Some tightening in the DNS, HTTP, and FTP sections.

The DNS and HTTP sections still need a good go-through.

Clarify the introductions to these sections.

Fix some acronyms along the way.

To be followed by a white-space fix.
This commit is contained in:
Dru Lavigne 2013-10-21 22:20:54 +00:00
parent d3886bc6ed
commit b69ebce38c
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43017


@ -3006,58 +3006,33 @@ dhcpd_ifaces="dc0"</programlisting>
-->
<title>Domain Name System (<acronym>DNS</acronym>)</title>
<sect2>
<title>Overview</title>
<indexterm><primary>BIND</primary></indexterm>
<para>&os; utilizes, by default, a version of BIND (Berkeley
Internet Name Domain), which is the most common implementation
of the <acronym>DNS</acronym> protocol.
<acronym>DNS</acronym> is the protocol through which names are
mapped to <acronym>IP</acronym> addresses, and vice versa.
For example, a query for
<hostid role="fqdn">www.FreeBSD.org</hostid> will receive a
reply with the <acronym>IP</acronym> address of The &os;
Project's web server, whereas, a query for
<hostid role="fqdn">ftp.FreeBSD.org</hostid> will return the
<acronym>IP</acronym> address of the corresponding
<acronym>FTP</acronym> machine. Likewise, the opposite can
happen. A query for an <acronym>IP</acronym> address can
resolve its hostname. It is not necessary to run a name
<para>Domain Name System (<acronym>DNS</acronym>) is the protocol through which domain names are
mapped to <acronym>IP</acronym> addresses, and vice versa. By default, &os; installs the Berkeley
Internet Name Domain (<acronym>BIND</acronym>), which is the most common implementation
of the <acronym>DNS</acronym> protocol. The &os; version provides enhanced security features, a new file
system layout, and automated &man.chroot.8;
configuration. BIND is maintained by the
<ulink url="https://www.isc.org/">isc.org</ulink>.
It is not necessary to run a name
server to perform <acronym>DNS</acronym> lookups on a
system.</para>
<para>&os; currently comes with <acronym>BIND</acronym>9
<acronym>DNS</acronym> server software by default. Our
installation provides enhanced security features, a new file
system layout and automated &man.chroot.8;
configuration.</para>
<indexterm><primary>DNS</primary></indexterm>
<para><acronym>DNS</acronym> is coordinated across the Internet
through a somewhat complex system of authoritative root, Top
Level Domain (<acronym>TLD</acronym>), and other smaller-scale
name servers which host and cache individual domain
information.</para>
<para>Currently, BIND is maintained by the
Internet Systems Consortium
<ulink url="https://www.isc.org/"></ulink>.</para>
</sect2>
<sect2>
<title>Terminology</title>
<para>To understand this document, some terms related to
<acronym>DNS</acronym> must be understood.</para>
name servers, which host and cache individual domain
information. Table 28.4 describes some of the terms associated with <acronym>DNS</acronym>:</para>
<indexterm><primary>resolver</primary></indexterm>
<indexterm><primary>reverse
<acronym>DNS</acronym></primary></indexterm>
<indexterm><primary>root zone</primary></indexterm>
<informaltable frame="none" pgwide="1">
<table frame="none" pgwide="1">
<title><acronym>DNS</acronym> Terminology</title>
<tgroup cols="2">
<colspec colwidth="1*"/>
<colspec colwidth="3*"/>
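Review bot: the new sentence "Table 28.4 describes some of the terms associated with DNS" hard-codes a rendered table number into the source; since this hunk already converts the `<informaltable>` into a titled `<table>`, give it an `xml:id` and reference it with `<xref linkend="..."/>` so the number cannot go stale when chapters are renumbered. Two smaller points in the same paragraph: "BIND is maintained by the <ulink url="https://www.isc.org/">isc.org</ulink>" reads oddly ("maintained by the isc.org"); the removed text's "Internet Systems Consortium" is the organisation's name and should survive the rewrite, e.g. `maintained by the Internet Systems Consortium (<ulink url="https://www.isc.org/">ISC</ulink>)`. And the claim that the &os; version "provides enhanced security features" is carried over from the old text without saying what they are; if the chroot configuration and file-system layout are those features, the sentence should say so rather than listing them as separate items.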
@ -3117,7 +3092,7 @@ dhcpd_ifaces="dc0"</programlisting>
</row>
</tbody>
</tgroup>
</informaltable>
</table>
<indexterm>
<primary>zones</primary>
@ -3159,7 +3134,6 @@ dhcpd_ifaces="dc0"</programlisting>
of a hostname is much like a file system: the
<filename class="directory">/dev</filename> directory falls
within the root, and so on.</para>
</sect2>
<sect2>
<title>Reasons to Run a Name Server</title>
@ -4431,56 +4405,45 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<secondary>setting up</secondary></indexterm>
<indexterm><primary>Apache</primary></indexterm>
<para>&os; is used to run some of the busiest web sites in the
world. The majority of web servers on the Internet are using
the <application>Apache HTTP Server</application>.
<application>Apache</application> software packages should be
included on the &os; installation media. If
<application>Apache</application> was not installed while
installing &os;, then it can be installed from the
<filename role="package">www/apache22</filename> port.</para>
<para>The open source
<application>Apache HTTP Server</application> is the most widely
used web server. &os; does not install this web server by default,
but it can be installed from the
<filename role="package">www/apache24</filename> package or port.</para>
<para>Once <application>Apache</application> has been installed
successfully, it must be configured.</para>
<note>
<para>This section covers version 2.2.X of the
<application>Apache HTTP Server</application> as that is the
most widely used version for &os;. For more detailed
information beyond the scope of this document about
<application>Apache</application>&nbsp;2.X, please see
<ulink url="http://httpd.apache.org/"></ulink>.</para>
</note>
<para>This section summarizes how to configure and start version 2.<replaceable>x</replaceable> of the
<application>Apache HTTP Server</application>, the
most widely used version, on &os;. For more detailed
information about
<application>Apache</application>&nbsp;2.X and its configuration directives, refer to
<ulink url="http://httpd.apache.org/">httpd.apache.org</ulink>.</para>
<sect2>
<title>Configuration</title>
<title>Configuring and Starting Apache</title>
<indexterm><primary>Apache</primary>
<secondary>configuration file</secondary></indexterm>
<para>The main <application>Apache HTTP Server</application>
<para>In &os;, the main <application>Apache HTTP Server</application>
configuration file is installed as
<filename>/usr/local/etc/apache22/httpd.conf</filename> on
&os;. This file is a typical &unix; text configuration file
with comment lines beginning with the <literal>#</literal>
character. A comprehensive description of all possible
configuration options is outside the scope of this book, so
only the most frequently modified directives will be described
here.</para>
<filename>/usr/local/etc/apache2<replaceable>x</replaceable>/httpd.conf</filename>.
This ASCII text file begins
comment lines with the <literal>#</literal>. The
most frequently modified directives are:</para>
<variablelist>
<varlistentry>
<term><literal>ServerRoot "/usr/local"</literal></term>
<listitem>
<para>This specifies the default directory hierarchy for
<para>Specifies the default directory hierarchy for
the <application>Apache</application> installation.
Binaries are stored in the
<filename class="directory">bin</filename> and
<filename class="directory">sbin</filename>
subdirectories of the server root, and configuration
files are stored in <filename
class="directory">etc/apache</filename>.</para>
class="directory">etc/apache2<replaceable>x</replaceable></filename>.</para>
</listitem>
</varlistentry>
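Review bot: the rewritten sentence "This ASCII text file begins comment lines with the <literal>#</literal>." is ungrammatical and drops the point of the original; suggest "Comment lines in this text file begin with <literal>#</literal>." Also, the introduction now writes the version both as `2.<replaceable>x</replaceable>` and as the literal `2.X` two sentences later; pick one form (the `<replaceable>` one matches the `apache2<replaceable>x</replaceable>` paths used in the rest of the hunk). Finally, the text now says the server "can be installed from the www/apache24 package or port" while the old version-specific note is removed entirely; the paths in the variablelist use the `2x` placeholder, so a one-line statement that `x` stands for the installed minor version would tie the two together.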
@ -4488,8 +4451,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<term><literal>ServerAdmin you@your.address</literal></term>
<listitem>
<para>The address to which problems with the server should
be emailed. This address also appears on some
<para>The email address to receive problems with the server. This address also appears on some
server-generated pages, such as error documents.</para>
</listitem>
</varlistentry>
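Review bot: "The email address to receive problems with the server" makes the address the thing that receives problems; the original wording was clearer. Suggest "The email address to which problems with the server should be reported." so the sentence still explains why this address is shown on error documents.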
@ -4498,21 +4460,20 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<term><literal>ServerName www.example.com</literal></term>
<listitem>
<para><literal>ServerName</literal> allows an
<para>Allows an
administrator to set a host name which is sent back to
clients for the server. This is useful if the host is
different than the one that it is configured with (i.e.,
use <hostid>www</hostid> instead of the host's real
name).</para>
clients for the server. For example,
<hostid>www</hostid> can be used instead of the actual host
name.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>DocumentRoot
"/usr/local/www/apache22/data"</literal></term>
"/usr/local/www/apache2<replaceable>x</replaceable>/data"</literal></term>
<listitem>
<para><literal>DocumentRoot</literal>: The directory
<para>The directory
where documents will be served from. By default, all
requests are taken from this directory, but symbolic
links and aliases may be used to point to other
@ -4525,18 +4486,14 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<application>Apache</application> configuration file before
making changes. When the configuration of
<application>Apache</application>, is complete, save the
file and verify the configuration using &man.apachectl.8;.
To do this, issue <command>apachectl configtest</command>
which should return <literal>Syntax OK</literal>.</para>
</sect2>
<sect2>
<title>Running <application>Apache</application></title>
file and verify the configuration using apachectl(8).
Running <command>apachectl configtest</command>
should return <literal>Syntax OK</literal>.</para>
<indexterm><primary>Apache</primary>
<secondary>starting or stopping</secondary></indexterm>
<para>The <filename role="package">www/apache22</filename> port
<para>The <filename role="package">www/apache24</filename> port
installs an &man.rc.8; script to aid in starting, stopping,
and restarting <application>Apache</application>, which can be
found in <filename
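Review bot: the new line "verify the configuration using apachectl(8)." replaces the `&man.apachectl.8;` entity with plain text, so the man page is no longer linked, unlike `&man.rc.8;` and `&man.service.8;` in the surrounding context; keep the entity. A context nit while touching this paragraph: "When the configuration of <application>Apache</application>, is complete" has a stray comma before "is".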
@ -4546,13 +4503,13 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
startup, add the following line to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>apache22_enable="YES"</programlisting>
<programlisting>apache24_enable="YES"</programlisting>
<para>If <application>Apache</application> should be started
with non-default options, the following line may be added to
<filename>/etc/rc.conf</filename>:</para>
<filename>/etc/rc.conf</filename> to specify the needed flags:</para>
<programlisting>apache22_flags=""</programlisting>
<programlisting>apache24_flags=""</programlisting>
<para>The <application>Apache</application> configuration can be
tested for errors after making subsequent
@ -4561,7 +4518,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
or by the &man.service.8; utility by issuing one of the
following commands:</para>
<screen>&prompt.root; <userinput>service apache22 configtest</userinput></screen>
<screen>&prompt.root; <userinput>service apache24 configtest</userinput></screen>
<note>
<para>It is important to note that the
@ -4571,11 +4528,10 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
</note>
<para>If <application>Apache</application> does not report
configuration errors, the
<application>Apache</application>&nbsp;<command>httpd</command>
can be started with &man.service.8;:</para>
configuration errors, start <command>httpd</command>
with &man.service.8;:</para>
<screen>&prompt.root; <userinput>service apache22 start</userinput></screen>
<screen>&prompt.root; <userinput>service apache24 start</userinput></screen>
<para>The <command>httpd</command> service can be tested by
entering <literal>http://<hostid
@ -4585,7 +4541,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
domain name of the machine running <command>httpd</command>,
if it is not the local machine. The default web page that is
displayed is
<filename>/usr/local/www/apache22/data/index.html</filename>.</para>
<filename>/usr/local/www/apache24/data/index.html</filename>.</para>
</sect2>
<sect2>
@ -4915,128 +4871,107 @@ DocumentRoot /www/someotherdomain.tld
</authorgroup>
</sect1info>
-->
<title>File Transfer Protocol (FTP)</title>
<title>File Transfer Protocol (<acronym>FTP</acronym>)</title>
<indexterm><primary>FTP servers</primary></indexterm>
<indexterm><primary><acronym>FTP</acronym> servers</primary></indexterm>
<para>The File Transfer Protocol (FTP) provides users with a
<para>The File Transfer Protocol (<acronym>FTP</acronym>) provides users with a
simple way to transfer files to and from an
<acronym role="File Transfer Protocol">FTP</acronym> server.
&os; includes <acronym
role="File Transfer Protocol">FTP</acronym> server
software, <application>ftpd</application>, in the base system.
This makes setting up and administering an
<acronym role="File Transfer Protocol">FTP</acronym> server on
&os; very straightforward.</para>
<acronym>FTP</acronym> server.
&os; includes <acronym>FTP</acronym> server
software, <application>ftpd</application>, in the base system.</para>
<para>&os; provides several configuration files for controlling access
to the <acronym>FTP</acronym> server. This section summarizes
these files. Refer to &man.ftpd.8; for more details about the
built-in <acronym>FTP</acronym> server.</para>
<sect2>
<title>Configuration</title>
<sect2>
<title>Configuration</title>
<para>The most important configuration step is deciding which
accounts will be allowed access to the FTP server. A normal
&os; system has a number of system accounts used for various
daemons, but unknown users should not be allowed to log in
with these accounts. The <filename>/etc/ftpusers</filename>
file is a list of users disallowed any FTP access. By
default, it includes the aforementioned system accounts, but
it is possible to add specific users here that should not be
allowed access to FTP.</para>
accounts will be allowed access to the <acronym>FTP</acronym> server. A
&os; system has a number of system accounts which
should not be allowed <acronym>FTP</acronym> access.
The list of users disallowed any <acronym>FTP</acronym> access
can be found in <filename>/etc/ftpusers</filename>.
By
default, it includes system accounts. Additional
users that should not be
allowed access to <acronym>FTP</acronym> can be added.</para>
<para>In some cases it may be desirable to restrict the access
of some users without preventing them completely from using
FTP. This can be accomplished with the
<filename>/etc/ftpchroot</filename> file. This file lists
users and groups subject to FTP access restrictions. Refer to
&man.ftpchroot.5; for more details.</para>
<acronym>FTP</acronym>. This can be accomplished be creating
<filename>/etc/ftpchroot</filename> as described in &man.ftpchroot.5;. This file lists
users and groups subject to <acronym>FTP</acronym> access restrictions.</para>
<indexterm>
<primary>FTP</primary>
<primary><acronym>FTP</acronym></primary>
<secondary>anonymous</secondary>
</indexterm>
<para>To enable anonymous FTP access to the server, create a
<para>To enable anonymous <acronym>FTP</acronym> access to the server, create a
user named <username>ftp</username> on the &os; system. Users
will then be able to log on to the FTP server with a username
of <username>ftp</username> or <username>anonymous</username>
and with any password (by convention an email address for the
user should be used as the password). The FTP server will
will then be able to log on to the <acronym>FTP</acronym> server with a username
of <username>ftp</username> or <username>anonymous</username>. When prompted for the password,
any input will be accepted, but by convention, an email address
should be used as the password. The <acronym>FTP</acronym> server will
call &man.chroot.2; when an anonymous user logs in, to
restrict access to only the home directory of the
<username>ftp</username> user.</para>
<para>There are two text files that specify welcome messages to
be displayed to FTP clients. The contents of the file
<para>There are two text files that can be created to specify welcome messages to
be displayed to <acronym>FTP</acronym> clients. The contents of
<filename>/etc/ftpwelcome</filename> will be displayed to
users before they reach the login prompt. After a successful
login, the contents of the file
login, the contents of
<filename>/etc/ftpmotd</filename> will be displayed. Note
that the path to this file is relative to the login
environment, so the file <filename>~ftp/etc/ftpmotd</filename>
environment, so the contents of <filename>~ftp/etc/ftpmotd</filename>
would be displayed for anonymous users.</para>
<para>Once the FTP server has been configured properly, it must
be enabled in <filename>/etc/inetd.conf</filename>. All that
is required here is to remove the comment symbol
<quote>#</quote> from in front of the existing
<application>ftpd</application> line :</para>
<programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting>
<para>As explained in <xref linkend="network-inetd-reread"/>,
the <application>inetd</application> configuration must be
reloaded after this configuration file is changed. Please
refer to <xref linkend="network-inetd-settings"/> for details
on enabling <application>inetd</application> on the
system.</para>
<para>Alternatively, <application>ftpd</application> can also be
started as a stand-alone server. In this case, it is
sufficient to set the appropriate variable in
<filename>/etc/rc.conf</filename>:</para>
<para>Once the <acronym>FTP</acronym> server has been configured, set the appropriate variable in
<filename>/etc/rc.conf</filename> to start the service during boot:</para>
<programlisting>ftpd_enable="YES"</programlisting>
<para>After setting the above variable, the stand-alone server
will be started at the next reboot, or it can be started
manually by executing the following command as
<username>root</username>:</para>
<para>To start the service now:</para>
<screen>&prompt.root; <userinput>service ftpd start</userinput></screen>
<para>Log on to the FTP server by typing:</para>
<para>Test the connection to the <acronym>FTP</acronym> server by typing:</para>
<screen>&prompt.user; <userinput>ftp localhost</userinput></screen>
</sect2>
<sect2>
<title>Maintaining</title>
<indexterm><primary>syslog</primary></indexterm>
<indexterm><primary>log files</primary>
<secondary>FTP</secondary></indexterm>
<secondary><acronym>FTP</acronym></secondary></indexterm>
<para>The <application>ftpd</application> daemon uses
&man.syslog.3; to log messages. By default, the system log
daemon will put messages related to FTP in the
<filename>/var/log/xferlog</filename> file. The location of
the FTP log can be modified by changing the following line in
daemon will write messages related to <acronym>FTP</acronym> in
<filename>/var/log/xferlog</filename>. The location of
the <acronym>FTP</acronym> log can be modified by changing the following line in
<filename>/etc/syslog.conf</filename>:</para>
<programlisting>ftp.info /var/log/xferlog</programlisting>
<indexterm>
<primary>FTP</primary>
<primary><acronym>FTP</acronym></primary>
<secondary>anonymous</secondary>
</indexterm>
<note>
<para>Be aware of the potential problems involved with running
an anonymous FTP server. In particular, think twice about
an anonymous <acronym>FTP</acronym> server. In particular, think twice about
allowing anonymous users to upload files. It may turn out
that the FTP site becomes a forum for the trade of unlicensed
commercial software or worse. If anonymous FTP uploads are
that the <acronym>FTP</acronym> site becomes a forum for the trade of unlicensed
commercial software or worse. If anonymous <acronym>FTP</acronym> uploads are
required, then verify the permissions so that these files can
not be read by other anonymous users until they have been
reviewed by an administrator.</para>
</note>
</sect2>
</sect1>
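Review bot: the hunk removes the inetd-based start-up instructions, including the `ftpd -l` example line, and replaces them with `ftpd_enable="YES"` only, but the Maintaining subsection still states that ftpd logs sessions to `/var/log/xferlog`; session logging in &man.ftpd.8; depends on the `-l` flag, so either mention `ftpd_flags="-l"` alongside `ftpd_enable`, or confirm that the rc script's default flags already enable it, otherwise the logging paragraph no longer matches the documented setup. Typo in the ftpchroot paragraph: "This can be accomplished be creating" should be "by creating". The orphaned "By" at the start of a line in the ftpusers paragraph is presumably covered by the white-space fix the commit message promises.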