-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
88 lines (64 loc) · 4.45 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
#######################################################################################
# #
# A SECURE WEB-SERVER #
# #
#######################################################################################
# #
# MSc Individual Project by Stefan Peer at King's College London, 2012 #
# #
# Copyright (c) Stefan Peer, August 2012 #
# #
# Subversion Repository: svn.sws.peerweb.it #
# Github Repository: github.com/speer/sws #
# #
# Email: [email protected] #
# #
#######################################################################################
1. About the Project
2. System Requirements
3. Installation
4. Running the software
1. About the Project
The research project of this thesis comprises the design, implementation and test of a
secure web-server. We mainly focused on the implementation of the so called Privilege
Separation principles, which state that a program can be split up into several parts
with different privilege levels. By applying these principles to a web-server, we
wanted to create a system, which behaves in a solid way on attacks of malicious users.
Our server architecture contains three different types of processes, which run with
different privileges. In order to obtain maximum security, clients interact just with
unprivileged processes, that cannot harm the system. However a privileged process is
also needed for performing specific tasks. This process stays in background, isolated
from being directly accessed, and cannot therefore be easily taken over by an attacker.
The system was developed using the Python programming language and represents a fully
functional web-server, that is able to serve static and dynamic websites. A major
challenge during the project has been represented by the asynchronous Interprocess
Communication. Privilege Separation split up the program among several processes.
Realising the communication between these processes required to take into consideration
various issues related to concurrency, efficiency and functionality.
The ultimate goal of this thesis project was to understand, whether Privilege
Separation can make a web-server more secure. We compared our system, with the world's
most used web-server, Apache. The evaluation showed, that Privilege Separation
influences the security of a web-server in a positive way, however affects its
performance negatively.
2. System Requirements
- The software has been tested on Ubuntu 11.04, but should work on any Unix based
operating system, with a kernel version later than 2.5.44.
- It was developed for Python 2.7.1+, and tested using standard CPython.
- The libmagic C library has to be installed on the system, otherwise the mime-type
detection will fail.
3. Installation
3.1 Copy everything from the /code folder into a desired directory
3.2 Edit the /code/sws file and specify the location of the configuration directory
3.3 Inside the configuration directory create file named sws.conf, see example
configuration file in /example/sws.conf.
3.4 Inside the configuration directory create a folder named sites-enabled.
3.5 Create at least one virtualhost configuration file (.conf) in the sites-enabled
folder (see example in /example/vh.conf).
3.6 Set mandatory configuration directives in sws.conf configuration file and every
virtualhost configuration file. For help on directives, see project report.
Set settings such as user, group, errordocumentroot, errordocuments,
accesslog, errorlog, documentroot, etc.
4. Running the software
The software can be started using the script called sws, which can be found in the
/code folder. It supports the commands start, stop and restart.
eg. ./sws start