Some tightening in the DNS, HTTP, and FTP sections.
The DNS and HTTP sections still need a good go-through. Clarify the introductions to these sections. Fix some acronyms along the way. To be followed by a white-space fix.
This commit is contained in:
parent
d3886bc6ed
commit
b69ebce38c
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43017
1 changed files with 100 additions and 165 deletions
|
@ -3006,58 +3006,33 @@ dhcpd_ifaces="dc0"</programlisting>
|
|||
-->
|
||||
<title>Domain Name System (<acronym>DNS</acronym>)</title>
|
||||
|
||||
<sect2>
|
||||
<title>Overview</title>
|
||||
|
||||
<indexterm><primary>BIND</primary></indexterm>
|
||||
|
||||
<para>&os; utilizes, by default, a version of BIND (Berkeley
|
||||
Internet Name Domain), which is the most common implementation
|
||||
of the <acronym>DNS</acronym> protocol.
|
||||
<acronym>DNS</acronym> is the protocol through which names are
|
||||
mapped to <acronym>IP</acronym> addresses, and vice versa.
|
||||
For example, a query for
|
||||
<hostid role="fqdn">www.FreeBSD.org</hostid> will receive a
|
||||
reply with the <acronym>IP</acronym> address of The &os;
|
||||
Project's web server, whereas, a query for
|
||||
<hostid role="fqdn">ftp.FreeBSD.org</hostid> will return the
|
||||
<acronym>IP</acronym> address of the corresponding
|
||||
<acronym>FTP</acronym> machine. Likewise, the opposite can
|
||||
happen. A query for an <acronym>IP</acronym> address can
|
||||
resolve its hostname. It is not necessary to run a name
|
||||
<para>Domain Name System (<acronym>DNS</acronym>) is the protocol through which domain names are
|
||||
mapped to <acronym>IP</acronym> addresses, and vice versa. By default, &os; installs the Berkeley
|
||||
Internet Name Domain (<acronym>BIND</acronym>), which is the most common implementation
|
||||
of the <acronym>DNS</acronym> protocol. The &os; version provides enhanced security features, a new file
|
||||
system layout, and automated &man.chroot.8;
|
||||
configuration. BIND is maintained by the
|
||||
<ulink url="https://www.isc.org/">isc.org</ulink>.
|
||||
It is not necessary to run a name
|
||||
server to perform <acronym>DNS</acronym> lookups on a
|
||||
system.</para>
|
||||
|
||||
<para>&os; currently comes with <acronym>BIND</acronym>9
|
||||
<acronym>DNS</acronym> server software by default. Our
|
||||
installation provides enhanced security features, a new file
|
||||
system layout and automated &man.chroot.8;
|
||||
configuration.</para>
|
||||
|
||||
<indexterm><primary>DNS</primary></indexterm>
|
||||
<para><acronym>DNS</acronym> is coordinated across the Internet
|
||||
through a somewhat complex system of authoritative root, Top
|
||||
Level Domain (<acronym>TLD</acronym>), and other smaller-scale
|
||||
name servers which host and cache individual domain
|
||||
information.</para>
|
||||
|
||||
<para>Currently, BIND is maintained by the
|
||||
Internet Systems Consortium
|
||||
<ulink url="https://www.isc.org/"></ulink>.</para>
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Terminology</title>
|
||||
|
||||
<para>To understand this document, some terms related to
|
||||
<acronym>DNS</acronym> must be understood.</para>
|
||||
name servers, which host and cache individual domain
|
||||
information. Table 28.4 describes some of the terms associated with <acronym>DNS</acronym>:</para>
|
||||
|
||||
<indexterm><primary>resolver</primary></indexterm>
|
||||
<indexterm><primary>reverse
|
||||
<acronym>DNS</acronym></primary></indexterm>
|
||||
<indexterm><primary>root zone</primary></indexterm>
|
||||
|
||||
<informaltable frame="none" pgwide="1">
|
||||
<table frame="none" pgwide="1">
|
||||
<title><acronym>DNS</acronym> Terminology</title>
|
||||
<tgroup cols="2">
|
||||
<colspec colwidth="1*"/>
|
||||
<colspec colwidth="3*"/>
|
||||
|
@ -3117,7 +3092,7 @@ dhcpd_ifaces="dc0"</programlisting>
|
|||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
</table>
|
||||
|
||||
<indexterm>
|
||||
<primary>zones</primary>
|
||||
|
@ -3159,7 +3134,6 @@ dhcpd_ifaces="dc0"</programlisting>
|
|||
of a hostname is much like a file system: the
|
||||
<filename class="directory">/dev</filename> directory falls
|
||||
within the root, and so on.</para>
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Reasons to Run a Name Server</title>
|
||||
|
@ -4431,56 +4405,45 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
|||
<secondary>setting up</secondary></indexterm>
|
||||
<indexterm><primary>Apache</primary></indexterm>
|
||||
|
||||
<para>&os; is used to run some of the busiest web sites in the
|
||||
world. The majority of web servers on the Internet are using
|
||||
the <application>Apache HTTP Server</application>.
