Apache 2.4 Disallow access to a certain location if a query string is set

Posted on by mario

Disallow access / require an IP to a certain location if a query string is set

 <LocationMatch ^/test.php>
        <If "%{QUERY_STRING} =~ /action=login/">
            Require ip 192.168.178.100
        </If>
    </LocationMatch>

http://localhost/test.php works for everyone.

http://localhost/test.php?action=login works only for the ip 192.168.178.100

The “new” Apache 2.4 is different if you compare it to the 2.2 version of things. But once you understand it, it makes things easier and more readable. With 2.2 you would have needed more lines and mod_rewrite to get that working. See also Apache 2.4.x Better than rewriting

SSLCipherSuite alias crypto wars

Posted on by mario

Choosing the correct SSL cipher can be very difficult. Having the best encryption, still fast, having a “Modern compatibility”.

 

The current best solustion is with all browsers to have 256 bit encryption ( Chrome is currently the only browser that uses only 128 bit with this config).
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

— Edit —

Chrome might barf about a not modern config, hoever the encryption is not 256 in all cases. That is why I switched back to

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

debian boots into uefi shell

Posted on by mario

Today one of my linux servers did not boot. Instead there was a grub uefi shell. Typing the help command listed a bunch of commands in dark blue on a dark grey. Not easy to read. Trying to use the gui did not solve the problem. Resetting the config did also not help. Some forum posts said to create a symlink to the efi file. My issue was that /boot/efi is a separate partion due btrfs on the my system.

What did work was using the command line to add the efi again.

bcfg boot add 0 fs0:\EFI\debian\grubx64.efi "Debian"

However writing in english mode on a german style keyboard is often “times of wonder”. Use # ( hash) for the backslash and ä for the quotes. I still wonder why I have to use a backslash on a linux system…

You Know You’re a ChileHead if

Posted on by mario
  1. You don’t have to worry about your roommates stealing your food
  2. Your toilet paper spontaneously combusts after use
  3. You’re tired of people asking about those dried Thai peppers floating around in your breakfast cereal.
  4. More than half of the souvenirs from that last tropical vacation were hot sauces and spices
  5. You never go in to a food store without checking the price, or selection of hot peppers and hot sauces.
  6. The door of your refrigerator has more than ten bottles of hot sauce.
  7. The sissy salsa you made, accidentally, seems to set most of your coworkers on fire.
  8. “Ring of fire” and “burns twice” actually mean something to you.
  9. You have ever sent/received contraband Chile seeds from a foreign country
  10. you sweat, even in the middle of winter.
  11. You carry one of those little Tabasco bottles around with you. Just in case.
  12. When cooking, you often start sneezing. Just because.

Public Key Pinning php for httpd apache

Posted on by mario

Public Key Pinning Extension for HTTP (HPKP) on Apache2. HPKP tries to detect MITM attacks with valid certificates. The browser stores the hash code in the internal storage and verifies the public key against that sum.

Since it is not that easy to create a public pin under windows, here is a php script that does this

<?php
// openssl x509 -in example.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
if(!isset($argv['1'])){
    die('certificate not set');
}
$certificate = $argv['1'];
$public_key = openssl_get_publickey(file_get_contents($certificate));
$public_key_details = openssl_pkey_get_details($public_key);
$public_key_pem = $public_key_details['key'];

//Convert PEM to DER before SHA1'ing
$string_start = '-----BEGIN PUBLIC KEY-----';
$string_end = '-----END PUBLIC KEY-----';
$pem_trimed = substr($public_key_pem, (strpos($public_key_pem, $string_start)+strlen($string_start)), (strlen($public_key_pem) - strpos($public_key_pem, $string_end))*(-1));
$der = base64_decode($pem_trimed);

// 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= is an empty hash
echo PHP_EOL. "Header always set Public-Key-Pins 'pin-sha256=\"" . base64_encode(openssl_digest($der,'sha256',true)) ."\"; pin-sha256=\"bZ3qT75yZLagDEADBEEF0h3KAseeheXXJ5dliOfLB2A=\"; max-age=5184000'". PHP_EOL;

Add that config statement to correct SSL vhost

 

C:\>php public_pinning.php example.crt

<VirtualHost *:443>
	ServerName example.com
    ServerAlias www.example.com
Header always set Public-Key-Pins "pin-sha256=\"bZ3qT75yZLagDEADBEEF0h3KAseeheXXJ5dliOfLB2A=\"; "pin-sha256=\"sef3575yZLagDEADBEEF0h3KAseeheXXJ5dliOfLdfe=\"; max-age=5184000"

How to set up git over apache 2.4 on Windows

Posted on by mario

How to set up git apache 2.4 on Windows

At my first shot I was abl to glone the repo but I wasn’t able to push into the repo. Setting the LogLevel to debug showed: AH01215: Service not enabled: ‘receive-pack’: C:/Program Files (x86)/Git/libexec/git-core/git-http-backend.exe

