WebSite Professional Server Self Test

Server Self-Test & Demonstration
Security and Management

15-September-97
Security Features: Miscellaneous:

Cryptographic Security

WebSite supports the Secure Sockets Layer V3 security protocol defined for Internet usage. This protocol requires a Digital ID (commonly known as a public key certificate or cert) for your server. These are available from several Certification Authorities (CAs). WebSite Professional comes with built-in support for the major CAs and provides the ability to add more as new CAs become available. You probably noticed that WebSite Pro asks you for a password when you start the server. Until you have generated a public-private key pair, sent the public key to a Certification Authority, and received a signed certificate, you cannot use SSL.

The following test/demo requires an SSL-capable browser (such as Netscape Navigator or Internet Explorer) and requires your server to be operating in secure mode. Ignore the certificate warning you will get. Click Continue or OK.

Click here to switch to SSL

You should have received a certificate warning, then, after you cleared the warning, the browser should have switched into secure mode. In Netscape, look for the blue bars and blue key. In Internet Explorer, look for the padlock icon in the lower right corner of the window.

The certificate warning indicates that the Common Name in the certificate does not match the host name you used. In this case, for demonstration purposes, we used localhost to get to the local WebSite Pro server, clearly not its real Internet/DNS name.
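The mismatch that produces that warning is a plain name comparison between the host typed into the browser and the names the certificate was issued for. The check below is an added illustration, not WebSite Pro's or any browser's code: it takes a certificate in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns (a constructed sample is embedded), prefers subjectAltName dNSName entries and falls back to the subject Common Name, and applies the single-label wildcard rule of RFC 6125. The assumption is that a certificate issued to www.example.com should never be accepted for localhost, which is exactly the situation the demo creates.

```python
"""Hostname-vs-certificate check in the style browsers apply.
Added example, not WebSite Pro code; the certificate below is constructed."""

# Constructed sample cert, in the format ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a single '*' is allowed
    only as the entire left-most label and must leave at least two labels
    behind it, so '*.example.net' matches 'a.example.net' but not
    'a.b.example.net', 'example.net' or anything under a bare '*.net'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        return False                      # refuse '*', 'f*o.com' and '*.com'
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when the cert was issued for hostname.  SAN dNSName entries are
    authoritative; the subject CN is consulted only when no dNSName exists,
    which is the fallback browsers of the period relied on."""
    san_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_names:
        return any(dns_name_matches(n, hostname) for n in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


if __name__ == "__main__":
    for host in ("www.example.com", "localhost", "api.example.net"):
        verdict = "ok" if hostname_matches(SAMPLE_CERT, host) else "mismatch warning"
        print(f"{host}: {verdict}")
```

Running it prints a mismatch for localhost and a match for the two names the sample certificate actually covers; the warning the demo tells you to click through is the browser reporting the first case.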

Access Control

WebSite Pro has the ability to provide fine-grain control of access to documents and scripts. Access can be controlled by user, by group, by client host (domain) name, client IP address, or any combination of these. You can also disable directory browsing and file retrieval and require an SSL connection for parts of your web.

Browsers remember the username and password you enter. If you type in the correct username and password, you will be permitted to access the document, and you won't be able to try an incorrect combination until you exit and restart your browser. We suggest you start with the wrong username and/or password. Then when you try again, you'll get an access failure alert. Click the Try Again button and type in another (correct) username and password.

User and Group Access Control

WebSite Pro can provide per-directory protection to users and/or groups of users. WebSite Pro can also provide security based on NT native user and group accounts.

Passwords are case-sensitive, usernames are not.

This document can be accessed only by user Dougherty with password balloon. This document can be accessed either by user Bracewell with password MCB, or by user Denny with password Bob.

The server also permits access by groups of users. You use the server's property sheet Groups tab to easily set up group membership. All users are automatically included in the group Users. Therefore, you can allow access to any valid user by allowing access by the group Users. This document can be accessed by any user.

Hostname and IP Address Filtering

You can also control access by host name or IP addresses. For example, this document can be accessed only by hosts within the IP address range 198.182.*.*, and this one can be accessed by any hosts except those in the IP address range 198.182.*.*. Although it is possible to filter by host name, we don't recommend it because it requires that the server do a DNS reverse lookup (to convert the IP address to the host name) on every request. This transaction may noticeably degrade the response time of the server on all requests.

Combining Username/Password and Host/IP restrictions

You can apply username/password access and IP/host filtering in an AND or OR mode. With OR, you can allow internal people to access your web (using IP filtering to reject outsiders) without needing usernames or passwords, while requiring outsiders to authenticate via username. See the Access Control tab on the server's property sheet.

Requiring SSL for access to parts of your Web

Requires your server to be in secure mode

Access control has an option to require SSL to connect to protected areas. You do not need to have user or host/IP access control on such an area, but you can combine them. For example, clicking here results in an error message (unless you are in SSL mode now). However, clicking here will let you in because the link is https:// (SSL). If you got in, you should notice that the browser is now displaying the SSL indicator.
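The rules described in this section (per-directory user and group protection with case-insensitive usernames and case-sensitive passwords, allow and deny filters on wildcard IP ranges, the AND/OR combination of the two, and the require-SSL option) fit together as one decision. The evaluator below is an added example of that decision and is not WebSite Pro's implementation; the realm, account names, passwords, group names and IP ranges in it are constructed for the demonstration. It filters by IP only, which is the recommendation the text gives, since host-name filtering would need a reverse DNS lookup on every request.

```python
"""Per-directory access decision: user/group login, IP wildcard filters,
AND/OR combination, require-SSL.  Added example, not WebSite Pro code;
accounts, groups and IP ranges are constructed."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed user realm: username -> (salt, sha256(salt + password)).
# Usernames compare case-insensitively, passwords exactly, as the text states.
_REALM: Dict[str, Tuple[bytes, bytes]] = {}
_GROUPS: Dict[str, Set[str]] = {"users": set()}   # every account lands in Users


def add_user(name: str, password: str, *groups: str) -> None:
    salt = os.urandom(16)
    _REALM[name.lower()] = (salt, hashlib.sha256(salt + password.encode()).digest())
    _GROUPS["users"].add(name.lower())
    for g in groups:
        _GROUPS.setdefault(g.lower(), set()).add(name.lower())


def authenticate(name: str, password: str) -> Optional[str]:
    """Canonical (lower-cased) username on success, None otherwise."""
    entry = _REALM.get(name.lower())
    if entry is None:
        return None
    salt, digest = entry
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return name.lower() if hmac.compare_digest(candidate, digest) else None


def ip_matches(pattern: str, address: str) -> bool:
    """'198.182.*.*' style filter, compared octet by octet."""
    p, a = pattern.split("."), address.split(".")
    return len(p) == len(a) == 4 and all(x == "*" or x == y for x, y in zip(p, a))


@dataclass
class Rule:
    allow_ips: List[str] = field(default_factory=list)  # empty list = any host
    deny_ips: List[str] = field(default_factory=list)
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)       # no users/groups = no login
    mode: str = "AND"            # how the host filter combines with user login
    require_ssl: bool = False


@dataclass
class Request:
    client_ip: str
    ssl: bool = False
    username: Optional[str] = None
    password: Optional[str] = None


def host_permitted(rule: Rule, ip: str) -> bool:
    """Deny patterns win; otherwise the allow list (if any) must match."""
    if any(ip_matches(p, ip) for p in rule.deny_ips):
        return False
    return not rule.allow_ips or any(ip_matches(p, ip) for p in rule.allow_ips)


def user_permitted(rule: Rule, req: Request) -> bool:
    if req.username is None or req.password is None:
        return False
    user = authenticate(req.username, req.password)
    if user is None:
        return False
    return (user in {u.lower() for u in rule.users}
            or any(user in _GROUPS.get(g.lower(), set()) for g in rule.groups))


def check_access(rule: Rule, req: Request) -> int:
    """HTTP status to answer with: 200 (serve), 401 (ask for login), 403 (refuse)."""
    if rule.require_ssl and not req.ssl:
        return 403                       # plain http:// link into an SSL-only area
    host_ok = host_permitted(rule, req.client_ip)
    needs_login = bool(rule.users or rule.groups)
    if not needs_login:
        return 200 if host_ok else 403
    if rule.mode.upper() == "OR":        # insiders pass on IP alone, outsiders must log in
        return 200 if host_ok or user_permitted(rule, req) else 401
    if not host_ok:                      # AND: host filter must pass before login counts
        return 403
    return 200 if user_permitted(rule, req) else 401


if __name__ == "__main__":
    add_user("alice", "S3cret", "Staff")                     # constructed account
    insiders_or_login = Rule(allow_ips=["198.182.*.*"], groups={"Users"}, mode="OR")
    print(check_access(insiders_or_login, Request("198.182.3.7")))                        # 200
    print(check_access(insiders_or_login, Request("8.8.8.8")))                            # 401
    print(check_access(insiders_or_login, Request("8.8.8.8", username="ALICE",
                                                   password="S3cret")))                   # 200
```

The OR branch is the "internal people without passwords, outsiders with" arrangement the previous section describes; the 401 it returns for an outsider with no credentials is what makes the browser show the login prompt, and the 403 for a failed SSL requirement is the error message the plain http:// link above produces.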


Statistics Reports

The server will return a statistics report when it receives a URL of /~stats. Try it now.

Server Administration

You may have noticed that the server responds to certain URLs that start with the tilde character in special ways. You have seen ~imagemap and ~stats so far. As you may have guessed, there are others. The two just mentioned are safe, that is, they don't do anything except retrieve data.

The server supports a few additional special URLs, which can be used to perform some administrative tasks. These functions do something. Therefore, in keeping with the HTTP protocol, they must be issued with the POST method. Forms can issue POSTs, and they can have buttons, so you can make up an administration form that contains the special function buttons you want.

As shipped, the server is set up to protect these special URLs, since they can affect the operation of the server. In order to successfully use these functions, you must first authenticate yourself as a member of the Administrators group. If you haven't yet added yourself as a user in the Web Server realm, do so now through the Users tab of the server's property sheet. Then add yourself to the Administrators group.

If successful, these special functions return the HTTP 204 No Response result, so the browser stays on the current page (some browsers may report that the link leads nowhere; this is cosmetic and is not a server error).

Now that you know the essentials, here are the buttons:

If you cycled either the access or error log file, take a look in the logs directory. You should see the cycled-out files with extensions like .001.
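The three requirements this section lays out for the administrative special URLs (POST only because they change state, credentials for a member of the Administrators group, and a 204 reply that leaves the browser where it is) make a short dispatcher. The one below is an added example and not WebSite Pro's code: the URL names are constructed placeholders rather than the server's real special URLs, the in-memory account list is a stand-in for the Web Server realm, and the authenticator is passed in so the dispatcher itself holds no passwords. It decodes the HTTP Basic header the browser sends after the access failure alert; 204 is written with its standard reason phrase, No Content.

```python
"""Dispatcher for state-changing "special URL" functions: POST only, Basic
credentials for an Administrators member, 204 with no body on success.
Added example, not WebSite Pro code; URL names and accounts are constructed."""

import base64
import binascii
import hmac
from typing import Callable, List, Optional, Set, Tuple

# Constructed placeholder URLs (not the server's real ones).  The actions only
# record what would have happened so the example runs without a server.
ACTIONS_LOG: List[str] = []
SPECIAL_FUNCTIONS = {
    "/~cycle-access-log": lambda: ACTIONS_LOG.append("access log cycled"),
    "/~cycle-error-log": lambda: ACTIONS_LOG.append("error log cycled"),
}

# authenticate(user, password) -> set of group names, or None on failure
Authenticator = Callable[[str, str], Optional[Set[str]]]

# Constructed stand-in for the Web Server realm: user -> (password, groups).
_DEMO_ACCOUNTS = {
    "admin": ("pw", {"Users", "Administrators"}),
    "bob": ("pw", {"Users"}),
}


def demo_authenticate(user: str, password: str) -> Optional[Set[str]]:
    entry = _DEMO_ACCOUNTS.get(user.lower())          # usernames case-insensitive
    if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
        return entry[1]
    return None


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after a 401."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:pass)'; None on anything malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def dispatch(method: str, path: str, auth_header: Optional[str],
             authenticate: Authenticator) -> Tuple[int, str]:
    """Return (status, reason).  The method check runs before anything else,
    so a plain link or image tag (always a GET) can never trigger an action;
    then credentials, then group membership, and only then the action."""
    if path not in SPECIAL_FUNCTIONS:
        return 404, "Not Found"
    if method.upper() != "POST":
        return 405, "Method Not Allowed"
    creds = parse_basic(auth_header)
    groups = authenticate(*creds) if creds else None
    if groups is None:
        return 401, "Unauthorized"                    # browser prompts for a login
    if "administrators" not in {g.lower() for g in groups}:
        return 403, "Forbidden"                       # valid user, not an admin
    SPECIAL_FUNCTIONS[path]()
    return 204, "No Content"                          # empty body, page stays put


if __name__ == "__main__":
    print(dispatch("GET", "/~cycle-access-log", basic_header("admin", "pw"), demo_authenticate))
    print(dispatch("POST", "/~cycle-access-log", None, demo_authenticate))
    print(dispatch("POST", "/~cycle-access-log", basic_header("bob", "pw"), demo_authenticate))
    print(dispatch("POST", "/~cycle-access-log", basic_header("admin", "pw"), demo_authenticate))
    print(ACTIONS_LOG)
```

The four calls at the bottom walk the checks in order: a GET is refused before credentials are even looked at, a missing header gets the 401 that makes the browser prompt, a valid non-administrator gets 403, and only the last call reaches the action and answers 204.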


Next Test Set: WSAPI, ISAPI and Perl 5 via API
Back to Top Page