Configuration and management of Web servers

Source: Internet
Author: User

Configuration and management of Web servers (2) Virtual host technology

In the previous blog post we built a Web server with IIS and successfully accessed the default site that comes with IIS. Can we create another Web site on this server? In other words, can a single Web server host multiple sites? The answer is certainly yes. In fact, many small and medium-sized enterprises rent space for their websites online, and the Web server behind that rented space hosts many sites at once. When multiple sites exist on a single server, there must be a way to tell them apart, and that is virtual host technology. There are three ways to implement virtual host technology:

    • Take advantage of different IP addresses
    • Take advantage of different port numbers
    • Take advantage of different host names (domain names)

That is, as long as the sites differ in at least one of the three items (IP address, port number, host name), they can coexist. The three virtual host technologies are described below.

1. Setting up multiple sites with different IP addresses

This approach gives each site its own IP address. It normally requires several network cards in the Web server, each using a different IP. If the Web server has only one network card, you can also bind multiple IP addresses to that NIC. Open the Local Area Connection and, in the advanced settings of the TCP/IP properties, add the IP address 192.168.0.15 to the server.

Next we create a new Web site in IIS Manager. Select Web Sites in IIS Manager, and then select "Add Web Site" in the Actions panel on the right. The "Website name" can be set arbitrarily; here we use YTVC. The "Physical path" is the home directory of the Web site, which is set to C:\YTVC. The protocol type for the site is still HTTP, the IP address is 192.168.1.15, and the port number is 80.

After the site is created, place a Web page file named default.htm in its home directory. Clients can then enter the different IP addresses to access the corresponding Web sites.

This method is seldom used in practice: if the server uses public IPs, public IP addresses are a very valuable resource, and this approach undoubtedly wastes a large number of them.

2. Setting up multiple sites using different TCP ports

This approach lets every site keep the same IP address but assigns a different port number to each site. Here the default Web site keeps the default port 80, and the YTVC Web site changes its port to 8000. First delete the second IP that you just added in the local connection, then select the YTVC Web site in IIS Manager, click the Bindings link in the Actions panel on the right, and set the IP to 192.168.1.5 and the port to 8000.

Clients can still access the default Web site via the URL "http://192.168.1.5". To access the YTVC site, the port number cannot be omitted, and a URL of the form "http://192.168.1.5:8000" must be used. However, the client cannot reach the YTVC Web site yet, because the firewall on the Web server automatically filters out traffic destined for TCP port 8000. You can either shut down the firewall temporarily for testing or add an inbound rule to the firewall. Open the advanced settings of the firewall, create a new inbound rule, and select Port as the type of rule to create.

Specify that the rule applies to TCP port 8000.

For the action, allow connections that meet the condition.

Apply the rule to all the networks.

Optionally, give the rule a name.

After the inbound rule is created, the client can access the YTVC Web site on port 8000 normally. With this method, the client must append the corresponding port number to the URL, and users cannot be expected to remember the port number of each site, so this approach is seldom used in practice.

3. Setting up multiple sites with different host header names

The host header name is actually the URL of each site, that is, its FQDN, so to use this method you first need to add the corresponding zone and host records on the DNS server. On the DNS server, create a zone named ytvc.com.cn, and then add a host record named "www" whose IP address is 192.168.1.5. (If you do not have a DNS server, you can also resolve the domain name by modifying the client's Hosts file.) Then we set the host name www.ytvc.com.cn for the YTVC site and put its port number back to 80.

The host name of the default Web site is then set to www.coolpen.net.

Clients can now enter different URLs to access the different sites. This is the method used most often in practice and the most recommended one. With it, however, a site cannot be accessed through its IP address (many real sites can be accessed by URL but not by IP address).
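The port-based and host-header setups described above, scripted with the WebAdministration PowerShell module as an added example (not part of the original post). It assumes the default site still has its stock name "Default Web Site"; the firewall rule name and the function names are made up for illustration.

```powershell
Import-Module WebAdministration

$ip       = '192.168.1.5'       # server address used in this post
$ruleName = 'YTVC-HTTP-8000'    # hypothetical rule name

# Method 2: YTVC on TCP 8000, opened with one inbound rule
# instead of switching the firewall off.
function Set-YtvcPortBinding {
    Get-WebBinding -Name 'YTVC' | Remove-WebBinding
    New-WebBinding -Name 'YTVC' -Protocol http -IPAddress $ip -Port 8000
    netsh advfirewall firewall add rule name=$ruleName dir=in action=allow protocol=TCP localport=8000
}

# Method 3: both sites on port 80, told apart by host name.
function Set-HostHeaderBindings {
    $map = @{ 'YTVC' = 'www.ytvc.com.cn'; 'Default Web Site' = 'www.coolpen.net' }
    foreach ($site in $map.Keys) {
        Get-WebBinding -Name $site | Remove-WebBinding
        New-WebBinding -Name $site -Protocol http -IPAddress $ip -Port 80 -HostHeader $map[$site]
    }
    # Nothing listens on 8000 any more, so close the port again.
    netsh advfirewall firewall delete rule name=$ruleName
}

# Lists bindings claimed by more than one site
# (same protocol, IP address, port and host name).
function Get-BindingConflict {
    Get-Website | ForEach-Object {
        $site = $_.Name
        $_.bindings.Collection | ForEach-Object {
            New-Object PSObject -Property @{
                Site    = $site
                Binding = "$($_.protocol) $($_.bindingInformation)"
            }
        }
    } | Group-Object Binding | Where-Object { $_.Count -gt 1 }
}
```

Run `Set-YtvcPortBinding` or `Set-HostHeaderBindings` from an elevated prompt, then `Get-BindingConflict`; an empty result means every site differs in at least one of the three items.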

"Reprint" http://www.it165.net/admin/html/201304/1012.html

Configuration and management of Web servers (3) Configuring virtual directories

All the pages and related files of a Web site are stored in its home directory. To classify the files, you can create subfolders under the home directory and store files with different content separately. For example, a Web site might place its news pages in the News folder of the home directory, its technical pages in the tech folder, its product pages in the products folder, and so on. Subfolders stored directly in the home directory are called physical directories. Below we create a subdirectory named News under the home directory of the default site and place 2 Web page files in it.

On the client, entering the URL "http://www.coolpen.net/news" opens the default home page in the news subdirectory, and entering the URL "http://www.coolpen.net/news/news.htm" opens the specified page in the News subdirectory.

Not all subdirectories have to be physically located in the home directory. We can also set "C:\tech" as a subdirectory of the default site; a subdirectory that is only logically subordinate to a Web site is called a virtual directory. The virtual directory is a next-level directory of the main site and is attached to the main site, but its physical location is not in the home directory. Next we create the "C:\tech" folder and set it as a virtual directory of the default site. Open IIS Manager, right-click the default site, and select Add Virtual Directory.

Use tech as the alias of the virtual directory, then enter its physical path.

Place some test pages in the C:\tech folder; the client can then access them in the same way as a physical directory.

We can also set a shared folder on another server as a virtual directory of the Web site, which is the biggest advantage of virtual directory technology. Below we set the shared folder FS on the file server FS as a virtual directory of the default site. Note that you must use a UNC path when specifying the path of the virtual directory.

Because this virtual directory is a shared folder on the network, access must be authenticated, that is, you must specify the user identity used for access. Click "Connect as" and enter the domain administrator account and password.

This will allow the client to access it normally. Finally, summarize:

"Reprint" http://www.it165.net/admin/html/201304/1011.html

Configuration and management of the Web server (4) Configure access rights and security

1. User authentication

By default an IIS Web site allows all users to connect. If the site has security requirements and should be open only to specific users, the users must be authenticated. The main authentication methods are:

    • Anonymous authentication
    • Basic authentication
    • Digest authentication
    • Windows authentication

The system only has anonymous authentication enabled by default. Because IIS in 2008 R2 has a modular design, only a few features and components are installed by default, so to use the other authentication methods you first need to install the corresponding components. In Server Manager, select Add Role Services.

Under Security, tick the 3 authentication methods that you want to install.

The priority of these 4 authentication methods is:

Anonymous authentication > Windows authentication > Digest authentication > Basic authentication

That is, if both anonymous authentication and Basic authentication are turned on, the client uses anonymous authentication and Basic authentication has no effect! Therefore, if you want users to authenticate before they can access the site, you must first disable anonymous access and then set the authentication method. If you do not disable anonymous access, the authentication method does not take effect even if it is set.

Open Authentication in the main window of the Web site. Anonymous authentication is enabled by default; disable it by clicking the Disable command in the Actions menu on the right. After this, users must log on with a user name when they visit again.

Basic authentication

Basic authentication authenticates against the local users of the Web server and, if the Web server is a member server of a domain, it can also authenticate domain users. Enable Basic authentication in the Authentication interface so that clients have to enter a user name and password when they visit the site.

We first try to authenticate with a local user and create a new local user named Admin on the Web server. In the client test, the Admin user can successfully access the site.

Next we test again with a domain user, Zhangsan. If only the user name Zhangsan is entered, authentication fails; you must specify Zhangsan's domain, that is, use the full name of the domain user account, coolpen\Zhangsan.

We can also specify the domain in which the Web server is located. Select Basic authentication, and then click the Edit button on the right to set it.

Default domain: Specifies the domain in which the Web server is located. When a user connects to the Web site and enters the user name Zhangsan, the server first treats it as a local user for authentication. If Zhangsan is not a local user, it is automatically treated as a domain user of the coolpen.net domain, and the user name and password are sent to a domain controller of that domain for checking. The benefit of this setting is that even a domain user can enter only the user name without entering the full name.

Realm: The text here is for the user's reference and is displayed on the login screen.

It is important to note that the user name and password for Basic authentication are transmitted over the network in clear text, so its security is not high. If you want to use Basic authentication, pair it with other measures that ensure the data is sent securely, such as SSL connections.

Digest authentication

Digest authentication is a slight improvement over Basic authentication: it is more secure because MD5 is applied to the user name and password before they are transferred over the network. However, Digest authentication can only be used in a domain environment; it requires the Web server to be a member server of the domain, and the user must have a domain user account. The configuration is more complicated and it is not used much in practice, so it is not covered here.

Windows authentication

Windows authentication uses the NTLM or Kerberos protocol for authentication, but it has some limitations in use. The NTLM protocol does not pass through a proxy server, and the Kerberos protocol does not pass through the firewall, so Windows authentication is best suited to an intranet environment.

Summary: Windows authentication and Digest authentication are used very little because of the restrictions on their use; we mostly use Basic authentication! In addition, a virtual directory can be given its own authentication settings just like a main site. For most Web sites, the main site is set to allow anonymous access, and a virtual directory under it is set to require authentication.
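The authentication settings above applied to the tech virtual directory with the WebAdministration module, as an added example rather than part of the original post. It assumes the default site is named "Default Web Site" and already has an HTTPS binding with a certificate; the realm text and the helper function names are made up.

```powershell
Import-Module WebAdministration

$root = 'MACHINE/WEBROOT/APPHOST'
$loc  = 'Default Web Site/tech'     # virtual directory created in part (3)
$auth = '/system.webServer/security/authentication'

function Set-Auth($section, $name, $value) {
    Set-WebConfigurationProperty -PSPath $root -Location $loc `
        -Filter "$auth/$section" -Name $name -Value $value
}

function Get-AuthEnabled($section) {
    (Get-WebConfigurationProperty -PSPath $root -Location $loc `
        -Filter "$auth/$section" -Name enabled).Value
}

# Anonymous authentication wins over every other method, so switch it off first.
Set-Auth 'anonymousAuthentication' 'enabled' $false
Set-Auth 'basicAuthentication' 'enabled' $true
Set-Auth 'basicAuthentication' 'defaultLogonDomain' 'coolpen.net'
Set-Auth 'basicAuthentication' 'realm' 'coolpen.net tech pages'   # constructed text

# Basic sends the password in clear text: accept requests over SSL only.
Set-WebConfigurationProperty -PSPath $root -Location $loc `
    -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Returns the enabled methods and warns when anonymous access would
# silently override the others.
function Test-AuthPriority {
    $on = @('anonymousAuthentication', 'windowsAuthentication',
            'digestAuthentication', 'basicAuthentication' |
            Where-Object { Get-AuthEnabled $_ })
    if ($on -contains 'anonymousAuthentication' -and $on.Count -gt 1) {
        Write-Warning "Anonymous is still enabled at '$loc'; the other methods are never used."
    }
    $on
}

Test-AuthPriority
```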

2. IP Address Restrictions

In IIS you can also increase the security of your Web site by restricting IP addresses, but this approach is only appropriate when the Web site is provided to specific users or when specific users are to be denied access. To use the IP address restriction feature, you must first install the IP and Domain Restrictions component.

After the component is installed, reopen IIS Manager and you will find one more feature component, "IP Address and Domain Restrictions".

Open the component and click Add Allow Entry on the right to set which clients are allowed to access the site. You can allow a single specific IP address or an address segment.

It is important to note that, once an allow entry is set, the question remains whether clients other than the specified IP addresses are allowed or denied access to the site. This is set through "Edit Feature Settings" on the right.

Unspecified clients can be set to allow or deny access as needed.
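The allow entry and the setting for unspecified clients, scripted as an added example (not from the original post). The site name "Default Web Site", the 192.168.1.0/255.255.255.0 sample range and the function names are assumptions.

```powershell
Import-Module WebAdministration

$root  = 'MACHINE/WEBROOT/APPHOST'
$site  = 'Default Web Site'
$ipsec = '/system.webServer/security/ipSecurity'

# "Add Allow Entry" for an address segment.
function Add-AllowedRange($address, $mask) {
    Add-WebConfigurationProperty -PSPath $root -Location $site -Filter $ipsec -Name '.' `
        -Value @{ ipAddress = $address; subnetMask = $mask; allowed = 'true' }
}

# "Edit Feature Settings": what happens to clients that match no entry.
function Set-UnlistedAccess([bool]$Allow) {
    Set-WebConfigurationProperty -PSPath $root -Location $site `
        -Filter $ipsec -Name allowUnlisted -Value $Allow
}

# Reads the policy back and warns when the allow entries restrict nothing.
function Get-IpPolicy {
    $unlisted = (Get-WebConfigurationProperty -PSPath $root -Location $site `
        -Filter $ipsec -Name allowUnlisted).Value
    $entries = @(Get-WebConfiguration -PSPath $root -Location $site -Filter "$ipsec/add")
    $allowEntries = @($entries | Where-Object { $_.allowed })
    if ($unlisted -and $allowEntries.Count -gt 0) {
        Write-Warning 'Allow entries exist, but unspecified clients are allowed as well.'
    }
    $entries | Select-Object ipAddress, subnetMask, allowed
}

Add-AllowedRange '192.168.1.0' '255.255.255.0'   # sample range
Set-UnlistedAccess $false                        # deny everyone else
Get-IpPolicy
```

Make sure the address you administer the server from falls inside an allowed range before setting unspecified clients to deny.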

The settings for denying access are similar to this.

3. Website performance tuning

If the performance of the Web server is only average, or the site receives a large number of visits, you can limit the bandwidth and the number of concurrent connections of the site to avoid slow server responses or downtime. In the main interface of the default site, click the "Restrictions ..." link in the Actions panel on the right to open the Edit Site Restrictions dialog box, which offers the following settings:

    • Limit bandwidth usage: sets the maximum bandwidth allowed for the Web site, in bytes, and not greater than the current network bandwidth.
    • Connection timeout: the default limit is 120 seconds; a user accessing the Web site is automatically disconnected if there is no activity within 120 seconds.
    • Limit number of connections: limits the maximum number of users that are allowed to connect to the site simultaneously.

4. Configuring the log

Through the site log, administrators can see how the site is accessed, such as which users visited the site, what the visitors viewed, and when the information was last viewed. Logs can be used to assess the popularity of content or to identify information bottlenecks, and sometimes to identify unauthorized users visiting the site so that countermeasures can be taken. Click "Log" in the main site screen to set it up.
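One way to use the log for spotting unauthorized access attempts, as an added example that is not part of the original post: it parses lines in the W3C extended format that IIS writes and reports clients with repeated 401 responses. The log lines are constructed, and the function name and threshold are made up.

```powershell
# Constructed sample in W3C extended log format (not from a real server).
$log = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2013-04-01 08:00:01 GET /tech/ - 192.168.1.50 401
2013-04-01 08:00:03 GET /tech/ coolpen\Zhangsan 192.168.1.50 200
2013-04-01 08:05:10 GET /tech/ - 192.168.1.77 401
2013-04-01 08:05:11 GET /tech/ - 192.168.1.77 401
2013-04-01 08:05:12 GET /tech/ - 192.168.1.77 401
2013-04-01 08:05:13 GET /tech/ - 192.168.1.77 401
2013-04-01 08:06:00 GET /news/news.htm - 192.168.1.60 200
'@ -split "`r?`n"

function Get-FailedLogon {
    param([string[]]$Lines, [int]$Threshold = 3)

    $fields = @()
    $rows = foreach ($line in $Lines) {
        # The #Fields directive names the columns of the rows that follow.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }

        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }

    # A single 401 is the normal first step of an authenticated request,
    # so only repeated failures from one client are reported.
    $rows | Where-Object { $_.'sc-status' -eq '401' } |
        Group-Object 'c-ip' |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object Name, Count
}

Get-FailedLogon -Lines $log
```

For real data, pass the lines of a log file with `Get-Content` instead of the embedded sample.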

"Reprint" http://www.it165.net/admin/html/201304/1013.html
