Security Risks Associated With Local Web Servers - apache

If I set up a local server using, say, Apache or WAMP are there any associated security risks? I'm not planning on hosting or making any content "publicly accessible," I just want to set up an environment where I can learn PHP and develop using an HTML5 game engine. Sorry if this is a completely naive question; I'm just a bit confused about how server security works.

If you don't open up any ports in your router to allow for public access to your web server, then it won't add any security risks. Just installing the local web server won't do this.
On a side note, WAMP is a collection of tools that includes Apache as the web server; they are not examples of two different web servers.

Related

Is nginx needed if Express used

I have a nodeJS web application with Express running on a Digital Ocean droplet. The nodeJS application provides back-end APIs. I have two React front-ends that utilise the APIs with different domains. The front-ends can be hosted on the same server, but my developer tells me I should use another server to host the front-ends, such as Cloudflare.
I have read that nginx can enable hosting multiple sites on the same server (i.e. host my front-ends on the same server) but I am unsure if this is good practice, as I then may not be able to use Cloudflare.
In terms of security could someone tell me if I need nginx, and my options please?
Thanks

This is a way too open-ended question but I will try to answer it:

"In terms of security could someone tell me If I need nginx, and my options please?"

You will need Nginx (or Apache) in any scenario. With one server or multiple. Using Express or not. Express is only an application framework to build routes. But you still need a service that will respond to network requests. This is what Nginx and Apache do. You could avoid using Nginx but then your users would have to make the request directly to the port where you started Express. For example: http://my-site.com:3000/welcome. In terms of security it would be better to hide the port number and use an Nginx reverse proxy so that your users will only need to go to http://my-site.com/welcome.

"my developer tells me I should use another server to host the front-ends, such as cloudflare"

Cloudflare does not offer hosting services as far as I know. It does offer a CDN to host a few files but not a full site. You would need another Digital Ocean instance to do so. In a Cloudflare forum post I found: "Cloudflare is not a host. Cloudflare’s basic service is a DNS provider, where you simply point to your existing host.".

"I have read that nginX can enable hosting multiple sites on the same server"

Yes, Nginx (and Apache too) can host multiple sites. With different names or the same. As domains (www.my-backend.com, www.my-frontend.com) or subdomains (www.backend.my-site.com, www.my-site.com) on the same server.

"... but unsure if this is good practice"

Aside from whether it is a good or bad practice, I think it is very common. A few valid reasons to keep them on separate servers would be:
- Because you want the back-end API to continue to work if the front-end fails.
- Because you want to balance network traffic.
- Because you want to keep them separated.
It is definitely not a bad practice if both applications are highly related.

What is the difference between Local Server and a Web Server?

Hi, I am new to Web Services. Here is my doubt:
1) If I am hosting my website then there should be a web server which should keep my website in it; this we are also calling a server.
2) If I want to run a PHP program on my local system I should use a local server like XAMPP; this we are also calling a server.
My doubt is, for example, on my local system I have downloaded XAMPP and I am running my server-side program, but after uploading to the server, how is it working?
Also AWS, Proxy: which server is that?
All the servers are confusing a lot.

Both web servers and local servers are just computers with software installed on them. Not much more.
That said, a web server is a computer that is connected to the internet and has some kind of web server software installed on it. The most common one is HTTP server software that can serve web pages. For example, Apache and Nginx are both HTTP servers that can serve both static and dynamic web pages to browsers across the world.
Other web servers can be FTP, IRC, NTP, SMTP/IMAP/POP3 (mail servers); they are all web servers that just have different software installed on them and so they serve other purposes.
A local server is again a computer that serves a client within the local network or LAN. That means that in most cases it will not be connected to the internet, or if it is, it will be protected with a password so not everybody can access its services. It can act as a file server or LDAP server, which are roles of a typical local server, but it can also be a local web server that holds a web-based application only for the local organization. For example, a company will have a local web server with Salesforce installed on it to serve its CRM needs.
To make a long story short, both servers are just computers connected to a network. Local servers are connected to the LAN and web servers are connected to the WAN. Other than that it really depends on the software you install on them and the use you want to make of them.
If you need more clarification, leave a comment and I'll try to help.

Restricting Solr Queries to Web Application

I have an instance of Solr (not Solrcloud) installed on my server, Apache/2.4.7 (Ubuntu), and would like to use with a php web application. I have password protected the admin page, but queries can still be run remotely. I want to restrict my Solr app so that it can only be queried (both read and write) by a web application (php, with Solarium) stored on the same server. What is the best way to do this?

This is more of a server administration question, so it would be better suited on Superuser. That being said, you have a few options:
1. Make Solr listen to connections on the internal or loopback interface only. This would be 127.0.0.1 or 192.168/16 etc. In solr.in.sh, you can send a parameter to Solr to tell it which IP it should bind to: SOLR_OPTS="$SOLR_OPTS -Djetty.host=127.0.0.1"
2. Configure your firewall to only allow connections from IPs that should be able to access Solr.
3. Configure Solr Authentication and Authorization. Zookeeper is required to make this work (you'll have to be running in SolrCloud mode).
4. Unpack the bundled jetty and set up authentication there. This is not really a good idea, as it will make it harder to upgrade.
The methods suggested in 1 & 2 can also be combined with a proxying / forwarding web server that performs authentication in front of the service (using mod_proxy and friends on other httpds) if you need the service to be exposed through a non-trusted interface.
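
Added example, not part of the original answers: a Python check for the point made in the first answer on this page and in option 1 above, that a service bound only to loopback cannot be reached from other hosts. It classifies the bind address of each listening socket in `ss -ltnH` output; the sample lines and function names are constructed for illustration, and 8983 is Solr's default port.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output on Linux (not from the original page).
SAMPLE_SS = """\
LISTEN 0 511  127.0.0.1:80       0.0.0.0:*
LISTEN 0 50   *:8983             *:*
LISTEN 0 128  192.168.1.20:3000  0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0 128  [::1]:5432         [::]:*
LISTEN 0 128  [::]:22            [::]:*
"""

def classify(addr):
    """Return the exposure scope of one bind address as printed by ss."""
    addr = addr.split("%")[0].strip("[]")  # drop interface suffix, IPv6 brackets
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                  # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:                     # 127.0.0.0/8 or ::1
        return "loopback"
    if ip.is_private:                      # RFC 1918, link-local and similar
        return "lan"
    return "public"

def listeners(ss_output):
    """Return [(port, scope)] for every LISTEN line."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # Local Address:Port column
        found.append((int(port), classify(host)))
    return found

def exposed(ss_output):
    """Listeners reachable from other machines, i.e. not loopback-only."""
    return sorted(item for item in listeners(ss_output) if item[1] != "loopback")

if __name__ == "__main__":
    for port, scope in exposed(SAMPLE_SS):
        print(f"port {port} is bound to {scope}")
```

On a live host, pass the text printed by `ss -ltnH` to `exposed()`; a Solr instance started with `-Djetty.host=127.0.0.1` should no longer appear in the result.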

Hosting Slim Framework Rest API in Windows

I created an API using the Slim framework, but the services are not accessible to the public as they are limited to localhost. How do I host the services on a realtime server, so that they can be accessible from anywhere?
Please, someone help me.

This question requires more detail in order to answer properly.
If you are hosting your API on a Windows server, then it is likely you have configured some kind of "WAMP" stack, correct? Or maybe serving PHP through IIS? These are important questions because we need to know what port you have bound your web application server to, which leads us to the next question...
Where are you hosting the server which is running the application which is bound to what port?
Ultimately, a public, external IP will need to be either:
a. NAT'ed to the internal IP of your web server instance
b. Port-forwarded to the internal IP of the server running your web application
Still, we are making a lot of assumptions here because getting a web application "accessible from anywhere" will require different work depending on your environment.
Here is the most basic example:
You are at home, running this API on your Windows workstation and would like to be able to hit it from a remote location.
1. Ensure Windows firewall allows inbound traffic to the port on which your application is running (probably port 80/HTTP, maybe 443/HTTPS).
2. Log into your ISP's router and configure port-forwarding to ensure inbound traffic on, say, port 80, is routed to the internal IP of the workstation running the API.
That's all there is to it.
Keep in mind that this also assumes that your ISP even allows you to expose your own web server to the internet on port 80 (or 443). Also, since we know nothing about your environment, this is all pure conjecture. Please provide more information if you would like a real answer.

The most traditional way to host Slim Framework would be through Apache. Install Apache and be sure you have the proper network settings to allow inbound connections, but more information about your setup could be needed for proper guidance.
http://httpd.apache.org/docs/2.4/platform/windows.html
When Apache is installed and working, you need to set Rewrite rules on the URL; information on that can be found on http://docs.slimframework.com/routing/rewrite/.
Your question is on the verge of off topic, it probably is, but read up on what questions can be asked and not, here on Stackoverflow. Hope I could help.

websockets apache server compatibility

I want to make an app that displays new data whenever they arrive inside a folder via XML. I want to use HTML5 web sockets but I am confused about how it should be done. I am using XAMPP on my machine for development. Do I have to install another server to use websockets? Is Apache as it is compatible, and if yes, how do I make the connection with the client? Thank you in advance.

Your options are:
- Use something like mod_websocket, as pointed out by Phillip Kovalev. Or pywebsocket. You could also try PHP WebSocket.
- Use a dedicated self-hosted realtime web technology for realtime communication between server and client. If you do this you'll also need to define a way of application to realtime web server communications, normally achieved through message queues.
- Use a hosted realtime web solution and offload the realtime push aspect of your application.
There are concerns about using Apache with this type of technology since this technology maintains long-running persistent connections between the server and client and Apache isn't known to be too great at this. So, the best solution may be to:
- Go with a 2nd dedicated realtime web server in conjunction with using Apache as your application server
- Use a self-hosted realtime web server that has the ability to handle many concurrent connections
- Use a hosted service along with your Apache application server.
If you don't expect many concurrent connections or if you are just trying out the technology then it's possible that Apache alone will be all you need.

Look at mod_websocket. It supports the latest protocol version, which is commonly implemented by browser vendors.