Deploying Microsoft FrontPage 2000 UNIX Web Services
Liam Widdowson Microsoft FrontPage 2000 is a client/server application that simplifies authoring, management, and publishing of Web sites through a user-friendly GUI. It allows the implementation of seemingly complicated features, such as search engines, feedback forms, and discussion forums (that traditionally require CGI programming) with a few mouse clicks. Whether you're an enterprise rolling out FrontPage to manage your intranet content, or an ISP responding to customer demand, you can implement FrontPage-enabled Web services without Windows NT. The FrontPage client and Web server communicate with a proprietary protocol that is layered over HTTP with CGI. Files are uploaded using HTTP POST instead of ftp . User authentication is done with individual .htaccess files in each user's public_html directory. This allows multiple authors to have publishing rights to a single Web site. See Jimmy Ball's article (Sys Admin, February 1999) for detailed information on .htaccess files. Microsoft offers FrontPage extensions for a wide variety of UNIX platforms and Web servers (see Table 1). However, the UNIX version lacks comprehensive documentation, and if not properly implemented, can lead to frustration and serious security issues. In this article, I hope to provide the information you won't find in the documentation and lead you through what is required to get a FrontPage Web server configured securely. Installing the Web Server If you have Web servers in production, I suggest installing FrontPage on a separate server (significant configuration changes are required). Also, by isolating your FrontPage server, you can apply a specific security model. For this article, I use Slackware Linux v4.0 and Apache v1.3.9. You may use any flavor of UNIX/Web server you prefer, as long as it is supported (see Table 1). If your UNIX does not have a Web server installed, I recommend the Apache Web server. Binaries and source distributions are available from:
http://www.apache.org/dist/ You may prefer the precompiled packages available at:
http://www.sunfreeware.com (Solaris SPARC/Intel) http://hpux.cs.utah.edu/ (HP-UX) Before beginning installation of Apache, create a user that will be responsible for running the httpd process. I usually create one named www and place it in the same group as the users on my system. Your useradd statement should look like:
# useradd -d /usr/local/apache -g users -s /bin/false www By default, the Apache Web server installs into /usr/local/apache. You can alter this by specifying a different path at compile time with configure's prefix option:
./configure --prefix=/opt/apache More information on configure options can be found in the INSTALL file within the Apache distribution. If you experience problems compiling Apache, visit the FAQ at:
http://www.apache.org/docs/misc/FAQ.html Once Apache is installed, you'll need to alter parts of the Apache configuration. Edit the httpd.conf (usually /usr/local/apache/conf/httpd.conf). Uncomment or add the following lines:
ResourceConfig conf/srm.conf Microsoft's extensions add three lines of text per FrontPage Web to srm.conf. Since Apache v1.3.X ships with all configuration data stored in httpd.conf, this must be altered. You'll also need to change a few other parameters. The Apache AllowOverride directive allows you to globally control what security features users can specify in their .htaccess files. For FrontPage to work, you must set:
AllowOverride All If this is not changed, users will be able to write to each other's Web space. You'll also want to change the DirectoryIndex directive to:
Direc0toryIndex index.html index.htm default.htm default.html This will allow files named as above to be considered index or starting pages. You must also specify the user that runs Apache. This can be done with the following lines:
User www Group users See Listings 4 and 5 for example httpd.conf and srm.conf configuration files. Once you've made the relevant configuration changes, start up Apache:
# /usr/local/apache/bin/apachectl start Test your Web server by telneting to port 80 and typing GET / HTTP/1.0. You should see something similar to the following:
$ telnet localhost 80 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. GET / HTTP/1.0 HTTP/1.1 200 OK Date: Sat, 25 Sep 1999 08:45:36 GMT Server: Apache/1.3.9 (Unix) ETag: W/"7b6-90-37e3b144" Accept-Ranges: bytes Content-Length: 144 Connection: close Content-Type: text/html Now that your Web server is working, it's time to install Microsoft's FrontPage Extensions. Installing Microsoft FrontPage 2000 Server Extensions Download a copy of Microsoft's FrontPage 2000 extensions for UNIX from:
http://msdn.microsoft.com/workshop/languages/fp/2000/unixfpse.asp You must download the fp_install.sh script and the version of FrontPage to suit your platform, (e.g., fp40.linux.tar.gz). Once these files are downloaded, place them in a temporary directory, and as root run fp_install.sh. Answer the following prompts as shown:
Are you satisfied with your backup of the system (y/n) [N]? Ensure there is a backup copy of your Web server's configuration files (httpd.conf, srm.conf, etc.). Answer “yes” when ready:
FrontPage Extensions directory [/usr/local/frontpage/]: Choose the target installation path for the extensions: Where is the zcat which can uncompress gz files? The script then prompts for the path of zcat (usually /bin/zcat, /usr/bin/zcat or /usr/local/bin/zcat, etc.). It will then begin decompressing and installing the extensions:
Do you want to install a root web (y/n) [Y]? It then prompts you to install a root Web. The root Web is the FrontPage Web for the root content directory of your Web server, (e.g., http://www.mycompany.com.au/). You need to install this, so say “yes”:
Server config filename: Enter the path to your server's config file (e.g., /usr/local/apache/conf/httpd.conf).