|
||||
<application>Apache</application> software packages should be
|
||||
included on the &os; installation media. If
|
||||
<application>Apache</application> was not installed while
|
||||
installing &os;, then it can be installed from the
|
||||
<filename role="package">www/apache22</filename> port.</para>
|
||||
<para>The open source
|
||||
<application>Apache HTTP Server</application> is the most widely
|
||||
used web server. &os; does not install this web server by default,
|
||||
but it can be installed from the
|
||||
<filename role="package">www/apache24</filename> package or port.</para>
|
||||
|
||||
<para>Once <application>Apache</application> has been installed
|
||||
successfully, it must be configured.</para>
|
||||
|
||||
<note>
|
||||
<para>This section covers version 2.2.X of the
|
||||
<application>Apache HTTP Server</application> as that is the
|
||||
most widely used version for &os;. For more detailed
|
||||
information beyond the scope of this document about
|
||||
<application>Apache</application> 2.X, please see
|
||||
<ulink url="http://httpd.apache.org/"></ulink>.</para>
|
||||
</note>
|
||||
<para>This section summarizes how to configure and start version 2.<replaceable>x</replaceable> of the
|
||||
<application>Apache HTTP Server</application>, the
|
||||
most widely used version, on &os;. For more detailed
|
||||
information about
|
||||
<application>Apache</application> 2.X and its configuration directives, refer to
|
||||
<ulink url="http://httpd.apache.org/">httpd.apache.org</ulink>.</para>
|
||||
|
||||
<sect2>
|
||||
<title>Configuration</title>
|
||||
<title>Configuring and Starting Apache</title>
|
||||
|
||||
<indexterm><primary>Apache</primary>
|
||||
<secondary>configuration file</secondary></indexterm>
|
||||
|
||||
<para>The main <application>Apache HTTP Server</application>
|
||||
<para>In &os;, the main <application>Apache HTTP Server</application>
|
||||
configuration file is installed as
|
||||
<filename>/usr/local/etc/apache22/httpd.conf</filename> on
|
||||
&os;. This file is a typical &unix; text configuration file
|
||||
with comment lines beginning with the <literal>#</literal>
|
||||
character. A comprehensive description of all possible
|
||||
configuration options is outside the scope of this book, so
|
||||
only the most frequently modified directives will be described
|
||||
here.</para>
|
||||
<filename>/usr/local/etc/apache2<replaceable>x</replaceable>/httpd.conf</filename>.
|
||||
This ASCII text file begins
|
||||
comment lines with the <literal>#</literal>. The
|
||||
most frequently modified directives are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><literal>ServerRoot "/usr/local"</literal></term>
|
||||
|
||||
<listitem>
|
||||
<para>This specifies the default directory hierarchy for
|
||||
<para>Specifies the default directory hierarchy for
|
||||
the <application>Apache</application> installation.
