Bosco is a computer program built to operate as a web server for Windows
operating systems. Bosco is logically equivalent to the Microsoft Internet
Information Server (IIS) and other servers such as Apache.
A good question would be: why create yet another web server? After all the IIS and Apache are competent, full featured server implementations. The answer is simple. Well, actually, simplicity and reliability is the answer. Bosco's design and implementation was kept simple so the possibility of security problems would be minimal. Bosco is built to resist hacker break-in attempts. Additionally, Bosco's setup and operation were designed to be simple. Simple configuration settings minimize the chance that a Bosco installation will be accidentally setup in an insecure manner. As with any web server, Bosco can be made insecure by using inappropriate configuration settings. Bosco's setup is clear and concise to help prevent configuration errors. As for the question, why is it named Bosco? Well, that was the name of a programming project I had started long ago and never finished. "BOSCO" was kind of acronym for the project's function. I have no clue now how I came up with that as it makes no sense to me now. When I started building a web server, I recycled that old project directory. That's how Bosco got its name. |
|
Bosco's setup is simple. Setting up Bosco for the first time should take no more
than a few minutes. The steps are:
1. Unzip the Bosco FilesBosco is distributed as a ZIP file. This file contains the Bosco server executable, example configuration files, and some "readme" files to help you get started. Use PKUNZIP or WINZIP to decompress the files into a convenient directory. If this is the initial setup of Bosco, I would recommend you create a separate directory for Bosco. The name of the directory does not really matter but I suggest you use the name "bosco". (i.e. c:\bosco). The three files you are really interested in are "bosco.exe", the server program, "bosco.conf", the configuration file, and "mime.conf", the HTTP mime type definitions. You will be editing the contents of "bosco.conf" to configure your Bosco installation. Bosco configuration entries are discussed in detail below. You will probably not need to edit "mime.conf". 2. Verify Directory ConfigurationBosco may be installed in just about any directory though using something simple like "c:\bosco" is probably a better choice. The two configuration files, "bosco.conf" and "mime.conf" must be placed in the same directory as "bosco.exe". Additionally, there must be three subdirectories created in that directory. They are named "logs" "sec" and "temp". An example directory layout might be: C:\ (The root directory) The "logs" subdirectory is where Bosco creates its log files. There are two log files: "access.log" for logging access to files and "error.log" for logging operational errors. Logs are discussed in more detail below. 3. Edit the "bosco.conf" Configuration FileBosco's configuration file, "bosco.conf" is an ASCII text file that may be edited with any convenient text editor such as "notepad". A complex configuration is typically contains only about 15 or 20 entries, one text line per entry. The minimum configuration file content that may be used is 3 entries. As an example, assume your web server is named "www.myservice.com" and your web pages are stored in your "c:\web" directory: ServiceName = www.myservice.com Directory Path = c:\web The above example will work just fine but there are a couple things you might want to add such as defining what file should be returned by default if no filename is specified in the request, and maybe whether you want to allow access to files that are in subdirectories of "c:\web". These and many other available features are discussed below. 4. Start the Bosco ServerStarting Bosco is simple too. Open a DOS console window. Change directory to to where you installed "bosco.exe". That would be the "c:\bosco" directory in the example above. Type the following command at the DOS prompt: bosco Bosco will attempt to start. Progress messages will be written to the screen. If some error prevents Bosco from successfully starting, information about that error will be written before Bosco aborts the startup. You may also examine Bosco's startup messages to verify that your configuration file settings are properly interpreted. Critical internal operational errors will be written to the console screen. Web request access and error logging will also to be written to "access.log" and "error.log". Stopping Bosco is done by hitting Control C. (i.e. holding down the "Ctrl" key and tapping the "C" key.) |
One of the more important targets in Bosco's design was operational simplicity.
No matter how robust the program code inside Bosco might be, service security
can be compromised by configuration errors. Making configuration of Bosco
simple, succinct, and clear is critical.
