Date: Mon, 21 Oct 2013 22:20:54 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43017 - head/en_US.ISO8859-1/books/handbook/network-servers Message-ID: <201310212220.r9LMKsln096922@svn.freebsd.org>
Author: dru Date: Mon Oct 21 22:20:54 2013 New Revision: 43017 URL: http://svnweb.freebsd.org/changeset/doc/43017 Log: Some tightening in the DNS, HTTP, and FTP sections. The DNS and HTTP sections still need a good go-through. Clarify the introductions to these sections. Fix some acronyms along the way. To be followed by a white-space fix. Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Mon Oct 21 17:46:02 2013 (r43016) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Mon Oct 21 22:20:54 2013 (r43017) 
@@ -3006,58 +3006,33 @@ dhcpd_ifaces="dc0"</programlisting> --> <title>Domain Name System (<acronym>DNS</acronym>)</title> - <sect2> - <title>Overview</title> - <indexterm><primary>BIND</primary></indexterm> - <para>&os; utilizes, by default, a version of BIND (Berkeley - Internet Name Domain), which is the most common implementation - of the <acronym>DNS</acronym> protocol. - <acronym>DNS</acronym> is the protocol through which names are - mapped to <acronym>IP</acronym> addresses, and vice versa. - For example, a query for - <hostid role="fqdn">www.FreeBSD.org</hostid> will receive a - reply with the <acronym>IP</acronym> address of The &os; - Project's web server, whereas, a query for - <hostid role="fqdn">ftp.FreeBSD.org</hostid> will return the - <acronym>IP</acronym> address of the corresponding - <acronym>FTP</acronym> machine. Likewise, the opposite can - happen. A query for an <acronym>IP</acronym> address can - resolve its hostname. It is not necessary to run a name + <para>Domain Name System (<acronym>DNS</acronym>) is the protocol through which domain names are + mapped to <acronym>IP</acronym> addresses, and vice versa. By default, &os; installs the Berkeley + Internet Name Domain (<acronym>BIND</acronym>), which is the most common implementation + of the <acronym>DNS</acronym> protocol. The &os; version provides enhanced security features, a new file + system layout, and automated &man.chroot.8; + configuration. BIND is maintained by the + <ulink url="https://www.isc.org/">isc.org</ulink>. + It is not necessary to run a name server to perform <acronym>DNS</acronym> lookups on a system.</para> - <para>&os; currently comes with <acronym>BIND</acronym>9 - <acronym>DNS</acronym> server software by default. 
Our - installation provides enhanced security features, a new file - system layout and automated &man.chroot.8; - configuration.</para> - <indexterm><primary>DNS</primary></indexterm> <para><acronym>DNS</acronym> is coordinated across the Internet through a somewhat complex system of authoritative root, Top Level Domain (<acronym>TLD</acronym>), and other smaller-scale - name servers which host and cache individual domain - information.</para> - - <para>Currently, BIND is maintained by the - Internet Systems Consortium - <ulink url="https://www.isc.org/"></ulink>.</para> - </sect2> - - <sect2> - <title>Terminology</title> - - <para>To understand this document, some terms related to - <acronym>DNS</acronym> must be understood.</para> + name servers, which host and cache individual domain + information. Table 28.4 describes some of the terms associated with <acronym>DNS</acronym>:</para> <indexterm><primary>resolver</primary></indexterm> <indexterm><primary>reverse <acronym>DNS</acronym></primary></indexterm> <indexterm><primary>root zone</primary></indexterm> - <informaltable frame="none" pgwide="1"> + <table frame="none" pgwide="1"> + <title><acronym>DNS</acronym> Terminology</title> <tgroup cols="2"> <colspec colwidth="1*"/> <colspec colwidth="3*"/> @@ -3117,7 +3092,7 @@ dhcpd_ifaces="dc0"</programlisting> </row> </tbody> </tgroup> - </informaltable> + </table> <indexterm> <primary>zones</primary> @@ -3159,7 +3134,6 @@ dhcpd_ifaces="dc0"</programlisting> of a hostname is much like a file system: the <filename class="directory">/dev</filename> directory falls within the root, and so on.</para> - </sect2> <sect2> <title>Reasons to Run a Name Server</title> 
@@ -4431,56 +4405,45 @@ $include Kexample.com.+005+nnnnn.ZSK.key <secondary>setting up</secondary></indexterm> <indexterm><primary>Apache</primary></indexterm> - <para>&os; is used to run some of the busiest web sites in the - world. The majority of web servers on the Internet are using - the <application>Apache HTTP Server</application>. - <application>Apache</application> software packages should be - included on the &os; installation media. If - <application>Apache</application> was not installed while - installing &os;, then it can be installed from the - <filename role="package">www/apache22</filename> port.</para> - - <para>Once <application>Apache</application> has been installed - successfully, it must be configured.</para> - - <note> - <para>This section covers version 2.2.X of the - <application>Apache HTTP Server</application> as that is the - most widely used version for &os;. For more detailed - information beyond the scope of this document about - <application>Apache</application> 2.X, please see - <ulink url="http://httpd.apache.org/"></ulink>.</para> - </note> + <para>The open source + <application>Apache HTTP Server</application> is the most widely + used web server. &os; does not install this web server by default, + but it can be installed from the + <filename role="package">www/apache24</filename> package or port.</para> + + <para>This section summarizes how to configure and start version 2.<replaceable>x</replaceable> of the + <application>Apache HTTP Server</application>, the + most widely used version, on &os;. 