|
||||
Binaries are stored in the
|
||||
<filename class="directory">bin</filename> and
|
||||
<filename class="directory">sbin</filename>
|
||||
subdirectories of the server root, and configuration
|
||||
files are stored in <filename
|
||||
class="directory">etc/apache</filename>.</para>
|
||||
class="directory">etc/apache2<replaceable>x</replaceable></filename>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -4488,8 +4451,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
|||
<term><literal>ServerAdmin you@your.address</literal></term>
|
||||
|
||||
<listitem>
|
||||
<para>The address to which problems with the server should
|
||||
be emailed. This address also appears on some
|
||||
<para>The email address to receive problems with the server. This address also appears on some
|
||||
server-generated pages, such as error documents.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -4498,21 +4460,20 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
|||
<term><literal>ServerName www.example.com</literal></term>
|
||||
|
||||
<listitem>
|
||||
<para><literal>ServerName</literal> allows an
|
||||
<para>Allows an
|
||||
administrator to set a host name which is sent back to
|
||||
clients for the server. This is useful if the host is
|
||||
different than the one that it is configured with (i.e.,
|
||||
use <hostid>www</hostid> instead of the host's real
|
||||
name).</para>
|
||||
clients for the server. For example,
|
||||
<hostid>www</hostid> can be used instead of the actual host
|
||||
name.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><literal>DocumentRoot
|
||||
"/usr/local/www/apache22/data"</literal></term>
|
||||
"/usr/local/www/apache2<replaceable>x</replaceable>/data"</literal></term>
|
||||
|
||||
<listitem>
|
||||
<para><literal>DocumentRoot</literal>: The directory
|
||||
<para>The directory
|
||||
where documents will be served from. By default, all
|
||||
requests are taken from this directory, but symbolic
|
||||
links and aliases may be used to point to other
|
||||
|
@ -4525,18 +4486,14 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
|||
<application>Apache</application> configuration file before
|
||||
making changes. When the configuration of
|
||||
<application>Apache</application>, is complete, save the
|
||||
file and verify the configuration using &man.apachectl.8;.
|
||||
To do this, issue <command>apachectl configtest</command>
|
||||
which should return <literal>Syntax OK</literal>.</para>
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Running <application>Apache</application></title>
|
||||
file and verify the configuration using apachectl(8).
|
||||
Running <command>apachectl configtest</command>
|
||||
should return <literal>Syntax OK</literal>.</para>
|
||||
|
||||
<indexterm><primary>Apache</primary>
|
||||
<secondary>starting or stopping</secondary></indexterm>
|
||||
|
||||
<para>The <filename role="package">www/apache22</filename> port
|
||||
<para>The <filename role="package">www/apache24</filename> port
|
||||
installs an &man.rc.8; script to aid in starting, stopping,
|
||||
and restarting <application>Apache</application>, which can be
|
||||
found in <filename
|
||||
|
@ -4546,13 +4503,13 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
|||
startup, add the following line to
|
||||
<filename>/etc/rc.conf</filename>:</para>
|
||||
|
||||
<programlisting>apache22_enable="YES"</programlisting>
|
||||
<programlisting>apache24_enable="YES"</programlisting>
|
||||
|
||||
<para>If <application>Apache</application> should be started
|
||||
with non-default options, the following line may be added to
|
||||
<filename>/etc/rc.conf</filename>:</para>
|
||||
<filename>/etc/rc.conf</filename> to specify the needed flags:</para>
|
||||
|
||||
<programlisting>apache22_flags=""</programlisting>
|
||||
<programlisting>apache24_flags=""</programlisting>
|
||||
|
||||
<para>The <application>Apache</application> configuration can be
|
||||
tested for errors after making subsequent
|
||||
|
@ -4561,7 +4518,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
|||
or by the &man.service.8; utility by issuing one of the
|
||||
following commands:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service apache22 configtest</userinput></screen>
|
||||
<screen>&prompt.root; <userinput>service apache24 configtest</userinput></screen>
|
||||
|
||||
<note>
|
||||
<para>It is important to note that the
|
||||
|
@ -4571,11 +4528,10 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
|||
</note>
|
||||
|
||||
<para>If <application>Apache</application> does not report
|
||||
configuration errors, the
|
||||
<application>Apache</application> <command>httpd</command>
|
||||
can be started with &man.service.8;:</para>
|
||||
configuration errors, start <command>httpd</command>
|
||||
with &man.service.8;:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service apache22 start</userinput></screen>
|
||||
<screen>&prompt.root; <userinput>service apache24 start</userinput></screen>
|
||||
|
||||
<para>The <command>httpd</command> service can be tested by
|
||||
entering <literal>http://<hostid
|
||||
|
@ -4585,7 +4541,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
|||
domain name of the machine running <command>httpd</command>,
|
||||
if it is not the local machine. The default web page that is
|
||||
displayed is
|
||||
<filename>/usr/local/www/apache22/data/index.html</filename>.</para>
|
||||
<filename>/usr/local/www/apache24/data/index.html</filename>.</para>
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
|
@ -4915,128 +4871,107 @@ DocumentRoot /www/someotherdomain.tld
|
|||
</authorgroup>
|
||||
</sect1info>
|
||||
-->
|
||||
<title>File Transfer Protocol (FTP)</title>
|
||||
<title>File Transfer Protocol (<acronym>FTP</acronym>)</title>
|
||||
|
||||
<indexterm><primary>FTP servers</primary></indexterm>
|
||||
<indexterm><primary><acronym>FTP</acronym> servers</primary></indexterm>
|
||||
|
||||
<para>The File Transfer Protocol (FTP) provides users with a
|
||||
<para>The File Transfer Protocol (<acronym>FTP</acronym>) provides users with a
|
||||
simple way to transfer files to and from an
|
||||
<acronym role="File Transfer Protocol">FTP</acronym> server.