Googling suggested to enable WebDAV. I doubted that but tried it anyway. Trail and error! It did not work about. The git client showed a 403 -> an access or authentication error.   The authentication triggered something in my mind. So I searched for the auth variable that git uses. Et voilà: Git uses the remote user in a different way.
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
The following set up is not secure, just for local testing. It requires  a http authentication ;)

<VirtualHost *:80>
    ServerName git.local.apachehaus.de
    DocumentRoot "/Users/mario/work/git"
    CustomLog "C:\nul" common

    SetEnv GIT_PROJECT_ROOT /Users/mario/work/git
    SetEnv GIT_HTTP_EXPORT_ALL true
    SetEnv REMOTE_USER $REDIRECT_REMOTE_USER

    ScriptAliasMatch "(?x)^/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38} | pack/pack-[0-9a-f]{40}.(pack|idx)) | git-(upload|receive)-pack))$" "C:/Program Files (x86)/git/libexec/git-core/git-http-backend.exe/$1"

    <Directory "/Users/mario/work/git">
        Options Indexes FollowSymLinks ExecCGI
        AllowOverride All
        Require all granted
    </Directory>
    <Directory "C:/Program Files (x86)/git/libexec/git-core/">
        Options ExecCGI
    </Directory>
    <Directory />
        Options Indexes FollowSymLinks ExecCGI
        Require all granted
    </Directory>
</VirtualHost>

fcgid x-httpd-php-source highlighting

Posted on by mario

The new way running PHP on apache not as a module but over fcgid can increase the performance on a multicore CPU system and it is possible to run the PHP process not as the apache user (often www-data), but for example as the ftp user. So when apache creates a file the owner is not www-data, but the ftp user.
I’ve seen many setups allowing ExecCGI  for the vhost. That is a bad practice. It is much better allow it only for the needed files.

<VirtualHost *:80>
    ServerName example.local
    DocumentRoot "/Users/mario/www"
    CustomLog "C:\nul" common
    <IfModule fcgid_module>
        FcgidPassHeader Authorization
        <Files ~ "\.php$">
            Options ExecCGI
            AddHandler fcgid-script .php
            FcgidWrapper "C:/users/mario/php5/php-cgi.exe" .php
        </Files>
    </IfModule>
    <Directory "/Users/mario/www>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

With the module it was possible to highlight PHP file with x-httpd-php-source. That option is not available with fcgid. So I had to think how to enable with but not going back to the module which often crashed my apache.

 

What works is to use the php parameters on the command line.

        <Files ~ "\.phps$">
            Options ExecCGI
            AddHandler fcgid-script .php
            FcgidWrapper "C:/users/mario/php5/php-cgi.exe -s" .php
        </Files>

 

A full example on Windows.

<IfModule fcgid_module>
    FcgidConnectTimeout 10
    FcgidMaxProcesses 300
    FcgidMaxProcessesPerClass 300
    FcgidOutputBufferSize 64
    ProcessLifeTime 0
    FcgidMaxRequestsPerProcess 0
    FcgidMinProcessesPerClass 0
    FcgidFixPathinfo 0
    FcgidProcessLifeTime 0
    FcgidZombieScanInterval 20
    FcgidMaxRequestLen 536870912
    FcgidIOTimeout 120
    FcgidTimeScore 3
</IfModule>

<VirtualHost *:80>
    ServerName example.local
    DocumentRoot "/Users/mario/www"
    CustomLog "C:\nul" common
    <IfModule fcgid_module>
        FcgidInitialEnv PHPRC "C:\\Users\mario\\php5"
        FcgidInitialEnv PATH "C:\\Users\mario\\php5;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;"
        FcgidInitialEnv SystemRoot "C:\\Windows"
        FcgidInitialEnv SystemDrive "C:"
        FcgidInitialEnv TEMP "C:\\WINDOWS\\TEMP"
        FcgidInitialEnv TMP "C:\\WINDOWS\\TEMP"
        FcgidInitialEnv windir "C:\\WINDOWS"
        FcgidPassHeader Authorization
        <Files ~ "\.php$">
            Options ExecCGI
            AddHandler fcgid-script .php
            FcgidWrapper "C:/users/mario/php5/php-cgi.exe" .php
        </Files>
        <Files ~ "\.phps$">
            Options ExecCGI
            AddHandler fcgid-script .php
            FcgidWrapper "C:/users/mario/php5/php-cgi.exe -s" .php
        </Files>
    </IfModule>
    <Directory "/Users/mario/www>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>


On Linux is is just a little different


 


FCGIWrapper /usr/bin/php5-cgi .php


and only


FcgidPassHeader Authorization