Unix Linux Administration II
Class 5: Introduction to HTTPD. Scripting and Variables. Certificates

Agenda
Discuss homework.
Unit 1: Introduction to HTTPD.
Unit 2: Scripting and variables.
Unit 3: Certificates.

Homework review
vimrc file
Local zone transfer, using @localhost
Restrict recursion
Firewall and services updates.

Review: DNS config
named.conf lives under /etc/
Zone files live under /var/named (the location is defined by named.conf).
Local zone transfer: dig axfr <FQDN> @localhost
dig +trace ns1.<domain>.ulcert.uw.edu
Network access? Port 53 udp/tcp
Logs = /var/log/messages
/etc/resolv.conf

Review: DNS server types: master, slave, forwarder...
It all starts at "." and an FQDN ends with ".".
DNS servers exist to answer questions, or punt to the next server to answer.
gTLD and ccTLD
Name space, name server, resolvers.
The primary configuration file is named.conf; the chroot is based under /var/named/chroot.

Class 5, Unit 1
What we are going to cover: standard web server build and configurations.
What you should leave with from this session:
How to install the yum supported web server.
How to provide basic administration for this service.

Power of the web
(image source: http://xkcd.com/979/)

Web Servers
If we find a reason to compile our own apache web servers we can, but for now we are going to use the pre-packaged solutions.
We can install just the httpd server or a common collection of services along with the httpd server.
This time we will install the "Web Server" group package.
List the available groups with sudo yum grouplist, then install the group with sudo yum groupinstall "Web Server".

Default configuration information
The default httpd.conf file is under /etc/httpd/conf.
Additional configuration files are under /etc/httpd/conf.d/.
The default web root directory is under /var/www.
Manage your webserver instance with: sudo /sbin/service httpd start|stop|graceful|status

Default configuration information
Adding an index.html file under /var/www/html will remove the default web page.
    <html>
    <head>
    <title>ulc-###.ulcert.uw.edu</title>
    </head>
    <body>
    Default home page for ulc-###
    </body>
    </html>

Virtual hosting
One instance of apache can serve multiple web sites. You could host two sites from the same server, like www.books.ulcert.uw.edu and www.my.books.ulcert.uw.edu.
Apache allows the virtual web servers to inherit settings from the main server; they can all leverage, for example, the same ScriptAlias.
Name based or IP based virtual hosts.

Name based virtual hosts
Leverages the same IP for all servers.
Recommended solution in most cases.
Based on Host header values.
Possible conflicts with web browsers that do not support HTTP 1.1.

IP based virtual hosts
Allocates one IP per host.
Requires, of course, multiple interfaces defined on the host also.

Problems with virtual hosting
Restarting one webserver means restarting them all.
Problems with providing granular access to config files for various departments.
Potential problems with clients that are not HTTP 1.1 capable.

HTTPD logs
The HTTPD logs by default are under /var/log/httpd.
The permissions on this folder only allow the root user access. I would suggest you change this to allow a group you are a member of access to the directory.
By default you will find access and error logs for both http and https traffic.

Review: web servers
You can compile your webservers from source.
"groupinstall" will provide a standard yum managed webserver.
Related files can be found under /etc/httpd/, /etc/httpd/conf.d/, /var/www/ and /var/log/httpd.

Lab 1a
Lab notes for this session can be found here: http://www.ulcert.uw.edu/class/ -> Home -> Labs

Class 5, Unit 2
What we are going to cover: scripting; variables.
What you should leave this session with:
Script syntax (review)
Valid variable names.
How to rename and re-assign variables.

Scripting: Variables, expression & quotes
Shell scripting is very similar to what we have been doing so far, except that we get to record our actions.
Something simple like ps -ef | wc -l can be scripted and then repeated by creating a script containing these commands.

Review: Basic script syntax
All your shell scripts should start with a line defining the shell to use, meaning Bourne (sh), Bourne again shell (bash), Korn shell (ksh), etc.
Your script files should have read and execute permissions set (chmod u+rx <file>).
For this class your scripts should also include a few other default comment lines: Title, Date, Author, Purpose.

Template script files
We may improve upon this as we continue; here is the basic template I would like you to use for your shell scripts.

    #!/bin/sh
    # Title: <script>.sh
    # Date: 00/00/2013
    # Author:
    # Purpose:
    # Start script here...

(Remember: in vi you can use :r to read in a file.)

Comments, comments, comments
The key to good scripting is good commenting: the script you write today may seem very simple, but not so simple in the future.
Comments are prepended with a hash (#). This can come as the first character in a line or after the command:

    # clear screen
    clear
    clear # clear screen

Adding blank lines to your output
To make the output easier to read you might want to add blank lines. This can be done using echo:

    echo # insert blank line
    echo "Total processes on host:"
    /bin/ps -ef | /usr/bin/wc -l

Variables
In the previous example it might be handy to know the host where the processes were running.
Variables are defined using the = sign. No spaces are allowed between the variable, =, and value:

    myhost=ulc-231_q2
    echo $myhost

Variables can be defined in the shell
From the command line you can define variables also:

    myhost=ulc-231-b
    echo $myhost

Now type bash, then echo $myhost. What happened?

Pre-defined variables
Your shell often has pre-defined variables. Type env. What do you see?
Type: echo $SHELL ; echo $HOSTNAME ; echo $HOME
The semicolon lets you string commands together. How is this different from a | (pipe)?

Defining UNIX utilities as variables
You can define UNIX utilities as variables also:

    list=ls

Best practice is to define the full path:

    list=/bin/ls
    options=-la
    # list all files in current directory
    echo "Files in current directory are: "
    $list $options

Valid variable names
Must start with an alphabetic or underscore character, followed by zero or more alphanumeric or underscore characters.
Variable names ARE case sensitive.
Which of these are valid? $var, $__ (two underscores), $a. Any others?

Re-assigning variables
If you want to you can re-assign variables:

    options=-la
    newoptions=$options

Shell order of operations
Variable substitution
Filename substitution
Parse command line into arguments
So if you assign * to x:

    x=*

What happens when you enter echo $x?

How to rename variable values
If you have a variable value you want to rename you may need to use the ${variable}new construct. For example, to rename /etc/resolv.conf to /etc/resolv.conf.bk you might use:

    resolv=/etc/resolv.conf
    bkresolv=${resolv}.bk
    echo $bkresolv

Review: Script templates
:r template.sh
Variables start with _ or an alphabetic character.
Variable assignment: var1=value
Re-assign: var2=$var1
Rename: var3=${var2}.bk
Order of operations: variable substitution, file substitution, parse command line.

In class lab 5b
Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs

Class 5, Unit 3
What we are going to cover: self signed certificates.
What you should leave this session with:
How to create self signed certificates.
Certificate installation for web servers.

Crypto nerd fantasy and reality.
(Source: http://xkcd.com/538/)

PKI: Bob and Alice in a crowded room
How do Bob and Alice have a private conversation in a crowded room using a megaphone?
Both create public/private key pairs.
They exchange public keys.
Now they can establish communication by encrypting all communication with the other's public key, as only the holder of the private key can decrypt the messages.
How important is the private key?
Self signed certificates
Self signed certificates are just like the public/private keys generated by Bob and Alice. When we create a self signed certificate a user, in our case a web client, is provided with the public key and, if accepted, will encrypt the traffic with that key. OK, just the symmetric key they agree on, but I digress....

Openssl: self signed certificates
Using openssl you can create both the private and public keys or certificates. This means you sign your own public certificate. You are saying, "Trust me, hey I trust me!".
Just like the ssh keys we use for system authentication, private key encryption is optional. If we encrypt the private key for ssl we will have to provide the passphrase each time we start up the webserver.

Openssl: self-signed
Creating a self signed cert requires:
Cert request
Private key
Public certificate signed by the private key.
The cert request should also include attributes about the certificate, including but not limited to organization, name, city, state, and CN (FQDN).

Openssl: self signed

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt

req = generate cert request
nodes = do not encrypt (the private key is stored without a passphrase)
days = life of cert
newkey = type and length of the new key (rsa:2048)
keyout = private key name
out = public certificate path.
QUESTION: do you need root privileges for this action?

Web server configuration
Apache web servers typically have a separate ssl.conf file. For yum based builds this file is located under /etc/httpd/conf.d/.
You need to define the path to your public certificate and private key. If the key is passphrase encrypted, you will need to enter this passphrase each time you start the server.

Review: certificates
Public certificate and private key.
For self-signed certificates you need:
private key: server.key
certificate signing request (csr): server.csr
public certificate, which is based on the newly created csr, which in turn is related to the private key:
server.crt
Web server ssl configurations: /etc/httpd/conf.d/

In class lab 5c
Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs

Homework
Homework for this week will be posted later tonight.
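Tying Unit 2 and Unit 3 together, here is an added example script (not from the course lab notes): it follows the class template, defines utilities as full-path variables, renames any existing key with the ${variable}.bk construct, creates the self-signed certificate with the openssl req line from Unit 3, and then checks that the key and certificate belong together before their paths go into ssl.conf. The host name ulc-231.ulcert.uw.edu and the -subj fields are constructed sample values.

```shell
#!/bin/sh
# Title: mkselfcert.sh
# Date: 00/00/2013
# Author: course example (added here; not from the ULCERT lab notes)
# Purpose: back up any old key, create a self-signed httpd cert, verify the pair

# Utilities as variables, resolved once to full paths (unit 2 best practice)
openssl=$(command -v openssl)
mv=$(command -v mv)
chmod=$(command -v chmod)

# Rename <file> to <file>.bk with the ${variable}new construct; prints new name
backup_if_exists() {
    if [ -e "$1" ]; then
        bk=${1}.bk
        "$mv" "$1" "$bk" && echo "$bk"
    fi
}

# make_selfsigned <key> <crt> <cn> <days>: -nodes leaves the key unencrypted so
# httpd starts without a passphrase; -subj answers the prompts non-interactively
make_selfsigned() {
    "$openssl" req -x509 -nodes -days "$4" -newkey rsa:2048 \
        -keyout "$1" -out "$2" \
        -subj "/C=US/ST=WA/L=Seattle/O=ULCERT/CN=$3" || return 1
    "$chmod" 600 "$1"   # private key readable by its owner only
}

# An RSA key and a cert issued for it share the same modulus
cert_matches_key() {
    kmod=$("$openssl" rsa -noout -modulus -in "$1") || return 1
    cmod=$("$openssl" x509 -noout -modulus -in "$2") || return 1
    [ "$kmod" = "$cmod" ]
}

# Self-signed means the issuer name is the subject name
cert_is_selfsigned() {
    subj=$("$openssl" x509 -noout -subject -in "$1") || return 1
    iss=$("$openssl" x509 -noout -issuer -in "$1") || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Usage: sh mkselfcert.sh server.key server.crt [cn] [days]
main() {
    old=$(backup_if_exists "$1") && [ -n "$old" ] && echo "Old key moved to: $old"
    make_selfsigned "$1" "$2" "${3:-ulc-231.ulcert.uw.edu}" "${4:-365}" || return 1
    cert_matches_key "$1" "$2" && cert_is_selfsigned "$2" \
        && "$openssl" x509 -noout -subject -dates -in "$2"
}
[ $# -ge 2 ] && main "$@"
```

The two check functions are the ones worth keeping around: run them against whatever SSLCertificateFile and SSLCertificateKeyFile point at before restarting httpd, since a mismatched pair only shows up as a failed start.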