
Configuring your own Web Server

We assume that you are configuring your own Internet server and that you already have configured your machine as a development system. We further assume that you either have a single user system, or that you are the only user on a multi-user system that has access to the Web server system.

You need to take care of the following issues:

  • Server Security
  • Error Messages and Error Handling
  • Performance issues

Server Security

Once your server is connected to the Internet there is a potential risk that an unauthorized person accesses or modifies data stored on your machine.

To build a secure system, all components must be secure: the operating system, the Web server, the database system, heitml, and the pages you design.

Since heitml uses the CGI interface (or the ISAPI interface), using heitml is no more risky than writing CGI scripts (or using ISAPI). Additionally, heitml provides some features that make designing heitml pages more secure than writing CGI scripts and that limit the effect of security bugs.

Still, bear in mind that you can write insecure pages in heitml just as in any other programming language. heitml does, however, limit the harm an insecure page can cause: it makes sure that heitml pages can access only the specified database; they can neither execute arbitrary shell commands nor access files (except for include files). This means that if you write an insecure heitml page, an intruder could read or modify the database, but not read or write any other files.

To use this feature, make sure that the secure parameter is not switched off. Also configure the database system correctly: on some database systems, stored procedures and similar commands can be executed, and files accessed through them, just by issuing database queries.

Please be especially careful when configuring the include path! A heitml page can include any file contained in a directory on the include path, and the same is true for all subdirectories of these directories. There is a slight chance that, through a badly written heitml page, a Web user can specify an include file and make heitml include it. As long as the secure option is switched on, no absolute paths or .. paths can be written in heitml pages, so heitml makes sure that only files contained in an include directory or a subdirectory thereof can be included.
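As an added illustration of the include-path rule above (example code, not heitml's own implementation; the directory layout and the .hei file names are constructed), a small Python resolver that applies the secure option's two textual checks and then a realpath check on top, which also rejects a symlink inside the include tree that points outside it:

```python
import os
import posixpath
import tempfile


def is_safe_include_name(name):
    """The textual rule the secure option enforces: no absolute path and no
    '..' segment (plus, defensively, no empty name, NUL byte or backslash)."""
    if not name or "\x00" in name or "\\" in name or posixpath.isabs(name):
        return False
    if ".." in name.split("/"):
        return False
    return posixpath.normpath(name) != "."


def include_candidate(name, base):
    """Path of `name` below include directory `base`, or None if the name is
    unsafe or, after normalisation, would not stay below `base`."""
    if not is_safe_include_name(name):
        return None
    path = os.path.normpath(os.path.join(base, name))
    return path if os.path.commonpath([base, path]) == base else None


def resolve_include(name, include_path):
    """First existing file for `name` on `include_path`; realpath is applied to
    both sides so a symlink escaping the include tree is rejected too."""
    for base in include_path:
        cand = include_candidate(name, base)
        if cand is None or not os.path.isfile(cand):
            continue
        real_base, real = os.path.realpath(base), os.path.realpath(cand)
        if os.path.commonpath([real_base, real]) == real_base:
            return real
    return None


def demo():
    """Constructed include tree: one legitimate include file and one symlink
    that escapes the tree. Returns (legit resolved?, symlink result)."""
    with tempfile.TemporaryDirectory() as tmp:
        inc = os.path.join(tmp, "include")
        os.makedirs(os.path.join(inc, "lib"))
        with open(os.path.join(inc, "lib", "header.hei"), "w") as f:
            f.write("<!-- constructed include file -->")
        secret = os.path.join(tmp, "secret.txt")  # stands in for a file outside
        with open(secret, "w") as f:
            f.write("constructed secret")
        os.symlink(secret, os.path.join(inc, "escape.hei"))
        return (resolve_include("lib/header.hei", [inc]) is not None,
                resolve_include("escape.hei", [inc]))
```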

There are some issues to look at in conjunction with your Web server. Make sure that nobody can download the heitml configuration file: it contains the database password, so be careful. The setup program (for PWS and MIIS) automatically takes care of this; for the other Web servers the documentation explains how. Also make sure that include directories cannot be downloaded (by keeping them out of the Web tree or by protecting them with a password). Block the example directory, since it contains some forms that should not be accessible from the outside. Finally, make sure that the debugging mode is configured correctly (see Error Handling).

Error Messages and Error Handling

When your Web site is running in production, errors sometimes occur while a user is calling one of your pages. These errors are mainly caused by programming errors in your heitml pages or by an offline or locked database (some databases need to go offline for backups, and database records can be locked when several users access the same data).

heitml produces appropriate error messages in these situations and saves debugging data for later reference. See Error Handling for details, including a description of the configuration.

Performance Issues

heitml can cache database connections when used as the Apache API version: a connection to the database is then reused across several page accesses. You have to switch on the optconn option to use database connection caching.

Use the timelimit and memlimit options to limit the memory and time that processing a single page may use. This is important, because otherwise a runaway page can tie up significant server resources.


This page was dynamically generated by the web application development tool RADpage of H.E.I. See "Was ist AJAX? " (in German). In Germany H.E.I. provides Webdesign in Mannheim and Web Programming (Programmierung).
© 1996-2024 H.E.I. All Rights Reserved.