T-110.5101 Laboratory Works on Datacommunications Software (5 cr)

Lab 5: Web


Description Of The Exercise 

In this exercise, you will familiarize yourself with some basic features of Apache and its modules. In addition, one useful SSH feature (port forwarding) is covered here.

1. Preparation

 
You will need only one machine of your choice to complete this assignment. Ensure that you have Apache 2 installed together with the fcgid and php5 modules. The modules for serving CGI applications, user directory contents, rewriting URLs and setting up SSL should come with Apache by default. In addition, please install libfcgi-perl for counter.pl.

Shut down any other web servers that you might be running on your virtual machine. Set up SSH port forwarding for HTTP and HTTPS so that you can test the server on your local machine (loopback) with your favourite web browser.

2. Serve pages from users' home directories

 
Configure Apache to serve files from the public_html directory in each user's home directory, and use the home directory of user "labrat" in this exercise. Inside public_html, all restrictions should be set locally, without restarting Apache, i.e. with .htaccess. Make sure you understand why Apache operates as it does!

After configuration, serve the following resources from the public_html of user labrat: 
  • Add a greeting to "index.html"
  • Type "wget https://playground.cs.hut.fi/t-110.5100_2010/problematic.txt" to fetch a text file from another server. Try to read the file in your browser. It should read "säätö on hyvästä".
  • Create a new subdirectory "secrets". Disable listing the contents of this particular subdirectory when the user points his/her browser there.
  • Make a new subdirectory "secrets_with_pass". Set up a username/password pair for it using "plain" authentication.
2.1 Provide a working solution (0,5pts per step). 2p
2.2 What's the magic with "index.html"?  1p 
2.3 Why isn't everything quite right with the problematic.txt? How to fix the issue? 1p
2.4 What is MIME? 1p
2.5 How does the authentication work with apache? 1p
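The script below is an added example and not part of the original lab sheet. It lays out the public_html structure from the steps above, writes the per-directory .htaccess files (Apache 2.2 directive syntax, with the 2.4 equivalent noted in a comment), and writes the server-wide userdir configuration without which those .htaccess files are silently ignored. All paths are constructed: by default it works in a scratch directory, and on the lab VM you would set WORK to /home/labrat and run it as that user. The htpasswd tool it refers to comes from the apache2-utils package.

```shell
#!/bin/sh
# Added example, not from the lab sheet. Builds ~labrat/public_html with the
# resources of section 2 and the .htaccess files that restrict them.
set -e

WORK="${WORK:-$(mktemp -d)}"          # constructed: use /home/labrat on the VM
DOCROOT="$WORK/public_html"
PASSFILE="$WORK/.htpasswd"            # must stay OUTSIDE public_html

write_userdir_conf() {
    # Server-wide part. On Debian this is /etc/apache2/mods-available/userdir.conf,
    # enabled with "a2enmod userdir" and a reload. AllowOverride decides which
    # directives .htaccess may set; without it the files below do nothing.
    cat > "$WORK/userdir.conf" <<'EOF'
<IfModule mod_userdir.c>
    UserDir public_html
    UserDir disabled root
    <Directory /home/*/public_html>
        AllowOverride AuthConfig Limit Options Indexes FileInfo
        Options Indexes SymLinksIfOwnerMatch
        # Apache 2.2 access syntax; in 2.4 use: Require all granted
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>
EOF
}

build_public_html() {
    mkdir -p "$DOCROOT/secrets" "$DOCROOT/secrets_with_pass"

    # Step 1: the greeting. DirectoryIndex (default: index.html) is what makes a
    # request for the directory return this file instead of a listing.
    cat > "$DOCROOT/index.html" <<'EOF'
<html><body><h1>Hello from labrat</h1></body></html>
EOF

    # Step 2 (wget of problematic.txt) is done by hand so this script runs offline.

    # Step 3: no automatic directory listing for secrets/
    cat > "$DOCROOT/secrets/.htaccess" <<'EOF'
Options -Indexes
EOF

    # Step 4: HTTP Basic authentication. Credentials travel base64-encoded, not
    # encrypted, so this is only acceptable over HTTPS or the SSH tunnel.
    cat > "$DOCROOT/secrets_with_pass/.htaccess" <<EOF
AuthType Basic
AuthName "labrat secrets"
AuthUserFile $PASSFILE
Require valid-user
EOF
}

add_user() {
    # htpasswd prompts for the password, so the secret never appears on the
    # command line or in shell history. -c creates the file on first use.
    if [ -f "$PASSFILE" ]; then htpasswd "$PASSFILE" "$1"; else htpasswd -c "$PASSFILE" "$1"; fi
}

check_password_file_location() {
    # A password file inside public_html could be downloaded by anyone.
    case "$PASSFILE" in
        "$DOCROOT"/*) echo "refusing: $PASSFILE is inside the web root" >&2; return 1 ;;
    esac
    return 0
}

write_userdir_conf
build_public_html
check_password_file_location
echo "layout written under $DOCROOT; run 'add_user labrat' to create the password entry"
```

Run it, then reload Apache and open http://localhost/~labrat/ through the tunnel; the three behaviours (index page, no listing for secrets/, login prompt for secrets_with_pass/) should all come from the .htaccess files rather than from the server-wide configuration.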

3. Configuring SSL

Start by creating a 2048-bit key for the server. Then create a certificate that matches the key. Configure Apache to use this certificate for HTTPS traffic. Set up another SSH port forwarding to test HTTPS over loopback.

Note: Taking a shortcut with CA.pl is not accepted; you need to understand the process! Only a few commands are needed, though.
3.1 Provide and explain your solution. 1p
3.2 What information can a certificate include? What is necessary for it to work in the context of a web server? 1p
3.3 What do PKI and requesting a certificate mean? 1p

4. Enforcing HTTPS

Create yet another subdirectory called "secure_secrets" in the public_html directory of the "labrat" user. Enforce HTTPS for this directory by using mod_rewrite and .htaccess, so that Apache redirects "http://localhost/secure_secrets" to "https://localhost/secure_secrets". Please note that this is a bit more complicated to test through the SSH forwarding, so just test it locally with lynx or netcat on the virtual machine. If your demo requires it, you may hard-code your port numbers into the rewrite rules.
4.1 Provide and explain your solution. 2p
4.2 What is HSTS? 1p
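The script below is an added example, not part of the lab sheet. It writes the .htaccess that answers plain-HTTP requests for secure_secrets/ with a redirect to the HTTPS URL, with an optional hard-coded HTTPS port for testing through an SSH tunnel, and includes the netcat probe for checking the redirect on the VM itself. The directory path and the port are constructed values.

```shell
#!/bin/sh
# Added example, not from the lab sheet: the .htaccess that makes Apache answer
# plain-HTTP requests for secure_secrets/ with a redirect to the HTTPS URL.
set -e

WORK="${WORK:-$(mktemp -d)}"                  # constructed; /home/labrat on the VM
SECURE_DIR="$WORK/public_html/secure_secrets"

write_force_https() {
    # $1 (optional): HTTPS port the client must use when testing through an SSH
    # tunnel (e.g. 8443). Left empty, the redirect uses the standard port 443.
    port="${1:+:$1}"
    mkdir -p "$SECURE_DIR"
    cat > "$SECURE_DIR/.htaccess" <<EOF
# Needs mod_rewrite and "AllowOverride FileInfo" on /home/*/public_html.
RewriteEngine On
# %{HTTPS} is "on" only when the request arrived over TLS (mod_ssl sets it).
RewriteCond %{HTTPS} !=on
# Send the client to the same path on the HTTPS side. SERVER_NAME is used
# instead of HTTP_HOST because the latter carries the tunnel's port. 302 while
# testing: a cached 301 pointing at a wrong port is painful to undo in a browser.
RewriteRule ^ https://%{SERVER_NAME}${port}%{REQUEST_URI} [R=302,L]
EOF
}

probe_http() {
    # Manual check from the VM (as the lab sheet suggests): the plain-HTTP answer
    # must be a 3xx status with a Location header that starts with https://.
    printf 'GET /~labrat/secure_secrets/ HTTP/1.0\r\nHost: localhost\r\n\r\n' |
        nc localhost 80 | sed -n '1p;/^Location:/p'
}

write_force_https "${HTTPS_PORT:-}"
cat "$SECURE_DIR/.htaccess"
```

Run it with HTTPS_PORT=8443 in the environment to get the tunnel-friendly variant; once the redirect works, the HTTPS virtual host can additionally send a Strict-Transport-Security header so that the browser stops trying plain HTTP for this host at all.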

5. Dynamic content

  • Create a new subdirectory called "dynamic" in the public_html directory. Allow access to this directory only from the localhost and test the access control e.g. by using another virtual machine and lynx.
  • Fetch "https://playground.cs.hut.fi/t-110.5100_2010/hello.c" to this directory and compile it ("gcc -o hello hello.c"). Use .htaccess to set only the compiled file to be handled by cgi-script. Then access the output with a web browser.
  • Fetch "https://playground.cs.hut.fi/t-110.5100_2010/counter.pl" to the directory and configure .htaccess accordingly using fcgid.
  • Fetch "https://playground.cs.hut.fi/t-110.5100_2010/fileserver.phps" to the directory and rename it to "fileserver.php". If needed, do some configuration for mod_php. Then test out the fileserver script a bit.
5.1 Provide a working solution (0,5pts per step). 2p
5.2 How do the approaches of mod_cgi, mod_fcgid and mod_php differ from each other? 2p
5.3 What security considerations do you have for these techniques? What if the server were shared or dedicated? 1p
5.4 How does the counter work? What's the flaw in it? 1p
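The script below is an added example, not part of the lab sheet. It writes the .htaccess for the dynamic/ directory covering the steps above (localhost-only access, cgi-script only for the compiled hello binary, counter.pl through mod_fcgid, and the note about mod_php in user directories) and adds a permission check for the CGI binary, since mod_cgi executes it as the Apache user. The directory path is constructed; the remark about Debian's php5.conf disabling PHP under /home/*/public_html describes that distribution's default file.

```shell
#!/bin/sh
# Added example, not from the lab sheet: .htaccess for dynamic/ (localhost-only,
# CGI only for the compiled binary, counter.pl via mod_fcgid) plus a permission
# check on the CGI binary.
set -e

WORK="${WORK:-$(mktemp -d)}"             # constructed; /home/labrat on the VM
DYN="$WORK/public_html/dynamic"

write_dynamic_htaccess() {
    mkdir -p "$DYN"
    cat > "$DYN/.htaccess" <<'EOF'
# Access control (Apache 2.2 syntax; in 2.4: "Require local").
Order deny,allow
Deny from all
Allow from 127.0.0.1 ::1

# ExecCGI alone executes nothing; a handler must also be assigned to a file.
Options +ExecCGI

# mod_cgi: only the compiled program, matched by exact file name. The source
# hello.c stays an ordinary file and would be served as text, so hide it.
<Files hello>
    SetHandler cgi-script
</Files>
<FilesMatch "\.c$">
    Deny from all
</FilesMatch>

# mod_fcgid: the process stays alive between requests, which is how the
# counter can keep state in memory instead of re-starting for every hit.
<Files counter.pl>
    SetHandler fcgid-script
</Files>

# mod_php: .php is mapped by the server-wide php5.conf. On Debian that file
# turns the engine off under /home/*/public_html; comment that block out.
EOF
}

check_cgi_binary() {
    # mod_cgi runs the program as the Apache user, so it must be executable by
    # that user and must not be writable by anyone else: a group- or
    # world-writable CGI lets any local user change what the web server runs.
    f="$DYN/$1"
    [ -x "$f" ] || { echo "$f: not executable" >&2; return 1; }
    [ -z "$(find "$f" \( -perm -g+w -o -perm -o+w \) -print)" ] ||
        { echo "$f: writable by group/others" >&2; return 1; }
    return 0
}

write_dynamic_htaccess
# On the VM, after fetching hello.c into dynamic/:
#   cd "$DYN" && gcc -o hello hello.c && check_cgi_binary hello
```

Test the access rule from a second virtual machine with lynx (it should get a 403), and from the VM itself with "lynx http://localhost/~labrat/dynamic/hello", which should show the program's output rather than its bytes.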

6. Additional questions

6.1 When to use .htaccess? In contrast, when not to use it? 1p
6.2 What kind of solution would you use to run a Python application as a web service? 1p
6.3 What do GET and POST mean in HTTP? What else can you do with HTTP? What is REST? 1p

7. Extra points

Extra points for an excellent demo, or in-depth mastery of the topic or software. 3p