Introduction: In the following example I try to set environment variables according to the incoming request’s ‘HTTP_HOST’ value. The following example pertains to Magento Webshop software which offers a different Store view for every domain configured to land in the main store. Prerequisites: – Magento has been configured, apart from its default Store View, to …
Category: Apache
Apache 1.3 and 2.x Tips and tricks
Installing the missing mcrypt module for PHP 7.2
Introduction: Because the mcrypt module for PHP has not been maintained for about 10 years, the PHP team has decided to drop it from PHP version 7.2 on. For PHP applications that need this module here are the instructions to compile and install it for PHP 7.2. Reference: https://lukasmestan.com/install-mcrypt-extension-in-php7-2/ STEPS: We need to …
Install CERTBOT in Ubuntu-16-04-xenial and Debian Stretch
Intro: Here is a 1-to-1 copy of the article on how to install certbot in Ubuntu 16.04 and Debian Stretch Ubuntu 16.04 HOWTO: Install On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you’ll need to do is apt-get the following packages. $ sudo apt-get …
Configuring Letsencrypt in ISPConfig 3.1
Intro: For a while now the wonderful idea of creating the service Letsencrypt has made lots of admins happy. Here is how we can also use Letsencrypt with ISPConfig 3.1. Ref: https://www.howtoforge.com/community/threads/ssl-how-to-for-ispconfig-3-with-letsencrypt.74738/ STEPS: Define ISPconfig to use the new SSL certificate with symbolic links. (If you don’t know how to use symbolic links this how-to …
Verifying PHP syntax.
After an upgrade from php 5.6 to 7.0/7.1 many php scripts gave me trouble. So I looked for a way to test the php syntax before errors showed up later when the sites are live. I found this one which is quite helpful: find . -name "*.php" -exec php -l {} \; 1>/dev/null
piwik: Could not open input file: ./console
Introduction: In order to know the location of the visits your website received before you started using Piwik with GeoIP you need to run a command. The reference to this command is at: https://piwik.org/faq/how-to/faq_167/ Problem: Unfortunately after having logged in as root in the server this command gave me the following error: Could not open …
Hardening the SSL security in Apache, Dovecot and Postfix
Introduction: After having gotten a report from OpenVAS that the SSL security level of my mail server was medium, I looked for ways to improve this. I found very good sites which helped me make these improvements: https://weakdh.org/sysadmin.html https://wiki.dovecot.org/SSL/DovecotConfiguration applied-crypto-hardening.pdf Based on this site and extending to cover dovecot mail service here …
Installing TeamPass in Debian Jessie
Introduction: TeamPass is a very good Web application which can securely store passwords for a single person or teams. Here are the steps I used to install it in Debian Jessie. These instructions can also be used with no or minimal changes to install TeamPass in other Debian or Ubuntu systems. These instructions are partly based …
Upgrading Apache2 from Debian Wheezy to Jessie
Introduction: As I tried to make a full distribution upgrade from Wheezy to Jessie the upgrade of Apache2 didn’t go well at all: dpkg kept coming up with dependencies errors and post-install scripts errors. Unfortunately I don’t have a sample of these errors here. Since I had to dist-upgrade over 30 servers of the same …
Upgrading php from 5.4 to 5.6 in Debian Wheezy
In order to upgrade PHP from 5.4 to 5.6 we need to use the DOTDEB repositories by which many other packages will also be upgraded. Here are the steps. References: https://www.dotdeb.org/instructions/ STEPS: Edit the file /etc/apt/sources.list and add the following lines: deb http://packages.dotdeb.org wheezy all deb-src http://packages.dotdeb.org wheezy all deb http://packages.dotdeb.org wheezy-php56-zts all deb-src http://packages.dotdeb.org …
Activating SPDY in Apache 2.4 (Ubuntu 14.04)
SPDY is a new protocol created by Google and given to the Apache Foundation which allows faster Web traffic under SSL. Apache 2.4 is SPDY capable but its module is not included in Ubuntu 14.04 LTS Server. Here are some instructions that allow you to get, install and enable the SPDY feature for Apache 2.4 under Ubuntu …
Using HTTPS as proxy backend in Apache 2.4
Introduction: In Apache 2.4 in a Vhost in order to be able to proxy to a backend with HTTPS using either a self-signed or expired certificate on the backend we need to include the following directives: SSLProxyEngine on SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off You also need to enable the required Apache2 modules …
Testing SSL Connections with SSLyze, Nmap or OpenSSL
Introduction: OpenSSL is a great tool to check SSL connections to servers. The difficulty here is when one wants a full scan of all possible SSL ciphers and protocols used by a server. That is where SSLyze comes in handy. This tool is a Python script which will scan the target host/port for SSL handshake …
Issue free and CA signed SSL certificates for web servers from LetsEncrypt
Introduction: SSL Certificates provide two functions: 1. Authentication 2. Encryption Encryption can be achieved without authentication but, for some reason, someone decided to join them together in one certificate. It seems to make sense for banks and serious e-commerce sites which need to be properly authenticated. Therefore when the HTTPS protocol got developed it was …
Creating a web certificate CSR file.
