This is a proposed Canonical Question about Beginning Web Server Administration.

Assuming that you are a beginning SysAd, are new to WebOps, or a small team with little or no experienced Web Server SysAd support (and cannot afford it right now), what should you do to configure and secure a Web Server for your business?

Before We Begin:

Having quality people will save you money. Just like having a good Lawyer (NSFW) or an accountant, having a quality SysAd will save you money. You may not have the money to pay for the expertise now, but as soon as you can, you should make that investment.

You should know:

Web Server Administration is a large topic, and it is intrinsically interweaved with many different disciplines. To do it well you will need a fundamental understanding of TCP/IP, your host OS, your WebServer Application, and some understanding of running the application stack.

Be prepared to read. A lot.

Identify your needs:

Requirements

• Are you running a plain, static website (maybe with some Javascript effects), or
• (more likely) are you running an application that happens to have a web interface?
• Do you have persistent data? (Do you need a database?)
• Are there user credentials involved? Is there another reason that you’d need the connection between the user and website to be secured? (SSL)
• Are you handling payments of any kind? In addition to having SSL requirements, there are additional considerations that you’ll need to research (dependent on region). These will also vary depending on the payment processor that you use.

Identify your stack:

How are you going to write and run this?

• Platform (Windows, Linux, other Unix, etc)
• App requirements (Ruby/Rails, Python, Perl, PHP, .NET, etc, etc)
• Database (…)
• Caching? (Honestly, don’t worry about this now; be aware that this solves some problems, and can create others. This is a problem of performance, and right now you’re just trying to get started.)

Some of these choices will inform others. For instance, If you’re running a .NET app, you probably want to use MSSQL and IIS; If you’re running Ruby on Rails, you probably want a Linux server.

Get to Know your Product:

Now that you’ve decided on what your stack will look like, you need to get to know it. This is where you should spend most of your time. Searching for “Configure [product]” or “[product] Admin Guide” should get you plenty of resources.

For instance, if you are running Apache on Ubuntu, you should absolutely read:

• http://httpd.apache.org/docs/2.2/
• https://help.ubuntu.com/10.04/serverguide/httpd.html

Look for similar docs, articles, blog posts for your stack.

Install the bare minimum:

There is a vast array of modules for Apache, but if you’re not going to use PHP (for example), don’t install mod-php.

It also should be stated here that you should avoid installing a GUI if it’s a Linux server; GUI’s use up a significant amount of system resources.

Securing the site:

• Ensure minimal permissions to function. This applies not only to the filesystem, but also to services and processes
• Keep server ports disabled for unneeded services. (Again, only install the minimum.)
• Restrict application interfaces to the internal environment (if, for instance, running a web application on the same server (such as Rails), restrict it to only listen to localhost)

In Closing:

This is only the beginnings of what you should do to get a site up and running. This doesn’t even begin to touch the problems of maintaining servers or how to handle problems of scaling should your project become successful, nor any of the other myriad issues that a knowledgeable SysAd will solve for you.

Check more discussion of this question.

We have got a website (hosted locally but available over the internet) that does not work for everybody. The problem has been reported by internal users having windows vista home. If they go on our website with this address http://example.com, everything is fine. If the address is http://www.example.com it doesn’t work, they get a simple error message that suggest to reload the page. It’s not all Vista users that have this problem.

For the rest of our group, both address are working. Our server (Windows Server 2008) accept both headers. Cache has been cleared and all browser get the same error on those vista home, so I don’t know what to do more. Maybe it’s a server security? Any ideas?

As suggested by @TheCleaner I did a ping to our website:

On Windows 7

I get a 209.161.xxx.xx for both website (It's the good address)

On Vista

I get a 208.69.xx.xxx for the website with www. (the 209.161.xxx.xx should be the good one...but I see my website)
I get a 192.168.1.25 without the www. (this was an old server that crashed about 2 month ago)

How do I resolve this? Thanks

Are any/all of these clients connected via a proxy, or do they access the server directly? It sounds like there’s some legacy stuff hanging around. Can you check the C:/Windows/system32/drivers/etc/hosts file to see if the server has some nasty hard coded stuff in there?

Check more discussion of this question.

I have lighttpd as web server and on it I have installed IP-based SSL certificates.

I want to have a way to have multiple SSL certificates on each new IP that the server may get.

