP configuration]
The following shows the IP configuration of the HTTP server:
[Figure: HTTP server IP configuration]
The IP configuration of the PCs should be switched to DHCP so that addresses are assigned to them
automatically. The following shows the IP addresses of the PCs:
[Figure: IP addresses assigned to the PCs]
The following shows that the servers were configured successfully, since all of them answer a ping from the PCs:
[Figure: successful pings to all of the servers]
FTP Server
The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files
between a client and server on a computer network.
FTP is built on a client-server model architecture and uses separate control and data connections
between the client and the server. FTP users may authenticate themselves with a clear-text sign-in
protocol, normally in the form of a username and password, but can connect anonymously if the
server is configured to allow it. For secure transmission that protects the username and password, and
encrypts the content, FTP is often secured with SSL/TLS (FTPS). SSH File Transfer Protocol (SFTP)
is sometimes also used instead, but is technologically different.
To configure an FTP server we can build a network like the following (the topology diagram is not reproduced
here):
[Figure: network topology for the FTP server experiment]
The following shows the IP configuration of the FTP server:
[Figure: FTP server IP configuration]
The following shows the FTP service configuration on the server:
[Figure: FTP server service configuration]
The DHCP service should be turned 'on'.
The IP configuration of the PCs should be switched to DHCP so that addresses are assigned to them
automatically.
The following shows that the server was configured successfully, since we can log in to the FTP server from a
PC with different user accounts:
[Figure: FTP logins with different user accounts]
HTTPD - Apache2 Web Server
Apache is the most commonly used Web server on Linux systems. Web servers are used to serve Web pages
requested by client computers. Clients typically request and view Web pages using Web browser applications
such as Firefox, Opera, Chromium, or Internet Explorer.
Users enter a Uniform Resource Locator (URL) to point to a Web server by means of its Fully Qualified
Domain Name (FQDN) and a path to the required resource. For example, to view the home page of the Ubuntu
Web site a user will enter only the FQDN:
www.ubuntu.com
To view the community sub-page, a user will enter the FQDN followed by a path:
www.ubuntu.com/community
The most common protocol used to transfer Web pages is the Hyper Text Transfer Protocol (HTTP). HTTPS, which
is HTTP carried over a TLS connection (originally SSL, hence the name) so that the exchange is encrypted and
the server is authenticated, is also supported, as is the File Transfer Protocol (FTP), a protocol for uploading
and downloading files.
Apache Web Servers are often used in combination with the MySQL database engine, the HyperText
Preprocessor (PHP) scripting language, and other popular scripting languages such as Python and Perl. This
configuration is termed LAMP (Linux, Apache, MySQL and Perl/Python/PHP) and forms a powerful and robust
platform for the development and deployment of Web-based applications.
Installation
The Apache2 web server is available in Ubuntu Linux. To install Apache2, enter the following command at a
terminal prompt:
sudo apt install apache2
Configuration
Apache2 is configured by placing directives in plain text configuration files. These directives are separated
between the following files and directories:
1. apache2.conf: the main Apache2 configuration file. Contains settings that are global to Apache2.
2. httpd.conf: historically the main Apache2 configuration file, named after the httpd daemon. Now the file
does not exist. In older versions of Ubuntu the file might be present, but empty, as all configuration
options have been moved to the below referenced directories.
3. conf-available: this directory contains available configuration files. All files that were previously
in /etc/apache2/conf.d should be moved to /etc/apache2/conf-available.
4. conf-enabled: holds symlinks to the files in /etc/apache2/conf-available. When a
configuration file is symlinked, it will be enabled the next time apache2 is restarted.
5. envvars: file where Apache2 environment variables are set.
6. mods-available: this directory contains configuration files to both load modules and configure them. Not
all modules will have specific configuration files, however.
7. mods-enabled: holds symlinks to the files in /etc/apache2/mods-available. When a module
configuration file is symlinked it will be enabled the next time apache2 is restarted.
8. ports.conf: houses the directives that determine which TCP ports Apache2 is listening on.
9. sites-available: this directory has configuration files for Apache2 Virtual Hosts. Virtual Hosts allow
Apache2 to be configured for multiple sites that have separate configurations.
10. sites-enabled: like mods-enabled, sites-enabled contains symlinks to
the /etc/apache2/sites-available directory. Similarly when a configuration file in sites-
available is symlinked, the site configured by it will be active once Apache2 is restarted.
11. magic: instructions for determining MIME type based on the first few bytes of a file.
In addition, other configuration files may be added using the Include directive, and wildcards can be used to
include many configuration files. Any directive may be placed in any of these configuration files. Changes to
the main configuration files are only recognized by Apache2 when it is started or restarted.
The server also reads a file containing mime document types; the filename is set by the TypesConfig directive,
typically via /etc/apache2/mods-available/mime.conf, which might also include additions and
overrides, and is /etc/mime.types by default.
Basic Settings
This section explains the essential configuration parameters of the Apache2 server. Refer to the Apache2
documentation for more details.
1. Apache2 ships with a virtual-host-friendly default configuration. That is, it is configured with a single
default virtual host (using the VirtualHost directive) which can be modified or used as-is if you have a
single site, or used as a template for additional virtual hosts if you have multiple sites. If left alone, the
default virtual host will serve as your default site, or the site users will see if the URL they enter does not
match the ServerName directive of any of your custom sites. To modify the default virtual host, edit the
file /etc/apache2/sites-available/000-default.conf.
The directives set for a virtual host only apply to that particular virtual host. If a directive is set
server-wide and not defined within the virtual host settings, the default setting is used. For example,
you can define a Webmaster email address and not define individual email addresses for each
virtual host.
If you wish to configure a new virtual host or site, copy that file into the same directory with a name you
choose. For example:
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/mynewsite.conf
Edit the new file to configure the new site using some of the directives described below.
2. The ServerAdmin directive specifies the email address to be advertised for the server's administrator. The
default value is webmaster@localhost. This should be changed to an email address that is delivered to
you (if you are the server's administrator). Apache2 includes this address in the error pages it generates
only when the ServerSignature directive is set to EMail; on an Internet-facing server it is better to set
ServerTokens Prod and ServerSignature Off in /etc/apache2/conf-available/security.conf, so that neither
the Server response header nor the generated error pages reveal the Apache version and operating system.
Find the ServerAdmin directive in your site's configuration file in /etc/apache2/sites-available.
3. The Listen directive specifies the port, and optionally the IP address, Apache2 should listen on. If the IP
address is not specified, Apache2 will listen on all IP addresses assigned to the machine it runs on. The
default value for the Listen directive is 80. Change this to 127.0.0.1:80 to cause Apache2 to listen only
on your loopback interface so that it will not be available to the Internet, to (for example) 81 to change
the port that it listens on, or leave it as is for normal operation. This directive can be found and changed
in its own file, /etc/apache2/ports.conf
4. The ServerName directive is optional and specifies what FQDN your site should answer to. Apache2 selects
a virtual host by comparing the Host header of each request with the ServerName and ServerAlias values
of the virtual hosts listening on that address and port; the default virtual host sets no ServerName and,
because its file sorts first (000-default.conf), it answers every request that matches none of the others.
If you have just acquired the domain name ubunturocks.com and wish to host it on your Ubuntu server,
the value of the ServerName directive in your virtual host configuration file should be ubunturocks.com.
Add this directive to the new virtual host file you created earlier
(/etc/apache2/sites-available/mynewsite.conf).
You may also want your site to respond to www.ubunturocks.com, since many users will assume the
www prefix is appropriate. Use the ServerAlias directive for this. You may also use wildcards in the
ServerAlias directive.
For example, the following configuration will cause your site to respond to any domain request ending
in .ubunturocks.com.
ServerAlias *.ubunturocks.com
A wildcard alias also captures names you never intended to serve, so use it only where every subdomain
should map to the same content.
5. The DocumentRoot directive specifies where Apache2 should look for the files that make up the site. The
default value is /var/www/html, as specified in /etc/apache2/sites-available/000-
default.conf. If desired, change this value in your site's virtual host file, and remember to create
that directory if necessary!
Enable the new VirtualHost using the a2ensite utility and restart Apache2. Run apache2ctl configtest before
the restart: a syntax error in any enabled site file stops the whole server from starting, not just that site.
sudo a2ensite mynewsite
sudo systemctl restart apache2.service
Be sure to replace mynewsite with a more descriptive name for the VirtualHost. One method is to name the file
after the ServerName directive of the VirtualHost.
Similarly, use the a2dissite utility to disable sites. This can be useful when troubleshooting configuration
problems with multiple VirtualHosts:
sudo a2dissite mynewsite
sudo systemctl restart apache2.service
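The procedure above (copy 000-default.conf, set ServerName, ServerAlias and DocumentRoot, then enable the
site with a2ensite) as a small script. This is an added example, not part of the Ubuntu guide or of Apache's
own tooling. It writes the virtual host file to a configuration root given as an argument rather than straight
into /etc/apache2, so it can be tried in a scratch directory first, and it "enables" the site the way a2ensite
does, with a symlink from sites-enabled to sites-available. The Directory block it emits turns off directory
listings, CGI execution and server-side includes for the DocumentRoot and forbids .htaccess overrides. The
site name ubunturocks.com and the paths are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): generate and enable a hardened
# Apache2 virtual host. The configuration root is a parameter so that the
# functions can be tried in a scratch directory before touching /etc/apache2.

# make_vhost <apache_root> <server_name> <docroot> [alias ...]
# Writes <apache_root>/sites-available/<server_name>.conf and prints its path.
make_vhost() {
    root="$1"; name="$2"; docroot="$3"; shift 3
    aliases="$*"
    mkdir -p "$root/sites-available" "$root/sites-enabled"
    conf="$root/sites-available/$name.conf"
    {
        echo "<VirtualHost *:80>"
        echo "    ServerName $name"
        if [ -n "$aliases" ]; then
            echo "    ServerAlias $aliases"
        fi
        echo "    ServerAdmin webmaster@$name"
        echo "    DocumentRoot $docroot"
        echo ""
        echo "    # Per-directory hardening for the DocumentRoot: no directory"
        echo "    # listings, no CGI, no server-side includes, no .htaccess."
        echo "    <Directory $docroot>"
        echo "        Options -Indexes -ExecCGI -Includes"
        echo "        AllowOverride None"
        echo "        Require all granted"
        echo "    </Directory>"
        echo ""
        echo "    # Separate logs per site make incident review much easier."
        echo "    ErrorLog \${APACHE_LOG_DIR}/$name-error.log"
        echo "    CustomLog \${APACHE_LOG_DIR}/$name-access.log combined"
        echo "</VirtualHost>"
    } > "$conf"
    echo "$conf"
}

# enable_vhost <apache_root> <server_name>
# Mirrors a2ensite: Apache only reads sites-enabled, which holds symlinks
# into sites-available. Fails if the site file does not exist.
enable_vhost() {
    root="$1"; name="$2"
    if [ ! -f "$root/sites-available/$name.conf" ]; then
        echo "enable_vhost: no such site: $name" >&2
        return 1
    fi
    ln -sf "../sites-available/$name.conf" "$root/sites-enabled/$name.conf"
}

# enabled_sites <apache_root>
# Lists the sites whose symlink resolves; a dangling link is not enabled.
enabled_sites() {
    root="$1"
    for link in "$root"/sites-enabled/*.conf; do
        [ -e "$link" ] || continue
        basename "$link" .conf
    done
}

# Demonstration in a scratch directory standing in for /etc/apache2.
# The site name and document root are made up for the example.
demo_root=$(mktemp -d)
make_vhost "$demo_root" ubunturocks.com /var/www/ubunturocks www.ubunturocks.com
enable_vhost "$demo_root" ubunturocks.com
enabled_sites "$demo_root"
cat "$demo_root/sites-enabled/ubunturocks.com.conf"
```

On a real host, pass /etc/apache2 as the root, create the DocumentRoot, run apache2ctl configtest and then
restart the service as described above; the generated file is a starting point to edit, not a replacement for
reviewing what it contains.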
Default Settings
This section explains configuration of the Apache2 server default settings. For example, if you add a virtual
host, the settings you configure for the virtual host take precedence for that virtual host. For a directive not
defined within the virtual host settings, the default value is used.
1. The DirectoryIndex is the default page served by the server when a user requests an index of a directory
by specifying a forward slash (/) at the end of the directory name.
For example, when a user requests the page http://www.example.com/this_directory/, he or she will get
either the DirectoryIndex page if it exists, a server-generated directory list if it does not and the Indexes
option is specified, or a 403 Forbidden response if neither is true. The server will try to find one of the
files listed in the DirectoryIndex directive and will return the first one it finds. If it does not find any of
these files and if Options Indexes is set for that directory, the server will generate and return a list, in
HTML format, of the subdirectories and files in the directory. The default value, found
in /etc/apache2/mods-available/dir.conf is "index.html index.cgi index.pl index.php
index.xhtml index.htm". Thus, if Apache2 finds a file in a requested directory matching any of these
names, the first will be displayed.
2. The ErrorDocument directive allows you to specify a file for Apache2 to use for specific error events.
For example, if a user requests a resource that does not exist, a 404 error will occur. By default, Apache2
returns the HTTP 404 status with a minimal built-in error page.
Read /etc/apache2/conf-available/localized-error-pages.conf for detailed instructions for using
ErrorDocument, including locations of example files.
3. By default, the server writes the transfer log to the file /var/log/apache2/access.log. You can
change this on a per-site basis in your virtual host configuration files with the CustomLog directive, or
omit it to accept the default, specified in /etc/apache2/conf-available/other-vhosts-
access-log.conf. You may also specify the file to which errors are logged, via
the ErrorLog directive, whose default is /var/log/apache2/error.log. These are kept separate
from the transfer logs to aid in troubleshooting problems with your Apache2 server. You may also
specify the LogLevel (the default value is "warn") and
the LogFormat (see /etc/apache2/apache2.conf for the default value).
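A check over the transfer log described above, as an added example that is not part of the Ubuntu guide: it
reads access.log lines in the combined LogFormat that Apache2 writes by default and reports clients that
received many 404 responses, the usual footprint of a scanner walking through well-known application paths.
The log lines are constructed for the demonstration and use RFC 5737 documentation addresses; the threshold
and the path /var/log/apache2/access.log mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): find clients that probe many
# non-existent paths, a common scanner signature, in Apache2 access logs
# written with the default "combined" LogFormat:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Field positions after whitespace splitting: $1 client, $4 time (with a
# leading "["), $7 request path, $9 status.

# scan_404 <threshold> [logfile ...]   (reads standard input if no file given)
# Prints, for each client with at least <threshold> 404 responses:
#   client count first_seen last_seen path...
# sorted by count, highest first.
scan_404() {
    threshold="$1"; shift
    awk -v t="$threshold" '
    $9 == 404 {
        ip = $1
        ts = substr($4, 2)              # drop the leading "["
        if (!(ip in hits)) first[ip] = ts
        last[ip] = ts
        hits[ip]++
        paths[ip] = paths[ip] " " $7
    }
    END {
        for (ip in hits)
            if (hits[ip] >= t)
                printf "%s %d %s %s%s\n", ip, hits[ip], first[ip], last[ip], paths[ip]
    }' "$@" | sort -k2,2nr
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
# 203.0.113.7 walks through well-known application paths, 198.51.100.23 is an
# ordinary visitor with one broken image link.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; constructed-scanner)"
198.51.100.23 - - [12/Mar/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; constructed-scanner)"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; constructed-scanner)"
198.51.100.23 - - [12/Mar/2024:10:00:03 +0000] "GET /missing.png HTTP/1.1" 404 196 "http://www.example.com/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; constructed-scanner)"
EOF

# Three or more 404s from one client in this small sample is suspicious.
scan_404 3 "$sample_log"
# On a real host: scan_404 20 /var/log/apache2/access.log
```

The single visitor with one broken image stays below the threshold; the scanner is reported together with the
window of its activity and the paths it tried, which is what you want when deciding whether to block the
address or to check whether any of those paths actually exists on the server.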
4. Some options are specified on a per-directory basis rather than per-server. Options is one of these
directives. A Directory stanza is enclosed in XML-like tags, like so:
<Directory /var/www/html/mynewsite>
...
</Directory>
The Options directive within a Directory stanza accepts one or more of the following values (among
others), separated by spaces. A value can be prefixed with + or - to add it to or remove it from the options
inherited from an enclosing directory; without a prefix the list replaces the inherited options entirely.
1. ExecCGI - Allow execution of CGI scripts. CGI scripts are not executed if this option is not
chosen.
Most files should not be executed as CGI scripts. This would be very dangerous. CGI scripts
should be kept in a directory separate from and outside your DocumentRoot, and only this
directory should have the ExecCGI option set. This is the default, and the default location
for CGI scripts is /usr/lib/cgi-bin.
2. Includes - Allow server-side includes. Server-side includes allow an HTML file to include other
files and, through the #exec element, to run commands on the server.
3. IncludesNOEXEC - Allow server-side includes, but disable the #exec element and the inclusion of
CGI scripts through #include; this keeps the convenience of includes without letting a writable HTML
file run commands.
4. Indexes - Display a formatted list of the directory's contents, if no DirectoryIndex (such as
index.html) exists in the requested directory.
For security reasons, this should usually not be set, and certainly should not be set on your
DocumentRoot directory. Enable this option carefully on a per-directory basis only if you
are certain you want users to see the entire contents of the directory. Be aware that the
<Directory /var/www/> block in Ubuntu's /etc/apache2/apache2.conf sets Options Indexes FollowSymLinks,
so any directory below /var/www/html that lacks an index file is listed unless your virtual host
overrides it (for example with Options -Indexes).
5. MultiViews - Support content-negotiated multiviews; this option is disabled by default for security
reasons.
6. SymLinksIfOwnerMatch - Only follow symbolic links if the target file or directory has the same
owner as the link. Prefer this to FollowSymLinks wherever users other than the administrator can create
files under the DocumentRoot: with FollowSymLinks, a symbolic link to /etc/passwd or to another site's
files is served like any other file that www-data can read.
httpd Settings
This section explains some basic httpd daemon configuration settings.
LockFile - In Apache 2.2 the LockFile directive set the path to the lockfile used when the server was compiled
with either USE_FCNTL_SERIALIZED_ACCEPT or USE_FLOCK_SERIALIZED_ACCEPT. Apache 2.4, the version shipped
with current Ubuntu releases, replaced it with the Mutex directive. In either case the lock must be stored on a
local disk: leave the default unless the logs directory is located on an NFS share, and in that case point it at a
directory on local disk that is readable only by root.
PidFile - The PidFile directive sets the file in which the server records its process ID (pid). This file should only
be readable by root. In most cases, it should be left to the default value.
User - The User directive sets the userid used by the server to answer requests. This setting determines the
server's access. Any files inaccessible to this user will also be inaccessible to your website's visitors. The default
value for User is "www-data". On Ubuntu the directive in apache2.conf reads User ${APACHE_RUN_USER}, and
the actual name comes from /etc/apache2/envvars.
Unless you know exactly what you are doing, do not set the User directive to root. Using root as the User would
create large security holes for your Web server: every request handler and CGI script would run with full
privileges, so any flaw in a web application would become a complete compromise of the host. Apache2 in fact
refuses to serve pages as root unless it was compiled with -DBIG_SECURITY_HOLE.
Group - The Group directive is similar to the User directive. Group sets the group under which the server will
answer requests. The default group is also "www-data" (APACHE_RUN_GROUP in /etc/apache2/envvars).
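The Options, AllowOverride and User points above as a check that can be run over an existing configuration.
This is an added example, not an Apache tool: the function reads the configuration files named on its command
line (/etc/apache2/apache2.conf and /etc/apache2/sites-enabled/*.conf on a real host), reports every Options
line that turns on Indexes, ExecCGI or Includes, every AllowOverride All and any User root, and exits non-zero
if it found anything. It does not follow Include directives and does not work out which <Directory> a line
belongs to, so read its findings with the file open. The configuration it runs over is constructed for the
demonstration.

```shell
#!/bin/sh
# Added example (not an Apache tool): lint Apache2 configuration text for
# the risky settings discussed in this section. It does not follow Include
# directives; pass every file you want checked on the command line.

# audit_apache_conf <file ...>
# Prints "file:line: finding" per hit; returns 1 if there was at least one.
audit_apache_conf() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    {
        d = tolower($1)
        if (d == "options") {
            # "Indexes" and "+Indexes" turn the option on; "-Indexes" turns it off.
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes")
                    hit("directory listings enabled by " $i)
                else if (o == "execcgi" || o == "+execcgi")
                    hit("CGI execution enabled by " $i)
                else if (o == "includes" || o == "+includes")
                    hit("server-side includes with #exec enabled by " $i)
                else if (o == "all" || o == "+all")
                    hit("Options All turns on Indexes, ExecCGI and Includes at once")
            }
        } else if (d == "user" && tolower($2) == "root") {
            hit("User root: every request handler would run with full privileges")
        } else if (d == "allowoverride" && tolower($2) == "all") {
            hit("AllowOverride All: a writable .htaccess can re-enable any of the above")
        }
    }
    function hit(msg) { n++; printf "%s:%d: %s\n", FILENAME, FNR, msg }
    END { exit (n > 0) }
    ' "$@"
}

# Constructed sample: a loosely configured site (made up for the example).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# constructed sample, not a real deployment
User root
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /var/www/html/cgi>
        Options +ExecCGI
    </Directory>
    <Directory /var/www/html/static>
        Options -Indexes
    </Directory>
</VirtualHost>
EOF

audit_apache_conf "$sample_conf" || echo "(findings above need attention)"
# On a real host:
#   audit_apache_conf /etc/apache2/apache2.conf /etc/apache2/sites-enabled/*.conf
```

The sample yields four findings (lines 2, 6, 7 and 10); the Options -Indexes on line 13 is correctly left
alone. A clean configuration returns 0, which makes the function usable as a gate in a deployment script.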
Apache2 Modules
Apache2 is a modular server. This implies that only the most basic functionality is included in the core server.
Extended features are available through modules which can be loaded into Apache2. By default, a base set of
modules is included in the server at compile-time. If the server is compiled to use dynamically loaded modules,
then modules can be compiled separately, and added at any time using the LoadModule directive. Otherwise,
Apache2 must be recompiled to add or remove modules.
Ubuntu compiles Apache2 to allow the dynamic loading of modules. Configuration directives may be
conditionally included on the presence of a particular module by enclosing them in an <IfModule> block.
You can install additional Apache2 modules and use them with your Web server. Modules are packaged as
libapache2-mod-<name>; for example, the following command installs the MySQL authentication module (this
particular package is not available in every Ubuntu release; apt search libapache2-mod- lists those packaged
for yours):
sudo apt install libapache2-mod-auth-mysql
See the /etc/apache2/mods-available directory for the modules already installed. Every loaded module adds
request-handling code that runs as www-data, so enable only the modules a site actually needs.
Use the a2enmod utility to enable a module:
sudo a2enmod auth_mysql
sudo systemctl restart apache2.service
Similarly, a2dismod will disable a module:
sudo a2dismod auth_mysql
sudo systemctl restart apache2.service
HTTPS Configuration
The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications
with TLS (the successor of SSL; the module and its directives keep the old name). When your browser is
talking to the server over TLS, the https:// prefix is used at the beginning of the Uniform Resource Locator
(URL) in the browser navigation bar.
The mod_ssl module is installed together with the apache2 package but is not enabled by default. Execute the
following command at a terminal prompt to enable it:
sudo a2enmod ssl
There is a default HTTPS configuration file in /etc/apache2/sites-available/default-ssl.conf. In order
for Apache2 to provide HTTPS, a certificate and key file are also needed. The default HTTPS configuration
uses the self-signed "snakeoil" certificate and key generated by the ssl-cert package. They are good for
testing, but browsers will warn about them, and they should be replaced by a certificate issued for the site or
server. For information on generating a key and obtaining a certificate, see the Certificates section of the
Ubuntu server guide.
To configure Apache2 for HTTPS, enter the following:
sudo a2ensite default-ssl
The directories /etc/ssl/certs and /etc/ssl/private are the default locations. If you install the
certificate and key in another directory make sure to
change SSLCertificateFile and SSLCertificateKeyFile appropriately. Keep the private key readable only
by root (or by root and the ssl-cert group, as the ssl-cert package does): Apache2 reads it while still
running as root at startup, before the worker processes drop to www-data, so the key never needs to be
readable by the web server's own user.
With Apache2 now configured for HTTPS, restart the service to enable the new settings:
sudo systemctl restart apache2.service
Depending on how you obtained your certificate you may need to enter a passphrase when Apache2 starts.
You can access the secure server pages by typing https://your_hostname/url/ in your browser address bar.
Enabling default-ssl does not disable the plain HTTP site on port 80; if the site should only be reached
over HTTPS, make the port-80 virtual host redirect to the https:// URL.
Sharing Write Permission
For more than one user to be able to write to the same directory it will be necessary to grant write permission to
a group they share in common. The following example grants shared write permission to /var/www/html to
the group "webmasters".
sudo chgrp -R webmasters /var/www/html
sudo find /var/www/html -type d -exec chmod g=rwxs "{}" \;
sudo find /var/www/html -type f -exec chmod g=rw "{}" \;
The first command changes the group of everything under /var/www/html to webmasters. The second makes
every directory group-readable, writable and searchable and sets the setgid bit on it, so that files and
subdirectories created inside it inherit the directory's group instead of the creating user's primary group. The
third makes every existing file group-readable and writable. Note that setgid propagates only the group, not
the permission bits: a new file still gets its mode from the creator's umask, so members of webmasters need a
umask of 002 for their new files to be group-writable. Many admins find this useful for allowing multiple users
to edit files in a directory tree. Do not add www-data itself to webmasters: the server only needs to read the
site, and a web application that cannot write to the DocumentRoot cannot be used to deface the site or to drop
a web shell there.
If access must be granted to more than one group per directory, enable Access Control Lists (ACLs) and use
setfacl to add the extra groups.
FTP Server
File Transfer Protocol (FTP) is a TCP protocol for downloading files between computers. In the past, it was also
used for uploading but, as plain FTP does not use encryption, user credentials as well as the data transferred
travel in the clear and are easily intercepted. So if you are here looking for a way to upload and download files
securely, see the section on OpenSSH in Remote Administration instead.
FTP works on a client/server model. The server component is called an FTP daemon. It continuously listens for
FTP requests from remote clients. When a request is received, it manages the login and sets up the connection.
For the duration of the session it executes any of the commands sent by the FTP client.
Access to an FTP server can be managed in two ways:
1. Anonymous
2. Authenticated
In the Anonymous mode, remote clients can access the FTP server by using the default user account called
"anonymous" or "ftp" and sending an email address as the password. In the Authenticated mode a user must
have an account and a password. Because that password is a real system credential and crosses the network
in clear text, authenticated plain FTP is very insecure and should not be used except in special circumstances.
If you are looking to transfer files securely see SFTP in the section on OpenSSH-Server. User
access to the FTP server directories and files is dependent on the permissions defined for the account used at
login. As a general rule, the FTP daemon will hide the root directory of the FTP server and change it to the FTP
Home directory. This hides the rest of the file system from remote sessions.
vsftpd - FTP Server Installation
vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, and maintain. To install vsftpd you can
run the following command:
sudo apt install vsftpd
Anonymous FTP Configuration
By default vsftpd is not configured to allow anonymous download: the /etc/vsftpd.conf shipped by Ubuntu
sets anonymous_enable=NO explicitly, which matters because vsftpd's own built-in default for this option is
YES. If you wish to enable anonymous download, edit /etc/vsftpd.conf by changing:
anonymous_enable=YES
During installation a ftp user is created with a home directory of /srv/ftp. This is the default FTP directory.
If you wish to change this location, to /srv/files/ftp for example, simply create a directory in another location
and change the ftp user's home directory:
sudo mkdir /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp
Keep this directory owned by root and not writable by the ftp user; vsftpd refuses anonymous sessions whose
root directory is writable. After making the change restart vsftpd:
sudo systemctl restart vsftpd
Finally, copy any files and directories you would like to make available through anonymous FTP
to /srv/files/ftp, or /srv/ftp if you wish to use the default.
User Authenticated FTP Configuration
By default vsftpd is configured to authenticate system users and allow them to download files. If you want users
to be able to upload files, edit /etc/vsftpd.conf:
write_enable=YES
Now restart vsftpd:
sudo systemctl restart vsftpd
Now when system users login to FTP they will start in their home directories where they can download, upload,
create directories, etc. Unless they are confined as described under Securing FTP, they can also change into
any other directory their account can read, which exposes the layout of the whole system.
Similarly, by default, anonymous users are not allowed to upload files to FTP server. To change this setting, you
should uncomment the following line, and restart vsftpd:
anon_upload_enable=YES
Enabling anonymous FTP upload can be an extreme security risk: anyone can fill the disk or use the server as
a drop point for malware and pirated content. It is best to not enable anonymous upload on
servers accessed directly from the Internet.
The configuration file consists of many configuration parameters. The information about each parameter is
available in the configuration file. Alternatively, you can refer to the man page, man 5 vsftpd.conf for
details of each parameter.
Securing FTP
There are options in /etc/vsftpd.conf to help make vsftpd more secure. For example users can be limited to
their home directories by uncommenting:
chroot_local_user=YES
You can also limit a specific list of users to just their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
After uncommenting the above options, create a /etc/vsftpd.chroot_list containing a list of users one per
line. Then restart vsftpd:
sudo systemctl restart vsftpd
Note how the two settings interact: with chroot_local_user=NO, the users in the list are the ones that are
confined; with chroot_local_user=YES, the list becomes the set of exceptions that are not confined. Also,
vsftpd 3.x refuses to start a session whose chroot root is writable by the user (it reports "500 OOPS: vsftpd:
refusing to run with writable root inside chroot()"). Rather than setting allow_writeable_chroot=YES, keep
the home directory owned by root and give the user a writable subdirectory for uploads.
Also, the /etc/ftpusers file is a list of users that are disallowed FTP access. The default list includes root,
daemon, nobody, etc. To disable FTP access for additional users simply add them to the list.
FTP can also be encrypted using FTPS. Different from SFTP, FTPS is FTP over TLS (historically SSL, hence the
name): the control and data connections are the same as in plain FTP but are wrapped in TLS. SFTP is an
FTP-like session over an encrypted SSH connection. A major difference is that users of SFTP
need to have a shell account on the system, instead of a nologin shell. Providing all users with a shell may not be
ideal for some environments, such as a shared web host. However, it is possible to restrict such accounts to only
SFTP and disable shell interaction. See the section on OpenSSH-Server for more.
To configure FTPS, edit /etc/vsftpd.conf and at the bottom add:
ssl_enable=YES
Also, notice the certificate and key related options:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
By default these options are set to the certificate and key provided by the ssl-cert package. In a production
environment these should be replaced with a certificate and key generated for the specific host. For more
information on certificates, see the Certificates section of the Ubuntu server guide.
Now restart vsftpd, and non-anonymous users will be forced to use FTPS, because force_local_logins_ssl and
force_local_data_ssl default to YES once ssl_enable is on:
sudo systemctl restart vsftpd
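The Anonymous, User Authenticated, Securing FTP and FTPS settings above as one audit over a vsftpd.conf. This
is an added example, not part of vsftpd: the function reads the key=value file it is given (/etc/vsftpd.conf on
a real host), prints one finding per line and exits non-zero if anything needs attention. Keys that are absent
are judged by vsftpd's built-in defaults from vsftpd.conf(5), which is why a file that merely omits
anonymous_enable is flagged. The two configurations it runs over are constructed for the demonstration, and the
certificate paths under /etc/ssl are assumptions.

```shell
#!/bin/sh
# Added example (not part of vsftpd): audit a vsftpd.conf for the settings
# this section treats as dangerous or protective. Keys that are absent are
# judged by vsftpd's own built-in defaults from vsftpd.conf(5), which is
# why a file that merely omits anonymous_enable is flagged: the default
# is YES.

# audit_vsftpd <conf>
# Prints one finding per line; returns 1 if anything needs attention.
audit_vsftpd() {
    awk -F= '
    BEGIN {
        # vsftpd defaults for the keys we look at (see man 5 vsftpd.conf)
        def["anonymous_enable"]        = "YES"
        def["anon_upload_enable"]      = "NO"
        def["anon_mkdir_write_enable"] = "NO"
        def["local_enable"]            = "NO"
        def["write_enable"]            = "NO"
        def["chroot_local_user"]       = "NO"
        def["chroot_list_enable"]      = "NO"
        def["ssl_enable"]              = "NO"
        def["force_local_logins_ssl"]  = "YES"
        def["force_local_data_ssl"]    = "YES"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        key = $1; val = $2
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        cfg[key] = val
    }
    # boolean value of a key, falling back to the built-in default
    function on(k,   v) {
        v = (k in cfg) ? cfg[k] : def[k]
        v = toupper(v)
        return v == "YES" || v == "TRUE" || v == "1"
    }
    function hit(m) { n++; print m }
    END {
        if (on("anonymous_enable")) {
            extra = ("anonymous_enable" in cfg) ? "" : " (key absent; vsftpd defaults it to YES)"
            hit("anonymous logins are enabled" extra)
        }
        if (on("anonymous_enable") && on("write_enable") && on("anon_upload_enable"))
            hit("anonymous uploads are enabled: the server can be used as a drop point")
        if (on("anonymous_enable") && on("write_enable") && on("anon_mkdir_write_enable"))
            hit("anonymous users may create directories")
        if (on("local_enable") && !on("chroot_local_user") && !on("chroot_list_enable"))
            hit("local users are not chrooted and can browse the whole filesystem")
        if (on("local_enable") && !on("ssl_enable"))
            hit("ssl_enable is off: system passwords cross the network in clear text")
        if (on("ssl_enable") && cfg["rsa_cert_file"] ~ /snakeoil/)
            hit("still using the ssl-cert snakeoil certificate; clients cannot verify the server")
        if (on("ssl_enable") && (!on("force_local_logins_ssl") || !on("force_local_data_ssl")))
            hit("FTPS is optional for local users: a client that skips AUTH TLS still logs in unencrypted")
        exit (n > 0)
    }
    ' "$1"
}

# Constructed samples (not real deployments).
permissive=$(mktemp)
cat > "$permissive" <<'EOF'
# constructed: what a quick "make it work" edit of /etc/vsftpd.conf looks like
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
ssl_enable=NO
EOF

hardened=$(mktemp)
cat > "$hardened" <<'EOF'
# constructed: the same server with the settings from this section applied
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/ftp.example.com.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.com.key
EOF

echo "== permissive"; audit_vsftpd "$permissive" || echo "(needs attention)"
echo "== hardened";   audit_vsftpd "$hardened"   && echo "(no findings)"
# On a real host: audit_vsftpd /etc/vsftpd.conf
```

The permissive file produces four findings (anonymous logins, anonymous uploads, local users not chrooted,
passwords in clear text); the hardened one produces none. The snakeoil check only fires once ssl_enable is on,
and a file that sets force_local_logins_ssl=NO is reported because it silently reopens the clear-text login path
that ssl_enable was meant to close.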
To allow users with a shell of /usr/sbin/nologin access to FTP, but have no shell access,
edit /etc/shells adding the nologin shell:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin
This is necessary because, by default vsftpd uses PAM for authentication, and
the /etc/pam.d/vsftpd configuration file contains:
auth required pam_shells.so
The shells PAM module restricts access to shells listed in the /etc/shells file. Widening /etc/shells has a side
effect, though: every other program that consults pam_shells or getusershell() (chsh, for example) will then
treat /usr/sbin/nologin as a valid login shell too. The narrower change is to remove the pam_shells line from
/etc/pam.d/vsftpd itself, which affects only vsftpd.
Most popular FTP clients can be configured to connect using FTPS. The lftp command line FTP client has the
ability to use FTPS as well.