
Document: Chapter-25-Basic network access-servers ppt


DOCUMENT INFORMATION

Basic information

Title: Basic network access: servers
Category: Chapter
Year published: 2003
Format:
Number of pages: 24
Size: 265.67 KB


Basic network access: servers

In the previous chapter, we saw how to use clients to access other systems. This is only half the picture, of course. At the other end of the link, we need servers to provide this service. For each client, there is a server (a daemon) whose name is usually derived from the client name by adding a d to it:

Table 25-1: Server daemons for basic services

In addition to these servers, we look at a few others in other chapters:

• We've already looked at X servers briefly in Chapter 8, Taking control, and we'll see more in Chapter 28, XFree86 in depth.

• Chapter 21 discussed DNS name servers.

• Chapter 27 discusses Mail Transport Agents or MTAs, also referred to as mail servers.

Some servers don't need any configuration, and about all you need to do is to start them. Others, like web servers, can be very complicated. None of the complication is related to FreeBSD. For example, the issues involved in configuring apache are the same whether you run it with FreeBSD, NetBSD, Linux or Solaris. There are several good books, each at least the size of this one, on the detailed setup of some of these servers. In this chapter we'll look at how to get the servers up and running in a basic configuration, and where to turn for more information.

Running servers from inetd

If you look at /etc/services, you'll find that there are over 800 services available, most of which are only supported on a small number of machines. It's not always the best idea to start up a daemon for every possible service you may want to offer. IP supplies an alternative: inetd, the Internet daemon, sometimes called a super-server, which listens on multiple ports. When a request arrives on a specific port, inetd starts a daemon specific to the port. For example, FreeBSD supports anonymous ftp, but most people don't receive enough requests to warrant having the ftp daemon, ftpd, running all the time. Instead, inetd starts an ftpd when a request comes in on port 21.

At startup, inetd reads a configuration file /etc/inetd.conf to determine which ports to monitor and what to do when a message comes in. Here's an excerpt:

# $FreeBSD: src/etc/inetd.conf,v 1.58 2002/08/09 17:34:13 gordon Exp $
#
# Internet server configuration database
#

This file has the following format:

• The first column is the service on which inetd should listen. If it starts with a # sign, it's a comment, and inetd ignores it. You'll note in this example that all the listed services have been commented out. Unless you run the daemon independently of inetd, a request for one of these services will be rejected with the message:

Unable to connect to remote host: Connection refused

netserver.mm,v v4.19 (2003/04/09 20:42:40)


• The next three columns determine the nature of the connection, the protocol to use, and whether inetd should wait for the process to complete before listening for new connections. In the example, all the services are TCP, but there are entries both for tcp (the normal TCP protocol for IP Version 4) and tcp6 (the same service for IP Version 6).

• The next column specifies the user as which the function should be performed.

• The next column is the full pathname of the program (almost always a daemon) to start when a message comes in. Alternatively, it might be the keyword internal, which specifies that inetd should perform the function itself.

• All remaining columns are the parameters to be passed to the daemon.

Older versions of UNIX ran inetd as part of the startup procedure. That isn't always necessary, of course, and for security reasons the default installation of FreeBSD no longer starts it. You can change that by adding the following line to your /etc/rc.conf:

inetd_enable="YES" # Run the network daemon dispatcher (YES/NO).

To enable services in /etc/inetd.conf, it may be enough to remove the comment from the corresponding line. This applies for most of the services in the example above. In some cases, though, you may have to perform additional steps. For example, lukemftpd, an alternative ftpd, and nntpd, the Network News Transfer Protocol daemon, are not part of FreeBSD: they're in the Ports Collection. Also, nntpd is intended to run as user usenet, which is not in the base system.

The other daemons are not mentioned in /etc/inetd.conf:

• The preferred way to run sshd is at system startup. As we'll see, the startup is quite slow, so it's not a good idea to run it from /etc/inetd.conf, though it is possible; see the man page if you really want to.

• sftp-server is the server for sftp. It gets started from sshd.

• httpd, the Apache Web Server, also has quite a long startup phase that makes it impractical to start it from /etc/inetd.conf. Note also that httpd requires a configuration file. We'll look at that on page 455.

• By contrast, it's perfectly possible to start rsyncd from inetd. It's not included in the standard /etc/inetd.conf file because it's a port. Yes, so are lukemftpd and nntpd. It's just a little inconsistent. This is the line you need to put in /etc/inetd.conf to start rsyncd.

The name rsync is not a typo. rsync and rsyncd are the same thing; it's the --daemon option that makes rsync run as a daemon.


inetd doesn't notice alterations to /etc/inetd.conf automatically. After modifying the file, you must send it a SIGHUP signal:

# killall -HUP inetd

You can write -1 instead of -HUP. This causes inetd to re-read /etc/inetd.conf.

Instead of starting daemons via inetd, you can start them at boot time. inetd is convenient for servers that don't get run very often, but if you make frequent connections, you can save overhead by running the servers continuously. On the other hand, it's not practical to start rshd, rlogind, rexecd or telnetd at boot time: they're designed to be started once for each session, and they exit after the first connection closes. We'll look at starting the other daemons in the following sections, along with their configuration.

Configuring ftpd

Normally you'll run ftpd from inetd, as we saw above. If you want to run it directly, perform the following steps:

• Add the following line in /etc/rc.local:

echo -n 'starting local daemons:'
# put your local stuff here
echo " ftpd" && ftpd -D

The option -D tells ftpd to run as a daemon. You will possibly want other options as well; see the discussion below.

• Comment out the ftp line in /etc/inetd.conf by adding a hash mark (#) in front of it:

# ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

• Either reboot, or cause inetd to re-read its configuration file, as described above. If you don't perform this step, inetd keeps the ftp port open, and ftpd can't run.

For security reasons, you will probably want to add options such as logging and anonymous ftp. We'll look at how to do that in the next two sections.
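The column layout described under "Running servers from inetd" and the "comment out the ftp line" step above are easy to check mechanically. The following script is an added example, not code from the book or from FreeBSD: it lists which entries in an inetd.conf-style file are actually enabled (uncommented), counts those that run as root, and comments out every enabled entry for a named service in a copy of the file, so you can confirm that inetd no longer owns the port before starting ftpd -D. The sample file contents are constructed for this example in the column format described above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): audit and edit an inetd.conf-style file.
# Columns, as described in the text: service, socket type, protocol,
# wait/nowait, user, program, program arguments.

# Constructed sample in the format of /etc/inetd.conf (not the real file).
SAMPLE_INETD_CONF='# Internet server configuration database
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
rsync   stream  tcp     nowait  root    /usr/local/bin/rsync    rsync --daemon
daytime stream  tcp     nowait  root    internal
'

# Print "service/protocol user program" for every enabled (uncommented) entry.
inetd_enabled_services() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        NF >= 6 { printf "%s/%s %s %s\n", $1, $3, $5, $6 }
    ' "$1"
}

# Number of enabled entries whose daemon runs as root.
inetd_root_services() {
    inetd_enabled_services "$1" | awk '$2 == "root" { n++ } END { print n+0 }'
}

# Exit status 0 if any enabled entry exists for service $1 in file $2.
inetd_service_enabled() {
    inetd_enabled_services "$2" | grep -q "^$1/"
}

# Comment out every enabled entry for service $1 in file $2 (edited in place).
# This is the "add a hash mark in front of it" step from the text, done for
# both the tcp and tcp6 lines at once.
inetd_disable_service() {
    awk -v svc="$1" '
        $1 == svc { print "#" $0; next }
        { print }
    ' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

main() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_INETD_CONF" > "$f"
    echo "Enabled before:"; inetd_enabled_services "$f"
    echo "Running as root: $(inetd_root_services "$f")"
    inetd_disable_service ftp "$f"
    if inetd_service_enabled ftp "$f"; then
        echo "ftp is still enabled in inetd; do not start ftpd -D yet"
    else
        echo "ftp is disabled in inetd; after 'killall -HUP inetd' port 21 is free for ftpd -D"
    fi
    rm -f "$f"
}

main
```

The edit step only comments lines out; it never removes them, so the change is reversible and the file keeps the same shape as the original. Run the disable step against a copy of /etc/inetd.conf first, then send inetd the SIGHUP described above.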

Anonymous ftp

Anonymous ftp gives you a couple of security options:

• It restricts access to the home directory of user ftp. From the point of view of the remote user, ftp's home directory is the root directory, and he cannot access any files outside this directory. Note that this means that you can't use symbolic links outside the ftp directory, either.


• It restricts access to the machine generally: the user doesn't learn any passwords, so he has no other access to the machine.

In addition, you can start ftpd in such a manner that it will allow only anonymous ftp connections.

There are a number of preparations for anonymous ftp:

• Decide on a directory for storing anonymous ftp files. The location will depend on the amount of data you propose to store there. By default, it's /var/spool/ftp.

• Create a user ftp, with the anonymous ftp directory as the home directory and the shell /dev/null. Using /dev/null as the shell makes it impossible to log in as user ftp, but does not interfere with the use of anonymous ftp. ftp can be a member of group bin or you can create a new group ftp by adding the group to /etc/group. See page 145 for more details of adding users, and the man page group(5) for adding groups.

• Create subdirectories ~ftp/bin and ~ftp/pub. It is also possible to create a directory for incoming data. By convention its name is ~ftp/incoming. This is a very bad idea if you're connected to the global Internet: it won't be long before people start using your system as a server for illicit data. Only use this option if you have some other method of stopping unauthorized access.

• Set the ownership of the directories like this:

directories. You can do this by setting the permissions of pub and its subdirectories


You can ("hard") link the files if you want (and if the directory is on the same file system), but symbolic links will fail, since they contain path names that do not point to the correct place when running in the anonymous ftp environment.
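To see whether an anonymous ftp tree follows the rules above (no symbolic links, because they fail inside the chroot; nothing world-writable, because an incoming directory quickly becomes a drop point for illicit data), a small audit helps. This is an added example, not code from the book: it walks a directory given as its argument and reports symbolic links, world-writable entries and an incoming directory. The temporary tree it builds in main is constructed for the demonstration; anon_ftp_audit is this example's own name.

```shell
#!/bin/sh
# Added example (not from the book): audit an anonymous ftp directory tree.

# Report the things the text warns about under the anonymous ftp root $1:
# symbolic links (they fail in the chroot), world-writable entries, and an
# incoming directory.
anon_ftp_audit() {
    root=$1
    # Symbolic links: path names are resolved relative to the chroot, so they
    # point at the wrong place or at nothing.
    find "$root" -type l -exec printf 'symlink: %s\n' {} \;
    # World-writable files or directories (symlinks excluded: their mode bits
    # are meaningless). Anyone can drop data here.
    find "$root" ! -type l -perm -002 -exec printf 'world-writable: %s\n' {} \;
    # The conventional name for a drop directory.
    if [ -d "$root/incoming" ]; then
        printf 'incoming directory present: %s\n' "$root/incoming"
    fi
}

main() {
    # Constructed demo tree: the layout from the text, plus two mistakes.
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/pub" "$d/incoming"
    chmod 755 "$d" "$d/bin" "$d/pub"
    chmod 1777 "$d/incoming"                      # mistake 1: world-writable drop directory
    ln -s /nonexistent/outside "$d/pub/outside"   # mistake 2: symlink out of the chroot
    echo "data" > "$d/pub/README"                 # a normal read-only file
    chmod 644 "$d/pub/README"
    anon_ftp_audit "$d"
    rm -rf "$d"
}

main
```

Point anon_ftp_audit at the real ~ftp directory (after the ownership and permission steps above) and expect no output at all; every line it prints is something the remote anonymous user can either not use or should not be able to use.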

Restricting access and logging

A number of ftpd options make it easier to control and monitor ftp access:

• The -l option logs each session, whether successful or not, to syslogd with the facility LOG_FTP. To enable this logging, your /etc/syslog.conf should contain a line like

• The -S option logs all anonymous transfers to the file /var/log/ftpd.

• You can restrict access to only anonymous ftp with the -A option.

There are a number of other options; see the man page ftpd(8) for further details.

In addition to these options, when a real user establishes a connection, ftpd checks the user's shell. If it is not listed in /etc/shells, ftpd will deny the connection. This can be useful if you don't want specific users to access the system: give them a different shell, such as /usr/bin/sh instead of /bin/sh, and ensure that /usr/bin/sh is not in /etc/shells.

Log file format

The format of the log files is a little unusual. You'll see things like:

Oct 12 16:32:04 freebie ftpd[8691]: ANONYMOUS FTP LOGIN FROM adam.adonai.net, leec@adonainet
Oct 12 18:33:32 freebie ftpd[9007]: connection from gateway.smith.net.au
Oct 12 18:33:37 freebie ftpd[9007]: ANONYMOUS FTP LOGIN FROM gateway.smith.net.au, mike
Oct 12 21:36:28 freebie ftpd[9369]: connection from grisu.bik-gmbh.de
Oct 12 21:36:29 freebie ftpd[9369]: ANONYMOUS FTP LOGIN FROM grisu.bik-gmbh.de, harvest@
Oct 12 21:36:37 1997!harvest@!grisu.bik-gmbh.de!/pub/cfbsd/README!9228!1
Oct 12 21:37:05 freebie ftpd[9371]: connection from grisu.bik-gmbh.de
Oct 12 21:37:06 freebie ftpd[9371]: ANONYMOUS FTP LOGIN FROM grisu.bik-gmbh.de, harvest@
Oct 13 09:38:19 freebie ftpd[13514]: connection from 151.197.101.46
Oct 13 09:38:21 freebie ftpd[13514]: ANONYMOUS FTP LOGIN FROM 151.197.101.46, bmc@hovercraft.willscreek.com
Oct 13 09:38:58 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/dear-reviewer!8890!1
Oct 13 09:41:42 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/txt/26-netdebug.txt.gz!12188!1
Oct 13 09:42:05 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/txt/C-packages.txt.gz!37951!1
Oct 13 09:59:07 freebie ftpd[14117]: connection from 151.197.101.46
Oct 13 09:59:08 freebie ftpd[14117]: ANONYMOUS FTP LOGIN FROM 151.197.101.46, bmc@hovercraft.willscreek.com
Oct 13 09:59:24 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/txt/D-biblio.txt.gz!1815!1

This log excerpt shows three kinds of message:

• The messages starting with the text connection from occur when an ftp connection is made. They don't mean that any permission to access has been given. These messages are logged by the -l option.

• anonymously. The name follows, not always in the required username format. The standard ftpd does not enforce this requirement; you may find something that does in the Ports Collection. These messages are logged by the -S option.

• The lines full of ! marks show files being transferred. The ! marks delimit the fields, which are:

  • The year, as an extension of the timestamp

  • The user ID

  • The IP address of the system to which the data is transferred

  • The name of the file transferred

  • The number of bytes transferred
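Because the -S transfer records use a different layout from the syslog lines, a summary needs two small parsers. The following is an added example, not from the book: it reads a file of ftpd log lines, totals bytes and files per user ID from the "!"-delimited records (year, user ID, address, file name, bytes, in that order, as listed above; the trailing field is left alone because the text does not describe it) and counts ANONYMOUS FTP LOGIN FROM messages per source host. The sample is the log excerpt shown above with its wrapped lines rejoined; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): summarize ftpd log lines.

# The excerpt from the text above, wrapped lines rejoined.
FTPD_LOG_SAMPLE='Oct 12 16:32:04 freebie ftpd[8691]: ANONYMOUS FTP LOGIN FROM adam.adonai.net, leec@adonainet
Oct 12 18:33:32 freebie ftpd[9007]: connection from gateway.smith.net.au
Oct 12 18:33:37 freebie ftpd[9007]: ANONYMOUS FTP LOGIN FROM gateway.smith.net.au, mike
Oct 12 21:36:28 freebie ftpd[9369]: connection from grisu.bik-gmbh.de
Oct 12 21:36:29 freebie ftpd[9369]: ANONYMOUS FTP LOGIN FROM grisu.bik-gmbh.de, harvest@
Oct 12 21:36:37 1997!harvest@!grisu.bik-gmbh.de!/pub/cfbsd/README!9228!1
Oct 12 21:37:05 freebie ftpd[9371]: connection from grisu.bik-gmbh.de
Oct 12 21:37:06 freebie ftpd[9371]: ANONYMOUS FTP LOGIN FROM grisu.bik-gmbh.de, harvest@
Oct 13 09:38:19 freebie ftpd[13514]: connection from 151.197.101.46
Oct 13 09:38:21 freebie ftpd[13514]: ANONYMOUS FTP LOGIN FROM 151.197.101.46, bmc@hovercraft.willscreek.com
Oct 13 09:38:58 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/dear-reviewer!8890!1
Oct 13 09:41:42 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/txt/26-netdebug.txt.gz!12188!1
Oct 13 09:42:05 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/txt/C-packages.txt.gz!37951!1
Oct 13 09:59:07 freebie ftpd[14117]: connection from 151.197.101.46
Oct 13 09:59:08 freebie ftpd[14117]: ANONYMOUS FTP LOGIN FROM 151.197.101.46, bmc@hovercraft.willscreek.com
Oct 13 09:59:24 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/txt/D-biblio.txt.gz!1815!1
'

# "user bytes files" per user ID, from the "!"-delimited transfer records in $1.
# Field 1 is "Mon dd hh:mm:ss yyyy", then user, address, file, bytes.
ftpd_transfer_totals() {
    awk -F'!' '
        NF >= 5 && $1 ~ /^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]+ [0-9][0-9][0-9][0-9]$/ {
            bytes[$2] += $5; files[$2]++
        }
        END { for (u in bytes) printf "%s %d %d\n", u, bytes[u], files[u] }
    ' "$1" | sort
}

# "host logins" per source host, from the ANONYMOUS FTP LOGIN FROM messages in $1.
ftpd_login_counts() {
    awk '
        /ANONYMOUS FTP LOGIN FROM/ {
            host = $(NF-1); sub(/,$/, "", host)    # strip the trailing comma
            logins[host]++
        }
        END { for (h in logins) printf "%s %d\n", h, logins[h] }
    ' "$1" | sort
}

main() {
    f=$(mktemp)
    printf '%s' "$FTPD_LOG_SAMPLE" > "$f"
    echo "Bytes and files transferred per user:"; ftpd_transfer_totals "$f"
    echo "Anonymous logins per host:"; ftpd_login_counts "$f"
    rm -f "$f"
}

main
```

The transfer parser keys on the timestamp-plus-year shape of the first field, so the syslog-style lines (which contain no "!" at all) are ignored without a separate filter. Hosts that appear in connection from messages but never in a login message are the ones that never got past the greeting; comparing the two counts is a cheap way to spot them.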

sshd reads a configuration file /etc/ssh/sshd_config. Like its companion /etc/ssh/ssh_config, it contains mainly commented-out lines showing the default values. Most of them don't require change, but the following entries may be of interest:

• Protocol states which ssh protocols to use, and in which order. By default, sshd tries protocol 2 first, and falls back to protocol 1 if protocol 2 fails. You might consider setting it to use only protocol 2.

• When PermitRootLogin is set to yes, you can log in as root via ssh. Normally it's disabled.

• Set PasswordAuthentication to no if you want all access to be via key exchange (see page 420 for more details).

If you want to run sftp-server, add the following line to /etc/ssh/sshd_config:
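The three settings above are the ones most worth verifying on a running system, and because sshd_config ships with its defaults shown as comments, a check has to treat an absent or commented-out keyword as "the default applies". The following is an added example, not code from the book or from OpenSSH: it reports the effective value of Protocol, PermitRootLogin and PasswordAuthentication from a given sshd_config and flags the ones that differ from the recommendations in the text. The defaults it assumes are the ones the text describes (protocol 2 then 1, root login disabled, password authentication allowed); the sample configuration is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): check three sshd_config settings.

# Constructed sample: commented defaults as shipped, plus two live settings.
SAMPLE_SSHD_CONFIG='#Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication no
'

# Effective value of keyword $1 in sshd_config $2: the last uncommented
# occurrence wins, otherwise the default in $3 applies.
sshd_effective() {
    awk -v key="$1" -v def="$3" '
        /^[[:space:]]*#/ { next }                 # commented-out default
        tolower($1) == tolower(key) { val = $2 }  # keywords are case-insensitive
        END { if (val == "") print def; else print val }
    ' "$2"
}

# One line per setting: "Keyword value ok" or "Keyword value CHECK".
# Defaults assumed from the text: Protocol 2,1 ; PermitRootLogin no ;
# PasswordAuthentication yes.
sshd_hardening_report() {
    p=$(sshd_effective Protocol "$1" "2,1")
    r=$(sshd_effective PermitRootLogin "$1" no)
    a=$(sshd_effective PasswordAuthentication "$1" yes)
    [ "$p" = "2" ]  && ps=ok || ps=CHECK   # text: consider protocol 2 only
    [ "$r" = "no" ] && rs=ok || rs=CHECK   # text: normally disabled
    [ "$a" = "no" ] && as=ok || as=CHECK   # text: key-based access only
    printf 'Protocol %s %s\n' "$p" "$ps"
    printf 'PermitRootLogin %s %s\n' "$r" "$rs"
    printf 'PasswordAuthentication %s %s\n' "$a" "$as"
}

main() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_SSHD_CONFIG" > "$f"
    sshd_hardening_report "$f"
    rm -f "$f"
}

main
```

Run it as sshd_hardening_report /etc/ssh/sshd_config. The "last uncommented occurrence wins" rule is what makes the check honest: a hardened line near the top can be silently undone by a later one, and a report that only greps for the first match would miss that.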

Starting rsyncd isn't enough, though: it needs configuration. Create a file /usr/local/etc/rsyncd.conf with contents something like this:

motd file = /usr/local/etc/rsyncd.txt
log file = /var/log/rsyncd.log
transfer logging = true
comment = TiVo staging area
hosts allow = tivo.example.org

This is the configuration file used in the server examples in Chapter 24. It consists of two parts: a global part at the beginning, with settings that apply to all modules, and one or more module parts describing files that the server will supply.

The global options here specify the motd file, a file whose contents are printed when you list modules (the "be gentle" message in the examples), and that transfers should be logged to /var/log/rsyncd.log. The log output looks something like this:

2002/10/24 13:31:49 [16398] send presto.example.org [192.109.197.74] groggy () slashdot/topicscience.gif 1083
2002/10/24 13:31:49 [16398] send presto.example.org [192.109.197.74] groggy () slashdot/topicsecurity.gif 3034
2002/10/24 13:31:49 [16398] send presto.example.org [192.109.197.74] groggy () slashdot/topictv.jpg 951
2002/10/24 13:31:49 [16398] send presto.example.org [192.109.197.74] groggy () slidepdf 40470
2002/10/24 13:31:49 [16398] send presto.example.org [192.109.197.74] groggy () stockwhip.html 1602


have two modules. Both have a comment, a descriptive text printed out when you list the modules, and both allow listing the name of the module (list = yes). In addition:

• Module groggy makes available the directory /home/grog/public_html, my web pages, for read-only access. rsyncd accesses the module as user grog. Any host on the 256 address block starting with 223.147.37.0 can access the data.

• Module tivo makes available the directory /var/tivo for read-write access, but only to the host tivo.example.org. Again rsyncd accesses the data as user grog.

There are a large number of other options for rsyncd, but this example shows the most important ones. See the man page rsyncd.conf(5) for more information.
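The description above of the two modules (one read-only and open to a whole address block, one read-write but restricted to a single host) is exactly what an administrator wants to confirm from the file itself, because the dangerous combination is a writable module with no hosts allow. The script below is an added example, not from the book or from rsync: it parses an rsyncd.conf and, for each module, prints whether it is writable and which hosts may reach it, with the defaults taken from rsyncd.conf(5) (read only defaults to true; an absent hosts allow means any host). The sample file is constructed to match the two modules described in the text plus a third, deliberately misconfigured module called dropbox; the address block for groggy is written as 223.147.37.0/24, this example's rendering of the "256 address block" in the text.

```shell
#!/bin/sh
# Added example (not from the book): report access per rsyncd module.

# Constructed sample matching the text: global part, then modules.
SAMPLE_RSYNCD_CONF='motd file = /usr/local/etc/rsyncd.txt
log file = /var/log/rsyncd.log
transfer logging = true

[groggy]
    path = /home/grog/public_html
    comment = my web pages
    uid = grog
    list = yes
    read only = yes
    hosts allow = 223.147.37.0/24

[tivo]
    path = /var/tivo
    comment = TiVo staging area
    uid = grog
    list = yes
    read only = no
    hosts allow = tivo.example.org

[dropbox]
    path = /var/dropbox
    comment = constructed mistake: writable and open to the world
    read only = no
'

# Print "module read-only|WRITABLE hosts" for each module in rsyncd.conf $1.
rsyncd_module_report() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ {                       # new module section
            mod = $0; sub(/^[[:space:]]*\[/, "", mod); sub(/\][[:space:]]*$/, "", mod)
            mods[++n] = mod; ro[mod] = "true"; hosts[mod] = ""   # rsyncd.conf(5) defaults
            next
        }
        mod == "" { next }                        # global settings: not per module
        {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "read only")   ro[mod] = val
            if (key == "hosts allow") hosts[mod] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                m = mods[i]
                access = (ro[m] == "yes" || ro[m] == "true") ? "read-only" : "WRITABLE"
                h = (hosts[m] == "") ? "ANY-HOST" : hosts[m]
                printf "%s %s %s\n", m, access, h
            }
        }
    ' "$1"
}

main() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_RSYNCD_CONF" > "$f"
    rsyncd_module_report "$f"
    rm -f "$f"
}

main
```

Any line reading "WRITABLE ANY-HOST" is the one to fix before the daemon goes live. The parser deliberately ignores the global section, since hosts allow there would apply to every module and a per-module listing would then be misleading; extend it if your file relies on global access rules.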

Setting up a web server

FreeBSD is a system of choice for running web servers, so it's not surprising that a large number are available. Probably the most popular is apache, which is available in the Ports Collection. Install with:

# cd /usr/ports/www/apache13
# make install

In future versions, the name apache13 will change. Apache comes with a lot of documentation in HTML format (of course), which is installed in /usr/local/share/doc/apache/manual. You might find it useful to put a symbolic link to it in your web home directory:

The Apache port uses the following directories:

• The configuration files are in the directory hierarchy /usr/local/etc/apache. The port installs prototype configuration files, but they need to be modified.

• By default, the web pages are in /usr/local/www/data. This is the "root" directory for the web pages: the file /usr/local/www/data/foo.html on www.example.org will have the URL http://www.example.org/foo.html. You may find it a good idea to change the directory to the /var file system in a location such as /var/www/data. We'll look at how to do that with the DocumentRoot entry in the configuration file.

• Icons for Apache's own use are stored in /usr/local/www/icons. You can't access these icons by URI, so don't put your own images here.

• CGI scripts are stored in /usr/local/www/cgi-bin.

The configuration file

The apache configuration file is /usr/local/etc/apache/httpd.conf. Older versions of apache also used the files /usr/local/etc/apache/access.conf and /usr/local/etc/apache/srm.conf. The division between these three files was relatively arbitrary, and the current recommendation is to not use these files, but to put their content in /usr/local/etc/apache/httpd.conf instead. See the apache documentation if you need to change the other files.

httpd.conf

Probably the best way to understand httpd.conf is to read through it. It's pretty long and contains a large number of comments. Most entries can be left the way they are, so we won't list the entire file here: instead we'll look at the parameters that may need change. We'll look at the system-wide features in the following list, and host-related features in the next section.

• ServerType states whether you start it from inetd or standalone (the default). It's not a good idea to start httpd from inetd, so you should leave this entry unchanged.

• ServerRoot claims to be the path to the configuration files, but in fact the files are stored in the subdirectory etc/apache of this directory. You shouldn't need to change it.

• The comments about ScoreBoardFile suggest that you should check to see if the system creates one. Don't bother: FreeBSD doesn't create this file, and you don't need to worry about it.

• The Keep-Alive extension to HTTP, as defined by the HTTP/1.1 draft, allows persistent connections. These long-lived HTTP sessions allow multiple requests to be sent over the same TCP connection, and in some cases have been shown to result in an almost 50% speedup in latency times for HTML documents with lots of images.

• The parameters MinSpareServers, MaxSpareServers, StartServers, MaxClients and MaxRequestsPerChild are used for server tuning. The default values should work initially, but if you have a lot of Web traffic, you should consider changing them.

• The next area of interest is a large list of modules. A lot of apache functionality is optional, and you include it by including a module. We'll look at this in more detail below.

• The parameter ProxyRequests allows Apache to function as a proxy server. We'll look at this in more detail below.

• The parameters starting with Cache apply only to proxy servers, so we'll look at them below as well.

• The Listen parameter defines alternate ports on which Apache listens.

• DirectoryIndex is a list of names that httpd recognizes as the main page ("index") in the directory. Traditionally it's index.html. This is the means by which httpd changes a directory name into an index. It searches for the names in the order specified. For example, if you're using PHP, DirectoryIndex gets set to the string index.php index.php3 index.html, and that's the sequence in which it looks for a page.

The file ends with a commented out VirtualHost section. We'll look at it in detail in the next section, along with a number of parameters that appear elsewhere in the configuration file, but that relate to virtual hosts.

Virtual hosts

Running and maintaining a web server is enough work that you might want to use the same server to host several sets of web pages, for example for a number of different organizations. apache calls this feature virtual hosts, and it offers a lot of support for them. Theoretically, all your hosts can be virtual, but the configuration file still contains additional information for a "main" server, also called a "default" server. The default configuration does not have any virtual servers at all, though it does contain configuration information.

There's a good reason to keep the "main" server information: it serves as defaults for all virtual hosts, which can make the job of adding a virtual host a lot easier.

Consider your setup at example.org: you may run your own web pages and also a set of pages for biguser.com (see page 310). To do this, you add the following section to /usr/local/etc/apache/httpd.conf:

<VirtualHost *>
ServerAdmin grog@example.org
DocumentRoot /usr/local/www/biguser

(the DocumentRoot line names the directory where we put the web pages)

If you look at the default configuration file, you'll find most of these parameters, but not in the context of a VirtualHost definition. They are the corresponding parameters for the "main" web server. They have the same meaning, so we'll look at them here.

• ServerAdmin is the mail ID of the system administrator. For the main server, it's set to you@your.address, which obviously needs to be changed. You don't necessarily need a ServerAdmin for each virtual domain; that depends on how you run the system.


• DocumentRoot is the name of the directory that will become the root of the web page hierarchy that the server provides. By default, for the main server it's /usr/local/www/data, which is not really a very good place for data that changes frequently. You might prefer to change this to /var/www, as some Linux distributions do. This is one parameter that you must supply for each virtual domain: otherwise the domain would have the same content as the main server. In this case, it's the location of the files in http://www.example.com/.

• Next you can put information about individual data directories. The default server first supplies defaults for all directories:

system-wide defaults, and though you don't have to worry about apache playing around in your root file system, that's the only directory of which all other directories are guaranteed to be a subdirectory. The Options directive ensures that the server can follow symbolic links belonging to the owner. Without this option, symbolic links would not work. We'll look at the AllowOverride directive in the discussion of the htaccess file below.

There's a separate entry for the data hierarchy:

In this case, we have two additional options:

• Indexes allows httpd to display the contents of a directory if no index file, with a name defined in DirectoryIndex, is present. Without this option, if there is no index file present, you will not be able to access the directory at all.

• MultiViews allows content-based multiviews, which we don't discuss here. Note that if you change the name of the default data directory, you should also change the name on the Directory invocation.

We'll look at the remaining entries in more detail when we see them again in the discussion of the htaccess file.

• Normally you should set ServerName. For example, www.example.org is a CNAME for freebie.example.org (see page 370), and if you don't set this value, clients will access www.example.org, but the server will return the name freebie.example.org.
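Two of the points above are worth checking mechanically once a configuration has several virtual hosts: every VirtualHost needs its own DocumentRoot (otherwise it serves the main server's content), and Indexes should be enabled only where a directory listing is intended, since it exposes every file in a directory that lacks an index page. The script below is an added example, not code from the book or from Apache: it lists each VirtualHost with its ServerName and DocumentRoot, and lists the Directory sections whose Options include Indexes. The sample httpd.conf is constructed from the directives discussed in the text (the biguser virtual host, a deliberately incomplete second one, and the two Directory entries); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): check VirtualHost and Directory entries.

# Constructed sample built from the directives discussed in the text.
SAMPLE_HTTPD_CONF='ServerAdmin you@your.address
DocumentRoot /usr/local/www/data
ServerName www.example.org

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/usr/local/www/data">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>

<VirtualHost *>
    ServerAdmin grog@example.org
    DocumentRoot /usr/local/www/biguser
    ServerName www.biguser.com
</VirtualHost>

<VirtualHost *>
    ServerName www.example.net
    # constructed mistake: no DocumentRoot, so this host serves the main pages
</VirtualHost>
'

# Print "servername documentroot" per VirtualHost in httpd.conf $1, flagging
# hosts that would fall back to the main server content.
apache_vhost_report() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*<VirtualHost/ { invh = 1; name = "(no ServerName)"; root = ""; next }
        /^[[:space:]]*<\/VirtualHost>/ {
            r = (root == "") ? "MISSING-DocumentRoot" : root
            printf "%s %s\n", name, r
            invh = 0; next
        }
        invh && $1 == "ServerName"   { name = $2 }
        invh && $1 == "DocumentRoot" { root = $2 }
    ' "$1"
}

# Print each Directory whose Options line enables Indexes (directory listings).
apache_indexes_dirs() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*<Directory / { dir = $2; sub(/>$/, "", dir); gsub(/"/, "", dir); next }
        /^[[:space:]]*<\/Directory>/ { dir = ""; next }
        dir != "" && $1 == "Options" {
            for (i = 2; i <= NF; i++) if ($i == "Indexes") print dir
        }
    ' "$1"
}

main() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_HTTPD_CONF" > "$f"
    echo "Virtual hosts:"; apache_vhost_report "$f"
    echo "Directories with Indexes enabled:"; apache_indexes_dirs "$f"
    rm -f "$f"
}

main
```

Point both functions at /usr/local/etc/apache/httpd.conf. A MISSING-DocumentRoot line means that host is silently serving the main server's pages, and every directory listed by the second function is one whose contents a client can enumerate whenever no DirectoryIndex file is present.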


Date posted: 11/12/2013, 00:15