For example, at the moment I have https://127.0.0.1 and it works, but it certificate on which the CN = 127.0.0.1, so if the webserver gets a new IP from the DHCP server, say 192.168.1.x, the server will cause SSL mismatches.

Instead I need a new certificate exclusively for that IP address.

How can I create a multi-IP based SSL certificate? Of course on lighttpd.

I’m not sure I understand your question correct, but if you want to serve the same certificate on all IP interfaces on the server, define a socket without giving an IP:

$SERVER["socket"] == ":443" {
     ssl.engine                  = "enable" 
     ssl.pemfile                 = "/path/to/ssl/certificate.pem" 
}

This way it listens and serves https with the same certificate (certificate.pem) on all interfaces, no matter what IP address has been assigned

Check more discussion of this question.

There is server with Hyper-v. We would like split them to several virtual machine’s. Each machine has own web server. There is any solution pass to Webserver not throw external ip(buying them)?

Yes – and it has nothing to do with VMs, it can be done in a single IIS server (or multiple ones). It’s called Host Header : it enables your webserver to respond differently based on the website name that the client is asking for.

Check more discussion of this question.

When I created a website named Portal on my IIS 7.5 on the website permissions->security I got this user. What is its purpose?

From what I have read the ApplicationPool runs under NetworkService permissions, but I noticed if I gave Portal user full permissions I could do the saving I wanted in the virtual folder without needing to impersonate any other user (I used to impersonate admin which was a bad idea). So I guess my question is, should I be setting permissions on this Portal user without knowing how it came about?

It seems that this user did not get created when I created the website, but did so when I published to the website from VS 2010.

In IIS 7.5 the default behavior is to run all application pools under a specific account for the individual application. You can of course change this if you modify the application pool settings.

Regardless, yes, setting permissions against this user is the desired behavior as it limits the potential attack surface rather than using a generic network service account as in the past.

You can read more about the change to default accounts in IIS here.

Check more discussion of this question.

What is a possible scenario for exhausting the memory designated to a connection zone with limit_conn_zone directive and what are the implication in this case?

Suppose I have this in my configuration:

http {
  limit_conn_zone $binary_remote_addr zone=connzone:1m;
  ...
  server {
    limit_conn connzone 5;

which, according to the documentation, allocates 16000 states for connzone on a 64-bit server. It also says that

If the storage for a zone is exhausted, the server will return error
503 (Service Temporarily Unavailable) to all further requests.

Well, Ok. But what does it mean on practice? When does this happen? Who receives those 503s? Does it mean that if the number of IPs somehow associated with connzone hits 16000 everyone gets a 503 and it’s all over? How does Nginx decide? The documentation is weirdly vague on this.

So, considering the example config, who would actually get a 503 and under which circumstances and how would things go from there? Same with request zones?

Practice? You can control the total amount of IPs connected to the server.

When? Well, if the zone is full.

Who? Yes, everybody who isn’t already within the zone and as long as the zone is full.

If you’re on a 64 bit system and set the zone to 1M, nginx can store up to 16,000 IPs. This means if 16,001 IPs have to be stored that +1 user will receive the first 503 error. The decision is pretty easy, if the B-tree is full, reject.

You can find out the exact implementation by reading the source code of the module: https://github.com/git-mirror/nginx/blob/master/src/http/modules/ngx_http_limit_conn_module.c

Request zones works pretty similar.

Check more discussion of this question.

We have two Coldfusion servers that have a huge performance difference running the exact same code on the exact same input data. The code in questions instantiates a large amount of CFCs (Coldfusion Components, which are similar to objects in OOP languages).

I compared the two servers by running Process Monitor and then calling the problematic code on both machines. I learned two things. First, Coldfusion opens CFC files every time it instantiates an object. Both servers do this, so it cannot be the cause of the performance difference. Second, the fast server opens the CFC files directly while the server with the performance problem seems to navigate its way through the path until it reaches the desired CFC file. It does this for every file, even the ones it has previously loaded, and because the code instantiates so many CFCs it becomes very slow. See below the partial Promon traces that show this behavior. It can take over 60 seconds for the slow server to do what the fast one does in 2 seconds.

Can anyone tell me what causes this behavior? Is it a Coldfusion setting? Since Coldfusion runs on top of Java, is it a Java setting? Is it an OS option? The fast server is running Windows XP and I think the slow server is a Windows Server 2003.

