HERE - UNIX Linux Admin A UW PCE certificate course

Unix Linux Administration II
Class 5: Introduction to HTTPD. Scripting and Variables. Certificates
Agenda
- Discuss homework.
- Unit 1: Introduction to HTTPD.
- Unit 2: Scripting and variables.
- Unit 3: Certificates.
Homework review
- vimrc file
- Local zone transfer, using @localhost
- Restrict recursion
- Firewall and services updates.
Review: DNS config
- named.conf = /etc/
- Zone file = /var/named (defined by named.conf).
- Local zone transfer: dig axfr <FQDN> @localhost
- dig +trace ns1.<domain>.ulcert.uw.edu
- Network access? Port 53 udp/tcp
- Logs = /var/log/messages
- /etc/resolv.conf
Review:
- DNS server types: master, slave, forwarder…
- It all starts at “.”; an FQDN ends with “.”
- DNS servers exist to answer questions, or punt to the next server to answer.
- gTLD and ccTLD
- Name space, name server, resolvers.
- The primary configuration file is named.conf
- chroot based under /var/named/chroot
Class 5, Unit 1
What we are going to cover:
- Standard web server build and configurations.
What you should leave with from this session:
- How to install the yum supported web server.
- How to provide basic administration for this service.
Power of the web
*image source http://xkcd.com/979/
Web Servers
If we find a reason to compile our own Apache web server we can, but for now we are going to use the pre-packaged solutions.
- We can install just the httpd server or a common collection of services along with the httpd server. This time we will install the "Web Server" group package.
- List the available groups with: sudo yum grouplist
- Install using: sudo yum groupinstall "Web Server"
Default configuration information
The default httpd.conf file is under /etc/httpd/conf
Additional configuration files are under /etc/httpd/conf.d/
The default web root directory is under /var/www
Manage your webserver instance with: sudo /sbin/service httpd start|stop|graceful|status
Default configuration information
Adding an index.html file under /var/www/html will replace the default welcome page.
<html>
<head>
<title>ulc-###.ulcert.uw.edu</title>
</head>
<body>
Default home page for ulc-###
</body>
</html>

Virtual hosting
One instance of Apache can serve multiple web sites. You could host two sites from the same server, for example:
www.books.ulcert.uw.edu and
www.my.books.ulcert.uw.edu
Apache allows the virtual web servers to inherit permissions from the main server. They can all leverage, for example, the same ScriptAlias.
Name based or IP based virtual hosts
Name based virtual hosts
- Leverage the same IP for all servers
- Recommended solution in most cases
- Based on Host header values
- Possible conflicts with web browsers that do not support HTTP 1.1
IP based virtual hosts
- Allocate one IP per host
- Of course, this also requires multiple interfaces defined on the host
Problems with virtual hosting
- Restarting one webserver means restarting them all
- Problems with providing granular access to config files for various depts
- Potential problems with clients that are not HTTP 1.1 capable.

HTTPD logs
The HTTPD logs by default are under /var/log/httpd
The permissions for this folder are set to only allow the root user access. I would suggest you change this to allow a group you are a member of access to the directory.
By default you will find access and error logs for both http and https traffic.
Review: web servers
- You can compile your webservers from source.
- “groupinstall” will provide a standard yum managed webserver.
- Related files can be found under: /etc/httpd/, /etc/httpd/conf.d/, /var/www/, /var/log/httpd
Lab 1a
Lab notes for this session can be found here: http://www.ulcert.uw.edu/class/ -> Home -> Labs ->
Class 5, Unit 2
What we are going to cover:
- Scripting; variables
What you should leave this session with:
- Script syntax (review)
- Valid variable names.
- How to rename and re-assign variables
Scripting: Variables, expressions & quotes
Shell scripting is very similar to what we have been doing so far, except that we get to record our actions.
Something simple like ps -ef | wc -l can be scripted and then repeated by creating a script containing these commands.
Review: Basic script syntax
All your shell scripts should start with a line defining the shell to use, meaning Bourne (sh), Bourne again shell (bash), Korn shell (ksh), etc.
Your script files should have read and execute permissions set (chmod u+rx <file>).
For this class your scripts should also include a few other default comment lines:
Title:
Date:
Author:
Purpose:
Template script files
We may improve upon this as we continue; here is the basic template I would like you to use for your shell scripts.
#!/bin/sh
# Title: <script>.sh
# Date: 00/00/2013
# Author:
# Purpose:
# Start script here…
* remember using vi you can use :r to read in a file
Comments, comments, comments
The key to good scripting is good commenting: the script you write today may seem very simple, but not so simple in the future.
Comments are prefixed with a hash (#). This can come as the first character in a line or after the command:
# clear screen
clear
clear # clear screen
Adding blank lines to your output
To make the output easier to read you might want to add blank lines. This can be done using echo:
echo # insert blank line
echo "Total processes on host:"
/bin/ps -ef | /usr/bin/wc -l
Variables
In the previous example it might be handy to know the host where the processes were running.
Variables are defined using the = sign. No spaces are allowed between the variable, =, and the value:
myhost=ulc-231_q2
echo $myhost
Variables can be defined in the shell
From the command line you can define
variables also:
myhost=ulc-231-b
echo $myhost
Now type bash
echo $myhost
What happened?
Pre-defined variables
Your shell often has pre-defined variables.
Type env
What do you see?
Type:
echo $SHELL ; echo $HOSTNAME ; echo $HOME
The semicolon lets you string commands together. How is this different from a | (pipe)?
Defining UNIX utilities as variables
You can define UNIX utilities as variables also:
list=ls
Best practice is to define the full path:
list=/bin/ls
options=-la
# list all files in current directory
echo "Files in current directory are: "
$list $options
Valid variable names
Must start with an alphabetic or underscore character, followed by zero or more alphanumeric or underscore characters.
Variable names ARE case sensitive.
- $var
- $__ # two underscores.
- $a
Any others?
Re-assigning variables
If you want to, you can re-assign variables:
options=-la
newoptions=$options
Shell order of operations
- Variable substitution
- Filename substitution
- Parse command line into arguments
So if you assign * to x:
x=*
What happens when you enter:
echo $x
How to rename variable values
If you have a variable value you want to rename, you may need to use the ${variable}new construct.
For example, to rename /etc/resolv.conf to /etc/resolv.conf.bk you might use:
resolv=/etc/resolv.conf
bkresolv=${resolv}.bk
echo $bkresolv
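The rules from this unit tied together in one script written in the class template. This is an added example, not one of the course's own lab scripts; the scratch directory it lists and the file names it renames are assumptions, and it also shows why the braces in ${variable}new are sometimes mandatory.

```shell
#!/bin/sh
# Title: variables_demo.sh
# Date: 00/00/2013
# Author: added example for this page, not part of the course material
# Purpose: exercise this unit's variable rules: full-path utilities,
#          re-assignment, the ${variable}new construct, order of operations.

# Define UNIX utilities as variables, with the full path as recommended.
list=/bin/ls
options=-la

# Count processes the way the slide does; ps prints one header line,
# so subtract it to report only the processes.
count_processes() {
    total=$(/bin/ps -ef | /usr/bin/wc -l)
    echo $((total - 1))
}

# Re-assign and rename: $1 is a file name, the result appends .bk to it.
# $resolv.bk would also work here, because "." cannot be part of a name.
backup_name() {
    resolv=$1
    bkresolv=${resolv}.bk
    echo "$bkresolv"
}

# The braces become mandatory when the suffix starts with a name character:
# "$resolv_bk" would expand the (unset) variable resolv_bk to an empty string.
suffix_name() {
    resolv=$1
    echo "${resolv}_bk"
}

# Order of operations: variable substitution runs before filename
# substitution, so an unquoted $x holding * is replaced by the file names.
# $1 = directory to list in, $2 = "quoted" or "unquoted"
expand_in() {
    x='*'
    if [ "$2" = quoted ]; then
        ( cd "$1" && echo "$x" )     # quoting stops the glob: prints *
    else
        ( cd "$1" && echo $x )       # expands to the directory's file names
    fi
}

echo                                 # insert blank line
echo "Total processes on host ${HOSTNAME:-$(hostname)}:"
count_processes
echo "Files in current directory are:"
$list $options
```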
Review:
- Script templates: :r template.sh
- Variables start with _ or an alphabetic character
- Variable assignment: var1=value
- Re-assign: var2=$var1
- Rename: var3=${var2}.bk
- Order of operations: variable substitution, filename substitution, parse command line.
In class lab 5b
Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->
Class 5, Unit 3
What we are going to cover:
- Self signed certificates
What you should leave this session with:
- How to create self signed certificates
- Certificate installation for web servers.
Crypto nerd fantasy and reality.
Source: http://xkcd.com/538/
PKI: Bob and Alice in a crowded room.
How do Bob and Alice have a private conversation in a crowded room using a megaphone?
- Both create public/private key pairs.
- They exchange public keys.
- Now they can establish communication by encrypting all communication with the other's public key, as only the holder of the private key can decrypt the messages.
How important is the private key?
Self signed certificates
Self signed certificates are just like the public/private keys generated by Bob and Alice.
When we create a self signed certificate, a user (in our case a web client) is provided with the public key and, if it is accepted, will encrypt the traffic with that key. OK, just the symmetric key they agree on, but I digress….
Openssl: self signed certificates
Using openssl you can create both the private and public keys or certificates. This means you sign your own public certificate. You are saying, “Trust me, hey, I trust me!”.
Just like the ssh keys we use for system authentication, private key encryption is optional. If we encrypt the private key for ssl we will have to provide the passphrase each time we start up the web server.
Openssl: self-signed.
Creating a self signed cert requires:
- Cert request
- Private key
- Public certificate signed by the private key.
The cert request should also include attributes about the certificate, including but not limited to organization, name, city, state, and CN (the FQDN).
Openssl: self signed
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt
req = generate cert request
x509 = output a self-signed certificate instead of a request
nodes = do not encrypt the private key (no passphrase at server start)
days = life of cert
newkey = type and length of the new key
keyout = private key file name
out = public certificate path.
QUESTION: do you need root privileges for this action?
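The slide's command wrapped in the checks worth running before wiring the two files into ssl.conf: is the key really unencrypted, is the cert really self-signed, and does the key match the cert. This is an added example, not part of the course material; the subject fields and the host name ulc-000.ulcert.uw.edu are constructed placeholders, and it works in a scratch directory without root.

```shell
#!/bin/sh
# Title: selfsigned_check.sh
# Date: 00/00/2013
# Author: added example for this page, not part of the course material
# Purpose: create a self-signed cert with the slide's openssl command, then
#          check the result before pointing ssl.conf at the two files.

# $1 = output directory, $2 = CN (the FQDN). The subject values are
# constructed; ulc-000.ulcert.uw.edu below is a placeholder host name.
make_selfsigned() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$1/cert.key" -out "$1/cert.crt" \
        -subj "/C=US/ST=WA/L=Seattle/O=ulcert/CN=$2" 2>/dev/null
}

# -nodes leaves the key unencrypted, so httpd starts without a passphrase.
# An encrypted PEM key carries an ENCRYPTED marker in its header.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Self-signed means subject and issuer are the same distinguished name.
cert_is_selfsigned() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# The public key inside the cert must be the one derived from cert.key,
# otherwise mod_ssl rejects the key/cert pair at startup.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# CN of the cert, which browsers compare with the host name they requested.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Stand-alone run: no root needed, everything stays in a scratch directory.
work=$(mktemp -d)
make_selfsigned "$work" ulc-000.ulcert.uw.edu
key_is_unencrypted "$work/cert.key" && cert_is_selfsigned "$work/cert.crt" \
    && key_matches_cert "$work/cert.key" "$work/cert.crt" \
    && echo "cert.key and cert.crt ready for ssl.conf, CN=$(cert_cn "$work/cert.crt")"
rm -rf "$work"
```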
Web server configuration
Apache web servers typically have a separate ssl.conf file. This file for yum based builds is located under /etc/httpd/conf.d/
You need to define the path to your public certificate and private key.
If the key is passphrase encrypted, you will need to enter this passphrase each time you start the server.
Review: certificates
Public certificate and private key. For self-signed certificates you need:
- private key: server.key
- certificate signing request (csr): server.csr
- public certificate, which is based on the newly created csr, which is related to the private key: server.crt
Web server ssl configurations: /etc/httpd/conf.d/
In class lab 5c
Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->
Homework
Homework for this week will be posted later tonight.