FrontPage Administrator's user name: A prompt for the FrontPage Administrator's user name will appear. This username is used by the client to publish content into the root Web. While it does not necessarily need to align to a UNIX username, doing so eases administration. I prefer to choose the UNIX username that runs Apache (in this case, www).
Unix user name of the owner of this new web:[www] Unix group of this new web:[users] A prompt for the UNIX UID and GID for the root Web administrator will appear. You should choose the UNIX userid and group with which you are running Apache (www and users):
1. ncsa
2. apache
3. apache-fp
4. netscape-fasttrack
5. netscape-enterprise
6. stronghold
What type of Server is this:
You will then be prompted for the type of Web server you are running. Since I'm using Apache, I choose option 2. Do not choose apache-fp:
Password for user "www": You will then be prompted for the password for your rootweb's administrator. Note this does not align with your UNIX password:
1. LATIN1 (ISO 8859-1) 2. LATIN2 (ISO 8859-2) 3. EUCJP (Japanese EUC) 4. EUCKR (Korean EUC) Which local character encoding does your system support: [1] Choose the correct local character encoding used on your system. This is usually LATIN1 (for most English speaking countries):
1. English 2. French 3. German 4. Italian 5. Japanese 6. Spanish What should the default language be: [1] Choose the default language you want FrontPage to use:
Install new sub/per-user webs now (y/n) [Y]? You will then be asked to install new sub/per-user Webs now. Choose “no” here, as this will be covered later:
Do you want to install Virtual Webs (y/n) [Y]? The same applies for Virtual Webs. Choose “no” here:
Installation completed! Exiting... A few additions should be made to the FrontPage configuration file that will be specific to each site. Edit the file /usr/local/frontpage/version4.0/frontpage.cnf. I suggest adding settings that specify SMTP details, security logging, and script language type. Add the following settings (customize for your site):
SMTPHost:smtp-relay.mycompany.com.au SendMailCommand:/usr/sbin/sendmail %r MailSender:frontpage-formhandler@mycompany.com.au. Logging:1 ScriptLanguage:JavaScript< A complete list of options is available at:
http://officeupdate.microsoft.com/frontpage/wpp/serk/apndx03.htm Congratulations! You have now installed FrontPage extensions on your Web server. You can now publish and manage content in the root of your site. This may be enough for a corporate intranet, but if you want virtuals or per-user Web sites, keep reading. Sub/Per-User Webs A sub/per-user Web is the personal FrontPage Web space of a valid UNIX user (e.g., http://www.mycompany.com.au/~user). You must enable FrontPage authoring extensions for each individual user. Per-user Webs are designated by placing a tilde “~” in front of the Web name. This is a straightforward task that can be automated. You can even create a Web front-end, as I have done in the past. A simple shell script to add a sub/per-user Web is shown in Listing 1. Apache must be restarted after adding a per-user Web. The script does this by issuing the command /usr/local/apache/bin/apachectl restart. Virtual Webs Adding a virtual Web is a two-step process. You must first add the virtual to the Web server and then to FrontPage. Apache is capable of doing two types of virtual hosting. The first type of hosting uses a single IP address for all virtuals. DNS and HTTP/1.1 headers are used to distinguish each site. The second type of virtual hosting uses a single IP address for each virtual. This has the advantage of working with ancient browsers, but large sites could potentially waste significant chunks of IP space. I recommend using single IP, because as HTTP/1.1 is supported in all recent browsers. The virtual entry in httpd.conf should look similar to this:
<VirtualHost 192.168.18.215>
ServerAdmin webmaster@mycompany.com.au
DocumentRoot /home/user/public_html
ServerName www.inodes.org
ErrorLog /home/user/logs/inodes.org/error_log
CustomLog /home/user/logs/inodes.org/access_log common
</VirtualHost>
where the IP address in <VirtualHost> is the IP of your Web server (for single IP hosting) or the new IP assigned to your server. Restart Apache and check that the virtual is working correctly. Once this has been done, you must add the domain to FrontPage. I have written a shell script to automate this process (Listing 2). Now that the relevant virtuals and per-user Webs have been added to your server, you can start publishing content with the FrontPage client. Using the FrontPage Client The FrontPage 2000 server extensions are compatible with Microsoft FrontPage 98 and 2000 client. The client consists of two parts -- a WYSIWYG HTML editor/client, and the Microsoft Personal Web server. The user edits or designs sites with the client and publishes them to the local Microsoft Personal Web server. Once satisfied with the content, the site is then published to the remote FrontPage server. To test your FrontPage server, start up the FrontPage client. You will be presented with the “Getting Started” Wizard. Choose “Create a New FrontPage Web” and click “OK”. You will be then presented with the screen in Figure 1. Choose the style of Web you wish to