Archive for category apache

Apache 2.4 global IP blocking list for all vhosts

It is a pain in the ass to set a bunch of IP adresses in each vhost or where ever you need it. But with Apache 2.4 it is quiet easy to have a global list and use that anywhere in your config.

 

Define BADIPS "188.40 46.4 176.9 46.166 46.21 78.46 91.207.7.21 0.0.0.0 91.207.7.182"
<VirtualHost *:80>
    ServerName mariobrandt.de
    ServerAlias www.mariobrandt.de
    DocumentRoot /var/www/
    FileETag MTime Size
    <Directory /var/www/>
        Options Indexes FollowSymLinks Multiviews ExecCGI
        AllowOverride None
    <RequireAll>
    Require all granted
    Require not ip ${BADIPS}
    </RequireAll>
        AddHandler fcgid-script .php
        FCGIWrapper /usr/bin/php5-cgi .php
    </Directory>
    ErrorLog /var/log/apache2/mario_error.log
    LogLevel warn

    CustomLog /var/log/apache2/mario_access.log combined

</VirtualHost>

mod_fcgid is polluting my error log on windows

Well I really like mod_fcgid with PHP on my Apaches on Windows. But since every time a PHP process get it’s signal to die, mod_fcgid creates on windows an entry in the error log cause the graceful stop always fails.

There in a patch for that! I made a bug report (54597), but it didn’t go in the code yet.  If you wanna patch it yourself, here it is.

--- modules/fcgid/fcgid_pm_main.c	(revision 1448988)
+++ modules/fcgid/fcgid_pm_main.c	(working copy)
@@ -333,10 +333,17 @@ 
                                   current_node->proc_pool);
         }
         else {
+#ifndef WIN32
             ap_log_error(APLOG_MARK, APLOG_WARNING, 0, main_server,
                          "mod_fcgid: process %" APR_PID_T_FMT
                          " graceful kill fail, sending SIGKILL",
                          current_node->proc_id.pid);
+#else
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, main_server,
+                         "mod_fcgid: process %" APR_PID_T_FMT
+                         " graceful kill fail, sending SIGKILL",
+                         current_node->proc_id.pid);
+#endif
             proc_kill_force(current_node, main_server);
         }
     }

Tags: , ,

apache HTTP Strict Transport Security with long duration

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.
How to achieve apache with a bullet proof SSL config and HTTP Strict Transport Security (HSTS) with long duration
Here is goes

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15553000; includeSubDomains"
</IfModule>
SSLUseStapling on
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

This gives a A+ at Qualys SSL Labs SSL Test.

Tags: ,

current 2013 bullet proof SSL config

Now in December 2013 the best available SSL config with a 4096 bit RSA Key and httpd Apache 2.4.7 with OpenSSL/1.0.1e.

SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

YES Windows XP is no longer supported with this. But for me there is no more need to do so.

ssl test lab result

The SSL Test Lap Test shows a very good result. The Cipher Strength is at 100%. So any browser will use a 256 bit encrypted connection to that server.

What is listen on my apache port?

On Windows it seems not to be that easy figure out if some process is listening on port 80 or 443.
A simple command line command can show the pid of the process that is listening.

netstat -ano | findstr /R 0.0:80 && netstat -ano | findstr /R 0.0:443

Easy ;)

Tags:

Apache defend CRIME Attack TLS / SSL

SSL Tests like https://www.ssllabs.com/ssltest/index.html show a vulnerability against CRIME Attack. To overcome / defend that with apache you can turn off the SSL compression.

SSLCompression off

That makes it easy to defend it.