|
||||
&os; includes <acronym
|
||||
role="File Transfer Protocol">FTP</acronym> server
|
||||
software, <application>ftpd</application>, in the base system.
|
||||
This makes setting up and administering an
|
||||
<acronym role="File Transfer Protocol">FTP</acronym> server on
|
||||
&os; very straightforward.</para>
|
||||
<acronym>FTP</acronym> server.
|
||||
&os; includes <acronym>FTP</acronym> server
|
||||
software, <application>ftpd</application>, in the base system.</para>
|
||||
|
||||
<para>&os; provides several configuration files for controlling access
|
||||
to the <acronym>FTP</acronym> server. This section summarizes
|
||||
these files. Refer to &man.ftpd.8; for more details about the
|
||||
built-in <acronym>FTP</acronym> server.</para>
|
||||
|
||||
<sect2>
|
||||
<title>Configuration</title>
|
||||
<sect2>
|
||||
<title>Configuration</title>
|
||||
|
||||
<para>The most important configuration step is deciding which
|
||||
accounts will be allowed access to the FTP server. A normal
|
||||
&os; system has a number of system accounts used for various
|
||||
daemons, but unknown users should not be allowed to log in
|
||||
with these accounts. The <filename>/etc/ftpusers</filename>
|
||||
file is a list of users disallowed any FTP access. By
|
||||
default, it includes the aforementioned system accounts, but
|
||||
it is possible to add specific users here that should not be
|
||||
allowed access to FTP.</para>
|
||||
accounts will be allowed access to the <acronym>FTP</acronym> server. A
|
||||
&os; system has a number of system accounts which
|
||||
should not be allowed <acronym>FTP</acronym> access.
|
||||
The list of users disallowed any <acronym>FTP</acronym> access
|
||||
can be found in <filename>/etc/ftpusers</filename>.
|
||||
By
|
||||
default, it includes system accounts. Additional
|
||||
users that should not be
|
||||
allowed access to <acronym>FTP</acronym> can be added.</para>
|
||||
|
||||
<para>In some cases it may be desirable to restrict the access
|
||||
of some users without preventing them completely from using
|
||||
FTP. This can be accomplished with the
|
||||
<filename>/etc/ftpchroot</filename> file. This file lists
|
||||
users and groups subject to FTP access restrictions. Refer to
|
||||
&man.ftpchroot.5; for more details.</para>
|
||||
<acronym>FTP</acronym>. This can be accomplished be creating
|
||||
<filename>/etc/ftpchroot</filename> as described in &man.ftpchroot.5;. This file lists
|
||||
users and groups subject to <acronym>FTP</acronym> access restrictions.</para>
|
||||
|
||||
<indexterm>
|
||||
<primary>FTP</primary>
|
||||
<primary><acronym>FTP</acronym></primary>
|
||||
<secondary>anonymous</secondary>
|
||||
</indexterm>
|
||||
|
||||
<para>To enable anonymous FTP access to the server, create a
|
||||
<para>To enable anonymous <acronym>FTP</acronym> access to the server, create a
|
||||
user named <username>ftp</username> on the &os; system. Users
|
||||
will then be able to log on to the FTP server with a username
|
||||
of <username>ftp</username> or <username>anonymous</username>
|
||||
and with any password (by convention an email address for the
|
||||
user should be used as the password). The FTP server will
|
||||
will then be able to log on to the <acronym>FTP</acronym> server with a username
|
||||
of <username>ftp</username> or <username>anonymous</username>. When prompted for the password,
|
||||
any input will be accepted, but by convention, an email address
|
||||
should be used as the password. The <acronym>FTP</acronym> server will
|
||||
call &man.chroot.2; when an anonymous user logs in, to
|
||||
restrict access to only the home directory of the
|
||||
<username>ftp</username> user.</para>
|
||||
|
||||
<para>There are two text files that specify welcome messages to
|
||||
be displayed to FTP clients. The contents of the file
|
||||
<para>There are two text files that can be created to specify welcome messages to
|
||||
be displayed to <acronym>FTP</acronym> clients. The contents of
|
||||
<filename>/etc/ftpwelcome</filename> will be displayed to
|
||||
users before they reach the login prompt. After a successful
|
||||
login, the contents of the file
|
||||
