LinuxHelps.com

A blog for Linux Lovers.

Archive for the ‘Apache’ Category

Posted by sibu on August 28, 2014

Disable TRACE and TRACK Methods in Apache

For security purposes you might want to disable the TRACE and TRACK methods on the Apache web server.

Add the following to httpd.conf file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

-OR-

With Apache 1.3.34 or later, or 2.0.55 or later, you can just add the following line:

TraceEnable off

Posted by sibu on October 17, 2009

Options Directive

The Options directive controls which server features are available in a particular directory.

Options can be set to None, in which case none of the extra features are enabled.

All :

All options except for MultiViews. (Default Settings).

ExecCGI :

Execution of CGI scripts using mod_cgi is permitted.

FollowSymLinks :

The server will follow symbolic links in this directory.

Includes :

Server-side includes provided by mod_include are permitted.

Indexes :

If a requested directory does not contain a DirectoryIndex file (e.g., index.html), then mod_autoindex will return a formatted listing of the directory.

MultiViews :

Content negotiated “MultiViews” are allowed using mod_negotiation.

You have to be very careful when using the + and - symbols with Options.

For example, without any + and - symbols:

<Directory /home/sibu>
Options Indexes FollowSymLinks
</Directory>

<Directory /home/sibu/test>
Options Includes
</Directory>

then only Includes will be set for the /home/sibu/test directory.

If the second Options directive uses the + and - symbols:

<Directory /home/sibu>
Options Indexes FollowSymLinks
</Directory>

<Directory /home/sibu/test>
Options +Includes -Indexes
</Directory>

then the options FollowSymLinks and Includes are set for the /home/sibu/test directory.
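
The replace-versus-merge behaviour described above, modelled as an added example (not code from the original post or from Apache). It assumes evaluation starts from an empty option set rather than the server default, and the function names are hypothetical.

```python
# Added example: models how Apache combines Options lines across nested
# <Directory> sections. Starts from an empty set (server default not modelled).
ALL = {"ExecCGI", "FollowSymLinks", "Includes", "Indexes"}  # "All" excludes MultiViews


def apply_options(inherited, line):
    """Return the options in force after one Options line (keyword omitted)."""
    words = line.split()
    signed = [w for w in words if w[0] in "+-"]
    if signed and len(signed) != len(words):
        # Apache 2.4 rejects a line that mixes signed and bare options.
        raise ValueError("mixed +/- and bare options: " + line)
    if not signed:
        # Bare list: replaces whatever was inherited, nothing is merged.
        result = set()
        for word in words:
            if word == "All":
                result |= ALL
            elif word != "None":
                result.add(word)
        return result
    # Every option is signed: start from the inherited set and adjust it.
    result = set(inherited)
    for word in signed:
        if word[0] == "+":
            result.add(word[1:])
        else:
            result.discard(word[1:])
    return result


def effective_options(sections, path):
    """sections: (directory, options_line) pairs; shortest directory applies first."""
    current = set()
    for directory, line in sorted(sections, key=lambda s: len(s[0])):
        if path == directory or path.startswith(directory.rstrip("/") + "/"):
            current = apply_options(current, line)
    return current


# The page's two configurations for /home/sibu and /home/sibu/test.
REPLACING = [("/home/sibu", "Indexes FollowSymLinks"), ("/home/sibu/test", "Includes")]
MERGING = [("/home/sibu", "Indexes FollowSymLinks"), ("/home/sibu/test", "+Includes -Indexes")]

if __name__ == "__main__":
    for name, cfg in (("replacing", REPLACING), ("merging", MERGING)):
        print(name, sorted(effective_options(cfg, "/home/sibu/test")))
```

The first configuration silently drops FollowSymLinks for the subdirectory, which is the surprise the + and - forms avoid.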

Posted by sibu on October 17, 2009

Enable Server Side Include(SSI)

SSI (Server Side Includes) are directives that are placed in HTML pages and evaluated on the server while the pages are being served. They are used to add dynamically generated content to an existing HTML page.

SSI configurations

The mod_include module must be installed and enabled in Apache. You also need to have the following directive either in your httpd.conf file or in a .htaccess file:

Options +Includes

This tells Apache that you want to permit files to be parsed for SSI directives.

It is always better to tell Apache which files should be parsed. There are two ways to do this. We can configure Apache to parse any file with a particular file extension, such as .shtml, with the following directives:

        AddType text/html .shtml
        AddHandler server-parsed .shtml

One disadvantage to this approach is that if you wanted to add SSI directives to an existing page, you would have to change the name of that page in order to give it a .shtml extension.

The other method is to use the XBitHack directive:

        XBitHack on

XBitHack tells Apache to parse files for SSI directives if they have the execute bit set. So, to add SSI directives to an existing page, rather than having to change the file name, you would just need to make the file executable using chmod.

chmod +x pagename.html

Posted by sibu on June 11, 2009

SSL Certificates

SSL Certificates:

Normally data is sent unencrypted over the Internet, which means anybody with certain tools can intercept and read your data. To prevent this from happening, SSL (Secure Sockets Layer) is used to encrypt the data stream between the Web Server and the Web Client.

Types:


* Self Signed Certificate
* Certificate issued by a trusted Certificate Authority(CA)

Why is a certificate issued by a CA necessary?


Simple - It is not really necessary - the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority, ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.

Steps in generating Certificates:


* Generate a Private Key
* Generate a CSR (Certificate Signing Request)
* Generating a Self-Signed Certificate / Get the Certificate from a CA
* Installing the Private Key and Certificate
* Configuring SSL Enabled Virtual Hosts
* Restart Apache and Test

Generate a Private Key:


* The OpenSSL tool is used for this purpose; make sure openssl is installed
* It is always ideal to include the domain names in file names

openssl genrsa -out /etc/httpd/conf/ssl.key/domain.key 2048

Generate a CSR:


* Once the Private Key is created, use it to generate a CSR
* Avoid entering data for extra attributes like “A Challenge Password”, since this might result in being asked for the passphrase each time you restart Apache

openssl req -new -key /etc/httpd/conf/ssl.key/domain.key -out /etc/httpd/conf/ssl.crt/domain.csr


Generating a Self-Signed Certificate / Get the Certificate from CA

* A Self-Signed Certificate is one that we create ourselves
* However, using a self-signed certificate will generate an error in the client's browser saying that the “signing certificate authority is unknown and not trusted”.

openssl x509 -req -in /usr/local/apache/ssl.crt/domain.csr -signkey /usr/local/apache/ssl.key/domain.key -out /usr/local/apache/ssl.crt/domain.crt

* And to get a Certificate from a CA, all you have to do is send them a copy of the Private key and CSR you have just generated on the server

* Copy all the certificates generated to appropriate folders

Configuring SSL Enabled Virtual Hosts

Configure your httpd.conf to incorporate the SSL Certificates with the Apache Server:

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/domain.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domain.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Posted by sibu on May 24, 2009

Apache error: Invalid command ‘BytesLog’

If you receive the following error,

Invalid command ‘BytesLog’, perhaps mis-spelled or defined by a module not included in the server configuration

while restarting Apache on cPanel servers, do the following steps.

# cd /usr/local/cpanel/apache
# /usr/local/apache/bin/apxs -iac mod_log_bytes.c
# /etc/rc.d/init.d/httpd restart

It will install the missing module and restart apache

Posted by sibu on May 24, 2009

Apache Error: Unable to open logs

Sometimes apache will fail to start. It will show the following error message in apache error logs:

Unable to open logs

This is because of the low number of file descriptors. Check the current limit of file descriptors in the file /proc/sys/fs/file-max:

# cat /proc/sys/fs/file-max
1024

If fs.file-max is quite small (several thousands or so), it should be changed to a higher value.

# echo "65535" > /proc/sys/fs/file-max

If you want this new value to survive across reboots you can add it to /etc/sysctl.conf.

# Maximum number of open files permitted
fs.file-max = 65535

To load new values from the sysctl.conf file:

# sysctl -p /etc/sysctl.conf

Add `ulimit -n 65536` command to /etc/rc.d/init.d/httpd and /usr/sbin/apachectl apache startup scripts before other commands.

Now try to start httpd.

Posted by sibu on May 24, 2009

Hide Apache, PHP and kernel Version Details.

To hide the information, add the following two Apache directives to the Apache configuration file /etc/httpd/conf/httpd.conf:

ServerTokens ProductOnly

ServerSignature Off

Now you need to restart your web server using the following command

# /etc/init.d/httpd restart

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive determines what Apache puts in the Server HTTP response header. Setting it to ProductOnly (Prod for short) makes the HTTP response header read as follows:

Server: Apache

Hide PHP Version Details

If you want to hide the PHP version, you need to edit /etc/php4/apache/php.ini (for PHP 4 users) or /etc/php5/apache/php.ini (for PHP 5 users).

Change the following option

expose_php = On
to
expose_php = Off

Now you need to restart your web server using the following command

# /etc/init.d/httpd restart

After making this change PHP will no longer add its signature to the web server header.

In order to hide the ‘kernel’ version, you need to compile a custom kernel. That’s the only way, as far as I know. There’s no setting to do this.
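
A check for the three settings covered in this post, as an added example (not part of the original post). It audits a raw HTTP response for what ServerTokens, ServerSignature and expose_php leave behind; the sample responses, host name and version strings are constructed, and the function name is hypothetical.

```python
import re


def audit_disclosure(raw_response):
    """Return (setting, leaked_value) findings for one raw HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # ServerTokens ProductOnly leaves a bare product name, no "/" or "(".
        if name == "server" and re.search(r"[/(]", value):
            findings.append(("ServerTokens", value))
        # expose_php = On adds this header.
        elif name == "x-powered-by":
            findings.append(("expose_php", value))
    # ServerSignature On appends an <address> footer to generated pages.
    footer = re.search(r"<address>(Apache[^<]*)</address>", body)
    if footer:
        findings.append(("ServerSignature", footer.group(1)))
    return findings


# Constructed 404 responses: before and after applying the settings above.
BEFORE = "\r\n".join([
    "HTTP/1.1 404 Not Found",
    "Server: Apache/2.2.15 (CentOS) PHP/5.3.3",
    "X-Powered-By: PHP/5.3.3",
    "Content-Type: text/html",
    "",
    "<html><body><h1>Not Found</h1><hr>"
    "<address>Apache/2.2.15 (CentOS) Server at www.example.com Port 80</address>"
    "</body></html>",
])
AFTER = "\r\n".join([
    "HTTP/1.1 404 Not Found",
    "Server: Apache",
    "Content-Type: text/html",
    "",
    "<html><body><h1>Not Found</h1></body></html>",
])

if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_disclosure(response))
```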

Posted by sibu on April 12, 2009

Command to view the previous load in the server.

grep average /var/log/dcpumon/toplog.*

- This command will display the load that has been in the server.

[root@server]# grep average /var/log/dcpumon/toplog.*

/var/log/dcpumon/toplog.1232442601:top - 04:10:01 up 1 day, 10:31, 2 users, load average: 3.69, 3.21, 2.34
/var/log/dcpumon/toplog.1232442601:top - 04:10:04 up 1 day, 10:31, 2 users, load average: 4.27, 3.34, 2.39
/var/log/dcpumon/toplog.1232442901:top - 04:15:03 up 1 day, 10:36, 2 users, load average: 4.67, 3.88, 2.86
/var/log/dcpumon/toplog.1232442901:top - 04:15:06 up 1 day, 10:36, 2 users, load average: 4.67, 3.88, 2.86
/var/log/dcpumon/toplog.1232443202:top - 04:20:02 up 1 day, 10:41, 2 users, load average: 3.87, 3.82, 3.11
/var/log/dcpumon/toplog.1232443202:top - 04:20:05 up 1 day, 10:41, 2 users, load average: 3.87, 3.82, 3.11
/var/log/dcpumon/toplog.1232443501:top - 04:25:02 up 1 day, 10:46, 2 users, load average: 7.67, 6.40, 4.36

Posted by sibu on April 12, 2009

How to prevent hotlinking images on Apache server.

Prerequisites

* mod_rewrite must be loaded
* AllowOverride must be enabled
* FollowSymLinks must be enabled

For the sake of this example, we will assume that your website url is www.yourdomain.com, the file that is being hotlinked is widget.png, and the web page where the hotlinking is coming from is ebay.com (very common).

The Solution: using mod_rewrite and .htaccess to forbid hotlinking

Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?ebay\.com/.*$ [NC]
RewriteRule widget\.png$ - [F]

When placed in your .htaccess file this will prevent hotlinking of widget.png by any ebay auctions.

This rule explained:

1. First the RewriteEngine (the mod_rewrite module apache loaded) is turned on

Note: RewriteEngine only needs to be turned on once before any conditions or rules are defined. You do not need to turn it on, on a per-rule basis. In fact setting RewriteEngine On multiple times will result in a server error.

RewriteEngine On

2. next, for any requests coming in with an http referrer, which does NOT match www.yourdomain.com or yourdomain.com, NOT case sensitive. . .

Code:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]

3. and the referrer IS www.ebay.com, or the referrer IS ebay.com

Code:
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?ebay\.com/.*$ [NC]

4. for the file widget.png, send nothing, and forbid access (send a 403 Forbidden response header)

Code:
RewriteRule widget\.png$ - [F]

Alternatively: prevent hotlinking of all images (well, all .gif, .jpg/.jpeg, .png, and .bmp files) from ebay

Code:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?ebay\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F]

Prevent hotlinking of all images (well, all .gif, .jpg/.jpeg, .png, and .bmp files) from anywhere but your own site

Code:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F]
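
How the "anywhere but your own site" rule decides, as an added example that is not part of the original post: it replays the RewriteCond chain over constructed Referer values. The patterns are written with the scheme and escaped dots, yourdomain.com is the page's placeholder, and the function names are hypothetical.

```python
import re

# Added example. Each RewriteCond on %{HTTP_REFERER} is (negated, pattern);
# [NC] becomes re.IGNORECASE. yourdomain.com is the page's placeholder.
OWN_SITE_ONLY = [
    (True, r"^$"),                                       # !^$
    (True, r"^https?://(www\.)?yourdomain\.com/.*$"),    # !^https?://...
]
IMAGE = re.compile(r"\.(gif|jpe?g|png|bmp)$")            # RewriteRule pattern


def is_forbidden(path, referer, conds=OWN_SITE_ONLY):
    """True when the rule answers 403: path matches and every condition holds."""
    if not IMAGE.search(path):
        return False
    for negated, pattern in conds:
        matched = re.search(pattern, referer, re.IGNORECASE) is not None
        if matched == negated:      # this RewriteCond is false, rule is skipped
            return False
    return True


# Constructed requests: (path, Referer header value, "" when absent).
SAMPLES = [
    ("/img/widget.png", ""),                                    # direct request
    ("/img/widget.png", "http://www.yourdomain.com/a.html"),    # own page
    ("/img/widget.png", "https://YourDomain.com/"),             # [NC], https
    ("/img/widget.png", "http://www.ebay.com/itm/1"),           # hotlink
    ("/img/widget.png", "http://yourdomain.com.example.net/"),  # lookalike host
    ("/index.html", "http://www.ebay.com/itm/1"),               # not an image
]


def schemeless_ever_matches(referers):
    """A ^-anchored host pattern without the scheme cannot match these values,
    because browsers send the Referer as an absolute URL."""
    pattern = r"^(www\.)?ebay\.com/.*$"
    return any(re.search(pattern, r, re.IGNORECASE) for r in referers)


if __name__ == "__main__":
    for path, ref in SAMPLES:
        verdict = "403" if is_forbidden(path, ref) else "200"
        print(f"{path:18} {ref or '-':40} {verdict}")
```

The Referer header is supplied by the client, so an empty or forged value passes; the rule reduces hotlinking but is not access control.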

Posted by sibu on March 10, 2009

Redirection through .htaccess file

To redirect a single page

Redirect 301 /oldpage.html http://www.example.com/newpage.html

To redirect the entire site to another domain.

Redirect 301 / http://www.example.com/

Redirect www.example.com to example.com

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^example\.com
RewriteRule (.*) http://example.com/$1 [R=301,L]

Redirect example.com to www.example.com

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]

Redirect example.com/index.php to example.com/

Options +FollowSymLinks
RewriteEngine on
# index.php to /
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*index\.php\ HTTP/
RewriteRule ^(.*)index\.php$ /$1 [R=301,L]

To change the file extension.

RedirectMatch 301 (.*)\.html$ http://www.example.com$1.php