Bonus question: Coldfusion doesn’t seem to perform any READ FILE operations on any of the CFC or CFM files. How can this be?

Sample of the fast server opening CFC files:

11:25:14.5588975    jrun.exe    QueryOpen                   C:\CF\wwwroot\APP\com\HtmlUtils.cfc
11:25:14.5592758    jrun.exe    CreateFile                  C:\CF\wwwroot\APP\com\HtmlUtils.cfc
11:25:14.5595024    jrun.exe    QueryBasicInformationFile   C:\CF\wwwroot\APP\com\HtmlUtils.cfc
11:25:14.5595940    jrun.exe    CloseFile                   C:\CF\wwwroot\APP\com\HtmlUtils.cfc
11:25:14.5599628    jrun.exe    CreateFile                  C:\CF\wwwroot\APP\com\HtmlUtils.cfc
11:25:14.5601600    jrun.exe    QueryBasicInformationFile   C:\CF\wwwroot\APP\com\HtmlUtils.cfc
11:25:14.5602463    jrun.exe    CloseFile                   C:\CF\wwwroot\APP\com\HtmlUtils.cfc

Equivalent sample of the slow server opening CFC files:

11:15:08.1249230    jrun.exe    CreateFile                  D:\
11:15:08.1250100    jrun.exe    QueryDirectory              D:\org
11:15:08.1252852    jrun.exe    CloseFile                   D:\
11:15:08.1259670    jrun.exe    CreateFile                  D:\org
11:15:08.1260319    jrun.exe    QueryDirectory              D:\org\cli
11:15:08.1260769    jrun.exe    CloseFile                   D:\org
11:15:08.1269451    jrun.exe    CreateFile                  D:\org\cli
11:15:08.1270613    jrun.exe    QueryDirectory              D:\org\cli\cpn
11:15:08.1271140    jrun.exe    CloseFile                   D:\org\cli
11:15:08.1279312    jrun.exe    CreateFile                  D:\org\cli\cpn
11:15:08.1280086    jrun.exe    QueryDirectory              D:\org\cli\cpn\APP
11:15:08.1280789    jrun.exe    CloseFile                   D:\org\cli\cpn
11:15:08.1291034    jrun.exe    CreateFile                  D:\org\cli\cpn\APP
11:15:08.1291709    jrun.exe    QueryDirectory              D:\org\cli\cpn\APP\com
11:15:08.1292224    jrun.exe    CloseFile                   D:\org\cli\cpn\APP
11:15:08.1300568    jrun.exe    CreateFile                  D:\org\cli\cpn\APP\com
11:15:08.1301321    jrun.exe    QueryDirectory              D:\org\cli\cpn\APP\com\HtmlUtils.cfc
11:15:08.1301843    jrun.exe    CloseFile                   D:\org\cli\cpn\APP\com
11:15:08.1312049    jrun.exe    CreateFile                  D:\org\cli\cpn\APP\com\HtmlUtils.cfc
11:15:08.1314409    jrun.exe    QueryBasicInformationFile   D:\org\cli\cpn\APP\com\HtmlUtils.cfc
11:15:08.1314633    jrun.exe    CloseFile                   D:\org\cli\cpn\APP\com\HtmlUtils.cfc
11:15:08.1315881    jrun.exe    CreateFile                  D:\
11:15:08.1316379    jrun.exe    QueryDirectory              D:\org
11:15:08.1316926    jrun.exe    CloseFile                   D:\
11:15:08.1330951    jrun.exe    CreateFile                  D:\org
11:15:08.1338656    jrun.exe    QueryDirectory              D:\org\cli
11:15:08.1339118    jrun.exe    CloseFile                   D:\org
11:15:08.1526468    jrun.exe    CreateFile                  D:\org\cli
11:15:08.1527295    jrun.exe    QueryDirectory              D:\org\cli\cpn
11:15:08.1527989    jrun.exe    CloseFile                   D:\org\cli
11:15:08.1531977    jrun.exe    CreateFile                  D:\org\cli\cpn
11:15:08.1532589    jrun.exe    QueryDirectory              D:\org\cli\cpn\APP
11:15:08.1533575    jrun.exe    CloseFile                   D:\org\cli\cpn
11:15:08.1538457    jrun.exe    CreateFile                  D:\org\cli\cpn\APP
11:15:08.1539083    jrun.exe    QueryDirectory              D:\org\cli\cpn\APP\com
11:15:08.1539553    jrun.exe    CloseFile                   D:\org\cli\cpn\APP
11:15:08.1544126    jrun.exe    CreateFile                  D:\org\cli\cpn\APP\com
11:15:08.1544980    jrun.exe    QueryDirectory              D:\org\cli\cpn\APP\com\HtmlUtils.cfc
11:15:08.1545482    jrun.exe    CloseFile                   D:\org\cli\cpn\APP\com
11:15:08.1551034    jrun.exe    CreateFile                  D:\org\cli\cpn\APP\com\HtmlUtils.cfc
11:15:08.1552878    jrun.exe    QueryBasicInformationFile   D:\org\cli\cpn\APP\com\HtmlUtils.cfc
11:15:08.1553044    jrun.exe    CloseFile                   D:\org\cli\cpn\APP\com\HtmlUtils.cfc

