Configuring a Minimal Web Server
With the rising demand for web servers, system administrators are hard pressed to make room for them on their computers. Because few organizations have the resources they would like, administrators are forced with trying to install robust, yet inexpensive and small servers. At Urbana Design Center of Motorola, we currently use four different Web servers, each for a different purpose. This article outlines how to install and run a minimalist Web server - whether the limitation is funds, hard drive space, or RAM - while keeping security in mind.
Choosing the Server that Matches Your Needs
Although several commercial Web server products are now available, two of the best free Web servers currently are the National Center for Supercomputing Applications' NCSA HTTPd and the Apache Group's HTTPd. NCSA's HTTPd was developed first and became the starting point for the Apache Group's server development. Currently, to improve the speed of the NCSA server, NCSA is using pieces of the new Apache code. Although both are excellent Web servers, there are differences.
The first consideration is licensing. If you are running a Web server for purely internal, educational, or personal uses, NCSA is free. If, on the other hand, you are running a server for external commercial uses, note that the Apache is free no matter what you use it for. In any case, you should read the LICENSE file that comes with each.
Because Apache's configuration used to be downwardly compatible with the NCSA server, most configuration issues are identical. Apache is smaller by a hair, and is almost as fast as the NCSA server. Apache also offers highly configurable logs and many plug-in expansion modules. For setting up a minimal server, these issues are unimportant, but if you ever decide to expand your server, you should keep them in mind.
Downloading the Server
The easiest place to find either the NCSA or Apache server is at ftp://ftp.ncsa.uiuc.edu. The NCSA server can be found in the /Web/httpd/Unix/ncsa_httpd/current directory, and Apache can be found in the /Web/httpd/Unix/apache_httpd/ directory. For the latest server from the Apache Group, use ftp://ftp.apache.org. It is located in the /apache/dist/ directory.
When you download Apache, grab apache_1.0.0.tar.Z for the source code and apache_1.0_psdocs.tar.Z for the PostScript configuration documentation. I strongly recommend printing out the documentation, because it can answer specific questions beyond the scope of this article.
The NCSA server is available in precompiled form for several UNIX platforms, but I would discourage downloading these. Instead, download httpd_1.5.1-export_source.tar.Z, so you can configure and compile the server yourself. The PostScript documentation can be found in /Web/httpd/Unix/ncsa_httpd/documents/. HTTPd.ps.Z is the configuration documentation, and HTTPd.ref.ps.Z contains a collection of reference materials for the NCSA server, including the FAQ and revision histories.
The standard location for the http server is /usr/local/etc/httpd. If you wish to put it somewhere else, you will need to modify the default configuration files. Uncompress and untar the file in /usr/local/etc, and it will make a directory for itself. After you rename this directory to httpd, you will be ready to start compiling your Web server.
Compiling the NCSA Server
Before starting compilation, you need to know which Unix platform you are running. Run uname -a to find out. Then go into the src/ directory. If you plan to change the location of your Web server, you should edit config.h and change the following line to indicate where you will keep your server:
#define HTTPD_ROOT "/usr/local/etc/httpd"
Once you have made these changes, just run make [your os here]. For example, if you are compiling under SunOS, run make sunos in the src/ directory. If that fails, just run make alone in /usr/local/etc/httpd/ and find your OS in the list. Then, try the make again with the correct OS in src/. Either of these methods should result in the httpd executable. Move httpd from the src/ directory into /usr/local/etc/httpd/, and run make clean to clear out unneeded object files.
Compiling the Apache Server
As above, make sure you know what OS you are running; then, go into the src/ directory, and edit the Configuration file. Find the line that says:
# AUX_CFLAGS are system-specific control flags
and look for your OS type. Uncomment each line under your system type, and save the file. For example, if you run System V R4, the relevant part of the file should look like this:
# For SVR4 AUX_CFLAGS= -DSVR4 AUX_LIBS= -lsocket -lnsl -lc # For Amdahl UTS 2.1
Be sure to uncomment all the lines related to your operating system - some have only have one configuration line, others have two. You must also comment out the default operating system if you are not running SunOS. There will be a line referring to SunOS that needs to be changed to:
# AUX_CFLAGS= -DSUNOS4
Also, near the bottom of the Configuration file, you will find some module options. If you want Apache to write the same log files that NCSA does, comment in the following lines:
Module agent_log_module mod_log_agent.o Module referer_log_module mod_log_referer.o
Apache will then write the agent_log and referer_log files just as the NCSA server would.
With the above changes completed, run ./Configure and then make. As with the NCSA compilation, run a make clean after you move httpd out of the src/ directory.
