Archive for category apache

Secure apache against CVE-2011-3389 aka Beast attack

During the summer rumours about a new attack against SSL started circulating (CVE-2011-3389).
As it turns out, the attack itself was conceived years ago, deemed impractical, but it was nevertheless fixed in TLS 1.1. The new attack technique introduced a few optimizations to make it practical.

In terms of mitigation, I expect this problem will be largely addressed on the client side, despite a potential compatibility problem that may cause some TLS sites to stop working.

With this config you can avoid that attack.

SSLProtocol all -SSLv2
SSLHonorCipherOrder On

# No longer needed, because this works since IE 7 ;)
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
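
To confirm that a deployed config really carries the two directives above, the following added example (not part of the original post) evaluates the last SSLProtocol line token by token and reports whether any protocol older than TLS 1.1, the version the post names as fixed, is still enabled. The expansion of "all", the default when no directive is present, and the function names are assumptions of this example; per-VirtualHost scoping is ignored.

```shell
#!/bin/sh
# Added example, not from the original post.
# ASSUMPTION: "all" (and the default with no SSLProtocol line) expands to this set.
ALL_PROTOS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# Constructed sample input: the directives shown in the post.
sample_conf() {
cat <<'EOF'
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
EOF
}

# Reads an Apache config on stdin and prints one summary line.
audit_ssl_conf() {
    awk -v all="$ALL_PROTOS" '
    function setall(   i, n, a) {
        n = split(all, a, " ")
        for (i = 1; i <= n; i++) on[tolower(a[i])] = 1
    }
    BEGIN { setall(); honor = "off" }        # assumed defaults
    /^[ \t]*#/ { next }                      # skip comment lines
    tolower($1) == "sslhonorcipherorder" { honor = tolower($2) }
    tolower($1) == "sslprotocol" {
        split("", on)                        # each directive starts from an empty set
        for (i = 2; i <= NF; i++) {
            tok = tolower($i); act = ""
            if (tok ~ /^[+-]/) { act = substr(tok, 1, 1); tok = substr(tok, 2) }
            if (tok == "all" && act == "-") split("", on)
            else if (tok == "all") setall()
            else if (act == "-") delete on[tok]
            else { if (act == "") split("", on); on[tok] = 1 }
        }
    }
    END {
        n = split(all, a, " "); list = ""
        for (i = 1; i <= n; i++)
            if (tolower(a[i]) in on) list = list (list == "" ? "" : ",") a[i]
        old = (("sslv2" in on) || ("sslv3" in on) || ("tlsv1" in on)) ? "yes" : "no"
        printf "protocols=%s honor_order=%s pre_tls11=%s\n", list, honor, old
    }'
}

sample_conf | audit_ssl_conf
```
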

With OpenSSL 1.0.1 it must be



YSlow Etag misconfigured

YSlow complained that the ETag was misconfigured.

To change that, you have to change

FileEtag All

to

FileETag MTime Size


If errors still show up for individual files, such as favicon.ico, the correct MIME type is missing.

AddType font/truetype .ttf
AddType image/x-icon .ico




Apache AJP reverse proxy

With Apache it is possible to run a reverse proxy over AJP instead of HTTP. With mod_proxy_ajp it is very simple to set up, and it is faster than the plain HTTP protocol.

<VirtualHost *:80>
    ServerName jenkins
    DocumentRoot "/mario/Apache22/htdocs"
    <Directory "/mario/Apache22/htdocs">
        Options Indexes Includes FollowSymLinks
        AllowOverride All
        Order Allow,Deny
        Allow from all
        Deny from none
    </Directory>
    <Location />
        ProxyPass ajp://localhost:8009/
        ProxyPassReverse ajp://localhost:8009/
    </Location>

    SetEnv vhostname jenkins
    Header add X-Server-Name %{vhostname}e
</VirtualHost>

Then start the backend server, in this case with AJP only and listening only on localhost:

java -jar jenkins.war --httpPort=-1 --ajp13ListenAddress=
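
Whether the backend really listens only on localhost can be checked from the socket table. The following added example (not part of the original post) reads `ss -ltn` style output on stdin and reports whether port 8009, the AJP port from the ProxyPass lines, is bound to loopback addresses only. Using `ss` (Linux iproute2) with the local address in column 4, and the function names, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample: AJP bound to loopback (IPv4 and IPv4-mapped IPv6).
sample_loopback() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port       Peer Address:Port
LISTEN 0      50     127.0.0.1:8009           0.0.0.0:*
LISTEN 0      50     [::ffff:127.0.0.1]:8009  *:*
LISTEN 0      128    0.0.0.0:80               0.0.0.0:*
EOF
}

# Constructed sample: AJP bound to the wildcard address on both stacks.
sample_exposed() {
cat <<'EOF'
LISTEN 0      50     0.0.0.0:8009             0.0.0.0:*
LISTEN 0      50     [::]:8009                [::]:*
EOF
}

# ajp_bind_check PORT < ss-output
# Prints "loopback-only", "exposed <addrs>" or "not-listening";
# returns 0 only for "loopback-only".
ajp_bind_check() {
    result=$(awk -v port="$1" '
        $1 != "LISTEN" { next }              # skips the header line too
        {
            la = $4
            p = la; sub(/^.*:/, "", p)       # text after the last colon is the port
            if (p != port) next
            addr = substr(la, 1, length(la) - length(p) - 1)
            gsub(/\[|\]/, "", addr)          # strip IPv6 brackets
            sub(/%.*$/, "", addr)            # strip an interface scope such as %lo
            seen = 1
            if (addr !~ /^127\./ && addr != "::1" && addr !~ /^::ffff:127\./)
                bad = bad " " addr
        }
        END {
            if (!seen) print "not-listening"
            else if (bad != "") print "exposed" bad
            else print "loopback-only"
        }')
    echo "$result"
    [ "$result" = "loopback-only" ]
}

sample_loopback | ajp_bind_check 8009
sample_exposed | ajp_bind_check 8009 || true
```

On a live host the input would come from `ss -ltn | ajp_bind_check 8009`.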


Building 2.3.12 beta

./configure --prefix=/opt/apache2 --enable-pie --enable-mods-shared=all --enable-so --disable-include --enable-deflate --enable-headers --enable-expires --enable-ssl=shared --enable-mpms-shared=all --with-mpm=worker --enable-rewrite --with-z=/home/mario/apache24/httpd-2.3.12-beta/srclib/zlib --enable-module=ssl --enable-fcgid
sudo make install


cd ../fcgid
APXS=/opt/apache2/bin/apxs ./configure.apxs
sudo make install

configure apache 2.3 build

./configure --prefix=/opt/apache2 --enable-pie --enable-mods-shared=all --enable-authn-dbd --enable-so --disable-include --enable-deflate --enable-headers --enable-expires --enable-ssl=shared --enable-mpms-shared=all --with-mpm=worker --enable-rewrite --with-z=/home/mario/apache24/httpd-2.3.11-beta/srclib/zlib --enable-module=ssl --enable-fcgid

for fcgid

APXS=/opt/apache2/bin/apxs ./configure.apxs


mod lua error handling sux

I still dislike the 500 error handling in Lua. Well, scripting got easier with practice :P But the error handling really sux a lot compared to PHP, where I come from. I did a bit of “benchmarking”. OK, I took very different scripts, but PHP seems faster to me than Lua. A plus for Lua is that you are able to write directly into the Apache log files.


first script for mod_lua apache2.3/2.4

function handle(r)
	r.content_type = "text/html"
	--r.headers_out["X-Powered-By"] = "mod_lua; " .. _VERSION
	return apache2.OK
end

mod_lua expects a function with the name handle(), otherwise there is a 500 error. The error handling is pretty annoying…


compile lua on windows

Grab the “newest” (2008)
unpack it. Compiling with VC++ is very easy.

Open the x64 command line
%comspec% /E:ON /V:ON /T:0E /K "C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\SetEnv.cmd" /Release
or the x86 command line
%comspec% /k ""C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\vcvarsall.bat"" x86

Browse to the Lua folder and run

copy /y src\*.* .\



build mod_geoip

Obtain GeoIP-1.4.6 from and build it per the included instructions.
Build the module against an IPv6-enabled Apache build.

del *.obj *.exp *.lib *.so
set APACHE=C:\Apache22
set GEOIPROOT=C:\Build\GeoIP-1.4.6
cl  /nologo /MD /O2 /LD /W3 -DWIN32 -D_WIN32 -I%GEOIPROOT%\libGeoIP -I%APACHE%\include /c /Fomod_geoip.obj mod_geoip.c
link /NODEFAULTLIB:LIBCMT kernel32.lib "%APACHE%\lib\libhttpd.lib" "%APACHE%\lib\libapr-1.lib" "%APACHE%\lib\libaprutil-1.lib" "%GEOIPROOT%\libGeoIP\GeoIP.lib" /nologo /subsystem:windows /dll /machine:I386 / mod_geoip.obj


Giving mod_logrotate a signature

This is my first attempt at giving a third-party module a signature.

--- mod_log_rotate.c.orig    2008-07-24 13:17:45.000000000 +0200
+++ mod_log_rotate.c    2010-11-21 02:31:43.123503300 +0100
@@ -399,6 +399,19 @@
 return add;
+/* map into the first apache */
+static int log_rotate_post_config( apr_pool_t * p, apr_pool_t * plog, apr_pool_t * ptemp, server_rec * s)
+    ap_add_version_component(p, "mod_log_rotate/1.00");
+    return OK;
+static void log_rotate_register_hooks(apr_pool_t *p)
+    ap_hook_post_config( log_rotate_post_config,   NULL, NULL, APR_HOOK_MIDDLE );
 module AP_MODULE_DECLARE_DATA log_rotate_module = {
 NULL,                       /* create per-dir config */
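
Review bot: the version string passed to ap_add_version_component in log_rotate_post_config is the hard-coded literal "mod_log_rotate/1.00"; define it once as a macro next to the module's other constants so the advertised version cannot drift from the real release. The comment "/* map into the first apache */" does not say what the function does; a comment stating that it adds the module name to the server version string would document it. The plog, ptemp and s parameters are unused, which is normal for a post_config hook but worth a short remark in that comment.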
@@ -406,6 +419,6 @@
 make_log_options,           /* server config */
 merge_log_options,          /* merge server config */
 rotate_log_cmds,            /* command apr_table_t */
-    NULL                        /* register hooks */
+    log_rotate_register_hooks   /* register hooks */
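
Review bot: the last initializer of log_rotate_module now names log_rotate_register_hooks, so that function has to be declared before the struct; the first hunk defines it directly above, which works, but a forward declaration near the top of the file would keep the build intact if the function is ever moved below the module declaration.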

