
Web Stack Project

For this project option, you will implement a full Web stack that is capable of hosting dynamic applications with static file acceleration. This Web stack will include the nginx, Apache Httpd, and Apache Tomcat servers running inside a QEMU-based virtual machine. A browser connected to the virtual machine from the host computer on port 9443 will be able to reach the Web stack via an encrypted (TLS) connection. Alpine Linux will be used as the operating system inside the virtual machine.


Background

Building a Web stack in a Linux environment is an extremely common task, and there is a considerable amount of documentation available online. The critical part of this project is integrating the individual servers into a single stack with nginx at the front. In this setup, nginx acts as a reverse proxy for both the Httpd and Tomcat servers.

[Figure 1: web stack diagram]

Figure 1: Diagram showing the organization of the server stack. Connections from a Web browser on the host system are directed to TCP port 9443 on the host. QEMU is configured so that port 9443 on the host is mapped to port 443 in the guest. The nginx server is listening on port 443 on the guest. In addition to serving static files directly, nginx acts as a reverse proxy for Apache Httpd and Apache Tomcat. To get all the servers running on the same VM, Apache Httpd must be run on some arbitrary port X, which is not port 443. Tomcat must run on port Y, which is neither 443 nor X.

Figure 1 depicts the design of the Web stack. The resulting system has a single QEMU virtual machine, configured to forward TCP port 9443 on the host to port 443 on the guest. Within the guest, nginx is listening on port 443 and implements Transport Layer Security (TLS) using a self-signed certificate. Static files (like HTML or image files) are served directly by nginx from a directory inside the virtual machine. Dynamic Web content written in PHP is served by Apache Httpd, but the connection to Httpd goes through nginx first (this is called reverse proxying). Similarly, dynamic Web content written in Java is served by Apache Tomcat, but the connection to Tomcat is also proxied through nginx.

This setup is extremely common, as it allows a single port on a single server to be exposed through a firewall, improving cybersecurity by reducing the number of services directly exposed to the Internet (i.e. decreasing the attack surface of the system). A firewall inside the virtual machine ensures that only TCP port 443 is made available for outside connections. All other ports should drop incoming traffic (except for an optional SSH server on TCP port 22).

The following are links to resources that may be helpful. However, some additional research will be required to implement this project.

Project Requirements

A successful implementation of this project:

  1. Has a working Alpine Linux environment running in a QEMU virtual machine.
  2. Has port 9443 on the host computer forwarded to port 443 on the virtual machine.
  3. Permits a Web browser on the host computer to connect to https://localhost:9443 and make a secure TLS (still also sometimes called SSL) connection using a self-signed certificate.
  4. Serves static files directly from nginx inside the virtual machine.
  5. Serves dynamic content, generated from PHP code, from Apache Httpd running inside the virtual machine. The connection to Httpd is reverse-proxied through nginx inside the virtual machine.
  6. Serves dynamic Java-based content from an Apache Tomcat server running inside the virtual machine. The connection to Tomcat is reverse-proxied through nginx inside the virtual machine.
  7. Has a working firewall that blocks all incoming connections to the virtual machine’s operating environment except those to TCP port 443. (Optionally, the virtual machine may permit SSH on TCP port 22.)
  8. Minimizes the server tokens displayed by nginx, Httpd, and Tomcat whenever error message pages are displayed. In particular, the operating system and software versions should not be displayed on an error page, as these pieces of data give information to potential hackers.
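A firewall that meets requirement 7, as an added example and not the course's own script: default-drop policies for IPv4 and IPv6, with only TCP 443 (and optionally TCP 22) accepting new connections. The dry-run variables IPT and IP6T, the ALLOW_SSH switch and the Alpine OpenRC "save" command are assumptions.

```sh
# Added example, not from the course page: a default-drop firewall for the
# guest that satisfies requirement 7. Run with IPT=echo IP6T=echo to dry-run
# (prints the rules instead of applying them); ALLOW_SSH=1 also opens TCP 22.
# Assumes Alpine's iptables/ip6tables packages and their OpenRC "save" command.
IPT=${IPT:-iptables}
IP6T=${IP6T:-ip6tables}

# Apply the rule set on one address family: $1 is the iptables binary,
# $2 is 4 or 6. Only TCP 443 (and optionally 22) may open new connections.
apply_rules() {
    ipt=$1; fam=$2
    "$ipt" -F INPUT
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT
    "$ipt" -A INPUT -i lo -j ACCEPT
    if [ "$fam" = 6 ]; then
        # Neighbour discovery is ICMPv6; without this IPv6 stops working.
        "$ipt" -A INPUT -p ipv6-icmp -j ACCEPT
    fi
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP
    "$ipt" -A INPUT -p tcp --dport 443 -j ACCEPT
    if [ "${ALLOW_SSH:-0}" = 1 ]; then
        "$ipt" -A INPUT -p tcp --dport 22 -j ACCEPT
    fi
}

# IPv4 and IPv6 have separate tables, so both must be configured.
apply_firewall() {
    apply_rules "$IPT" 4
    apply_rules "$IP6T" 6
}

# Only touch the running system when invoked as: sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_firewall
    # Save the rules and start both services at boot so they survive a reboot.
    /etc/init.d/iptables save && /etc/init.d/ip6tables save
    rc-update add iptables default && rc-update add ip6tables default
fi
```

After applying, `iptables -S` and `ip6tables -S` (as root) should list exactly these policies and rules, which is the output Milestone 4 asks for.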

Milestones

Milestone 1

For Milestone 1, prepare a video presentation that covers the following items:

  1. Demonstrate that Alpine Linux is installed and is running properly in a QEMU virtual machine.
  2. Show that you have the APK repository configuration set up correctly.
  3. Show that you have installed the base set of packages required for nginx, Apache Httpd, and Apache Tomcat. (Note that you might find you need more packages as the project progresses.)

Each person in the group should present for approximately equal time. Be sure to include the URLs to each person’s portfolio in your presentation.

Add the following items to your portfolio:

  1. Your current resume.
  2. A screenshot of your running virtual machine.

Milestone 2

For Milestone 2, prepare a video presentation that covers the following items:

  1. Show that you have port 9443 on your host system forwarded to port 443 on your virtual machine.
  2. Demonstrate that you have nginx running on port 443 in the virtual machine, with TLS implemented using a self-signed certificate. Show that you can connect to https://localhost:9443 on your host system and get an nginx test page (after bypassing the security warning about the self-signed certificate).
  3. Show that you have configured nginx to serve static content (like HTML pages or images) from a directory inside the virtual machine (into which you have put some static content). Demonstrate that the server correctly serves the static content by visiting it in the browser.
  4. Visit a nonexistent page on your server, and show that the error message presented by nginx doesn’t give away the operating system or nginx version.

Each person in the group should present for approximately equal time. Be sure to include the URLs to each person’s portfolio in your presentation.

Add the following items to your portfolio:

  1. An excerpt from your nginx configuration showing how you got TLS (which might still be called SSL in the configuration file) working.
  2. A brief explanation of how you created a self-signed certificate.
  3. A short statement explaining why it is better to have nginx serve static content directly, instead of having nginx proxy static content served from Httpd. (HINT: I haven’t told you why you’re doing it this way, but it should be easy to find with a little research.)

Milestone 3

For Milestone 3, prepare a video presentation that covers the following items:

  1. By demonstrating commands inside your virtual machine, show that Apache Httpd is running, and state on which port you have it running.
  2. Show the source code for a PHP script, then show that script executing on your virtual machine. The script must be executing in Apache, but the connection to Apache must be reverse-proxied through nginx. In other words, the browser must be going to an address that starts with https://localhost:9443 (and not some other port).
  3. Visit a nonexistent page in the same directory as the one you proxied to Apache Httpd. Show that the resulting error pages do not give away details about the operating system or server version.
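A check for the error-page requirement (Milestone 2 item 4 and Milestone 3 item 3 above), as an added example that is not part of the course page: a shell function that scans a raw HTTP response for version or platform strings, plus a loop that fetches a nonexistent page through each path of the stack. The URL paths, the use of curl, and the configuration file locations named in the comments are assumptions.

```sh
# Added example, not from the course page: check that error pages coming
# back through the stack do not reveal server software or OS versions
# (requirement 8; used for Milestone 2 item 4 and Milestone 3 item 3).
# Assumes curl on the host and the stack answering on https://localhost:9443
# with a self-signed certificate, hence curl -k.

# Strings that give away a version or platform, e.g. "nginx/1.24.0",
# "Apache/2.4.58 (Unix)", "Apache Tomcat/10.1.16", "PHP/8.2.12", "Alpine".
LEAK_RE='nginx/[0-9]|Apache/[0-9]|Tomcat/[0-9]|PHP/[0-9]|\(Unix\)|Alpine'

# Read a raw HTTP response (headers and body) on stdin. Prints each leaking
# line and returns 0 (true) if something leaked, 1 if the response is clean.
leaks_server_info() {
    hits=$(grep -iE "$LEAK_RE" || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | sed 's/^/LEAK: /'
    return 0
}

# Request a nonexistent page via each path of the stack (static, Httpd,
# Tomcat) and report which ones leak. -i includes the response headers.
check_error_pages() {
    for path in /no-such-page.html /php/no-such-page.php /app/no-such-app/; do
        if curl -ksi "https://localhost:9443$path" | leaks_server_info; then
            echo "FAIL $path"
        else
            echo "ok   $path"
        fi
    done
}

# Directives that remove the leaks, one per server (file locations are the
# assumed Alpine package defaults):
#   nginx  (/etc/nginx/nginx.conf):   server_tokens off;
#   Httpd  (/etc/apache2/httpd.conf): ServerTokens Prod
#                                     ServerSignature Off
#   Tomcat (conf/server.xml under the Tomcat directory, inside <Host>):
#     <Valve className="org.apache.catalina.valves.ErrorReportValve"
#            showReport="false" showServerInfo="false" />
```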

Each person in the group should present for approximately equal time. Be sure to include the URLs to each person’s portfolio in your presentation.

Add the following items to your portfolio:

  1. A screenshot of your PHP code running through Apache, proxied by nginx. Label the screenshot with your name and a caption explaining how the code is being run through the server stack.
  2. An excerpt from the Apache configuration showing how you enabled PHP support.
  3. An excerpt from the nginx configuration that you could use as a guide for reverse proxying in future projects.

Milestone 4

For Milestone 4, prepare a video presentation that covers the following items:

  1. A demonstration that your entire Web stack works by visiting https://localhost:9443 on your host system. Show that static pages, PHP pages (proxied through to Httpd), and Java Web applications (proxied through to Tomcat) work properly.
  2. Show the output of the following commands inside your VM to verify the firewall is set up properly. Both commands need to be run as the root user.

     iptables -S
     ip6tables -S

Each person in the group should present for approximately equal time. Be sure to include the URLs to each person’s portfolio in your presentation.

Add the following items to your portfolio:

  1. A brief description of your iptables and ip6tables setup, including your firewall rules.
  2. A brief description of the project and how you went about implementing it. Include some potential uses for your server stack in the description.
  3. A statement about teamwork. Think about answers to questions that you might get asked in an interview. For example, how well did you work as part of a team? How did you divide your responsibilities between team members? How did you communicate with your teammates? How did you resolve any conflicts?

Tips

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.