[LUAU] linux web server tutorial

knowtree at aloha.com
Tue Apr 12 08:48:21 PDT 2005


> Hello,
> 
> I'm a newbie and just got Fedora 3 core installed. Does anyone know of 
> an online tutorial for configuring a secure webserver using Fedora? I'm 
> planning on using it to demo and test some database projects I'm 
> working on for school. I'm using a separate firewall to do port 
> forwarding to the webserver box and I have mysql & php installed.

Depends on what you mean by "secure." Putting the server behind a firewall
is good for shielding the OS from a variety of attacks, but by its very
nature a web server must deal with HTTP traffic. Incorrect HTTP is a common
method of attacking a web server; good ones will side-step such attacks
most of the time, but even Apache has its occasional vulnerability. 

The really big issue is the code you will write or install to drive your
database application. It too has to hold up under the stress of a bad HTTP
attack. It also must avoid giving someone opportunities to exploit. I
highly recommend "CGI Programming with Perl" from O'Reilly. Even if you
don't code in Perl you need to understand the security concepts presented,
such as not piping user input through the shell. Perl offers many useful
add-on modules for writing CGI code, stuff that has been around for years
and scrubbed clean.

A completely different take on "secure" would be a web server capable of
encrypted sessions. This is the SSL protocol. There are special versions of
Apache you can install that provide this capability. It relies on OpenSSL,
and to be useful you must register your server certificate at a well-known
certificate authority, such as Verisign.

If you decide to use PHP or something like it, be aware that it poses
additional security risks.

Whatever you use, to have a secure system you must monitor security issues
constantly and install patches as soon as they become available. It has to
be an obsession.

Good luck, and have fun!

Gary Dunn
Honolulu
knowtree at aloha.com
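
An added illustration, not part of the message above and not taken from the book it recommends, of the "not piping user input through the shell" point in Perl. `/bin/echo` stands in for whatever external program a CGI script would call; the sub names and sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed samples of a form field value as a CGI script might receive it.
my @samples = ('alice', 'alice; echo INJECTED');

# Unsafe: the command is a single string, so when it contains shell
# metacharacters Perl hands it to /bin/sh, which interprets the user's value.
sub lookup_via_shell {
    my ($name) = @_;
    return scalar `/bin/echo user=$name`;
}

# Allow-list check: accept only the characters a user name may contain.
sub valid_name {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9_.-]{1,32}\z/ ? 1 : 0;
}

# Safer: list-form open execs the program directly, with no shell involved,
# so the value arrives as one literal argument. Validation is still applied
# first, because the called program may itself misread odd input.
sub lookup_no_shell {
    my ($name) = @_;
    return unless valid_name($name);
    open(my $fh, '-|', '/bin/echo', "user=$name") or die "exec failed: $!";
    my $out = do { local $/; <$fh> };
    close($fh);
    return $out;
}

for my $name (@samples) {
    print "input: [$name]\n";
    print "  via shell: ", join(' | ', split /\n/, lookup_via_shell($name)), "\n";
    my $safe = lookup_no_shell($name);
    print "  no shell:  ", (defined $safe ? $safe : "rejected by allow-list\n");
}
```

For the second sample, the shell version returns two lines of output because `/bin/sh` treated the text after the semicolon as a second command, while the list-form version never starts a shell and the allow-list rejects the value outright.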



