Posts Tagged apache

Upgrading OpenSSL on Debian 6 (squeeze) or Ubuntu 8.04 (hardy)

The Problem on the long term ubuntu 8.04 and the current stable debian is that they ship the old OpenSSL 0.9.8o With that I wasn’t able to compile the new apache 2.4.1 with all the SSL features I want. Downloading the OpenSSL source and just configure make make install didn’t help at all.

checking whether to enable mod_ssl... checking dependencies 
 checking for OpenSSL... checking for user-provided OpenSSL base directory... none 
 checking for OpenSSL version >= 0.9.7... FAILED 
 configure: WARNING: OpenSSL version is too old 
 no 
 checking whether to enable mod_ssl... configure: error: mod_ssl has been requested but can not be built due to prerequisite failures 
 mario@h2020668:~/apache24/httpd-2.4.1$ openssl version 
 OpenSSL 0.9.8o 01 Jun 2010

The only thing that helped was to use the unix config script plus the right prefix plus the shared option

wget http://openssl.org/source/openssl-1.0.1.tar.gz 
 tar xfz openssl-1.0.1.tar.gz 
 cd openssl-* 
 ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared 
 make 
 sudo make install

 

Debian is very fine, but sometimes it sucks because of the lag of new software versions

Tags: , , , ,

mod_dav_svn from subversion 1.7.x does not build against apache 2.4

Since the API in Apache 2.4.x has changed the mod_dav_svn module from svn doesn’t build currently. I made patch for that. There is only a small issue in subversion/mod_dav_svn/util.c

Index: util.c
===================================================================
--- util.c    (revision 1299310)
+++ util.c    (working copy)
@@ -627,8 +627,14 @@
         if (errscan->desc == NULL)
             continue;

-        if (errscan->save_errno != 0) {
+#if AP_MODULE_MAGIC_AT_LEAST(20091119,0)            
+        if (errscan->aprerr != 0) {
+            errno = errscan->aprerr;
+#else
+        if (errscan->save_errno != 0) {
             errno = errscan->save_errno;
+#endif
+
             ap_log_rerror(APLOG_MARK, level, errno, r, "%s  [%d, #%d]",
                           errscan->desc, errscan->status, errscan->error_id);
         }

Now it compiles against Apache 2.2 and Apache 2.4

 

Any feedback is welcome.

Tags: , , , ,

mod_fcgid is crashing apache windows and linux

With apache 2.3.15 I had kinda  the same issue with mod_fcgidon ubuntu 8.04 as on windows.  With -k restart or -k graceful the server did not die like on windows, but the server delivered than only a 200 OK response header, but nothing more. Switching from worker mpm to event mpm seemed to solve this, but the server died later :-/

Since it has talmost the same issues like on windows I could make a patch that fixes this. Grab the patch (patched against trunk) for the patch for 2.3.6

The bug 50309 is now longer than a year listet. Bad that none applied it yet.

Tags: , , , , , ,

Secure apache against CVE-2011-3389 aka Beast attack

During the summer rumours about a new attack against SSL started circulating (CVE-2011-3389).
As it turns out, the attack itself was conceived years ago, deemed impractical, but it was nevertheless fixed in TLS 1.1. The new attack technique introduced a few optimizations to make it practical.

In terms of mitigation, I expect this problem will be largely addressed on the client side, despite a potential compatibility problem that may cause some TLS sites to stop working.

With this config you can avoid that attack.

SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL

#NO Longer needed cause since IE 7 this works ;) 
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

With OpenSSL 1.0.1 it must be

SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Tags: , , , ,

vserver ubuntu IPv6 network

Since some days there is IPv6 available for my server. But I noticed it just today. Editing /etc/network/interfaces and adding a new virtual interface didn’t work at all. The /etc/init.d/networking restart just showed errors. And ifconfig venet0 wasn’t satisfying.