login, the contents of
|
||||
<filename>/etc/ftpmotd</filename> will be displayed. Note
|
||||
that the path to this file is relative to the login
|
||||
environment, so the file <filename>~ftp/etc/ftpmotd</filename>
|
||||
environment, so the contents of <filename>~ftp/etc/ftpmotd</filename>
|
||||
would be displayed for anonymous users.</para>
|
||||
|
||||
<para>Once the FTP server has been configured properly, it must
|
||||
be enabled in <filename>/etc/inetd.conf</filename>. All that
|
||||
is required here is to remove the comment symbol
|
||||
<quote>#</quote> from in front of the existing
|
||||
<application>ftpd</application> line :</para>
|
||||
|
||||
<programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting>
|
||||
|
||||
<para>As explained in <xref linkend="network-inetd-reread"/>,
|
||||
the <application>inetd</application> configuration must be
|
||||
reloaded after this configuration file is changed. Please
|
||||
refer to <xref linkend="network-inetd-settings"/> for details
|
||||
on enabling <application>inetd</application> on the
|
||||
system.</para>
|
||||
|
||||
<para>Alternatively, <application>ftpd</application> can also be
|
||||
started as a stand-alone server. In this case, it is
|
||||
sufficient to set the appropriate variable in
|
||||
<filename>/etc/rc.conf</filename>:</para>
|
||||
<para>Once the <acronym>FTP</acronym> server has been configured, set the appropriate variable in
|
||||
<filename>/etc/rc.conf</filename> to start the service during boot:</para>
|
||||
|
||||
<programlisting>ftpd_enable="YES"</programlisting>
|
||||
|
||||
<para>After setting the above variable, the stand-alone server
|
||||
will be started at the next reboot, or it can be started
|
||||
manually by executing the following command as
|
||||
<username>root</username>:</para>
|
||||
<para>To start the service now:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service ftpd start</userinput></screen>
|
||||
|
||||
<para>Log on to the FTP server by typing:</para>
|
||||
<para>Test the connection to the <acronym>FTP</acronym> server by typing:</para>
|
||||
|
||||
<screen>&prompt.user; <userinput>ftp localhost</userinput></screen>
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Maintaining</title>
|
||||
|
||||
<indexterm><primary>syslog</primary></indexterm>
|
||||
<indexterm><primary>log files</primary>
|
||||
<secondary>FTP</secondary></indexterm>
|
||||
<secondary><acronym>FTP</acronym></secondary></indexterm>
|
||||
|
||||
<para>The <application>ftpd</application> daemon uses
|
||||
&man.syslog.3; to log messages. By default, the system log
|
||||
daemon will put messages related to FTP in the
|
||||
<filename>/var/log/xferlog</filename> file. The location of
|
||||
the FTP log can be modified by changing the following line in
|
||||
daemon will write messages related to <acronym>FTP</acronym> in
|
||||
<filename>/var/log/xferlog</filename>. The location of
|
||||
the <acronym>FTP</acronym> log can be modified by changing the following line in
|
||||
<filename>/etc/syslog.conf</filename>:</para>
|
||||
|
||||
<programlisting>ftp.info /var/log/xferlog</programlisting>
|
||||
|
||||
<indexterm>
|
||||
<primary>FTP</primary>
|
||||
<primary><acronym>FTP</acronym></primary>
|
||||
<secondary>anonymous</secondary>
|
||||
</indexterm>
|
||||
|
||||
<note>
|
||||
<para>Be aware of the potential problems involved with running
|
||||
an anonymous FTP server. In particular, think twice about
|
||||
an anonymous <acronym>FTP</acronym> server. In particular, think twice about
|
||||
allowing anonymous users to upload files. It may turn out
|
||||
that the FTP site becomes a forum for the trade of unlicensed
|
||||
commercial software or worse. If anonymous FTP uploads are
|
||||
that the <acronym>FTP</acronym> site becomes a forum for the trade of unlicensed
|
||||
commercial software or worse. If anonymous <acronym>FTP</acronym> uploads are
|
||||
required, then verify the permissions so that these files can
|
||||
not be read by other anonymous users until they have been
|
||||
reviewed by an administrator.</para>
|
||||
</note>
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
||||
|
|
Loading…
Reference in a new issue