8.0 Some notes on WWW servers and WWW proxy servers

By: Kurt Seifried, [email protected], Copyright Kurt Seifried, 2001


There are many different webservers, all supporting the same basic functionality (that is to say making information available via HTTP and the HTTPS protocols). Some webserver products however have quirks, or additional features that may be of use when conducting web based authentication.



8.1 Apache based

Apache is one of the more popular web servers, with over 50% of the market in non-secure web serving and a good chunk of the secure market. There are a variety of non-commercial and commercial based Apache servers capable of secure webserving (generally the non-commercial ones cannot legally be used in the USA due to the RSA patent). Apache has a large number of features to help handle user sessions and otherwise track them using Perl, Java servlets and other methods. The following is a list of URL's covering the various techniques:




8.1.1 Apache-SSL

Apache-SSL has no substantial authentication features not included in the standard Apache.


8.1.2 Apache mod-ssl

Apache mod-ssl has no substantial authentication features not included in the standard Apache.


8.1.3 Raven

Raven has no substantial authentication features not included in the standard Apache.


8.1.4 Red Hat Secure Server

Red Hat Secure Server was originally based on Apache and had no substantial authentication features not included in the standard Apache.


Red Hat purchased Stronghold and has phased out this product.

8.1.5 Stronghold

Stronghold has no substantial authentication features not included in the standard Apache.


Stronghold was purchased by Red Hat.

8.2 Netscape

8.2.1 Netscape Enterprise


8.3 Roxen

Roxen supports setting a user session cookie (configured through the www interface on a per virtual server basis). Roxen also has RXML, a very powerful scripting language that has features to track the user through a session. Roxen has several excellent PDF documents on these features at their website (click on Documentation).


8.4 Zeus

Zeus has a distributed authentication and content module that allows you to host authentication and / or content on another machine. The authentication portion is a rather a simple protocol which send the name, password, a cookie, and so on, and receives a reply either specifying that the user is allowed in, not allowed in, or tell the user that they need to put a password in. An example server is given in Perl (about 100 lines of code, not to tricky) which reads authorization data from a text file, however you could write one that uses a MySQL database for example. To read the documentation on this feature either open up the help on the initial page and go to the "Documentation index", then choose "Web Server", "Modules", "distributed", or go to a server configuration page, choose modules, then "distributed" and the documentation page will be available also.


Zeus can also use any Java servlets written for Apache Jserv "out of the box". So the following items should work with no particular problems:



8.5 Novell

Novell uses Netscape FastTrack server for their web serving requirement, and with Novell 5.1 they ship IBM WebSphere Application Server 3.0 for NetWare, Standard Edition.


8.5.1 Novell BorderManager

No notes yet.


8.5.2 Novell ICS

No notes yet.


Novell ICS has been split off as part of a new company called Volera.

8.6 IBM Websphere

No notes yet.


8.7 Volera

No notes yet.


Volera is a combination of Novell ICS and other technology from Nortel and Accenture.

8.8 Squid

No notes yet



8.9 Achilles

Achilles proxies HTTP SSL connections allowing you to easily examine and modify the contents of an "encrypted" session. It is very useful for testing online authentication systems over HTTP SSL to see exactly what is going on.



[ Index | Back | Next ]