***********************
Web Server
Intro
Essential Details
File Synchronization
Config Discussion
Password Protection
References
***********************
Intro
Apache is a stand-alone daemon on port 80.
Config information mostly in /etc/httpd/httpd.conf
Daemon activated on run level 5 with /etc/rc.d/rc5.d/S21apache
If you change the config, refresh the changes with the reload command.
Document tree mounts from /usr/local/html
Synchronized with Windows RAID array using rsync. See the File Synchronization section.
Essential Details
Web Server : apache-1.3.20-29.rpm
Config Files : /etc/httpd/httpd.conf
/etc/httpd/access.conf
WARNING! SuseConfig changes some parameters.
ServerName twd.biophys.cornell.edu
ServerAdmin root@twd.biophys.cornell.edu
User wwwrun
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
DocumentRoot "/usr/local/html"
Where file tree starts from (httpd.conf)
AliasMatch --> Mapping /~Username/ to /People/Username/ with line
AliasMatch ^/~(.*) /usr/local/html/People/$1
File Synchronization
Web pages are edited by users on BIGSIS.
Synchronize with our directory tree using rsync.
2 elements to this.
1. SAMBA Mount webpages
Added line to /etc/fstab --->
//Bigsis/Web_Pages /mnt/webpages smbfs username=us,password=bilayer,ro,ip=128.253.36.40,netbiosname=twd.biophys.cornell.edu
Thus Windows box mounted on /mnt/webpages.
2. Need a short rsync script to keep us up to date.
Script located in
/usr/local/sbin/webpage_sync
Just says,
#!/bin/bash
rsync -avz --delete /mnt/webpages/ /usr/local/html > /var/log/webpage_sync
Symbolically linked to /etc/cron.hourly/webpage.
Thus, every hour the web page aligns itself with the windows version.
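If the Samba share is not mounted, /mnt/webpages is just an empty directory, and rsync --delete then removes everything under /usr/local/html. A guarded version of the script, as an added example (not the original webpage_sync; the function names and the optional mounts-file argument are assumptions):

```bash
#!/bin/bash
# Guarded variant of webpage_sync (added example, not the original script).
# Paths are the ones on this page; the function names and the optional
# mounts-file argument are assumptions made for the example.
SRC=/mnt/webpages
DST=/usr/local/html
LOG=/var/log/webpage_sync

# is_mounted DIR [MOUNTS_FILE]: succeeds only if DIR is listed as a mount
# point (second field) in the mount table, /proc/mounts by default.
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}" 2>/dev/null
}

# has_content DIR: succeeds if DIR holds at least one entry.
has_content() {
    [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# source_ready DIR [MOUNTS_FILE]: the share must be mounted and non-empty,
# otherwise --delete would empty the document root.
source_ready() {
    is_mounted "$1" "${2:-}" && has_content "$1"
}

sync_webpages() {
    if ! source_ready "$SRC"; then
        echo "$(date): $SRC not mounted or empty, sync skipped" > "$LOG"
        return 1
    fi
    rsync -avz --delete "$SRC/" "$DST" > "$LOG" 2>&1
}

# Run only under the installed names (the script or its cron.hourly link).
case "$0" in
    */webpage_sync|*/webpage) sync_webpages ;;
esac
```

A skipped run leaves a one-line reason in /var/log/webpage_sync instead of an rsync transcript.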
Config Discussion
DocumentRoot
This is the point from where you hang the file tree.
Access to the directories under it is controlled in httpd.conf.
Step 1. Restrict access to PC.
<Directory />
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
This blocks any directory by default.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
This blocks anyone from reading .ht files.
UserDir disabled root
This prevents root abuse.
Step 2.
Set up our main file tree.
Permit user authentication and access restriction.
List indexes of a folder automatically if not specified.
<Directory "/usr/local/html">
    Order deny,allow
    Allow from all
    AuthUserFile /etc/httpd/user
    AuthGroupFile /etc/httpd/group
    Options Indexes -FollowSymLinks +Multiviews -Includes -ExecCGI -IncludesNOEXEC
    AllowOverride AuthConfig
</Directory>
DirectoryIndex index.html index.htm index.shtml
AliasMatch
Use this to map one location to another.
In our case it is personal web pages.
Old links are of the form,
http://www.useless.com/~user/
to go to
Directory_Root/People/
We do this with the line,
AliasMatch ^/~(.*) /usr/local/html/People/$1
Can also use
Redirect permanent /foo/ http://www.example.com/
Restarting Apache.
kill -TERM `cat /usr/local/apache/logs/httpd.pid`
(TERM stops the server; send HUP to the same PID to restart it.)
Mod_User module.
Traditionally on a unix system, users keep their own web-pages in
/home/username/public_html
Apache interprets http://www.yourwebsite.com/~user as
/home/user/public_html.
This redirect is implemented by the Mod_User module.
Under SuSE you need to use the SUSE_Config file.
/etc/rc.config.d/apache.rc.config
Set,
HTTPD_SEC_PUBLIC_HTML="no"
Run SuSEconfig.
With this out of the way you can put users wherever you like.
CGI
CGI is a traditional evil of security. Eliminate entirely.
# GEST 11 July, 2002. Killing off CGI
#
# GEST 11 July, 2002. Turn off CGI!!!
#
# set /cgi-bin for CGI execution
#
#
#AllowOverride None
Password Protection
If you want to restrict access to a file or folder a good way to do it is with
USER/Password authentication.
Doing this is easy.
Setup Notes
Need to set in httpd.conf
AccessFileName .htaccess
AllowOverride AuthConfig
To password protect a directory:
1. Add the user to the password list
(you must be root for this step)
htpasswd /etc/httpd/users new-user-name
(type in new password twice)
cat /etc/httpd/users
(username and password should be there. Password is encrypted, of
course.)
2. Add a .htaccess file to the directory you want to protect.
(you should not be root for this step. Just be yourself.)
File should be of the form.
AuthName "Computer Czar"
AuthType Basic
AuthUserFile /etc/httpd/users
require user "username one" "username 2"
[The last line can also have several user names (separated by spaces).
Each user name must have an entry in /etc/httpd/users.]
References
Apache Manual in /usr/local/httpd/htdocs/manual/index.html.en
Documentation at apache website or /usr/share/doc/packages/apache