The process of buying an SSL certificate for a web site is usually as follows: – You create a secret key and CSR files using the method shown in this post. – You cut and paste the content of the CSR file into a field in an SSL vendor web site – The SSL vendor …
Configuring HAproxy load balancer in Ubuntu 14.04
Goal: In this example HTTP requests are proxied directly as HTTP requests to the HTTP web servers. In the case of HTTPS requests, they are handled with the certificates by HAproxy and then proxied to the web servers as HTTP requests. SSLCertificates: The certificates for all virtualhosts being proxied are stored as one PEM format …
Installing pure-ftpd in Debian/Ubuntu
Difficulty with FTP servers and firewall: If you configure a firewall for a host which runs an FTP server you normally need to leave the ports 1024-65365 range open, since you never know which port the FTP server will use to send data to the FTP client. This situation is quite critical if you have …
Fine tune Ubuntu TCP stack for web server
The following tips taken from the site will help reduce the TCP latency of Ubuntu as a web server : http://www.cyberciti.biz/faq/linux-tcp-tuning/
Limiting the number of connected clients on a VirtualHost in Apache
Problem: When a DDoS attack or a burst of requests arrives at the same time at my Apache2 Web server, the whole server can run out of RAM and crash. Possible solution: Limit the number of simultaneous connections to your Web server per VirtualHost Method: One simple and effective method done directly on the …
Using mod_cluster in Apache
The newly discovered Apache module mod_cluster seems to offer many advantages compared to mod_jk which could be used in the new Apache/Jboss environment. The following features are listed: – Dynamic configuration of httpd workers – Server-side load balance factor calculation – Fine grained web-app lifecycle control – AJP is optional – Compatible starting at JBoss …
Configuring Apache to handle WebSockets
WebSockets are supported by Apache starting at version 2.4.xx. Here is a minimal configuration for Apache 2.4.xx in Ubuntu 14.04.x Install the proper modules: a2enmod proxy a2enmod proxy_wstunnel Configure the VirtualHost (only the WebSocket part is shown here) # Make sure the backend server gets the right URL in ‘Location:’ http Header ProxyPreserveHost On # …
Customizing apache2-suexec-custom
The Apache2 Suexec module comes in at least 2 flavors in many distributions of Linux. – apache2-suexec-pristine: Apache HTTP Server standard suexec program for mod_suexec – apache2-suexec-custom: Apache HTTP Server configurable suexec program for mod_suexec Many times when I’ve been trying to use the standard mod_suexec with mod_fcgi (useful for WordPress installations), the mod_suexec complains that the …
Installing VSFTPD for FTP-SSL web sites upload on Ubuntu
In order to force an exclusive use of the SSL/TLS connectivity to users here is how to install it: Note: This tutorial is based on this site: https://www.digitalocean.com/community/tutorials/how-to-configure-vsftpd-to-use-ssl-tls-on-an-ubuntu-vps Install the vsftpd package sudo apt-get install vsftpd Edit the /etc/vsftpd.conf configuration file and add the following at the end of the file or alternatively adapt the …
Selectively blocking / redirecting HTTP requests per country of origin with Apache
If you need to block or redirect requests that originate from certain countries, here is a good method using GeoIP information. Install the GeoIP binaries and Apache module: apt-get install geoip-bin libgeoip1 libapache2-mod-geoip a2enmod geoip service apache2 restart Example of blocking requests from Germany (DE) in a VirtualHost configuration: SetEnvIf GEOIP_COUNTRY_CODE DE BlockCountry Deny from …
phpmyadmin: The mcrypt extension is missing. Please check your PHP configuration.
