2.5. Setting Up a Win32 Server
There is no point trying to run Apache
unless TCP/IP is set up and running on your
machine. In our experience, if it isn't, Apache will crash
Windows 95. A quick test is to ping some
IP -- and if you can't think of a real one, ping
yourself:
>ping 127.0.0.1
If TCP/IP is working, you should see a confirming message like:
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<10ms TTL=32
....
If you don't see something along these lines, defer further
operations until TCP/IP is working.
It is important to remember that internally, Windows Apache is
essentially the same as the Unix version and that it uses Unix-style
forward slashes ("/") rather than MS-DOS- and
Windows-style backslashes ("\") in its file and directory
names as specified in various files.
There are several ways of running Apache under Win32. Under NT, you can run
it as a service, operating in the background. First you have to
install it as a service by running the "Install Apache as a
Service" option from the Start menu. Alternatively, click on
the MS-DOS prompt to get a DOS session window. Go to the
/Program Files/Apache directory (or wherever else you
installed Apache) with:
>cd "\Program Files\apache"
Apache can be installed as an NT service with:
>apache -i
and uninstalled with:
>apache -u
Once this is done, you can open the Services window in the Control
Panel, select Apache, and click on Start. Apache then runs in the
background until you click on Stop. Alternatively, you can open a
console window and type:
>net start apache
>net stop apache
To run Apache from a console window, select the Apache server option
from the Start menu.
Alternatively -- and under Win95, this is all you can
do -- click on the MS-DOS prompt to get a DOS session window. Go
to the /Program Files/Apache directory with:
>cd "\Program Files\apache"
The Apache executable, apache.exe,
is sitting here, and we can start it running, to see what
happens, with:
>apache -s
You might want to automate your Apache startup by putting the
necessary line into a file called go.bat. You
then only need to type:
go[RETURN]
Since this is the same as for the Unix version, we will simply say
"type go" throughout the book when
Apache is to be started, and thus save lengthy explanations.
When we ran Apache, we received the following lines:
Apache/<version number>
Syntax error on line 44 of /apache/conf/httpd.conf
ServerRoot must be a valid directory
To deal with the first complaint, we looked at the file
\Program Files\apache\conf\httpd.conf. This
turned out to be a formidable document that, in effect, compresses
all the information we try to convey in the rest of this book into a
few pages. We could edit it down to something more lucid, but a
sounder and more educational approach is to start from nothing and
see what Apache asks for. The trouble with simply editing the
configuration files as they are distributed is that the process
obscures a lot of default settings. If and when someone new has to
wrestle with it, he or she may make fearful blunders because it
isn't clear what has been changed from the defaults. Rename
this file if you want to look at it:
>ren httpd.conf *.cnk
Otherwise, delete it, and delete srm.conf and
access.conf:
>del srm.conf
>del access.conf
When you run Apache now, you see:
Apache/<version number>
fopen: No such file or directory
httpd: could not open document config file apache/conf/httpd.conf
And we can hardly blame it. Open edit:[23]
[23] Paradoxically, you have to use
what looks like an MS-DOS line editor, edit,
which you might think limited to the old MS-DOS 8.3 filename format,
to generate a file with the four-letter extension
.conf. The Windows editors, such as
Notepad and WordPad, insist
on adding .txt at the end of the
filename.
>edit httpd.conf
and insert the line:
# new config file
The "#" makes this a comment without
effect, but it gives the editor something to save. Run Apache again.
We now see something sensible:
...
httpd: cannot determine local host name
use ServerName to set it manually
What Apache means is that you should put a line in the
httpd.conf file:
ServerName your_host_name
Now when you run Apache you see:
>apache -s
Apache/<version number>
_
The "_" here is meant to represent a blinking cursor,
showing that Apache is happily running. Unlike other programs in an
MS-DOS window, Apache keeps on going even after the screen saver has
kicked in.
You will notice that throughout this book, the Config files always
have the following lines:
...
User webuser
Group webgroup
...
These are necessary for Unix security and, happily, are ignored by
the Win32 version of Apache, so we have avoided tedious explanations
by leaving them in throughout. Win32 users can include them or not as
they please.
You can now get out of the MS-DOS window and go back to the desktop,
fire up your favorite browser, and access http://yourmachinename/. You should see a
cheerful screen entitled "It Worked!," which is actually
\apache\htdocs\index.html.
When you have had enough, hit CTRL-C in the Apache window.
Alternatively, under Win95 and from Apache Version 1.3.3 on, you can
open another DOS session window and type:
apache -k shutdown
This does a graceful shutdown, in which Apache allows any
transactions currently in process to continue to completion before it
exits. In addition, using:
apache -k restart
performs a graceful restart, in which Apache rereads the
configuration files while allowing transactions in progress to
complete.
2.5.1. Security Under Win32
Although NT has an
extensive and complex security infrastructure, it is poorly
documented and understood. Consequently, there is currently little
code in the Windows version of Apache to interface with it. Besides,
NT seems to suffer from a variety of more mundane problems: the
README file that comes with Apache v1.3.1 says,
in part:
Versions of Apache on Win32 prior to version 1.3.1 are vulnerable to a number of security holes common to several Win32 servers. The problems that impact Apache include:
trailing "."s are ignored by the file system. This allowed certain types of access restrictions to be bypassed.
directory names of three or more dots (e.g. "...") are considered to be valid similar to "...". This allowed people to gain access to files outside of the configured document trees.
There have been at least four other similar instances of the same basic problem: on Win32, there is more than one name for a file. Some of these names are poorly documented or undocumented, and even Microsoft's own IIS has been vulnerable to many of these problems. This behavior of the Win32 file system and API makes it very difficult to ensure future security; problems of this type have been known about for years, however each specific instance has been discovered individually. It is unknown if there are other, yet unpublicized, filename variants. As a result, we recommend that you use extreme caution when dealing with access restrictions on all Win32 servers.
In plain English, this means, once again, that Win32 is not an
adequate platform for running a web server that has any need for
security.
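The two filename variants named in the README can be screened for before any access restriction is matched. The following C function is an added illustration, not code from Apache or from the README; the names check_request_path, check_segment, and path_verdict are hypothetical, and it covers only the two variants quoted above, not the other instances the README alludes to.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts for the hypothetical check below (names are illustrative). */
enum path_verdict {
    PATH_OK = 0,
    PATH_TRAILING_DOT,  /* segment such as "secret.htm."       */
    PATH_MULTI_DOT      /* segment of three or more dots: "..." */
};

/* Classify one segment of length len (no separators inside it). */
static enum path_verdict check_segment(const char *seg, size_t len)
{
    size_t dots = 0;
    while (dots < len && seg[dots] == '.')
        dots++;
    if (len == 0)
        return PATH_OK;                 /* empty segment, as in "a//b" */
    if (dots == len)                    /* "." and ".." are left to the */
        return len >= 3 ? PATH_MULTI_DOT : PATH_OK; /* usual handling  */
    return seg[len - 1] == '.' ? PATH_TRAILING_DOT : PATH_OK;
}

/* Walk an already URL-decoded path, splitting on both "/" and "\". */
enum path_verdict check_request_path(const char *path)
{
    const char *seg = path;
    for (;;) {
        size_t len = strcspn(seg, "/\\");
        enum path_verdict v = check_segment(seg, len);
        if (v != PATH_OK)
            return v;
        if (seg[len] == '\0')
            return PATH_OK;
        seg += len + 1;
    }
}

int main(void)
{
    /* Constructed sample paths, not taken from any real server. */
    const char *samples[] = { "/docs/index.html", "/private/secret.htm.",
                              "/docs/.../file" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i], check_request_path(samples[i]));
    return 0;
}
```

A server would refuse any request for which the verdict is not PATH_OK, since the file system would otherwise resolve that name to a file the access rules were written for under a different spelling.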
Copyright © 2001 O'Reilly & Associates. All rights reserved.