Intrusion detection in Sun Java System Web Server 7.0 update 2 - in experimental stages I have introduced an experimental untested intrusion detection feature in Web Server 7.0 update 2. It is currently an unsupported feature. Basically we can add in server.xml a file name which contains ModSecurity ruleset. Note that this is an experimental feature so please give me feedback about your experiences.

Additions to server.xml

Directive	Values	Description
SecResponseBodyAccess	On Off	Whether the server should parse response body or not. Default value is "off"

Directive	Values	Description
SecResponseBodyLimit	integer	Configures the maximum response body size that will be accepted for buffering. Anything over this limit will be rejected with status code 500 Internal Server Error. This setting will not affect the responses with MIME types that are not marked for buffering. By default this limit is configured to 512 KB. (524288)

Directive	Values	Description
SecResponseBodyMimeType	strings	Configures which MIME types are to be considered for response body buffering. The default value is text/plain text/html.

Directive	Values	Description
SecResponseBodyMimeTypesClear	-	Clears the list of MIME types considered for response body buffering, allowing to start populating the list from scratch.

Posted by meena ( Apr 11 2008, 12:49:41 PM IST ) Permalink Comments [1]

Using HTTP compression to speed up content delivery in Sun Java System Web Server 7.0 update 2

Using HTTP compression to speed up content delivery in Sun Java System Web Server 7.0 update 2

If you are looking for faster web page downloads, you can use HTTP compression feature which compresses your content to speed it up. It is especially beneficial for low bandwidth connections. This also reduces the number of bytes transferred and improves the overall server performance.

How it Works

Browsers that support compressed content send an Accept-encoding header with value gzip, deflate. Our Web Server sees the header and chooses to provide compressed content, and sends Content-encoding: gzip response header. The browser on seeing this header tries to decompress the content and renders it.

Now the question is how to enable HTTP compression feature can be configured in obj.conf. Let me explain that in detail in this blog.
READ MORE >>>>>>

[Read More] Posted by meena ( Feb 05 2008, 02:24:29 PM IST ) Permalink Comments [3]

Using builtin hardware accelerators of Niagara 1 (Sun Fire T 2000) server with SSL enabled Sun Java System Web Server 7.0 instance
In my previous blog I talked about SCF framework and Sun Java System Web Server 7.0 in general. This time I tried to make use of builtin hardware accelerators of Niagara 1 (Sun Fire T 2000) server with my SSL enabled Sun Java System Web Server 7.0 U2 instance. My blog is an attempt to show how easy it is to do so.

READ MORE DETAILS>>>

[Read More] Posted by meena ( Sep 19 2007, 01:31:20 PM IST ) Permalink Comments [0]

Configuring reverse proxy in Sun Java System Web Server 7.0 when origin server is SSL enabled

Configuring reverse proxy in Sun Java System Web Server 7.0 when origin server is SSL enabled

...

Settings in Web Server 7.0 instance

Troubleshooting

... READ MORE


[Read More] Posted by meena ( Jul 23 2007, 07:13:46 PM IST ) Permalink Comments [0]

Troubleshooting memory leaks and memory corruptions in Sun Java System Web Server 7.0

Troubleshooting memory leaks and memory corruptions in Sun Java System Web Server 7.0

In this blog I am trying to show how to use libumem and watchmalloc to find more information about memory leaks and memory corruptions in Sun Java System Web Server 7.0.
... READ MORE >>>>
[Read More] Posted by meena ( Mar 15 2007, 12:53:56 PM IST ) Permalink Comments [2]

Troubleshooting Web Server crashes : enabling core dumps

Troubleshooting Web Server crashes : enabling core dumps

I get a lot of questions regarding what to do when Web Server instance crashes as shown by error logs and you do not find the core file.

The core file will be dumped in the Web Server instance's config directory. For example, if the Web Server is installed in /opt/SUNWwbsvr directory, core file will be /opt/SUNWwbsvr/https-hostname/config/core.

If you are using SSL, core dumps will be disabled by default. You can force them on by setting the SSL_DUMP environment variable before starting Web Server:

$ SSL_DUMP=1
$ export SSL_DUMP
$ ./start

Check coreadm(1M) and ulimit(1) to see if Solaris will allow processes to dump core. Use the pstack(1M) command to obtain a stack trace. You can use the same coreadm (core file administration) command to set appropriate values.
$coreadm

  global core file pattern:
  global core file content: default
  init core file pattern: core.%p
  initcore file content: default
  global core dumps: disabled
  per-process core dumps: enabled
  global setid core dumps: disabled
  per-process setid core dumps: disabled
  global core dump logging: disabled

Note that I have set core file pattern to core.%p instead of the usual core . If a process with pid lets say 1000 dumps core, it will generate a core file with name core.1000 to avoid overriding in case the server dumps multiple core files. But this is not necessary.