create and then click “OK”. The navigation overview then appears (see Figure 2). You can add and delete documents or links in this area. By clicking on each page, you will be able to edit it with the WYSIWYG HTML editor. Once you've finished editing your site, click the “Publish” button to upload it to the remote FrontPage Web server. You will then be prompted with a dialog box (see Figure 3). Enter the URL where you would like to publish the page. It may be http://www.mycompany.com.au/~user/ for a per-user Web, or http://www.inodes.org for a virtual. Click “OK” when you've entered the correct URL. A dialog box will appear prompting for a username and password. Enter the username and password that you set up with the scripts in the previous section. Click “OK” and your site transfer will begin. Once the transfer has finished, start your favorite Web browser and point it to the URL in question. You should see your new site. Installing ftp Despite being able to publish sites with FrontPage, you may find yourself needing ftp. I suggest using ProFTPD. It is available from:
http://www.proftpd.org Download the latest copy and compile it. ProFTPD has been designed to be similar to Apache in terms of configuration. Like Apache, the configure script also accepts a prefix option to specify the installation path. Check the INSTALL file in the distribution for more details. To ensure a high level of security, you'll need to make changes to the default ProFTPD configuration file (usually /usr/local/etc/proftpd.conf). I suggest adding two security measures. First, chroot the user's environment and second, disallow users from reading or writing to the FrontPage system directories ~/public_html/_vti_*/. Your ProFTPD configuration should look like the one in Listing 3. Once you've customized the configuration file, start ProFTPD (usually /usr/local/sbin/proftpd). ProFTPD can also be run from inetd. See the ProFTPD documentation for further information. Security For your Microsoft FrontPage Web server to be secure, the OS and surrounding services must first be hardened. Ensure you are not running any services that are not required, and consider putting your host behind a firewall. See Patrick Lambert's “Implementing Security on Linux” article (Sys Admin, October 1999) for further information. Other excellent resources include Dave Zwieback's article, “Hardening a Host” (Sys Admin, September 1999) and O'Reilly's Practical UNIX & Internet Security, 2nd Edition. When securing Microsoft FrontPage servers, the most important question is: Who are my authors? If you are in a friendly environment, you may be able to safely allow your users to use ftp and Microsoft FrontPage for publishing. You may also enable shell access for quick editing of pages, etc. However, in an open public environment, such an ISP or Web hosting firm, you must take a strong stance on security. Do not enable shell access. Users could possibly replace the various FrontPage executables in ~/public_html/_vti_* with Trojans, etc. Only enable ftp services if they are sufficiently hardened (e.g., chrooted and with measures in place to disallow alterations to the _vti_* service directories). Conclusion Implementing Microsoft FrontPage 2000 extensions under UNIX can be a complicated task. It does, however, have its rewards. You are able to rely on the stability and scalability of a UNIX based platform, while still supporting proprietary Microsoft extensions. There are many ways to implement FrontPage under UNIX and you may have already used a different method. Microsoft includes a patched version of Apache called apache-fp with the extensions. This special version of Apache offers better FrontPage integration, but I have elected not to use this for security reasons. There is also a freely available Apache module called mod_frontpage that can be downloaded at:
http://www.darkorb.net/pub/frontpage/ Note that it is possible to integrate ASP (Active Server Pages) with your FrontPage server. Your UNIX server will then become an almost complete Windows NT/IIS replacement. There are many products available. ChilliSoft has released UNIX ASP software that is compatible with Apache. Further information can be found at: http://www.chillisoft.com/. In this article, I have touched on all the elements you need to get your FrontPage server up and running. There are many other features and options available to administrators and users. See the SERK (server extensions resource kit) for further configuration options and features. References RFC1945 Hypertext Transfer Protocol -- HTTP/1.0: http://www.cis.ohio-state.edu/htbin/rfc/rfc1945.html
RFC2616 Hypertext Transfer Protocol -- HTTP/1.1: http://www.cis.ohio-state.edu/htbin/rfc/rfc2616.html
Microsoft FrontPage 2000: http://www.microsoft.com/frontpage/
Microsoft FrontPage 2000 Download: http://msdn.microsoft.com/workshop/languages/fp/2000/unixfpse.asp
Microsoft FrontPage 2000 Server Extensions Resorce Kit: http://officeupdate.microsoft.com/frontpage/wpp/serk/
About the Author
Liam Widdowson is a UNIX systems administrator at Telstra Internet Data Operations. Liam is currently completing his Bachelor of Engineering degree at the University of Technology, Sydney, Australia. He can be reached at lbw@telstra.com.
|