This was the error message I got in PhpMyadmin in Ubuntu 14.04-2. The mcrypt extension is missing. Please check your PHP configuration. So I found the following solution in: http://askubuntu.com/questions/460837/mcrypt-extension-is-missing-in-14-04-server-for-mysql/477608#477608 First, I’m not really sure that this directory needs to be created, but since it’s in php.ini configuration, I’d rather make sure all will work …
Using CURL for sending crafted HTTP POST authenticated queries
CHALLENGE: I came across a situation where I needed to send an HTTP request using the POST method with some POST data but after I have authenticated with name and password. SOLUTION:(using curl tool) The trick here is to preserve the SESSIONID of the authenticated response for the second POST request. EXAMPLE: I needed to …
Monitoring latency time of http requests
Here is a simple but useful command which shows the latency time of http requests. You can adjust the delay between repeats as well as the URL being queried. Reference: http://www.shellhacks.com/en/Check-a-Website-Response-Time-from-the-Linux-Command-Line host="www.google.de"; delay=5; while true ; do echo -n "Response time for http://$host:" ;curl -s -w %{time_total}\\n -o /dev/null http://$host ;sleep $delay; done Results: Response …
Proxy Rewrite to an URL with a non valid Cert
If we do a Proxy Rewrite to an URL with a non valid Cert, we have to deactivate the SSL validation in the vhost where the Proxy Rewrite resides as follows: SSLProxyEngine On SSLProxyVerifyDepth 0
Verifying a SSL certificate chain
In order to see if an SSL web site has the proper SSL Certificate chain, this simple command can help: echo "" | openssl s_client -showcerts -servername web.site.com -connect web.site.com:443 -CApath /etc/ssl/certs/ Example: echo " " | openssl s_client -showcerts -servername tipstricks.itmatrix.eu -connect tipstricks.itmatrix.eu:443 -CApath /etc/ssl/certs Result: (most important extract from full result) CONNECTED(00000003) depth=2 C …
Dump only headers of HTTP request and response
In order to only get the headers of any HTTP request and response here is a small command that does it well: Eg. curl -sv http://my.website.com/index.html >/dev/null
ModSecurity: Rules must have at least id action
After compiling ModSecurity 2.8.0 with Apache 2.4.10 I got the following error when trying to start Apache2: ModSecurity: Rules must have at least id action After Google-ing it I found this site that explains what went wrong: https://evilazrael.de/content/modsecurity-rules-must-have-least-id-action According to this site the labeling (identification) of the rules was optional till the version 2.7.0, after …
Changing the domain name of WordPress
SITUATION: You’ve had a WordPress site for a while and want to change the URL by which it is called. WordPress needs to have a constant URL to be able to work. If you just configure the web server to use another URL, it won’t work. The original URL stored in your WordPress database, which …
Dynamically change Apache response content
Although the example below doesn’t quite represent a very good one in terms of real life problem, nevertheless it shows how to implement a dynamic web server response content modification. These replacements are done in application server responses before they leave Apache web server. In this example we are dynamically replacing parts of the URI …
Creating a XEN machine and Installing Group Office in Debian Wheezy
Introduction In this Tutorial I will explain the steps I did to create a Xen Virtual Machine with minimal packages and then install the latest Group Office Web based Collaboration software. You’ll need to be fluent in Linux and Xen because I don’t explain much here. Note: My hypervisor is Xen 4.0 in Debian Squeeze …
vhosts calling themselves behind load balancer
PROBLEM: If a virtualhost configured behind a load balancer originated http/https requests, using the proxy module, destined for the Internet IP of the virtual host, the route of the packet would then have to be: Vhost ==ProxyModule==>> LoadBalancer ==>> Loop to itself ==>> Vhost For technical reasons I needed to avoid this route. This …
Some tools for SSL certificates
Checking that a certificate is paired to the key Example: openssl rsa -noout -modulus -in mycert.key |openssl md5 33c63cb62080fdf2bc06c47a59e02917 openssl x509 -noout -modulus -in mycert.crt |openssl md5 33c63cb62080fdf2bc06c47a59e02917 Both results should be the same Generating a certificate for VSFTP openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem Creating a self signed …
Limiting connections per Virtual Host with mod_bw
Introduction: In order to limit the number of simultaneous connections to a Web server (for the whole server) the following Core directive is used in our Live web servers, limiting it to 2000 simultaneous connections per web server. MaxClients 2000 In the case of wanting to limit the number of simultaneous connections per VirtualHost we …
Redirect POST requests
For quite a while it was not possible to use the Apache mod_rewrite to redirect POST requests. After the browser received a redirect response code 301 (permanent) or 302 (temporary) from a POST request it redirected the request to the new URL but using a GET method. After research I found out that since some time the …
php5-cgi fills up memory, too many processes.
