
Web Stack Project

For this project option, you will implement a full Web stack that is capable of hosting dynamic applications with static file acceleration. This Web stack will include the nginx, Apache Httpd, and Apache Tomcat servers running inside a virtual machine. A browser connected to the virtual machine from the host computer on port 9443 will be able to reach the Web stack via an encrypted (TLS) connection. Alpine Linux will be used as the operating system inside the virtual machine.


Background

Building a Web stack in a Linux environment is an extremely common task, and there is a considerable amount of documentation available online. The critical part of this project is integrating the individual servers into a single stack with nginx at the front. In this setup, nginx acts as a reverse proxy for both the Httpd and Tomcat servers.


Figure 1: Diagram showing the organization of the server stack. Connections from a Web browser on the host system are directed to TCP port 9443 on the host. QEMU is configured so that port 9443 on the host is mapped to port 443 in the guest. The nginx server is listening on port 443 on the guest. In addition to serving static files directly, nginx acts as a reverse proxy for Apache Httpd and Apache Tomcat. To get all the servers running on the same VM, Apache Httpd must be run on some arbitrary port X, which is not port 443. Tomcat must run on port Y, which is neither 443 nor X.

Figure 1 depicts the design of the Web stack. The resulting system has a single virtual machine, configured to forward TCP port 9443 on the host to port 443 on the guest. Within the guest, nginx is listening on port 443 and implements Transport Layer Security (TLS) using a self-signed certificate. Static files (like HTML or image files) are served directly by nginx from a directory inside the virtual machine. Dynamic Web content written in PHP is served by Apache Httpd, but the connection to Httpd goes through nginx first (this is called reverse proxying). Similarly, dynamic Web content written in Java is served by Apache Tomcat, but the connection to Tomcat is also proxied through nginx.

This setup is extremely common, as it allows a single port on a single server to be exposed through a firewall, improving cybersecurity by reducing the number of services directly exposed to the Internet (i.e. decreasing the attack surface of the system). A firewall inside the virtual machine ensures that only TCP port 443 is made available for outside connections. All other ports should drop incoming traffic (except for an optional SSH server on TCP port 22).

The following are links to resources that may be helpful. However, some additional research will be required to implement this project.

Project Requirements

A successful implementation of this project:

  1. Has a working Alpine Linux environment running in a virtual machine.
  2. Has port 9443 on the host computer forwarded to port 443 on the virtual machine.
  3. Permits a Web browser on the host computer to connect to https://localhost:9443 and make a secure TLS (still sometimes called SSL) connection using a self-signed certificate.
  4. Serves static files directly from nginx inside the virtual machine.
  5. Serves dynamic content, generated from PHP code, from Apache Httpd running inside the virtual machine. The connection to Httpd is reverse-proxied through nginx inside the virtual machine.
  6. Serves dynamic Java-based content from an Apache Tomcat server running inside the virtual machine. The connection to Tomcat is reverse-proxied through nginx inside the virtual machine.
  7. Has a working firewall that blocks all incoming connections to the virtual machine’s operating environment except those to TCP port 443. (Optionally, the virtual machine may permit SSH on TCP port 22.)
  8. Minimizes the server tokens displayed by nginx, Httpd, and Tomcat whenever error message pages are displayed. In particular, the operating system and software versions should not be displayed on an error page, as these pieces of data give information to potential hackers.
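One way to check requirement 8 from the host, shown as an added example that is not part of the course materials: the function below reads a raw HTTP response and flags version or OS details in the `Server` and `X-Powered-By` headers and in the error-page body. The function name, the sample responses and the version number in them are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the course materials). Reads one raw HTTP
# response (headers, blank line, body) on stdin, prints each version leak,
# and returns non-zero if any was found. Typical input on the host:
#   curl -ski https://localhost:9443/no-such-page | find_token_leaks
find_token_leaks() {
    tr -d '\r' | awk '
    function leak(where, text) { print "LEAK (" where "): " text; bad = 1 }
    BEGIN { bad = 0; body = 0 }
    !body && $0 == "" { body = 1; next }       # blank line ends the headers
    !body {
        name = tolower($0); sub(/:.*/, "", name)
        if (name != "server" && name != "x-powered-by") next
        # A bare product name is fine; a version number or "(OS)" is not.
        if ($0 ~ /[0-9]+\.[0-9]+/ || $0 ~ /\(/) leak("header", $0)
        next
    }
    # Default error pages often repeat product/version in a footer line.
    match($0, /(nginx|Apache|Tomcat|PHP)\/[0-9]+\.[0-9]+[0-9.]*/) {
        leak("body", substr($0, RSTART, RLENGTH))
    }
    END { exit bad }'
}

# Constructed sample responses; the version number is made up.
LEAKY_404='HTTP/1.1 404 Not Found
Server: nginx/1.24.0
Content-Type: text/html

<html><body><h1>404 Not Found</h1><hr><center>nginx/1.24.0</center></body></html>'
QUIET_404='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html

<html><body><h1>404 Not Found</h1><hr><center>nginx</center></body></html>'

printf '%s\n' "$LEAKY_404" | find_token_leaks || echo "leaky response: rejected"
printf '%s\n' "$QUIET_404" | find_token_leaks && echo "quiet response: ok"
```

Run it against a nonexistent path in each proxied location, since nginx, Httpd and Tomcat each generate their own error pages.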

To calculate the Project Outcome grade at the end of the semester, the Web Stack Project Rubric will be used.

Milestones

Milestone 1

For Milestone 1, prepare a video presentation that covers the following items:

  1. Demonstrate that Alpine Linux is installed and is running properly in a virtual machine.
  2. Show that you have the APK repository configuration set up correctly. Be sure to show the content of your /etc/apk/repositories file.
  3. Show that you have installed the base set of packages required for nginx, Apache Httpd, and Apache Tomcat. (Note that you might find you need more packages as the project progresses.)

Each person in the group should present for approximately equal time.

Before submitting, review the Grading Rubric for Milestone 1.

Milestone 2

For Milestone 2, prepare a video presentation that covers the following items:

  1. Show how you created a self-signed SSL certificate.
  2. Show that you have port 9443 on your host system forwarded to port 443 on your virtual machine.
  3. Demonstrate that you have nginx running on port 443 in the virtual machine, with TLS implemented using a self-signed certificate. Show that you can connect to https://localhost:9443 on your host system and get an nginx test page (after bypassing the security warning about the self-signed certificate).
  4. Show the part of your nginx configuration that implements SSL.
  5. Show that you have configured nginx to serve static content (like HTML pages or images) from a directory inside the virtual machine (into which you have put some static content). Demonstrate that the server correctly serves the static content by visiting it in the browser.
  6. Visit a nonexistent page on your server, and show that the error message presented by nginx doesn’t give away the operating system or nginx version.
  7. Give a brief explanation of why it is better to have nginx serve static content directly, instead of configuring nginx to proxy static content served by Httpd. I haven’t told you why this design is better, but you should be able to find the answer with a small amount of online research.

Each person in the group should present for approximately equal time.

Before submitting, review the Grading Rubric for Milestone 2.

Milestone 3

For Milestone 3, prepare a video presentation that covers the following items:

  1. By demonstrating commands inside your virtual machine, show that Apache Httpd is running, and state on which port you have it running.
  2. Show the source code for a PHP script, then show that script executing on your virtual machine. The script must be executing in Apache, but the connection to Apache must be reverse-proxied through nginx. In other words, the browser must be going to an address that starts with https://localhost:9443 (and not some other port).
  3. Visit a nonexistent page in the same directory as the one you proxied to Apache Httpd. Show that the resulting error pages do not give away details about the operating system or server version.
  4. Explain how you got PHP working in Httpd. Show which package(s) you installed and which configuration change(s) you made.
  5. Show the portion of your nginx configuration that implements reverse proxying to Httpd.

Each person in the group should present for approximately equal time.

Before submitting, review the Grading Rubric for Milestone 3.

Milestone 4

For Milestone 4, prepare a video presentation that covers the following items:

  1. A demonstration that your entire Web stack works by visiting https://localhost:9443 on your host system. Show that static pages, PHP pages (proxied through to Httpd), and Java Web applications (proxied through to Tomcat) work properly.
  2. Show the output of the following commands inside your VM to verify the firewall is set up properly. Both commands need to be run as the root user.

         iptables -S
         ip6tables -S

  3. Show your Apache Tomcat configuration and your nginx configuration for reverse proxying to Apache Tomcat.
  4. Reflect on the project. What did you learn about the technologies you used? What did you learn about teamwork?
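To read the `iptables -S` output against the firewall requirement, here is an added example (not part of the course materials) that audits the INPUT chain: it expects a default-deny stance and reports any ACCEPT rule other than TCP 443 or the optional TCP 22. It assumes loopback and established-connection rules are acceptable, because nginx reaches Httpd and Tomcat over loopback; the function name, the sample rulesets and port 8080 are constructed.

```shell
#!/bin/sh
# Added example (not part of the course materials). Reads `iptables -S` or
# `ip6tables -S` output on stdin, prints one finding per line, and returns
# non-zero if the INPUT chain allows more than the project permits.
audit_input_chain() {
    awk '
    function finding(msg) { print "FINDING: " msg; bad = 1 }
    BEGIN { bad = 0; policy = "unset" }

    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }        # only the INPUT chain matters

    $0 == "-A INPUT -j DROP" { catchall = 1; next }
    $NF != "ACCEPT" { next }                    # DROP/REJECT/LOG open nothing

    # Assumption: loopback stays open so nginx can reach Httpd and Tomcat.
    / -i lo / { next }
    # Assumption: replies to connections the VM itself started are allowed.
    / --(ct)?state (RELATED,ESTABLISHED|ESTABLISHED) / { next }

    / -p tcp / && / --dport 443 / { https = 1; next }
    / -p tcp / && / --dport 22 /  { next }      # optional SSH

    { finding("unexpected ACCEPT rule: " $0) }

    END {
        if (policy != "DROP" && !catchall)
            finding("INPUT policy is " policy " and no catch-all DROP exists")
        if (!https)
            finding("no rule accepts tcp/443, so nginx is unreachable")
        exit bad
    }'
}

# Constructed sample rulesets (not captured from a real VM).
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
LEAKY_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'

printf '%s\n' "$GOOD_RULES"  | audit_input_chain && echo "good ruleset: ok"
printf '%s\n' "$LEAKY_RULES" | audit_input_chain || echo "leaky ruleset: rejected"
```

Inside the VM, pipe the real output in as root, once per command: `iptables -S | audit_input_chain` and `ip6tables -S | audit_input_chain`.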

Each person in the group should present for approximately equal time.

Before submitting, review the Grading Rubric for Milestone 4.

Tips

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.