For more detailed + information about + <application>Apache</application> 2.X and its configuration directives, refer to + <ulink url="http://httpd.apache.org/">httpd.apache.org</ulink>.</para> <sect2> - <title>Configuration</title> + <title>Configuring and Starting Apache</title> <indexterm><primary>Apache</primary> <secondary>configuration file</secondary></indexterm> - <para>The main <application>Apache HTTP Server</application> + <para>In &os;, the main <application>Apache HTTP Server</application> configuration file is installed as - <filename>/usr/local/etc/apache22/httpd.conf</filename> on - &os;. This file is a typical &unix; text configuration file - with comment lines beginning with the <literal>#</literal> - character. A comprehensive description of all possible - configuration options is outside the scope of this book, so - only the most frequently modified directives will be described - here.</para> + <filename>/usr/local/etc/apache2<replaceable>x</replaceable>/httpd.conf</filename>. + This ASCII text file begins + comment lines with the <literal>#</literal>. The + most frequently modified directives are:</para> <variablelist> <varlistentry> <term><literal>ServerRoot "/usr/local"</literal></term> <listitem> - <para>This specifies the default directory hierarchy for + <para>Specifies the default directory hierarchy for the <application>Apache</application> installation. Binaries are stored in the <filename class="directory">bin</filename> and <filename class="directory">sbin</filename> subdirectories of the server root, and configuration files are stored in <filename - class="directory">etc/apache</filename>.</para> + class="directory">etc/apache2<replaceable>x</replaceable></filename>.</para> </listitem> </varlistentry> 
@@ -4488,8 +4451,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key <term><literal>ServerAdmin you@your.address</literal></term> <listitem> - <para>The address to which problems with the server should - be emailed. This address also appears on some + <para>The email address to receive problems with the server. This address also appears on some server-generated pages, such as error documents.</para> </listitem> </varlistentry> @@ -4498,21 +4460,20 @@ $include Kexample.com.+005+nnnnn.ZSK.key <term><literal>ServerName www.example.com</literal></term> <listitem> - <para><literal>ServerName</literal> allows an + <para>Allows an administrator to set a host name which is sent back to - clients for the server. This is useful if the host is - different than the one that it is configured with (i.e., - use <hostid>www</hostid> instead of the host's real - name).</para> + clients for the server. For example, + <hostid>www</hostid> can be used instead of the actual host + name.</para> </listitem> </varlistentry> <varlistentry> <term><literal>DocumentRoot - "/usr/local/www/apache22/data"</literal></term> + "/usr/local/www/apache2<replaceable>x</replaceable>/data"</literal></term> <listitem> - <para><literal>DocumentRoot</literal>: The directory + <para>The directory where documents will be served from. By default, all requests are taken from this directory, but symbolic links and aliases may be used to point to other 
@@ -4525,18 +4486,14 @@ $include Kexample.com.+005+nnnnn.ZSK.key <application>Apache</application> configuration file before making changes. When the configuration of <application>Apache</application>, is complete, save the - file and verify the configuration using &man.apachectl.8;. - To do this, issue <command>apachectl configtest</command> - which should return <literal>Syntax OK</literal>.</para> - </sect2> - - <sect2> - <title>Running <application>Apache</application></title> + file and verify the configuration using apachectl(8). + Running <command>apachectl configtest</command> + should return <literal>Syntax OK</literal>.</para> <indexterm><primary>Apache</primary> <secondary>starting or stopping</secondary></indexterm> - <para>The <filename role="package">www/apache22</filename> port + <para>The <filename role="package">www/apache24</filename> port installs an &man.rc.8; script to aid in starting, stopping, and restarting <application>Apache</application>, which can be found in <filename @@ -4546,13 +4503,13 @@ $include Kexample.com.+005+nnnnn.ZSK.key startup, add the following line to <filename>/etc/rc.conf</filename>:</para> - <programlisting>apache22_enable="YES"</programlisting> + <programlisting>apache24_enable="YES"</programlisting> <para>If <application>Apache</application> should be started with non-default options, the following line may be added to - <filename>/etc/rc.conf</filename>:</para> + <filename>/etc/rc.conf</filename> to specify the needed flags:</para> - <programlisting>apache22_flags=""</programlisting> + <programlisting>apache24_flags=""</programlisting> <para>The <application>Apache</application> configuration can be tested for errors after making subsequent 
