Welcome to Stronghold Web Server

Welcome to Version 4.0 of Stronghold Web Server.

This guide shows you how to install Stronghold on Red Hat Linux Advanced Server (“Stronghold for Red Hat Linux Advanced Server”) and on other systems (“Stronghold Cross-platform”). This manual also provides some basic administration information; for comprehensive information on Apache and Apache directives, refer to the Apache Desktop Reference that is included in the Stronghold Web Server product box.

In the remainder of this chapter you will find an overview of the enhancements in this release as well as some useful information about this manual.


What’s New in This Release

This version of Stronghold Web Server has a variety of improvements for better security, improved ease of use, better interoperability, and increased performance.

Security Enhancements

Stronghold is Open Source
The Stronghold Web Server is now completely open source. Previously some parts of Stronghold were based on proprietary parts written inside C2Net. Since the first release of Stronghold 3.0 we have worked with the community to give back our proprietary parts. Most of the proprietary parts that were in Stronghold 3.0 are now a standard part of the various Apache, mod_ssl, and OpenSSL projects.

Stronghold is a distribution that contains various open source components. These components have different open source licenses including the LGPL, GPL, and the Apache Software License.

OpenSSL
We use the open source OpenSSL library to provide cryptography and SSL functionality. The OpenSSL Project is a collaborative, Open Source effort to develop a robust, commercial-grade, full-featured toolkit. It implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Red Hat is proud to have contributed significant resources to help found the OpenSSL project.
More secure defaults
We have gone through the packages that make up Stronghold and applied sensible configuration choices to maximize security. For example, PHP defaults to secure mode and Stronghold by default has user directories turned off.
Automatic security updates
Both versions of Stronghold 4.0 feature an automatic package delivery and installation solution, so applying security patches to your web server is as simple as entering a single command.

Registered Stronghold users have access to a dedicated Red Hat Network channel that gives notifications of new software and important security patches. It is also the portal for receiving and monitoring technical support incidents.

mod_status_xml and the Stronghold Server Status Reporting Service are companions to Red Hat Network. mod_status_xml is an Apache module that displays current server status in XML format. The Stronghold Server Status Reporting Service regularly collects that status data and maps the trends. It even allows you to register multiple servers with the service and compare the reports side-by-side.

Go to http://stronghold.ic.redhat.com to register your server for the service.

Common build, QA, and security environment
By leveraging the resources of Red Hat we put Stronghold through the same vigorous QA and testing procedures as other Red Hat products. Bug tracking and security errata procedures have been upgraded internally. All the components inside Stronghold are tracked by Red Hat for security issues; rather than having to subscribe to many security lists, you can rely on Red Hat to tell you about any issues that affect software included inside Stronghold.
Support for cryptographic hardware
Busy secure sites can benefit from hardware acceleration, and may wish to store their private keys out of the reach of the web server. Stronghold contains support for a large and increasing number of hardware cryptographic accelerators.
Compatibility with the Common Vulnerabilities and Exposures dictionary
Red Hat is pleased to work with the Mitre CVE project to standardize vulnerability names, giving you accurate information about security vulnerabilities in order for you to make informed decisions.
Improved private key and certificate request generation tools
Stronghold now has improved private key and certificate request generation tools. These tools use a text-based user interface to make the previously complex procedures quick, easy, and intuitive.

Ease-of-Use Enhancements

RPM Distribution
RPM-based software distribution supports easy installation and upgrade capabilities even on non-Red Hat Linux platforms.
Apache Desktop Reference
This release comes with a copy of Ralf Engelschall’s Apache Desktop Reference, the best Apache reference available.

Interoperability Enhancements

Web Application Development Tools Added
Integrates Perl 5.6 (Practical Extraction and Report Language) and PHP 4.1.0.

A "module" is software that enables you to extend the capabilities of Apache. mod_perl is the module that enables you to do this by writing your code in Perl, as opposed to using C. For example, you can write code that will rewrite HTTP requests, restrict access to certain pages, or perform database lookups.

PHP (Hypertext Preprocessor) is an HTML-embedded scripting language that enables you to create web pages dynamically. PHP offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is as a replacement for CGI scripts.

Java Support
Tomcat 4.0.1 and mod_webapp for JavaServer Pages 1.2 and Java Servlet 2.3 support.

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies.

XML Application Server
AxKit is an XML Application Server for Apache that is built using mod_perl. It provides on-the-fly conversion from XML to formats such as HTML, WAP, or text using either W3C standard techniques, or flexible custom code. It ends the high overhead and steep learning curves normally associated with Application Servers such as the major J2EE ones. AxKit uses a built-in Perl interpreter for XML transformation. It is a relatively new product that recently became an official Apache project.
Distributed Authoring and Versioning (DAV) support
Integration of mod_dav, the module that provides HTTP Extensions for Distributed Authoring (DAV) capabilities for Apache web servers. The DAV protocol enables users to author content directly on the web server, without requiring other tools such as ftp or CVS.
FrontPage Support on Red Hat Linux Advanced Server
Integration of FrontPage 2000 Server Extensions utilizing the Improved mod_frontpage module. Improved mod_frontpage replaces the Apache-FP patches and module supplied with the Microsoft FrontPage Server Extensions from Microsoft.

