Webserving on OSX

From SnOwy - Ed's Wiki Notebook

Contents 1 Tiger 2 Leopard 3 Migrating 4 Upgrading 5 Webserving Security 5.1 Securing MAMP 5.2 Securing XAMPP 5.3 Okay -- it really boils down to two important things: 6 Headless Security 6.1 View SSH Logs 7 Apache Virtual Hosts

Tiger

OSX 10.4 (Tiger) comes with Apache 1.3.

While there isn't really anything wrong with Apache 1.3 per se, it does have a few limitations. For one, many developers of modules for Apaches simply don't work with the 1.x codebase anymore. Another problem is that Apache 1.3 in OS X is tightly coupled to the system, making it difficult or impossible to upgrade and modify without some deleterious side effects.

I've come across two well integrated packages that offer Apache 2.x, these are MAMP (Mac Apache MySQL PHP) and XAMPP ([Windows | Linux | Mac] Apache MySQL PHP PERL).

As of now, XAMPP is more up to date, but I've opted to stay with MAMP as it's a bit easier to configure.

Some unsuccessful attempts have been made to tack on mod_mono and mod_python to the system-- in the former, compilation problems exist for OS X, although I'm sure it has been done in the past-- in the latter, I simply haven't given it too long (it runs fine on a lot of my peers' systems).

Leopard

(stub)

Migrating

Migrating is a breeze with MAMP-- just copy the application folder from one system to the next.

Upgrading

(stub)

Webserving Security

Both MAMP and XAMPP are not considered to be production level products. However, both of these items can be made more or less secure than any other installation of Apache and friends of the same revision by taking the same precautionary measures.

Here, I detail what was done with the MAMP installation on Tin to secure it more or less-- and also XAMPP when I have a chance to play with the software a bit.

Securing MAMP

Stub: Compile, summarize and reference the below.

• http://www.network0.org/2006/09/23/how-to-secure-mamp/
• http://www.twoknowitalls.com/wordpress/?p=72

Securing XAMPP

stub

Okay -- it really boils down to two important things:

• prevent access to /MAMP directory within httpd.conf
• add a root password to MySQL
  • reflect these changes to any mamp script that directly accesses MySQL executables with the root password.

Headless Security

A quick list of things to do for security of a headless LAN box.

• Ensure that ports are blocked by the router and the OS
• Use strong passwords
• When the use of a particular hosting service is complete (e.g. VNC), terminate that service to close its associated ports
• Do not provide redundant services, particularly those whose security are not at par (e.g. SFTP and FTP)
• Filter clients by IP address

View SSH Logs

To check the logs for SSH connections, use the command "last" in the terminal.

Apache Virtual Hosts

Virtual hosts allows many domain names to resolve to one IP address such that each domain name may point to different document roots.

Stub: Cite, Summarize below.

• http://apptools.com/phptools/virtualhost.php
• http://httpd.apache.org/docs/2.0/mod/core.html#virtualhost

Ugh-- here's an example given REAL WORLD awesome!

NameVirtualHost *:8080

<VirtualHost *:8080>
	ServerName *
	DocumentRoot /Users/eddiema/Sites/Oops
</VirtualHost>

<VirtualHost *:8080>
	ServerName tin.blogdns.com
	RewriteEngine on
	RewriteRule ^/(.*) http://eddiema.ca/$1 [L,R=301]
</VirtualHost>

<VirtualHost *:8080>
	ServerName www.eddiema.ca
	RewriteEngine on
	RewriteRule ^/(.*) http://eddiema.ca/$1 [L,R=301]
</VirtualHost>

<VirtualHost *:8080>
	ServerName eddiema.ca
	DocumentRoot /Users/eddiema/Sites/SnO2
</VirtualHost>

<VirtualHost *:8080>
	ServerName cara.blogdns.com
	DocumentRoot /Users/eddiema/Sites/Cara
</VirtualHost>

Yay, DotConfy!