Problem Description: I just solved a strange situation where little by little the number of php5-cgi processes kept on increasing till all the RAM was used and the system slowed to a crawl, no longer responding to web requests. Cause: After the maximum number of requests got reached for a php5-cgi requests the process gets detached from …
Verifying Web Server certificates
In the world of so many types and variations of available certificates it is sometimes difficult to be sure that the components of a certificate are fitting together. For this purpose here are some commands that will help. Verifying a certificate chain Whether the certificates are WEB certificates or CA (Certificate of Authority) all the …
Compiling an Apache module after Apache has been compiled
Sometimes one discovers a module which would be lovely to include in an already compiled Apache. I’m using here an example of a vanilla Apache I compiled. Constants: Source path of Apache: /www/src/ Path of compiled Apache: /www/apache/ Module to compile: proxy_http Compiling the module: cd /www/src/modules/proxy /www/apache/bin/apxs -i -a -c mod_proxy_http.c This will: – …
Load Balancing with Apache
Introduction: I’ve been confronted with the task of installing 2 web servers and a load balancer all made of Apache2. Requirements: – 1 Load balancer made of apache2 configured for 2 Web sites – The load balancer should implement cookie-based stickiness for clients to land all their requests on the same web server initially …
Changing the URL of WordPress
Lately after a friend had developed a new web site under (eg.) new.mywebsite.com when it needed to go live to www.mywebsite.com although the admin settings were changed and the Apache configuration as well, many links still were pointing to new.mywebsite.com. Now what to do? I searched the Net and found this great web site which explains …
Combining Apache PHP module and fcgi in Debian Squeeze/Wheezy
Many help sites that show you how to install and configure the Apache module mod_fcgid ask you to uninstall the Generic Apache PHP module(mod_php5). Although mod_fcgid offers some advantages to the mod_php5, uninstalling the mod_php5 need not be, especially if you are running applications that don’t need to run under mod_fcgid and it uses simple …
Warning: curl_exec() has been disabled for security reasons
In Powerpress plugin of WordPress I’ve been confronted with this error: Warning: curl_exec() has been disabled for security reasons Many people suggested a hack into the functions.php of WordPress. I find this solution not very good, since it’s most likely all gone after an update of WordPress. After looking for a better solution in Google …
PHP problem of ‘basedir-open’
After having upgraded Apache, PHP and other PHP modules I found out that we had problems with errors regarding restrictions of opening files within the set htdocs directory. I found that out by enabling error messages to be shown in the php.ini file. After researches on Internet I found those sites where they also had …
Detecting Browser User Agent in Mod_Rewrite
Apache mod_rewrite can be used to detect whether a browser has a WAP or Smartphone device versus a normal size browser and act accordingly. Here is a method: Creating variables for different sorts of portable devices: # Wap devices BrowserMatch "MIDP" WAP_DEVICE BrowserMatch "CLDC" WAP_DEVICE BrowserMatch "UP\." WAP_DEVICE BrowserMatch "HTC" WAP_DEVICE BrowserMatch "LG" WAP_DEVICE BrowserMatch …
Installing Google’s Apache mod_pagespeed module.
