A standard web server configuration is available for Unix-based web servers that takes advantage of the many features of the JLab CUE central environment. These advantages include robust backups, enhanced reliability features, a high degree of data accessibility, and great integration with other CUE systems. Specific advantages offering improvements in our overall web-server system include:
The Apache web server is installed in the central CUE /apps filesystem, subject to the usual CUE configuration management procedures, tools, etc. This single, centrally maintained Apache build is used on all Unix-based CUE web servers.
The Apache server was compiled to use Apache's Dynamic Shared Object (DSO) system. Apache modules can therefore be included optionally through config file entries, rather than being fixed at compile time, so a single, centrally maintained Apache build can be tailored to individual server instances using config files that are specific to each server.
| Item | Status / Notes |
| Server OS | All non-frozen CUE OSes, including Solaris, HP-UX, Linux and Windows (forthcoming) |
| Web Server | Apache on Unix, probably IIS on Windows |
| Optional Server Features configured | SSL support, PAM authentication, eventual ColdFusion / PHP support, many others -- see "Web Server Config / Build Details" |
| Server runs as | user: httpd, group nobody |
| Search Engine | Harvest / Glimpse -- Work in progress |
| Virtual host support | yes |
| Publishing Connectivity | CUE central filesystem access used for workstation and PC connectivity |
| User Authentication | configurable, provided via mod_auth_pam for SSL-enabled servers only |
| ~/public_html access | Disabled by default |
| Database Connectivity | Connectivity to MySQL provided through Perl; PHP in progress |
| Central / Local Installation? | Installed in /apps/apache, installation to local system per CUE SWC standard. |
| Automatic Configuration | Work in progress on generation of config files from JMan database. |
Configuration and content files are located in the central CUE /group filesystem. This area is accessible (with appropriate authorization) throughout CUE. Standard Unix file permissions are used to control access to these areas throughout the CUE NIS account space. In general, groups are created to specify the administrators and authors allowed for each web. In addition to server start and stop privileges, web server administrators have RW access to server config file and script areas, while web authors have RW access only to web content areas. All others (web and other users) have RO access throughout by default, although local web administrators can further restrict world access as needed.
The default startup for Apache (defined at compile time) looks to /etc/httpd/ to find the main configuration file httpd.conf. The CUE installation provides a startup script that specifies the location of this file within the appropriate /group/... areas used for the CUE configuration. The web server configuration files, logs, etc. are also located in this area.
The table below provides a list of the default values for common web server configuration parameters. The details of an individual server's configuration are available online from WebList.
To let individual groups run multiple, independent web servers, develop content locally, and configure each such server separately, it is necessary to provide a structured area of the central filesystem. Specifically, each group desiring to run a web server is provided with a set of directories (created by the install script) for this purpose.
Each Unix group within CUE can be granted an area within the /group filesystem. These areas are used to place web server configuration and content directories within the central filesystem. A standard layout is used within the CUE web server configuration to simplify management.
| Item | Location |
| Group web area | /group/<groupname>/www |
| Each web's root directory ($WebRoot) | /group/<groupname>/www/<webname> |
| Server root directory ($ServerRoot) | $WebRoot/httpd |
| Config files (httpd.conf) for httpd | $ServerRoot/conf |
| Shared object directory | $ServerRoot/libexec -- Links back to /apps/apache/libexec by default |
| Web Content Location ($DocumentRoot) | $WebRoot/html |
| Virtual host content directory | $DocumentRoot/<virtual_webname> |
| CGI directory (http://<hostname>/cgi-bin/) | $WebDaemonRoot/htbin |
| Virtual host cgi directory (http://<V-hostname>/cgi-bin/) | $WebDaemonRoot/htbin/<virtual_webname> |
| Web Server Information (mod-info) | http://<webname>.jlab.org/server-info |
| Web Server status | http://<webname>.jlab.org/mod-status |
| Log files, etc. | $ServerRoot/logs -- links back to /var/log/httpd on server system by default |
| Web server utilization statistics (via Webalyzer) | http://<webname>.jlab.org/usage/ |
| Icon area for fancy indexing | $WebDaemonRoot/icons |
| Perl directory for server | $WebDaemonRoot/perl |
| Apache Base Directory | /apps/apache |
| Harvest Base Directory | /apps/harvest |
| Harvest Data Area | /group/<groupname>/www/harvest |
Web content files are maintained within the /group filesystem in the locations given above. Access to these files is managed through Unix permissions. In general, RW access is granted to all members of the authoring group in addition to web administrators. This access is not currently extended to script directories. It is hoped that web administrators will review and post these scripts cautiously.
The basic configuration of CUE systems provides the most basic security for each system. The operation of a simple web server on a CUE system introduces few new security constraints in itself. However, many optional features and related activities do introduce such constraints. Web server security is discussed more fully in "Web Server Security Considerations".
Virtual host support is available within the configuration. Name-based virtual hosting is used to provide multiple virtual web servers via a single set of httpd daemon processes. These virtual webs are configured with independent content and cgi directories, which isolates them from one another and allows different sets of access controls and privileges for each virtual server. Each virtual server must have an appropriate DNS entry that references the CNAME of the real server system.
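The layout described above, written out as an added httpd.conf fragment (an illustration, not the CUE configuration itself). It assumes Apache 2.4 syntax; the group, web and virtual web names, the 192.0.2.0/24 range and the value given to $WebDaemonRoot are constructed placeholders.

```apache
# Constructed placeholders: group "examplegroup", web "exampleweb",
# virtual webs "vweb-a" and "vweb-b".
Define WebRoot       /group/examplegroup/www/exampleweb
Define DocRoot       ${WebRoot}/html
# ASSUMPTION: the page does not say where $WebDaemonRoot points.
Define WebDaemonRoot ${WebRoot}/httpd

# The first vhost answers any request whose Host header matches no
# ServerName, so make it an explicit deny-all rather than a real web.
<VirtualHost *:80>
    ServerName unmatched.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName vweb-a.jlab.org
    DocumentRoot "${DocRoot}/vweb-a"
    ScriptAlias /cgi-bin/ "${WebDaemonRoot}/htbin/vweb-a/"
    <Directory "${DocRoot}/vweb-a">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    <Directory "${WebDaemonRoot}/htbin/vweb-a">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

# Same daemon processes, separate directories, different access rule.
<VirtualHost *:80>
    ServerName vweb-b.jlab.org
    DocumentRoot "${DocRoot}/vweb-b"
    ScriptAlias /cgi-bin/ "${WebDaemonRoot}/htbin/vweb-b/"
    <Directory "${DocRoot}/vweb-b">
        Options None
        AllowOverride None
        Require ip 192.0.2.0/24
    </Directory>
    <Directory "${WebDaemonRoot}/htbin/vweb-b">
        Options None
        AllowOverride None
        Require ip 192.0.2.0/24
    </Directory>
</VirtualHost>
```

Because every virtual web is served by the same httpd processes running as the same user, the per-directory rules separate what clients may request, while separation between authors still depends on the Unix permissions on each directory.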
Each web server system is instrumented to allow remote monitoring and management to the greatest possible degree. If mod-status and mod-info are specified for inclusion in the httpd config file, these modules provide access to lots of interesting internal server configuration data. Logs from the httpd process are kept in the directory indicated in the table above. Usage, info and status data can be obtained from the URLs listed above as well.
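An added httpd.conf fragment (not the CUE configuration itself) showing how the DSO build lets one server opt in to mod_status and mod_info, with the weak form beside a restricted one. It assumes Apache 2.4 syntax and module file names; 192.0.2.0/24 is a constructed placeholder for a monitoring network.

```apache
# Per-server httpd.conf fragment. Module paths are relative to
# $ServerRoot, whose libexec directory links back to
# /apps/apache/libexec, so the shared build is reused unchanged.
# A server that does not need these pages simply omits the last two
# LoadModule lines and both <Location> blocks.
LoadModule authz_core_module libexec/mod_authz_core.so
LoadModule authz_host_module libexec/mod_authz_host.so
LoadModule status_module     libexec/mod_status.so
LoadModule info_module       libexec/mod_info.so

# Weak form: handlers enabled with no access rule of their own, so they
# inherit whatever the enclosing server or virtual host grants.
#
#   <Location "/mod-status">
#       SetHandler server-status
#   </Location>
#   <Location "/server-info">
#       SetHandler server-info
#   </Location>

# Restricted form. 192.0.2.0/24 is a constructed placeholder for the
# monitoring hosts' network; substitute the real management range.
<Location "/mod-status">
    SetHandler server-status
    Require ip 127.0.0.1 192.0.2.0/24
</Location>

# mod_info output includes the loaded modules and their configuration
# directives, so it is limited here to the server itself.
<Location "/server-info">
    SetHandler server-info
    Require ip 127.0.0.1
</Location>
```

`<Location>` blocks placed in the main server configuration are inherited by every name-based virtual host, so the restriction has to hold for all virtual webs on the server, not only the primary one.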
This document is maintained by {helpdesk@jlab.org}
Copyright Jefferson Lab 2007