‘Apache’ Articles at Mario, Page 2

Fun with windows subsystem for linux

Posted on 15.02.201722.06.2020 by mario

After the install and the required reboot I was able to start bash. At first I was confused where to find the files from the home directory. It isn’t the one from windows itself.
Well I found it in AppData\Local\lxss . So each user has his / her own files.

Since I was able to find most stuff I wanted to know if I am able to compile httpd apache on it. I cloned https://github.com/jblond/debian_build_apache24.git and the build went smooth.
But apache didn’t start. Adding AcceptFilter http none and AcceptFilter https none helped. To get rid of the first error messages. But still apache wasn’t starting. Got the following error message.

[Tue Jan 24 22:31:33.590385 2017] [fcgid:emerg] [pid 1289:tid 140034843477824] (38)Function not implemented: mod_fcgid: Can't create shared memory for size 1200712 bytes

Okay, I disabled mod_fcgid and apache starts with /opt/apache2/bin/httpd -k start . Even running bash.exe ~ as Adminstrator did not solve to run fcgid.
I have to find out how to run mod_fcgid. I like to run PHP over fcgid.

http/2.0 sslciphersuites with 256 bit alias crypto wars part four

Posted on 29.11.201615.03.2018 by mario

To get rid of 128 bit encryption I had to disable

ECDHE-RSA-AES128-GCM-SHA256

But then I got error messages from the popular browsers Server negotiated HTTP/2 with blacklisted suite. That is caused by DHE-RSA-AES256-SHA and ECDHE-RSA-AES256-SHA

With a lof of trial and error I came to the following

Listen 443
<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15553000; preload"
    </IfModule>
</If>

ProtocolsHonorOrder On
Protocols h2c h2 http/1.1

SSLUseStapling off
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256

However that has the negative effect that Android smaller than 7 and smaller than IE 11 can’t connect to the server. Also some older Firefox versions can’t connect. Depending on the application it might be worth to use such a config that doesn’t allow 128 bit encrypted connections.

http/2.0 sslciphersuites alias crypto wars part three

Posted on 22.02.201615.03.2018 by mario

It has been a while since I wrote part two of the crypto wars. Luckily Peter Mosmans has backported ChaCha20 and Poly1305 ciphers of OpenSSL 1.1.0 to 1.0.2 on github so that at least Chrome browser can use 256 bit encryption over HTTP/2

However on the httpd dev mailing list there are a few people already talking about making changes to APR and httpd so that it will compile with OpenSSL 1.1.0

The config for that is:

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 
SSLCompression Off 
SSLHonorCipherOrder On 
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA

Why 256 bit? 128 bit hasn’t been cracked yet. The answer is that the collection of data and the data will decrypted when the time has come with a new generation of computers.

How to set up git over apache 2.4 on Windows

Posted on 27.04.2015 by mario

How to set up git apache 2.4 on Windows

At my first shot I was abl to glone the repo but I wasn’t able to push into the repo. Setting the LogLevel to debug showed: AH01215: Service not enabled: ‘receive-pack’: C:/Program Files (x86)/Git/libexec/git-core/git-http-backend.exe

Googling suggested to enable WebDAV. I doubted that but tried it anyway. Trail and error! It did not work about. The git client showed a 403 -> an access or authentication error. The authentication triggered something in my mind. So I searched for the auth variable that git uses. Et voilà: Git uses the remote user in a different way.
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
The following set up is not secure, just for local testing. It requires a http authentication ;)

<VirtualHost *:80>
    ServerName git.local.apachehaus.de
    DocumentRoot "/Users/mario/work/git"
    CustomLog "C:\nul" common

    SetEnv GIT_PROJECT_ROOT /Users/mario/work/git
    SetEnv GIT_HTTP_EXPORT_ALL true
    SetEnv REMOTE_USER $REDIRECT_REMOTE_USER

    ScriptAliasMatch "(?x)^/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38} | pack/pack-[0-9a-f]{40}.(pack|idx)) | git-(upload|receive)-pack))$" "C:/Program Files (x86)/git/libexec/git-core/git-http-backend.exe/$1"

    <Directory "/Users/mario/work/git">
        Options Indexes FollowSymLinks ExecCGI
        AllowOverride All
        Require all granted
    </Directory>
    <Directory "C:/Program Files (x86)/git/libexec/git-core/">
        Options ExecCGI
    </Directory>
    <Directory />
        Options Indexes FollowSymLinks ExecCGI
        Require all granted
    </Directory>
</VirtualHost>

Poodle is back and against TLS, too CVE-2014-8730

Posted on 09.12.201415.03.2018 by mario

With CVE-2014-8730 the POODLE attack is back. However with the right config it is not an issue. https://mariobrandt.de/archives/apache/current-2013-bullet-proof-ssl-config-779/ is still the right config for this :) Make sure that your server is bullet proof, too.

mod_fcgid is polluting my error log on windows

Posted on 14.06.2014 by mario

Well I really like mod_fcgid with PHP on my Apaches on Windows. But since every time a PHP process get it’s signal to die, mod_fcgid creates on windows an entry in the error log cause the graceful stop always fails.

There in a patch for that! I made a bug report (54597), but it didn’t go in the code yet. If you wanna patch it yourself, here it is.

--- modules/fcgid/fcgid_pm_main.c	(revision 1448988)
+++ modules/fcgid/fcgid_pm_main.c	(working copy)
@@ -333,10 +333,17 @@ 
                                   current_node->proc_pool);
         }
         else {
+#ifndef WIN32
             ap_log_error(APLOG_MARK, APLOG_WARNING, 0, main_server,
                          "mod_fcgid: process %" APR_PID_T_FMT
                          " graceful kill fail, sending SIGKILL",
                          current_node->proc_id.pid);
+#else
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, main_server,
+                         "mod_fcgid: process %" APR_PID_T_FMT
+                         " graceful kill fail, sending SIGKILL",
+                         current_node->proc_id.pid);
+#endif
             proc_kill_force(current_node, main_server);
         }
     }

apache HTTP Strict Transport Security with long duration

Posted on 09.04.201415.03.2018 by mario

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.
How to achieve apache with a bullet proof SSL config and HTTP Strict Transport Security (HSTS) with long duration
Here is goes

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15553000; includeSubDomains"
</IfModule>
SSLUseStapling on
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

This gives a A+ at Qualys SSL Labs SSL Test.

current 2013 bullet proof SSL config

Posted on 10.12.201315.03.2018 by mario

Now in December 2013 the best available SSL config with a 4096 bit RSA Key and httpd Apache 2.4.7 with OpenSSL/1.0.1e.

SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

YES Windows XP is no longer supported with this. But for me there is no more need to do so.

The SSL Test Lap Test shows a very good result. The Cipher Strength is at 100%. So any browser will use a 256 bit encrypted connection to that server.

What is listen on my apache port?

Posted on 15.05.2013 by mario

On Windows it seems not to be that easy figure out if some process is listening on port 80 or 443.
A simple command line command can show the pid of the process that is listening.

netstat -ano | findstr /R 0.0:80 && netstat -ano | findstr /R 0.0:443

Easy ;)

Apache defend CRIME Attack TLS / SSL

Posted on 10.10.201225.11.2012 by mario

SSL Tests like https://www.ssllabs.com/ssltest/index.html show a vulnerability against CRIME Attack. To overcome / defend that with apache you can turn off the SSL compression.

SSLCompression off

That makes it easy to defend it.

Tag: apache