Google has recently published an Apache module which should optimize web sites delivery dynamically. I was quite suspicious about such a tool and thought that this could only work at the cost of page outlook quality, meaning web pages not being displayed quite the same as the original. After experimenting with it I was quite pleased …
Configuring Apache2 mod_deflate
Here are some recommended settings of the mod_deflate in Apache2. The main principle is to define which type of files are and which ones are not to be compressed. These settings DON’T override the fact that if a device/browser doesn’t have the following header in its request the requested file/component will NOT be compressed at …
Using Environment variables in Apache rewrite rules
Problem: Setting multiple variables(%1-%9) in rewrite rules with RewriteCond will get rewritten by the subsequent RewriteCond for the same rewrite rule pack. eg. RewriteCond %{REQUEST_URI} ID([^/]+) RewriteCond %{REQUEST_URI} ID2([^/]+) RewriteRule ^/login.php /newlogin.php?NewID=%1&NewID2=%2 The above rule is not practical in real world, there are better ways to do this. But just as an example, we can …
Setting a Cookie from Query String
In some very special task we needed (don’t ask me why) to use the value of the Query string to set a response cookie. Meaning we grab the query string in a format of Name=value to set a cookie in the response header. eg. http://www.myserver.com/myimage.gif?mycookie=myvalue sets the cookie in the client’s browser as: Name of …
Installing eAccelerator for PHP in Debian Squeeze
This great application really speeds-up the processing and therefore delivery of complex web sites based on PHP, for example from CMS like Typo3. Here is how to install it. Credits FROM: http://www.debiantutorials.com/installing-eaccelerator/ and https://github.com/eaccelerator/eaccelerator/wiki/InstallFromSource Instructions in German: http://www.sysadminslife.com/linux/eaccelerator-php-beschleuniger-installation-unter-debian-5-lenny-und-ubuntu/ Download it cd /tmp wget http://github.com/downloads/eaccelerator/eaccelerator/eaccelerator-0.9.6.1.tar.bz2 Unpack it tar -xvjf eaccelerator-0.9.6.1.tar.bz2 Prepare for compiling it apt-get install …
Solving the problem of MaxRequestLen in mod_fcgid
Sometimes we get the following message in error.log and sometimes not. The reason is that the size of MaxRequestLen is not high enough: mod_fcgid: HTTP request length 135714 (so far) exceeds MaxRequestLen (131072) Solution: Add the following entry in the file: /etc/apache2/mods-available/fcgid.conf raise the value from the default 131072 to 15728640 (15MB) or higher if …
Compiling and install the missing dotdeb php5-fileinfo package
Dotdeb has done a terrific job at precompiling some PHP 5 packages and environment for us. Unfortunately in Dotdeb version of Debian Squeeze PHP5 packages I found the package php5-fileinfo to be missing. So here are the blind steps (without explanations) on how to compile and install this package. This is just an example unig …
Using cache control with Apache
This article has no structure really. It is a gathering of important information and own findings concerning caching of web elements. Caching controls of web elements General rules: – The header ‘Expires:’ is an implementation of the HTTP/1.0 – The header ‘Cache-Control: max-age=xxxx’ is an implementation of the HTTP/1.1 and OVERRIDES ‘Expires:’ Extract from http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html: …
Web client authentication using SSL/PKI and PHP
To authenticate web clients using a browser is no difficulty when one has imported the PKI certificate in the browser. But how can we do that with a php driven process and use it as client. Here is some short PHP code that will do exactly that. Note: the CA, PKI certificate(CRT) and private key(KEY) …
Installing and configuring Apache2 mod_security on Debian Squeeze