Bosco uses two configuration files: "bosco.conf" and "mime.conf". Both of these files consist of sequences of ASCII text lines. Of these two, "bosco.conf" is probably the only file you will need to work with. "mime.conf" provides entries for a simple table that equates file extensions with HTTP mime data types. "bosco.conf" consists of main sections: service wide definitions, and file directory specific definitions. Service Wide DefinitionsThe service wide configuration definitions are placed in the "bosco.conf" before any directory specific definitions. The service wide configuration items are:
These entries are discussed in detail below. Notice that only "ServiceName" need be supplied. The remaining values default to safe values. Note: Most of the directory specific configuration entries may also be placed in the service wide configuration area also. When this is done, the values supplied will be used globally for all directories defined later in the file unless overridden by entries in individual directory definitions. Directory Specific DefinitionsEach directory served by Bosco must be defined in "bosco.conf". A directory definition begins with a text line with the single word "Directory". The values associated with that directory follow that line and apply to that single directory until another "Directory" line occurs. The directory specific configuration entries are:
These entries are discussed in the sections below. Note: All of the directory specific entries except for "Path" and "Name" may be used in the service wide section of "bosco.conf". Entry FormatAll "bosco.conf" entry lines with the exception of the "Directory" line, use the following format:
For example, the path entry for a directory would be written as:
The example above describes the physical path for the virtual directory being defined as being as "c:\web". Comment LinesComment lines may be used in "bosco.conf". Comment lines are denoted by beginning them with a "#" (pound sign) character. Any text line in this file that begins with the "#" character will be ignored by Bosco. |
Web sites which serve just a single directory of web pages and images can be
described with just four configuration entries. From the site wide group of
entries, we must supply the "Name" entry. We must supply a line
containing the single word "Directory" to tell Bosco to define our
default directory. We must then supply a "Path" entry to tell
Bosco what physical directory to serve. Though it is not required, we should
also define a default file to be returned to users that access the web site
using just the service name and no filename.
The "bosco.conf" file would contain the following lines: ServiceName = www.myservice.com Directory Path = c:\web DefaultFile = index.htm Of course, you would substitute the real name of your server, the real directory name, and the real default filename. |
This section contain entries that are service wide in scope:
|
A simple Bosco installation actually needs only one directory defined. That directory is the site's default file directory. It is common, however, for sites to have additional directories defined to allow separating HTML web pages, images, and CGI scripts into separate directories with different permissions and attributes. Files served by a web server are referenced not only by name but by which file directory they reside in. The obvious exception, of course, is for the default directory. Most web sites are set up to provide access to some default directory if no directory path was supplied in the Browser's URL line. In most cases, web directories are set up provided a default file if none is specifically requested. That is to say, supplying a browser with a URL that reads "http://www.ibm.com" will typically cause IBM's main web site to return the contents of some welcoming page from a default file directory. File directories in Bosco, as with essentially all other web servers, are "virtual" directories. That is, the names of these directories when used in URLs have little or no relationship to their physical location or name in the server. For instance, a file with a URL like "http://www.microsoft.com/images/logo.gif" might actually correspond to "c:\default_site\corporate_images\logo.gif" There is one unique case for directory naming. Your default directory configuration will have a "Path" entry but will not have a "Name" entry. That is how Bosco determines that a default directory is being defined. All other virtual directories must have both a "Path" entry and a "Name" entry. Remember that a directory definition begins with a text line with the single word "Directory". The values associated with that directory follow that line and apply to that single directory until another "Directory" line occurs.
|
By default, Bosco logs all requests received and all errors it detects. Requests
are logged in a file named "access.log". Errors are logged in a file
named "error.log". Both files may be found in the Bosco
"logs" subdirectory.
A common problem encountered with busy web sites is that the volume of log entries is so high that it is difficult to distill useful information from them. Bosco includes provisions for eliminating the logging of selected events if desired. This may be done on a directory-by-directory basis. You may disable logging of requests for files in a directory or just image files in a directory. You may disable logging of errors or just "404 - Object not found" errors.
|
One of the prime reasons for developing Bosco was to defend a web site from hacker attacks. Bosco achieves most of its robustness by remaining simple internally. Servers like Apache and Microsoft's IIS support so many features that it is difficult for their developers to avoid all possible security leaks. Many of the challenges faced by those developers simply do not exist in Bosco. There are also adjustable security features in Bosco. You may enable or disable access to subdirectories in directories you define. You may enable or disable returning a listing of a directory's contents in response to requests. Bosco also allows you to limit access to directories based upon User ID, Password checks. Each directory may have its own private user list. User lists may be shared between two or more directories. (A directory may have only one list, however.) The user lists consist of simple ASCII text files with comma separated user ID, password pairs on each line. These files are kept in human readable text form. They are not encrypted so are easy to edit and maintain. Using unencrypted security files may seem at first like a security problem. The fact, though, is that if a hacker can get hold of an encrypted security file from a web server, he can usually decode one or more of the entries in a very short period of time. Only very complex (and slow running) encryption schemes would thwart this kind of attack. Bosco takes a different tack. Bosco leaves its security files unencrypted but makes it easy to keep hackers from ever having access to these files. Bosco's internal coding is specifically built to avoid allowing access to the contents of directories not explicitly enabled in the "bosco.conf" configuration file. Unless you specifically define the Bosco "sec" directory for access or give subdirectory access permission to a directory that includes "sec" as a subdirectory, hackers will not be able get to these files.
|
CGI or Common Gateway Interface is a way in extend the functionality of a web server. Bosco recognizes two kinds of CGI extensions. The first is an executable program, typically a compiled C language program. This kind of extension has the normal Microsoft executable file extension, ".exe". When requested, Bosco runs this kind of CGI extension directly. The second kind of CGI recognized is what is typically called a "script" file. Script files are typically text files containing program code written in an interpreted language such as Perl or PHP. To handle this kind of CGI extension, you must supply the fully qualified path to an interpreter for that language in the "SetExtension" entry described below. Bosco's CGI operations are fully buffered. That is, CGI input and output is passed via intermediate files. This blocks the path of the vast majority of web site break-ins. A CGI program cannot be exploited to provide a open connection between a hacker's computer and Bosco's computer. Using intermediate files for handling CGI program input and output does not, however, assure service security. Both directly executable and script CGI extensions contain active program code that could, itself, perform operations that compromise service security. If CGI extensions are to be used, they should be obtained from only professional and trustworthy sources. Amateur programmers often do not understand security issues adequately to recognize when they have create a security problem in their code.
|
ISAPI (Internet Server Application Programming Interface) is a Microsoft specific web server extension mechanism. CGI programs and scripts are executed each time a request for one arrives. Between requests, there is no connection between the web server and the CGI program or script. This kind of operation is typically adequate for most business web applications. ISAPI service extensions, on the other hand, directly connect into the internal code of the server. This is accomplished by use of Microsoft operating system Dynamic Link Library (DLL) mechanism. ISAPI extensions are connected to they web server via an operating system LoadLibrary system call. Incoming requests are passed to the ISAPI extension using direct subroutine calls. In general, overall performance and usage by web browsers are equivalent when comparing CGI and ISAPI server extensions. ISAPI does, however, allow for somewhat more complex extensions to be built. This is primarily because ISAPI extensions are not unloaded between web requests. ISAPI service extensions are not nearly as safe to use as CGI extensions. An ISAPI extension is running as if it was an integral part of the server's program code. A programming error in an ISAPI extension can easily crash the entire server. A program crash in a CGI will have no effect the server other than to cause it to return an error message to the browser that made the request. USE ISAPI EXTENSION WITH EXTREME CAUTION! Configuring ISAPI operation is essentially the same as configuring CGI operation. Bosco does not allow ad-hoc ISAPI operation. All ISAPI extension used by Bosco must be explicitly defined in "bosco.conf". They are defined using an "SetExtension" entry. Bosco will attempt to load the specified extension when it starts up. If the ISAPI DLL specified does not exist or it does not respond to ISAPI specific requests, startup will be aborted. Bosco keeps its ISAPI DLL extensions loaded until it shuts down. The ISAPI configuration entries shown below are really just a repeat of those shown for CGI extensions above. They are shown here for constancy.
|
Keep in mind that Bosco is intended to be a reliable web server that is a simple to install and simple to manage. It is not intended to provide all of the functionality needed for very large and complex web server installations. Bosco should only be considered for use in installations where only a few thousand files will be served and no more than a few hundred users are expected to be using it at any given instant. Four small to medium sized businesses, Bosco should be more than adequate. One of the more important things to do while configuring a Bosco installation is to keep it simple. Don't create any more virtual directories than you actually need. It is not necessary to create a complex configuration to start with. Simply add whatever new directories or other feature you need, when you actually need it. Stop and restart Bosco to make those changes take effect. Bosco's configuration entries are so simple that it is quite easy to avoid making changes that damage previously existing functionality. Finally, I make no apology for limiting the functionality of Bosco. I saw no reason to create a competitor to Apache. That is a very competent server and it is free. It is, however, not simple to install or configure. There are books written and sold to teach people what to edit in the Apache configuration file to get it to do what they want. Instead, I chose to create something that is solid, reliable, simple to configure, and simple to use. Enjoy |