@@ -4561,7 +4518,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key or by the &man.service.8; utility by issuing one of the following commands:</para> - <screen>&prompt.root; <userinput>service apache22 configtest</userinput></screen> + <screen>&prompt.root; <userinput>service apache24 configtest</userinput></screen> <note> <para>It is important to note that the @@ -4571,11 +4528,10 @@ $include Kexample.com.+005+nnnnn.ZSK.key </note> <para>If <application>Apache</application> does not report - configuration errors, the - <application>Apache</application> <command>httpd</command> - can be started with &man.service.8;:</para> + configuration errors, start <command>httpd</command> + with &man.service.8;:</para> - <screen>&prompt.root; <userinput>service apache22 start</userinput></screen> + <screen>&prompt.root; <userinput>service apache24 start</userinput></screen> <para>The <command>httpd</command> service can be tested by entering <literal>http://<hostid @@ -4585,7 +4541,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key domain name of the machine running <command>httpd</command>, if it is not the local machine. The default web page that is displayed is - <filename>/usr/local/www/apache22/data/index.html</filename>.</para> + <filename>/usr/local/www/apache24/data/index.html</filename>.</para> </sect2> <sect2> 
@@ -4915,128 +4871,107 @@ DocumentRoot /www/someotherdomain.tld </authorgroup> </sect1info> --> - <title>File Transfer Protocol (FTP)</title> + <title>File Transfer Protocol (<acronym>FTP</acronym>)</title> - <indexterm><primary>FTP servers</primary></indexterm> + <indexterm><primary><acronym>FTP</acronym> servers</primary></indexterm> - <para>The File Transfer Protocol (FTP) provides users with a + <para>The File Transfer Protocol (<acronym>FTP</acronym>) provides users with a simple way to transfer files to and from an - <acronym role="File Transfer Protocol">FTP</acronym> server. - &os; includes <acronym - role="File Transfer Protocol">FTP</acronym> server - software, <application>ftpd</application>, in the base system. - This makes setting up and administering an - <acronym role="File Transfer Protocol">FTP</acronym> server on - &os; very straightforward.</para> + <acronym>FTP</acronym> server. + &os; includes <acronym>FTP</acronym> server + software, <application>ftpd</application>, in the base system.</para> + + <para>&os; provides several configuration files for controlling access + to the <acronym>FTP</acronym> server. This section summarizes + these files. Refer to &man.ftpd.8; for more details about the + built-in <acronym>FTP</acronym> server.</para> - <sect2> - <title>Configuration</title> + <sect2> + <title>Configuration</title> <para>The most important configuration step is deciding which - accounts will be allowed access to the FTP server. A normal - &os; system has a number of system accounts used for various - daemons, but unknown users should not be allowed to log in - with these accounts. The <filename>/etc/ftpusers</filename> - file is a list of users disallowed any FTP access. By - default, it includes the aforementioned system accounts, but - it is possible to add specific users here that should not be - allowed access to FTP.</para> + accounts will be allowed access to the <acronym>FTP</acronym> server. 
A + &os; system has a number of system accounts which + should not be allowed <acronym>FTP</acronym> access. + The list of users disallowed any <acronym>FTP</acronym> access + can be found in <filename>/etc/ftpusers</filename>. + By + default, it includes system accounts. Additional + users that should not be + allowed access to <acronym>FTP</acronym> can be added.</para> <para>In some cases it may be desirable to restrict the access of some users without preventing them completely from using - FTP. This can be accomplished with the - <filename>/etc/ftpchroot</filename> file. This file lists - users and groups subject to FTP access restrictions. Refer to - &man.ftpchroot.5; for more details.</para> + <acronym>FTP</acronym>. This can be accomplished be creating + <filename>/etc/ftpchroot</filename> as described in &man.ftpchroot.5;. This file lists + users and groups subject to <acronym>FTP</acronym> access restrictions.</para> <indexterm> - <primary>FTP</primary> + <primary><acronym>FTP</acronym></primary> <secondary>anonymous</secondary> </indexterm> - <para>To enable anonymous FTP access to the server, create a + <para>To enable anonymous <acronym>FTP</acronym> access to the server, create a user named <username>ftp</username> on the &os; system. Users - will then be able to log on to the FTP server with a username - of <username>ftp</username> or <username>anonymous</username> - and with any password (by convention an email address for the - user should be used as the password). The FTP server will + will then be able to log on to the <acronym>FTP</acronym> server with a username + of <username>ftp</username> or <username>anonymous</username>. When prompted for the password, + any input will be accepted, but by convention, an email address + should be used as the password. 
