Web Server
Mathias Brandstetter, June 2015
"The World Wide Web is a wide-area hypermedia information retrieval initiative aiming to give universal access to a large universe of documents."
– Tim Berners-Lee
First steps towards display
1990 World Wide Web browser
1991 ViolaWWW browser
"NCSA Mosaic version 1.0, a networked information system and World-Wide-Web browser for X Window systems, is hereby released." 21 April 1993
Netscape Navigator, October 1994
Microsoft Internet Explorer, August 1995
First steps towards serving
#! /bin/sh
read get docid
echo "<TITLE>$docid</TITLE>"
echo Here is the data
Web server as a shell script
int HTRetrieve (char * arg, char * keywords, int socket)
{
    if (arg != SERVER_NAME)
        write error message to socket
        return
    else if no keywords
        write back a message explaining what the server is, in HTML, which must
        include the tag <ISINDEX>, to inform the browser that this is an index
    else
        create a query in the language of the database, based on the keyword list
        send this query to the database
        read the response and convert it to HTML, again including the <ISINDEX> tag
        write the HTML to the socket
    endif
    endif
}
Web server in C
map   /                 /welcome.html
map   /*                /u/john/public/*
pass  /u/john/public/*
fail  *
Configuration of the CERN httpd
Scripting languages
• In 1994 Rasmus Lerdorf presented PHP/FI, which was later called FI and finally PHP
• From 1996 on, support for mSQL, DBM and Postgres95
• MySQL then emerged from mSQL
LAMP
• Linux
• Apache
• MySQL
• PHP
• one of the most widely used server stacks
• Install Debian
• aptitude install apache2 php5
  apt-get install php5-mysql mysql-server unzip
[Diagram: Out of the box: Linux running DB, Apache and PHP]
• WordPress as the content, which makes use of all the parts.
• cd /var/
  mv www www_old
  wget http://wordpress.org/latest.zip
  unzip latest.zip
  mv wordpress www
  chown -R www-data:www-data www
• http://example.tld/
[Diagram: WordPress: Linux running DB, PHP, WordPress and Apache]
Problems?
• We still have to secure the services
• MySQL should only be reachable locally
• Apache and PHP are still far too chatty
• WordPress also still needs some hands-on work
• For small sites the speed is already enough, but there is still room for improvement.
Security first! Never just adopt the defaults as they are!
* Connected to example.tld (192.168.3.145) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: example.tld
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 11 Jun 2015 09:49:36 GMT
* Server Apache/2.2.22 (Debian) is not blacklisted
< Server: Apache/2.2.22 (Debian)
< X-Powered-By: PHP/5.4.41-0+deb7u1
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html

Running 10s test @ http://example.tld/
  2 threads and 10 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency   747.12ms  192.04ms   1.80s    93.10%
    Req/Sec     7.05      3.54    19.00     80.85%
  119 requests in 10.02s, 1.04MB read
  Socket errors: connect 0, read 0, write 0, timeout 3
Requests/sec:     11.88
Transfer/sec:    106.79KB

Running 10s test @ http://example.tld/
  20 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency   927.90ms  311.00ms   1.92s    87.23%
    Req/Sec     7.03      9.34    48.00     91.67%
  61 requests in 10.03s, 569.37KB read
  Socket errors: connect 768, read 0, write 0, timeout 14
Requests/sec:      6.08
Transfer/sec:     56.75KB
Improvements: a small start
• Split into production, testing and security-testing environments
• Semi-automatic sync between the separate environments
Environments
[Diagram: Production, Staging and Targeting, each with DB, PHP, WordPress and Apache, with Sync links between the environments]
The NVA setup
[Diagram: the stack from before (Linux, DB, PHP, WordPress, Apache) beside the new one, which adds Varnish and Nginx in front of it]
Nginx is considerably better at handling TCP sessions and also terminates HTTP and HTTPS.
The traffic is then passed on to the Varnish cache, from where it reaches Apache.
Everything else stays essentially unchanged, which the developers like a lot.
Nginx & Varnish: how exactly does that work?
aptitude install nginx varnish
Plus a fair amount of configuration
The idea behind it
[Diagram: Nginx listens on http (80/tcp) and https (443/tcp) and hands off to Varnish on 127.0.0.1 (6081/tcp), which hands off to Apache on 127.0.0.1 (8080/tcp); PHP, WordPress and the DB sit behind Apache]
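The port plan above (and the "MySQL only reachable locally" requirement) can be checked against the listening sockets of a host. The following is an added example, not part of the slides: a POSIX shell function that reads `ss -ltn` output and reports every listener that is neither loopback-bound nor one of the two ports Nginx is meant to expose. The `ss` listing below is constructed for the example.

```shell
# Added example: audit `ss -ltn` output against the NVA port plan.
# Only 80/tcp and 443/tcp may be bound to a public address; Varnish (6081),
# Apache (8080) and MySQL (3306) have to stay on loopback.
# Input: listing on stdin. Output: one line per finding. Exit status: number of findings.
exposed_listeners() {
    n=0
    while read -r state rq sq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue   # skips the header line
        port=${laddr##*:}                     # text after the last colon
        addr=${laddr%:*}                      # everything before it
        case "$addr" in
            127.0.0.1|"[::1]"|::1) continue ;; # loopback-only bindings are fine
        esac
        case "$port" in
            80|443) continue ;;               # the only ports nginx should expose
        esac
        echo "exposed: $addr port $port"
        n=$((n + 1))
    done
    return $n
}

# Constructed sample listing (not captured from a real host): the 3306 line is the
# MySQL default of listening on all interfaces, which the deck says must not stay.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:80                *:*
LISTEN 0      128    [::]:443            [::]:*
LISTEN 0      128    127.0.0.1:6081      *:*
LISTEN 0      128    127.0.0.1:8080      *:*
LISTEN 0      80     *:3306              *:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On a live host run `ss -ltn | exposed_listeners`; a non-zero exit status means something besides Nginx is reachable from outside.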
Running 10s test @ http://example.tld/
  2 threads and 10 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     4.15ms   13.81ms 165.52ms   97.66%
    Req/Sec     2.44k   494.87     3.74k    76.02%
  47793 requests in 10.00s, 418.19MB read
Requests/sec:   4777.94   (previously 11.88)
Transfer/sec:     41.81MB

Running 10s test @ http://example.tld/
  20 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency    50.32ms   82.45ms   1.13s    95.65%
    Req/Sec   269.36    330.04     1.54k    85.45%
  50961 requests in 10.10s, 445.95MB read
  Socket errors: connect 768, read 0, write 0, timeout 0
Requests/sec:   5045.20   (previously 6.08)

* Connected to example.tld (192.168.3.145) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: example.tld
> Accept: */*
>
< HTTP/1.1 200 OK
* Server nginx/1.2.1 is not blacklisted
< Server: nginx/1.2.1
< Date: Mon, 15 Jun 2015 02:27:55 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/5.4.41-0+deb7u1
< X-Pingback: http://example.tld/xmlrpc.php
< Vary: Accept-Encoding
< X-Varnish: 2073921494
< Age: 0
< Via: 1.1 varnish
Nginx: adjustments and tuning
Nginx configuration
• Compared with the default
• Allow more connections
• Turn quite a few of the "knobs"
• Set up rate limiting
user www-data;
worker_processes 4;
worker_rlimit_nofile 262128;
pid /var/run/nginx.pid;

events {
    worker_connections 65536;
    accept_mutex_delay 50ms;
}

http {
    sendfile off;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    server_names_hash_bucket_size 256;
    client_max_body_size 200M;
    client_body_buffer_size 128k;
    keepalive_timeout 410;
    keepalive_requests 100;
    max_ranges 0;
    postpone_output 1460;
    recursive_error_pages on;
    reset_timedout_connection on;
    server_tokens off;
    server_name_in_redirect off;

    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr $http_host $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    proxy_max_temp_file_size 0;
    proxy_connect_timeout 900;
    proxy_read_timeout 900;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_intercept_errors on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
nginx.conf
server {
    listen [::]:80;   # we need this for IPv4 and IPv6
    server_name example.tld;
    access_log /data/www/example.tld/log/access_log main;
    error_log /data/www/example.tld/log/error_log;

    include global/restrictions.conf;
    include redirect/example.tld.redirect;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Server-Address $server_addr;
        proxy_pass_header Set-Cookie;
        proxy_pass http://127.0.0.1:6081;
    }
}
Nginx config for example.tld
# Prevent clickjacking
add_header X-Frame-Options SAMEORIGIN;
add_header X-Real-IP $http_true_client_ip;

# enable Gzip
gzip on;
gzip_disable msie6;
gzip_static on;
gzip_comp_level 9;
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;

# Block Nessus
if ( $http_user_agent ~ (Nessus|BadBoyz) ) { return 403; }

# Deny all attempts to access wp-includes/js/swfupload.
location ~ /wp-includes/js/swfupload { deny all; access_log off; log_not_found off; }

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. { deny all; access_log off; log_not_found off; }

# Deny access to any files with a .php extension in the uploads directory
# (the dot is escaped so that only a real ".php" suffix matches)
location ~* ^/wp-content/uploads/.*\.php$ { deny all; access_log off; log_not_found off; }

# Deny access to any files with a .php extension in the uploads directory for multisite
location ~* /files/(.*)\.php$ { deny all; access_log off; log_not_found off; }
global/restrictions.conf
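The `log_format main` defined in nginx.conf and the `login` rate-limit zone both aim at the same thing: seeing and slowing down password guessing against wp-login.php. The following is an added example, not code from the slides: an awk-based report that reads an access log written in that exact `main` format and lists clients whose number of POSTs to /wp-login.php exceeds a threshold. The log lines are constructed to match the format; the "non-302 means failed login" rule is a heuristic assumed here because WordPress redirects (302) after a successful login.

```shell
# Added example: report clients hammering /wp-login.php in a log written with
# the deck's `log_format main`. Field positions in that format:
#   $1 remote_addr  $2 host  $3 user  $4 [time  $5 offset]  $6 "method  $7 path  $8 proto"  $9 status
login_flood() {
    # $1 = number of POSTs to /wp-login.php a client may make before it is reported
    awk -v limit="$1" '
        {
            method = $6; sub(/^"/, "", method)     # strip the quote that opens "$request"
            path = $7;   sub(/\?.*$/, "", path)    # ignore a query string
            if (method == "POST" && path == "/wp-login.php") {
                posts[$1]++
                if ($9 != "302") non302[$1]++      # heuristic: WP answers a good login with 302
            }
        }
        END {
            for (ip in posts)
                if (posts[ip] + 0 > limit + 0)
                    printf "%s posts=%d non302=%d\n", ip, posts[ip], non302[ip]
        }' | sort
}

# Constructed sample in the `main` format: one client retries the login four times and
# always gets a 200 (the login form again); another logs in once and is redirected.
SAMPLE_LOG='203.0.113.7 example.tld - [15/Jun/2015:14:01:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/7.37.1" "-"
203.0.113.7 example.tld - [15/Jun/2015:14:01:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/7.37.1" "-"
203.0.113.7 example.tld - [15/Jun/2015:14:01:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/7.37.1" "-"
203.0.113.7 example.tld - [15/Jun/2015:14:01:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/7.37.1" "-"
198.51.100.2 example.tld - [15/Jun/2015:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.tld/wp-login.php" "Mozilla/5.0" "-"
198.51.100.2 example.tld - [15/Jun/2015:14:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0" "-"'

printf '%s\n' "$SAMPLE_LOG" | login_flood 3
```

Note that `limit_req_zone` in the http block only declares the `login` zone; it throttles nothing until a `limit_req zone=login ...;` directive is placed in the location that serves the login page, which the slides do not show.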
Varnish: adjustments and tuning
Varnish settings
• 3G RAM cache instead of the usual 500M on disk.
• very precise adaptation to WordPress in the default.vcl
• clean separation between the backend configuration and the general part
• details on request
PHP: adjustments and tuning
PHP settings
• expose_php off
• error_log to syslog
• and more memory for uploading content
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo
expose_php = Off
error_log = syslog
post_max_size = 200M
upload_max_filesize = 200M
date.timezone = Etc/UTC
date.default_latitude = 0.0
date.default_longitude = 0.0
php.ini changes
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: example.tld
> Accept: */*
< Server: nginx
< Date: Mon, 15 Jun 2015 14:01:37 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Pingback: http://example.tld/xmlrpc.php
< Vary: Accept-Encoding
< X-Cacheable: YES
< X-Varnish: 351080665 351080662
< Via: 1.1 varnish
< age: 0
< X-Cache: HIT
< X-Cache-Hits: 2
< X-Frame-Options: SAMEORIGIN
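The curl output on the "Security first!" slide and the one above are the before and after of `server_tokens off`, `expose_php = Off` and the X-Frame-Options header. As an added example (not from the slides), here is a POSIX shell function that grades a captured response header block for exactly those three points, so the check can be repeated after every change. The two header blocks are constructed to mirror the slides' curl output.

```shell
# Added example: grade an HTTP response header block for version disclosure and
# for the clickjacking header the deck adds. Input on stdin, either raw headers
# (`curl -sI`) or the "< " lines of `curl -v`. One finding per output line;
# exit status = number of findings, 0 means clean.
audit_headers() {
    findings=0
    norm=$(sed 's/^< //' | tr -d '\r')           # drop curl's prefix and CRs
    # 1. Server header that still carries a product version ("Apache/2.2.22", "nginx/1.2.1")
    if printf '%s\n' "$norm" | grep -iq '^server:.*/[0-9]'; then
        echo "version disclosure: $(printf '%s\n' "$norm" | grep -i '^server:')"
        findings=$((findings + 1))
    fi
    # 2. X-Powered-By reveals the PHP version; expose_php = Off removes it
    if printf '%s\n' "$norm" | grep -iq '^x-powered-by:'; then
        echo "version disclosure: $(printf '%s\n' "$norm" | grep -i '^x-powered-by:')"
        findings=$((findings + 1))
    fi
    # 3. add_header X-Frame-Options SAMEORIGIN from restrictions.conf is expected
    if ! printf '%s\n' "$norm" | grep -iq '^x-frame-options:'; then
        echo "missing: X-Frame-Options"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed samples modelled on the deck's curl output, before and after hardening.
BEFORE='< HTTP/1.1 200 OK
< Server: Apache/2.2.22 (Debian)
< X-Powered-By: PHP/5.4.41-0+deb7u1
< Content-Type: text/html'
AFTER='< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< X-Frame-Options: SAMEORIGIN'

printf '%s\n' "$BEFORE" | audit_headers
printf '%s\n' "$AFTER" | audit_headers
```

Against a live site use `curl -sI http://example.tld/ | audit_headers`.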
WordPress: adjustments and tuning
WordPress tips
• Deactivate and delete all unused themes and plugins
• The following plugins are recommended
  • Akismet
  • Block Bad Queries
  • Login Lockdown
  • Ultimate Security Checker
  • WP Updates Notifier
• Always update, but use the Target server for testing first
SSL: with sauce and spice ;)
SSL
• Support for Perfect Forward Secrecy
• Public Key Pinning
• Strict Transport Security
• and handling of all known problems
server {
    listen [::]:443 ssl;   # default listen port
    server_name example.tld;
    access_log /data/www/example.tld/log/access_log main;
    error_log /data/www/example.tld/log/error_log;

    include global/ssl.conf;
    include global/restrictions.conf;
    include redirect/example.tld.redirect;

    ssl_certificate /data/www/example.tld/ssl/example.tld.crt;
    ssl_certificate_key /data/www/example.tld/ssl/example.tld.key;
    add_header Public-Key-Pins 'pin-sha256="v0nazIxjAi5ukseXLbPhTHy15P721r1F4I0YF3JWZsc="; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; max-age=10; includeSubDomains';
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    location / {
        proxy_redirect off;
        proxy_read_timeout 120;
        proxy_set_header X-Forwarded-Protocol https;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Server-Address $server_addr;
        proxy_pass_header Set-Cookie;
        proxy_pass http://127.0.0.1:6081;
    }
}
Nginx config for example.tld
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
Nginx ssl.conf
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: www.example.tld
* Server certificate: StartCom Class 1 Primary Intermediate Server CA
* Server certificate: StartCom Certification Authority
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: www.example.tld
< Server: nginx
< Date: Mon, 15 Jun 2015 16:02:18 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding
< X-Pingback: https://www.example.tld/xmlrpc.php
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Vary: Accept-Encoding
< Cache-Control: max-age=30
< X-Varnish: 1661077360
< Age: 0
< Via: 1.1 varnish
< X-Frame-Options: SAMEORIGIN
< X-Pect: Spanish Inquisition, always
< Public-Key-Pins: pin-sha256="v0nazIxjAi5ukseXLbPhTHy15P721r1F4I0YF3JWZsc="; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; max-age=10; includeSubDomains
< Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
System architecture with sauce and spice ;)
Setup with multiple blogs or services
[Diagram: several Prod environments (each D, P, W, A) plus one Stage and one Target environment, with Sync links between them, all behind a Firewall]
NVA in a complex setup
[Diagram: every Prod, Stage and Target environment now carries its own Varnish (V) and Nginx (N) in addition to DP and WA, all behind a Firewall]
Better and less complex
[Diagram: one Dispatcher with Varnish (V) and Nginx (N) in front of all Prod environments (DPWA); Stage and Target keep their own DP, WA, V and N; the outer Firewall exposes 80/tcp and 443/tcp, the hop behind the Dispatcher is 80/tcp]
And now with a CDN
[Diagram: a Content Delivery Network (80/tcp, 443/tcp) in front of the Firewall, then the Dispatcher (V, N), then the Prod environments (DPWA) and Stage and Target (DP, WA, V, N); 80/tcp internally]
Site shielding
[Diagram: Content Delivery Network (80/tcp, 443/tcp) in front of the Firewall, Dispatcher (V, N), Prod environments (DPWA), Stage and Target (DP, WA, V, N); 80/tcp internally]
One more
[Diagram: Content Delivery Network (80/tcp, 443/tcp), Firewall, Web Application Firewall, Firewall, Dispatcher (V, N), then the Prod environments (DPWA) and Stage and Target (WA, V, N); 80/tcp internally]