Saturday, August 10, 2013

Apache2 vs IIS 7 architecture (a high-level overview)

A) Apache2 runs in what Apache calls standalone mode: the server is started directly (rather than from a super-server such as inetd) and listens for client requests itself. The parent process runs as root, which it needs in order to bind the privileged port 80 and to open the log files. It does not serve requests itself; it pre-forks a pool of child processes (the prefork MPM; the worker and event MPMs use threads inside a smaller number of children), and the children inherit the listening socket and accept client connections from it.
The child processes run under the unprivileged identity set by the User and Group core directives. On Debian/Ubuntu, apache2.conf sets these to ${APACHE_RUN_USER} and ${APACHE_RUN_GROUP}, whose values (www-data by default) are defined in /etc/apache2/envvars.
For security reasons, this user should have as few privileges as possible. In particular, it should have:
     - Read-only access to the web content folder, so that a compromised child process cannot modify or plant content,
     - No access to the log folder /var/log/apache2. The root parent opens the log files before forking and the children inherit the open descriptors, so the child identity never needs rights on that directory.
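To make the two Apache rules concrete, here is an added example (my own code, not from the original post) that models the Unix permission check the kernel performs for the child identity and audits a content/log layout against both rules. The layout, the www-data identity and the paths are constructed assumptions modelled on a Debian/Ubuntu install; on a real host the same tuples would come from stat(2) output.

```python
"""Least-privilege check for an Apache content/log layout.

Added example (not from the original post). It models the permission check
the kernel performs for the unprivileged child identity (the User/Group
account, www-data on Debian/Ubuntu) and flags the two conditions the text asks
for: web content must not be writable by that identity, and the log directory
must not be accessible to it at all. The layout below is constructed by hand;
nothing here touches the real filesystem.
"""
import posixpath

# Constructed sample: path -> (st_mode, owner, group). Modelled on a Debian
# apache2 install, with two deliberate mistakes marked below.
SAMPLE_LAYOUT = {
    "/var/www/html":               (0o40755,  "root",     "root"),
    "/var/www/html/index.html":    (0o100644, "root",     "root"),
    "/var/www/html/uploads":       (0o40777,  "www-data", "www-data"),  # mistake: www-data can write here
    "/var/log/apache2":            (0o40755,  "root",     "adm"),       # mistake: Debian ships this as 0750
    "/var/log/apache2/access.log": (0o100644, "root",     "adm"),       # world-readable, reachable via the dir above
    "/var/log/apache2/error.log":  (0o100640, "root",     "adm"),       # group-only, and www-data is not in adm
}

RWX = (("r", 4), ("w", 2), ("x", 1))


def effective_perms(mode, owner, group, user, groups):
    """Permission bits the classic Unix DAC check grants `user` on one inode.

    Owner bits apply if the user owns the inode, otherwise group bits if the
    inode's group is among the user's groups, otherwise the "other" bits.
    root bypasses DAC (CAP_DAC_OVERRIDE), which is why the parent process can
    read and write everything regardless of these bits.
    """
    if user == "root":
        return {"r", "w", "x"}
    if user == owner:
        shift = 6
    elif group in groups:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return {name for name, bit in RWX if bits & bit}


def can_reach(layout, path, user, groups):
    """True if every ancestor directory present in `layout` grants search (x).

    Ancestors not listed in the layout (here /var and /var/log) are assumed to
    be world-searchable, as they are on a stock install.
    """
    parent = posixpath.dirname(path)
    while parent and parent != "/":
        entry = layout.get(parent)
        if entry is not None and "x" not in effective_perms(*entry, user, groups):
            return False
        parent = posixpath.dirname(parent)
    return True


def access_for(layout, path, user, groups):
    """What `user` can actually do with `path`, including directory traversal."""
    if not can_reach(layout, path, user, groups):
        return set()
    return effective_perms(*layout[path], user, groups)


def under(path, top):
    return path == top or path.startswith(top.rstrip("/") + "/")


def audit_layout(layout, docroot, logdir, user, groups):
    """Return human-readable findings for paths that violate the two rules."""
    findings = []
    for path in sorted(layout):
        perms = access_for(layout, path, user, groups)
        if under(path, docroot) and "w" in perms:
            findings.append(f"{path}: writable by {user}; web content should be read-only")
        elif under(path, logdir) and perms:
            findings.append(f"{path}: {user} has {''.join(sorted(perms))}; "
                            "the log directory should be inaccessible to the child identity")
    return findings


if __name__ == "__main__":
    for line in audit_layout(SAMPLE_LAYOUT, "/var/www/html", "/var/log/apache2",
                             "www-data", {"www-data"}):
        print(line)
```

Run as-is, the sample produces three findings: the writable uploads directory, the log directory itself (mode 0755 gives www-data r and x) and access.log (reachable and world-readable). Restoring the log directory to 0750 removes both log findings at once, because once www-data cannot search the directory the mode of the files inside no longer matters; that traversal step is the part a naive per-file check misses.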

B) IIS 7 has the following architecture components:

  • HTTP.sys: this is the listener module. It listens for requests on TCP port 80 by default. It runs in kernel mode, which has access to all hardware and system data, and it is the only component that binds the port; the user-mode worker processes never do.
    HTTP.sys has the following functions:
              - Security filtering of incoming requests,
              - Queuing of HTTP requests,
              - Caching of responses.
  • W3SVC (World Wide Web Publishing Service): this is the listener adapter. It runs in user mode as LocalSystem and is responsible for:
         -  Configuring HTTP.sys with information obtained from WAS,
         -  Notifying WAS when a request enters the request queue,
         -  Collecting performance counters for websites.
  • Windows Process Activation Service (WAS): manages application pool configuration and worker processes. It runs in user mode as LocalSystem.
    On startup, WAS reads the configuration from the applicationHost.config file and passes it to the listener adapter W3SVC, which configures HTTP.sys.
    Each application, or group of applications, hosted by the IIS server runs inside an application pool.
    An application pool is serviced by a process called a worker process. The worker process of one application pool is isolated from the worker processes of other pools, which gives a complete separation between applications in different application pools. Applications placed in the same pool share one process, and therefore share its identity and memory.
    For maximum isolation between the applications hosted on an IIS server, run a single application pool per website; this is what IIS Manager does by default when a site is created.
    The following figure shows a listing of four application pools in IIS Manager.

  • w3wp.exe: this is the worker process responsible for processing client requests. It runs in user mode under one of the following accounts:
     - Network Service: has minimal access on the local computer and authenticates to the network with the computer account. This is the default identity in IIS 7.0.
     - Local Service: has the same access level as Network Service on the local computer, but accesses the network only anonymously.
     - Local System: has full access to the local system. You should never run an application pool under this privilege level.
    Whichever account is chosen, IIS adds the worker process identity to the IIS_IUSRS group when the process starts, so ACLs granted to IIS_IUSRS apply to every worker process.
    The following figure shows WAS, W3SVC and w3wp.exe in the Windows Server 2008 Task Manager.
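The pool-identity and one-pool-per-site rules above can be checked offline against the configuration file WAS reads. The script below is an added example (my own code, not from the original post or from Microsoft); it parses a constructed applicationHost.config sample, resolves each pool's identity through the real schema's processModel identityType attribute and the applicationPoolDefaults fallback (NetworkService when nothing is set, the IIS 7.0 default; IIS 7.5 changed the default to ApplicationPoolIdentity), and flags pools running as LocalSystem and pools shared by several sites. The site names, paths and pool names in the sample are invented.

```python
r"""Audit of application pool identities and pool sharing in applicationHost.config.

Added example (not from the original post). It reads the file IIS 7 keeps at
%SystemRoot%\System32\inetsrv\config\applicationHost.config, resolves the
identity each application pool runs under (processModel identityType, falling
back to applicationPoolDefaults and then to the IIS 7.0 default of
NetworkService), and flags two things the text warns about: a pool running as
LocalSystem, and a pool shared by more than one site. The configuration below
is a constructed sample, not a copy of a real server's file.
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

IIS70_DEFAULT_IDENTITY = "NetworkService"   # IIS 7.5 changed this to ApplicationPoolIdentity

SAMPLE_APPLICATIONHOST_CONFIG = r"""<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="ShopPool" />
      <add name="LegacyPool">
        <processModel identityType="LocalSystem" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/" applicationPool="DefaultAppPool">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
        </application>
      </site>
      <site name="shop.example" id="2">
        <application path="/" applicationPool="ShopPool">
          <virtualDirectory path="/" physicalPath="D:\sites\shop" />
        </application>
      </site>
      <site name="intranet.example" id="3">
        <application path="/">
          <virtualDirectory path="/" physicalPath="D:\sites\intranet" />
        </application>
        <application path="/reports" applicationPool="LegacyPool">
          <virtualDirectory path="/" physicalPath="D:\sites\reports" />
        </application>
      </site>
      <applicationDefaults applicationPool="DefaultAppPool" />
    </sites>
  </system.applicationHost>
</configuration>
"""


def load(config_xml):
    return ET.fromstring(config_xml)


def pool_identities(root):
    """Map each application pool name to the account its w3wp.exe runs under."""
    pools = next(root.iter("applicationPools"))
    default = IIS70_DEFAULT_IDENTITY
    defaults = pools.find("applicationPoolDefaults/processModel")
    if defaults is not None and defaults.get("identityType"):
        default = defaults.get("identityType")
    identities = {}
    for pool in pools.findall("add"):
        model = pool.find("processModel")
        explicit = model.get("identityType") if model is not None else None
        identities[pool.get("name")] = explicit or default
    return identities


def site_pools(root):
    """Map site name -> {application path: application pool}."""
    sites = next(root.iter("sites"))
    app_defaults = sites.find("applicationDefaults")
    default_pool = (app_defaults.get("applicationPool") if app_defaults is not None
                    else "DefaultAppPool")
    mapping = {}
    for site in sites.findall("site"):
        mapping[site.get("name")] = {
            app.get("path"): app.get("applicationPool", default_pool)
            for app in site.findall("application")
        }
    return mapping


def audit(config_xml):
    """Return findings: LocalSystem pools and pools serving more than one site."""
    root = load(config_xml)
    identities = pool_identities(root)
    findings = []
    for name, identity in sorted(identities.items()):
        if identity == "LocalSystem":
            findings.append(f"pool {name}: runs as LocalSystem (full control of the host)")
    sites_per_pool = defaultdict(set)
    for site, apps in site_pools(root).items():
        for path, pool in apps.items():
            if pool not in identities:
                findings.append(f"site {site}, application {path}: unknown pool {pool}")
            sites_per_pool[pool].add(site)
    for pool, sites in sorted(sites_per_pool.items()):
        if len(sites) > 1:
            findings.append(f"pool {pool}: shared by {len(sites)} sites "
                            f"({', '.join(sorted(sites))}); a bug in one is a bug in all")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_APPLICATIONHOST_CONFIG
    for line in audit(text) or ["no findings"]:
        print(line)
```

On the sample this reports two findings: LegacyPool runs as LocalSystem, and DefaultAppPool is shared by Default Web Site and intranet.example because the intranet root application names no pool and so inherits applicationDefaults. The second case is the one that is easy to miss in IIS Manager, since each site looks like it has its own pool until you follow the defaults. Pass the path to a real applicationHost.config as the first argument to run it against a server (the file is only readable by administrators).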


It should be noted that, by default, the IUSR account is used for anonymous requests, so the rights granted to IUSR should be restricted in the same way as those of the worker process identity.
The processing flow for a client request, when no worker process is running yet, is as follows:
   1. HTTP.sys receives the client request.
               - It determines whether the request is valid. If it is not, an error code is sent back to the client.
               - If the response is in the cache, it is returned to the client directly from kernel mode.
               - If the response is not cached, HTTP.sys places the request in the correct application pool queue.
   2. If there is no worker process for that application pool, HTTP.sys notifies WAS via W3SVC to start one.
   3. WAS starts a worker process.
   4. The worker process pulls the request from the queue and processes it.
   5. The worker process sends the response to HTTP.sys.
   6. HTTP.sys sends the response to the client.