The <acronym>FTP</acronym> server will call &man.chroot.2; when an anonymous user logs in, to restrict access to only the home directory of the <username>ftp</username> user.</para> - <para>There are two text files that specify welcome messages to - be displayed to FTP clients. The contents of the file + <para>There are two text files that can be created to specify welcome messages to + be displayed to <acronym>FTP</acronym> clients. The contents of <filename>/etc/ftpwelcome</filename> will be displayed to users before they reach the login prompt. After a successful - login, the contents of the file + login, the contents of <filename>/etc/ftpmotd</filename> will be displayed. Note that the path to this file is relative to the login - environment, so the file <filename>~ftp/etc/ftpmotd</filename> + environment, so the contents of <filename>~ftp/etc/ftpmotd</filename> would be displayed for anonymous users.</para> - <para>Once the FTP server has been configured properly, it must - be enabled in <filename>/etc/inetd.conf</filename>. All that - is required here is to remove the comment symbol - <quote>#</quote> from in front of the existing - <application>ftpd</application> line :</para> - - <programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting> - - <para>As explained in <xref linkend="network-inetd-reread"/>, - the <application>inetd</application> configuration must be - reloaded after this configuration file is changed. Please - refer to <xref linkend="network-inetd-settings"/> for details - on enabling <application>inetd</application> on the - system.</para> - - <para>Alternatively, <application>ftpd</application> can also be - started as a stand-alone server. 
In this case, it is - sufficient to set the appropriate variable in - <filename>/etc/rc.conf</filename>:</para> + <para>Once the <acronym>FTP</acronym> server has been configured, set the appropriate variable in + <filename>/etc/rc.conf</filename> to start the service during boot:</para> <programlisting>ftpd_enable="YES"</programlisting> - <para>After setting the above variable, the stand-alone server - will be started at the next reboot, or it can be started - manually by executing the following command as - <username>root</username>:</para> + <para>To start the service now:</para> <screen>&prompt.root; <userinput>service ftpd start</userinput></screen> - <para>Log on to the FTP server by typing:</para> + <para>Test the connection to the <acronym>FTP</acronym> server by typing:</para> <screen>&prompt.user; <userinput>ftp localhost</userinput></screen> - </sect2> - - <sect2> - <title>Maintaining</title> <indexterm><primary>syslog</primary></indexterm> <indexterm><primary>log files</primary> - <secondary>FTP</secondary></indexterm> + <secondary><acronym>FTP</acronym></secondary></indexterm> <para>The <application>ftpd</application> daemon uses &man.syslog.3; to log messages. By default, the system log - daemon will put messages related to FTP in the - <filename>/var/log/xferlog</filename> file. The location of - the FTP log can be modified by changing the following line in + daemon will write messages related to <acronym>FTP</acronym> in + <filename>/var/log/xferlog</filename>. The location of + the <acronym>FTP</acronym> log can be modified by changing the following line in <filename>/etc/syslog.conf</filename>:</para> <programlisting>ftp.info /var/log/xferlog</programlisting> <indexterm> - <primary>FTP</primary> + <primary><acronym>FTP</acronym></primary> <secondary>anonymous</secondary> </indexterm> + <note> <para>Be aware of the potential problems involved with running - an anonymous FTP server. 
In particular, think twice about + an anonymous <acronym>FTP</acronym> server. In particular, think twice about allowing anonymous users to upload files. It may turn out - that the FTP site becomes a forum for the trade of unlicensed - commercial software or worse. If anonymous FTP uploads are + that the <acronym>FTP</acronym> site becomes a forum for the trade of unlicensed + commercial software or worse. If anonymous <acronym>FTP</acronym> uploads are required, then verify the permissions so that these files can not be read by other anonymous users until they have been reviewed by an administrator.</para> + </note> </sect2> </sect1>