If your Operating System is Linux, make sure that you set ulimit to unlimited
$ulimit -c unlimited

To get core dumps on Windows, first make drwatson as a default debugger:
C:\WINDOWS\system32>drwtsn32.exe -i

To change various settings of this drwatson,
C:\WINDOWS\system32>drwtsn32.exe
This opens a window where you can specify where to dump the core.

To set back the default debugger to MSVC, change registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug to "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\msdev.exe" -p %ld -e %ld
Set Auto to 0.
Set UserDebuggerHotKey to 0.

Posted by meena ( Mar 14 2007, 12:53:11 PM IST ) Permalink Comments [0]

Denial of Service (DoS) Prevention By Request Timeout in Sun Java System Web Server 7.0 Denial of Service (Dos) Prevention By Request Timeout in Sun Java System Web Server 7.0

Denial of Service (DoS) Prevention By Request Timeout in Sun Java System Web Server 7.0

Check out the new improvements we made in Sun Java System Web Server 7.0. In this blog I will talk about Denial Of Service (DoS) Prevention "Request Timeout" enhancements.

We have introduced two more timeouts in the server.xml's <http> element in addition to the existing <io-timeout>. They are <request-header-timeout> and <request-body-timeout>.

If you are a Web Server Administrator and you want to limit users to be sending all request headers in the first 10 minutes of the connection and request body in the next one hour, you can set these two parameters in server.xml like

...
<http> ...
    <request-header-timeout>600</request-header-timeout>
    <request-body-timeout>3600</request-body-timeout>
</http>
...

All other connections which last longer will be disconnected by the server automatically.

Posted by meena ( Mar 07 2007, 12:20:34 PM IST ) Permalink Comments [2]

Directory listing in Sun Java System Web Server 7.0 Directory listing in Sun Java System Web Server 7.0

Directory listing in Sun Java System Web Server 7.0

Been getting a lot of questions about directory listing in Sun Java System Web Server 7.0

I have setup a Sun Java System Web Sever 7.0. I am not able see directory contents. I get a popup saying "Authentication Required". Under "Content Handling"->"General"->"Directory Listing", I tried setting "Listing Type" to 'Fancy' & 'Simple'.  But that did not help (I saved and re-deployed the server instance).

Here is the solution. Check in obj.conf configuration file if "index-common" service SAF is present:
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"

Directory listing is not enabled by default. If you look at the default ACL file default.acl, (assuming you do not have any other other VS specific ACL file)
version 3.0;
acl "default";
authenticate (user, group) {
  prompt = "Sun Java System Web Server";
};
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "all";

That shows "list" right is allowed to "all" (authenticated users only). And for directory listing, you need "list" rights. That means only authenticated users can see directory lists.

You can move this "list" right to "anyone" so that even unauthenticated users can see the directory lists.
So here is what the changed ACEs should look like :

allow (read, execute, info, list) user = "anyone";
allow (write, delete) user = "all";


Two more minor tips I would like to add

1. If you want to change the width of the columns of filename, last modified time, size, description in directory listing, add "cindex-init" directive in magnus.conf. For example
Init fn="cindex-init" widths="50,5,5,20"

2. If you want to change the directory listing to "simple" style where you will only see the list of filenames, you can change "index-common" to "index-simple" as shown below
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-simple"
Posted by meena ( Feb 26 2007, 01:25:10 PM IST ) Permalink Comments [1]

Creating Authentication Databases in Sun Java System Web Server 7.0

Creating Authentication Databases in Sun Java System Web Server 7.0

I have tried out creating different authentication databases (keyfile, digestfile, LDAP, PAM) via administration CLIs in Sun Java System Web Server 7.0.
...
I created a file authentication database of type "keyfile" in config "test" and in virtual server "test".
wadm> create-file-authdb --vs=test --config=test --path=/space/mykeyfile mykeyfile
CLI201 Command 'create-file-authdb' ran successfully
Then created a file authentication database of type "digest", added "--syntax=digestfile" in the above command.
...
>>> READ MORE >>>

[Read More] Posted by meena ( Jan 20 2007, 03:42:36 PM IST ) Permalink Comments [2]

Migrating Apache After reading my blog about "Migrating JKS Keystore Entries to NSS DB in Sun Java System Web Server 7.0", somebody asked me how to migrate Apache certificates to Sun Java System Web Server 7.0. I found these nice blogs Nelson has written about Apache Migration.

• Migrating Apache Certificates to SJS Web Server 7.0
• Migrating htpasswd-style user authentication from Apache to SJS Web Server 7.0

Posted by meena ( Dec 02 2006, 01:48:19 PM IST ) Permalink Comments [0]

Disabling TRACE in Sun Java System Web Server 7.0 In Sun Java System Web Server 7.0 or Sun ONE Web Server 6.1, comment the TRACE service in obj.conf.
#Service method="TRACE" fn="service-trace"

For releases prior to Sun ONE Web Server 6.1:

<Client method="TRACE">
AuthTrans fn="set-variable"
         remove-headers="transfer-encoding"
         set-headers="content-length: -1"
         error="501"
</Client>

It is a perception that Sun Java System Web Server (Web Server) is somehow vulnerable with these methods.
These methods (except for TRACE) are NOT enabled by default in the Web Server. The fact that OPTIONS request lists these methods doesn't mean they could be exploited.

Web Server responds to the HTTP OPTIONS method by reporting the methods understood. It should be noted that indication that a method is understood, however, is no guarantee that a method is permitted or will be executed.

By default Web Server blocks all "privileged" HTTP methods behind the Access Control Lists (ACL) system. Attempts to invoke the methods will be responded to with an HTTP 401 error code (Unauthorized) requesting credentials from the User-Agent. If valid credentials are provided, or if the default ACL is disabled, Web Server will respond with an HTTP 405 error code (Method Not Allowed).

You can also set it as the first ACE in the default.acl :
deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone";
Related Links :

• http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1
• http://forum.java.sun.com/thread.jspa?threadID=5064651
• http://forum.java.sun.com/thread.jspa?threadID=5161735
• http://forum.java.sun.com/thread.jspa?threadID=5166155

Posted by meena ( Oct 30 2006, 12:55:04 PM IST ) Permalink Comments [1]

Migrating JKS Keystore Entries to NSS datbase in Sun Java System Web Server 7.0 or 6.x

Migrating JKS Keystore Entries to NSS database in Sun Java System Web Server 7.0 or 6.x

Read More >>>>
[Read More] Posted by meena ( Sep 29 2006, 11:52:17 AM IST ) Permalink Comments [3]

Solaris Cryptographic Framework and Sun Java System Web Server 7.0

Solaris Cryptographic Framework and Sun Java System Web Server 7.0

Initial steps

Read MORE >>>>>

Read my next blog Using builtin hardware accelerators of Niagara 1 (Sun Fire T 2000) server with SSL enabled Sun Java System Web Server 7.0 instance

[Read More] Posted by meena ( Sep 21 2006, 02:06:49 PM IST ) Permalink Comments [0]

Cross Site Scripting Prevention in Sun Java System Web Server 7.0

Cross Site Scripting Prevention in Sun Java System Web Server 7.0

    Check out the new improvements we made in  Sun Java System Web Server 7.0 Technology Preview 3. It can be downloaded for free from here. In this blog I will talk about Cross Site Scripting (XSS) prevention.

Obj.conf now supports a lot of features which allows you to use it a lot like a programming language, which allows us to configure in our WebServer features similar to in ModSecurity Apache Module.

The main method of preventing Cross Site Scripting (XSS) is through entity encoding, using entities such as "&lt;".  We now have a introduced a native input stage filter based on sed which can do XSS filtering.

Read More>>> [Read More] Posted by meena ( Jun 13 2006, 11:49:12 AM IST ) Permalink Comments [0]

Dynamic compression of static files in Sun Java System Web Server 7.0

Dynamic compression of static files in Sun Java System Web Server 7.0

    Check out the new cool features in Sun Java System Web Server 7.0 Technology Preview which can be downloaded for free from here.
In this blog I will talk about dynamic compression of static files.

    We have also implemented caching of compressed data for static files. We have added a new service function "compress-file" which will compress static files (if the compressed file doesn't exist) and serves it from the cache if the compressed version already exists.
Lets say if I want to create .gz files on the fly for static files, all I have to do is to modify obj.conf as shown below.
READ MORE>>>

[Read More] Posted by meena ( Jun 09 2006, 12:28:26 PM IST ) Permalink Comments [2]

New Feature WebDAV Access Control Protocol In Sun Java System Web Server 7.0

---

New Feature WebDAV Access Control Protocol In Sun Java System Web Server 7.0

The Sun Java System Web Server 7.0 Technology Preview was released today! There's a whole bunch of new stuff in 7.0, and you can use it free of charge.

WebDAV and WebDAV Access Control Protocol support in Sun Java System Web Server 7.0

Sun Java System Web Server 7.0 now

• Conforms to WebDAV protocol as defined by the RFC 2518.
• Supports the following HTTP methods GET, HEAD, OPTIONS, PUT, LOCK, UNLOCK, MKCOL, COPY, MOVE PROPPATCH, DELETE, PROPFIND.
• Conforms to WebDAV Access Control Protocol as defined by the RFC 3744.
• Also supports ACL, REPORT(DAV:acl-principal-prop-set, DAV:principal-match, DAV:expand-property), PROPFIND (DAV:acl and DAV:current-user-privilege-set property).
• Has finer access rights like dav:all, dav:read, dav:read-acl, dav:read-current-user-privilege-set, dav:write, dav:write-acl, dav:write-properties, dav:write-content, dav:bind, dav:unbind, dav:unlock.

Read More>>>>

[Read More] Posted by meena ( May 16 2006, 11:22:27 PM IST ) Permalink Comments [1]

Configuring WebDAV in Sun Java System Web Server 7.0

---

Configuring WebDAV in Sun Java System Web Server 7.0

Download Sun Java System Web Server 7.0 Technology Preview absolutely free from here.

Also check out my next blog about WebDAV Access Control Protocol(RFC 3744) support in Sun Java System Web Server 7.0.

Overview

WebDAV stands for "Web-based Distributed Authoring and Versioning". It is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers. Sun Java System Web Server 7.0 conforms to WebDAV protocol as defined by the RFC 2518 and the WebDAV Access Control Protocol specification as defined by the RFC 3744.
In this article I will describe how to configure WebDAV in Sun Java System Web Server 7.0 via Administration CLI.

Read More>>
[Read More] Posted by meena ( May 16 2006, 11:17:56 PM IST ) Permalink Comments [0]

Configuring Reverse Proxy in Sun Java System Web Server 7.0 Technology Preview

---

Configuring Reverse Proxy in Sun Java System Web Server 7.0 Technology Preview

Sun Java System Web Server 7.0 Technology Preview is now avaliable for FREE and can be downloaded from here.

Introduction

A reverse proxy is a proxy that appears to be a web server (origin server) to clients but in reality forwards the requests it receives to one or more origin servers. Because a reverse proxy presents itself as an origin server, clients do not need to be configured to use a reverse proxy. By configuring a given reverse proxy to forward requests to multiple similarly configured origin servers, a reverse proxy can operate as an application level software load balancer. In a typical deployment one or more reverse proxies will be deployed between the browsers and the origin servers.
In this article I will descirbe how to configure reverse proxy in Sun Java System Web Server 7.0 via Administration CLI.
Read More >>
[Read More] Posted by meena ( May 16 2006, 11:15:12 PM IST ) Permalink Comments [0]

Access Control In Sun Java System Web Server 7.0 - II

---

Access Control In Sun Java System Web Server 7.0 -II

After my first blog about Access Control in general, let me try to talk about some more ACL related topics.

Access Rights in Access Control Lists in Sun Java System Web Server 7.0

Access rights that can be used to set access control in ACL file in Sun Java System Web Server 7.0 are

• all
• read
• execute
• info
• write
• list
• delete
• http_<method>
• dav:read-acl
• dav:read-current-user-privilege-set

Read More >>

[Read More] Posted by meena ( May 16 2006, 11:11:46 PM IST ) Permalink Comments [0]

Access Control In Sun Java System Web Server 7.0

---

Access Control In Sun Java System Web Server 7.0

Sun Java System Web Server 7.0 Technology Preview is released and is FREE download it from here.

What Is Access Control?

Access control allows us to determine and manage

We can allow or deny access based on:

Read More >>

[Read More] Posted by meena ( May 16 2006, 11:09:44 PM IST ) Permalink Comments [1]