Oracle® HTTP Server Administrator's Guide
10g Release 2 (10.1.2) B14007-03 |
|
Previous |
Next |
This appendix provides answers to frequently asked questions about Oracle HTTP Server.
Documentation from the Apache Software Foundation is referenced when applicable.
Note: Readers using this guide in PDF or hard copy formats will be unable to access third-party documentation, which Oracle provides in HTML format only. To access the third-party documentation referenced in this guide, use the HTML version of this guide and click the hyperlinks. |
Oracle HTTP Server has a default content handler for dealing with errors. You can use the ErrorDocument
directive to override the defaults.
For HTTP, Oracle HTTP Server supports two types of virtual hosts: name-based and IP-based. HTTPS supports only IP-based virtual hosts.
If you are using IP-based virtual hosts for HTTP, then the customer has a virtual server listening on port 80 of a per-customer IP address. To provide HTTPS for these customers, simply add an additional virtual host per user listening on port 4443 of that same per-customer IP address and use SSL directives, such as Using mod_ossl Directives to specify the per-customer SSL characteristics. Note that each customer can have their own wallet and server certificate.
If you are using name-based virtual hosts for HTTP, each customer has a virtual server listening on port 80 of a shared IP address. To provide HTTPS for those customers, you can add a single shared IP virtual host listening on port 4443 of the shared IP address. All customers will share the SSL configuration, including the wallet and ISP's server certificate.
You can use Oracle HTTP Server as a cache by setting the ProxyRequests
to "On" and CacheRoot
directives.
You can use multiviews, a general name given to the Apache server's ability to provide language and character-specific document variants in response to a request.
You can use directives such as ExpiresActive
, ExpiresByType
, ExpiresDefault
, to set the length of time that any cache existing between the client and the Web server will cache the returned Web pages.
See Also: "ExpiresActive, ExpiresByType, ExpiresDefault directives" in the Apache Server documentation. |
You should use the Proxy directives, and not the Cache directives, to send proxy sensitive requests across firewalls.
mod_oc4j
is a module that integrates with Web servers, typically Oracle HTTP Server, and routes request to the backend OC4J processes. OPMN module keeps mod_oc4j
aware of the status of different OC4J processes, so mod_oc4j
routes only to the processes that are up and running. mod_oc4j
also understands the concepts of Oracle Application Server Clusters and OC4J islands, and routes accordingly to provide as much transparent failover as possible.
mod_oc4j
supports other Web servers including IIS, Sun ONE, and non-Oracle HTTP Server Apache Servers.
The AJP communication between mod_oc4j
and OC4J processes can now be over AJP/SSL. Previously, this was in the clear. Also, the SSL negotiation does not happen each time mod_oc4j
and OC4J communicate, resulting in less performance impact.
You cannot apply the Apache security patches to Oracle HTTP Server for the following reasons:
Oracle tests and appropriately modifies security patches before releasing them to Oracle HTTP Server users.
In many cases those alerts may not be applicable, for example, openSSL
alerts, since Oracle has removed those components from the stack in use.
Oracle releases these patches soon enough that the time-delay impact of getting the patch from Oracle versus open source organization should be minimal and the benefit with respect to supportability, tremendous.
In general, Oracle recommends the use of OracleAS Web Cache for this purpose. There are other freeware modules, such as mod_gzip
that may be plugged in for this purpose, but their use is not supported. When using these, there may be an error message with respect to EAPI, but in general that can be ignored.
The general idea is that all servers in a distributed Web site should agree on a single URL namespace. Every server serves some part of that namespace, and is able to redirect or proxy requests for URLs that it does not serve to a server that is "closer" to that URL. For example, your namespaces could be the following:
/app1/login.html /app1/catalog.html /app1/dologin.jsp /app2/orderForm.html /apps/placeOrder.jsp
We could initially map this namespace to two Web servers by putting app1
on server1 and app2
on server2. Server1's configuration might look like the following:
Redirect permanent /app2 http://server2/app2 Alias /app1 /myApps/application1 <Directory /myApps/application1> ... </Directory>
Server2's configuration is complementary. If you decide to partition the namespace by content type (HTML on server, JSP on server2), change server configuration and move files around, but do not have to make changes to the application itself. The resulting configuration of server1 might look like the following:
RedirectMatch permanent (.*) \.jsp$ http://server2/$1.jsp AliasMatch ^/app(.*) \.html$ /myPages/application$1.html <DirectoryMatch "^/myPages/application\d"> ... </DirectoryMatch>
Note that the amount of actual redirection can be minimized by configuring a hardware load balancer like F5 system's BigIP to send requests to server1 or server2 based on the URL.
There are many attacks, and new attacks are invented everyday. The following are some general guidelines for securing your site. You can never be completely secure, but you can avoid being an easy target.
Use a commercial firewall, such as Checkpoint FW-1 or Cisco PIX between your ISP and your Web server. Recognize, however, that not all hackers are outside your organization.
Use switched ethernet to limit the amount of traffic a compromised server can sniff. Use additional firewalls between Web server machines and highly sensitive internal servers running database and enterprise applications.
Remove unnecessary network services such as RPC, Finger, telnet from your server machine.
Carefully validate all input from Web forms. Be especially wary of long input strings and input that contains non-printable characters, HTML tags, or javascript tags.
Encrypt or randomize the contents of cookies that contain sensitive information. For example, it should be difficult to guess a valid sessionID to prevent a hacker from hijacking a valid session.
Check often for security patches for all your system and application software, and install them as soon as possible. Be sure these patches come from bona fide sources; download from trusted sites and verify the cryptographic checksum.
Use an intrusion detection package to monitor for defaced Web pages, viruses, and presence of "rootkits" that indicate hackers have broken in. If possible, mount system executables and Web content on read-only file systems.
Have a "forensic analysis" package on hand to capture evidence of a break in as soon as detected. This aids in prosecution of the hackers.