Install the Debian version of mod_security packages from Debian repository apt-get install libapache-mod-security Create an Apache config directory for mod_security mkdir /etc/apache2/modsecurity-core-rules chmod 600 /etc/apache2/modsecurity-core-rules Download and install the mod_security core rules wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz tar vfx modsecurity-core-rules_2.5-1.6.1.tar.gz -C /etc/apache2/modsecurity-core-rules/ Create a symlink to adapt to all mod_security core rules (or change all the rules 🙂 ln …
Web Authentication using LDAP
These instructions have nothing special about them. There are many such instructions on the internet. The purpose here is only as reference for myself and maybe you as well. Here I’m assuming that you have installed openLDAP and created users and groups in LDAP server. In the following examples the users and groups login names …
LDAP Installation in Debian Lenny + Web LDAP Browser
NOTE: These instructions assume that the LDAP client runs on the same machine as the LDAP server. Environment: IP: 192.168.100.27 LDAP Client Machine names: ldapc.itmatrix.srv ldapc LDAP Server Machine names: ldaps.itmatrix.srv ldaps NOTE: This tutorial is a short and updated version of the one found at: http://techpubs.spinlocksolutions.com/dklar/ldap.html Edit /etc/hosts and set the content …
Apache 2.2 caching
In Apache 2.2 there are 2 types of advanced caching available: – Memory based caching – Disk based caching Here are some tips and links related to the disk cache feature: APACHE 2.2 cache cleaning command: Recommended to run regularly from cron job # Runs as cron job, in nice mode, and limits the cache …
Apache Log format codes
Extracted from: http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#logformat Format String Description ============= ============================================================================================================ %% The percent sign %a Remote IP-address %A Local IP-address %B Size of response in bytes, excluding HTTP headers. %b Size of response in bytes, excluding HTTP headers. In CLF format, i.e. a ‘-‘ rather than a 0 when no bytes are sent. %{Foobar}C The contents of …
Remote logging of Apache logs
Since Apache doesn’t provide the possibility to send its logs to a remote server we use the PIPE logging capability as follows: Principle: ====== 1) – Send logs to a local script via STDOUT 2) – The script uses the command logger to send each log line to the local rsyslog 3) – rsyslog via …
Apache mod_deflate controls
I’ve been looking for a way to set the DEFLATE globally and then disable it individually as needed either in vhosts or in containers. There are two ways to configure the DEFLATE: – INCLUDE-ALL-with-Exceptions : Compress all content except the exceptions defined – EXCLUDE-ALL-with-Exceptions : Compress none of the contents except the exceptions defined The …
IP List of China and Korea for IPTABLES
Just download: http://www.okean.com/antispam/iptables/rc.firewall.sinokorea This script that can be downloaded regularly needs to be converted before it can be used. In this list the destination ports is 25 (SMTP). For web access blocking, the port needs to be changed to 80,443,25,110,22,995 etc. . A small script can be used to get the list, convert it before …
Get the country and city of client IP
wget -O- -q http://api.hostip.info/get_html.php?ip=195.80.230.182 or lynx -dump "http://api.hostip.info/get_html.php?ip=195.80.230.182"
Compile Apache 2 in Debian/Ubuntu/Mint/..
Introduction: Steps to compile Apache: – Installation of needed development packages – Prepare the directories needed – copy the config file and script below – Run the script below Installation of needed development packages Needed for Apache mod_deflate libzip-dev (sources) libzip1 (bin libs.) zlib1g-dev (sources) Needed for Mod_security libpcre3-dev libpcrecpp0 libxml2-dev Compiling script Configuration file …
Get the response content in terminal
w3m -dump http://my.server.com
Preventing logging for some document types
eg. SetEnvIfNoCase Request_URI ".*\.html" !NOLOG CustomLog /var/log/httpd/main.log j_common env=!NOLOG
Get RSS with bash
#!/bin/bash lynx -source http://rss.freshmeat.net/freshmeat/feeds/fm-releases-global | sed -n ‘s/.*//gp’ | sed ‘s/
Compiling a new standard Apache DSO module