What works is /etc/network/interfaces just adding the loopbback

iface lo inet6 loopback
        adress ::1
        netmask 128
        gateway fe80::1

Now the trick is to add /etc/rc.local and add this before exit 0

ip addr add 2a01:238:40ab:cd12:dead:beef:dead:beef/128 dev venet0
ip route add default via fe80::1 dev venet0

Than execute /etc/rc.local
Wonder o wonder. Ifconfig works and also ping6 ipv6.example.com

Than I had to add the new ipv6 adress to my apache config

Listen [2a01:238:40ab:cd12:dead:beef:dead:beef]:80

Don’t forget a to create a symlink from rc.local to /etc/rc2.d/S21rc2.local

Tags: , , , , , , ,

YSlow Etag misconfigured

YSlow hat gemeckert, dass der Etag misconfigured / falsch gesetzt sei.

Um das zu ändern muss man

FileEtag All

ändern zu

FileETag MTime Size

 

Wenn dann noch bei einzelnen Dateien fehler auftreten, wie z.B. dem favicon.ico fehlt der korrekte mime type.

Addtype font/truetype .ttf
AddType image/x-icon .ico

 

etags

Tags: , , , ,

Apache AJP reverse proxy

With apache it is possible to have a reverse proxy with AJP instead of http. With the use of mod_proxy_ajp it is very simple to set up and faster than just plain http protocol

<VirtualHost *:80>
    ServerName jenkins
    DocumentRoot "/mario/Apache22/htdocs"
    <Directory "/mario/Apache22/htdocs">
        Options Indexes Includes FollowSymLinks
        AllowOverride All
        Order Allow,Deny
        Allow from all
        Deny from none
    </Directory>
    <Location />
        ProxyPass ajp://localhost:8009/
        ProxyPassReverse ajp://localhost:8009/
    </Location>

    SetEnv vhostname jenkins
    Header add X-Server-Name %{vhostname}e
</virtualhost>

Than start the backend server, in this case only with AJP and listen only on localhost

java -jar jenkins.war --httpPort=-1 --ajp13ListenAddress=127.0.0.1

Tags: , , , , , ,

Zend framework lucene UTF-8 problem

I had issues with the zend framework and its implementation of lucene. It saved the values from my UTF-8 database in the lucene files with characters like UTF-8 in ISO 8859-1 like on the search result page. And I wasn’t able to search case insensitive.

I noticed that the apache header (zend server CE) wasn’t sending UTF-8. So I added AddDefaultCharset utf-8 to my httpd.conf. Didn’t help.

What helped: In the Bootstrap.php adding to the init of the search

Zend_Search_Lucene_Analysis_Analyzer::setDefault(new Zend_Search_Lucene_Analysis_Analyzer_Common_Utf8());
Zend_Search_Lucene_Search_QueryParser::setDefaultEncoding('utf-8');
Zend_Search_Lucene_Analysis_Analyzer::setDefault(new Zend_Search_Lucene_Analysis_Analyzer_Common_Utf8_CaseInsensitive());

In the model it is needed to decode it to ISO 8859-1 and than save it as UTF-8. Sounds insane, but it was the only thing that works for me.

$doc->addField(Zend_Search_Lucene_Field::Text('lucene_DB_CLOUMN_NAME',utf8_decode($db_apater_result['DB_CLOUMN_NAME']),'UTF-8'));

WTF Zend Lucene!

Tags: , , , , , , , , ,

configure apache 2.3 build

./configure –prefix=/opt/apache2 –enable-pie –enable-mods-shared=all –enable-authn-dbd –enable-so –disable-include –enable-deflate –enable-headers –enable-expires –enable-ssl=shared –enable-mpms-shared=all –with-mpm=worker –enable-rewrite –with-z=/home/mario/apache24/httpd-2.3.11-beta/srclib/zlib –enable-module=ssl –enable-fcgid

for fcgid

APXS=/opt/apache2/bin/apxs ./configure.apxs

Tags: , , , ,

mod lua error handling sux

I still dislike the 500 error handling in lua. Well scripting got easier with practicing :P But the error handling realy sux a lot compared to PHP where I come from. I made a bit “benchmarking”. OK I took very different scripts, but PHP seems faster to me than lua. Plus for lua is that you are able to write direcly into apache log files.

Tags: , , ,

Archives by Subject:

Archives by Month: