Wednesday Nov 05, 2008
If you need to see the incoming request Host header logged in the web server 6.1SPx logs, then you can try below:
add last one below in magnus.conf, i.e. %Req->headers.host%
Init fn="flex-init" access="$accesslog" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \"%Req->reqpb.clf-request%\" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length% %vsid% %Req->headers.host% "
then it will log the host header of the incoming request, e.g.
apple:/export/home/iws6.1sp10> telnet localhost 60103
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /banner.html HTTP/1.1
Host: dummytest (note this)
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 05 Nov 2008 10:45:37 GMT
Content-length: 1827
Content-type: text/html
Last-modified: Mon, 29 Sep 2008 08:37:07 GMT
Etag: "723-48e093b3"
Accept-ranges: bytes
...........
The log will show,
127.0.0.1 - - [05/Nov/2008:18:45:37 +0800] "GET /banner.html HTTP/1.1" 200 1827 https-sess dummytest
You can see the Host: dummytest in the last column above.
See more at
http://docs.sun.com/app/docs/doc/820-1639/6nda10e4a?l=ja&a=view
e.g. add Req->headers.cookie.cookie_name for
Easy Cookie Logging
Wednesday Aug 13, 2008
In 6.1 or 7.0 web server,
1. if this is a standalone installation,
then you can run
apple:/export/home/iws6.1sp9> find . -name webservd
./bin/https/bin/webservd
^C
apple:/export/home/iws6.1sp9> ./bin/https/bin/webservd -v
Sun Microsystems, Inc.
Sun ONE Web Server 6.1SP9 B01/11/2008 14:24
Or, you can always run,
apple:/export/home/iws6.1sp9/https-apple.asia.sun.com> ./start -version
Sun Microsystems, Inc.
Sun ONE Web Server 6.1SP9 B01/11/2008 14:24
apple:/export/home/iws7.0u3/https-apple.asia.sun.com/bin> ./startserv --version
Sun Microsystems, Inc.
Sun Java System Web Server 7.0U3 B06/16/2008 12:00
2. if this is a JES installation, then you can run
apple:/export/home/opt/SUNWwbsvr-JES3> https-apple.asia.sun.com/start -version
Sun Microsystems, Inc.
Sun ONE Web Server 6.1SP9 B01/11/2008 14:24
You will get following error if you run #1 above in a JES installation,
apple:/export/home/opt/SUNWwbsvr-JES3> find . -name webservd
./bin/https/bin/webservd
^C
apple:/export/home/opt/SUNWwbsvr-JES3> ./bin/https/bin/webservd -v
ld.so.1: webservd: fatal: libldap50.so: open failed: No such file or directory
Killed
3. Summary:
In 6.1, "start -version" will print out web server version.
In 7.0, "startserv --version" will print out web server version.
Thursday Jun 12, 2008
It is a good security practice to mask the web server name.
In Sun Java Web server 6.1 SPx, you can simply add
ServerString none
into magnus.conf file, then restart.
Before the change ,
apple:/export/home/iws6.1sp9> telnet localhost 61901
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: apple
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 12 Jun 2008 01:33:50 GMT
Content-length: 447
Content-type: text/html
Last-modified: Thu, 27 Mar 2008 00:22:13 GMT
Etag: "1bf-47eae8b5"
Accept-ranges: bytes
Then after the change,
apple:/export/home/iws6.1sp9/https-apple.asia.sun.com/config> telnet localhost 61901
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: apple
HTTP/1.1 200 OK
Date: Thu, 12 Jun 2008 01:37:25 GMT
Content-length: 447
Content-type: text/html
Last-modified: Thu, 27 Mar 2008 00:22:13 GMT
Etag: "1bf-47eae8b5"
Accept-ranges: bytes
(Note: no more Server: Sun-ONE-Web-Server/6.1 in above headers from server.)
-------------------------------------------------------------------------------------------------------------------------------------------------------
For 7.0 Ux, you can do it in Admin GUI - Configurations - General - Advanced -HTTP Settings - Server Header:
e.g. Server Header: none
then you will see it inside server.xml,
cat server.xml,
..........
<user>webservd</user>
<http>
<server-header>none</server-header>
</http>
<snmp>
..........
then a restart will do it.
E.g. before the above change in 7.0 Ux,
apple:/export/home/iws7.0u2/https-migrate-sp2> telnet localhost 7028
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: apple
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 12 Jun 2008 01:42:55 GMT
Content-type: text/html
Last-modified: Thu, 13 Jan 2005 02:34:52 GMT
Content-length: 447
Etag: W/"1bf-41e5de4c"
after the change,
apple:/export/home/iws7.0u2/https-apple.asia.sun.com/config> telnet localhost 7023
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: apple
HTTP/1.1 200 OK
Server: none
Date: Thu, 12 Jun 2008 02:29:41 GMT
Content-type: text/html
Last-modified: Wed, 28 May 2008 06:31:58 GMT
Content-length: 447
Etag: "1bf-483cfc5e"
Accept-ranges: bytes
Hope this above can help you mask out the default web server name banner.
Friday May 23, 2008
I tried the latest web 6.1 SP9 International Release.
You can download it at
Sun Download link
The installation is the same easy.
It will ask one more question about Default Language.
See ScreenDump118.gif below for the choice of default language.
I tried Traditional Chinese because I am in Hong Kong.
Then, everything works the same well in the installation and later startup.
The good results are now localized default pages and error responses, e.g.
See ScreenDump111.gif below for the default home page after install
See ScreenDump112.gif below for the localized Chinese NOT FOUND error responses after install
I opened the config files and found this below in magnus.conf
DefaultLanguage zh_tw
So, I experimented and tried to change it to
#DefaultLanguage zh_tw
DefaultLanguage ja
then I restarted the web server and hit a page which does not exist.
It will show me Japanese Not Found error responses.
See ScreenDump119.gif below for the JA responses.
Hope this will add more local languages you need in your site.
Walter
Wednesday May 21, 2008
If you want to block certain file types , e.g. some .ini or .conf files, from outside access in Sun Java System Web Server 6.1 SP9, then you can add <Client> tag into obj.conf, e.g.
.....
NameTrans fn="document-root" root="$docroot"
<Client uri="*.(ini|conf)">
PathCheck fn=deny-existence bong-file="<web install root>/docs/bongfile.html"
</Client>
PathCheck fn="unix-uri-clean"
....
and the bongfile is :
shell> cat bongfile.html
You cannot view this type of files here !!!
If you do not specify the "bong-file=" above, then the users will get the standard "Not Found" error in their browser.
e.g.
<Client uri="*.(ini|conf)">
PathCheck fn=deny-existence
</Client>
then restart the web server and test, e.g.
http://<hostname.domain>/test.conf
or
http://<hostname.domain>/test.ini
will result in the response as set in bongfile.html to prevent users accessing these types of ini/conf files.
Errors logs:
[21/May/2008:14:38:03] security (10791): for host xx.xx.xx.xx trying to GET /test.conf, deny-existence reports: HTTP4129: denying existence of <web root>/docs/test.conf
[21/May/2008:14:41:12] security (10791): for host xx.xx.xx.xx trying to GET /test.ini, deny-existence reports: HTTP4129: denying existence of <web root>/docs/test.ini
This can add security to file types you do not want outside users accidentally access.