Tags: , , , ,

Compling Apache 2.4 on Ubuntu or Debian

wget http://httpd.apache.org/dev/dist/httpd-2.4.2.tar.gz
wget http://httpd.apache.org/dev/dist/httpd-2.4.2-deps.tar.gz
tar xvfz httpd-2.4.2.tar.gz
tar xvfz httpd-2.4.2-deps.tar.gz
cd httpd-2.4.2/srclib
wget http://mirror.netcologne.de/apache.org//apr/apr-iconv-1.2.1.tar.gz
tar xvfz apr-iconv-1.2.1.tar.gz
mv apr-iconv-1.2.1 apr-iconv
wget http://zlib.net/zlib-1.2.6.tar.gz
tar xvfz zlib-1.2.7.tar.gz
mv zlib-1.2.7 zlib
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.21.tar.gz
tar xvfz pcre-8.21.tar.gz
mv pcre-8.21 pcre
wget http://www.openssl.org/source/http://openssl.org/source/openssl-1.0.1.tar.gz
tar xfz openssl-1.0.1.tar.gz
cd openssl-*
./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared
make
make test
sudo make install
cd ../..
./buildconf
./configure --prefix=/opt/apache2 --enable-pie --enable-mods-shared=all --enable-so --disable-include --enable-deflate --enable-headers --enable-expires --enable-ssl=shared --enable-mpms-shared=all --with-mpm=event --enable-rewrite --with-z=/home/mario/apache24/httpd-2.4.2/srclib/zlib --enable-module=ssl --enable-fcgid --with-included-apr
make 
sudo make install
cd ..
wget http://www.trieuvan.com/apache//httpd/mod_fcgid/mod_fcgid-2.3.7.tar.gz
tar xvfz mod_fcgid-2.3.7.tar.gz
cd mod_fcgid-*
APXS=/opt/apache2/bin/apxs ./configure.apxs
make
sudo make install

For using PHP install php-cgi

add httpd.conf

FcgidMaxProcesses 50
FcgidFixPathinfo 1
FcgidProcessLifeTime 0
FcgidTimeScore 3
FcgidZombieScanInterval 20
FcgidMaxRequestsPerProcess 0
FcgidMaxRequestLen 33554432
FcgidIOTimeout 120

in each vhost

Options Indexes ExecCGI
AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php

Tags: , , , , ,

Apache 2.4.x Better than rewriting

With httpd Apache 2.4.x is is more simple to do stuff than with 2.2.x

Like forcing the www. in front of a domain. Apache now supports the If Elseif Else :-) Pretty nice!
Light example

<If "$req{Host} != 'www.example.com'">
    RedirectMatch (.*) http://www.example.com$1
</If>

Easy, isn’t it?

A bit more old fashion way, so you can use the %{bla} stuff you already know.

<If "%{HTTP_HOST} == 'example.com'">
Redirect permanent / http://www.example.com
</If>

Also nice is the Define Directive.

OK you have to start apache with the -D parameter. Like httpd -D TEST

<IfDefine TEST>
Define servername test.example.com
</IfDefine>
<IfDefine !TEST>
Define servername www.example.com
Define SSL
</IfDefine>

If you have some example, please let me know!

Tags: , , , , ,

mod_dav_svn from subversion 1.7.x does not build against apache 2.4

Since the API in Apache 2.4.x has changed the mod_dav_svn module from svn doesn’t build currently. I made patch for that. There is only a small issue in subversion/mod_dav_svn/util.c

Index: util.c
===================================================================
--- util.c    (revision 1299310)
+++ util.c    (working copy)
@@ -627,8 +627,14 @@
         if (errscan->desc == NULL)
             continue;

-        if (errscan->save_errno != 0) {
+#if AP_MODULE_MAGIC_AT_LEAST(20091119,0)            
+        if (errscan->aprerr != 0) {
+            errno = errscan->aprerr;
+#else
+        if (errscan->save_errno != 0) {
             errno = errscan->save_errno;
+#endif
+
             ap_log_rerror(APLOG_MARK, level, errno, r, "%s  [%d, #%d]",
                           errscan->desc, errscan->status, errscan->error_id);
         }

Now it compiles against Apache 2.2 and Apache 2.4

 

Any feedback is welcome.

Tags: , , , ,

Apache 2.4 log level config

In the new apache 2.4 it is pretty cool to configure the logging via module.

LogLevel warn ssl:error auth_digest:error socache_shmcb:warn mpm_worker:warn fcgid:info

Archives by Subject:

Archives by Month: