Section 8.6. Other Servers and Web Security

I'll finish the chapter with some brief notes about other servers used with or instead of Apache.

8.6.1 Web Servers

Apache has the largest market share, but it isn't the only web server available for Linux. An organization that is more comfortable with commercial software might consider an Apache derivative like Covalent or an independent product like Zeus or iPlanet.

There are also some interesting open source alternatives. tux is a new open source web and FTP server, developed by Ingo Molnar and others at Red Hat. It takes advantage of improvements in recent (2.4+) Linux kernels to provide an extremely fast server. (It set some SPECWeb99 benchmark records, running as much as three times faster than Apache or IIS on the same hardware.) tux can operate in user and kernel space, serving static and dynamic content, with optional caching. It can work in front of Apache or behind it, so you can assign tasks to the appropriate server. The front-end server serves port 80, and the back-end server serves port 8080 or another unused value. Usually, tux serves static content and passes everything else to Apache.

tux is still quite new, and little is yet known of any specific security issues. The tux manual details the checks it makes before serving a file:

TUX only serves a file if:

The URL does not contain '?'.

The URL does not start with '/'.

The URL points to a file that exists.

The file is world-readable.

The file is not a directory.

The file is not executable.

The file does not have the sticky-bit set.

The URL does not contain any forbidden substrings such as '..'.
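The checks above, written out as a small policy function and run against a constructed document root, as an added Python example. This is not TUX's own code and not from the book: it assumes the forbidden-substring list holds only the manual's one example ('..'), that "executable" means any of the owner, group or other execute bits, and that a server would follow symbolic links when checking that the file exists. The sample files, their modes and the request list are constructed for the demonstration.

```python
import os
import stat
import tempfile

# The manual gives ".." as its example of a forbidden substring; treating it as
# the whole list is an assumption of this example, not TUX's actual table.
FORBIDDEN_SUBSTRINGS = ("..",)


def tux_would_serve(docroot, url):
    """Apply the checks listed in the TUX manual to one request URL.

    Returns (True, filesystem path) when every check passes, otherwise
    (False, reason) naming the first check that failed.
    """
    if "?" in url:
        return False, "URL contains '?'"
    if url.startswith("/"):
        return False, "URL starts with '/'"
    for bad in FORBIDDEN_SUBSTRINGS:
        if bad in url:
            return False, "URL contains forbidden substring %r" % bad
    path = os.path.join(docroot, url)
    try:
        st = os.stat(path)  # follows symlinks, as a serving process would
    except OSError:
        return False, "file does not exist"
    if not (st.st_mode & stat.S_IROTH):
        return False, "file is not world-readable"
    if stat.S_ISDIR(st.st_mode):
        return False, "path is a directory"
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return False, "file is executable"
    if st.st_mode & stat.S_ISVTX:
        return False, "file has the sticky bit set"
    return True, path


def build_demo_docroot():
    """Create a throwaway document root with constructed sample files."""
    root = tempfile.mkdtemp(prefix="tux-demo-")

    def put(name, mode):
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write("<html>%s</html>\n" % name)
        try:
            os.chmod(p, mode)
        except OSError:
            # Some non-Linux kernels refuse a sticky bit on a regular file
            # for unprivileged users; fall back to a plain mode there.
            os.chmod(p, mode & 0o777)

    put("index.html", 0o644)   # ordinary static page: should be served
    put("secret.txt", 0o640)   # readable by owner and group only
    put("cgi.sh", 0o755)       # executable: a program, not content
    put("sticky.txt", 0o1644)  # regular file with the sticky bit set
    os.mkdir(os.path.join(root, "sub"))  # a directory, not a file
    return root


# Constructed request URLs, one per check plus the good case.
REQUESTS = ("index.html", "/index.html", "index.html?id=1", "../outside.txt",
            "secret.txt", "cgi.sh", "sub", "sticky.txt", "missing.html")


def run_demo():
    """Map each sample URL to the (served?, reason-or-path) decision."""
    root = build_demo_docroot()
    return {url: tux_would_serve(root, url) for url in REQUESTS}


if __name__ == "__main__":
    for url, (ok, info) in run_demo().items():
        print("%-18s %s  %s" % (url, "serve " if ok else "refuse", info))
```

Only index.html passes every check; each of the other requests is refused with the name of the first rule it trips, which is the behaviour a reviewer would want to see spelled out before trusting a static server with a shared document root.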

simplefile is a read-only HTTP and FTP server by Daniel Bernstein, the author of djbdns and qmail. It serves only static files. If your site has static pages and stringent security requirements, it may be easier to install and configure this server than to close all the doors in Apache.

aolserver, wn, and xitami are other open source contenders.

8.6.2 Application Servers

A mini-industry has sprouted up in the territory between web servers and databases. Application servers provide connection pooling and other services. Oracle touted its servers as "unbreakable" until buffer overflows and other flaws were found. Generally, anything that increases the surface area of web services also increases the complexity, security risks, and maintenance costs. It isn't clear that there is a proportional gain in performance or uptime.