The magazine of the Melbourne PC User Group

Running Your Own Web Server — Part 2
Roger Brown
 
 

Roger Brown continues his excellent article with easy to follow exercises showing how to set up and run your own Web Server

Now that the basics are out of the way, let's explore how to add some extra capability to your Web site. If you have followed the steps in my first article on this subject, already you will have:

  • a functional Web site utilising the easy to use AnalogX Server
  • your own domain name or subdomain name enabling your site to be viewed on the Internet

This article will show you how to add extra capability using the scripting language PHP and the popular Apache Web server. But first, a word about security.

Security

If you are running your own Web site, you are in effect inviting people, many of whom you will not know, to access some of the files on your computer. While your Web server software should prevent intruders from getting to any part of your computer that you wish to protect, there are some important precautions you need to take. For the most part these are precautions that you should already be taking, but they become much more important when you are running server software that allows incoming connections.

Precautions

  • Be absolutely scrupulous about keeping your operating system up to date. All operating system patches and updates should be installed immediately they become available. If you use Windows, the automatic update facility must be turned on.
  • You must have a functioning and effective firewall and you should check its effectiveness by testing at an external testing site such as http://grc.com. Ideally all ports other than those you intend to be open (such as port 80 for your Web server) should show as "Stealth" as in the example shown in Figure 1.



Figure 1. A successful grc.com test.

  • Your antivirus software must be up-to-date and set to automatically update its virus definitions daily.

  • You should regularly (at least weekly) scan your system with the appropriate anti-spyware and anti-Trojan software - in Windows try Spybot and Ad-Aware.

There's no need to become alarmed about security, but you need to be aware that unless you take security issues seriously, a Web server (or any server) can provide intruders with an opportunity to use your system to spread their spam, viruses and other electronic infection. Appropriate precautions will minimize the chances of this occurring.

Installing Easy PHP

As I mentioned last time, much of the extra capability you can add to your Web site through running your own server depends upon you installing:
  • a Web server more capable than the SimpleServer we have used so far - in other words, Apache.

  • a scripting language that you can use with the Web server to perform various tasks - the popular PHP scripting language is specifically designed for this purpose

  • a database to enable the server to store and recall information - the capable MySQL database works well with both Apache and PHP

The key is to get these three programs working together properly, and oddly enough, that is somewhat more difficult to achieve in Windows than it is in Linux, largely because all three were originally designed for the latter environment.

Fortunately with Windows we can use EasyPHP, an excellent package that installs versions of all three programs and configures them to work properly together. (Note: installing Apache and PHP under Linux is outside the scope of this article but in many cases that is handled by the installation process of your Linux distribution).

So Let's Get Into It
 
   1. Download and install EasyPHP from http://www.easyphp.org/.
 
   2. Fire up EasyPHP from your start menu. You will be presented with a neat control panel as shown in Figure 2, showing that both the Apache and MySQL servers are running. (PHP is not a server so it is not shown.)



Figure 2. The EasyPHP Control panel.
 

   3. Test the operation of the Web server by browsing to the URL http://localhost. At this stage you will see only a default page (Figure 3), but the server is running. Our next task is to configure the server and to get PHP running.



Figure 3. The EasyPHP default page.

Configuring Apache

There is no need to change too much of Apache's default configuration, but we do want Apache pointing to our Web page rather than to its default page. Apache keeps its configuration information in a file named HTTPD.CONF which you must edit manually (unless of course you use Linux where there is an excellent utility named Webmin that will do the job for you). See PC Update, May 2003 or online at http://www.melbpc.org.au/pcupdate/2305/2305article7.htm.
  • If you installed EasyPHP to its default location, you will find HTTPD.CONF at
    C:\Program Files\EasyPHP1-8\conf_files\httpd.conf.
     
  • Open this file in a text editor and find the section shown in Figure 4.

  • Disable the default "Document Root" entry by commenting it out (prefix it with the hash character to make it a comment line) and add a new line pointing to the location of your Web site, in the manner shown in Figure 4 below.

  • Then scroll down to find the section shown in Figure 5 below.

  • Again, change the default entry and point it to your Web site. Save the changes.

  • Use the EasyPHP control panel to stop and restart Apache. Browse to http://localhost and if all has gone well, your site will appear.

#
ServerName localhost
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#

#DocumentRoot "C:/PROGRA~1/EASYPH~1/www"
DocumentRoot "C:\Documents and Settings\Roger Brown\My Documents\sample_webserver"
#
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of permissions.
#
<Directory />
  Options FollowSymLinks Indexes
  AllowOverride All
</Directory>
 

Figure 4. The first modification to file httpd.conf. (Substitute the directory name with yours.)
 


# you might expect, make sure that you have specifically enabled it below.
#
#
# This should be changed to whatever you set DocumentRoot to be.
#
#<Directory "C:/PROGRA~1/EASYPH~1/www">
<Directory "C:\Documents and Settings\Roger Brown\My Documents\sample_webserver">
#
 

Figure 5. The second modification to file httpd.conf. (Substitute the directory name with yours.)

Testing PHP

Now we must check to determine whether PHP is working properly. To do this, you must:
  • Create a text file named 1.php, type the three lines of code shown in Listing 1 below and save the file in your Web site directory.

Listing 1

<?
    phpinfo();
?>

  • Browse to the URL http://localhost/1.php. You should see a screen as shown in Figure 6. This indicates PHP is working.

By the way, congratulations are in order here. You have just created your first PHP routine. Even with a tiny routine like this there are some important points to notice:
  1. First (even if it is obvious), the file must have a ".php" extension

  2. All PHP routines start with <? and end with ?>. That's because PHP files can contain standard HTML as well as the PHP code. We will see examples of this later.

  3. Every PHP statement must end with a semi-colon



Figure 6. Your first PHP routine in action.


Let Us Continue

Open the php configuration file PHP.INI in your text editor. The location of the file is shown in Figure 6. Find the "display_errors" entry and, as recommended in the notes in the file, change the value from On to Off. See Figure 7 below. With that completed we are ready to do some serious work with Apache and PHP working together.


; - Show all errors, except for notices
;
;error_reporting = E_ALL & ~E_NOTICE
;
; - Show only errors
;
;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR
;
; - Show all errors
;
error_reporting = E_ALL
;
; Print out errors (as a part of the output). For production web sites,
; you’re strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production
; web site may reveal security information to end users, such as file paths
; on your Web server, your database schema or other information.

display_errors = Off

; Even when display_errors is on, errors that occur during PHP’s startup
; sequence are not displayed. It’s strongly recommended to keep
; display_startup_errors off, except for when debugging.

 

Figure 7. The required change to file php.ini.

Using PHP For Site Log-In

As a first PHP project we will use PHP to provide password log-in. This has been chosen because, while being a relatively straightforward project, it illustrates some of the essential and important features of the PHP scripting language. It's also a useful project because many people like to use personal Web sites for family related material which ideally they would prefer not be available to the general public. I have such a section on my site.

First let me say that since PHP is a comprehensive scripting language designed especially for Web server use, anyone using it will need to learn its syntax and functions. That can be done by purchasing a good reference book on the subject - just as any aspiring Web site designer needs to have at least one HTML reference book available.

Password log-in to a Web site or Web page is not difficult in itself - it's merely a case of using a form to collect the password entered by the user and performing a simple test to check whether or not that password is the one required. However, without either your own server or equivalent access to the server on which the page is hosted (and this access is usually not available with ISP-hosted Web pages), there is a problem:

  • The only way the password verification can be run is by the use of JavaScript

  • JavaScript is known as a client side technology - the entire validation code has to be downloaded to the user's computer and is run by the user's Web browser. That code must in some manner, contain the password.
     
  • This means that if the user does not know the password, he/she can simply view the Web page source and discover the password. While there are ways in which the password can be effectively disguised within the Web page source code, a determined intruder will still be able to read it.

Now that you are running your own Web server, you have a better option. Using PHP we can:
  • have all the validation process done by the server (server-side processing)

  • completely hide the validation code from the end user so that a user not knowing the password can never discover it.

Let's Get Started

The theory of what we need to do is quite simple.
  1. We need a form to collect the password
     
  2. Then we need a routine that reads the password and either displays the 'secret' information or displays an error message

<html>
<head>
<title>Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="m.css" type="text/css">
</head>
<body>

<h3>Secret Log-in</h3>
<!-- The action item points to the routine we will create to process the password -->
<form name="form1" method="get" action="slogin.php">
Enter your password please: &nbsp; &nbsp;
<!-- The value AND the name of this element will be picked up by the PHP routine -->
<input type="text" name="pw"><br><br>
<input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>
 


Figure 8. File named slogin.html -- the HTML code that creates the initial log-in screen.

First here's the form - it's simple HTML. See Figures 8 and 9. There are only two critical items:

  1. the name of the text input field that holds the password ( the name is "pw" in this example), and

  2. the value of the action attribute of the form, which in this case runs the PHP routine (slogin.php).



Figure 9. The screen form produced by the code shown in Figure 8.


The comments in the source code explain these in more detail.

Now for the PHP routine itself. This must have the same name you specified in the action attribute of the form. The comments within the code should now make its operation self explanatory. Note however, that PHP can be embedded within normal HTML, making it much easier to use standard HTML whenever that is more convenient. See Figure 10.
 

<html>
<head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">

<title>Secret</title>

<link rel="stylesheet" href="m.css" type="text/css">

</head>
<body>
<!--embedded php code - allows the use of normal html code where that
is more convenient. Under no circumstance is the php code ever visible to
the end user -->

<?php
// a simple if test for our password
// You can read more about PHP control structures at
// <http://au.php.net/manual/en/print/language.control-structures.php#control-structures.if>
// The variable name 'pw' MUST match the name you used for the element
// in your form that held the password

$pw=$_GET['pw'];
if (strtolower($pw)<>"abracadabra" )
//this next section within the curly braces { } executes only if the password
//test fails
{
print "<h2>You are not authorised to view this page - go away!</h2>";
// this exits the page - the html below is not sent to or
// visible to the user if the password test fails
exit();
}
?>

<!-- But if password test is ok the standard html below is displayed
No doubt you will substitute something more useful -->
<h2> Congratulations - you have reached my secret page!</h2>
</body>
</html>

 


Figure 10. File named slogin.php. This is the PHP routine that runs as the "action" associated with the HTML form.


So now that's done, let's test our password routine. Browse to the password form page and first enter an incorrect password. You should get something like Figure 12. Note that the source code for this page, as viewed from the user's browser, reveals nothing of the password verification code. The user has no way of discovering the password!


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="content-type">
<title>Secret</title>
<link rel="stylesheet" href="it.css" type="text/css">
</head>
<body>

<!-- embedded php code - allows the use of normal html code where that is more convenient, under no circumstance is the php code ever visible to the end user -->

<h2>You are not authorised to view this page - go away!</h2></h2>

 


Figure 11. Code example 3 — text that is returned by the server routine for a failed log-in.
 



Figure 12. The message displayed when an incorrect password is typed.

Now go back and enter the correct password. You should now have something like, or hopefully better than Figure 14.


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="content-type">
<title>Secret</title>
<link rel="stylesheet" href="it.css" type="text/css">
</head>
<body>

<!-- embedded php code - allows the use of normal html code where that is more convenient, under no circumstance is the php code ever visible to the end user -->

<!-- But if password test is OK the standard html below is displayed
No doubt you will substitute something more useful -->

<h2> Congratulations - you have reached my secret page!</h2>

</body>
</html>
 


Figure 13. Code example 4 — text returned by server routine for a successful log-in.
 



Figure 14. The message displayed after the correct password is typed.

Even now the password verification routine is not shown in the source-code.
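
A hardened variant of the Figure 10 routine, as an added example that is not part of the original article. Figure 10 receives the password in the URL (method="get"), where it is kept in browser history and in the server's access log, and compares it with a literal stored in the script; the version below uses POST, a stored password hash and a session flag. It assumes PHP 7 or later (newer than the EasyPHP release used here), and the file name slogin_secure.php and the hash file path are hypothetical.

```php
<?php
// slogin_secure.php -- added example, not the article's code. Assumes PHP 7+.
// HASH_FILE is a hypothetical path OUTSIDE DocumentRoot, so Apache can never
// serve it. Create it once from a Command Prompt (cmd.exe):
//   php -r "echo password_hash('your password here', PASSWORD_DEFAULT);" > pw.hash
const HASH_FILE = 'C:/webserver_private/pw.hash';

// True only if $submitted matches the stored hash. password_verify() compares
// in constant time; a missing or unreadable hash file denies access.
function password_ok($submitted, $hashFile)
{
    if (!is_string($submitted) || !is_readable($hashFile)) {
        return false;
    }
    $hash = trim((string) file_get_contents($hashFile));
    return $hash !== '' && password_verify($submitted, $hash);
}

session_start(['cookie_httponly' => true]);  // cookie not readable by page scripts

// The form below uses POST: the password travels in the request body, not the URL.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (password_ok($_POST['pw'] ?? null, HASH_FILE)) {
        session_regenerate_id(true);     // fresh session id after log-in
        $_SESSION['authorised'] = true;  // other protected pages can test this flag
    } else {
        // Recorded in the server-side error log, never shown on the page.
        error_log('slogin: failed log-in from ' . $_SERVER['REMOTE_ADDR']);
    }
}

if (empty($_SESSION['authorised'])) {
?>
<html>
<head><title>Login</title></head>
<body>
<h3>Secret Log-in</h3>
<form method="post" action="slogin_secure.php">
Enter your password please: &nbsp; &nbsp;
<input type="password" name="pw"><br><br>
<input type="submit" value="Submit">
</form>
</body>
</html>
<?php
    exit();   // nothing below is sent without a valid session
}
?>
<html>
<head><title>Secret</title></head>
<body>
<h2> Congratulations - you have reached my secret page!</h2>
</body>
</html>
```

Unlike Figure 10, the comparison here is case-sensitive, and the password is only protected in transit if the site is served over HTTPS.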

What Have We Achieved?

If you have worked through this tutorial, you should have completed the following:

  1. Installed and configured Apache, PHP, and MySQL to work together; that's no mean feat.

  2. Pointed your Apache server at your Web site by editing the Apache configuration files.
     
  3. Tested PHP by writing and running a very small PHP routine.

  4. Written and tested a longer PHP routine to demonstrate some of the key features of PHP - particularly its ability to work effectively when embedded in a normal HTML page.

What's Next?

This and subsequent tutorials will show you some of the useful capabilities that PHP and MySQL can add to your Web site. However, you will need to learn the detail of the scripting and database language through your own reading and practice. There are many books on PHP as a visit to any computer bookstore will show you. See also http://www.php.net/books.php?type=PHP&lang=en for a comprehensive listing. I've found "PHP - Your Visual Blueprint For Creating Open Source, Server Side Content" by Paul Whitehead and Joel Desamero to be of considerable value.
 
See http://www.amazon.com/exec/obidos/ASIN/0764535617/wwwphpnet. If you can find a copy, I recommend it. In addition to that, as you've already seen, the PHP online manual can be found at http://au.php.net/manual/en/print/index.php. It's a handy reference for detailed information on PHP and its many functions.

There are many interesting projects, and a great deal of enjoyment waiting for you.

 
Reprinted from the July 2005 issue of PC Update, the magazine of Melbourne PC User Group, Australia