# Build and install a distributed Apache module, say mod_foo.c, into its own DSO mod_foo.so: * Build and install via configure (preferred): $ ./configure --prefix=/path/to/install --enable-shared=foo $ make install * Build and install manually: – Edit src/Configuration: > SharedModule modules/xxxx/mod_foo.so $ make $ cp src/xxxx/mod_foo.so /path/to/install/libexec – Edit /path/to/install/etc/httpd.conf >> LoadModule foo_module /path/to/install/libexec/mod_foo.so # Build …
Mod_jk shared file size in Apache 1.3.x
It can occur that a new worker set prevents Apache from starting, although it is correctly configured. Possible cause: Mod_JK shared file is too small Size must be at least: Header: 84 Bytes Per Worker: 400 Bytes Extra at the end: 800 Bytes Any type of worker uses the same amount of memory (400 bytes): loadBalancers and hosts Configuration: …
Example of mod_security Configuration
SecFilterEngine DynamicOnly SecFilterScanPOST On SecFilterDefaultAction “deny,log,status:400” SecFilterSelective REQUEST_URI “
MOD GZIP Configuration in Apache 1.3.x
NOTE: The size of the zipped content (not header) is about 1/3 of original size. mod_gzip_command_version '/mod_gzip_status' mod_gzip_temp_dir /tmp/mod_gzip_httpd mod_gzip_keep_workfiles No mod_gzip_minimum_file_size 1000 mod_gzip_maximum_file_size 100000 mod_gzip_maximum_inmem_size 60000 mod_gzip_min_http 1000 mod_gzip_handle_methods GET mod_gzip_item_include file \.html$ mod_gzip_item_include file \.jsp$ mod_gzip_item_include file \.do$ mod_gzip_item_include mime text/html mod_gzip_item_include mime text/plain mod_gzip_item_include mime application/x-javascript mod_gzip_item_include mime text/css mod_gzip_item_include mime text/xml mod_gzip_item_include …
Problem with openssl and Compiling Apache 2.2.11
The cause is that the paths must be set correctly so that ld recognizes the -lssl parameter. export LD_LIBRARY_PATH="/www/hans/src/openssl-0.9.8j/" export LIBS="-L/www/hans/src/openssl-0.9.8j" export CPPFLAGS="-I/www/hans/src/openssl-0.9.8j/include/openssl" echo $LD_LIBRARY_PATH /www/jamba/src/openssl-0.9.8j/:/usr/lib/ echo $LIBS -L/www/jamba/src/openssl-0.9.8j echo $CPPFLAGS -I/www/jamba/src/openssl-0.9.8j/include/openssl
Issues on MaxClients Directive
WARNING: MaxClients of 3000 exceeds compile time limit of 2048 servers, lowering MaxClients to 2048. To increase, please see the HARD_SERVER_LIMIT define in src/include/httpd.h. Why increase MaxClients to 2048? Apache 1.x is non-threaded, so increasing MaxClients beyond 256 usually results in lower performance; often dramatically lower performance. At a prior job I worked with a …
setting Apache 2 ENVIRONMENT VARIABLES
in /etc/apache2/envvars # envvars-std – default environment variables for apachectl # # This file is generated from envvars-std.in # export APACHE_RUN_USER=www-data export APACHE_RUN_GROUP=www-data export APACHE_PID_FILE=/var/run/apache2.pid umask 002
GZIP Log Format
LogFormat "\"%h\" \"%{HOST}i\" \"%u\" \"%t\" \"%r\" \"%>s\" \"%b\" \"%{Referer}i\" \"%{User-Agent}i\" \"%{Connection}i\" \"%{Connection}o\" \"%{Content-Type}o\" \"%T\" \"PID:%P\" \"%{mod_gzip_result}n\" \"%{mod_gzip_input_size}n\" \"%{mod_gzip_output_size}n\" \"%{mod_gzip_compression_ratio}n\"" JAMBA_BASIS_LOGFORMAT_GZIP
Using mod_cband to limit bandwidth per vhost
mod_cband (http://cband.linux.pl) can do this from 0.9.6.0 version! You should use CBandExceededSpeed directive to slow down pages when the bandwidth is exceeded 🙂 See: http://www.howtoforge.com/mod_cband_apache2_bandwidth_quota_throttling http://www.icewalkers.com/Linux/Software/524590/mod_cband.html http://www.montanalinux.org/mod_cband.html http://www.uno-code.com/?q=node/64
SSL error solution
If an SSL error goes like this: In Browser: (Error code: ssl_error_rx_record_too_long) or in log file: [error] [client 81.19.201.7] Invalid method in request \\x16\\x03\\x01 Solution: Include the following directive in vhost: SSLEngine on That was it . 😉
MPM ‘worker’ configuration (Apache2)
