albertldee
05-09-2005, 08:25 PM
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Introduction (How I setup a free web server)</th></tr>
<tr><td class="BORDEREDTABLE">
The free aspect is a little misleading. There are four costs:
<ul>
<li>Time isn't a limitless resource, and this may take a lot of time - however this should be hobby time.</li>
<li>You'll need some hardware - an old PC and a new modem.</li>
<li>You'll need some kind of "always-on" internet connection such as broadband. I currently get BT broadband for £27 a month (but I'd have it even if I didn't run a web-server).</li>
<li>You'll have the electricity cost of leaving the server on 24-7 (a couple of quid a week).</li>
</ul>
<h3>The Plan</h3>
<ol>
<li>Get a broadband connection working.</li>
<li>Add a linux box to the network.</li>
<li>Start the webserver.</li>
<li>Get the website accessible from the world wide web.</li>
<li>Secure the network with a firewall.</li>
<li>Reduce the noise of the webserver.</li>
<li>Increase the power of the webserver.</li>
</ol>
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Get a Broadband connection working</th></tr>
<tr><td class="BORDEREDTABLE">
<h3>First purchase (March 2003)</h3>
I decided I wanted broadband and looked for the cheapest possible "always-on" price. NTL did one for £15, but of course they didn't serve my area so I had to get BT Broadband (http://www.bt.co.uk/broadband) for £27 per month. The extra money buys more upload speed. Upload speed is important when running a server as it governs the speed of the site.
Do some research before signing up:
<ul>
<li>http://www.broadband-help.com (http://www.broadband-help.com/cm_adslbuyers.asp#2)</li>
<li>http://www.cameo.com.tw/tsd/faq/ip-faq/frequently_asked_questions.htm</li>
</ul>
It took 9 days for BT to make the telephone line DSL compatible (but no engineer needs to come) and then they sent me an information pack which contains your username.
<h3>Second purchase (March 2003)</h3>
Broadband is ADSL technology and you need an ADSL modem. Instead of getting the one BT was trying to sell me, I wanted a network friendly one so I searched ebay (http://www.ebay.co.uk) and found:
<table>
<tr>
<td>
<img src="http://members.lycos.co.uk/tfotherby/Contents/Home/Computing/Images/ADSL4Portthumnale.jpg" alt="ADSL modem/router thumbnail">
</td>
<td>
"ADSL Modem Router with 4-Ports 10/100 Switch and Firewall with 1 Free Micro Filter" (£70 including packaging)
2x5m RJ45 network cable
</td>
</tr>
</table>
This little box is:
<ul>
<li>An ADSL modem - Enabling me to communicate with my broadband provider.</li>
<li>A router - Used to connect different networks together. It is a bridge between my small LAN home network and my broadband provider's WAN network that will give me access to the internet. My local LAN traffic will stay on one side of the router whereas internet traffic will pass through the router.</li>
<li>A switch - Used to get IP packets from one machine in the network to another machine in the network. Packets are not broadcast across all cables connected to the switch and so a switch prevents flooding the whole ethernet, unlike a hub. You can think of a hub as a box which connects all the cables together: any packet from any host is broadcast across all cables connected to the hub.</li>
<li>A few other things - The little box has an enormously complex interface (routerInterface.html) which reveals it is a DHCP server and many other things that I don't yet understand, e.g. it supports NAT, virtual servers and bridge filtering.</li>
</ul>
Having a modem/router/switch in one is cheaper, helps to minimise clutter and seems to be a simple solution to getting more than one computer connected to the web.
To read about configuring the broadband internet connection see my configuration diary (utopiaJourney.html#modemconfig).
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Add a linux box to the network</th></tr>
<tr><td class="BORDEREDTABLE">
<h3>The webserver Hardware</h3>
<table>
<tr>
<td>
The webserver can be an old computer not much good at playing the latest games. I chose to make my 8 year old Pentium 1 a webserver. It only has a 166MHz processor but handles things fine.
My network is now 2 fast windows machines (good for network games), a Xbox (with Xbox live) and a linux box as a webserver.
</td>
<td>
<img src="http://members.lycos.co.uk/tfotherby/Contents/Home/Computing/Images/WebserverDiagram.png" alt="Webserver network diagram">
</td>
</tr>
</table>
<h3>Linux Install</h3>
Since the rest of the adventure is with software rather than hardware, linux is the free and hip way to go about it. Get a copy of Linux (whatever distro, but I got the newest and most standard: Redhat (http://www.redhat.com) version 8). You can download it and burn it onto CD, buy it from ebay or go to virgin megastore.
The installation procedure is important and you need to be careful what packages you install. You want to install the packages related to servers; don't assume anything is installed by default. If you can see these, make sure they're ticked to be installed:
<ul>
<li>Applications - Databases - Postgresql-perl</li>
<li>Development - Languages - php</li>
<li>Development - Languages - php-pgsql</li>
<li>System Environment - Daemons - mod_php</li>
<li>System Environment - Daemons - wu_ftpd</li>
</ul>
<h3>Boot up the Linux Box</h3>
Log in as root. Oh my God, linux is slow, perhaps I should have installed an older version? No, the plan for this machine is to sit quietly in the corner; it doesn't have to have a responsive user interface as long as it can serve web pages fast. After the initial configuration we won't have to touch it, we can even take away its monitor to save space! Setting a low screen resolution and installing the minimum needed services is a good idea anyway.
Check:
<ul>
<li>The internet works - load a page in the browser.</li>
<li>The network works - ping an existing computer and use that computer to ping the linux box.</li>
<li>You can access the router - go to 10.0.0.2 in a browser.</li>
</ul>
<h4>Understanding the Linux file organisation</h4>
There are two big differences between the way windows and linux organise files:
<ul>
<li>In linux there is a single root to the directory tree; this is not the case in windows where one often has many drives (C:, A: etc).</li>
<li>Windows has the concept of "program directories" where all a program's files start from one place. In linux, programs put their documentation into '/usr/share/doc/program_name', man pages into '/usr/share/man/', info pages into '/usr/share/info'. That is, they are merged with the system hierarchy.</li>
</ul>
The linux directory convention:
<ul>
<li>/bin - This is where the system stores important executables, needed for the startup of the system.</li>
<li>/boot - The kernel is often placed here, together with some other boot files. This directory should be on the first 1024 cylinders of the disk, or the disk should be LBA translated, otherwise LILO can't boot the kernel.</li>
<li>/dev - This is a really interesting directory :). In there, every device on your computer (serial ports, hard disks etc.) has a file, a device file.</li>
<li>/etc - Global configuration files.</li>
<li>/home - Users' home directories; every user has a directory in this directory.</li>
<li>/lib - Shared libraries, important for the system startup. Shared libraries are used by many executables at the same time, saving memory and disk space.</li>
<li>/lost+found - If you run a fsck and it finds some weirdness, the result goes here.</li>
<li>/mnt - This is a non-standard but common directory. It exists for temporary mounts (e.g. cdrom or floppy).</li>
<li>/proc - This is a really important directory. It exists only as a mount point on the hard disk; the rest is virtual information filled in by the kernel. Here you find information about all your processes, and other information such as which interrupts and memory addresses are in use. It's an easy way to fetch that information: it's just files, like the rest of the UNIX system.</li>
<li>/root - This is the home directory of the root user.</li>
<li>/sbin - Executables the root user needs, that should be available at boot.</li>
<li>/tmp - Temporary files. Everybody can write here, but only the owner of a file may remove it. Root may do it too, of course.</li>
<li>/usr - This directory has a lot of subdirectories. /usr/bin has the same type of programs in it as /bin, but they aren't that essential for the system to work. One subdirectory of /usr is /usr/local, also having bin, sbin and lib directories. In local you can place local extensions of the system, and if you upgrade your system the upgrade shouldn't touch local, so your changes will still be there.</li>
<li>/var - var stands for variable. This directory holds files that could get a lot bigger in a short time, and get smaller really fast too. Typical examples are mail and news spools.</li>
</ul>
<h3>Start apache webserver </h3>
Using KDE, go to "Server Settings -> Services" and start httpd, which is the apache webserver. You know it's working if you open a browser on the linux box and go to <a href="http://127.0.0.1" target="_blank">http://127.0.0.1</a>: you should get the apache default page. If that works, try going to the server's IP address (in my case, <a href="http://10.0.0.5" target="_blank">http://10.0.0.5</a>) from another computer in the network.
The webserver must have a static LAN IP. You can configure the network using the netconfig program (/usr/sbin/netconfig). Use the router IP as the gateway and name-server. Afterwards restart the network with /etc/rc.d/init.d/network restart. If you need more options in network configuration use the neat program.
Instead of using the apache default page, put your website content in the "/var/www/html" directory, indexed by "index.html".
<h3>Get website accessible from the world wide web</h3>
Traffic coming to your router needs to be forwarded to the webserver. I had to do three things:
<ol>
<li>Change the HTTP server port on the router to 8080, meaning that if I want to configure the router I have to go to <a href="http://10.0.0.2:8080" target="_blank">http://10.0.0.2:8080</a>. Otherwise traffic would by default be directed to the router configuration page rather than the webserver.</li>
<li>Set up internet traffic connecting to the WAN side of the router to be forwarded to my webserver.
<ul>
<li>The 1st way I did this was using the DMZ option on my router with the host being my webserver (10.0.0.5). A DeMilitarized Zone means that incoming traffic is forwarded straight to the webserver, so traffic isn't confused about which internal IP to go to.</li>
<li>I later changed to using the "Virtual server" setting on my router to forward traffic on port 80 to 10.0.0.5. I had to use NAT for the machines on the LAN so they could still access the internet (see setting up my router (routerInterface.html)).</li>
</ul>
</li>
<li>Save and restart the router.</li>
</ol>
After doing that, make a note of your current WAN IP address, go to work and type it in a browser; you should get your website.
Getting a domain name: you don't want to have to type in an IP address to get to your website.
<ul>
<li>Free solution: Get an account from www.cjb.net (http://www.cjb.net) and you'll get a domain name such as "www.tomfotherby.cjb.net". Then you can forward traffic to your real IP address such as "http://217.44.186.130".</li>
<li>Expensive solution: Buy a domain name such as "www.tomfotherby.com" from a registrar such as www.buydomains.com (http://www.buydomains.com) (see the full index of registrars at http://www.internic.net). You'll then be able to URL or frame forward to your IP address.</li>
</ul>
<font color="red">Problems:</font>
<ol>
<li>Your ISP will change your IP address every few weeks and you'll need to update your domain name forwarding to the new WAN IP.</li>
<li>The browser looking at your website gets an ugly URL.</li>
<li>Google can't index your site because the URL it sees is likely to be an old IP address that has since been re-assigned by your ISP.</li>
</ol>
Solution to problem 1: Write a program to check your WAN IP for change and update your domain name forwarding if necessary.
/home/tf98/bin/checkWANIP.pl (checkWANIP.pl) gets the current WAN IP and compares it with the latest one in a history file (IPhistory.txt). If there is a mismatch it records the new IP in IPhistory.txt and updates the forwarding address for www.tomfotherby.com at my registrar (www.buydomains.com).
Write a script that will run this perl program.
<pre>
#!/bin/sh -
perl /home/tf98/bin/checkWANIP.pl
</pre>
and change the permissions of the script so it is executable: chmod a+x checkWANIP
Put the script in /etc/cron.hourly so the script is run automatically every hour as a cron job.
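The compare-and-record step that checkWANIP.pl performs can be written in a few lines of shell. The script below is an added example, not the post's Perl script (which isn't shown): it refuses to record anything that isn't a valid dotted-quad address, appends a dated line to the history file only when the address has changed, and calls a placeholder update_forwarding where the registrar-specific update would go. The HISTORY path, the function names and the documentation addresses used for testing are my own assumptions.

```shell
#!/bin/sh
# Added example (not the post's checkWANIP.pl, which is not shown): the
# compare-and-record step of the hourly WAN IP check. The address is passed in
# as $1 because how the post's script fetches it from the router isn't shown.
# HISTORY location, valid_ipv4 and update_forwarding are assumptions of mine.
HISTORY="${HISTORY:-/var/lib/wanip/IPhistory.txt}"

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255,
# so an error page or other garbage is never recorded or pushed to the registrar
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -f            # no pathname expansion while splitting on "."
    set -- $1
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# update_forwarding ADDR: placeholder for the registrar-specific update the
# post performs at buydomains.com; that interface is not described, so this
# only reports what would be sent
update_forwarding() {
    printf 'would update forwarding to %s\n' "$1"
}

# check_wan_ip ADDR HISTFILE: compare ADDR with the last address in HISTFILE.
# Returns 0 and appends a dated line if it changed, 1 if unchanged,
# 2 if ADDR is not a valid address (nothing recorded, nothing updated).
check_wan_ip() {
    ip=$1
    hist=$2
    valid_ipv4 "$ip" || return 2
    last=$(tail -n 1 "$hist" 2>/dev/null | awk '{print $NF}')
    [ "$ip" != "$last" ] || return 1
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%MZ)" "$ip" >> "$hist"
    update_forwarding "$ip"
    return 0
}

# Stand-alone use from cron: checkWANIP <current-wan-ip>
if [ $# -ge 1 ]; then
    check_wan_ip "$1" "$HISTORY"
fi
```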
Solution to problems 2 &amp; 3:
If your registrar has a "Domain Listing Service" then you should use it instead of IP or URL forwarding, so that your domain name is used rather than your IP address.
The registrar with which the www.tomfotherby.com domain is registered will have added an entry into the whois (http://www.networksolutions.com/en_US/whois/index.jhtml) database containing my domain name, my owner information and a domain name server. They will have a couple of default name-servers, but if we forward traffic to an IP address a name-server isn't used. We could set up our own name-server and use it. For more information read the www.diywebserver.com (http://www.diywebserver.com) site.
I think it might be possible to use apache's virtual hosts (http://httpd.apache.org/docs/vhosts/).
More on name-servers: When you type a URL into your browser, the browser's first step is to convert the domain name and host name into an IP address so that the browser can go request a Web page from the machine at that IP address. To do this conversion, the browser has a conversation with a name server.
When you set up your machine on the Internet, you (or the software that you installed to connect to your ISP) had to tell your machine what name server it should use for converting domain names to IP addresses. On some systems, the DNS is dynamically fed to the machine when you connect to the ISP, and on other machines it is hard-wired. If you are working on a Windows 95/98/ME machine, you can view your current name server with the command WINIPCFG or IPCONFIG, or on a UNIX machine, type nslookup, dig or host along with your machine name (which can be found using the hostname command).
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Configuring the webserver</th></tr>
<tr><td class="BORDEREDTABLE">
<h4>Making yourself at home</h4>
The Basics:
I used linux for 4 years but found being an administrator required lots of new knowledge:
<ul>
<li>Permissions - You'll need to use the chmod command a lot to limit file access to only the correct users.</li>
<li>Users - The permissions system is calculated on a per-user basis. Users aren't just humans; each software process runs under a particular user name as well. For example the apache webserver uses "apache" as a user name, so you'd better make sure it has access to your website files.</li>
<li>Groups - A fundamental need is the ability to maintain the web content under a normal user ID, without having to go around as root all the time. I created a group of users who will work on web content:
<ul>
<li>groupadd www - add a new group called www.</li>
<li>usermod -G www your-user-ID - add yourself to the group.</li>
<li>chgrp -R www /var/www/html - assign the www group to the HTML directory tree.</li>
<li>chmod -R g+w /var/www/html - give the www group write permission to the tree.</li>
</ul>
</li>
</ul>
To check the amount of disk space available use the df -h command.
The shell you use is determined by the /etc/passwd file. You can see what shells are available from the /etc/shells file. I use the csh shell and have a ".cshrc" file in my home directory, which is a special shell script that is run whenever the shell is loaded (e.g. when you open a command prompt terminal). I added these commands to the ".cshrc" file:
<pre>
alias sp set prompt='[$cwd\]%'
alias cd 'chdir \!* ; sp'
alias sgrep 'find . -type f | xargs grep \!*'
set prompt="[$cwd\]%"
</pre>
They change the command prompt to display the current directory and give me a new find-in-files command which I commonly use.
<h3>Making your Linux box file system accessible on the network</h3>
You can do this fairly easily by running a Samba server on the linux box.
<h4>Step One</h4>
First edit your smb.conf file. Mine is at /etc/samba (do whereis samba). To understand the smb.conf file see the manual page (man smb.conf). This is a quick and dirty smb.conf file that worked for me:
<table border=1 align="center" bordercolor="blue"><tr><td>
<pre>
[global]
; A special section that sets up global variables used in all other sections
; %m is the NetBIOS name of the client machine.
encrypt passwords = yes
guest account = smbguest
log file = /var/log/samba/%m.log
netbios name = LINUXBOX
security = share
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
workgroup = KIXNTOM
[linuxBox]
; Defines a file space share called "linuxBox", using the privileges of smbguest.
comment = linux box file system
browseable = yes
guest ok = yes
guest only = yes
read only = yes
path = /
# This one is useful for people to share files
[tmp]
comment = Temporary file space
browseable = yes
guest ok = yes
guest only = yes
read only = no
create mode = 0666
directory mode = 0777
path = /tmp
</pre>
</td></tr></table>
The smb.conf file is split into sections which are defined with square brackets, e.g. [shareName]. There are three special section names ([global], [homes] and [printers]), but any other section name denotes a particular shared view of the file system.
<table>
<tr><th>View from windows</th><th>smb.conf sections</th></tr>
<tr>
<td>
<img src="http://members.lycos.co.uk/tfotherby/Contents/Home/Computing/Images/My_Network_Places.png" alt="My Network Places in windows">
</td>
<td>
[Global] defines the global variables used throughout the smb.conf file. The netBIOS name is equivalent to the "computer name" in windows. Make sure the workgroup name is the same as what you used in the windows computers.
[linuxBox] is a particular share of the linux box's files. This share gives smbguest read-only access to the linux box's file system which allows me to browse it from a windows box on the network.
[tmp] is another share of the linux box's files. This time it allows write access to /tmp. I use it to transfer files from windows to linux.
</td>
</tr>
</table>
<h4>Step Two</h4>
When you view files on the linux box on the network from another machine you use the guest account, smbguest. This account needs to be set up on the linux box:
<pre>
mkdir -p /usr/local/samba/private
touch /usr/local/samba/private/smbpasswd
touch /usr/local/samba/private/secrets.tdb
groupadd smbguest
useradd -d /home/smbguest -g smbguest -s /bin/false -m smbguest
mkdir -p /home/smbguest
chmod 0700 /home/smbguest
smbpasswd -a smbguest
testparm</pre>
<h4>Step Three</h4>
Start the samba server by going to the services user interface and starting smbd and nmbd daemons.
<h4>Testing</h4>
That should be it, go to network neighbourhood in windows and see if you can see the linux box's files.
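For comparison with the quick and dirty file above, here is a tighter smb.conf for the same box. It is an added example, not the post's own file: it drops the [linuxBox] share (a guest-readable view of the whole filesystem, /etc included, for anyone who can reach the box), replaces share-level security (security = share, which later Samba versions removed) with per-user passwords, answers only the 10.0.0.x LAN from the post, and shares the web tree to the www group created earlier. The share names, masks and the 127. loopback entry are my choices.

```ini
[global]
; Per-user authentication instead of a guest account for every share
security = user
encrypt passwords = yes
netbios name = LINUXBOX
workgroup = KIXNTOM
log file = /var/log/samba/%m.log
; Only answer clients on the home LAN (10.0.0.x) and the box itself,
; never anything arriving from the WAN side of the router
hosts allow = 10.0.0. 127.
hosts deny = ALL
; Never fall back to a guest login for unknown users
map to guest = Never

; The web tree, writable only by members of the www group
[www]
comment = Website content
path = /var/www/html
valid users = @www
read only = no
create mask = 0664
directory mask = 0775
browseable = yes

; A drop box for copying files across: per-user, not world-writable
[tmp]
comment = Temporary file space
path = /tmp
valid users = @www
read only = no
create mask = 0644
directory mask = 0755
browseable = no
```

Each www member needs a Samba password (smbpasswd -a user) before they can connect, and testparm will report any option the installed Samba version does not accept.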
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Secure the network with a firewall</th></tr>
<tr><td class="BORDEREDTABLE">
"IPtables" is the name of the linux firewall system but it looks complicated! There is a simple way though: Under System Settings -> Security Level I set the security level to high which says to allow DHCP and DNS and block all other connections unless explicitly defined. I then ticked Customise and allowed WWW(HTTP) connections and in other ports I put "137:udp,138:udp,139:tcp,80:tcp" to allow samba connections (NetBIOS Name Service, NetBIOS Datagram Service and NetBIOS Session Service respectivly).
<table><tr>
<td>
<img src="http://members.lycos.co.uk/tfotherby/Contents/Home/Computing/Images/security_setup.png" alt="Security Level setup screen">
</td>
<td>
I think my network is secure because any traffic coming from the internet gets forwarded by my router to the DMZ, which contains the firewall and should drop uncatered-for packets.
However, in reality the network is totally insecure because there are many things that I still don't really understand. I don't really understand samba or iptables or my de-militarized zone. The firewall is supposed to sit in between the LAN and the internet, but this seems a waste of a machine. Are my windows machines open to attack?
Oh well, I make regular backups!
</td></tr></table>
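The policy the Security Level tool applies can be written out as explicit iptables rules, which also makes the weak spot in the setting above visible: with the router forwarding all WAN traffic to the DMZ host, every port the firewall accepts from anywhere (including the samba ports 137-139) is reachable from the internet, not just from the LAN. The script below is an added example, not the post's configuration: it emits the same policy with the samba ports limited to the LAN and includes a check that lists which ports remain open to the world. The 10.0.0.0/24 subnet comes from the post's addresses; DRY_RUN, the function names and the LOG rule are my own additions.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Reproduces the "high"
# security level policy (drop everything except DHCP, DNS replies and HTTP)
# as explicit iptables rules, with the samba/NetBIOS ports limited to the LAN.
# Assumptions: LAN is 10.0.0.0/24 (from the post's addresses); run as root with
# DRY_RUN=0 to apply, otherwise the rules are only printed.
LAN_NET="${LAN_NET:-10.0.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# ipt ARGS...: print one iptables command, or execute it when DRY_RUN=0
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# firewall_rules: emit the complete INPUT policy for the webserver
firewall_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # loopback, and replies to connections the box started (covers DNS answers)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP lease offers from the router
    ipt -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    # HTTP is the only service meant to be reachable from the internet
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    # samba: NetBIOS name/datagram (137,138 udp) and session (139 tcp),
    # accepted from the LAN only, so the DMZ forwarding never reaches them
    ipt -A INPUT -s "$LAN_NET" -p udp --dport 137:138 -j ACCEPT
    ipt -A INPUT -s "$LAN_NET" -p tcp --dport 139 -j ACCEPT
    # everything else: log a sample, then fall through to the DROP policy
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop:"
}

# world_open_ports: list destination ports that the rule set accepts without
# a source restriction, i.e. what the internet side can reach
world_open_ports() {
    ( DRY_RUN=1; firewall_rules ) \
      | grep -- '-j ACCEPT' | grep -v -- '-s ' \
      | grep -o -- '--dport [0-9:]*' | awk '{print $2}' \
      | sort -u | tr '\n' ' ' | sed 's/ $//'
}

firewall_rules
echo "Reachable from anywhere: $(world_open_ports)"
```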
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Setting up a private directory</th></tr>
<tr><td class="BORDEREDTABLE">
I was interested in setting up a restricted directory:
<ol>
<li>Create a new directory in the website: mkdir safedir</li>
<li>Create a new password file somewhere not accessible by the web using a special command:
<pre>
# htpasswd -c /usr/local/apache/passwd/passwords/.htpasswd bob
New password: mypassword
Re-type new password: mypassword
Adding password for user bob
</pre>
The -c flag creates the .htpasswd file and should only be used the first time; to add other users leave out the -c flag. The path must be the same one that AuthUserFile names in the next step.</li>
<li>Create a file in the directory-to-be-restricted called .htaccess:
<pre>
AuthName "Enter Password"
AuthType Basic
AuthUserFile /usr/local/apache/passwd/passwords/.htpasswd
require valid-user
</pre>
</li>
<li>Set permissions:
<pre>
chmod 711 safedir
chmod 711 /usr/local/apache/passwd/passwords
chmod 644 .htpasswd
chmod 644 .htaccess
</pre>
</li>
</ol>
That was supposed to be it but no pop-up box appeared; something was wrong.
That was supposed to be it but no pop-up box appeared, something was wrong.
<font color="red">Solution:</font> I had to play around with Apache's configuration file. I only got it working after I added this to /etc/httpd/conf/httpd.conf:
<pre>
&lt;Directory "/var/www/html/safedir"&gt;
    AllowOverride AuthConfig
&lt;/Directory&gt;
</pre>
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Writing my first CGI script</th></tr>
<tr><td class="BORDEREDTABLE">
In the apache configuration file (/etc/httpd/conf/httpd.conf) there is a variable called "ScriptAlias" which gives a directory such as /var/www/cgi-bin where perl code can be run by the webserver. I put the following code in a file called "something.cgi" in the ScriptAlias directory.
<pre>
#!/usr/bin/perl
use strict;
use warnings;
# The header must end with a blank line ("\n\n") or apache rejects the output
print "Content-type: text/html\n\n";
# Print every environment variable the webserver passed to the script
while (my ($key, $val) = each %ENV) {
    print $key . " = " . $val . "&lt;br&gt;\n";
}
</pre>
It didn't work to start with (I got a "Premature end of script headers" error) for three reasons:
<ul>
<li>The "Content-type: text/html\n\n" line must have the "\n\n" at the end.</li>
<li>File permissions: chmod 755 something.cgi.</li>
<li>The first line of the script must be where perl is (e.g. #!/usr/bin/perl, got from whereis perl).</li>
</ul>
So now I have the tools to write CGI scripts. Here's an example of one which gets the value of my shares: getShareValue.cgi (/myScripts/getShareValue.cgi). One more thing though: how do I install other perl modules?
<h4>Install via CPAN module</h4>
The CPAN module is a module that usually comes bundled with perl and provides an interface to CPAN itself (the Comprehensive Perl Archive Network, http://cpan.org).
Using the CPAN module you can download, make, and install modules with one command. To start the CPAN shell, become root or superuser on your server and type the following from the command line: perl -MCPAN -e shell. Some configuration needs to be done before you can start using it.
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Increase the power of the webserver</th></tr>
<tr><td class="BORDEREDTABLE">
I'm going to try to use PHP to let the webserver access a Postgres Database.
<ol>
<li>Install PHP as part of the linux install process or otherwise.</li>
<li>See where PHP is installed: whereis php</li>
<li>Check PHP works by creating a file called info.php somewhere in the webserver's file structure that contains
<pre>
&lt;?php
phpinfo();
?&gt;
</pre>
Use a browser to view info.php. You should get information about apache and php.</li>
<li>Install Postgres as part of the linux install process or otherwise.</li>
<li>See where Postgres is installed: whereis postgres</li>
<li>Start Postgres running, using the Services GUI application to start the postgreSQL backend daemon.</li>
<li>Set yourself and the webserver up to access PostgreSQL:
<ul>
<li>Find out what user name the webserver runs as: ps -aux | grep http</li>
<li>Become root: su -</li>
<li>Become the postgres user: su postgres</li>
<li>Create tf98 as a user: createuser tf98 - allow creating db's and adding new users.</li>
<li>Create apache as a user: createuser apache - allow creating dbs but not adding new users.</li>
<li>Exit back to yourself: exit, exit</li>
</ul>
</li>
<li>Create a database called friends: createdb friends</li>
<li>Check the new database exists: psql -l</li>
<li>Create a file called input containing:
<pre>
CREATE TABLE friends (id serial, firstname char(10), surname char(10));
INSERT INTO friends VALUES (nextval('friends_id_seq'), 'Test', 'User');
INSERT INTO friends VALUES (nextval('friends_id_seq'), 'Your', 'Name');
</pre>
</li>
<li>Run the input file to populate the database: psql -d friends -f input</li>
<li>Create a file called test.php somewhere in the webserver's file structure that contains:
<pre>
&lt;html&gt;
&lt;body&gt;
&lt;?php
// Connect to the local "friends" database as the user the webserver runs as
$db = pg_connect("dbname=friends");
if (!$db) { printf("ERROR: cannot connect"); exit; }
$query = "SELECT * FROM friends";
$result = pg_query($db, $query);
if (!$result) { printf("ERROR"); exit; }
// Fetch the first row and print its three columns
$row = pg_fetch_row($result, 0);
printf("ID : %s&lt;br&gt;\n", $row[0]);
printf("First Name: %s&lt;br&gt;\n", $row[1]);
printf("Surname : %s&lt;br&gt;\n", $row[2]);
pg_close($db);
?&gt;
&lt;/body&gt;
&lt;/html&gt;
</pre>
</li>
<li>Grant the webserver access to the friends database:
<ul>
<li>Open the command line interface to postgreSQL: psql friends</li>
<li>Grant access to apache: GRANT ALL ON friends TO apache;</li>
<li>Quit out: \q</li>
</ul>
</li>
<li>Browse to the file and check that the webserver can use PHP to access a postgreSQL database!</li>
</ol>
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Webalizer</th></tr>
<tr><td class="BORDEREDTABLE">
Webalizer (http://www.mrunix.net/webalizer/) is a program that analyses webserver logs and produces statistics in a usage (../../../usage) directory. My apache logfile is kept at "/var/log/httpd/access_log" and is in the "CLF" (Combined Log Format) standard. My system seems to do some log rotation that periodically produces access_log.1, access_log.2 etc.
<table><tr><td>
The webalizer program generates a current statistics file ("index.html") that indexes a HTML file for each month. The webalizer program has a configuration file kept at "/etc/webalizer.conf".
</td><td>
<img src="http://members.lycos.co.uk/tfotherby/Contents/Home/Computing/Images/website-hits.gif" alt="Website hits graph">
</td></tr></table>
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Future Plans</th></tr>
<tr><td class="BORDEREDTABLE">
The following are future plans...
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Reduce the noise of the webserver</th></tr>
<tr><td class="BORDEREDTABLE">
Noise is a problem because the webserver is always on and might disturb the peace. Tackling the problem:
<ul>
<li>The CD-ROM drive - Take any CD out, problem solved (wish everything was that easy).</li>
<li>The CPU fan - OK, this is an old machine worth about £5; I took the CPU fan off and everything was fine.</li>
<li>The power supply unit - This isn't too noisy, I can cope with it.</li>
<li>The hard disk - big problem, I want to buy a specially quiet hard disk such as the "Seagate Barracuda V"; 60GB for $86 isn't bad.</li>
</ul>
A good place to start is www.quietpc.com (http://www.quietpc.com)
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Set up a mail server</th></tr>
<tr><td class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Introduction (How I setup a free web server)</th></tr>
<tr><td class="BORDEREDTABLE">
The free aspect is a little misleading. There are four costs:
Time isn't a limitless resource, and this may take a lot of time - however this should be hobby time.
<LI>Your'll need some hardware - an old PC and a new modem.
Your'll need some kind of "Always-on" internet connection such as broadband. I currently get BT broadband for 27 a month (but I'd have it even if I didn't run a web-server).
Your'll have the electricity cost of leaving the server on 24-7 - (couple of quid a week).
<h3>The Plan</h3>
Get a Broadband connection working.
Add a linux box to the network
Start the webserver.
Get website accessible from the world wide web.
Secure the network with a firewall.
Reduce the noise of the webserver.
Increase the power of the webserver.
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Get a Broadband connection working</th></tr>
<tr><td class="BORDEREDTABLE">
<h3>First purchase (March 2003)</h3>
I decided I wanted broadband and looked for the cheapest possible "always-on" price, NTL did one for £15, but of course they didn't serve my area so I had to get BT Broadband (http://www.bt.co.uk/broadband) for £ 27 per month. The extra money buys more upload speed. Upload speed is important when running a server as it governs the speed of the site.
Do some reasearch before signing up:
http://www.broadband-help.com (http://www.broadband-help.com/cm_adslbuyers.asp#2)
http://www.cameo.com.tw/tsd/faq/ip-faq/frequently_asked_questions.htm
It took 9 days for BT to make the telephone line DSL compatible (but no engineer needs to come) and then they sent me an information pack which contains your username.
<h3>Second purchase (March 2003)</h3>
Broadband is ADSL technology and you need a ADSL modem. Instead of getting the one BT was trying to sell me, I wanted a network friendly one so I searched ebay (http://www.ebay.co.uk) and found:
<table>
<tr>
<td>
http://members.lycos.co.uk/tfotherby/Contents/Home/Computing/Images/ADSL4Portthumnale.jpg</img>
</td>
<td>
"ADSL Modem Router with 4-Ports 10/100 Switch and Firewall with 1 Free Micro Filter" (£70 including packaging)
2x5m RJ45 network cable
</td>
</tr>
</table>
This little box is:
A ADSL modem - Enabling me to communicate with my broadband provider.
A router - Used to connect different networks together. It is a bridge between my small LAN home-network and my broadband providers WAN network that will give me access to the internet. My local LAN traffic will stay one side of the router whereas internet traffic will pass through the router.
A switch - Used to get IP packets from one machine in the network to another machine in the network. Packets are not broadcast across all cables connected to the switch and so a switch prevents flooding the whole ethernet, unlike a hub. You can think of a hub as a box which connects all the cables together. Any packet from any host is broadcast across all cables connected to the hub.
A few other things - The little box has an enormously complex interface (routerInterface.html) which reveals it is a DCHP server and many other things that I don't yet understand. e.g. it supports NAT, Virtual Servers, and Bridge Filtering.
Having a modem/router/switch in one is cheaper, helps to minimise clutter and seems to be a simple solution to getting more that one computer connected to the web.
To read about configuring the broadband internet connection see my configuration diary (utopiaJourney.html#modemconfig).
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Add a linux box to the network</th></tr>
<tr><td class="BORDEREDTABLE">
<h3>The webserver Hardware</h3>
<table>
<tr>
<td>
The webserver can be an old computer not much good at playing the latest games. I chose to make my 8 year old Pentium 1 a webserver. It only has a 166MHz processor but handles things fine.
My network is now 2 fast windows machines (good for network games), a Xbox (with Xbox live) and a linux box as a webserver.
</td>
<td>
http://members.lycos.co.uk/tfotherby/Contents/Home/Computing/Images/WebserverDiagram.png</img>
</td>
</tr>
</table>
<h3>Linux Install</h3>
Since the rest of the adventure is with software rather than hardware, linux is the free and hip way to go about it. Get a copy of Linux (whatever distro, but I got the newest and most standard: Redhat (http://www.redhat.com) version 8). You can download it and burn it onto CD, buy it from ebay or go to virgin megastore.
The installation procedure is important and you need to be carefull what packages you install. You want to install the packages related to servers, don't assume anything is installed by default. If you can see these, make sure their ticked to be installed:
Applications - Databases - Postgresql-perl
Development - languages - php
Development - Languages - php-pqsql
System Environment - Daemons - mode_php
System Environment - Daemons - wu_ftpd
<h3>Boot up the Linux Box</h3>
Log in as root. Oh my God, linux is slow, perhaps I should have installed an older version? No, the plan for this machine is to sit quietly in the corner; it doesn't have to have a responsive user interface as long as it can serve web pages fast. After the initial configuration we won't have to touch it, we can even take away its monitor to save space! Setting a low screen resolution and installing the minimum needed services is a good idea anyway.
Check:
The internet works - load a page in the browser
The network works - ping an existing computer and use that computer to ping the linux box.
You can access the router - go to 10.0.0.2 in a browser.
<h4>Understanding the Linux file organisation</h4>
There are two big differences between the way windows and linux organise files.
In Linux there is a single root to the directory tree; this is not the case in Windows, where one often has many drives (C:, A: etc.).
Windows has the concept of "Program directories" where all of a program's files start from one place. In Linux, programs put their documentation into '/usr/share/doc/program_name', man pages into '/usr/share/man/', info pages into '/usr/share/info'. That is, they are merged with the system hierarchy.
The linux directory convention:
/bin - This is where the system stores important executables, needed for the startup of the system.
/boot - The kernel is often placed here, together with some other boot files, this directory should be on the first 1024 cylinders of the disk, or the disk should be LBA translated, otherwise LILO can't boot the kernel.
/dev - This is a really interesting directory :). In there, every device on your computer (serial ports, hard disks etc..) has a file, a device file.
/etc - Global configuration files.
/home - Users' home directories; every user has a directory in this directory.
/lib - Shared libraries, important for the system startup. Shared libraries are used by many executables at the same time, saving memory and disk space.
/lost+found - If you run a fsck, and it finds some weirdness, the result goes here.
/mnt - This is a non-standard but common directory. It exists for temporary mounts (e.g. cdrom or floppy).
/proc - This is a really important directory. It exists only as a mount point on the hard disk; the rest is virtual information filled in by the kernel. Here you find information about all your processes, and other information such as which interrupts and memory addresses are in use. This makes the information easy to fetch: it's just files, like the rest of the UNIX system.
/root - This is the home directory of the root user.
/sbin - Executables root needs to use, that should be available at boot.
/tmp - Temporary files. Everybody can write here, but only the owner of the file may remove the file. Root may do it too, of course.
/usr - This directory has a lot of subdirs. /usr/bin has the same type of programs in it as /bin, but they aren't that essential for the system to work. One subdir of /usr is /usr/local, also having a bin and sbin and lib directory. In local you can place local extensions of the system, and if you upgrade your system the upgrade shouldn't do anything about local, so your changes will still be there.
/var - var stands for Variable. This directory holds files that could be a lot bigger in a short time, and get smaller really fast too. Typical examples are mail and news spools.
<h3>Start apache webserver </h3>
Using KDE, go to "Server Settings -> Services" and start httpd, which is the Apache webserver. You know it's working if you open a browser on the linux box and go to <a href="http://127.0.0.1" target="_blank">http://127.0.0.1</a>: you should get the Apache default page. If that works, try going to the server's IP address (in my case <a href="http://10.0.0.5" target="_blank">http://10.0.0.5</a>) from another computer in the network.
The webserver must have a static LAN IP. You can configure the network using the netconfig program (/usr/sbin/netconfig). Use the router IP as the gateway and name-server. Afterwards restart the network with /etc/rc.d/init.d/network restart. If you need more options in network configuration use the neat program.
Instead of using the apache default page, put your website content in the "/var/www/html" directory indexed by "index.html".
<h3>Get website accessible from the world wide web</h3>
Traffic coming to your router needs to be forwarded to the webserver. I had to do three things:
Change the HTTP server port on the router to 8080, meaning that if I want to configure the router I have to go to <a href="http://10.0.0.2:8080" target="_blank">http://10.0.0.2:8080</a>. Otherwise traffic would by default be directed to the router configuration page rather than the webserver.
Set up internet traffic connecting to the WAN side of the router to be forwarded to my webserver.
The 1st way I did this was using the DMZ option on my router with the host being my webserver (10.0.0.5). A DeMilitarized Zone means that incoming traffic is forwarded straight to the webserver, so traffic isn't confused about which internal IP to go to.
I later changed to using the "Virtual server" setting on my router to forward traffic on port 80 to 10.0.0.5. I had to use NAT for the machines on the LAN so they could still access the internet (see setting up my router (routerInterface.html)).
Save and restart the router.
After doing that, make a note of your current WAN IP address, go to work and type it in a browser, you should get your website.
Getting a domain name: You don't want to have to type in a IP address to get to your website:
Free solution: Get an account from www.cjb.net (http://www.cjb.net) and you'll get a domain name such as "www.tomfotherby.cjb.net". Then you can forward traffic to your real IP address such as "http://217.44.186.130".
Expensive solution: Buy a domain name such as "www.tomfotherby.com" from a registrar such as www.buydomains.com (http://www.buydomains.com) (see the full index of registrars at: http://www.internic.net). You'll then be able to URL or frame forward to your IP address.
<font color="red">Problems:</font>
Your ISP will change your IP address every few weeks and you'll need to update your domain name forwarding to the new WAN IP.
The browser looking at your website gets an ugly URL.
Google can’t index your site because the URL it sees is likely to be an old IP address that has since been re-assigned by your ISP.
Solution to problem 1: Write a program to check your WAN IP for changes and update your domain name forwarding if necessary.
/home/tf98/bin/checkWANIP.pl (checkWANIP.pl) gets the current WAN IP and compares it with the latest one in a history file (IPhistory.txt). If there is a mismatch it records the new IP in IPhistory.txt and updates the forwarding address for www.tomfotherby.com at my registrar (www.buydomains.com).
Write a script that will run this perl program.
<pre>
#!/bin/sh -
perl /home/tf98/bin/checkWANIP.pl
</pre>
and change the permissions of the script so it is executable: chmod a+x checkWANIP
Put the script in /etc/cron.hourly so the script is run automatically every hour as a cron job.
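The checkWANIP.pl program itself is not on the page, so here is an added example (not the author's Perl script) that re-creates the logic described above in Python: read the last address from a history file, compare it with the current WAN address, and record the new one when it differs. The function names, the history file layout (one "timestamp ip" line per change) and the second sample address are assumptions; the first sample address is the one quoted on the page. The registrar update is left to the caller, since the registrar's interface is not described here; the thing worth showing is that whatever a lookup service returns is untrusted input and is validated as a public IPv4 address before it is stored or acted on.

```python
"""Detect WAN IP changes against a history file (added example)."""
import ipaddress
import os
import stat
import tempfile
from datetime import datetime, timezone


def parse_wan_ip(text: str) -> str:
    """Validate text that is supposed to be our public IPv4 address.

    Raises ValueError for anything that is not a syntactically valid,
    globally routable IPv4 address, so junk from a lookup service never
    reaches the history file or a registrar update.
    """
    candidate = text.strip()
    addr = ipaddress.ip_address(candidate)   # ValueError on garbage
    if addr.version != 4 or not addr.is_global:
        raise ValueError(f"not a public IPv4 address: {candidate!r}")
    return str(addr)


def last_recorded_ip(history_path: str):
    """Return the most recently recorded IP, or None if there is no history yet."""
    if not os.path.exists(history_path):
        return None
    last = None
    with open(history_path, encoding="ascii") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                last = line.split()[-1]      # each line: "<timestamp> <ip>"
    return last


def record_ip(history_path: str, ip: str) -> None:
    """Append the new IP with a UTC timestamp and keep the file owner-only (0600)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(history_path, "a", encoding="ascii") as fh:
        fh.write(f"{ts} {ip}\n")
    os.chmod(history_path, stat.S_IRUSR | stat.S_IWUSR)


def wan_ip_changed(current: str, history_path: str) -> bool:
    """Compare the current WAN IP with the last recorded one.

    Returns True, after recording the address, when it differs from the
    history or there is no history yet; that is the point at which the
    caller would push the new address to the registrar.
    """
    ip = parse_wan_ip(current)
    if last_recorded_ip(history_path) == ip:
        return False
    record_ip(history_path, ip)
    return True


def demo() -> list:
    """Run the check three times against a fresh history file in a temp dir.

    Addresses are sample values: the first is the one quoted on the page,
    the second is a constructed neighbour used only to show a change.
    """
    with tempfile.TemporaryDirectory() as d:
        history = os.path.join(d, "IPhistory.txt")
        return [
            wan_ip_changed("217.44.186.130\n", history),   # no history yet -> True
            wan_ip_changed("217.44.186.130", history),     # unchanged      -> False
            wan_ip_changed("217.44.186.131", history),     # changed        -> True
        ]


if __name__ == "__main__":
    print(demo())   # [True, False, True]
```

Run it hourly from cron exactly as the shell wrapper above does; the history file should live somewhere only the cron user can write, because a planted address in it would suppress a real update.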
Solution to problems 2&3:
If your registrar has a "Domain Listing Service" then you should use it instead of IP or URL forwarding so that your domain name is used rather than your IP address.
The registrar with which the www.tomfotherby.com domain is registered will have added an entry into the whois (http://www.networksolutions.com/en_US/whois/index.jhtml) database containing my domain name, my owner information and a domain name server. They will have a couple of default name-servers, but if we forward traffic to an IP address a name-server isn't used. We could set up our own name-server and use it. For more information read the www.diywebserver.com (http://www.diywebserver.com) site.
I think it might be possible to use Apache's virtual hosts (http://httpd.apache.org/docs/vhosts/).
More on name-servers: When you type a URL into your browser, the browser's first step is to convert the domain name and host name into an IP address so that the browser can go request a Web page from the machine at that IP address. To do this conversion, the browser has a conversation with a name server.
When you set up your machine on the Internet, you (or the software that you installed to connect to your ISP) had to tell your machine what name server it should use for converting domain names to IP addresses. On some systems, the DNS is dynamically fed to the machine when you connect to the ISP, and on other machines it is hard-wired. If you are working on a Windows 95/98/ME machine, you can view your current name server with the command WINIPCFG or IPCONFIG, or on a UNIX machine, type nslookup, dig or host along with your machine name (which can be found using the hostname command).
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Configuring the webserver</th></tr>
<tr><td class="BORDEREDTABLE">
<h4>Making yourself at home</h4>
The Basics:
I used Linux for 4 years but found being an administrator required lots of new knowledge:
Permissions - You'll need to use the chmod command a lot to limit file access to only the correct users.
Users - The permissions system is calculated on a per-user basis. Users aren't just humans; each software process runs under a particular user name as well. For example the apache webserver uses "apache" as a user name so you'd better make sure it has access to your website files.
Groups - A fundamental need is the ability to maintain the web content under a normal user ID, without having to go around as root all the time. I created a group of users who will work on web content:
groupadd www - add a new group called www.
usermod -G www your-user-ID - add yourself to the group
chgrp -R www /var/www/html - assign the www group to the HTML directory tree.
chmod -R g+w /var/www/html - give the www group write permissions to the tree.
To check the amount of disk space available use the df -h command.
The shell you use is determined by the /etc/passwd file. You can see what shells are available from the /etc/shells file. I use the csh shell and have a ".cshrc" file in my home directory, which is a special shell script that is run whenever the shell is loaded (e.g. when you open a command prompt terminal). I added these commands to the ".cshrc" file:
<pre>
alias sp set prompt='[$cwd\]%'
alias cd 'chdir \!* ; sp'
alias sgrep 'find . -type f | xargs grep \!*'
set prompt="[$cwd\]%"
</pre>
They change the command prompt to display the current directory and give me a new find-in-files command which I commonly use.
<h3>Making your Linux box file system accessible on the network</h3>
You can do this fairly easily by running a Samba server on the linux box.
Step One
First edit your smb.conf file. Mine is at /etc/samba (do whereis samba). To understand the smb.conf file see the manual page (man smb.conf). This is a quick and dirty smb.conf file that worked for me:
<table border=1 align="center" bordercolor="blue"><td>
<pre>
[global]
; A special section that sets up global variables used in all other sections
; %m is the NetBIOS name of the client machine.
encrypt passwords = yes
guest account = smbguest
log file = /var/log/samba/%m.log
netbios name = LINUXBOX
security = share
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
workgroup = KIXNTOM
[linuxBox]
; Defines a file space share called "linuxBox", using the privileges of smbguest.
comment = linux box file system
browseable = yes
guest ok = yes
guest only = yes
read only = yes
path = /
# This one is useful for people to share files
[tmp]
comment = Temporary file space
browseable = yes
guest ok = yes
guest only = yes
read only = no
create mode = 0666
directory mode = 0777
path = /tmp
</pre>
</td></table>
The smb.conf file is split into sections, each introduced by a name in square brackets, e.g. [shareName]. There are three special section names ([global], [homes] and [printers]); any other section name denotes a particular shared view of the file system.
<table>
<tr><th>View from windows</th><th>smb.conf sections</th></tr>
<tr>
<td>
http://members.lycos.co.uk/tfotherby/Contents/Home/Computing/Images/My_Network_Places.png</img>
</td>
<td>
[Global] defines the global variables used throughout the smb.conf file. The netBIOS name is equivalent to the "computer name" in windows. Make sure the workgroup name is the same as what you used in the windows computers.
[linuxBox] is a particular share of the linux box's files. This share gives smbguest read-only access to the linux box's file system which allows me to browse it from a windows box on the network.
[tmp] is another share of the linux box's files. This time it allows write access to /tmp. I use it to transfer files from windows to linux.
</td>
</tr>
</table>
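To see what the sections above actually grant, here is an added example (not part of the page and not a Samba tool) that parses an smb.conf with Python's configparser and flags the settings a reviewer of this config would question: share-level security, a guest-readable share of the whole file system, and a writable guest share. The embedded config is a copy of the one above with the page's comments kept; the function names are assumptions.

```python
"""Audit smb.conf share definitions for over-broad access (added example)."""
import configparser

# Constructed copy of the page's smb.conf, used so the example runs stand-alone.
SAMPLE_SMB_CONF = """\
[global]
; A special section that sets up global variables used in all other sections
; %m is the NetBIOS name of the client machine.
encrypt passwords = yes
guest account = smbguest
log file = /var/log/samba/%m.log
netbios name = LINUXBOX
security = share
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
workgroup = KIXNTOM
[linuxBox]
comment = linux box file system
browseable = yes
guest ok = yes
guest only = yes
read only = yes
path = /
# This one is useful for people to share files
[tmp]
comment = Temporary file space
browseable = yes
guest ok = yes
guest only = yes
read only = no
create mode = 0666
directory mode = 0777
path = /tmp
"""


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text. interpolation=None keeps '%m' literal; ';' and '#'
    full-line comments are skipped by configparser's defaults."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)
    return cp


def _get(section, key: str, default: str = "") -> str:
    value = section.get(key, default)
    return (value if value is not None else default).strip().lower()


def _yes(value: str) -> bool:
    return value in ("yes", "true", "1")


def audit_smb_conf(text: str) -> list:
    """Return (section, finding) pairs for settings that widen access."""
    cp = load_smb_conf(text)
    findings = []
    for name in cp.sections():
        section = cp[name]
        if name.lower() == "global":
            if _get(section, "security", "user") == "share":
                findings.append((name, "security = share: per-share passwords, no per-user accountability"))
            continue
        path = _get(section, "path")
        guest = _yes(_get(section, "guest ok")) or _yes(_get(section, "public"))
        # Samba's default is read only = yes; writable/writeable are its inverse synonyms.
        writable = (not _yes(_get(section, "read only", "yes"))
                    or _yes(_get(section, "writable")) or _yes(_get(section, "writeable")))
        if guest and path == "/":
            findings.append((name, "guest-readable share of /: /etc, /home and logs are readable by anyone on the LAN"))
        if guest and writable:
            findings.append((name, f"writable guest share of {path}: anyone on the LAN can place files there"))
    return findings


def audit_sample() -> list:
    return audit_smb_conf(SAMPLE_SMB_CONF)


if __name__ == "__main__":
    for section, finding in audit_sample():
        print(f"[{section}] {finding}")
```

Running it against the page's config produces one finding per section: the share-level security model, the read-only guest view of the whole file system, and the writable guest /tmp share. The last two are exactly what the author wanted for browsing and file transfer, so the audit is a statement of exposure to everyone on the LAN rather than a bug report; restricting `path` to the directories that actually need sharing is the usual tightening.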
Step Two
When you view files on the linux box on the network from another machine you use the guest account, smbguest. This account needs to be set up on the linux box:
<pre>
mkdir -p /usr/local/samba/private
touch /usr/local/samba/private/smbpasswd
touch /usr/local/samba/private/secrets.tdb
groupadd smbguest
useradd -d /home/smbguest -g smbguest -s /bin/false -m smbguest
mkdir -p /home/smbguest
chmod 0700 /home/smbguest
smbpasswd -a smbguest
testparm</pre>
Step Three
Start the samba server by going to the services user interface and starting smbd and nmbd daemons.
Testing
That should be it, go to network neighbourhood in windows and see if you can see the linux box's files.
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Secure the network with a firewall</th></tr>
<tr><td class="BORDEREDTABLE">
"IPtables" is the name of the linux firewall system but it looks complicated! There is a simple way though: under System Settings -> Security Level I set the security level to high, which allows DHCP and DNS and blocks all other connections unless explicitly defined. I then ticked Customise, allowed WWW (HTTP) connections, and in other ports I put "137:udp,138:udp,139:tcp,80:tcp" to allow samba connections (137, 138 and 139 are the NetBIOS Name Service, NetBIOS Datagram Service and NetBIOS Session Service respectively; 80 is HTTP).
<table><tr>
<td>
http://members.lycos.co.uk/tfotherby/Contents/Home/Computing/Images/security_setup.png</img>
</td>
<td>
I think my network is secure because any traffic coming from the internet gets forwarded by my router to the DMZ which contains the firewall and should drop uncatered-for packets.
However, in reality the network is totally insecure because there are many things that I still don't really understand. I don't really understand samba or iptables or my de-militarized zone. The firewall is supposed to sit in between the LAN and internet, but this seems a waste of a machine. Are my windows machines open to attack?
oh well, I make regular backups!
</td></tr></table>
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Setting up a private directory</th></tr>
<tr><td class="BORDEREDTABLE">
I was interested in setting up a restricted directory:
Create a new directory in the website: mkdir safedir
Create a new password file somewhere not accessible by the web using a special command:
<pre>
# htpasswd -c /usr/local/apache/passwd/passwords bob
New password: mypassword
Re-type new password: mypassword
Adding password for user bob
</pre>
The -c flag creates the .htpasswd file and should only be used the first time; to add other users, leave out the -c flag.
Create a file in the directory-to-be-restricted called .htaccess
<pre>
AuthName "Enter Password"
AuthType Basic
AuthUserFile /usr/local/apache/passwd/passwords/.htpasswd
require valid-user
</pre>
Set permissions:
chmod 711 safedir
chmod 711 /usr/local/apache/passwd/passwords
chmod 644 .htpasswd
chmod 644 .htaccess
That was supposed to be it but no pop-up box appeared, something was wrong.
<font color="red">Solution:</font> I had to play around with Apache's configuration file. I only got it working after I added this to /etc/httpd/conf/httpd.conf:
<pre>
<Directory "/var/www/html/safedir">
AllowOverride AuthConfig
</Directory>
</pre>
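What the pop-up box and the password file amount to, as an added example in Python (not Apache's code): it writes an htpasswd entry in the "{SHA}" format that the htpasswd tool produces with its -s option, decodes the Authorization header the browser sends back after the pop-up box, and checks the credentials the way "require valid-user" does. The user "bob" and password "mypassword" are the page's own sample values; the function names are assumptions. The point worth seeing is that Basic authentication only base64-encodes the username and password, so the pop-up box is only as private as the connection carrying it.

```python
"""HTTP Basic auth against an htpasswd file with {SHA} entries (added example)."""
import base64
import hashlib
import hmac


def sha_htpasswd_entry(user: str, password: str) -> str:
    """Return 'user:{SHA}base64(sha1(password))', the line htpasswd -s writes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_basic_auth(header_value: str) -> tuple:
    """Decode 'Basic <base64 of user:password>' into (user, password).

    Nothing here is encrypted: anyone who can read the request can read the
    password, which is why Basic auth belongs on a TLS connection.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credentials must be user:password")
    return user, password


def check_credentials(htpasswd_text: str, user: str, password: str) -> bool:
    """True if user has a {SHA} entry in htpasswd_text and the password matches.

    crypt() and $apr1$ entries are not understood and are skipped. The
    comparison is constant-time, and an unknown user takes the same path as
    a wrong password instead of returning early.
    """
    expected = ""
    for line in htpasswd_text.splitlines():
        name, sep, hashed = line.partition(":")
        if sep and name == user and hashed.startswith("{SHA}"):
            expected = hashed[len("{SHA}"):]
            break
    presented = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(expected, presented)


def authorise(htpasswd_text: str, header_value: str) -> bool:
    """Both steps together: decode the header, then check it against the file."""
    try:
        user, password = parse_basic_auth(header_value)
    except ValueError:
        return False
    return check_credentials(htpasswd_text, user, password)


# Constructed password file holding the page's sample user and password.
PASSWD_FILE = sha_htpasswd_entry("bob", "mypassword") + "\n"


def demo() -> tuple:
    """Simulate a correct login and a wrong password."""
    good = base64.b64encode(b"bob:mypassword").decode("ascii")
    bad = base64.b64encode(b"bob:wrongpassword").decode("ascii")
    return authorise(PASSWD_FILE, f"Basic {good}"), authorise(PASSWD_FILE, f"Basic {bad}")


if __name__ == "__main__":
    print(PASSWD_FILE, end="")
    print(demo())   # (True, False)
```

Keeping the password file outside the document root, as the text above does, matters for the same reason: Apache would otherwise serve the hashes to anyone who asked for the file.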
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Writing my first CGI script</th></tr>
<tr><td class="BORDEREDTABLE">
In the apache configuration file (/etc/httpd/conf/httpd.conf) there is a variable called "ScriptAlias" which gives a directory such as /var/www/cgi-bin where perl code can be run by the webserver. I put the following code in a file called "something.cgi" in the ScriptAlias directory.
<pre>
#!/usr/bin/perl
print "Content-type: text/html\n\n";
while (($key, $val) = each %ENV) {
print $key." = ".$val."<br>\n";
}
</pre>
It didn't work to start with (I got a "Premature end of script headers" error) for three reasons:
The "Content-type: text/html\n\n" line must have the "\n\n" at the end.
File permissions: chmod 755 something.cgi.
The first line of the script must be where perl is (e.g. #!/usr/bin/perl, obtained from whereis perl).
So now I have the tools to write CGI scripts. Here's an example of one which gets the value of my shares: getShareValue.cgi (/myScripts/getShareValue.cgi). One more thing though. How do I install other perl modules?
<h4>Install via CPAN module</h4>
The CPAN module is a module that usually comes bundled with perl and provides an interface with CPAN itself
(Comprehensive Perl Archive Network (http://cpan.org))
Using the CPAN module you can download, make, and install the modules with one command. To start the CPAN shell, become root or superuser on your server and type the following from the command line: perl -MCPAN -e'shell'. Some configuration needs to be done before you can start using it.
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Increase the power of the webserver</th></tr>
<tr><td class="BORDEREDTABLE">
I'm going to try to use PHP to let the webserver access a Postgres Database.
Install PHP as part of the Linux install process or otherwise.
See where PHP is installed: whereis php
Check PHP works by creating a file called info.php somewhere in the webservers file structure that contains
<pre>
<?php
phpinfo();
?>
</pre>
Use a browser to view info.php. You should get information about apache and php.
Install Postgres as part of the Linux install process or otherwise.
See where Postgres is installed: whereis postgres
Start Postgres running using the Services GUI application to start the postgreSQL backend daemon.
Set yourself and the webserver up to access PostgreSQL:
Find out what user name the webserver runs as: ps -aux | grep http
Become root: su -
Become the postgres user: su postgres
Create tf98 as a user: createuser tf98 - allow create db's and add new users
Create apache as a user: createuser apache - allow create dbs but not add new users.
Exit back to yourself: exit,exit
Create a database called friends: createdb friends
Check the new database exists: psql -l
Create a file called input containing:
<pre>
CREATE TABLE friends (id serial, firstname char(10), surname char (10));
INSERT INTO friends values (nextval ('friends_id_seq'), 'Test', 'User');
INSERT INTO friends values (nextval ('friends_id_seq'), 'Your', 'Name');
</pre>
Run the input file to populate the database: psql -d friends -f input
Create a file called test.php somewhere in the webservers file structure that contains:
<pre>
<html>
<body>
<?php
$db = pg_connect("dbname=friends");
$query = "SELECT * FROM friends";
$result = pg_exec($db, $query);
if (!$result) {printf ("ERROR"); exit;}
$row = pg_fetch_row ($result,0);
printf ("ID : %s<br>\n", $row[0]);
printf ("First Name: %s<br>\n", $row[1]);
printf ("Surname : %s<br>\n", $row[2]);
pg_close();
?>
</body>
</html>
</pre>
Grant the webserver access to the friend Database:
Open the command line interface to postgreSQL: psql friends
Grant access to apache: GRANT all ON friends TO apache;
Quit out: \q
Browse to the file and check that the webserver can use PHP to access a postgreSQL database!
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Webalizer</th></tr>
<tr><td class="BORDEREDTABLE">
Webalizer (http://www.mrunix.net/webalizer/) is a program that analyses webserver logs and produces statistics in a usage (../../../usage) directory. My apache logfile is kept at "/var/log/httpd/access_log" and is in the "CLF" (Combined Log Format) standard. My system seems to do some log rotation that periodically produces access_log.1, access_log.2 etc.
<table><tr><td>
The webalizer program generates a current statistics file ("index.html") that indexes a HTML file for each month. The webalizer program has a configuration file kept at "/etc/webalizer.conf".
</td><td>
http://members.lycos.co.uk/tfotherby/Contents/Home/Computing/Images/website-hits.gif</img>
</td></tr></table>
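A small version of what Webalizer does with access_log, as an added example in Python (not Webalizer's code and not from the page): it parses lines in Apache's common format and the longer combined format that adds referer and user-agent, then counts hits, bytes, status codes and the most requested paths. It also tallies 401 responses per client, which is the first thing to look at once a password-protected directory like safedir exists. The log lines are constructed for the example and the function names are assumptions.

```python
"""Summarise an Apache access_log (added example)."""
import re
from collections import Counter

# Common log format, optionally followed by the two quoted fields of the
# combined format. Quoted fields cannot contain a double quote, which is
# what Apache guarantees by escaping them.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample: one LAN visitor, one outside visitor probing safedir.
SAMPLE_LOG = """\
10.0.0.3 - - [09/May/2005:20:25:01 +0100] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.44 - - [09/May/2005:20:25:07 +0100] "GET /safedir/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
192.0.2.44 - bob [09/May/2005:20:25:12 +0100] "GET /safedir/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [09/May/2005:20:25:30 +0100] "GET /index.html HTTP/1.0" 304 -
this line is not a log record
"""


def parse_line(line: str):
    """Return a dict of fields, or None if the line is not a CLF/combined record."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # '-' means no body sent
    return rec


def summarise(lines) -> dict:
    """Aggregate hits, bytes, status codes, paths and per-client 401s."""
    stats = {
        "hits": 0, "bytes": 0, "unparsed": 0,
        "status": Counter(), "paths": Counter(), "hosts": Counter(),
        "auth_failures": Counter(),   # host -> number of 401 responses
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1     # malformed lines are counted, not silently dropped
            continue
        stats["hits"] += 1
        stats["bytes"] += rec["bytes"]
        stats["status"][rec["status"]] += 1
        stats["paths"][rec["path"]] += 1
        stats["hosts"][rec["host"]] += 1
        if rec["status"] == 401:
            stats["auth_failures"][rec["host"]] += 1
    return stats


def summarise_sample() -> dict:
    return summarise(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    s = summarise_sample()
    print(f"hits={s['hits']} bytes={s['bytes']} unparsed={s['unparsed']}")
    print("status:", dict(s["status"]))
    print("top paths:", s["paths"].most_common(3))
    print("401s per host:", dict(s["auth_failures"]))
```

Run it over /var/log/httpd/access_log and the rotated access_log.1, access_log.2 files in turn; a host with a long run of 401s against safedir is a password-guessing attempt and worth a firewall rule.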
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Future Plans</th></tr>
<tr><td class="BORDEREDTABLE">
The following are future plans...
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Reduce the noise of the webserver</th></tr>
<tr><td class="BORDEREDTABLE">
Noise is a problem because the webserver is always on and might disturb the peace. Tackling the problem:
The CD rom drive - Take any CD out, problem solved (wish everything was that easy).
The CPU fan - OK this is an old machine worth about 5, I took the CPU fan off and everything was fine.
The Power Supply unit - This isn't too noisy, I can cope with it.
The hard disk - big problem, I want to buy a specially quiet hard disk such as the "seagate barracuda V", 60GB for $86 isn't bad.
A good place to start is www.quietpc.com (http://www.quietpc.com)
</td></tr></table>
<table class="BORDEREDTABLE">
<tr><th class="BORDEREDTABLE">Set up a mail server</th></tr>
<tr><td class="BORDEREDTABLE">