Fedora, like most Linux and Unix systems, makes no distinction between server and client systems. In fact, many Fedora systems participate in both roles, both serving and consuming information.
It should come as no surprise, then, that Fedora Core ships with a full complement of software for serving everything from web pages and email to files and printer connections. These server packages are based on open standards and interoperate with other platforms, so you can use a Fedora system to serve Windows, Mac, Linux, or Unix clients.
Most Fedora servers are extensively configurable. Configuration information is stored in text files, but the format of the text files varies, and the information in those files goes by different names (directives, statements, parameters, or options) depending on the program. Red Hat has developed convenient graphical configuration tools for most of the server configuration files.
Services are programs that constantly run in the background. Services can start automatically when the system starts, but not all services are configured this way by default (see Lab 4.6, "Managing and Configuring Services").
It also might be necessary to adjust your firewall or SELinux configuration to use the services discussed in this chapter (see Chapter 8 for more information).
Fedora can be configured to use Samba to serve files and printers to a wide range of Windows systems using Microsoft-compatible protocols.
Samba can be configured to work with a wide range of Windows versions and to serve resources in many different ways. This lab is focused on sharing files and printers with Windows XP systems in a small workgroup, which is a common scenario in home and small-business networks.
To configure Samba, select the menu option System→Administration→Server Settings→Samba, which will open the window shown in Figure 7-1.
Figure 7-1. Samba configuration window
Click Preferences→Server Settings to open the small window shown at bottom right in Figure 7-1. Enter your local Windows workgroup name into the Workgroup field and click OK. The Samba server will be started automatically.
See Lab 4.7, "Managing Users and Groups," to create Fedora accounts for your users before enabling Samba access.
Next, select Preferences→Samba Users to bring up the user configuration dialog box shown in Figure 7-2. Click Add User, select an existing Linux user, enter a Windows username (which may be the same as the Linux username), and enter the Samba password of your choice twice. Click OK when you're done.
Figure 7-2. Samba user configuration
If you are using a firewall or have SELinux enforcing turned on, you will need to adjust your security settings to permit remote systems to access the Samba server (see Lab 8.2, "Using SELinux").
Your system will now be visible to local Windows computers; for example, on an XP system, click My Network Places and then "View workgroup computers," and your Fedora system will appear as an icon with the hostname that you have assigned to it, as shown in Figure 7-3. Click on the computer icon to see the folders being shared by the Fedora system (after you enter your Samba user ID and password to authenticate).
Figure 7-3. Windows XP workgroup display showing Samba shares from a Fedora system
The folder labeled homes contains the home directory of the authenticated Samba user, and the Printers and Faxes folder will contain all of the printers configured on the Fedora system.
Although the Samba configuration tool starts the Samba system, you'll need to enable the Samba service if you want Samba to start every time you boot your system; see Lab 4.6, "Managing and Configuring Services."
To share an additional directory, start the Samba configuration tool (System→Administration→Server Settings→Samba) and click the Add button. The window shown in Figure 7-4 will appear.
Figure 7-4. Adding a Samba share
Under the Basic tab, enter the directory name, the name visible to the Windows systems (i.e., the share name), and a description of what is in the shared directory. Use the checkboxes to configure whether the directory is writable by Windows users, and whether it is visible when the Windows users are browsing using a tool such as Windows Explorer.
Under the Access tab, you can choose to make the directory available to all users, or you can go through the list of Samba users and select the specific ones you want to grant access to it. Click OK when you are done.
In order for a remote user to access a shared directory through Samba, that directory must have the appropriate permissions and SELinux context.
Fedora's default Samba configuration will make all printers available to Windows users. To use a shared Samba printer in Windows XP, follow these instructions.
Although you can access Fedora printers through Samba printer sharing, it's often faster and easier to access those printers directly through CUPS printer sharing, regardless of the operating system in use.
1. Go to Printers and Faxes and then click "Add a Printer." The Add Printer Wizard will appear. Click Next to get past the introductory message, then select "A network printer, or a printer attached to another computer" for the printer type, and then click Next. Select "Browse for a Printer," and then click Next to see a list of computers on the local Windows network. Double-click on the name of the Fedora system, which will reveal the names of the printers on that system, as shown in Figure 7-5; double-click on the desired printer.
Figure 7-5. Adding a Samba printer to a Windows XP system
2. You may receive a warning about installing printer drivers at this point. Click OK.
3. Select the printer manufacturer and model. Click OK.
If you do not see the printer listed, you will need to insert the printer's driver CD, click Have Disk, and then select the disk location. When the list of printer models appears, select the one that matches the printer you are installing.
4. If you already have a printer set up on the Windows system, you will be asked if the new printer should become the default. Choose Yes or No, and then click Next.
5. Click Finish.
You will now be able to print to the printer from any Windows application.
You can edit Samba's configuration from the command line instead of using the graphical configuration tool.
Samba's configuration file is /etc/samba/smb.conf, and it is a regular text file. Like most server programs, Samba has dozens of configuration options, which it calls parameters. This configuration file is divided into sections by lines of section names enclosed in square brackets (so, for example, the global configuration section starts with the line [global]). Lines that start with a pound sign (#) or a semicolon (;) are treated as comments and ignored.
The workgroup name and server description are configured at the top of the global section:
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = bluesky
# server string is the equivalent of the NT Description field
server string = Samba Server
Set the workgroup name to the value used by the local Windows workgroup or domain. The server string description can be any descriptive value (change the default if you don't want people to know you're running a Linux system). The system name will be the same as the hostname.
By default, only home directories and printers will be shared. To add additional shares, add an additional share section to the end of the configuration file. There are many examples in the configuration file, such as this one:
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
From this template, you can see the basic format:
[myshare]
Name of the share as it will be seen by the Windows systems.
comment = Mary's and Fred's stuff
The description that will appear when browsing the share.
path = /usr/somewhere/shared
The directory to be shared.
valid users = mary fred
public = no
Specifies who can access this share: specific users or everyone (public = yes). Either valid users or public should be enabled, but not both.
writable = yes
printable = no
browseable = yes
Determines what can be done with the share. writable controls whether the remote user can change or create files and directories, printable enables printing (not applicable to a regular directory share), and browseable enables the share to appear when the network user is browsing using a tool such as Windows Explorer.
create mask = 0765
Sets the octal permission that is applied to new files.
To allow read-only access to /usr/share/doc, for example, create this share:
[doc]
comment = Documentation
path = /usr/share/doc
writeable = no
browseable = yes
guest ok = yes
You will need to adjust the SELinux context of the shared directory (see Lab 8.2, "Using SELinux," in Chapter 8).
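As an added example (not from the book or the Samba project), the following Python script parses text in the smb.conf format described above and flags share definitions that deserve a second look: a share that is both public and writable, one that sets both valid users and public, or the [printers] share being exported. The sample configuration and its share names are constructed for the example.

```python
"""Parse smb.conf-style text and flag risky share definitions.

Added example for this lab; it is not part of Fedora or Samba.  The parsing
follows the format described above ([section] headers, key = value
parameters, comments starting with # or ;) and the synonym table mirrors
Samba's own parameter aliases.
"""

# Constructed sample in the style of /etc/samba/smb.conf (not a real file).
SAMPLE_SMB_CONF = """
[global]
   workgroup = bluesky
   server string = Samba Server

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[doc]
   comment = Documentation
   path = /usr/share/doc
   writeable = no
   browseable = yes
   guest ok = yes

[dropbox]
   comment = Anyone on the network may write here
   path = /srv/dropbox
   public = yes
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   printable = yes
"""

# Samba treats each of these names as another spelling of the same parameter.
SYNONYMS = {
    "writeable": "writable",
    "write ok": "writable",
    "public": "guest ok",
    "browsable": "browseable",
}

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with parameter names normalised."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                              # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()          # new [section]
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue                              # nothing sensible to record
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())       # collapse internal spaces
        sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections


def is_true(params, name, default=False):
    """Samba-style boolean lookup; 'default' applies when the parameter is absent."""
    value = params.get(name)
    return default if value is None else value.lower() in TRUE_VALUES


def audit_shares(sections):
    """Return (share, finding) pairs for share definitions worth a second look."""
    findings = []
    for name, params in sections.items():
        if name == "global":
            continue
        guest = is_true(params, "guest ok")       # Samba default: no
        writable = is_true(params, "writable")    # Samba default: no
        printable = is_true(params, "printable")  # Samba default: no
        if guest and writable and not printable:
            findings.append((name, "guest-writable directory share"))
        if guest and "valid users" in params:
            findings.append((name, "guest ok and valid users both set"))
        if name == "printers" and printable:
            findings.append((name, "printers are shared to Windows clients"))
        if not printable and name != "homes" and "path" not in params:
            findings.append((name, "directory share without a path"))
    return findings
```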
After editing the configuration file, restart or reload Samba to activate the changes:
# service smb reload
Reloading smb.conf file: [ OK ]
To add Samba users, you must first create a Linux user account (see Lab 4.7, "Managing Users and Groups"), and then use the smbpasswd command with the add option, -a:
# smbpasswd -a frank
New SMB password: FranklySpeaking
Retype new SMB password: FranklySpeaking
Added user frank.
To change the password, leave out the -a option:
# smbpasswd jane
New SMB password: PrimeUser
Retype new SMB password: PrimeUser
To delete a user, use the -x option:
# smbpasswd -x kim
Deleted user kim.
Samba uses the Server Message Block (SMB) protocol suite and related protocols and programs developed by Microsoft, more recently grouped under the moniker Common Internet File System (CIFS). The name Samba is derived from the acronym SMB.
SMB and related protocols have been in use since the 1980s, but have changed significantly through the years. There are many different, incompatible implementations of the protocols present in various versions of Windows, and in particular, there are several ways of authenticating users. Many of Samba's configuration options relate to compatibility and user authentication.
Samba is implemented as two server daemons:
nmbd
Provides NetBIOS name server services
smbd
Provides SMB/CIFS services
The graphical configuration tool for Samba is system-config-samba.
To prevent Samba from sharing your printers with Windows systems, delete (or comment out) this printer share in /etc/samba/smb.conf:
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
; guest ok = no
; writeable = no
printable = yes
Restart or reload Samba to activate the change.
Use the Places→Network Servers option on the GNOME menu (or go to smb:// in KDE's Konqueror) to browse Windows network shares, including Samba shares.
You can also mount Samba or Windows shares at the command line. To mount the share pictures from the server bluesky on the mount point /mnt/pictures:
# mount -t smb //bluesky/pictures /mnt/pictures
This invokes the smbmount command.
The manpages for samba, smb.conf, smbd, nmbd, findsmb, smbmount, and smbumount
The files in /usr/share/samba*, especially /usr/share/samba*/Samba-Guide.pdf and /usr/share/samba*/Samba-HOWTO-Collection.pdf
The Samba web site: http://www.samba.org/
Dynamic Host Configuration Protocol (DHCP) is used to automatically send basic configuration data to computers and network devices. This centralizes network configuration control so that a change in the network layout, such as adding a nameserver or a gateway, or renumbering the network, does not require a visit to every computer in the network. DHCP also provides a convenient method of supplying network configuration information to visiting computers, such as the laptop of a visiting colleague.
When a DHCP client system boots, it effectively shouts a broadcast message to the network: "Does anyone know who I am?" The DHCP server replies, "I know you, you're..." and then proceeds to tell the client its IP address and some combination of other network configuration information, possibly including a hostname, nameserver, timeserver, gateway, and default domain. The information sent by the DHCP server is called a lease and is only valid for a set length of time. The client can renew the lease when it expires, in which case it can keep its identity, or, if it disappears from the network and fails to renew the lease, the IP address can be recycled by the DHCP server and assigned to another host.
Most home and small networks are connected to the Internet by a router or gateway device that includes DHCP service capability. However, you may prefer to use the Fedora DHCP server instead because it gives you more configuration options and control over the network configuration.
Before you set up a DHCP server for your network, you must design the network layout that you wish to use.
Private networks, meaning those that will not be connected to the Internet or that will be connected through a router or gateway performing network address translation (NAT, or masquerading), will use one of the private network ranges defined in RFC 1918, shown in Table 7-1.
Table 7-1. RFC 1918 private network addresses
Range | Number of addresses available | Class-based address breakdown |
---|---|---|
10.0.0.0-10.255.255.255 | 16,777,216 | 1 class A network of 16,777,216 addresses |
172.16.0.0-172.31.255.255 | 1,048,576 | 16 class B networks of 65,536 addresses each |
192.168.0.0-192.168.255.255 | 65,536 | 256 class C networks of 256 addresses each |
Most small networks use one of the class C networks that start with the 192.168 prefix, yielding 256 addresses. Because two addresses are reserved for broadcast and network messages, that leaves 254 addresses for computers and network devices (such as printers), which is plenty for most homes and small businesses.
DHCP can assign any combination of two address types:
static
Addresses that are always assigned to a specific computer or network device and never change. Even though these do not change, they are still communicated to the device using the DHCP protocol. Static addresses should be used for any host that other users will need to connect to, such as a web server or printer.
dynamic
Addresses assigned from a pool on a first-come, first-serve basis. Dynamic addresses are appropriate for computers, such as desktop systems, which will be connecting to remote hosts but will never (or rarely) be a destination for network connections.
Table 7-2 shows a possible network configuration for a home or small office network that will use the network prefix 192.168.1. In this example, available addresses have been divided into four ranges, one each for servers, network devices, desktop and laptop systems, and network infrastructure.
Table 7-2. Example of a small-office network configuration
Address range and purpose | Host address | Name and description | Notes |
---|---|---|---|
 | 0 | Network | Reserved address |
1-63 Servers | 1 | prime (nameserver, web server) | Traditional nameserver address |
 | 2 | cabinet (Samba fileserver) | |
 | 3 | chatterbox (Asterisk phone system) | |
 | 3-63 | Future use | |
64-127 Network devices (non-computers) | 64 | laser1 | Main laser printer |
 | 65 | multifunction1 | Printer-scanner-copier |
 | 66 | webcam1 | Monitors front door |
 | 67-127 | Future use | |
128-191 Desktop and laptop systems | 128-191 | Dynamically assigned | |
192-254 Network infrastructure | 192-253 | Future use | |
 | 254 | gateway (router; path to the Internet) | Traditional address for a gateway |
 | 255 | Broadcast | Reserved address |
DHCP is configured through the text file /etc/dhcpd.conf, which contains configuration statements and comments. Configuration statements are case-insensitive and are separated by semicolons (;); whitespace doesn't matter. Some statements create blocks, delimited with curly braces ({}), that contain other statements. Comments start with # and continue to the end of the line.
The dhcpd.conf file starts out with global statements; only one is required:
ddns-update-style none;
This prevents the DHCP server from attempting to update records on the DNS server (which is prohibited by Fedora's default SELinux configuration).
The rest of the configuration statements are placed in a block as part of a subnet statement:
subnet 192.168.1.0 netmask 255.255.255.0 {
# Statements that apply only to this subnet...
}
These are the most commonly used configuration statements:
option routers 192.168.1.254
The default gateway. Packets destined for a host that is not in your local network are sent to this gateway for forwarding.
option subnet-mask 255.255.255.0
The subnet mask, which is used to determine whether an IP address is on the local network (which determines routing).
option domain-name-servers 192.168.1.1
Nameservers for this subnet (they may be in the subnet, or they may be external). If there is more than one, list them all, separating the IP addresses or hostnames with commas.
option domain-name "fedorabook.com"
The domain name for machines on this subnet. This is used as the default domain for hostname lookup, so that if a user types a command such as telnet server42, the hostname will be looked up (using a nameserver) as server42.fedorabook.com.
option time-offset -21600
The difference (in seconds) between the local time zone and Coordinated Universal Time (UTC). -21600 indicates a time zone that is six hours behind Greenwich, England (Eastern Standard Time in North America).
option ntp-servers pool.ntp.org
The hostnames or addresses of any available network time protocol servers. The hostname pool.ntp.org accesses a server randomly drawn from a pool of publicly accessible timeservers. You can prepend your ISO country code to select only timeservers in your country; for example, ca.pool.ntp.org would randomly select a Canadian timeserver.
range 192.168.1.128 192.168.1.191
The range of addresses from which dynamic IP addresses will be assigned.
default-lease-time 86400
The normal lease time in seconds. 86,400 seconds corresponds to one day.
max-lease-time 172800
The maximum lease time, in case the client requests a lease that is longer than the default.
To configure static hosts, statements are placed in the block of a host statement:
host hostname {
# Statements that apply only to this host...
}
These are the statements that are most commonly used in a host block:
hardware ethernet aa:bb:cc:dd:ee:ff
Determines which Ethernet hardware MAC address will match this host block. This block will be selected if the hostname sent by the DHCP client matches the hostname in the host statement, or if the client's Ethernet card has the same MAC address as the hardware statement.
fixed-address 192.168.1.1
Specifies the static address for this host.
To configure a network that uses the layout shown in Table 7-2, where the devices have the MAC addresses shown in Table 7-3, you would write this /etc/dhcpd.conf file:
# Sample /etc/dhcpd.conf file
# Don't update DNS
ddns-update-style none;
# The local network is 192.168.1.X
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;            # Default gateway
    option subnet-mask 255.255.255.0;        # Client netmask
    option domain-name "fedorabook.com";     # Domain
    option domain-name-servers 192.168.1.1;  # Nameserver is .1
    option time-offset -21600;               # Eastern Standard Time
    option ntp-servers pool.ntp.org;         # Timeservers
    default-lease-time 86400;                # 1 day
    max-lease-time 172800;                   # 2 days
    # Dynamic configuration (every statement, including range, ends with ;)
    range 192.168.1.128 192.168.1.191;
    # Static configuration for various hosts
    host prime {
        hardware ethernet 00:0c:0d:99:99:99;
        fixed-address 192.168.1.1;
    }
    host cabinet {
        hardware ethernet 00:0c:0d:aa:aa:aa;
        fixed-address 192.168.1.2;
    }
    host chatterbox {
        hardware ethernet 00:0c:0d:bb:bb:bb;
        fixed-address 192.168.1.3;
    }
    host laser1 {
        hardware ethernet 00:0c:0d:cc:cc:cc;
        fixed-address 192.168.1.64;
    }
    host multifunction1 {
        hardware ethernet 00:0c:0d:dd:dd:dd;
        fixed-address 192.168.1.65;
    }
    host webcam1 {
        hardware ethernet 00:0c:0d:ee:ee:ee;
        fixed-address 192.168.1.66;
    }
    host gateway1 {
        hardware ethernet 00:0c:0d:ff:ff:ff;
        fixed-address 192.168.1.254;
    }
}
Table 7-3. Sample hardware addresses
Hardware MAC address | Hostname |
---|---|
00:0c:0d:99:99:99 | prime |
00:0c:0d:aa:aa:aa | cabinet |
00:0c:0d:bb:bb:bb | chatterbox |
00:0c:0d:cc:cc:cc | laser1 |
00:0c:0d:dd:dd:dd | multifunction1 |
00:0c:0d:ee:ee:ee | gateway1 |
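An added Python check (not part of the book, Fedora, or ISC DHCP) that parses a dhcpd.conf of the form shown above and verifies the address plan against it: each range and fixed-address lies inside the subnet, no static host lands in the dynamic range, no two hosts share a MAC or an address, and the one required global statement is present. It also reports the run-together statement that a missing semicolon produces. The sample configuration is constructed, with two mistakes planted in it.

```python
"""Sanity-check an ISC dhcpd.conf against the address plan it describes.

Added example for this lab, not part of Fedora or ISC DHCP.  Only the statements
covered above are understood (ddns-update-style, subnet/netmask, range, host,
hardware ethernet, fixed-address) and a single subnet block is assumed.
"""
import ipaddress
import re

# Constructed sample following the Table 7-2 layout.  Two mistakes are planted:
# webcam1 sits inside the dynamic range, and printer2 reuses laser1's MAC address.
SAMPLE_DHCPD_CONF = """
ddns-update-style none;   # the one required global statement
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    option domain-name-servers 192.168.1.1;
    range 192.168.1.128 192.168.1.191;
    host prime    { hardware ethernet 00:0c:0d:99:99:99; fixed-address 192.168.1.1; }
    host laser1   { hardware ethernet 00:0c:0d:cc:cc:cc; fixed-address 192.168.1.64; }
    host printer2 { hardware ethernet 00:0c:0d:cc:cc:cc; fixed-address 192.168.1.65; }
    host webcam1  { hardware ethernet 00:0c:0d:ee:ee:ee; fixed-address 192.168.1.130; }
}
"""

# Statements that never open a block; one appearing right before '{' means a ';' is missing.
SIMPLE = {"range", "option", "fixed-address", "hardware", "ddns-update-style",
          "default-lease-time", "max-lease-time"}


def parse_dhcpd_conf(text):
    """Return the subnet, dynamic ranges, static hosts and syntax problems found."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    conf = {"subnet": None, "ranges": [], "hosts": [], "globals": {}, "problems": []}
    stack, host, pending = [], None, None
    # Whitespace is insignificant to dhcpd, so tokenise on ';', '{' and '}' only.
    for tok in re.findall(r"[^;{}]+|[;{}]", text):
        if tok == "{":
            words = (pending or "").split()
            if words and words[0] in SIMPLE:
                conf["problems"].append(f"missing ';' after: {pending}")
            if words[:1] == ["subnet"] and len(words) == 4:
                conf["subnet"] = ipaddress.ip_network(f"{words[1]}/{words[3]}")
                stack.append("subnet")
            elif words[:1] == ["host"] and len(words) == 2:
                host = {"name": words[1], "mac": None, "fixed": None}
                stack.append("host")
            else:
                stack.append("other")
            pending = None
        elif tok == "}":
            if stack and stack.pop() == "host":
                conf["hosts"].append(host)
                host = None
        elif tok == ";":
            words = (pending or "").split()
            pending = None
            in_host = host is not None and stack[-1:] == ["host"]
            if words[:1] == ["range"] and len(words) in (3, 4):
                lo, hi = words[-2:]                  # skips the optional dynamic-bootp flag
                conf["ranges"].append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
            elif in_host and words[:1] == ["hardware"] and len(words) == 3:
                host["mac"] = words[2].lower()
            elif in_host and words[:1] == ["fixed-address"] and len(words) == 2:
                host["fixed"] = ipaddress.ip_address(words[1])
            elif words and not stack:
                conf["globals"][words[0]] = " ".join(words[1:])
        elif tok.strip():
            pending = tok.strip()
    return conf


def check_plan(conf):
    """Return human-readable findings: syntax problems plus address-plan conflicts."""
    findings = list(conf["problems"])
    net = conf["subnet"]
    if net is None:
        return findings + ["no subnet block found"]
    if "ddns-update-style" not in conf["globals"]:
        findings.append("ddns-update-style is not set")
    for lo, hi in conf["ranges"]:
        if lo not in net or hi not in net or lo > hi:
            findings.append(f"range {lo}-{hi} is not inside {net}")
    seen_mac, seen_ip = {}, {}
    for h in conf["hosts"]:
        name, mac, ip = h["name"], h["mac"], h["fixed"]
        # setdefault returns the first owner, so a different name means a duplicate
        if mac and seen_mac.setdefault(mac, name) != name:
            findings.append(f"{name} reuses MAC {mac} of {seen_mac[mac]}")
        if ip is None:
            findings.append(f"{name} has no fixed-address")
        elif ip not in net:
            findings.append(f"{name}: {ip} is outside {net}")
        elif any(lo <= ip <= hi for lo, hi in conf["ranges"]):
            findings.append(f"{name}: {ip} collides with the dynamic range")
        elif seen_ip.setdefault(ip, name) != name:
            findings.append(f"{name} reuses address {ip} of {seen_ip[ip]}")
    return findings
```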
Once your configuration has been saved in /etc/dhcpd.conf, restart dhcpd to activate it using the Services graphical tool or this command:
# service dhcpd restart
If there are errors in your configuration file, dhcpd may not start. Check the end of the file /var/log/messages to see if there are any error messages:
# tail -50 /var/log/messages|less
If there are no error messages, clients can begin using the dhcpd server to obtain their IP addresses.
You will need to open port 68 UDP in your firewall configuration in order to permit clients to reach dhcpd. You should also verify that no other DHCP servers are running on your network (check router and gateway appliances in addition to computers).
If configured to obtain IP information through DHCP, the client systems will contact the DHCP server when they are booted. You can also force them to contact the DHCP server at any time:
On a Fedora Core 4 or later system, use dhclient to configure an Ethernet port using DHCP:
# dhclient eth0
In this case, the port being configured is eth0 , the first Ethernet connection. On other Linux systems, you may need to use dhcpcd or pump in place of dhclient .
On a Windows system, you can use ipconfig to obtain or renew a DHCP lease:
C:\> ipconfig /renew
Windows IP Configuration
Ethernet adapter 1:
Connection-specific DNS Suffix . : fedorabook.com
IP Address. . . . . . . . . . . . : 192.168.1.207
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
Table 7-4 shows the sequence of messages that flow between a DHCP client and a DHCP server during initial negotiation and during lease renewal.
Table 7-4. DHCP messages.
Initial negotiation | Lease renewal | Message type | Origin | Description |
---|---|---|---|---|
* | | DHCPDISCOVER | Client | Client tries to discover the DHCP server. |
* | | DHCPOFFER | Server | The DHCP server offers its location and possible lease details. |
* | * | DHCPREQUEST | Client | The client requests a lease. |
* | * | DHCPACK/DHCPNAK | Server | The server acknowledges (approves) or negatively acknowledges (rejects) the lease request. |
Early DHCP messages are sent using UDP to the broadcast address 255.255.255.255. This is necessary because the client does not have an IP address at the start of the negotiation.
dhcpd stores lease information in the file /var/lib/dhcpd/dhcpd.leases so that if it is stopped and restarted, it still has an idea of what leases are outstanding. In a similar way, dhclient stores its lease information in /var/lib/dhcp/dhclient-<eth0>.leases (where <eth0> is the interface name).
The DHCP server, dhcpd, can also manage clients that use the Bootstrap Protocol (BOOTP). However, BOOTP does not use leases, so once an IP address is assigned, it stays assigned even if the computer using that address is removed from the network. IP assignments from an address pool are therefore called automatic assignments instead of dynamic assignments.
To enable dhcpd to assign BOOTP addresses, add the dynamic-bootp option to the range statement in /etc/dhcpd.conf :
range dynamic-bootp 192.168.1.128 192.168.1.191
The manpages for dhcpd , dhcpd.conf , dhclient , and dhclient.conf
The standard that defines DHCP: RFC 2131, http://www.ietf.org/rfc/rfc2131.txt
Domain name service (DNS) is like a telephone-directory service for TCP/IP networks. When a program such as a browser or mail server needs to contact a machine for which it has a hostname, it uses DNS to convert that name to a numeric network address. DNS can also do the reverse: convert a numeric address to a hostname.
It is necessary to have DNS set up before you can serve data to the Internet. Although you can contract for DNS service from an external provider, Fedora Core provides a nameserver that you can easily set up to provide your own DNS capability.
Fedora provides the named domain name server, which is the Berkeley Internet Name Domain (BIND). named serves two roles:
authoritative nameserver
Serves name information about one or more domains to other servers.
caching nameserver
Provides name lookups for client programs such as web browsers by contacting other nameservers. This information is cached in local storage in case it is requested again in the near future.
The Fedora package called bind contains the named service.
The named service is not run by default. Once you configure it to run (see Lab 4.6, "Managing and Configuring Services"), it will act as a caching nameserver.
If you just want to use named as a caching nameserver, you can skip to the section entitled "Using your nameservers locally."
To configure named as an authoritative nameserver for your domain, you just have to give it the information about your domain that you want it to serve to other systems. Usually at least two authoritative nameservers are set up for each domain; one is configured as the master, and the others are slaves. Changes to the DNS data are made on the master, and the slaves update themselves periodically.
You can configure an authoritative nameserver graphically or by editing configuration files and datafiles.
Select the menu option System→Administration→Server Settings→Domain Name Server. After you enter the root password, the window shown in Figure 7-6 will appear.
Figure 7-6. BIND configuration GUI
The user interface of this tool is unique! It does not behave in the same way as other graphical configuration tools, so take your time when using it.
To add a zone (which can be a complete domain or a subdomain), click on the DNS Server entry to highlight it, click the New button, and then select "zone" from the menu that appears. Figure 7-7 shows the small dialog box that appears.
Figure 7-7. New Zone dialog box
Click OK under Class, and then click OK under Origin Type. The dialog's controls will change to let you type in the Forward Zone Origin, as shown in Figure 7-8. Enter the name of the domain with a period at the end (for example, "fedorabook.com." rather than "fedorabook.com").
Figure 7-8. Zone Origin entry
Click OK to create the zone. The window in Figure 7-9 will appear. Don't be alarmed by the number of controls!
Figure 7-9. Zone Authority configuration window
This window sets several overall values for the zone. Many of these are time values:
Cache Time to Live (TTL)
The maximum length of time that information should be cached by a client or remote nameserver. A higher value will result in a lower volume of DNS requests for your server to process and fewer delays for your users, but when you change a DNS entry, it will take longer to be "noticed" by other systems. A minimum value of three days is recommended once your configuration is stable (RFC 1912); the default value of one hour is appropriate during initial setup and during periods of frequent changes.
Refresh Interval, Refresh Retry Interval, and Expiration Interval
These values configure communication between a master and a slave system. The Refresh Interval specifies how often the slave should get an update from the master, the Refresh Retry Interval specifies how long the slave should wait before retrying a refresh if it is unsuccessful, and the Expiration Interval specifies how long a slave can go without an update before it should stop responding to requests.
Default Minimum Cache TTL
The name of this field is somewhat misleading because the usage has changed. It is now used to indicate how long a negative response should be cached by a remote machine; in other words, this is the minimum length of time that a remote machine should wait before asking again if a domain exists. In this graphical configuration tool, this value also sets the default TTL for the rest of the records within this zone.
Leave these values at their defaults to start. If you are setting up DNS for a heavily used domain, you should go back and change the Cache Time to Live to the three-day recommended minimum (or longer) once you've confirmed that your configuration works correctly; you'll also need to change the TTL on each resource record in this zone (which I will come to in a minute).
Beside the time fields, there are only four pieces of information to fill in:
Authoritative Name Server
The hostname of the nameserver computer. If the host is in this zone, you can enter the hostname without the domain name portion (e.g., just bluesky for bluesky.fedorabook.com); otherwise, enter the fully qualified domain name followed by a period (the hostname and domain name together, such as ns.global.proximity.on.ca.).
Responsible Person E-mail Address
The email address of the person responsible for managing DNS, followed by a period (if the address is in this zone, you can enter just the username, such as jessica). Ideally, this address should not be inside the zone that you're defining because people may want to use this address to reach you to tell you that something is wrong with the domain, and that same problem may prevent mail from reaching you.
Zone Modification Serial Number
Any number can be used here, but it must be increased every time this zone's DNS information is updated. Most sites use one of these two approaches:
A straight serial number, initially set to 1, incremented by one each time the zone information is changed. This graphical configuration tool will automatically increment this serial number when required.
The date and a sequence number in YYYYMMDDSS format, where YYYYMMDD is the year/month/day and SS is the sequence number of changes made on that date. For example, 2009021702 indicates the second change made on February 17, 2009. If you're going to use this format, you'll have to remember to update the serial number whenever you make a change.
Zone File Path
The name of the file that will store information for this zone. Use the default value for this field.
Click OK to save this information. You will see the domain listed in the main window, as in Figure 7-10 ; click on the arrow to the left of the domain name to see the entries within that domain.
Figure 7-10. A new zone entry in the main configuration window
Note that two entries have been created: a Start of Authority (SOA) record, which contains basic information about the domain, plus an NS record, which contains information about the authoritative nameserver for the zone.
You'll now need to add resource records (RR) for the machines in this zone. Most domains need four types of records:
A
Defines the address for a hostname. Every host in the zone needs an A record; the next three record types are used in addition to an A record.
CNAME
Enables the use of nicknames for hosts. These records translate a host nickname into a canonical name (true hostname).
MX
Defines a mail exchanger (SMTP server) within the domain.
NS
Identifies a nameserver for the zone.
To add these records, highlight the new zone you've created, click the Add button, and select the record type from the drop-down list that appears. One of the four windows shown in Figure 7-11 will appear, according to the type of resource record you are adding.
Figure 7-11. Resource record windows
For an A record, insert the hostname in the Domain Name field and the IP address in the IPv4 Address field.
For a CNAME record, insert the nickname in the Domain Name field and the full name of the host in the Canonical Name field.
For an NS record, insert the hostname of the nameserver in the Server Domain Name field.
For an MX record, leave the Domain Name as it is written. If you have more than one mail exchanger for your domain (perhaps a master and a backup email server), enter a priority for each server; lower numbers take precedence over higher numbers. Enter the hostname of the mail server in the Mail Server Name field.
Make sure that an A record exists for each hostname mentioned in CNAME, NS, and MX records.
These hosts don't have to be in the same zone or domain; for example, it's possible for email and name service to be handled by a host outside that domain. In that case, the A record will not appear in this zone but must appear in the zone for that domain.
For example, if the mail server for fedorabook.com was global.proximity.on.ca, then the MX record could point to that host. There would be no A record for global.proximity.on.ca within the fedorabook.com zone, but there would have to be one within the proximity.on.ca zone (which might be on a different nameserver altogether).
Once you have entered all of the resource records you want, click Save to save the information. If named is already running, it will be reloaded so that the changes take effect immediately.
named can also be configured by directly editing the configuration files and datafiles, which is the approach used by many experienced users.
The overall operation of named is controlled by the file /etc/named.conf. This is the default configuration installed by the BIND package:
//
// named.conf for Red Hat caching-nameserver
//
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};
//
// a caching-only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};
zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};
zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};
include "/etc/rndc.key";
The options section sets up the basic file and directory locations for the server. controls limits which machines can control named (in this case, only programs running on the localhost, and only if they have the correct security key); and the include line at the end accesses that encryption key from another file and causes named to act as though it's included in this file.
The rest of this file consists of zone sections. The first zone section is for the entire Internet and refers to the file /var/named/named.ca, which contains the names and addresses of the master domain name servers, called the root servers. The extension .ca stands for cache.
If you have the package bind-chroot installed, then prepend the directory /var/named/chroot/ to pathnames throughout this chapter. For example, /var/named would become /var/named/chroot/var/named, and /etc/named.conf would become /var/named/chroot/etc/named.conf.
bind-chroot is a package intended to increase the security of the nameserver. It is considered obsolete, since SELinux now provides similar protection.
The remaining zone sections are used to resolve standard requests, such as the address of localhost and localhost.localdomain (always 127.0.0.1), and the reverse of those requests.
To create a new zone, add it to the end of this file (you can copy an existing zone entry and then modify it):
zone "fedorabook.com" IN {
        type master;
        file "fedorabook.com.db";
        allow-update { none; };
};
This specifies the name of the zone (exactly the same as the name of the domain) and the file in which this zone's information can be found. You can use any filename you want, but names based on the domain name and ending in .db or hosts, such as fedorabook.com.db or fedorabookhosts, are traditional.
Next, create the file for the zone. This is a standard text file with a very exact syntax.
The file starts with the default TTL for the zone:
$TTL 3D
The value here represents three days. You can use any combination of numbers suffixed with W, D, H, M, or S (representing units of weeks, days, hours, minutes, and seconds) concatenated together, or you can specify the time in seconds; some examples are shown in Table 7-5.
Table 7-5. named time values
Entry | Description | Equivalent number of seconds
---|---|---
3D | 3 days | 259,200
1D12H or 36H | 1 day and 12 hours (or 36 hours) | 129,600
2W | 2 weeks | 1,209,600
1D10M | 1 day and 10 minutes | 87,000
The zone file then contains the Start of Authority (SOA) resource record:
@ SOA ns1 chris.global.proximity.on.ca. ( 2007201702 3D 1H 3D 1H )
The @ sign means "this zone", and SOA is the record type. The values are the authoritative master nameserver (ns1), followed by the administrative email contact, with the @ converted to a period (therefore, usernames containing periods cannot be used for administrative contacts).
All hostnames and domain names in a zone file have the name of the zone appended to them unless they end with a period. Thus, in this example, bluesky (with no period) is interpreted as bluesky.fedorabook.com, and bluesky.fedorabook.com written without a trailing period is interpreted as bluesky.fedorabook.com.fedorabook.com.
The values in parentheses at the end of the record are the serial number and the time values for this record. It's helpful (and common practice) to split this information across several lines and add comments to label which time value is which:
@       SOA     ns1
                chris.global.proximity.on.ca. (
                2007201702      ; serial number
                3D              ; refresh
                1H              ; retry
                3D              ; expire
                1H )            ; minimum
Notice that comments start with a semicolon. The time values used here are the same ones configured using the graphical tool.
The rest of the zone file contains resource records. We need NS records to indicate the nameservers for this domain:
        IN      NS      bluesky
        IN      NS      darkday
The first field is blank; the line must be indented at least one space. The next field value, IN, specifies that these records are related to the Internet (TCP/IP address family). NS indicates the record type (nameserver), and the last field is the hostname of the nameserver.
We also need A records to indicate the IP address of each computer:
bluesky IN A 216.183.93.224
darkday IN A 216.183.93.225
The first field in each record is the hostname, followed by the address family (IN) and the record type (A), and then the IP address.
Next we have MX records for mail exchangers:
        IN      MX      10 bluesky
        IN      MX      20 global.proximity.on.ca.
These have a blank first field, followed by the address family (IN) and record type (MX), followed by the mail server priority (lower numbers are higher priority), and then the mail server hostname.
Note that global.proximity.on.ca is outside of this zone, so the hostname is written as a fully qualified domain name (FQDN) ending with a period.
We also need some aliases for common hostnames:
mail IN CNAME bluesky
ftp IN CNAME darkday
www IN CNAME bluesky
ww IN CNAME bluesky
wwww IN CNAME bluesky
These records are like A records, except that the record type is set to CNAME and the last field contains the canonical (true) hostname.
It is possible to override the default TTL by inserting it between the address family (IN) and the record type in each record. For example, you could set the TTL for the last CNAME record to five minutes:
wwww IN 5M CNAME bluesky
Putting this all together and adding some comments gives us the complete zone file:
; Zone file for 'fedorabook.com'
; Default TTL is 1 hour
$TTL 1H
; Start of authority
@       SOA     ns1 chris.global.proximity.on.ca. (
                2007201705      ; serial number
                3D              ; refresh
                1H              ; retry
                3D              ; expire
                1H )            ; minimum
; Nameservers
        IN      NS      bluesky
        IN      NS      darkday
; Addresses of hosts
bluesky IN      A       216.183.93.224
darkday IN      A       216.183.93.225
; Mail exchangers
        IN      MX      10 bluesky
        IN      MX      20 darkday
; Nicknames/aliases
mail    IN      CNAME   bluesky
www     IN      CNAME   bluesky
ww      IN      CNAME   bluesky
wwww    IN      CNAME   bluesky
The filename for this data is /var/named/fedorabook.com.db, to match the file entry that we made in /etc/named.conf.
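The zone-file rules above (time values as in Table 7-5, the parenthesised SOA, blank owner fields, per-record TTLs, the trailing-period rule) and the check that every CNAME, NS and MX target has an A record can be exercised with the following Python helper. It is an added example, not code from the book or from BIND; the sample zone is constructed from the fedorabook.com records plus one deliberately dangling alias (smtp pointing at mailhost, which has no A record), and the MX lines are given an explicit @ owner because BIND reads a blank owner field as "the previous record's owner".

```python
"""Parse a BIND-style zone file and check its CNAME, NS and MX targets.
Added example, not from the book and not BIND's own code: it handles the syntax
used in the fedorabook.com zone ($TTL, ';' comments, a parenthesised SOA, blank
owner fields, a per-record TTL, the trailing-period rule) and reports in-zone
targets that have no A record."""
import re

UNITS = {"W": 604800, "D": 86400, "H": 3600, "M": 60, "S": 1}
RTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "PTR", "TXT"}


def parse_ttl(text):
    """Convert a time value such as '3D', '1D12H', '36H' or '300' to seconds."""
    if text.isdigit():
        return int(text)
    text = text.upper()
    if not re.fullmatch(r"(\d+[WDHMS])+", text):
        raise ValueError("bad time value: %r" % text)
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([WDHMS])", text))


def qualify(name, origin):
    """'bluesky' -> 'bluesky.fedorabook.com.'; '@' -> the zone; 'x.' stays 'x.'"""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return (default_ttl, records); rdata names are qualified, SOA numbers are ints."""
    if not origin.endswith("."):
        origin += "."
    stripped = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    # Fold a parenthesised multi-line record (the SOA) onto one line.
    folded = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), stripped)
    default_ttl, last_owner, records = None, origin, []
    for line in folded.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        # Leading whitespace = blank owner field = same owner as the previous record.
        owner = last_owner if line[0].isspace() else qualify(fields.pop(0), origin)
        last_owner, ttl = owner, default_ttl
        while fields and fields[0].upper() not in RTYPES:  # class and TTL, any order
            token = fields.pop(0)
            if token.upper() != "IN":
                ttl = parse_ttl(token)
        if not fields:
            raise ValueError("unrecognised record: %r" % line)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), qualify(rdata[1], origin)]
        elif rtype == "SOA":  # mname rname serial refresh retry expire minimum
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + [
                parse_ttl(v) for v in rdata[2:]]
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
    return default_ttl, records


def missing_targets(records, origin):
    """In-zone names used as CNAME, NS or MX targets that have no A record.
    Out-of-zone targets (global.proximity.on.ca.) are skipped: their A record
    must live in that other zone, as the text explains."""
    if not origin.endswith("."):
        origin += "."
    have_a = {r["owner"] for r in records if r["type"] == "A"}
    needed = set()
    for r in records:
        if r["type"] in ("NS", "CNAME"):
            needed.add(r["rdata"][0])
        elif r["type"] == "MX":
            needed.add(r["rdata"][1])
    in_zone = {n for n in needed if n == origin or n.endswith("." + origin)}
    return sorted(in_zone - have_a)


# Constructed sample: the book's zone plus a dangling alias (smtp -> mailhost).
SAMPLE_ZONE = """\
$TTL 1H
@       SOA     ns1 chris.global.proximity.on.ca. (
                2007201705 ; serial number
                3D         ; refresh
                1H         ; retry
                3D         ; expire
                1H )       ; minimum
        IN NS   bluesky
        IN NS   darkday
@       IN MX   10 bluesky
@       IN MX   20 global.proximity.on.ca.
bluesky IN A    216.183.93.224
darkday IN A    216.183.93.225
mail    IN CNAME bluesky
wwww    IN 5M CNAME bluesky
smtp    IN CNAME mailhost
"""

if __name__ == "__main__":
    ttl, recs = parse_zone(SAMPLE_ZONE, "fedorabook.com")
    for r in recs:
        print("%-24s %6d %-5s %s" % (r["owner"], r["ttl"], r["type"], r["rdata"]))
    print("targets without an A record:", missing_targets(recs, "fedorabook.com"))
```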
Once you have your DNS entries configured, reload the named service. The end of the system message logfile, /var/log/messages, will look something like this:
Mar 4 22:14:58 core5 named[10977]: starting BIND 9.3.2 -u named
Mar 4 22:14:58 core5 named[10977]: found 1 CPU, using 1 worker thread
Mar 4 22:14:58 core5 named[10977]: loading configuration from '/etc/named.conf'
Mar 4 22:14:58 core5 named[10977]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 4 22:14:58 core5 named[10977]: listening on IPv4 interface eth0, 172.16.97.100#53
Mar 4 22:14:58 core5 named[10977]: command channel listening on 127.0.0.1#953
Mar 4 22:14:58 core5 named[10977]: zone 0.in-addr.arpa/IN: loaded serial 42
Mar 4 22:14:58 core5 named[10977]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Mar 4 22:14:58 core5 named[10977]: zone 255.in-addr.arpa/IN: loaded serial 42
Mar 4 22:14:58 core5 named[10977]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
Mar 4 22:14:58 core5 named[10977]: zone fedorabook.com/IN: loaded serial 2007201705
Mar 4 22:14:58 core5 named[10977]: zone localdomain/IN: loaded serial 42
Mar 4 22:14:58 core5 named[10977]: zone localhost/IN: loaded serial 42
Mar 4 22:14:58 core5 named[10977]: running
Mar 4 22:14:58 core5 named[10977]: zone fedorabook.com/IN: sending notifies (serial 2007201705)
If there is an error in your zone file, an error message will appear here. Read the error message carefully, and then edit your zone file to correct the error and try again (the most common errors are simple syntax errors in the configuration or zone files).
Once named has started without errors, test the nameserver using the dig command:
$ dig bluesky.fedorabook.com @localhost any
; <<>> DiG 9.3.2 <<>> bluesky.fedorabook.com @localhost any
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43031
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;bluesky.fedorabook.com. IN ANY
;; ANSWER SECTION:
bluesky.fedorabook.com. 3600 IN A 216.183.93.224
;; AUTHORITY SECTION:
fedorabook.com. 3600 IN NS bluesky.fedorabook.com.
fedorabook.com. 3600 IN NS darkday.fedorabook.com.
;; ADDITIONAL SECTION:
darkday.fedorabook.com. 3600 IN A 216.183.93.225
;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 4 22:18:08 2006
;; MSG SIZE rcvd: 108
The argument @localhost tells dig to use the local nameserver instead of the one your machine is normally configured to use. The any argument instructs named to report any information that it finds about the requested server or domain (the default is to show only A records). You can substitute a record type such as soa or mx to see those specific resource records.
The line in the ANSWER SECTION of the output shows the correct address for the requested hostname, which proves that named is configured correctly.
You can also test the nameserver with the host or nslookup commands (don't include the @ sign in front of the nameserver name localhost when using these commands):
$ host bluesky.fedorabook.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:
bluesky.fedorabook.com has address 216.183.93.224
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:
$ nslookup bluesky.fedorabook.com localhost
Server: localhost
Address: 127.0.0.1#53
Name: bluesky.fedorabook.com
Address: 216.183.93.224
To test the caching capabilities of the nameserver, look up a hostname that is not in any of your local zones:
$ dig fedora.redhat.com @localhost
; <<>> DiG 9.3.2 <<>> fedora.redhat.com @localhost
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41999
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;fedora.redhat.com. IN A
;; ANSWER SECTION:
fedora.redhat.com. 300 IN A 209.132.177.50
;; AUTHORITY SECTION:
redhat.com. 600 IN NS ns1.redhat.com.
redhat.com. 600 IN NS ns2.redhat.com.
redhat.com. 600 IN NS ns3.redhat.com.
;; Query time: 401 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 4 22:28:53 2006
;; MSG SIZE rcvd: 105
Once you have configured a master nameserver for a zone, you can configure another computer to fetch the zone information from that master nameserver and serve it to other machines. This can be done to share the workload for extremely busy domains or (more often) to provide some redundancy in case the master server is down or unreachable.
There is little point configuring a second nameserver if all of your services (mail server, web server, and so on) are on one server and that is the same machine that runs your master nameserver, because a failure or overload on that system would effectively cripple the other services along with the nameserver (and there is no value in being able to reach a server that can't provide service).
This type of nameserver is called a slave, but it is still considered authoritative for the domain if there is an NS record for it in the zone.
You may need to adjust your SELinux configuration to use slave zones (see Lab 8.2, "Using SELinux").
To configure a slave nameserver graphically, start the graphical configuration tool (Figure 7-6), highlight the DNS Server entry, click on the New icon, and then click on the Zone option from the pull-down list. Create the zone in the same way you did on the master server, but set the Zone Type to "slave." Click OK, and the window shown in Figure 7-12 will appear.
Figure 7-12. Slave zone configuration window
Click on IPV4 Address, and the window will change to include fields for the IP address, as shown in Figure 7-13.
Figure 7-13. Slave zone configuration window with address fields
Enter the IP address of the master nameserver, and then click on the upper OK button followed by the lower OK button. Click on the Save button on the main window, and the slave zone will be created.
To configure a slave zone by editing the configuration files, add a section to /etc/named.conf that looks like this:
zone "fedorabook.com" IN {
        type slave;
        file "fedorabook.com.db";
        masters { 216.183.93.224; };
};
The zone and file values are the same as for a master zone. The type must be set to slave, and the masters value is a semicolon-separated list of zone master nameservers, enclosed in curly braces.
Once you have configured the slave zone, restart or reload named on the same machine. The initial zone transfer should be recorded in /var/log/messages:
zone fedorabook.com/IN: Transfer started.
transfer of 'chris.com/IN' from 216.183.93.224#53:
connected using 47.52.6.120#55096
zone fedorabook.com/IN: transferred serial 2
Once the nameserver is working, you can configure your local clients to use it:
If the computers on your local network have been manually configured with their IP information, change the nameserver IP address to that of the machine running named. Edit the file /etc/resolv.conf, or for Fedora Linux systems, use the menu option System→Administration→Network (the system-config-network tool, also known as neat) and adjust the entries in the DNS tab. For other operating systems, use the appropriate network configuration tool (such as the Microsoft Windows Control Panel).
If the computers on your local network are configured to get their IP information through the DHCP protocol, and the DHCP server is on a gateway or router device, program the DHCP settings on that gateway or router so that the IP address of your named server is used as the domain name server. Consult the device documentation for configuration information.
If the computers on your local network are configured to get their IP information through the DHCP protocol, and you're using your Fedora system as the DHCP server, add the nameserver to your DHCPD configuration file.
If you configure only your local clients to use your nameserver, any zones that you have configured are accessible only to those clients.
In order to make your domain information accessible to other systems on the Internet, it is necessary to register your domain and give the IP address of your nameserver(s) to your domain registrar.
There are many registrars available; to find one, simply search for "domain registration" on any search engine. Be sure to read the fine print of the registrar's contract because some registrars will try to lock you into their service by charging you exorbitant transfer fees if you try to switch to another registrar at a later date.
Most registrars now offer a myriad of different packages with domain forwarding, web hosting, or email management features. If you are planning to do your own web serving and email hosting, you can forgo those features and sign up for the most basic registration service. Give the IP address of all of your named servers to your registrar as the nameservers for your domain.
Once your domain registration is complete, the nameservers for your top-level domain (TLD), such as .com or .org, will start forwarding queries about your domain to your nameservers. It takes a short while for your domain information to circulate to all of the nameservers for your TLD, so be patient!
To test whether your domain name service is accessible to the Internet, use the dig command with your ISP's nameserver:
$ dig somehost.yourdomain.com @nameserver.yourisp.com
DNS is also capable of performing reverse mapping, which translates an IP address into a domain name. However, unless your ISP has provided you with a block of IP addresses whose size is a power of 256 (that is, 256, 65,536, or 16,777,216 addresses), reverse mapping is particularly difficult to set up. If you really need reverse mapping controlled by your nameserver, you'll need to find out how your ISP has configured this and whether they are willing to delegate the reverse mapping to you.
If you have a small number of Internet-accessible hosts, most ISPs prefer to enter your hostnames and IP addresses into their reverse-mapping tables rather than go through the arduous task of connecting a portion of their reverse map to your nameserver.
Domain name service is based on the concept of referrals. When a client program (such as a web browser) needs to convert a hostname into an IP address, it uses query functions in a resolver library. The resolver looks in the local hosts file (/etc/hosts on Fedora, other Linux, Unix, and Mac OS X systems; c:\windows\system32\drivers\etc\hosts on Windows 2000, Windows Server 2003, and Windows XP), and if the hostname is not found in that file, it queries one of the caching nameservers specified in the operating system's network configuration. On a Fedora system (like most other Linux and Unix systems) the nameservers to be used are listed in /etc/resolv.conf.
The Linux resolver uses the file /etc/nsswitch.conf to determine possible ways of resolving a hostname to an IP address. The default configuration is to check /etc/hosts first, and then try DNS.
The caching nameserver first checks its cache to see if it already has the answer to the query, and if it does, it returns that answer to the client. Otherwise, it contacts one of the root nameservers (listed in /var/named/named.ca) by sending a UDP packet to port 53. The root nameserver sends back a reply referring the caching nameserver to the authoritative nameserver for the appropriate top-level domain (TLD). The caching nameserver then sends another query, this time to the TLD nameserver, which replies with a referral to the next nameserver down the chain. This happens recursively until a nameserver that knows the answer is found, or until the possibilities are exhausted and a nameserver finally returns an NXDOMAIN (nonexistent domain) response.
Slave zones are transferred from master zones when the master zone notifies the slave of the need for an update, or when an update is mandated by the refresh time value in the zone's SOA record. The transfer is always initiated by the slave side.
In addition to the resource records discussed in this lab, DNS supports a number of other record types that can be used to serve information, such as host hardware and OS configuration, geographical locations, email server authorization (Sender Policy Framework), and more, but these records are much less commonly used.
Reverse address resolution is performed by reversing the bytes of the dotted-quad IP address and using that as a domain name within the in-addr.arpa TLD. The resource record returned is a pointer (PTR) record.
For example, to discover the hostname of 216.183.93.224, a query is made for 224.93.183.216.in-addr.arpa:
$ dig 224.93.183.216.in-addr.arpa ptr
; <<>> DiG 9.3.1 <<>> 224.93.183.216.in-addr.arpa ptr
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10860
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;224.93.183.216.in-addr.arpa. IN PTR
;; ANSWER SECTION:
224.93.183.216.in-addr.arpa. 38204 IN PTR global.proximity.on.ca.
;; AUTHORITY SECTION:
93.183.216.in-addr.arpa. 38204 IN NS ns1.scratchtelecom.com.
;; ADDITIONAL SECTION:
ns1.scratchtelecom.com. 172567 IN A 216.183.93.250
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 5 00:21:39 2006
;; MSG SIZE rcvd: 133
The host or nslookup commands will automatically convert an IP address into this type of query:
$ host 216.183.93.224
224.93.183.216.in-addr.arpa domain name pointer global.proximity.on.ca.
$ nslookup 216.183.93.224
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
224.93.183.216.in-addr.arpa name = global.proximity.on.ca.
Authoritative answers can be found from:
93.183.216.in-addr.arpa nameserver = ns1.scratchtelecom.com.
ns1.scratchtelecom.com internet address = 216.183.93.250
The Fedora graphical configuration tool for DNS is called system-config-bind.
Be sure that you never leave an obsolete nameserver active. For example, if your name service was provided by an ISP and you take over the name service, ensure that the ISP's nameserver no longer contains entries for your domain; otherwise, customers of that ISP may not be able to reach your system because they will receive obsolete DNS information.
The manpages for named and named_selinux; dig, nslookup, and host; nsswitch.conf, hosts, and resolv.conf
The BIND 9 Administrator's Reference Manual in PDF format (/usr/share/doc/bind-9.3.2/arm/Bv9ARM.pdf) or HTML format (file:///usr/share/doc/bind-9.3.1/arm/Bv9ARM.html)
The Common Unix Printing System (CUPS) printer daemon can also be used as a print server, enabling other computers on the local network to access the printers it controls.
Start the Printer Configuration tool shown in Figure 7-14 . Highlight the printer you wish to share, select the checkbox labeled Shared, and then click Apply.
Figure 7-14. Printer configuration: sharing properties
Next, click on Server Settings on the lefthand side and select the checkbox labeled "Share published printers connected to this system." Click Apply.
You will need to open the IPP port 631 (ipp:tcp) in your firewall configuration (see Lab 8.1, "Prevent Unwanted Connections").
Your printer will now be accessible to other systems.
To add a CUPS printer to a Windows XP system, select "Printers and Faxes" from the Start menu and click on "Add a printer." The Add Printer Wizard will appear.
Click Next to advance past the introduction. On the next page, select "A network printer, or a printer attached to another computer," and click Next. The window shown in Figure 7-15 will appear.
Figure 7-15. Adding a CUPS printer to a Windows XP system
Select "Connect to a printer on the Internet or on a home or office network," and enter a URI in this form:
http://server:631/printers/printername
Replace server with the hostname of the CUPS server if the Windows system can resolve that hostname using DNS; if you haven't configured DNS, use the IP address instead. Replace printername with the name of the printer as it is known to CUPS.
Click Next.
Select the manufacturer and printer model, and click Next (or, if the printer drivers are on a CD, click "Have a Disk" and select the disk location). Then click Finish to set up the printer. You can now use the CUPS printer from any Windows applications.
CUPS uses the Internet Printing Protocol (IPP), which is based on the same HTTP protocol used by the Web. One shared virtual directory is mapped to each printer.
The CUPS configuration files are stored in /etc/cups, and the format of the main configuration file /etc/cups/cupsd.conf is very similar to the Apache configuration file (discussed in Lab 7.5, "Using the Apache Web Server"). Printer sharing is therefore enabled and disabled using Allow and Deny directives in the same way that they would be used to control access to an Apache directory. For example, global access to the printer laser0 could be configured like this:
<Location /printers/laser0>
        Order Deny,Allow
        Allow From All
</Location>
If you wish to share the printer with a client that knows only the older Line Printer Daemon (LPD) protocol, such as an older Linux/Unix system or a Windows NT system, you will need to install the cups-lpd package.
To enable the service, start the Services tool (System→Administration→Services), select the On Demand Services tab, select the checkbox labeled "cups-lpd," and click Save. You can also enable the service by editing /etc/xinetd.d/cups-lpd, which looks like this:
# default: off
# description: Allow applications using the legacy lpd protocol
#              to communicate with CUPS
service printer
{
        disable         = yes
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = lp
        server          = /usr/lib/cups/daemon/cups-lpd
}
Change the disable line to the following:
disable = no
Save the file and restart the xinetd service:
# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
LPD printer sharing requires the printer port 515 (printer:tcp) to be opened in your firewall.
LPD emulation is enabled globally; there is no provision to share only some printers, or to share only with certain clients.
Fedora does not provide a facility for configuring printer sharing from the command line. The only available option is to edit /etc/cups/cupsd.conf and insert the appropriate Allow and Deny directives (or, if you're accessing from a remote system, you may want to use X tunneling via SSH; see Lab 4.10, "Remote Management Using SSH").
The CUPS manual: http://localhost:631/documentation.html
The manpage for cups-lpd
Apache is the most widely used web server and is a standard part of Fedora Core. One of the reasons that it has garnered a majority market share is that it is highly configurable and can therefore meet a wide range of web-serving needs. Despite the number of options available, Fedora Core ships Apache with a default configuration that is ready to meet most basic web-serving needs.
Before configuring Apache, it's a good idea to make a backup copy of the original configuration file:
# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-original
Apache is not enabled by default. To start it, use the Services tool or enter this command:
# service httpd start
To ensure that Apache starts each time the system is booted, enable the httpd service.
Whenever the Apache configuration is changed, you must instruct Apache to reload its configuration:
# service httpd reload
Alternately, you can use the Restart button in the Services tool.
Using a web browser on the machine running Apache, access the web location http://localhost/. You will see the test page shown in Figure 7-16.
Figure 7-16. Apache test page confirming operation of the web server
Once you can view this web page on the server, you can attempt to access the page from a remote system using the IP address of the server (such as http://192.168.100.1/ ), or, if DNS has been set up to allow it, the server's hostname (e.g., http://fedorabook.com/).
If you can access the web page on the server but not from a remote system, then the firewall configuration may require adjustment.
Once the web server is running, place the content you wish to serve in the directory /var/www/html. The default page for each directory is index.html; once you have created /var/www/html/index.html, the test page (Figure 7-16) will no longer appear.
Create subdirectories within /var/www/html to create any directory structure you want. These directories will be reflected in the URLs accessible through the web server. For example, you could create the directory /var/www/html/photos/:
# mkdir /var/www/html/photos
That directory will be accessible using the URI http://<hostname>/photos/.
The default Apache configuration serves all web content from one directory: /var/www/html . To perform more advanced web serving, the default configuration needs to be modified.
Apache can be configured by using Fedora's graphical configuration tool or by editing configuration files, but you can't alternate between the two approaches. Most experienced Apache administrators prefer to directly edit the configuration file because it provides direct access to all of Apache's features and because it is more convenient when accessing a remote server. However, Fedora's graphical configuration tool is quite powerful and is a good place to start if you're not familiar with Apache setup.
To configure Apache graphically, select System→Administration→Server Settings→HTTP (or in KDE, Administration→Server Settings→HTTP). The httpd configuration dialog, a simple tabbed window (shown in Figure 7-17), will appear.
Figure 7-17. Graphical configuration tool for Apache httpd
Start with the Main tab and enter the server name and webmaster's email address. The server name must contain only alphanumeric characters; it will be used as a hostname and combined with the current domain name to build a fully qualified domain name (FQDN).
The webmaster's address is displayed in server error messages and could be harvested by web spiders, so it is a good idea to use a disposable email alias and change it frequently to thwart spammers.
The Available Addresses area is used only if you wish to prevent the web server from using some network interfaces, or if you wish to use a nonstandard TCP/IP port (the default for HTTP is port 80). This is usually left at the default setting.
The Virtual Hosts tab shown in Figure 7-18 is used to configure Apache to respond to requests for multiple web sites, for example, www.fedorabook.com and www.tylers.info. By default, a single entry is present, labeled Default Virtual Host.
Figure 7-18. Virtual host configuration
To edit an existing entry or add a new entry, use the Edit or Add buttons. In either case, the window shown on the right of Figure 7-18 will appear, with these tabs:
General Options
Enter the name of the virtual host (this information is only for your reference, so you can be as descriptive as you want), the Document Root directory that will store documents for this host, and the webmaster email address (if different from the default).
If you choose a Document Root that is not within /var/www/html and have SELinux active, you will need to change the security context of that directory (see Lab 8.2, "Using SELinux").
Page Options
When Apache receives a request for a directory (such as http://www.fedorabook.com/example/ ), it will search that directory for files that can serve as an index to the contents of that directory. Traditionally, the index is named index.html , but you may wish to use other names, such as index.php , home.html , or index.htm . Use the Directory Page Search List area of this tab to configure all of the possible names for the index file, in your desired order of precedence.
Apache is preconfigured with standard pages that are displayed when an error occurs. To override any of these pages and present a custom error message, highlight the page in the Error pages list and click Edit. A dialog box will appear; change the error message behavior from Default to File and enter the location of the page you wish to use (or select URL and specify the local URL of the web page). You can customize the footer displayed at the bottom of default error pages using the Default Error Page Footer control.
Logging
Apache maintains two logs per virtual host: a transfer log, which records what was sent to clients, and an error log, which records any problems encountered. By default, all virtual hosts will share one pair of logs, but to analyze statistics separately for each virtual host, you'll need to specify separate logfiles for each. To do this, change the "Log to file" name for the Transfer Log from logs/access_log to a name that includes an indication of the virtual hostname, such as logs/fedorabook_access_log. Do the same for the Error log, changing logs/error_log to logs/fedorabook_error_log. Alternately, you can consolidate logs from several servers using syslog by selecting the Use System Log option and entering the hostname or IP address of the syslog server.
The default logfile format does not contain referrer information, so you can't tell where your visitors are coming from or how they're navigating your site. To add this information, select the checkbox "Use custom logging facilities" and set the "Custom log string" to combined .
Performance
This tab should actually be named Permission, since it controls what is permitted in web directories. Click on the Edit button in the Default directory options section to edit the options for the virtual host's Document Root directory; available permission options include ExecCGI (run scripts), FollowSymLinks (follow symbolic links to files), Includes (process server-side include directives in files), IncludesNOEXEC (process server-side includes, except scripts), Indexes (use index files such as index.html when a directory is requested), MultiViews (enable content negotiation such as automatic language or image-type selection), and SymLinksIfOwnerMatch (follow symbolic links if the link and the target are owned by the same user).
To set the permissions for a particular directory, click the Add button in the lower part of the window (or, if the directory is already listed, click the Edit button). Enter the directory name in the Directory field at the bottom of the window and set the Options checkboxes for the options you wish to enable in this directory. By default, all remote computers (hosts) will have access to the content in this directory; the Allow and Deny list options can be used to permit (or deny) access only from certain hosts. The hosts can be identified by hostname (fedorabook.com), partial domain name (.com), IP address (192.168.100.1), or IP address and netmask or bit count ( 192.168.100.0/255.255.255.0 , or the equivalent 192.168.100.0/24 ).
To enable the use of .htaccess files, select the checkbox labeled "Let .htaccess override directory options."
There is also a tab for SSL (used for secure, encrypted web serving) and a tab for Environment, which is used to pass information to web scripts, but the options on those tabs are not used for basic web serving.
Once the virtual host is configured, click OK to return to the main HTTP configuration window ( Figure 7-17 ).
The Server and Performance Tuning tabs in the main HTTP configuration window do not normally require adjustment.
After configuring Apache, click OK to save your configuration (a confirmation dialog may appear).
The main Apache configuration information is stored in /etc/httpd/conf/httpd.conf. Additional configuration information is stored in the directory /etc/httpd/conf.d/. Per-module configuration files are automatically installed and removed along with Apache modules and web applications such as SquirrelMail.
httpd.conf is a regular text file and can be edited with any standard text editor. As mentioned earlier, I strongly recommend that you make a backup copy of this file before each change:
# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup-1
httpd.conf contains a number of directives , each of which consists of a name and one or more values, listed on a single line with a space after the name and each of the values. The directive names are not case-sensitive, but some of the values are. Values must be quoted if they contain spaces.
These directives are all equivalent:
ServerRoot /etc/httpd
ServerRoot "/etc/httpd"
ServerRoot '/etc/httpd'
SERVERROOT /etc/httpd/
serverroot /etc/httpd
To add a comment line, place a pound sign at the start of the line:
# Note: /etc/httpd is the standard Fedora server root.
Comments must be on a line by themselves.
Directives are global unless they are placed in a container, which limits the scope to which the directive applies. For example, the <Directory> container causes the contained directives to be applied only to a specific directory (and its subdirectories); here, the directives apply only to the contents of /var/www/html:
<Directory "/var/www/html">
Options Indexes Includes FollowSymLinks
AllowOverride None
Allow from all
Order allow,deny
</Directory>
The ServerRoot directive sets the directory that contains all files related to the Apache server (including configuration files, logs, modules, and runtime information) except the actual content being served. By default, all relative paths specified in httpd.conf are relative to this directory. The default is /etc/httpd:
ServerRoot "/etc/httpd"
The DocumentRoot directive sets the directory for files being served. Fedora's default is /var/www/html:
DocumentRoot "/var/www/html"
Changing DocumentRoot will require you to change the SELinux context of the new document root directory.
The ServerAdmin directive specifies an email address that can be used to reach the person responsible for running the web server. This address appears on certain error pages. This should be a valid address so that your web visitors can contact you if necessary, but since it can be harvested by web spiders, it is a good idea to use a disposable email address and change it regularly. The default value is root@localhost and should always be changed:
ServerAdmin webmaster@fedorabook.com
The IP address and port are configured with the Listen directive. The web server will normally listen to port 80 on all available network interfaces:
Listen 80
If necessary, you can specify an alternate port, or a specific IP address and a port:
Listen 8000
Listen 192.168.10.1:8000
The ServerName directive configures the name of the server and is necessary only if you are using a value different from the machine's fully qualified domain name:
ServerName www.fedorabook.com
Apache uses directory containers to control access to directories on your system. The root directory is configured first:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
The Options directive is critical: it specifies what is permitted in these directories. In this case, all access to the root directory and all subdirectories (in other words, the entire system) is prohibited except as the destination of symbolic links.
The next directory container loosens up the restrictions for /var/www/html and its subdirectories:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>
The values for the Options directive are selected from this list:
All
The default, which permits everything except for MultiViews .
ExecCGI
Permits execution of scripts.
FollowSymLinks , SymLinksIfOwnerMatch
If FollowSymLinks is specified, Apache will follow symbolic links which lead to or from this directory. If SymLinksIfOwnerMatch is specified, the link and the target must be owned by the same user.
Includes , IncludesNoExec
Files may include other files, with or without the ability ( Includes and IncludesNoExec , respectively) to execute those other files. Files that use this feature must have a name ending in .shtml and may include directives such as <!--#include virtual="footer.html" --> or <!--#exec cmd="/usr/bin/cal" --> to include the footer.html file or the output of the cal command, respectively.
Indexes
An index.html file usually serves as the index for a directory. If it is not present, and the Indexes option is enabled, Apache will generate an appropriate index page when required, listing the contents of the directory. If you do not wish your web visitor to know the contents of your directories, do not use this option.
MultiViews
Enables Apache to search for appropriate content based on file type, encoding, and language. For example, if the MultiViews option is in effect, Apache will select between index.html.en (English) and index.html.fr (French) files when index.html is requested, using the browser's language preference to select the most appropriate file.
Order , Allow , and Deny are directives that work together to define which remote users may access the directory. Order sets the order in which the Allow and Deny directives are used, and the value must be Allow,Deny or Deny,Allow (the default). The Allow and Deny directives accept a list of full or partial domain names, IP addresses, or IP addresses and netmask or network bit count.
For example, to enable access only from computers on your internal network, assuming your network is 12.200.X.X:
Order Deny,Allow
Deny from all
Allow from 12.200.0.0/16
On the other hand, you could enable access only from computers that are not in your internal network:
Order Allow,Deny
Allow from all
Deny from 12.200.0.0/255.255.0.0
Or you could exclude access from specific domains:
Order Allow,Deny
Allow from all
Deny from .gov ourcompetition.com
In each case the directive named second in Order is the one that wins when a client matches both lists, and it is also the default for clients that match neither list; so the narrow exception (the specific network or domains) must always be carried by the directive named second, and the broad "from all" rule by the one named first.
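The following evaluator is an added illustration, not code from the book or from Apache itself. It applies the Order, Allow and Deny semantics of Apache 2.2 to one client address so you can check a rule set before deploying it. The reverse-DNS table is constructed for the example (Apache performs a real reverse lookup, confirmed by a forward lookup, whenever a domain name appears in Allow or Deny). It also shows the classic mistake of writing the Order the wrong way round: Order Allow,Deny with "Allow from 12.200.0.0/16" and "Deny from all" denies every client, including the internal network, because the Deny is evaluated last.

```python
"""Evaluate Apache 2.2 Order/Allow/Deny rules for one client.

Added example, not code from the book or the Apache project.
"""
import ipaddress

# Constructed reverse-DNS table standing in for a real lookup (assumption).
REVERSE_DNS = {
    "12.200.4.9": "desk7.internal.example",
    "203.0.113.5": "mail.ourcompetition.com",
    "198.51.100.2": "www.agency.gov",
    "192.0.2.77": "host.example.net",
}


def _matches(pattern, ip, hostname):
    """True if one Allow/Deny value matches the client (IPv4 only here)."""
    pat = pattern.lower()
    if pat == "all":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pat:
        # Network with a prefix length (12.200.0.0/16) or a dotted
        # netmask (12.200.0.0/255.255.0.0); ip_network accepts both.
        return addr in ipaddress.ip_network(pat, strict=False)
    if pat.replace(".", "").isdigit():
        # Full address, or a partial address such as 12.200, which Apache
        # treats as a match on the leading octets.
        return ip == pat or ip.startswith(pat.rstrip(".") + ".")
    # Partial domain (".gov") or full domain ("ourcompetition.com"):
    # the client's name must be that domain or a host inside it.
    if hostname is None:
        return False
    host, dom = hostname.lower(), pat.lstrip(".")
    return host == dom or host.endswith("." + dom)


def access_allowed(order, allow, deny, ip, hostname=None):
    """Apply the Order semantics to lists of Allow and Deny values."""
    allowed = any(_matches(p, ip, hostname) for p in allow)
    denied = any(_matches(p, ip, hostname) for p in deny)
    key = order.replace(" ", "").lower()
    if key == "allow,deny":
        # Allow first; a Deny match then rejects; no match at all => denied.
        return allowed and not denied
    if key == "deny,allow":
        # Deny first; an Allow match then re-admits; no match at all => allowed.
        return allowed or not denied
    raise ValueError("Order must be Allow,Deny or Deny,Allow")


def evaluate(ip):
    """Run the three rule sets discussed in the text against one client."""
    host = REVERSE_DNS.get(ip)
    return {
        # Order Deny,Allow / Deny from all / Allow from 12.200.0.0/16
        "internal_only": access_allowed(
            "Deny,Allow", ["12.200.0.0/16"], ["all"], ip, host),
        # Order Allow,Deny / Allow from all / Deny from 12.200.0.0/255.255.0.0
        "external_only": access_allowed(
            "Allow,Deny", ["all"], ["12.200.0.0/255.255.0.0"], ip, host),
        # Order Allow,Deny / Allow from all / Deny from .gov ourcompetition.com
        "exclude_domains": access_allowed(
            "Allow,Deny", ["all"], [".gov", "ourcompetition.com"], ip, host),
    }


def swapped_order_pitfall(ip):
    """Order Allow,Deny / Allow from 12.200.0.0/16 / Deny from all: the Deny
    is evaluated last and matches everyone, so nobody gets in."""
    return access_allowed(
        "Allow,Deny", ["12.200.0.0/16"], ["all"], ip, REVERSE_DNS.get(ip))


if __name__ == "__main__":
    for client in REVERSE_DNS:
        print(client, evaluate(client), "swapped order admits:",
              swapped_order_pitfall(client))
```

Running it prints one line per constructed client; the internal host 12.200.4.9 is admitted only by the "internal_only" rule set, and the swapped-order variant admits nobody at all.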
The AllowOverride directive enables the use of a hidden file, .htaccess , which may be placed in directories to override the configuration of that directory and subdirectories. Although there are several possible values for this directive, it is normally set to None (no overrides are permitted) or AuthConfig (the .htaccess file can control whether a user ID and password are required to access the content of that directory).
The next set of directory containers configure special permissions for the icons, cgi-bin, and error directories in /var/www:
<Directory "/var/www/icons">
Options Indexes MultiViews
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order Allow,Deny
Allow from all
</Directory>
<Directory "/var/www/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order Allow,Deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback
</Directory>
These directories are not within the normal DocumentRoot and are instead made accessible through the use of Alias and ScriptAlias directives:
Alias /icons/ "/var/www/icons/"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
Alias /error/ "/var/www/error/"
These directives make the indicated directories appear to exist within the document tree; for example, a request for http://<hostname>/icons/text.png is fulfilled using the file /var/www/icons/text.png (instead of /var/www/html/icons/text.png ). This permits /var/www/html to remain uncluttered by icons, scripts, and error messages.
Since /cgi-bin/ is aliased using a ScriptAlias directive, it is assumed that all files in that directory are actually scripts (executable programs) rather than document files, regardless of their extension. In the default configuration, this is the only directory that may contain scripts, so you only have to look in one place to check for script vulnerabilities.
To permit each user to maintain her own web directory, find the UserDir section of httpd.conf:
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disable
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
#UserDir public_html
</IfModule>
Comment out the line that reads UserDir disable and uncomment the line which reads UserDir public_html :
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
#UserDir disable
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
UserDir public_html
</IfModule>
Then uncomment the container section <Directory /home/*/public_html> :
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
Each user can then create a ~/public_html directory and place her own personal content in that directory.
If you have SELinux enabled, each user will need to execute this command to make his content accessible to Apache:
$ chcon -R -t httpd_sys_content_t ~/public_html
Alternately, users can make their public_html content accessible to both Apache and Samba (see Lab 8.2, "Using SELinux").
Virtual hosting permits one web server to serve web pages for multiple hostnames. There are two ways of detecting which host a browser is trying to connect to: the web server can respond to multiple IP addresses and serve different content based on which IP address is used (IP-based virtual hosts), or the web server can serve the content based on the Host: header sent by the browser (name-based virtual hosts).
To configure name-based virtual hosts (the most common type), uncomment the NameVirtualHost directive in the httpd.conf file:
NameVirtualHost *:80
If you're using a port other than 80, enter it on this line.
Next, create a VirtualHost container for each virtual host. There is an example in the comments near the end of the httpd.conf file:
#<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>
Copy and uncomment these lines, substituting the correct values for these directives:
ServerAdmin
Insert the email contact for the administrator for this virtual host.
DocumentRoot
Enter the document root for this virtual host. If you're using SELinux, it is easiest to use subdirectories of /var/www/html for the virtual host document roots.
ServerName , ServerAlias
The main name of the web server and any assigned nicknames, respectively. These names must appear in the DNS entries for this host. It's a good idea to include common misspellings within your domain name, such as ww.fedorabook.com and wwww.fedorabook.com .
Your DNS configuration must include all of the hostnames used for ServerName and ServerAlias or be configured with a wildcard hostname (*).
ErrorLog , CustomLog
Set these to the name of the logfiles you wish to use for errors and for normal access, respectively. At the end of CustomLog , specify the logfile format combined so that referrer information is included in your logfile.
A completed virtual host container will look like this:
<VirtualHost *:80>
ServerAdmin webadministrator@fedorabook.com
DocumentRoot /var/www/html/fedorabook
ServerName fedorabook.com
ServerAlias www.fedorabook.com ww.fedorabook.com wwww.fedorabook.com
ErrorLog logs/fedorabook-error_log
CustomLog logs/fedorabook-access_log combined
</VirtualHost>
Fedora's default Apache configuration permits CGI scripts only in the /cgi-bin/ script alias directory, /var/www/cgi-bin/ . This makes it easy to keep an eye on all of the scripts, and many webmasters prefer this.
However, on a complex site with different web applications running, it is often desirable to group files by application, allocating one directory for each application and building a structure within that directory for the scripts, HTML, stylesheets, and multimedia files, rather than mixing the scripts for all of the applications together into a single directory.
To enable CGI scripts in every directory, uncomment the AddHandler directive for the .cgi extension in httpd.conf :
AddHandler cgi-script .cgi
Then add ExecCGI to the Options directive for the DocumentRoot :
<Directory "/var/www/html">
...
Options Indexes FollowSymLinks ExecCGI
...
</Directory>
Apache will then treat any file with a .cgi extension as a script.
If you want individual users to be able to run scripts, do the same for the ~/public_html directories:
<Directory /home/*/public_html>
...
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI
...
</Directory>
CGI scripts in users' ~/public_html directories will execute with that user's permission and will therefore be able to read and write any files that the user can read and write. This can be a huge security risk because a single web script can expose any file, email, or database on your system which that user can normally access.
In order to reduce the risk of a script that has been maliciously compromised, scripts that are writable by group or other users or contained in directories that are writable by group or others will not be executed by Apache, and an error message will be logged in /var/log/httpd/suexec.
Apache can be configured to password-protect content using two files: a password file and an .htaccess file.
Note that passwords are sent in unencrypted form over the network unless you use a secure (SSL) connection, so the security provided by this option is minimal.
First, configure Apache to permit the use of .htaccess files for authentication configuration. If you're using the graphical configuration tool, select the checkbox labeled "Let .htaccess files override directory options."
To configure this without using the graphical tool, add the AuthConfig keyword to the AllowOverride line in the appropriate directory container within httpd.conf :
<Directory "/var/httpd">
...
AllowOverride AuthConfig
...
</Directory>
This option is enabled by default for ~/public_html directories.
An .htaccess file is similar to an httpd.conf file, but it is placed in the directory that you wish to protect. Here is an example:
AuthType Basic
AuthName "team scores"
AuthUserFile /etc/httpd/team_scores_password
Require valid-user
The four directives in this file are required for basic password protection:
AuthType
Specifies the authentication type to be used. Basic indicates that a simple user ID/password pair will be used.
AuthName
Describes the type of data being protected by the password. Most browsers will include this text in the password dialog, as shown in Figure 7-19 .
AuthUserFile
The name of the password file.
Require
Normally set to valid-user , permitting any user with a valid password to access the protected content.
Figure 7-19. Browser dialog box showing the AuthName value
For security, the password file must be located outside of the directories served by Apache. It is managed with the htpasswd command; to create the file and set the first password, use the -c option and provide the password filename and user ID as arguments:
# htpasswd -c /etc/httpd/team_scores_password chris
New password:
bigsecret
Re-enter new password:
bigsecret
Adding password for user chris
Once the file has been created, leave out the -c option, or you'll erase existing entries:
# htpasswd /etc/httpd/team_scores_password diane
New password:
neverguess
Re-type new password:
neverguess
Adding password for user diane
If you prefer, you can include the password at the end of the command line (which works well for scripts) by adding the -b option:
# htpasswd -b /etc/httpd/team_scores_password frank TheBestPitcher
Adding password for user frank
If other users are logged in to the system, there is a small chance that they will be able to discover these passwords if you set them using the -b option because the command line is visible in the output of the ps command (although very briefly).
If you enter an existing user ID instead of a new one, the old password will be updated instead of creating a new record:
# htpasswd -b /etc/httpd/team_scores_password diane new-secret
Updating password for user diane
.htaccess files have traditionally been used for access control, and they work well for ~/public_html directories because users can configure them on their own. For directories in your document root, it's just as easy to place the authentication directives in a directory container in httpd.conf :
<Directory /var/www/html/scores/>
AuthType Basic
AuthName "team scores"
AuthUserFile /etc/httpd/team_scores_password
Require valid-user
</Directory>
Apache is the most widely used web server software in the world. It is actively developed by the Apache Software Foundation ( http://apache.org ) and can be scaled from a static personal web site on a desktop-class computer to a extremely high-volume database-backed web site running on clusters of computers.
In order to meet such a wide range of needs, Apache can be configured using over 370 distinct directives. Although many different graphical configuration tools have been developed, none of them can configure all directives or handle all possible deployment scenarios for the software.
The Fedora graphical configuration tool for Apache is named system-config-httpd . The options entered into the configuration dialogs are saved in XML and then converted into a working httpd.conf by using the XSLT transformation stylesheet /usr/share/system-config-httpd/httpd.conf.xsl . You can customize that file to change the generated httpd.conf file.
The actual Apache server program is /usr/sbin/httpd . It can be started or stopped with the service command or system-config-services , which use the Fedora-specific script file /etc/rc.d/init.d/httpd ; it can also be started and stopped with Apache tool /usr/sbin/ apachectl, but the SELinux security context will be different.
Apache listens on the configured ports and waits for incoming connections from client software such as web browsers. Once a connection is established, the client sends a request, plus additional headers with information such as the client software version and preferred languages and encodings, followed by a blank line. The server responds with a result code, additional headers, a blank line, and then the content requested (or an error message). In its most basic form, the conversation goes something like this (the first two lines are the request sent by the client; the lines from HTTP/1.1 200 OK through Content-Type are the response headers; and the rest of the listing is the body of the response):
GET /testfile.html HTTP/1.1
Host: www.fedorabook.com

HTTP/1.1 200 OK
Date: Wed, 01 Mar 2006 02:49:54 GMT
Server: Apache/2.2.0 (Fedora)
Last-Modified: Mon, 27 Feb 2006 21:25:54 GMT
ETag: "f0518-4a-5b0edc80"
Accept-Ranges: bytes
Content-Length: 85
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head><title>Test</title></head>
<body>
<i><p>Success!</p></i>
</body>
</html>
In an elementary configuration, Apache is responsible for mapping the web namespace to the local filesystem namespace, performing access control and logging, collecting the requested resource (either by reading a file or executing code), and sending the resource to the client.
Logfiles come in two forms: access logs and error logs. An access log in the default common format contains entries like these (all on one line):
24.43.223.54 - - [28/Feb/2006:22:01:33 -0500] "GET / HTTP/1.1" 200 956
The fields here are the IP address of the remote host (24.43.223.54); the remote user login name (-); the authenticated username on the local system (- , because the user did not authenticate); the date, time, and time zone of the request ([28/Feb/2006:22:01:33 -0500]); the request string (GET / HTTP/1.1); the status code returned to the client (200, meaning OK); and the number of bytes sent to the client (956).
If you use the combined log format, the entries will look like this:
24.43.223.54 - - [28/Feb/2006:22:01:33 -0500] "GET / HTTP/1.1" 200 956 "http://www.fedorabook.com/index.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060202 Fedora/1.0.7-1.2.fc4 Firefox/1.0.7"
The additional fields are the referring page, which linked to or contained the information requested ( http://www.fedorabook.com/index.html ), and the user agent header, which describes the client software (Firefox on a Fedora system in this case). The user agent information is interesting, but the referrer information is critical if you want to analyze where your visitors are coming from, which pages they visit first, and how they progress through your web site.
The error logfile contains entries like this:
[Tue Feb 28 22:01:33 2006] [error] [client 24.43.223.54] File does not exist: /var/www/html/favicon.ico
This indicates the date and time, the fact that this is an error, the client IP address, and the detail of the error.
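A parser for the three log line shapes just described, added here as an illustration rather than taken from the book or from Apache. It recognises common and combined access-log lines with one pattern, parses the error-log line, and summarises status codes and off-site referrers, which is the analysis the text says only the combined format can support. The first two access lines and the error line are the ones quoted above; the third access line (an authenticated 404 from a search engine) is constructed.

```python
"""Parse Apache access-log (common and combined) and error-log lines.

Added example, not code from the book or from Apache.
"""
import re
from collections import Counter
from datetime import datetime

ACCESS_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>[^\]]+)\] '
    r'(?:\[client (?P<client>[^\]]+)\] )?(?P<message>.*)$'
)

SAMPLE_ACCESS = [
    '24.43.223.54 - - [28/Feb/2006:22:01:33 -0500] "GET / HTTP/1.1" 200 956',
    ('24.43.223.54 - - [28/Feb/2006:22:01:33 -0500] "GET / HTTP/1.1" 200 956 '
     '"http://www.fedorabook.com/index.html" "Mozilla/5.0 (X11; U; Linux i686; '
     'en-US; rv:1.7.12) Gecko/20060202 Fedora/1.0.7-1.2.fc4 Firefox/1.0.7"'),
    # Constructed line: authenticated user, missing page, off-site referrer.
    ('192.0.2.10 - chris [28/Feb/2006:22:05:10 -0500] "GET /scores/ HTTP/1.1" '
     '404 - "http://search.example/?q=scores" "ExampleBot/1.0"'),
]
SAMPLE_ERROR = ('[Tue Feb 28 22:01:33 2006] [error] [client 24.43.223.54] '
                'File does not exist: /var/www/html/favicon.ico')


def parse_access(line):
    """Return a dict of the fields; works for common and combined format."""
    m = ACCESS_RE.match(line)
    if not m:
        raise ValueError("not a common/combined access-log line: %r" % line)
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = d["request"].split(" ")
    d["method"], d["path"], d["protocol"] = (parts + [None, None, None])[:3]
    d["format"] = "combined" if d["referer"] is not None else "common"
    for key in ("ident", "user", "referer"):
        if d[key] == "-":           # the log writes '-' for "not available"
            d[key] = None
    return d


def parse_error(line):
    """Return time, level, client (if present) and message of an error line."""
    m = ERROR_RE.match(line)
    if not m:
        raise ValueError("not an error-log line: %r" % line)
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], "%a %b %d %H:%M:%S %Y")
    return d


def summarize(lines, own_site="http://www.fedorabook.com/"):
    """Count status codes and the sites visitors arrived from.

    Referrers are only present in combined-format lines, which is why the
    text recommends that format for traffic analysis.
    """
    by_status, external_referrers = Counter(), Counter()
    for line in lines:
        rec = parse_access(line)
        by_status[rec["status"]] += 1
        ref = rec["referer"]
        if ref and not ref.startswith(own_site):
            external_referrers[ref.split("/")[2]] += 1
    return by_status, external_referrers


if __name__ == "__main__":
    for sample in SAMPLE_ACCESS:
        print(parse_access(sample))
    print(parse_error(SAMPLE_ERROR))
    print(summarize(SAMPLE_ACCESS))
```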
The problem with basic authentication is that the user ID and password travel in plain text across the network. Anyone snooping on the network can see the password.
A slightly better approach is to use digest authentication, which hashes the password before sending it across the network. This is still not nearly as secure as encrypting the connection.
To use digest authentication, use the same authentication configuration as you would for basic authentication, but substitute Digest for the AuthType :
AuthType Digest
AuthName "prices"
AuthUserFile /var/www/digest
Require valid-user
Create the password file using the htdigest command instead of htpasswd . htdigest requires one additional argument in front of the username, called the realm ; copy the value from the AuthName directive and use it for the realm. Here is an example:
# htdigest -c /var/www/digest prices chris
Adding password for chris in realm prices.
New password:
confidentialpassword
Re-type new password:
confidentialpassword
# htdigest /var/www/digest prices diane
Adding user diane in realm prices
New password:
bigsecret
Re-type new password:
bigsecret
htdigest does not accept the -b option used with htpasswd.
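The difference between the two schemes is easiest to see in the bytes themselves. The following added example (not code from the book or from Apache; the nonce is a constructed value) builds the Authorization header a browser sends for AuthType Basic and shows that it decodes straight back to the password, then computes the line htdigest stores (user:realm:HA1) and the RFC 2617 digest response, verified on the server side from the stored hash alone. The realm passed to htdigest must equal the AuthName value, and the last assertion in the usage note shows why.

```python
"""What Basic and Digest authentication put on the wire and on disk.

Added example, not code from the book or from Apache; the user names and
passwords are the ones used in the text, the nonce is constructed.
"""
import base64
import hashlib
import hmac


def md5hex(s):
    # Digest authentication (RFC 2617) is defined over MD5; that is a
    # protocol requirement, not a recommendation for new designs.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """The Authorization value a browser sends for AuthType Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_credentials(header_value):
    """Base64 is an encoding, not encryption: anyone who can read the
    header (which is why the text insists on SSL) recovers the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def htdigest_entry(user, realm, password):
    """The line htdigest stores: user:realm:HA1 with HA1 = MD5(user:realm:password).

    The password itself is never written to the file, and the realm must
    equal the AuthName value or the client's and server's HA1 will differ.
    """
    ha1 = md5hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def client_response(user, realm, password, method, uri, nonce):
    """What the browser computes from the typed password and the server's nonce."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    return digest_response(ha1, method, uri, nonce)


def server_verify(entry, method, uri, nonce, response):
    """The server recomputes the response from the stored HA1 and compares in
    constant time; the password never crosses the network in any form."""
    _user, _realm, ha1 = entry.split(":", 2)
    return hmac.compare_digest(digest_response(ha1, method, uri, nonce), response)


if __name__ == "__main__":
    print(basic_header("chris", "bigsecret"))
    print(basic_credentials(basic_header("chris", "bigsecret")))
    print(htdigest_entry("chris", "prices", "confidentialpassword"))
```

Note what the digest scheme does and does not buy you: the password is not exposed, but the response is bound only to the nonce, method and URI, so the content and everything else in the exchange still travel in the clear; an SSL connection is what protects the session as a whole.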
The Apache documentation from the Apache Software Foundation is on their web site at http://httpd.apache.org/docs/2.2/ and on the web server of any Fedora system at http://<hostname>/manual/ (to disable access to the manual, remove /var/www/manual ).
The manpages for httpd , htpasswd , htdigest , and httpd_selinux.
sendmail is a robust email server. Like Apache, it has an enormous number of configuration options to handle many different service scenarios, even though many of these scenarios are pretty rare. With a small amount of configuration, sendmail can be configured to handle most mail-serving tasks.
Fedora's default sendmail configuration will:
Start the sendmail service at each boot
Accept mail from local users for local mailboxes and place it in those mailboxes
Accept mail from local users for remote systems, place it in a queue, and attempt to deliver it directly to the remote mail hosts
This configuration may or may not work for you, depending on how you are connected to the Internet.
To configure sendmail easily, install the sendmail-cf package:
# yum install sendmail-cf
Changes to the sendmail configuration are made to the file /etc/mail/sendmail.mc . However, this isn't the sendmail configuration file! Instead, it's a file that is used to generate the sendmail configuration file, /etc/mail/sendmail.cf .
To generate a new sendmail.cf file:
# cd /etc/mail
# make
This must be done after each change is made to sendmail.mc . Reload the sendmail server to make your changes take effect:
# service sendmail reload
(You can also use the Restart button in the Services tool.)
Some Internet Service Providers (ISPs) block email traffic to all mail servers except their own. This is intended to block viruses that set themselves up as a mail server, but it also interferes with Fedora's default sendmail configuration, which expects to be able to send email directly to the destination system.
To configure sendmail to send your outbound email through your ISP's mail server, find the line in /etc/mail/sendmail.mc that contains the word SMART_HOST :
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST', `smtp.your.provider')dnl
In this file, dnl means discard to newline , which effectively turns this line into a comment. Uncomment the SMART_HOST line by removing the dnl and then replace smtp.your.provider with the name of your ISP's mail server:
define(`SMART_HOST', `mailserver.yourisp.com')dnl
Fedora's standard sendmail configuration does not accept email from remote systems, a feature that must be enabled if the system is going to act as an Internet email host.
To enable remote inbound connections, locate the line in sendmail.mc that contains the loopback address 127.0.0.1:
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Add dnl to the start of this line to comment it out:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
sendmail will then accept connections on all network interfaces and deliver mail that is addressed to a user on the local host. For example, if the hostname is bluesky.fedorabook.com , then email addressed to chris@bluesky.fedorabook.com will be delivered to the mailbox of the local user chris , which is /var/spool/mail/chris .
To configure sendmail to accept mail for other destinations, add those destinations to the file /etc/mail/local-host-names :
# local-host-names - include all aliases for your machine here.
fedorabook.com
mailserver.fedorabook.com
global.proximity.on.ca
Remember to enable inbound connections on port 25 (SMTP) in your firewall configuration.
There are many standard email addresses that people expect to be able to use: webmaster to reach the person responsible for the web server and content, abuse to report spam problems, info as a general information contact, and so forth. Mail sent to these standard addresses can be redirected to the mailbox of chosen users through the sendmail alias facility.
Aliases are configured in the file /etc/aliases , which looks like this:
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
adm: root
...(Lines snipped)...
info: postmaster
marketing: postmaster
sales: postmaster
support: postmaster
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
#root: marc
You'll notice that all of the standard aliases are redirected to root, but on most systems no one checks the root mailbox, so you should start by defining who is to receive mail addressed to root . Uncomment the last line of this file and replace marc with a valid user ID:
root: chris
Run the newaliases command after each edit to the /etc/aliases file to ensure that the changes are put into effect immediately:
# newaliases
/etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
Next, change any aliases that you do not wish to redirect to root , sending the mail to the user of your choice:
info: sam
marketing: frida
sales: angela
support: henry
Destination mailboxes do not have to be local:
abuse: hotline@global.proximity.on.ca
And it's possible to specify multiple destinations for an alias, separated by commas:
webmaster: frank, jason@fedorabook.com
This opens up the possibility of using aliases to create simple mailing lists. For example, all of your sales people could be reached through one address:
sales-team: angela, sue, mike, olgovie, george
sysadmins: nancy43252345234@hotmail.com,
        scott84353534534@gmail.com,
        george
Note that alias destinations can be on multiple lines.
You can create as many aliases as you want, whenever you want. Aliases are handy for creating disposable email addresses . I create batches of made-up addresses from time to time and use them when I register for a conference or web site, or when I enter a contest:
daa: chris
dab: chris
dac: chris
dad: chris
dae: chris
daf: chris
When I use one of these addresses, I record who I gave it to, and if I see spam arriving with that address, then I know who has been abusing my personal information. I can discontinue receiving mail at that address simply by removing the offending alias from the aliases file.
This strategy is also effective when publishing email addresses on a web site: simply change the address on the web site periodically, using a different disposable email address each time. If a spammer harvests your email address from the web page, it will be useful to them only for a short time.
Aliases (and regular user accounts) have one critical limitation: they apply to all of the domains for which sendmail is accepting mail. If you have a server that is accepting mail for fedorabook.com as well as global.proximity.on.ca , and you define an alias or create a user account named chris , then mail to chris@fedorabook.com and mail to chris@global.proximity.on.ca will end up in the same mailbox.
To overcome this limitation, use the /etc/mail/ virtusertable file to define where mail to each address should be sent. Each line in this file consists of an address, a space, and the destination. Here is an example:
chris@fedorabook.com chris
chris@global.proximity.on.ca chris7895378943683897@gmail.com
Note that the syntax for /etc/mail/virtusertable differs from the syntax for /etc/aliases: there are no colons, and only one destination address may appear in each entry.
virtusertable also permits the redirection of entire domains, by leaving out the username portion of the email address:
joe@fedorabook.com joseph
frank@fedorabook.com frank265897e93456738@hotmail.com
@fedorabook.com chris
The last entry will redirect all mail to the fedorabook.com domain to the local user chris , except for mail addressed to joe@fedorabook.com or frank@fedorabook.com (because they are listed first, and the file is processed in the sequence given).
Like /etc/mail/sendmail.mc , the virtusertable file must be processed before it is used:
# cd /etc/mail
# make
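The following script is an added example, not part of the book and not sendmail's own code. It models the two lookups described in this lab, virtusertable and /etc/aliases, over tables constructed inline from the entries shown above, and reports the mailbox or mailboxes where mail for a given address finally lands: the exact address is consulted before the @domain catch-all, alias destinations are split on commas and may continue onto indented lines, and every destination is fed back through the same lookup (a simplification of sendmail's own rewriting). The list of local hostnames, the ops/oncall alias pair (which point at each other) and the remote destinations are assumptions made for the example; the loop check exists because such a pair would otherwise never resolve.

```python
"""Where does mail for an address end up?  Added example (not from the book and
not sendmail's code): a model of the virtusertable and /etc/aliases lookups."""

# Constructed from the virtusertable entries shown above: exact address or
# @domain catch-all, one destination per line, '#' comments ignored.
VIRTUSERTABLE = """\
chris@fedorabook.com chris
chris@global.proximity.on.ca chris7895378943683897@gmail.com
joe@fedorabook.com joseph
frank@fedorabook.com frank265897e93456738@hotmail.com
@fedorabook.com chris
"""

# Constructed from the /etc/aliases entries shown above, plus an ops/oncall
# pair that points at itself (an assumed mistake, to show loop detection).
ALIASES = """\
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
root: chris
info: postmaster
webmaster: frank, jason@fedorabook.com
sysadmins: nancy43252345234@hotmail.com,
    scott84353534534@gmail.com,
    george
ops: oncall
oncall: ops
"""

# Assumed contents of /etc/mail/local-host-names for this example.
LOCAL_HOST_NAMES = ["fedorabook.com", "mailserver.fedorabook.com",
                    "global.proximity.on.ca", "bluesky.fedorabook.com"]


def parse_virtusertable(text):
    """Return two dicts: exact 'user@domain' -> dest and '@domain' -> dest."""
    exact, catchall = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, dest = line.split(None, 1)               # address, whitespace, one destination
        table = catchall if key.startswith("@") else exact
        table.setdefault(key.lower(), dest.strip())   # first entry for a key wins
    return exact, catchall


def parse_aliases(text):
    """Return {alias: [destinations]}; a line starting with whitespace continues
    the previous alias, and destinations are separated by commas."""
    aliases, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            aliases[current] += _dests(raw)
        else:
            name, dests = raw.split(":", 1)
            current = name.strip().lower()
            aliases[current] = _dests(dests)
    return aliases


def _dests(s):
    return [d.strip() for d in s.split(",") if d.strip()]


class MailRouter:
    def __init__(self, virtusertable, aliases, local_host_names):
        self.exact, self.catchall = parse_virtusertable(virtusertable)
        self.aliases = parse_aliases(aliases)
        self.local = {h.lower() for h in local_host_names}

    def resolve(self, address, _seen=None):
        """Return the set of final mailboxes for one address: 'user' for a
        local mailbox, 'user@domain' for mail handed off to another host."""
        seen = set() if _seen is None else _seen
        address = address.strip().lower()
        if address in seen:                    # alias loop: stop expanding
            return set()
        seen.add(address)
        if "@" in address:
            local, domain = address.rsplit("@", 1)
            dest = self.exact.get(address) or self.catchall.get("@" + domain)
            if dest is not None:               # virtusertable rewrote the address
                return self.resolve(dest, seen)
            if domain not in self.local:       # not one of ours: leaves this host
                return {address}
            address = local
        if address in self.aliases:
            out = set()
            for d in self.aliases[address]:
                out |= self.resolve(d, seen)
            return out
        return {address}


if __name__ == "__main__":
    router = MailRouter(VIRTUSERTABLE, ALIASES, LOCAL_HOST_NAMES)
    for addr in ["postmaster", "webmaster@bluesky.fedorabook.com", "anyone@fedorabook.com", "ops"]:
        boxes = router.resolve(addr)
        print(f"{addr:36} -> {', '.join(sorted(boxes)) or 'LOOP, never delivered'}")
```

Run it after each edit to the tables, alongside newaliases or make: an alias that resolves to an empty set is a loop, and on a system where nobody reads root's mailbox, any alias that still resolves to root is one to redirect before relying on it.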
sendmail includes masquerading capability, which enables outbound mail to be modified so that it looks like it came from another system. This is commonly used to remove hostname information from the email address. To configure bluesky.fedorabook.com so that outbound mail appears to be from user @fedorabook.com instead of user @bluesky.fedorabook.com , locate the MASQUERADE_AS line in /etc/mail/sendmail.mc :
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
Uncomment the MASQUERADE_AS line and replace mydomain.com with the domain name you wish to use:
MASQUERADE_AS(`fedorabook.com')dnl
Fedora's email system, like most others, is divided into three parts:
mail transport agent (MTA)
Transports mail between systems. sendmail is the default MTA.
mail delivery agent (MDA)
Delivers mail to local users, optionally performing filtering or sending vacation replies ("Jane is away from the office until Monday; she will read and reply to your mail when she returns"). Fedora uses procmail in this role.
mail user agent (MUA)
The email client that interacts with the user. A Fedora user can choose from many different MUAs, including Evolution, Thunderbird, SquirrelMail, and the text-based mail command.
Originally written when a wide range of email transportation schemes were in use, sendmail is designed to route mail through and between these different systems, each with their own address format and message queuing system. Because of this heritage, sendmail has a sophisticated and complex configuration system, but many of the configuration options are not used for Internet email servers.
sendmail is now used almost exclusively with the Simple Mail Transport Protocol (SMTP), which is a human-readable transfer protocol that uses TCP/IP connections on port 25. You can use telnet to connect to an SMTP server and manually send mail if you want:
$ telnet concord2.proximity.on.ca smtp
Trying 127.0.0.1...
Connected to concord2.proximity.on.ca (127.0.0.1).
Escape character is '^]'.
220 concord2.proximity.on.ca ESMTP Sendmail 8.13.5/8.13.5; Thu, 2 Mar 2006 13:07:11 -0500
EHLO fedorabook.com
250- concord2.proximity.on.ca Hello concord8.proximity.on.ca [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL From: chris@fedorabook.com
250 2.1.0 chris@fedorabook.com... Sender ok
RCPT To: chris@concord2.proximity.on.ca
250 2.1.5 chris@concord2.proximity.on.ca... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: Greetings!
Date: Thu, Mar 2006 12:08:11 -0500

Hi there -- just dropping you a quick note via telnet. Hope your day is going well.
-Chris.
.
250 2.0.0 k22I7BTo016133 Message accepted for delivery
QUIT
221 2.0.0 concord2.proximity.on.ca closing connection
Notice the blank line separating the email headers from the message body, just like HTTP transfers. The HTTP format is derived from the email format.
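The exchange shown above, as an added Python example that is not the book's code and not sendmail's: a minimal server-side SMTP state machine that answers the same command sequence, refuses commands sent out of order (MAIL before EHLO, RCPT before MAIL, DATA without a recipient), applies the transparency rule for body lines that begin with a dot, and hands the collected text to the standard library's email parser, which splits headers from body at the blank line. The hostname default, the scripted client session and its Date line are constructed for the example.

```python
"""Minimal SMTP server-side state machine.  Added example (not from the book and
not sendmail's code), driven by scripted client lines instead of a socket."""

import email
from email import policy


def _address(arg):
    """Extract the bare address from 'FROM:<a@b>' or 'From: a@b' (both accepted)."""
    _, _, rest = arg.partition(":")
    return rest.strip().strip("<>")


class MiniSmtp:
    def __init__(self, hostname="mail.example.test"):   # placeholder hostname
        self.hostname = hostname
        self.greeting = f"220 {hostname} ESMTP ready"
        self.helo = None
        self.in_data = False
        self.data_lines = []
        self.accepted = []          # (sender, recipients, parsed message) per delivery
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender, self.recipients = None, []

    def feed(self, line):
        """Process one client line; return the reply, or None while collecting DATA."""
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo = arg.strip()
            self._reset_envelope()
            return f"250-{self.hostname} Hello {self.helo}, pleased to meet you\r\n250 HELP"
        if verb == "MAIL":
            if self.helo is None:
                return "503 5.5.1 Bad sequence: need EHLO before MAIL"
            self.sender = _address(arg)
            return f"250 2.1.0 {self.sender}... Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Bad sequence: need MAIL before RCPT"
            self.recipients.append(_address(arg))
            return f"250 2.1.5 {self.recipients[-1]}... Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Bad sequence: need RCPT before DATA"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 2.0.0 {self.hostname} closing connection"
        return "500 5.5.1 Command unrecognized"

    def _data_line(self, line):
        if line == ".":                      # a lone dot ends the message text
            self.in_data = False
            msg = email.message_from_string("\n".join(self.data_lines) + "\n",
                                            policy=policy.default)
            self.accepted.append((self.sender, list(self.recipients), msg))
            self.data_lines = []
            self._reset_envelope()
            return "250 2.0.0 Message accepted for delivery"
        # Transparency rule: a client doubles a leading "." so the line is not
        # mistaken for the terminator; the server removes that extra dot.
        self.data_lines.append(line[1:] if line.startswith("..") else line)
        return None


def run_session(server, client_lines):
    """Drive the state machine with a scripted client; return (sent, reply) pairs."""
    transcript = [("", server.greeting)]
    for line in client_lines:
        reply = server.feed(line)
        if reply is not None:
            transcript.append((line, reply))
    return transcript


# Constructed client script following the telnet session above (the Date line
# and the dotted body line are made up for the example).
SESSION = [
    "EHLO fedorabook.com",
    "MAIL From: chris@fedorabook.com",
    "RCPT To: chris@concord2.proximity.on.ca",
    "DATA",
    "Subject: Greetings!",
    "Date: Thu, 2 Mar 2006 12:08:11 -0500",
    "",                                       # blank line: headers end here
    "Hi there -- just dropping you a quick note via telnet.",
    "..not a terminator: a body line that really starts with a dot",
    "-Chris.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    server = MiniSmtp("concord2.proximity.on.ca")
    for sent, reply in run_session(server, SESSION):
        print(f"C: {sent}\nS: {reply}" if sent else f"S: {reply}")
    sender, rcpts, msg = server.accepted[0]
    print("subject:", msg["Subject"], "| body:", msg.get_payload().strip())
```

The envelope (MAIL and RCPT) and the header lines inside DATA are independent: nothing in this exchange checks that the From: header matches the MAIL sender, which is why an open relay on port 25 is worth avoiding and why the masquerading and firewall notes earlier in this lab matter.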
You can also send mail by sending it to the standard input of a sendmail process:
$ /usr/bin/sendmail chris@concord2.proximity.on.ca
Subject: Test II

Did you remember to renew the domain registration?
If not, please take care of this before next Tuesday.
[Ctrl-D]
Outbound mail is queued in /var/spool/mqueue /. Inbound mail is delivered via procmail to users' mailboxes in /var/spool/mail/ . The mailboxes are simply text files containing all of the messages concatenated end to end; this format is sometimes called mbox format .
The /etc/mail/sendmail.mc file used for configuration is an m4 macro file. It is interpreted by the m4 command using files in /usr/share/sendmail-cf/m4/ to build /etc/mail/sendmail.cf . While it is possible to construct the sendmail.cf file by hand, it's typically eight times as long as the sendmail.mc file and uses a very cryptic structure. Here's a snippet:
R< > $+			$: < > < $1 <> $&h >	nope, restore +detail
R< > < $+ <> + $* >	$: < > < $1 + $2 >	check whether +detail
R< > < $+ <> $* >	$: < > < $1 >		else discard
R< > < $+ + $* > $*	< > < $1 > + $2 $3	find the user part
R< > < $+ > + $*	$#local $@ $2 $: @ $1	strip the extra +
R< > < $+ >		$@ $1			no +detail
R$+			$: $1 <> $&h		add +detail back in
Most system administrators would much rather deal with sendmail.mc than sendmail.cf .
Postfix is an alternate MTA shipped as part of Fedora. For most users, sendmail will work well, but if you are familiar with Postfix configuration you may want to use it instead.
You can easily switch between sendmail and Postfix using the alternatives command:
# alternatives --config mta
There are 2 programs which provide 'mta'.
Selection Command
-----------------------------------------------
*+ 1 /usr/sbin/sendmail.sendmail
2 /usr/sbin/sendmail.postfix
Enter to keep the current selection[+], or type selection number:
2
You can also switch graphically, using the system-switch-mail command available through the menu option System→Administration→Mail Transport Agent Switcher (this requires the somewhat obscure package system-switch-mail). The window shown in Figure 7-20 will be displayed; select the MTA you wish to use and click OK.
Figure 7-20. The Mail Transport Agent Switcher tool.
If you're using Fedora at a location that does not have a permanent Internet connection with a static IP address, incoming email cannot be delivered directly to sendmail. Instead, you'll have to arrange for the email to be delivered to mailboxes on another system and then pick up the mail from that system.
Many MUAs such as Evolution will directly access remote mailboxes, but sometimes you want to have that mail flow through the local mail system so that alias handling and procmail processing take place.
Fetchmail can retrieve mail from a remote mailbox and feed it to sendmail on the local system. To configure Fetchmail, create the file ~/.fetchmailrc using a text editor. Here is a simple configuration:
# Check for email at five-minute (300-second) intervals
set daemon 300
# Poll the system fedorabook.com using the POP3 protocol
poll fedorabook.com with protocol POP3 :
# Describe how the usernames on this machine relate
# to the usernames on fedorabook.com
user chris here is chris.tyler there, password "FedoraRules!"
user diane here is diane.tyler there, password "BiggestSecret";
This will fetch the mail for two users from one server using the Post Office Protocol, Version 3 (POP3). Fetchmail can retrieve mail using many different protocols and has an uncommonly readable configuration syntax; consult its extensive manpage for the gritty details.
Once you have set up the ~/.fetchmailrc file, execute the fetchmail command:
$ fetchmail
It will run in the background until you stop it by running fetchmail with the -q option:
$ fetchmail -q
fetchmail: background fetchmail at 8025 killed.
To make fetchmail run automatically whenever you log in, place it in your ~/.bash_profile.
The manpages for sendmail , procmail , procmailrc , fetchmail , procmailex , and postfix (check the See Also section for a long list of other manpages related to postfix )
The files in the /usr/share/doc/sendmail* , /usr/share/doc/fetchmail* , /usr/share/doc/procmail* , and /usr/share/doc/postfix* directories
The sendmail web site: http://www.sendmail.org
The fetchmail web site: http://www.catb.org/~esr/fetchmail
The procmail web site: http://www.procmail.org
The postfix web site: http://www.postfix.org
RFC 2142 defines a standard list of aliases that should exist on any Internet server: http://www.ietf.org/rfc/rfc2142.txt
Having mail delivered to the system mailboxes in /var/spool/mail is fine as long as the users are using an MUA running on the Fedora system. If a user is running his MUA on another system (Evolution on another Fedora system in the local network, or perhaps Outlook on a Windows machine), then the user needs IMAP or POP3 access to the remote mailbox.
Fedora's Dovecot server provides IMAP and POP3 access.
When freshly installed, Dovecot will not successfully start. Dovecot requires security certificates to enable encrypted communications. There are three solutions to this problem:
Buy a certificate
A certificate is signed by a certificate authority (CA), who (theoretically) is trusted by both the client and server. The CA certifies that the parties to whom certificates are issued are who they say they are, therefore eliminating the possibility of a malicious party between the client and the server masquerading as the server.
Buying a certificate is not covered in this lab.
Create your own certificate
Because there is no way to verify the authenticity of the certificate (whether unsigned or self-signed) with a third party, most client programs will present a warning dialog every time a certificate of this type is encountered. However, the connection will still be encrypted.
Disable encryption
In all cases, whether encryption is disabled or not, Dovecot will accept unencrypted connections. If you are in a secure environment (for example, where the only client connecting to the Dovecot server is SquirrelMail on the local machine, or connections are made over a reasonably secure LAN such as a wired home network), you may decide to forgo encryption altogether.
First, edit the file /etc/pki/dovecot/dovecot-openssl.cnf and find the CN= and emailAddress= lines:
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
# country (2 letter code)
#C=FI
# State or Province Name (full name)
#ST=
# Locality Name (eg. city)
#L=Helsinki
# Organization (eg. company)
#O=Dovecot
# Organizational Unit Name (eg. section)
OU=IMAP server
# Common Name (*.example.com is also possible)
CN=imap.example.com
# E-mail contact
emailAddress=postmaster@example.com
[ cert_type ]
nsCertType = server
Edit these two lines to contain the hostname of the system and the mail administrator's email address:
# Common Name (*.example.com is also possible)
CN=bluesky.fedorabook.com
# E-mail contact
emailAddress=postmaster@fedorabook.com
Then generate the certificates:
# SSLDIR=/etc/pki/dovecot /usr/share/doc/dovecot-1.0/examples/mkcert.sh
To disable encryption, edit /etc/dovecot.conf and locate the ssl_disable line:
# Disable SSL/TLS support.
#ssl_disable = no
Uncomment this line and change the value to yes :
# Disable SSL/TLS support.
ssl_disable = yes
Start the dovecot service using the Services tool or from the command line:
# service dovecot start
If you are going to use IMAP or POP3 remotely, you will need to open some ports in your firewall. For IMAP, open ports for the IMAP and IMAPS services (TCP ports 143 and 220); for POP3, open the POP3 and POP3S ports (TCP ports 110 and 995).
On the other hand, if you will be using the IMAP and POP3 services only with local applications such as SquirrelMail or local MUAs such as Evolution, you should close the IMAP and POP3 ports on your firewall.
Dovecot enables MUAs to access mailboxes over a network connection using the POP3 or IMAP protocols. POP3 is primarily used to fetch mail from a mailbox so that it can be used elsewhere; IMAP is used to manipulate email messages and folders while leaving them on the server.
Like SMTP, POP3 is a human-readable protocol, and you can use telnet to manually conduct a POP3 session to see how it works:
$ telnet bluesky.fedorabook.com pop3
Trying 172.16.97.102...
Connected to 172.16.97.102 (172.16.97.102).
Escape character is '^]'.
+OK Dovecot ready.
USER chris
+OK
PASS bigsecret
+OK Logged in.
LIST
+OK 2 messages:
1 615
2 609
.
RETR 1
+OK 616 octets
Return-Path: <root@localhost.localdomain>
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by localhost.localdomain (8.13.5/8.13.5) with ESMTP id k232Hf26026693
for <chris@localhost.localdomain>; Thu, 2 Mar 2006 21:17:41 -0500
Received: (from root@localhost)
by localhost.localdomain (8.13.5/8.13.5/Submit) id k232HfOb026692
for chris; Thu, 2 Mar 2006 21:17:41 -0500
Date: Thu, 2 Mar 2006 21:17:41 -0500
From: Jason Smith <root@localhost.localdomain>
Message-Id: <200603030217.k232HfOb026692@localhost.localdomain>
To: chris@localhost.localdomain
Subject: Book Cover
Nice!
.
QUIT
+OK Logging out.
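The POP3 session above and the mbox mailbox format described earlier in this chapter, as one added Python example (not the book's code and not Dovecot's): the mailbox text is constructed inline in mbox format (the first message is the one the RETR reply shows, the second is made up to exercise the dot rule), parsed with the standard library's mailbox module, and served by a small POP3 responder implementing USER, PASS, STAT, LIST, RETR, DELE and QUIT. The username/password table is an assumption for the demo. Two details are easier to see in code than in the transcript: PASS carries the password in clear text, which is why the encryption choice in the Dovecot lab matters, and the responder returns the same error for an unknown user and a wrong password so the login step does not confirm which usernames exist.

```python
"""mbox parsing plus a minimal POP3 responder.  Added example (not from the
book and not Dovecot's code); driven by scripted client lines, not a socket."""

import mailbox
import os
import tempfile

# Constructed mailbox in mbox format: messages concatenated end to end, each
# introduced by a "From " separator line.
RAW_MBOX = """\
From root@localhost.localdomain Thu Mar  2 21:17:41 2006
Return-Path: <root@localhost.localdomain>
Date: Thu, 2 Mar 2006 21:17:41 -0500
From: Jason Smith <root@localhost.localdomain>
To: chris@localhost.localdomain
Subject: Book Cover

Nice!

From root@localhost.localdomain Thu Mar  2 21:20:00 2006
Date: Thu, 2 Mar 2006 21:20:00 -0500
From: root@localhost.localdomain
To: chris@localhost.localdomain
Subject: Second message

.A body line beginning with a dot must be stuffed on the wire.
Done.

"""


def load_mbox(text):
    """Parse mbox text with the standard library; return each message as RFC 822 text."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    box = mailbox.mbox(path)
    try:
        return [m.as_string() for m in box]   # as_string() omits the "From " separator
    finally:
        box.close()
        os.unlink(path)


class MiniPop3:
    """One POP3 session; feed() takes a client line and returns the reply lines."""

    def __init__(self, messages, users):
        # POP3 counts octets with CRLF line endings, so normalise once.
        self.msgs = [m.replace("\r\n", "\n").replace("\n", "\r\n") for m in messages]
        self.users = users          # {username: password}, constructed for the demo
        self.user, self.authed, self.deleted = None, False, set()

    def feed(self, line):
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "USER":
            self.user = arg
            return ["+OK"]
        if verb == "PASS":
            # The password arrives in clear text here: without TLS (POP3S) this
            # is exactly what anyone on the network path can read.
            if self.user is not None and self.users.get(self.user) == arg:
                self.authed = True
                return ["+OK Logged in."]
            return ["-ERR Authentication failed."]   # same reply for bad user or bad password
        if verb == "QUIT":
            # Deletions are applied only now (the update state), never at DELE time.
            self.msgs = [m for i, m in enumerate(self.msgs, 1) if i not in self.deleted]
            return ["+OK Logging out."]
        if not self.authed:
            return ["-ERR Not authenticated."]
        live = {i: m for i, m in enumerate(self.msgs, 1) if i not in self.deleted}
        if verb == "STAT":
            return [f"+OK {len(live)} {sum(len(m) for m in live.values())}"]
        if verb == "LIST":
            return [f"+OK {len(live)} messages:"] + [f"{i} {len(m)}" for i, m in live.items()] + ["."]
        if verb in ("RETR", "DELE"):
            n = int(arg) if arg.isdigit() else 0
            if n not in live:
                return ["-ERR No such message."]
            if verb == "DELE":
                self.deleted.add(n)
                return [f"+OK Marked message {n} for deletion."]
            # Byte-stuffing: prefix a dot to any line that starts with one, so the
            # client can tell it from the lone "." that ends the reply.
            body = live[n].rstrip("\r\n").split("\r\n")
            return [f"+OK {len(live[n])} octets"] + ["." + l if l.startswith(".") else l for l in body] + ["."]
        return ["-ERR Unknown command."]


if __name__ == "__main__":
    session = MiniPop3(load_mbox(RAW_MBOX), {"chris": "bigsecret"})
    for cmd in ["USER chris", "PASS bigsecret", "LIST", "RETR 2", "DELE 1", "QUIT"]:
        print("C:", cmd)
        print("\n".join("S: " + r for r in session.feed(cmd)))
```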
IMAP is also human-readable, but a bit more complex.
In its default configuration, Dovecot uses the input mailboxes in /var/spool/mail as the IMAP INBOX folder and the POP3 data source. This ensures that other applications (such as a local MUA like Evolution) can be used to access the same messages.
Dovecot creates other IMAP folders (those other than INBOX) in the user's home directory.
The Dovecot web site: http://dovecot.org
The Dovecot Wiki: http://wiki.dovecot.org
Documentation in /usr/share/doc/dovecot*
The manpages for openssl , the library that handles encryption for dovecot
When you're on the move, it's nice to have consistent access to your email. If you set up SquirrelMail, you'll be able to access your email from any web browser.
Before you set up SquirrelMail, you'll need a working Apache configuration and the Dovecot IMAP server.
If you're using SELinux, you must permit web scripts to create network connections. Use the graphical SELinux configuration tool or enter this command:
# setsebool -P httpd_can_network_connect 1
If Apache was running before you installed SquirrelMail, you'll need to restart or reload it so that it notices the SquirrelMail alias directive:
# service apache reload
Unless you have other computers on your local network that need to access IMAP, you can restrict remote access to the IMAP server using Fedora's firewall facilities.
You can now use SquirrelMail by accessing https://<hostname>/webmail . The web page shown in Figure 7-21 should appear.
If you are using the default Apache SSL certificate (which is automatically set up by default), you will get a warning from your browser when you first connect using https.
You can instead access http://<hostname>/webmail to avoid that warning message, but your passwords and email may be read if someone intercepts your network communication.
Figure 7-21. SquirrelMail login page
Once you enter your user ID and password, the main inbox display will appear, as shown in Figure 7-22 .
Figure 7-22. SquirrelMail inbox page
SquirrelMail is a set of PHP scripts that reside in the directory /usr/share/squirrelmail . The file /etc/httpd/conf.d/squirrelmail.conf contains an Alias directive, which aliases that directory to http://<hostname>/webmail . When a user attempts to log in, the PHP scripts contact the local Dovecot IMAP server and try to log in with the same user ID and password. Because the authentication information is passed directly to the IMAP server, SquirrelMail doesn't need an authentication mechanism of its own. Once connected to the IMAP server, SquirrelMail accesses your mailbox contents, reformats the messages into web pages, and passes them back to Apache for delivery to the browser.
SquirrelMail also installs a daily cron job through the file /etc/cron.daily/squirrelmail.cron ; this cron job cleans up any temporary files that have been left lying around for more than 10 days.
You can change individual user preferences using the Option link within the SquirrelMail web interface.
Global SquirrelMail configuration is performed by running the script /usr/share/squirrelmail/config/conf.pl . You will be greeted with a menu:
# /usr/share/squirrelmail/config/conf.pl
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color off
S Save data
Q Quit
Command >>
Type the number or letter of the option you wish to configure; then press Enter and follow the instructions on the screen. For example, to change the default theme:
Command >> 5
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Themes
1. Change Themes
Default Plain Blue
Sand Storm Deep Ocean
...(Lines snipped)...
Random (Changes every login) Midnight
Penguin
2. CSS File :
R Return to Main Menu
C Turn color off
S Save data
Q Quit
Command >> 1
Define the themes that you wish to use. If you have
added a theme of your own, just follow the instructions
(?) about how to add them. You can also change the
default theme.
[theme] command (?=help) > ?
.-------------------------.
| t (detect themes) |
| + (add theme) |
| - N (remove theme) |
| m N (mark default) |
| l (list themes) |
| d (done) |
`-------------------------'
[theme] command (?=help) > l
* 0. Default (../themes/default_theme.php)
1. Plain Blue (../themes/plain_blue_theme.php)
2. Sand Storm (../themes/sandstorm_theme.php)
3. Deep Ocean (../themes/deepocean_theme.php)
4. Slashdot (../themes/slashdot_theme.php)
...(Lines snipped)...
31. Midnight (../themes/midnight.php)
32. Alien Glow (../themes/alien_glow.php)
33. Dark Green (../themes/dark_green.php)
34. Penguin (../themes/penguin.php)
[theme] command (?=help) > m 32
[theme] command (?=help) > d
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Themes
1. Change Themes
Default Plain Blue
Sand Storm Deep Ocean
...(Lines snipped)...
Random (Changes every login) Midnight
Alien Glow Dark Green
Penguin
2. CSS File :
R Return to Main Menu
C Turn color off
S Save data
Q Quit
Command >> s
Data saved in config.php
Press enter to continue...
[Enter]
Command >> q
Exiting conf.pl.
You might want to test your configuration by browsing to
http://your-squirrelmail-location/src/configtest.php
Happy SquirrelMailing!
SquirrelMail has been designed to work regardless of whether JavaScript is enabled.
The SquirrelMail web site: http://www.squirrelmail.org/
The documentation files in /usr/share/doc/squirrelmail*
MySQL is an open source database system that has become very popular due to its high performance, lightweight design, and open source license.
Many software packages, including web applications such as the Serendipity blog software ( http://www.s9y.org/ ), use MySQL to store data. In order to use these programs, you will need to create a MySQL database and access account.
First, you'll need to select names for your database and access account; for this example, let's use chrisblog for the database name and chris for the access account. Both names should start with a letter, contain no spaces, and be composed from characters that can be used in filenames.
To create the database and account, use the mysql monitor program:
# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.18
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database chrisblog;
Query OK, 1 row affected (0.01 sec)
mysql> grant all privileges on chrisblog.* to 'chris'@'localhost' identified by 'SecretPassword';
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
Make sure that the mysqld service is running!
You can then enter the database, access account, and password information into the configuration of whatever software will use MySQL.
MySQL recommends that you add a password to root's access of the MySQL server. You can do that with these commands (\ indicates that text continues on the following line):
# /usr/bin/mysqladmin -u root password 'Secret'
# /usr/bin/mysqladmin -u root -h $(hostname) \
password 'Secret'
Secret is the root password that you wish to use. After you enable the root password, you'll need to use the -p option to mysql so that you are prompted for the password each time:
# mysql -p
For example, to install Serendipity:
1. Download the Serendipity software from http://www.s9y.com and place it in the /tmp directory.
2. Unpack the Serendipity software in the /var/www/html directory:
# cd /var/www/html
# tar xvzf /tmp/serendipity*.tar.gz
3. Access that directory through a web browser at http://<hostname>/serendipity . You will see the initial verification page shown in Figure 7-23 .
Figure 7-23. Serendipity Installation verification page
4. If there are any permission errors, correct them using the instructions on the page and then click the Recheck Installation link at the bottom of the page. Once the check is successful, click on the Simple Installation link.
5. As shown in Figure 7-24 , enter the database, hostname, access account (database user), and password that you created in the MySQL database. Fill in the other fields, such as the blog title and the username and password you wish to use to administer the blog, using values of your choosing. Click on the Complete Installation link at the bottom of the page.
6. Figure 7-25 shows the confirmation page that appears. Click on the link labeled "Visit your new blog here" to see your initial blog page, shown in Figure 7-26 .
Figure 7-24. Serendipity Installation page
Figure 7-25. Serendipity Installation confirmation page
Figure 7-26. Serendipity blog front page
MySQL is a Structured Query Language (SQL) database server. It provides rapid access to large sets of structured data, such as customer lists, sports scores, student marks, product catalogs, blog comments, or event schedules. The MySQL database runs as a server daemon named mysqld , and many different types of software can connect to the server to access data.
Connections to the database server are made through the network socket /var/lib/mysql/mysql.sock (local connections) or on the TCP port 3306 (remote connections). If the MySQL server is running on the same machine as your application, you should leave port 3306 closed in your firewall configuration, but you must open it if you separate the MySQL server and the application onto different machines (which you might do for performance reasons if you're using the database heavily).
The mysql monitor command is a very simple command-line interface to the MySQL server. It permits you to enter commands to the server and to see the results of those commands on your screen.
MySQL data is stored in /var/lib/mysql ; each database is stored in a separate subdirectory.
Most scripting and programming languages have modules to access MySQL data. For example, you can use the database driver (DBD) module DBD::mysql to access the basic database interface (DBI) abstraction layer to work with databases in Perl. For details on writing software that accesses a MySQL database, see Chapter 22 in the MySQL documentation ( http://dev.mysql.com/doc/refman/5.0/en/apis.html ).
The manpages for mysqld , mysql , mysqladmin , mysqldump , and mysqlshow
The MySQL manual: http://www.mysql.com/doc
Documentation on the Perl DBI module: perldoc DBI
Documentation on the PHP MySQL functions: http://ca.php.net/mysql
A Wiki is a series of web pages that can be easily edited using only a web browser, a simple and convenient way of producing a collaborative web site. Perhaps the most impressive examples of Wikis are those operated by the Wikimedia Foundation ( http://wikimedia.org ), including Wikipedia, the Wiktionary, and WikiBooks.
Fedora Extras includes the Wiki software used by the Wikimedia Foundation, named MediaWiki. Once installed, it can be configured and ready for use in a few minutes.
MediaWiki requires a MySQL server. yum won't automatically install a MySQL server when you install MediaWiki because MySQL isn't truly a dependency: the database server doesn't have to be on the same computer, but for a small installation, that makes the most sense.
To configure MediaWiki, start your web server (if it's not already running) and then, using a browser on the same computer as the MediaWiki software, go to http://localhost/mediawiki/ . You will see an introduction page like that in Figure 7-27 , informing you that the software must be configured before use.
Figure 7-27. MediaWiki before initial configuration
To configure the software, click on the link provided. The page shown in Figure 7-28 will appear.
Figure 7-28. MediaWiki configuration page
This page presents the results of some initial configuration tests, followed by a form that you must fill in with configuration information. The fields on this form are:
Site name
Input an opaque string (no spaces and no punctuation marks) of letters and numbers for the name of your Wiki.
Contact email
Enter an email address that can be used to contact the Wiki administrator. It is probably best to use an email alias here.
Language
The language for the Wiki prompts and messages (the content can be in any language, regardless of the value you choose here).
Copyright/license metadata
The license that will be used to tag the Wiki contents. You can choose not to tag your pages with license information, or you can use one of two types of open content licenses: GNU Free Documentation License (GNU FDL) or a Creative Commons license. If you are not sure what to use, select "no license metadata ."
Sysop account name and password
Enter the username of the system operator ( sysop ) or Wiki administrator. This user does not have to have a Fedora login account. The password must be entered twice to verify that it is typed correctly.
Shared memory
Use a memory cache system for performance acceleration. This is not necessary for small installations.
E-mail (general)
Enable all email operations. In almost all cases, this should be left on.
User-to-user e-mail
Enable users to send mail to each other; whether this makes sense depends on the intended use of your Wiki.
E-mail notification
Select the events that trigger an automatic notification email. Use the middle setting for most small-to-medium Wikis.
E-mail address authentication
If enabled, this feature sends a token to the email address of newly registered users to verify that the email address is valid. This presents a minor inconvenience to your users, but prevents email from being sent to invalid addresses and, more importantly, prevents a user from entering someone else's email address.
MySQL server
Leave this set to localhost if the MySQL server is on the same computer as the MediaWiki software.
Database name, DB username, and DB password
The name of the MySQL database, and the username and password for the MySQL access account, respectively. Leave the default values for the Database name and the DB username, and make up a new password (twice) for the DB password.
Database table prefix
If you are running more than one instance of MediaWiki, set this to a unique value for each instance. Otherwise, leave this field blank.
Database charset
Leave this value set to "Backwards-compatible UTF-8."
Super user and Password
The MySQL database and access account for the Wiki can be created by hand, or you can enter the user ID and MySQL password for the database administrator here, and MediaWiki will create the database and access account automatically.
This is the MySQL administrator account (root) and the MySQL password for that account; do not enter the Fedora root password!
Once you have entered this information, click the Install button at the bottom of the page. You will see a confirmation page.
At this point, copy the configuration file from the config directory to the main mediawiki directory:
# cp -v /var/www/mediawiki/config/LocalSettings.php /var/www/mediawiki
`/var/www/mediawiki/config/LocalSettings.php' -> `/var/www/mediawiki/LocalSettings.php'
You can now click the link at the bottom of the confirmation page or go to http://<hostname>/mediawiki/ to view the front page of the Wiki.
The only other customization that is necessary is to install a new logo image. The image should be 155 pixels wide and 135 pixels tall and in .gif , .png , or .jpg format. Edit /var/www/mediawiki/LocalSettings.php and find the line that reads:
$wgLogo = "$wgStylePath/common/images/wiki.png";
Change the path on the righthand side of the equal sign to the path of your image location, relative to the Apache Document Root. For example, if your image is in /var/www/mediawiki/images/draft-cover.png , edit this line to read:
$wgLogo = "/mediawiki/images/draft-cover.png";
You can then edit the front page of your Wiki by clicking on the "edit" link at the top of the page; changes are made using the same Wikitext format used on Wikipedia. Figure 7-29 shows a fully configured MediaWiki installation.
Figure 7-29. Configured MediaWiki front page
MediaWiki is written as a collection of PHP scripts, with some Perl scripts for maintenance functions. The Fedora Extras MediaWiki package installs these files in /var/www/mediawiki , which is within the default Apache Document Root. The file /etc/httpd/conf.d/mediawiki.conf limits access to the mediawiki subdirectories, ensuring that only a browser on the same machine as the server can access the configuration page and making several other directories inaccessible through the Web.
All of the Wiki content is stored in the MySQL database for fast, index-based access. Users indicate how they want text to appear by using Wikitext markings; most of these are converted to HTML when the page is displayed, but some (such as ~~~ and ~~~~ , which are replaced by the user's signature and, with four tildes, a timestamp) are translated when the page is saved.
You can alter the appearance of the Wiki by editing the value of $wgDefaultSkin in /var/www/mediawiki/LocalSettings.php . This variable must be set to the name of one of the skin files in /var/www/mediawiki/skins/ ; for example, to use the simple skin, place this line in the LocalSettings.php file:
$wgDefaultSkin="simple";
Additional skins are available from the Wikimedia "Gallery of user styles" ( http://meta.wikimedia.org/wiki/Gallery_of_user_styles ).
Use a graphics tool such as the GIMP to create an image with transparency, so that the page background shows through the portions of the 155x135 logo rectangle that are not occupied by your logo image. For example, if you had an oval image, the space between the outer edge of the logo and the edge of the logo rectangle would be transparent. Save your image in PNG format.
All of these operations can be performed by the sysop user. Go to the main page of the Wiki and log in using the sysop username and password created during the initial configuration of the Wiki, and you will see additional tabs on the top of each page for protecting, deleting, and moving.
The MediaWiki web page: http://www.mediawiki.org
The files in /usr/share/doc/mediawiki*/docs
The Wikipedia Cheatsheet, which describes the Wikitext format on a reference card: http://upload.wikimedia.org/wikipedia/commons/0/05/Cheatsheet-en.pdf
File Transfer Protocol (FTP) is a long-established Internet protocol for transferring files. In Fedora, you can use the Very Secure FTP Daemon, vsftpd , to serve data via FTP.
To serve content via FTP, install the vsftpd package, start the vsftpd service, and place the content that you wish to make publicly available in the /var/ftp directory.
If you are using a firewall, you will need to open the FTP control port (TCP port 21) in the firewall. Data transfers use additional connections on other ports; see the discussion of active and passive mode later in this lab.
To view the contents of /var/ftp with a browser, go to ftp://<hostname>/ . To access files in a home directory, use the URL ftp://<user>@<hostname>/ (the browser will ask for your password) or ftp://<user>:<password>@<hostname>/ . Avoid the last form for anything but a throwaway account: the password is stored in the browser history and may appear in proxy logs, and, like every FTP credential, it crosses the network in plain text.
To access the contents of /var/ftp using a command-line FTP client program, log in as anonymous and use your email address as your password:
$ ftp
ftp> open ftp.fedorabook.com
Connected to 172.16.97.100.
220 (vsFTPd 2.0.4)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (ftp.fedorabook.com:chris):
anonymous
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,16,97,100,237,192)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Mar 09 16:41 fedora-core-5
drwxr-xr-x 2 0 0 4096 Mar 09 16:41 fedora-core-6
drwxr-xr-x 2 0 0 4096 Mar 09 16:41 fedora-linux
drwxr-xr-x 2 0 0 4096 Mar 09 16:42 images
drwxr-xr-x 2 0 0 4096 Mar 09 04:46 pub
drwxr-xr-x 2 0 0 4096 Mar 09 16:41 rawhide
226 Directory send OK.
ftp> cd images
250-This directory contains images for the book "Fedora Linux".
250-
250 Directory successfully changed.
ftp> ls *http*
227 Entering Passive Mode (172,16,97,100,240,225)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 49931 Mar 09 16:44 fen-chapter07-system-config-httpd-tab2.png
-rw-r--r-- 1 0 0 27119 Mar 09 16:44 fen-chapter07-system-config-httpd.png
226 Directory send OK.
ftp> get fen-chapter07-system-config-httpd-tab2.png
local: fen-chapter07-system-config-httpd-tab2.png remote: fen-chapter07-system-config-httpd-tab2.png
227 Entering Passive Mode (172,16,97,100,214,160)
150 Opening BINARY mode data connection for fen-chapter07-system-config-httpd-tab2.png (49931 bytes).
226 File send OK.
49931 bytes received in 0.017 seconds (2.9e+03 Kbytes/s)
ftp> quit
221 Goodbye.
To access a home directory using an FTP client, enter the user ID and password of the Fedora account.
vsftpd is configured using the files in /etc/vsftpd . The main configuration file is /etc/vsftpd/vsftpd.conf ; as shipped by Fedora it permits all local users (except for the system users such as root , bin , and so forth that are listed in /etc/vsftpd/ftpusers ) to have read/write access to their home directories, and all anonymous users to have read-only access to /var/ftp .
These are the most commonly changed configuration entries, along with the default values (as set in the Fedora default configuration file or in the program's internal defaults):
anonymous_enable= YES
Enables anonymous login. Change the value to NO to disable access to /var/ftp .
write_enable= YES
Permits file uploads.
anon_upload_enable= NO and anon_mkdir_write_enable= NO
Set these to YES to permit anonymous users to upload files and to create directories, respectively. write_enable=YES must also be present, and at least one directory under /var/ftp must be writable by the ftp user, in order for this to work. Make that a single, deliberately chosen subdirectory (an incoming directory, for example), never /var/ftp itself.
dirmessage_enable= NO and message_file= .message
Enables the display of descriptive messages when a user enters a directory; this is usually used to explain the directory contents, usage instructions, contact information, or copyright and licensing details. (Fedora's shipped vsftpd.conf turns dirmessage_enable on.) There is an example of this in the character-mode transfer shown earlier: the 250- lines returned after the cd images command. The text of the message is normally contained in the file .message within the directory, but the filename may be set to any value you choose. Some client programs will display these messages to the user, and some, such as the Firefox web browser, will not.
banner_file= filename
Configures a file that contains a banner message that will be sent to clients when they connect to the server.
ascii_upload_enable= NO and ascii_download_enable= NO
FTP's ASCII mode can automatically change end-of-line characters to compensate for differences between Linux/Unix, Windows, and Macintosh computers. The author of vsftpd , Chris Evans, considers this to be a bug in the protocol rather than a feature, and it is true that ASCII mode has mangled many, many binary files. If you want to support ASCII mode, set these options to YES.
ls_recurse_enable= NO
Controls the use of recursive directory listings ( ls -R ). Some very nice clients, such as ncftp , assume that this is enabled, but the vsftpd documentation warns that a recursive listing from the top of a large site consumes a lot of server resources, so leave it disabled on a busy public server.
use_localtime= NO
Enables the display of times in the local time zone instead of GMT.
You can deny FTP access to specific local users by adding their usernames to the file /etc/vsftpd/ftpusers (which already lists root , bin , and the other system accounts) or /etc/vsftpd/user_list . Note that user_list acts as a deny list only because Fedora's configuration sets userlist_enable=YES together with the default userlist_deny=YES ; with userlist_deny=NO it becomes an allow list, and only the users named in it may log in.
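The options above interact: anonymous uploads, for instance, need three settings to agree, and user_list means opposite things depending on userlist_deny. The following shell script is an added example, not part of the book or of vsftpd, that computes the effective value of each option (last uncommented line wins, otherwise the program's internal default from vsftpd.conf(5)) and flags the risky combinations. The two configuration files it audits are constructed here for illustration; the first resembles Fedora's shipped file with anonymous uploads switched on, the second is a hardened read-only download server.

```shell
#!/bin/sh
# Added example (not from the book or vsftpd): audit effective vsftpd.conf
# settings.  Sample configuration files are constructed below.

# Effective value of KEY in CONF: the last uncommented "KEY=value" line wins
# (vsftpd.conf allows no spaces around "="); if the key is absent, the
# program's internal default DEFAULT applies.
vsftpd_get() {
    value=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${value:-$3}"
}

# Print one finding per line, prefixed WARN or INFO.  Defaults passed here are
# vsftpd's internal defaults; Fedora's shipped file overrides several of them
# (local_enable=YES, write_enable=YES, userlist_enable=YES, ...).
vsftpd_audit() {
    conf=$1
    anon=$(vsftpd_get "$conf" anonymous_enable YES)
    write=$(vsftpd_get "$conf" write_enable NO)
    anon_up=$(vsftpd_get "$conf" anon_upload_enable NO)
    anon_mkdir=$(vsftpd_get "$conf" anon_mkdir_write_enable NO)
    local_users=$(vsftpd_get "$conf" local_enable NO)
    chroot_local=$(vsftpd_get "$conf" chroot_local_user NO)
    ul_enable=$(vsftpd_get "$conf" userlist_enable NO)
    ul_deny=$(vsftpd_get "$conf" userlist_deny YES)
    ssl=$(vsftpd_get "$conf" ssl_enable NO)

    if [ "$anon" = YES ]; then
        echo "INFO anonymous read access to /var/ftp is enabled"
    fi
    # Anonymous writes require all three switches (see anon_upload_enable).
    if [ "$anon" = YES ] && [ "$write" = YES ] &&
       { [ "$anon_up" = YES ] || [ "$anon_mkdir" = YES ]; }; then
        echo "WARN anonymous users may upload or create directories; only one intended subdirectory of /var/ftp should be writable by the ftp user"
    fi
    if [ "$local_users" = YES ] && [ "$chroot_local" != YES ]; then
        echo "WARN local users are not chrooted (chroot_local_user=NO) and can browse anything their Unix permissions allow"
    fi
    if [ "$local_users" = YES ] && [ "$ssl" != YES ]; then
        echo "WARN local logins send Fedora account passwords in clear text (ssl_enable=NO)"
    fi
    if [ "$ul_enable" = YES ]; then
        if [ "$ul_deny" = YES ]; then
            echo "INFO /etc/vsftpd/user_list is a DENY list (userlist_deny=YES)"
        else
            echo "INFO /etc/vsftpd/user_list is an ALLOW list (userlist_deny=NO)"
        fi
    fi
    return 0
}

# Number of WARN findings, handy for scripting and monitoring.
vsftpd_warn_count() {
    vsftpd_audit "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Constructed sample 1: Fedora-like defaults plus anonymous uploads.
LOOSE_CONF=$(mktemp)
cat > "$LOOSE_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
userlist_enable=YES
EOF

# Constructed sample 2: hardened anonymous, read-only download server.
STRICT_CONF=$(mktemp)
cat > "$STRICT_CONF" <<'EOF'
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
EOF
trap 'rm -f "$LOOSE_CONF" "$STRICT_CONF"' EXIT

for f in "$LOOSE_CONF" "$STRICT_CONF"; do
    echo "== $f ($(vsftpd_warn_count "$f") warnings)"
    vsftpd_audit "$f"
done
```

To audit the live server, call vsftpd_audit /etc/vsftpd/vsftpd.conf ; a non-zero count from vsftpd_warn_count is a reasonable thing to alert on after any configuration change.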
FTP is a disaster from a security perspective: the username, the password, and the data itself all cross the network in plain text and can be captured by anyone snooping on the network. Nonetheless, it's a useful protocol for the anonymous public download of large files, where nothing confidential is transmitted.
vsftpd was designed from the ground up to be as secure as possible because many of the preceding FTP servers were notoriously insecure. It uses a small, carefully written code base along with techniques such as privilege separation and changing the root directory ( chroot ) to limit the damage that can be caused if the server is compromised.
FTP is a very old protocol, so old, in fact, that in its original form it predates TCP/IP! In order to work around some network transport limitations, traditional FTP uses two connections between the client and the server: one for controlling commands and responses and one for data. The control connection originates at the client; in the original, active mode the server opens the data connection back to an address and port that the client names with a PORT command. For years this architecture has caused headaches in firewall configuration, because the client side must accept an inbound connection from the server.
FTP also supports passive (PASV) operation. Passive mode still uses a separate data connection, but it reverses the direction: the server answers PASV with a 227 reply naming an address and port (the six numbers in the transcript above; the port is the fifth number times 256 plus the sixth), and the client connects out to it. Almost all modern client programs use passive operation as the default mode, as an automatic fallback option, or as a manually configured option. The server's firewall must still let those data connections in; vsftpd's pasv_min_port and pasv_max_port options confine them to a fixed range that you can open alongside TCP port 21.
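The six-number tuple is the part of FTP that firewalls trip over, so it is worth being able to decode it by hand. The script below is an added example, not part of the book or of vsftpd: it extracts the host and port from a 227 reply (or a client's PORT command, which uses the same encoding) and checks the port against a passive range that a firewall has been opened for. The 227 replies are the ones from the transfer session shown earlier; the range 50000-50100 and the final reply ending in 195,80 are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book or vsftpd): decode FTP host/port tuples and
# check the data port against a firewall range.

# Print "h1.h2.h3.h4 PORT" for a server "227 Entering Passive Mode
# (h1,h2,h3,h4,p1,p2)" reply or a client "PORT h1,h2,h3,h4,p1,p2" command.
# The port is p1*256+p2.  Returns 1 if the line holds no six-number tuple.
ftp_hostport() {
    tuple=$(printf '%s\n' "$1" |
        sed -n 's/.*[^0-9,]\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\).*/\1/p')
    [ -n "$tuple" ] || return 1
    IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$tuple
EOF
    printf '%s.%s.%s.%s %d\n' "$h1" "$h2" "$h3" "$h4" "$((p1 * 256 + p2))"
}

# Exit 0 when PORT lies within [MIN, MAX], i.e. the range configured with
# pasv_min_port/pasv_max_port and opened in the firewall; otherwise 1.
port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Report whether a 227 reply points at a port the firewall rule covers.
# Prints "ok HOST PORT" or "blocked HOST PORT"; returns 1 on a malformed reply.
check_pasv_reply() {
    hp=$(ftp_hostport "$1") || return 1
    host=${hp% *}
    port=${hp#* }
    if port_in_range "$port" "$2" "$3"; then
        printf 'ok %s %s\n' "$host" "$port"
    else
        printf 'blocked %s %s\n' "$host" "$port"
    fi
}

# Demonstration.  The first three replies come from the session shown earlier;
# the last one and the 50000-50100 range are constructed assumptions.  Without
# pasv_min_port/pasv_max_port the server picks ephemeral ports, which is why
# the real replies all fall outside the range.
PASV_MIN=50000
PASV_MAX=50100
for reply in \
    '227 Entering Passive Mode (172,16,97,100,237,192)' \
    '227 Entering Passive Mode (172,16,97,100,240,225)' \
    '227 Entering Passive Mode (172,16,97,100,214,160)' \
    '227 Entering Passive Mode (172,16,97,100,195,80)'
do
    check_pasv_reply "$reply" "$PASV_MIN" "$PASV_MAX"
done
```

The same decoding applies to the client's PORT command in active mode, which is what a firewall with FTP connection tracking parses in order to open the return path.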
vsftpd logs data transfers in the file /var/log/xferlog .
There are two types of secure FTP:
SFTP
The SSH File Transfer Protocol. Despite the name, this is not FTP at all but a separate file-transfer protocol carried inside an encrypted secure shell (SSH) connection, so it needs no ports beyond SSH's own. It is installed by default on Fedora systems as part of the SSH service; the command name is sftp . SSH also provides secure copy ( scp ), which is in many cases more convenient than SFTP.
FTPS
FTP over the Secure Socket Layer (SSL), today TLS. SSL is a general encryption layer that can be used to protect many types of connections, including HTTP, IMAP, and POP3 (which are known as HTTPS, IMAPS, and POP3S when used with SSL). I recommend the use of SFTP over FTPS, but vsftpd is capable of handling FTPS connections if it is given a certificate and ssl_enable=YES is set in vsftpd.conf ; refer to the vsftpd documentation for details.
The manpages for vsftpd , vsftpd.conf , and ftp
The manpages for sshd , scp , and sftp
RFC 959: http://www.ietf.org/rfc/rfc0959.txt
Fedora provides the Webalizer tool for analyzing Apache and vsftpd logfiles, but the default configuration works only with the default Apache virtual host. With a few minutes of configuration, Webalizer can analyze the logfiles of all of your Apache virtual hosts as well as your vsftpd server.
The default configuration for Webalizer analyzes the default Apache logfile at 4:02 a.m. each day, as long as that logfile is not empty. The results can be read by using a browser on the same machine and accessing http://localhost/usage/ , which displays the report page. A sample report page is shown in Figure 7-30 .
Figure 7-30. Webalizer web usage report
This configuration assumes that your Apache virtual host logfiles are named /var/log/httpd/<virtualhostname>-access_log and are in combined format.
To configure Webalizer to analyze your virtual host logfiles each day, create the file /etc/cron.daily/00webalizer-vhosts :
#! /bin/bash
# update access statistics for virtual hosts
CONF=/etc/httpd/conf/httpd.conf
# NAME is taken from each uncommented "CustomLog logs/NAME-access_log ..." line
for NAME in $(sed -n "s=^[^#]*CustomLog logs/\([^ ]*\)-access_log.*=\1=p" "$CONF")
do
    mkdir -p "/var/www/usage/$NAME"
    chmod a+rx "/var/www/usage/$NAME"
    LOG="/var/log/httpd/${NAME}-access_log"
    # Skip missing or empty logs.  Do not exec webalizer here: exec replaces
    # the shell, so only the first virtual host would ever be processed.
    if [ -s "$LOG" ]
    then
        /usr/bin/webalizer -Q -o "/var/www/usage/$NAME" "$LOG"
    fi
done
Make this file readable and executable by root :
# chmod u+rx /etc/cron.daily/00webalizer-vhosts
Next, edit /etc/webalizer.conf and place a pound-sign character ( # ) at the start of the HistoryName and IncrementalName lines to comment them out:
# HistoryName /var/lib/webalizer/webalizer.hist
...(Lines snipped)...
# IncrementalName /var/lib/webalizer/webalizer.current
This will ensure that a separate analysis history is maintained for each virtual host.
The virtual host logfiles will be analyzed every morning at 4:02 a.m., and the reports will be accessible at http://localhost/usage/<virtualhostname> .
To analyze the vsftp logfile each day, create the file /etc/cron.daily/00webalizer-ftp :
#! /bin/bash
# update access statistics for ftp
if [ -s /var/log/xferlog ]; then
exec /usr/bin/webalizer -Q -F ftp -o /var/www/usage/ftp /var/log/xferlog
fi
Make this file readable and executable by root :
# chmod u+rx /etc/cron.daily/00webalizer-ftp
Then create the directory /var/www/usage/ftp :
# mkdir /var/www/usage/ftp
# chmod a+rx /var/www/usage/ftp
Make sure that you have made the changes to /etc/webalizer.conf noted previously.
Your FTP usage statistics will now be analyzed each day at 4:02 a.m. along with your web statistics. The reports will be accessible at http://localhost/usage/ftp .
It's often inconvenient to access the usage statistics from the same machine that is running Apache. To make the statistics password-protected and accessible from any system, edit the file /etc/httpd/conf.d/webalizer.conf to look like this. Bear in mind that HTTP Basic authentication only base64-encodes the password, so either serve this location over HTTPS or combine the password with an address restriction rather than relying on it alone:
#
# This configuration file maps the Webalizer log-analysis
# results (generated daily) into the URL space. By default
# these results are only accessible from the local host.
#
Alias /usage /var/www/usage
<Location /usage>
Order deny,allow
Allow from all
AuthType Basic
AuthName "usage statistics"
AuthUserFile /var/lib/webalizer/passwd
Require valid-user
</Location>
Create the password file with the htpasswd command:
# htpasswd -c /var/lib/webalizer/passwd chris
New password:
NeverGuess
Re-type new password:
NeverGuess
Adding password for user chris
The SELinux context of the password file, and of the directory containing it, must be changed in order for this to work, since files created under /var/lib/webalizer are not labeled for Apache to read. chcon is not recursive by default, so labeling only the directory would leave the passwd file itself unreadable:
# chcon -R -t httpd_sys_content_t /var/lib/webalizer/
A label set with chcon does not survive a filesystem relabel; to make it permanent, record the rule with semanage fcontext and apply it with restorecon .
The statistics reports should now be accessible using a web browser on any computer.
The script /etc/cron.daily/00webalizer is started once a day (at around 4:02 a.m.) by crond . This script in turn starts up Webalizer; the default configuration file ( /etc/webalizer.conf ) is preset to analyze the main Apache logfile ( /var/log/httpd/access_log ) and place the results in /var/www/usage .
The script file 00webalizer-vhosts obtains the virtual host log filenames from /etc/httpd/conf/httpd.conf and runs Webalizer on each logfile after the main logfile has been processed (the cron.daily scripts run in sorted order, and 00webalizer sorts first). 00webalizer-ftp does the same thing for the vsftpd logfile, /var/log/xferlog .
The web directory /var/www/usage is initially protected by the file /etc/httpd/conf.d/webalizer.conf so that Apache will serve it only to a browser running on the same computer.
Webalizer analyzes web and FTP logfiles to determine usage patterns; it can process the Apache common and combined logfile formats, and the wu-ftpd xferlog format (which vsftpd also uses). It stores the generated statistics for the last year in the file webalizer.hist , and stores partial statistics for the current reporting period (month) in the file webalizer.current . The data from previous runs of the program is retrieved from those files and combined with data from the current logfile to generate the reports. By default, webalizer.hist and webalizer.current are stored in /var/lib/webalizer ; commenting out HistoryName and IncrementalName in the configuration file causes these files to be stored in each output directory instead, so that each report has its own, separate copy of them.
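Webalizer turns the xferlog into traffic graphs, but the same file is also the place to look for things Webalizer does not report, such as an anonymous upload on a server that was supposed to be read-only. The script below is an added example, not part of the book, vsftpd or Webalizer, that parses the xferlog format mentioned here and in the vsftpd lab above. The five log lines are constructed for the demonstration (the first two reuse the filenames from the FTP session shown earlier); the field layout is the wu-ftpd one documented at the xferlog link below.

```shell
#!/bin/sh
# Added example (not from the book, vsftpd or Webalizer): summarize an xferlog.
# Fields are whitespace-separated; the date occupies the first five:
#  1-5 date          6 transfer-time(s)  7 remote-host   8 file-size
#  9 filename       10 a|b (ascii/bin)  11 special-action
# 12 direction i|o (upload/download)   13 access-mode a|g|r (anon/guest/real)
# 14 username      15 service          16 auth-method  17 authenticated-id
# 18 completion c|i (complete/incomplete)

# Constructed sample log (the file names in the first two lines are the ones
# downloaded in the FTP session shown earlier).
XFERLOG=$(mktemp)
trap 'rm -f "$XFERLOG"' EXIT
cat > "$XFERLOG" <<'EOF'
Fri Mar  9 16:44:10 2007 1 172.16.97.5 49931 /images/fen-chapter07-system-config-httpd-tab2.png b _ o a chris@example.com ftp 0 * c
Fri Mar  9 16:45:02 2007 1 172.16.97.5 27119 /images/fen-chapter07-system-config-httpd.png b _ o a chris@example.com ftp 0 * c
Fri Mar  9 17:01:33 2007 3 10.0.0.7 1048576 /pub/incoming/tools.tar.gz b _ i a mozilla@ ftp 0 * c
Fri Mar  9 17:05:00 2007 0 10.0.0.7 512 /pub/incoming/partial.bin b _ i a mozilla@ ftp 0 * i
Fri Mar  9 18:10:41 2007 2 192.168.1.20 4096 /home/chris/notes.txt a _ o r chris ftp 0 * c
EOF

# Total bytes of completed transfers in DIRECTION: "o" downloads, "i" uploads.
xferlog_bytes() {
    awk -v dir="$2" '$12 == dir && $18 == "c" { total += $8 }
                     END { print total + 0 }' "$1"
}

# Uploads by anonymous users, as "host size status filename".  On a server
# meant to be read-only these lines should never appear; a hit means that
# anon_upload_enable/anon_mkdir_write_enable took effect or that a directory
# under /var/ftp is writable by the ftp user.  Incomplete transfers are
# included: a partial upload is still evidence of a writable directory.
xferlog_anon_uploads() {
    awk '$12 == "i" && $13 == "a" { print $7, $8, $18, $9 }' "$1"
}

# Completed download volume per remote host, busiest first: "bytes host".
xferlog_top_hosts() {
    awk '$12 == "o" && $18 == "c" { b[$7] += $8 }
         END { for (h in b) print b[h], h }' "$1" | sort -rn
}

echo "downloaded: $(xferlog_bytes "$XFERLOG" o) bytes"
echo "uploaded:   $(xferlog_bytes "$XFERLOG" i) bytes"
echo "anonymous uploads:"
xferlog_anon_uploads "$XFERLOG"
echo "top download hosts:"
xferlog_top_hosts "$XFERLOG"
```

Point the functions at /var/log/xferlog to run them against the real log; a daily cron job that mails the output of xferlog_anon_uploads when it is non-empty is a cheap complement to the Webalizer report.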
The generated reports are saved as HTML pages and PNG graphics.
The manpages for webalizer , cron , and crontab
The Webalizer web site: http://webalizer.org/
Information on the Apache logfile format: http://httpd.apache.org/docs/2.2/logs.html
Information on the wu-ftp/vsftp logfile format: http://www.wu-ftpd.org/man/xferlog.html