Directive Description Default (worker.MPM) ===================== =============================================================================== ==================== ListenBackLog Maximum length of the queue of pending connections 511 . MaxClients Global maximum number of connections that will be processed simultaneously 400 MaxClients SHOULD NOT be lower than (ServerLimit) x (ThreadsPerChild). Normally they should be equal. . ServerLimit Upper limit on configurable number of processes (children) 16 …
To test WAP web site with telnet
telnet http://address 80 GET / WML/1.2
Logging Apache Access logs through syslogd
Error logs can be logged very easily to syslog using the following ErrorLog syslog:local1 Access logs must use a pipe-to-script trick as follows: In Apache config: CustomLog |/usr/local/apache/bin/apache_syslog combined As script in system: Content of /usr/local/apache/bin/apache_syslog ——————————————— logger -i -p local3.info -t TEST-APACHE ——————————————— chmod 755 /usr/local/apache/bin/apache_syslog
Brute force test Apache
apt-get install siege or apt-get install apache2-utils and use the program ‘ab‘ eg. /usr/sbin/ab -n 100 http://yoursite.com/
Running mod_gzip, mod_rewrite, and mod_proxy together in Apache 1.3.x
When using RewriteRule ….[P] with mod_gzip there are often problems To resolve this add the following directive to mod_gzip ———————————————– mod_gzip_item_include handler proxy-server ———————————————– mod_gzip_item_include mime “application/x-httpd-php.*” mod_gzip_item_include mime httpd/unix-directory mod_gzip_item_include handler ^server-status$ mod_gzip_item_exclude file \.css$ mod_gzip_item_exclude file \.js$ mod_gzip_item_exclude reqheader “Via:.*1\.0 PROXY” mod_gzip_item_exclude reqheader “Via:.*1\.0 lavoisier \(NetCache NetApp\/5\.0\.1R2\)”
Examples of mod_security directives
SecFilterEngine On SecFilterScanPOST On SecFilterSelective "POST_PAYLOAD" "BoesesWort" "deny,log,status:412" # Replace BoesesWort with the word you want to block. # Save the text file under the name .htaccess (do not forget the leading dot) SecFilterSelective "POST_PAYLOAD" "AnderesBoesesWort" "deny,log,status:412" # Alternative SecFilterSelective "POST_PAYLOAD" "BoesesWort" "deny,log,redirect:http://www.deinedomain.de/seite.html"
Using curl to test PUT method to upload to web server
curl -u user:pass -T /home/guest/test.txt http://my.server.com:8082/upload/
MOD_JK configuration directives
see: http://tomcat.apache.org/connectors-doc/generic_howto/timeouts.html The following directives are normally inserted in workers.properties file connection_pool_minsize (default 0) defines, how many idle connections remain when the pool gets shrinked. By default this is half of the maximum pool size. connection_pool_size (default 0) We generally do not recommend to use this attribute in combination with Apache httpd. For Apache httpd …
Logging gzip compression factor of files
LogFormat "%h %l %u %t \"%r\" %>s %b mod_gzip:%{mod_gzip_result}n In:%{mod_gzip_input_size}n Out:%{mod_gzip_output_size}n:%{mod_gzip_compression_ratio}npct." full_plus_gzip [17:29:14] CustomLog /var/log/httpd/mod_gzip.log full_plus_gzip Example of log entry: /reviews/cooling/HSR2_4.html HTTP/1.1" 200 6289 mod_gzip: DECHUNK:OK In:23352 Out:6289:74pct.
Checking the loading time of a web site without loading its objects
date +%S.%N;w3m -dump http://www.mysite.de &>/dev/null;date +%S.%N
Selectively filtering what can be logged at ‘per request’ level
SetEnvIfNoCase Request_URI "^/string to exclude/" drop and then between and CustomLog /var/log/httpd/www.mydomainname.com-access_log combined env=!drop
To UNSET an environment variable using SetEnvIf
eg. SetEnvIfNoCase Request_URI ".*\.html" !NOLOG Unsets the previously set NOLOG environment variable
Logformat code list
%…a: Remote IP-address %…A: Local IP-address %…B: Bytes sent, excluding HTTP headers. %…b: Bytes sent, excluding HTTP headers. In CLF format i.e. a ‘-‘ rather than a 0 when no bytes are sent. %…c: Connection status when response was completed. ‘X’ = connection aborted before the response completed. ‘+’ = connection may be kept alive …
To connect to SSL apache from command line
openssl s_client -connect localhost:443 -state -debug GET / HTTP/1.0