HTTProtect ISP Edition Frequently Asked Questions for ISPs

Q: How do I uninstall this product?
A:
Use the /usr/sbin/http_uninstall command. If any virtual hosts are still under protection, it will print "Please remove virtualhost in GUI firstly" and stop the uninstall. Go to HTTProtect Tools in the ISP GUI, choose the "Virtual Host" icon and remove all the protected virtual hosts. Then run /usr/sbin/http_uninstall again to remove the HTTProtect software. This will allow you to re-use the old virtual host content if you later decide to add it for protection again.

Q: How do I update my expired HTTProtect evaluation copy?
A:
HTTProtect can be updated from an expired evaluation copy to a licensed one without re-installing the software or rebooting the server. As root, the server's system administrator issues the following command:

/lib/vpdisk/vpdadmin activate <License #> <Key>

Q: How do I upgrade HTTProtect package?
A:
HTTProtect may be upgraded without a reboot. Run setup.sh (or the install shar script); it will detect whether the VPDisk in the HTTProtect package is newer than the one currently on your server. If the VPDisk in the newer HTTProtect package has not been updated, you do not need to remove the VPDisk, and the upgrade will not require a system reboot. See the excerpt from the install log below for details:

...
You are installing the same version of VPDisk as currently
in your system, Please enter n to bypass VPDisk removal below.

Checking system configuration ... please wait ...

An existing VPDisk package is installed and running.
You must remove the package and reboot before installing
this new VPDisk package.

Would you like to do so now? [Y]n

Q: How do I protect or un-protect a directory on my Web server?
A:
HTTProtect is designed to protect the web site on a web server. If you are using Apache, the Apache-related directories (Webserver Root, HTML Document Root, CGI Root, Conf Root and Modules Root) are automatically protected after installation. After logging into the HTTProtect web admin GUI, protection is done by clicking on the lock icon under the "size" row of the File Manager. A directory is protected if a closed lock icon is shown, while an open lock icon indicates that a directory is not protected.

Q: How do I set the HTML Root path to a different path than the default HTML Root path in Apache?
A:
If Apache is used as your web server, you should update the httpd.conf file under the Apache directory. Change the DocumentRoot according to the HTML Root path currently used for your homepage. During installation of HTTProtect, you need to update only the HTML Document Root accordingly and leave the rest of the Apache directories untouched. This will protect your homepage. If you do not have Apache, you can install it from our CD. Once you have Apache installed, you can update httpd.conf accordingly. Apache needs to be restarted whenever httpd.conf is modified.

Q: How do I restart Apache?
A:
Use the "apachectl" command as shown below:
On Solaris 8 systems:
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl start
On Linux 2.4 systems:
/usr/sbin/apachectl stop
/usr/sbin/apachectl start

Q: What is the lock_list? How do I protect my system commands?
A:
Some system directories are or can be hardened by HTTProtect after initial installation. The list of hardened directories is located in /etc/omnisecure/lock_list. Following is a sample of the lock_list file.

/usr/local;node;firm
/sbin;tree;firm+

For each line entry, the 1st argument is the directory to be hardened. The 2nd argument is the node or tree. And the 3rd argument is 'firm' for node and 'firm+' for tree. In this example, the first line indicates that the directory, /usr/local, is locked at the node with a firm lock. The second line shows that the directory tree within /sbin is locked with the firm+ lock. Type man omnish for argument usage.

CAUTION: On the initial installation of HTTProtect software, the default lock_list is placed under /etc/omnisecure directory. Your system administrator needs to update the lock_list manually and harden it.

Q: How do I harden and/or un-harden a directory on the server?
A:
System hardening on the web server is done through the file called lock_list. To do hardening/unhardening, one needs to update the lock_list file. This must be performed within the sys admin interface, /bin/omnish. Execute the following command after the lock_list is modified for the new hardening to take effect:

Hardening: omnish -h
Un-hardening: omnish -u

CAUTION: The lock_list is used for system directory hardening only. Web-related directory protection should be done in the GUI.
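
A pre-flight check for the lock_list format described above, to run before omnish -h. This is an added example, not HTTProtect code; it assumes that only the two entry forms shown in this FAQ (node with firm, tree with firm+) are valid, and the function name check_lock_list and the sample entries are constructed for illustration.

```shell
# Added example (not HTTProtect code). Assumption: only the two entry forms
# shown in this FAQ are valid: <absolute dir>;node;firm and <absolute dir>;tree;firm+

# check_lock_list: reads lock_list text on stdin, prints one line per problem,
# returns 0 when every entry is well formed and 1 otherwise.
check_lock_list() {
    awk -F';' '
        /^[ \t]*$/ { next }                       # ignore blank lines
        NF != 3 {
            printf "line %d: expected dir;scope;lock, got %d field(s)\n", NR, NF
            bad = 1; next
        }
        $1 !~ /^\// {
            printf "line %d: directory is not an absolute path: %s\n", NR, $1
            bad = 1; next
        }
        !(($2 == "node" && $3 == "firm") || ($2 == "tree" && $3 == "firm+")) {
            printf "line %d: scope/lock mismatch: %s;%s\n", NR, $2, $3
            bad = 1; next
        }
        seen[$1]++ {                              # same directory listed twice
            printf "line %d: duplicate entry for %s\n", NR, $1
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the two FAQ entries followed by three faulty lines.
sample='/usr/local;node;firm
/sbin;tree;firm+
/usr/bin;tree;firm
etc/cron.d;node;firm
/sbin;tree;firm+'

if printf '%s\n' "$sample" | check_lock_list; then
    echo "lock_list OK: apply with omnish -h"
else
    echo "lock_list has errors: fix them before running omnish -h"
fi
```

On a live system, feed it the real file: check_lock_list < /etc/omnisecure/lock_list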

Q: How do I change my "omnish" pass phrase?
A:
Type: omnish -c

Q: What if I forgot my "omnish" pass phrase?
A:
It is not possible to recover the existing omnish pass phrase. However, it can be reset to re-create a new one. This method can be used to recover a system if the pass phrase is lost. Following is the procedure:

  • Reboot the server into single user mode:
    On Solaris systems, hit the Stop key along with the A key to halt the server, then type boot -s at the OK prompt.
    On Linux systems, type shutdown -r now, then type linux single at the LILO prompt.
  • Remove the old HTTProtect sys admin id file:
    On the command line type rm /etc/omnisecure/.vpdlock
  • Re-boot the system:
    On Solaris systems, type boot on the command line.
    On Linux systems, type shutdown -r now
  • Initialize new password:
    On the command line execute omnish and you will be prompted to set up a new password.

Q: What if I set a different HTML root path during installation than that in the httpd.conf file?
A:
Your HTTProtect GUI will have icons missing. The DocumentRoot path in httpd.conf file MUST be the same as the one that you enter at the "Enter document root" prompt during installation. You may re-install the product to correct an incorrect entry.

Q: Does this product have SMP support?
A:
No, it only supports a single CPU.

Q: What can HTTProtect not do?
A:
HTTProtect is designed to protect the web contents of the ISP and its Virtual Hosts. It is the ISP admin's responsibility to make sure the correct files and directory paths are set and the network interfaces are up. HTTProtect does not have the capability to configure these items.

Q: How do I support ~userid/public_html?
A:
Below is a sample configuration of /etc/httpd/conf/httpd.conf:

<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).

#
#UserDir disable

#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
UserDir public_html
</IfModule>

<Directory /home/*/public_html>

AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>

<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

ScriptAliasMatch ^/~([^/]*?)/cgi-bin/(.*) "/home/$1/cgi-bin/$2"

NOTES:

  1. "userid" account must already exist and have permission of 711.
  2. The public_html and cgi-bin directories under "userid" account must have permission of 755.
  3. When the ISP admin adds Virtual Host for "userid", the Virtual Host Name should use "userid" not "~userid".
  4. After ISP admin has added this "userid" account, the account owner can then register for web content protection at http://YYY/~userid/cgi-bin/httprotect/httprotect (where YYY is the ISP Server that hosts "userid" account).

Q: How do I set up the Virtual Host with shared IP?
A:
Below is a sample configuration of /etc/httpd/conf/httpd.conf:

#ISP IP also shared with Vhost1 and Vhost2:

NameVirtualHost 60.186.154.41

#ISP:
<VirtualHost 60.186.154.41>
DocumentRoot /var/www.serviceprovider.com/html
ServerName www.serviceprovider.com

ScriptAlias /cgi-bin/ "/var/www.serviceprovider.com/cgi-bin/"
ErrorLog logs/www.serviceprovider.com-error_log
</VirtualHost>

<Directory "/var/www.serviceprovider.com/cgi-bin">
AllowOverride None

Options None
Order allow,deny
Allow from all
</Directory>

#Vhost1

<VirtualHost 60.186.154.41>
DocumentRoot /var/www.company1.com/html
ServerName www.company1.com
ScriptAlias /cgi-bin/ "/var/www.company1.com/cgi-bin/"
ErrorLog logs/www.company1.com-error_log
CustomLog logs/www.company1.com-access_log combined

</VirtualHost>

#Vhost2
<VirtualHost 60.186.154.41>
DocumentRoot /var/www.company2.com/html
ServerName www.company2.com

ScriptAlias /cgi-bin/ "/var/www.company2.com/cgi-bin/"
ErrorLog logs/www.company2.com-error_log
CustomLog logs/www.company2.com-access_log combined
</VirtualHost>

The /etc/hosts file or DNS server should be updated accordingly to view the virtual hosts. For example:

127.0.0.1 www.serviceprovider.com localhost
127.0.0.1 www.company1.com www.company2.com

Register the VH at http://www.company#.com/cgi-bin/httprotect/httprotect.
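
A lint for the virtual host layout above, as an added example that is not part of the product or its documentation. It flags a <VirtualHost> with no DocumentRoot and a ScriptAlias target that no <Directory> block names, which is how a misspelled <Directory> path shows up. The function name lint_vhosts and the sample text are constructed for illustration.

```shell
# Added example (not HTTProtect code): lint httpd.conf text read on stdin.
# Prints one sorted line per finding; no output means nothing was flagged.
lint_vhosts() {
    awk '
        function path(s) {      # drop a closing ">", quotes and a trailing slash
            sub(/>$/, "", s); gsub(/"/, "", s); sub(/\/$/, "", s)
            return s
        }
        { key = tolower($1) }                     # directive names ignore case
        key == "" || key ~ /^#/ { next }          # blank lines and comments
        key ~ /^<virtualhost/   { name = "(unnamed)"; root = ""; next }
        key ~ /^<\/virtualhost/ {
            if (root == "") print name ": no DocumentRoot"
            next
        }
        key == "<directory"     { dirs[path($2)] = 1; next }
        key == "servername"     { name = $2 }
        key == "documentroot"   { root = path($2) }
        key == "scriptalias"    { cgi[path($3)] = name }
        END {
            for (p in cgi) if (!(p in dirs))
                print cgi[p] ": ScriptAlias target " p " has no <Directory> block"
        }
    ' | sort
}

# Constructed sample modelled on the FAQ layout; the <Directory> path is
# misspelled on purpose so that it does not cover the ScriptAlias target.
conf='<VirtualHost 60.186.154.41>
DocumentRoot /var/www.serviceprovider.com/html
ServerName www.serviceprovider.com
ScriptAlias /cgi-bin/ "/var/www.serviceprovider.com/cgi-bin/"
</VirtualHost>
<Directory "/var/www.service.provider.com/cgi-bin">
AllowOverride None
Options None
</Directory>'

printf '%s\n' "$conf" | lint_vhosts
```

A CGI directory that no <Directory> block names takes its AllowOverride and Options from whatever broader block applies, so the "AllowOverride None" and "Options None" lines meant for it never take effect.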

Q: How do I set up a Virtual Host with separate IPs?
A:
Below is a sample configuration from /etc/httpd/conf/httpd.conf:

#ISP IP:
NameVirtualHost 60.186.154.41

#Separate VH IP:
NameVirtualHost 60.186.154.57
NameVirtualHost 60.186.154.58

#ISP:
<VirtualHost 60.186.154.41>
DocumentRoot /var/www.serviceprovider.com/html
ServerName www.serviceprovider.com
ScriptAlias /cgi-bin/ "/var/www.serviceprovider.com/cgi-bin/"
ErrorLog logs/www.serviceprovider.com-error_log
</VirtualHost>

<Directory "/var/www.serviceprovider.com/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

#Vhost1
<VirtualHost 60.186.154.57>
DocumentRoot /var/www.company1.com/html
ServerName www.company1.com
ScriptAlias /cgi-bin/ "/var/www.company1.com/cgi-bin/"

ErrorLog logs/www.company1.com-error_log
CustomLog logs/www.company1.com-access_log combined
</VirtualHost>

#Vhost2
<VirtualHost 60.186.154.58>

DocumentRoot /var/www.company2.com/html
ServerName www.company2.com
ScriptAlias /cgi-bin/ "/var/www.company2.com/cgi-bin/"
ErrorLog logs/www.company2.com-error_log
CustomLog logs/www.company2.com-access_log combined
</VirtualHost>

The appropriate hostname needs to be set in the hostname file for each interface (in this case eth0):

 /etc/hostname.eth0
 /etc/hostname.eth0:1
 /etc/hostname.eth0:2

With "www.serviceprovider.com" in /etc/hostname.eth0,
"www.company1.com" in /etc/hostname.eth0:1 and
"www.company2.com" in /etc/hostname.eth0:2.