Thanks

Along the lines of Adam Cameron’s answer, I’d suggest comparing C:\ColdFusion8\lib\neo*.xml on both machines and working through the differences, particularly neo-runtime.xml and neo-debug.xml – these are where the config for ColdFusion are stored. Post any interesting differences here.

If you don’t have a diff tool, use the trial version of BeyondCompare as it’ll do whole directories and supports XML well.

Check more discussion of this question.

I have never used Node.js but since I am developing a browsergame that needs (almost) “realtime” communication, I am planning on using Node.js for this.

To get started, I wanted to use a home server (normal computer) that is conntected to a dynamic IP via DynDNS.

Are there the disadvantages using such a setting?

What is the best way in combination with Node.js to store game status for a online game session?

No there should not be any disadvantages (for the development phase of your project). But you have to take care that your dynamic IP is not reassigned while your client is online. (e.g. schedule your disconnect at night).

If you have got a low bandwidth connection, take account of the slow data transfer which will not occur as soon as you are hosting your server professionally.

The most appropriate way to store your game status is:

• Server side: Some structured data format, XML or SQL(ite)
• Client side: WebSQL. See http://www.w3.org/TR/webdatabase/

Check more discussion of this question.

I’m having troubles using SSL for 2 different websites on my IIS 7 server.
Please see my setup below:

website1: my.corporate.portal.com

SSL certificate for website1: *.corporate.portal.com

https/443 binded to my.corporate.portal.com

website2: client.portal.com
SSL certificate issued for: client.portal.com
When I try to bind https in IIS7 with the client’s certificate, I don’t have an option to put host name(grayed out) and as soon as I select ‘client.portal.com’ cert, I’m getting the following error in IIS:

At least one other site is using the same HTTPS binding
and the binding is configured with a different certificate.
Are you sure that you want to reuse this HTTPS binding 
and reassign the other site or sites to use the new certificate?

If I click ‘yes’ my.corporate.portal.com website stops using the proper SSL cert.

Could you suggest something?

Implementing Elastic Load Balancing for the Amazon instance solve the issue (http://aws.amazon.com/elasticloadbalancing/)

Check more discussion of this question.

i looking at trying to make my web server easier to manage, backup and replicate. I have websites, config files, ssl certs, vhosts scattered all over the place. It seems logical that they should all be in one place. i was thinking of creating a directory in root like so

/data

and inside this have all the directories for my data on this webserver like so:

/data 
    /websites                    [websites directories]
    /ssl_certs                   [secure certificates for sites]
    /vhosts                      [virtual host files for sites]
    /config                      [Software config files (apache, mod_security etc.)
        /apache2                 [Apache Server Config files]
        /proftpd                 [FTP Server Config files]
    /utilities                   [Misc Bash Scripts]

this would mean if i had to replicate this server, i could install and config the required packages and then copy this folder across which will contain all of my data. Also i could backup everything on my server easily and quickly so in the event of needing to restore i would have all my data in one place.

so i have 3 questions:

is this a good idea or would it be more hassle than its worth?

would there be any security implications of doing things this way?

what is the standard way of doing this if the above is not feasible?

Different sites do different things; if you have a backup system in place and disaster recovery plan that is thoroughly documented, and your config files are properly set up, where you put the files won’t matter.

“Standards”…there’s so many of them that it’s a stupid name. There are typical sites but even that varies by distro and web server.

In the end, if you have it properly documented and backed up, this shouldn’t be a problem. Do what fits best with your business/workflow and don’t worry about it.

Check more discussion of this question.