Web serving security

When you provide access for visitors to your web site, you do not want to expose your viewers to information about how the site is set up and the coding that is used to generate the page.

You want their visit to your page to be easy, fast, and seamless, with all the work being done behind the scenes. As an administrator, you want to ensure that your security practices do not negatively affect your Web site. When using your iSeries™ as a web server, consider these points:

• The server administrator must define directives for the server before a client can interact with the HTTP server. There are two methods for creating security checks: general server directives and server protection directives. Any request to the web server must satisfy any and all restrictions that these directives provide before the server honors the request.
• You can create and edit these directives by using the server admin web pages for server configuration. Server directives allow you to control the overall behavior of the web server. Server protection directives allow you to specify and control the security models the server uses for specific URLs that the web server handles.
• You can use map or pass directives and the server admin web pages to configure the server.
  • Use map or pass directives to mask the file names on your iSeries web server. More specifically there are PASS server directives and MAP server directives that control the directories from which the web server serves URLs. You can also find an EXEC server directive that controls the libraries in which CGI-BIN programs reside.

    You define protection directives for each server URL. Not all URLs require a protection directive. But, if you want to control how a URL resource is accessed or by whom, then a protection directive for that URL is required.

  • Also, you can use the server Admin web pages to configure the server rather than using WRKHTTPCFG (Work with HTTP Configuration command) and typing the directives. Working with protection directives through the command line interface can be very complicated. Therefore, it is recommended that you use the Admin web pages to ensure that you set up your directives correctly.
  HTTP provides you with the capability to display data, but not alter data in a database file. However, there are some applications you will write that will need to update a database file. To do this, you can use CGI-BIN programs. For instance, you may want to create forms that, once users complete them, update an iSeries database. As security administrator, you should monitor the authorizations of that user profile and the functions that the CGI programs perform. Also, be sure to evaluate what sensitive objects might have inappropriate public authority.

  Note: Common Gateway Interface (CGI) is an industry standard for the exchange of information between a web server and computer programs that are external to it. The programs can be written in any programming language that is supported on the operating system where the web server is running.

  In addition to using CGI programs in your web pages, you may want to use Java™. You should understand Java security before you add Java to your web pages.

  The HTTP server provides an access log that you can use to monitor both accesses and attempted accesses through the server.

  The proxy server receives HTTP requests from web browsers and resends them to web servers. Web servers that receive these requests are only aware of the proxy server IP address. They cannot determine the names or addresses of the PCs that originated the requests. The proxy server can handle URL requests for HTTP, File Transfer Protocol (FTP), Gopher, and WAIS.

  You can also use the HTTP proxy support of the IBM^® HTTP Server for iSeries to consolidate web access. The proxy server can also log all URL requests that are for tracking purposes. You can then review the logs to monitor use and misuse of network resources.