The advantages of Improved mod_frontpage include:

Hardware SSL acceleration support
Stronghold supports SSL acceleration on Cryptoswift boards or on nCipher’s nFast boards. You configure hardware SSL acceleration support by editing the httpd.conf file.
Lightweight Directory Access Protocol (LDAP) support
The mod_authz_ldap module attempts to:

Increased Performance

Increased Performance on Red Hat Linux Advanced Server
Integration of the Red Hat Content Accelerator (previously known as TUX, Threaded linUX http layer), version 2. Red Hat Content Accelerator provides a kernel-level proxy. It serves all static page requests and passes dynamic page requests to Stronghold. This minimizes overhead and CPU cycles, and maximizes performance.

Differences Between Stronghold on Red Hat Linux Advanced Server and Cross-Platform Systems

The following features are available only on Red Hat Linux Advanced Server:


About This Manual

This manual is available in electronic formats. You can find it on your CD-ROM, in the /docs directory of your installed server, and on the http://www.redhat.com/ site.

Terminology

This manual assumes some knowledge of UNIX operating systems. However, you may not be familiar with some of the terminology it employs to discuss Stronghold Web Server. For a comprehensive list of terms and definitions, see the Glossary.

Document Conventions

This manual uses the following highlighting conventions:

Commands, Filenames, and Computer Output
Commands, filenames, and computer output are represented with this font.
Variables
Variables are placeholders used in the documentation to indicate values that you need to input based on your system’s configuration. For example, wherever you see a reference to ServerRoot, substitute the actual path that you entered during the software installation.
Application
Application names, such as Netscape Navigator, are indicated with this font.
Keys
A [key] on the keyboard is shown in this style. For example, [Enter].
Text found on a GUI interface
Text on a GUI interface is shown in this style. For example: Click on the Apache manual link on the side bar.

Additionally, we use different strategies to draw your attention to certain pieces of information. In order of how critical the information is to your system, these items will be marked as a note or a caution. For example:


Note

If you have an existing Apache or Stronghold server on the same host, you must stop the old server or install Stronghold on ports that your server does not use.




Caution

Many third-party modules have not been thoroughly tested for use with Stronghold 4.0 and Apache 1.3.22.



Additional Resources

If you have an official edition of Red Hat Stronghold 4.0, remember to sign up for the benefits to which you are entitled as a Red Hat customer.

To sign up, go to http://www.redhat.com/now/. You will find your Product ID on a red and white card in your Stronghold 4.0 box.

This guide is designed to provide complete information about all aspects of the server. However, it is not a comprehensive guide to the technology used in Stronghold. If you have technical questions that are not answered here or in the Apache Desktop Reference, these additional resources may provide the information you need:

Red Hat and Stronghold Resources

Because it is important to keep track of security issues, Red Hat makes available the following resources:

Stronghold announce mailing list
The Stronghold announce mailing list contains infrequent communication from Red Hat about new releases and security issues. Subscribe from the Stronghold developers' resource center: http://stronghold.redhat.com/
Security Advisories
The Errata page contains any security fixes for Stronghold; visit: http://www.redhat.com/apps/support/errata/index.html
Apache Week
Apache Week contains breaking news of general Apache security issues as well as tracking security issues through versions; see: http://www.apacheweek.com/security/

Red Hat and Stronghold Resources

Online FAQs
See http://www.redhat.com/support/resources/howto/stronghold4.html
Bugzilla Bug Reporting System
If you encounter a bug, report it on the Bugzilla bug reporting system: http://www.redhat.com/bugzilla/
Apache HTTP Server Project:
http://www.apache.org
Apache Week:
http://www.apacheweek.com
Apache API Notes:
http://modules.apache.org/doc/API.html
Apache Modules Registry:
http://modules.apache.org

SSL, TLS, and Cryptography Resources

Transport Layer Security (TLS) Charter:
http://www.ietf.org/html.charters/tls-charter.html

Schneier, Bruce; Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed. New York: John Wiley & Sons, 1996. ISBN 0-471-12845-7.

The WWW Security FAQ:
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
OpenSSL:

Common Gateway Interface (CGI) and General Internet Programming Resources

RFC 2068: Hypertext Transfer Protocol—HTTP/1.1; http://www.cis.ohio-state.edu/htbin/rfc/rfc2068.txt

Gundavaram, Shishir; CGI Programming on the World Wide Web, Sebastopol: O’Reilly & Associates, 1996. ISBN 1-56592-168-2.

O’Reilly and Associates: http://www.oreilly.com

The Common Gateway Interface:
http://hoohoo.ncsa.uiuc.edu/cgi
CGI Security Tutorial:
http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec
Perl (Practical Extraction and Report Language):
PHP (Hypertext Preprocessor):
http://www.php.net/
Tomcat:
AxKit:
Improved mod_frontpage:
http://home.edo.uni-dortmund.de/~chripo/
mod_dav:
http://www.webdav.org/mod_dav/
mod_authz_ldap:
http://authzldap.othello.ch/
Content Accelerator (TUX):
http://www.citi.umich.edu/techreports/reports/citi-tr-00-8.pdf