Changing the Default Configuration
First, in /usr/local/etc/httpd, make sure the directories logs/ and htdocs/ exist. You may have to create them.
You will see several files in the conf/ directory, and you should copy each to a new file without the -dist ending. The file mime.types will not need to be changed. With the NCSA server, you may also ignore localhost_srm.conf-dist.
Each section in access.conf contains a set of Directory tags. For security purposes, comment out the line referring to cgi-bin:
#<Directory /usr/local/etc/httpd/cgi-bin> #Options Indexes FollowSymLinks #</Directory>
If you have changed your server base, be sure that change is reflected in this line:
If you want other directories to be visible from the outside world, be sure to add a complete "Directory" section for each in access.conf. For example, if you want all the directories under /home to be visible (e.g., for your users' web pages), add the following at the end of the access.conf:
<Directory /home> Options Indexes </Directory>
Be sure to keep "FollowSymLinks" and "ExecCGI" out of every "Options" line for better security. If you must turn them on, be sure you know which symlinks or CGIs are going to be used.
To make directories available to the outside world, you'll need to alias them in srm.conf. User home directories already have an alias, which is the ~username convention.
If you're not root, you'll need to change the "Port" line in httpd.conf, to something above 1024. If you don't use 80, 8000 is recommended:
Reflect who is responsible for the server, for example:
If you've changed your server root, be sure to reflect that here also:
The default "Timeout" value is generally too small. Some large files being sent over a 28.8 modem will take a long time to download, so raise the default to something reasonable. As an example, the following will make the server wait for an hour for a download to complete:
One of the last items of note is how many servers are allowed to be running at the same time. NCSA calls this "MaxServers" and Apache calls it "MaxClients." If you want to limit the strain on your computer, turn this down. NCSA and Apache come with different defaults, so it's really your best estimate. Twenty seems reasonable.
# NCSA MaxServers 20 # Apache MaxClients 150
NCSA's httpd.conf also has a default "VirtualHost" entry that is not needed for a minimal server. It is easiest to completely comment out these lines:
#<VirtualHost 127.0.0.1 Optional> #DocumentRoot /local #ServerName localhost.ncsa.uiuc.edu #ResourceConfig conf/localhost_srm.conf #</VirtualHost>
be sure to update your server root in the srm.conf file if you changed it:
Any aliases you might want for directories, outside the document root and the user home directories, would go in an "Alias" line. The alias has two parts: the name that would be in the URL, and the directory to which it corresponds on the computer. For example:
Alias /icons/ \ /usr/local/etc/httpd/icons/ Alias /FAQ/ /usr/doc/faq/
For security purposes, turn off the CGI alias for cgi-bin:
#ScriptAlias /cgi-bin/ \ /usr/local/etc/httpd/cgi-bin/
If you want to use imagemaps or CGIs, comment in the respective lines:
#AddType text/x-imagemap .map #AddType application/x-httpd-cgi .cgi
Starting the HTTPd
Now that the server is ready to run, you probably want to actually start using it. Listing 1 shows a handy script for running a Web server. http start will initially run the HTTPd process; http restart will cause the HTTPd to re-read its configuration files if you make changes while it's running. http stop will stop the server.
To get your Web server to start up every time you boot your system, you'll need to add this script to your system initialization scripts. These scripts change from OS to OS. The file /etc/rc.d/rc.inet2 would be a good place for it under Linux. Of course, before using Listing 1, be sure to change the following line to reflect the directory in which you placed your server:
Notes on an Absolutely Minimal Installation
I have ignored the support/ directory that provides extra tools for dealing with a variety of other HTTP issues. If you are just using the server for basic operation, you won't have to build these tools. If you're really pressed for disk space, you can remove the support/, cgi-src/, and cgi-bin/ directories. The two CGI directories are just examples of some CGI tools that can be used with the Web server and are not necessary for basic operation. If you never intend to build the Web server again, you could even remove src/.
The files in logs/ can fill up quickly, so you may want to either keep an eye on how fast they grow, or disable them completely. To disable them, find all the references to "TransferLog," "ErrorLog," "AgentLog," and "RefererLog" in httpd.conf and set them to /dev/null:
You are now ready to start serving HTML documents. More information about other configuration options can be found on the Web. The NCSA server's information pages are available at http://hoohoo.ncsa.uiuc.edu/, and the Apache Group's site is at: http://www.apache.org/.
About the Author
Kees Cook has been programming computers since he was 6 years old when he first learned BASIC on a Sinclair ZX-80. As a Junior in the Computer Science department at the University of Illinois in Urbana/Champaign, he is working as a System Administrator for the Urbana Design Center of the Motorola Computer Group. He can be reached at firstname.lastname@example.org or email@example.com.