Showing posts with label APACHE.

Thursday, May 9, 2024

Enhancing PHP Security: Best Practices and Configuration Tips


PHP, as a server-side scripting language, is widely used to create dynamic web pages. However, ensuring the security of PHP applications is crucial to protect against hacking attempts and malware injections. This article discusses essential PHP security practices and configuration tips to enhance the security of your PHP applications.

Viewing PHP Settings: Before diving into security configuration, it's essential to know how to view the current PHP settings. One simple way is to create a PHP file containing the phpinfo() function and then browse to that file to see the PHP information page:
<?php phpinfo(); ?>
Remove the file once you are done: it discloses the full PHP and server configuration to anyone who can reach it.
Preventing Hacking Attempts:

Disable Functions: PHP provides the disable_functions directive to disable certain functions for security reasons. Functions like exec, passthru, shell_exec and others let a script run operating-system commands and pose a security risk if an attacker manages to inject PHP code. Disable them in the php.ini file:
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source

Safe Mode: Safe mode is a security feature designed to prevent PHP scripts from executing commands at the operating system level. To disable safe mode, modify the php.ini file (safe_mode was removed in PHP 5.4, so on current versions this directive has no effect):
safe_mode = Off
open_basedir Restriction: Use the open_basedir directive to define the locations from which PHP is allowed to access files. Configure it in WHM (Web Host Manager) to restrict access to specific directories.

Register Globals: Register Globals is an internal PHP setting that can pose security risks by automatically creating variables from request input. It's recommended to disable register globals in the php.ini file (the directive was removed in PHP 5.4):
register_globals = off
allow_url_fopen: The allow_url_fopen setting controls whether URLs can be opened as if they were files, for example in PHP include() statements; disabling it reduces the risk of including malicious remote code. Disable it in the php.ini file (the related allow_url_include directive, Off by default, separately governs include() and require() of URLs):
allow_url_fopen = Off
Magic Quotes: Magic Quotes automatically escapes special characters in PHP input variables, which was meant to prevent SQL injection attacks. However, it's deprecated (removed in PHP 5.4) and relying on it can lead to security vulnerabilities; escape or parameterize input in the application instead. Disable it in the php.ini file:
magic_quotes_gpc = Off
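As an added example (not part of the original post), the following Python script audits a php.ini text for the directives discussed above. Both ini samples are constructed; directives that are absent fall back to the built-in PHP defaults assumed in the DEFAULTS table.

```python
# Added example, not from the original post: audit a php.ini text for the
# hardening directives discussed above. Both ini samples below are constructed.

# Functions the post lists for disable_functions.
RISKY_FUNCTIONS = {
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "curl_exec", "curl_multi_exec", "parse_ini_file", "show_source",
}

# Built-in defaults PHP applies when a directive is absent (assumed from the
# PHP manual). safe_mode, register_globals and magic_quotes_gpc were removed
# in PHP 5.4, so those checks only matter on older interpreters.
DEFAULTS = {
    "allow_url_fopen": "On", "allow_url_include": "Off", "expose_php": "On",
    "safe_mode": "Off", "register_globals": "Off", "magic_quotes_gpc": "On",
}
MUST_BE_OFF = ("allow_url_fopen", "allow_url_include", "register_globals",
               "magic_quotes_gpc", "expose_php")


def parse_ini(text):
    """Return {directive: value} from php.ini text; ';' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank, comment-only, [section] or malformed line
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_off(value):
    """php.ini booleans: Off/0/No/False/None and '' are false, anything else true."""
    return value.strip().lower() in ("", "0", "off", "no", "false", "none")


def audit_php_ini(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_ini(text)
    findings = []
    disabled = {f.strip().lower()
                for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(RISKY_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    for directive in MUST_BE_OFF:
        if not is_off(s.get(directive, DEFAULTS[directive])):
            findings.append(f"{directive} is On (set {directive} = Off)")
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set (scripts can read any file the "
                        "web server user can)")
    return findings


WEAK_INI = """\
; constructed sample of a weak php.ini
[PHP]
disable_functions = exec, passthru
allow_url_fopen = On
expose_php = On
"""

HARDENED_INI = """\
; constructed sample after applying the post's recommendations
[PHP]
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
magic_quotes_gpc = Off
expose_php = Off
open_basedir = "/var/www/html:/tmp"
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label + ":", audit_php_ini(ini) or ["all checks passed"])
```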

Conclusion: Implementing these PHP security best practices and configuration tips can significantly enhance the security of your PHP applications. Regularly review and update your PHP configurations to stay protected against evolving security threats. By prioritizing security measures, you can ensure the integrity and reliability of your PHP-based web applications.

Saturday, November 12, 2016

Wordpress : Mixed Content Warnings with HTTPS

If you want to make sure that your server/website is ready to handle HTTPS traffic that a reverse proxy or load balancer terminates in front of WordPress, you can do this via your /wp-config.php file.

/* Handle HTTPS Protocol: trust the proxy's X-Forwarded-Proto header */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

This makes your website/server treat requests that reached the proxy over HTTPS as HTTPS, so WordPress generates https:// links and the mixed content warnings stop. Only add this when the proxy always sets or overwrites X-Forwarded-Proto on the way in; if clients can reach PHP directly, anyone can send that header themselves and make a plain HTTP request look secure.

Wednesday, June 18, 2014

Openstack Icehouse Part 3 NOVA

COMPUTE SERVER CONFIGURATION On Controller


yum -y install openstack-nova-api openstack-nova-cert openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler python-novaclient

openstack-config --set /etc/nova/nova.conf database connection mysql://nova:nova4mar@controller/nova
openstack-config --set /etc/nova/nova.conf DEFAULT rpc_backend qpid
openstack-config --set /etc/nova/nova.conf DEFAULT qpid_hostname controller

openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 192.168.216.130
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 192.168.216.130
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address 192.168.216.130

mysql -u root -p
CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova4mar';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova4mar';
exit

#Create the Compute service tables:

su -s /bin/sh -c "nova-manage db sync" nova



keystone user-create --name=nova --pass=nova4mar --email=nova@example.com
keystone user-role-add --user=nova --tenant=service --role=admin

openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_uri http://controller:5000
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_host controller
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_protocol http
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_port 35357
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_user nova
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_password nova4mar
keystone service-create --name=nova --type=compute --description="OpenStack Compute"
keystone endpoint-create --service-id=$(keystone service-list | awk '/ compute / {print $2}') --publicurl=http://controller:8774/v2/%\(tenant_id\)s --internalurl=http://controller:8774/v2/%\(tenant_id\)s --adminurl=http://controller:8774/v2/%\(tenant_id\)s

service openstack-nova-api start
service openstack-nova-cert start
service openstack-nova-consoleauth start
service openstack-nova-scheduler start
service openstack-nova-conductor start
service openstack-nova-novncproxy start
chkconfig openstack-nova-api on
chkconfig openstack-nova-cert on
chkconfig openstack-nova-consoleauth on
chkconfig openstack-nova-scheduler on
chkconfig openstack-nova-conductor on
chkconfig openstack-nova-novncproxy on

nova image-list



Add rules to the default Nova security group to allow SSH access and ping to instances (0.0.0.0/0 opens them from any address; in production, narrow the SSH rule to your management network):
nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0


NOVA ON COMPUTE NODE


Install the Compute packages:

yum -y install openstack-nova-compute

Edit the /etc/nova/nova.conf configuration file (replace NOVA_DBPASS with the database password set on the controller, nova4mar above):

openstack-config --set /etc/nova/nova.conf database connection mysql://nova:NOVA_DBPASS@controller/nova
openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_uri http://controller:5000
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_host controller
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_protocol http
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_port 35357
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_user nova
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_password nova4mar

openstack-config --set /etc/nova/nova.conf DEFAULT rpc_backend qpid
openstack-config --set /etc/nova/nova.conf DEFAULT qpid_hostname controller

#Configure Compute to provide remote console access to instances.

openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 192.168.216.140
openstack-config --set /etc/nova/nova.conf DEFAULT vnc_enabled True
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 0.0.0.0
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address 192.168.216.140
openstack-config --set /etc/nova/nova.conf DEFAULT novncproxy_base_url http://controller:6080/vnc_auto.html

#Specify the host that runs the Image Service.

openstack-config --set /etc/nova/nova.conf DEFAULT glance_host controller

#You must determine whether your system's processor and/or hypervisor support hardware acceleration for virtual machines.

Run the following command:
$ egrep -c '(vmx|svm)' /proc/cpuinfo
If this command returns a value of one or greater, your system supports hardware acceleration, which typically requires no additional configuration.
If this command returns a value of zero, your system does not support hardware acceleration and you must configure libvirt to use QEMU instead of KVM.
Run the following command:
# openstack-config --set /etc/nova/nova.conf libvirt virt_type qemu
Start the Compute service and configure it to start when the system boots:

service libvirtd start
service messagebus start
chkconfig libvirtd on
chkconfig messagebus on
service openstack-nova-compute start
chkconfig openstack-nova-compute on

Wednesday, May 28, 2014

Installing ffmpeg-php with php5.4

 

yum update
yum install gcc make automake bzip2 unzip patch subversion libjpeg-devel yasm

Installing the DAG repo for ffmpeg

yum install http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

yum install ffmpeg ffmpeg-devel ffmpeg-libpostproc
yum install mplayer

 

In cPanel, install all the needed modules:

/scripts/installruby
gem install flvtool2

yum install mencoder gpac gpac-libs

Let's get ffmpeg-php:

wget http://downloads.sourceforge.net/ffmpeg-php/ffmpeg-php-0.6.0.tbz2
tar xjf ffmpeg-php-0.6.0.tbz2
cd ffmpeg-php-0.6.0
sed -i 's/PIX_FMT_RGBA32/PIX_FMT_RGB32/g' ffmpeg_frame.c
phpize
./configure
make
Note: If you are running PHP 5.4 you may need to make the following changes, then run "make" again:

pico ffmpeg_movie.c
In ffmpeg_movie.c, change:
row 311: list_entry *le; TO zend_rsrc_list_entry *le;
row 346: list_entry new_le; TO zend_rsrc_list_entry new_le;
row 360: hashkey_length+1, (void *)&new_le, sizeof(list_entry), TO hashkey_length+1, (void *)&new_le, sizeof(zend_rsrc_list_entry),

Now let's really install everything:

make test
make install
## you will get output like the following
Installing shared extensions: /usr/local/lib/php/extensions/no-debug-non-zts-20100525/

pico /usr/local/lib/php.ini
Now add the following to the end of the file, substituting for no-debug-non-zts-20100525 the directory shown by "make install" above:

extension_dir = "/usr/local/lib/php/extensions/no-debug-non-zts-20100525"
extension="ffmpeg.so"

 

Thursday, May 15, 2014

Apache load balancing using mod_jk

Assume you have two Tomcat servers, both already configured, with Tomcat's AJP connector listening on port 8009 on each.

Download the module from http://tomcat.apache.org/download-connectors.cgi

Sample version: http://apache.mirrors.hoobly.com/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.40-src.tar.gz

# tar -xzf tomcat-connectors-1.2.40-src.tar.gz

# cd tomcat-connectors-1.2.40-src/native/

# which apxs

# ./configure --with-apxs=/usr/sbin/apxs --enable-api-compatibility

# make

# make install

After this completes you will find the mod_jk.so file at /usr/lib64/httpd/modules/mod_jk.so; otherwise copy the module into Apache's module directory yourself.

If that went well, the installation part is complete. Let's start on the configuration part.

Open httpd.conf and add the following at the end of the file.

# vi /etc/httpd/conf/httpd.conf

JkWorkersFile "/etc/httpd/conf/worker.properties"
JkLogFile "/var/log/httpd/mod_jk.log"
JkRequestLogFormat "%w %V %T"
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"

Add the following two lines inside the VirtualHost:

JkMount / loadbalancer
JkMount /status status

Content of worker.properties. Each node's jvm_route must equal the jvmRoute of the Tomcat Engine it points at, otherwise sticky sessions cannot be routed back to the node that created them; the status worker at the end gives you the status page mounted at /status above.

cat /etc/httpd/conf/worker.properties
worker.list=loadbalancer,status

worker.template.type=ajp13
worker.template.connection_pool_size=50
worker.template.socket_timeout=1200

worker.node1.reference=worker.template
worker.node1.port=8009
worker.node1.host=54.86.231.61
worker.node1.type=ajp13
worker.node1.jvm_route=node1

worker.node2.reference=worker.template
worker.node2.port=8009
worker.node2.host=54.86.17.252
worker.node2.type=ajp13
worker.node2.jvm_route=node2

worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
#worker.loadbalancer.sticky_session=TRUE

# to check the status
worker.status.type=status
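As an added example (not from the original post), here is a Python checker for a worker.properties file of the shape shown above: it resolves mod_jk's reference chains, and flags balance members that are undefined or whose route does not match their worker name. The properties text is constructed and deliberately repeats the node1/node2 copy-paste slip.

```python
# Added example, not from the original post: sanity-check a mod_jk
# worker.properties file of the shape shown above. The properties text is
# constructed and deliberately contains the node1/node2 copy-paste slip
# (node2 given jvm_route=node1) plus a member that is never defined.

def parse_properties(text):
    """Java-style properties: key=value per line; '#' lines and blanks ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def worker_attr(props, name, attr):
    """Look up worker.<name>.<attr>, following a 'reference' chain as mod_jk does."""
    seen = set()
    while name not in seen:
        seen.add(name)
        value = props.get(f"worker.{name}.{attr}")
        if value is not None:
            return value
        ref = props.get(f"worker.{name}.reference", "")
        if not ref.startswith("worker."):
            return None
        name = ref[len("worker."):]
    return None  # reference loop


def check_balancer(props, lb):
    """Problems with the members of one lb worker."""
    members = [m.strip() for m in
               (worker_attr(props, lb, "balance_workers") or "").split(",") if m.strip()]
    if not members:
        return [f"{lb} has no balance_workers"]
    problems, routes = [], {}
    for m in members:
        wtype = worker_attr(props, m, "type")
        if wtype not in ("ajp13", "ajp14"):
            problems.append(f"{m}: balance member must be an ajp worker, got {wtype}")
            continue
        for attr in ("host", "port"):
            if worker_attr(props, m, attr) is None:
                problems.append(f"{m}: missing {attr}")
        # route (older spelling: jvm_route) defaults to the worker name and must
        # equal the jvmRoute of the Tomcat Engine the worker points at.
        route = worker_attr(props, m, "route") or worker_attr(props, m, "jvm_route") or m
        if route != m:
            problems.append(f"{m}: route {route!r} does not match the worker name")
        routes.setdefault(route, []).append(m)
    for route, owners in routes.items():
        if len(owners) > 1:
            problems.append(f"route {route!r} is claimed by {', '.join(owners)}; "
                            "sticky sessions cannot be routed back reliably")
    return problems


def check_workers(text):
    """Return a list of problems found in a worker.properties text."""
    props = parse_properties(text)
    problems = []
    listed = [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]
    if not listed:
        problems.append("worker.list is missing or empty")
    for name in listed:
        wtype = worker_attr(props, name, "type")
        if wtype is None:
            problems.append(f"{name} is in worker.list but has no type")
        elif wtype == "lb":
            problems.extend(check_balancer(props, name))
    return problems


WORKERS = """\
# constructed copy of the layout above, with the copy-paste slip left in
worker.list=loadbalancer,status

worker.template.type=ajp13
worker.template.connection_pool_size=50
worker.template.socket_timeout=1200

worker.node1.reference=worker.template
worker.node1.port=8009
worker.node1.host=10.0.0.11
worker.node1.jvm_route=node1

worker.node2.reference=worker.template
worker.node2.port=8009
worker.node2.host=10.0.0.12
worker.node2.jvm_route=node1

worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2,node3
worker.status.type=status
"""

if __name__ == "__main__":
    for problem in check_workers(WORKERS):
        print("-", problem)
```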

 

 

 

Tomcat-Static-Unicast-Clustering

Tomcat needs to be configured to allow for the setup of a cluster of two nodes over unicast. The following is the section of my ${LIFERAY_HOME}/tomcat-6.0.32/conf/server.xml on server1 which allowed for this (in server2's server.xml, replace node1 with node2, swap the two IP_ADDRESSES, and change uniqueId to any 16-byte value other than {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2}). IP_ADDRESSES here refer to the private IP addresses of server1 and server2 respectively.

================================

<Engine name="Catalina" defaultHost="localhost" jvmRoute="node1">

<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="6" channelStartOptions="3">

<Manager className="org.apache.catalina.ha.session.DeltaManager" expireSessionsOnShutdown="false" notifyListenersOnReplication="true" />

<Channel className="org.apache.catalina.tribes.group.GroupChannel">

<Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
autoBind="0" selectorTimeout="5000" maxThreads="6"
address="IP_ADDRESS_SERVER1" port="4444" />
<Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
<Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"
timeout="60000"
keepAliveTime="10"
keepAliveCount="0"
/>
</Sender>
<Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpPingInterceptor" staticOnly="true"/>
<Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
<Interceptor className="org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor">
<Member className="org.apache.catalina.tribes.membership.StaticMember"
host="IP_ADDRESS_SERVER2"
port="4444"
uniqueId="{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2}"/>
</Interceptor>
</Channel>
<Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter="" />
<Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve" />
<ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
<ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>

=================================

Monday, May 12, 2014

Apache load balancer

mod_proxy_balancer is an add-in module that acts as a software load balancer and ensures that traffic is split across back-end servers or workers to reduce latencies and give users a better experience.

mod_proxy_balancer distributes requests to multiple worker processes running on back-end servers to let multiple resources service incoming traffic and processing. It ensures efficient utilization of the back-end workers to prevent any single worker from getting overloaded.

When you configure mod_proxy_balancer, you can choose among three load-balancing algorithms: Request Counting, Weighted Traffic Counting, and Pending Request Counting, which we'll discuss in detail in a moment. The best algorithm to use depends on the individual use case; if you are not sure which to try first, go with Pending Request Counting.

The add-in also supports session stickiness, meaning you can optionally ensure that all the requests from a particular IP address or in a particular session go to the same back-end server. The easiest way to achieve stickiness is to use cookies, either inserted by the Apache web server or by the back-end servers.

A general configuration for load balancing defined in /etc/httpd/httpd.conf would look like this:

<Proxy balancer://A_name_signifying_your_app>
BalancerMember http://ip_address:port/ loadfactor=appropriate_load_factor # Balancer member 1
BalancerMember http://ip_address:port/ loadfactor=appropriate_load_factor # Balancer member 2
ProxySet lbmethod=the_Load_Balancing_algorithm
</Proxy>
You can specify anything for a name, but it's good to choose one that's significant. BalancerMember specifies a back-end worker's IP address and port number. A worker can be a back-end HTTP server or anything that can serve HTTP traffic. You can omit the port number if you use the web server's default port of 80. You can define as many BalancerMembers as you want; the optimal number depends on the capabilities of each server and the incoming traffic load. The loadfactor variable specifies the load that a back-end worker can take. Depending upon the algorithm, this can represent a number of requests or a number of bytes. lbmethod specifies the algorithm to be used for load balancing.

 

Let's look at how to configure each of the three options.

Request Counting
With this algorithm, incoming requests are distributed among back-end workers in such a way that each back end gets a proportional number of requests defined in the configuration by the loadfactor variable. For example, consider this Apache config snippet:
<Proxy balancer://myapp>
BalancerMember http://192.168.10.11/ loadfactor=1 # Balancer member 1
BalancerMember http://192.168.10.10/ loadfactor=3 # Balancer member 2
ProxySet lbmethod=byrequests
</Proxy>
In this example, one request out of every four will be sent to 192.168.10.11, while three will be sent to 192.168.10.10. This might be an appropriate configuration for a site with two servers, one of which is more powerful than the other.

 

Weighted Traffic Counting Algorithm
The Weighted Traffic Counting algorithm is similar to Request Counting algorithm, with a minor difference: Weighted Traffic Counting considers the number of bytes instead of number of requests. In the configuration example below, the number of bytes processed by 192.168.10.10 will be three times that of 192.168.10.11.
<Proxy balancer://myapp>
BalancerMember http://192.168.10.11/ loadfactor=1 # Balancer member 1
BalancerMember http://192.168.10.10/ loadfactor=3 # Balancer member 2
ProxySet lbmethod=bytraffic
</Proxy>
Pending Request Counting Algorithm
The Pending Request Counting algorithm is the latest and most sophisticated algorithm provided by Apache for load balancing. It is available from Apache 2.2.10 onward.

 

In this algorithm, the scheduler keeps track of the number of requests that are assigned to each back-end worker at any given time. Each new incoming request will be sent to the back end that has least number of pending requests – in other words, to the back-end worker that is relatively least loaded. This helps keep the request queues even among the back-end workers, and each request generally goes to the worker that can process it the fastest.

 

If two workers are equally lightly loaded, the scheduler uses the Request Counting algorithm to break the tie.
<Proxy balancer://myapp>
BalancerMember http://192.168.10.11/ # Balancer member 1
BalancerMember http://192.168.10.10/ # Balancer member 2
ProxySet lbmethod=bybusyness
</Proxy>
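As an added example (not from the original article), here is a small Python model of the three lbmethod schedulers, modelled on the selection rules of Apache's mod_lbmethod_byrequests, mod_lbmethod_bytraffic and mod_lbmethod_bybusyness; the two members use the loadfactors from the snippets above, and the request sizes and in-flight scenario are constructed.

```python
# Added example, not from the original article: a small model of the three
# lbmethod schedulers described above. The selection rules follow Apache's
# mod_lbmethod_byrequests, _bytraffic and _bybusyness; the request sizes and
# the in-flight scenario are constructed.
class Member:
    def __init__(self, name, loadfactor=1):
        self.name = name
        self.lbfactor = loadfactor
        self.lbstatus = 0      # running credit used by byrequests
        self.transferred = 0   # bytes sent to this backend (bytraffic)
        self.read = 0          # bytes read back from it (bytraffic)
        self.busy = 0          # requests currently in flight (bybusyness)


def by_requests(members):
    """Credit every member its loadfactor, pick the highest credit, debit the total."""
    total, best = 0, None
    for m in members:
        m.lbstatus += m.lbfactor
        total += m.lbfactor
        if best is None or m.lbstatus > best.lbstatus:
            best = m
    best.lbstatus -= total
    return best


def by_traffic(members):
    """Pick the member that has moved the fewest bytes per unit of loadfactor."""
    return min(members, key=lambda m: (m.transferred + m.read) / m.lbfactor)


def by_busyness(members):
    """Fewest in-flight requests wins; a tie is broken with the byrequests credit."""
    total, best = 0, None
    for m in members:
        m.lbstatus += m.lbfactor
        total += m.lbfactor
        if best is None or m.busy < best.busy or (
                m.busy == best.busy and m.lbstatus > best.lbstatus):
            best = m
    best.lbstatus -= total
    return best


def two_members():
    # 192.168.10.11 loadfactor=1 and 192.168.10.10 loadfactor=3, as in the snippets.
    return [Member("192.168.10.11", 1), Member("192.168.10.10", 3)]


def requests_schedule(n):
    """Order in which n back-to-back requests are assigned under byrequests."""
    members = two_members()
    return [by_requests(members).name for _ in range(n)]


def traffic_totals(sizes):
    """Bytes each member serves under bytraffic for responses of the given sizes."""
    members = two_members()
    for size in sizes:
        by_traffic(members).read += size   # response bytes read from the backend
    return {m.name: m.read for m in members}


def busyness_schedule(n):
    """Assignment order under bybusyness when no request completes in between."""
    members = two_members()
    order = []
    for _ in range(n):
        chosen = by_busyness(members)
        chosen.busy += 1                   # stays in flight for the whole run
        order.append(chosen.name)
    return order


if __name__ == "__main__":
    print("byrequests:", requests_schedule(8))       # 2 to .11, 6 to .10
    print("bytraffic: ", traffic_totals([1000] * 8))  # .10 moves 3x the bytes
    print("bybusyness:", busyness_schedule(4))        # busy count overrides the 1:3 weight
```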
Enable the Balancer Manager
Sometimes you may need to change your load balancing configuration, but that may not be easy to do without affecting the running server. For such situations, the Balancer Manager module provides a web interface to change the status of back-end workers on the fly. You can use Balancer Manager to put a worker in offline mode or change its loadfactor. You must have mod_status installed in order to use Balancer Manager. Because anyone who can reach this page can take workers offline or reroute traffic, restrict it to trusted addresses or put authentication in front of it. A sample config, which should be defined in /etc/httpd/httpd.conf, might look like:

 

<Location /balancer-manager>
    SetHandler balancer-manager
    Order Deny,Allow
    Deny from all
    Allow from .test.com
</Location>
Once you add directives like those above to httpd.conf and restart Apache you can open the Balancer Manager by pointing a browser at http://test.com/balancer-manager.

 

<VirtualHost *:80>
    ProxyRequests off

    ServerName domain.com

    <Proxy balancer://mycluster>
        # WebHead1
        BalancerMember http://10.176.42.144:80
        # WebHead2
        BalancerMember http://10.176.42.148:80

        # Security: technically we aren't blocking
        # anyone, but this is the place to make those
        # changes
        Order Deny,Allow
        Deny from none
        Allow from all

        # Load Balancer Settings
        # We will be configuring a simple Round
        # Robin style load balancer. This means
        # that all webheads take an equal share
        # of the load.
        ProxySet lbmethod=byrequests
    </Proxy>

    # balancer-manager
    # This tool is built into the mod_proxy_balancer
    # module and will allow you to do some simple
    # modifications to the balanced group via a GUI
    # web interface.
    <Location /balancer-manager>
        SetHandler balancer-manager

        # I recommend locking this one down to
        # your office
        Order deny,allow
        Allow from all
    </Location>

    # Point of Balance
    # This setting will allow us to explicitly name
    # the location in the site that we want to be
    # balanced; in this example we will balance "/",
    # or everything in the site.
    ProxyPass /balancer-manager !
    ProxyPass / balancer://mycluster/
</VirtualHost>

 

========================

Enable proxy_module, proxy_balancer_module and proxy_http_module in httpd.conf of Apache web server
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Add a ProxyPass with the balancer name for the application context root. In this example, I have the proxy path as examples and the balancer name as mycluster. It is very important to include stickysession: without this option the requests of one session will be distributed across multiple Tomcat servers and you will have session expiry issues in the application.

<IfModule proxy_module>
ProxyRequests Off
ProxyPass /examples balancer://mycluster stickysession=JSESSIONID
ProxyPassReverse /examples balancer://mycluster stickysession=JSESSIONID
<Proxy balancer://mycluster>
BalancerMember http://localhost:8080/examples route=server1
BalancerMember http://localhost:8090/examples route=server2
</Proxy>
</IfModule>
As you can see in above configuration, I have added route in BalancerMember so route value can be appended to session ID. Now, let’s configure Apache to print JSESSIONID in access logs.

Add the following to the LogFormat directive:
%{JSESSIONID}C
Example:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{JSESSIONID}C\"" combined
Restart Apache Web Server

Friday, May 3, 2013

Hide Apache, PHP and Bind Versions

To Check Apache Version:

By default, Apache sends its version and module information (mod_php, mod_perl, mod_ssl and so on) in the Server header of every HTTP response.

If you want to view the Apache web server version and software of a remote server, follow this procedure.

# telnet example.com 80

Trying example.com...
Connected to example.com.
Escape character is '^]'.
HEAD / HTTP/1.0 <- after this press ENTER twice
HTTP/1.1 200 OK
Date: Sun, 07 Oct 2012 12:57:57 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 JRun/4.0
Last-Modified: Tue, 03 Jan 2012 11:41:16 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

In the above example the response reveals all the details about your web server and PHP. This is not recommended for security reasons, since it tells anyone probing the server exactly which versions to look up. We need to hide this information with the following procedure.
To Hide Apache Information:
To hide the information, add the following two Apache directives to the Apache configuration file (httpd.conf or apache2.conf):

ServerTokens ProductOnly

ServerSignature Off

# /etc/init.d/httpd restart

Now the output for apache header looks like below

Server: Apache
To Hide PHP Version Details

Locate the php.ini loaded on the server (the phpinfo() page or php --ini shows its path).

Change the following option in php.ini

expose_php = On

to

expose_php = Off

This also removes the X-Powered-By: PHP/x.y.z header from responses.

# /etc/init.d/httpd restart
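As an added example (not from the original post), this Python snippet parses a raw HTTP response like the telnet output above and lists every product/version token found in the Server and X-Powered-By headers; CAPTURED is the response shown earlier in the post, the other two samples are constructed.

```python
# Added example, not from the original post: report software versions that a
# server discloses in its Server and X-Powered-By response headers. CAPTURED is
# the response shown in the post; HARDENED and PHP_LEAK are constructed.
import re

# product/version tokens such as Apache/2.2.21 or OpenSSL/0.9.8e-fips-rhel5
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")


def parse_headers(raw):
    """Return {lower-cased header name: value} from a raw HTTP response text."""
    headers = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:          # lines[0] is the status line
        if ":" not in line:
            break                   # blank line or trailing client output ends the headers
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_versions(raw):
    """List (header, product, version) for every version token in the two headers."""
    headers = parse_headers(raw)
    found = []
    for header in ("server", "x-powered-by"):
        for product, version in VERSION_TOKEN.findall(headers.get(header, "")):
            found.append((header, product, version))
    return found


CAPTURED = """\
HTTP/1.1 200 OK
Date: Sun, 07 Oct 2012 12:57:57 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 JRun/4.0
Last-Modified: Tue, 03 Jan 2012 11:41:16 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.
"""

# constructed: what the same server returns after ServerTokens ProductOnly
HARDENED = """\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

# constructed: expose_php = On adds the X-Powered-By header
PHP_LEAK = """\
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.4.16
"""

if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED), ("hardened", HARDENED), ("php", PHP_LEAK)):
        print(label + ":", disclosed_versions(raw) or "nothing disclosed")
```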
To Hide BIND Version
You can check the Bind version of a server by using the following command.

# dig +short @XXX.XXX.XXX.XXX -c CH -t txt version.bind
"9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.4"

To hide your version of BIND, set the version value in named.conf as follows.
You can give any string for the version.

options {
directory "/var/named";
version "We Just Hide It";
};

# dig +short @XXX.XXX.XXX.XXX -c CH -t txt version.bind
"We Just Hide It"

Complile and install Apache

Here I am explaining the steps to set up a LAMP server. I am using CentOS 5.8 64 bit to set up LAMP. There will be small variations in other Linux distributions. I think this will work in most of the CentOS versions.

Apache

Preliminary Checking Installations for Apache

In most CentOS installations httpd may be installed by default. It is better to remove that installation first.

[root@vps ~]# rpm -q httpd
httpd-2.2.3-65.el5.centos

The following command will uninstall the httpd-2.2.3-65.el5.centos rpm package.

[root@vps ~]# rpm -e httpd-2.2.3-65.el5.centos
You need to install the necessary compilers to use the make command. The following command will install the necessary packages.
[root@vps ~]# yum install gcc gcc-c++ -y
You also need to install the APR and APR-UTIL packages before building Apache.

Install APR

[root@vps ~]# cd /usr/local/src
[root@vps src]# wget http://apache.techartifact.com/mirror//apr/apr-1.4.6.tar.gz
[root@vps src]# tar -xzf apr-1.4.6.tar.gz
[root@vps src]# cd apr-1.4.6
[root@vps apr-1.4.6]# ./configure --prefix=/usr/local/apr
[root@vps apr-1.4.6]# make
[root@vps apr-1.4.6]# make install
Install APR-UTIL

[root@vps ~]# cd /usr/local/src
[root@vps src]# wget http://apache.techartifact.com/mirror//apr/apr-util-1.5.2.tar.gz
[root@vps src]# tar -xzf apr-util-1.5.2.tar.gz
[root@vps src]# cd apr-util-1.5.2
[root@vps apr-util-1.5.2]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr/bin/apr-1-config
[root@vps apr-util-1.5.2]# make
[root@vps apr-util-1.5.2]# make install

Compile and Install Apache 2.2.x

[root@vps ~]# cd /usr/local/src
[root@vps src]# wget http://apache.techartifact.com/mirror//httpd/httpd-2.2.24.tar.gz
[root@vps src]# tar -xzf httpd-2.2.24.tar.gz
[root@vps src]# cd httpd-2.2.24

[root@vps httpd-2.2.24]# ./configure --prefix=/usr/local/apache --with-apr=/usr/local/apr/bin/apr-1-config --with-apr-util=/usr/local/apr-util/bin/apu-1-config --enable-ssl=/usr/include/openssl --enable-rewrite --enable-deflate --enable-suexec

*** You can check the options available for configuration using the following command. Add new modules as per your needs.

[root@vps httpd-2.2.24]# ./configure --help

[root@vps httpd-2.2.24]# make
[root@vps httpd-2.2.24]# make install

The following command will let you use the httpd command instead of giving the full path of apachectl.

[root@vps httpd-2.2.24]# ln -s /usr/local/apache/bin/apachectl /usr/bin/httpd
Once you have done the above configuration and created the symbolic link, you can check the settings of Apache using the following commands.
[root@vps ~]# httpd -M
[root@vps ~]# httpd -V

Compile and Install Apache 2.4.4

***I have noted that in Apache 2.4.x, suphp-0.7.1 cannot compile with any of the PHP versions. There has been no development of suphp since 2009-03-14, so I personally do not recommend Apache 2.4.x at this time.
***I have also noted that there are some issues in Apache 2.4.x with PHP 5.2.x, so think before using Apache 2.4.x on your server.

[root@vps ~]# cd /usr/local/src
[root@vps src]# wget http://apache.techartifact.com/mirror//httpd/httpd-2.4.4.tar.bz2
[root@vps src]# tar -xjf httpd-2.4.4.tar.bz2
[root@vps src]# cd httpd-2.4.4

[root@vps httpd-2.4.4]# ./configure --prefix=/usr/local/apache --enable-load-all-modules --with-apr=/usr/local/apr/bin/apr-1-config --with-apr-util=/usr/local/apr-util/bin/apu-1-config --with-pcre=/usr/local/pcre/bin/pcre-config

[root@vps httpd-2.4.4]# make
[root@vps httpd-2.4.4]# make install

The following command will let you use the httpd command instead of giving the full path of apachectl.

[root@vps httpd-2.4.4]# ln -s /usr/local/apache/bin/apachectl /usr/bin/httpd
Once you have done the above configuration and created the symbolic link, you can check the settings of Apache using the following commands.
[root@vps ~]# httpd -M
[root@vps ~]# httpd -V
Notes:-

You need to install PCRE to build Apache 2.4.x. Check whether 'pcre-config' is on your system; if it is not available, you will encounter the following error while configuring Apache.

Error:
configure: error: pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/

Fix:
============================================================================================

[root@vps ~]# cd /usr/local/src
[root@vps src]# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.32.tar.gz
[root@vps src]# tar -xzf pcre-8.32.tar.gz
[root@vps src]# cd pcre-8.32
[root@vps pcre-8.32]# ./configure --prefix=/usr/local/pcre
[root@vps pcre-8.32]# make
[root@vps pcre-8.32]# make install
============================================================================================

Create A startup Script for httpd
Create a file /etc/init.d/httpd with the following contents. You have to set the pid file location and the httpd and apachectl paths correctly in the script for it to work.
Here in my case, these are the settings.

[root@vps ~]# locate httpd.pid
/var/run/httpd.pid

================================================================================
#!/bin/bash
#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
#              HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd.pid
# config: /usr/local/apache/conf/httpd.conf

# Source function library.
. /etc/rc.d/init.d/functions

if [ -f /etc/sysconfig/httpd ]; then
    . /etc/sysconfig/httpd
fi

# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""

# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/local/apache/bin/apachectl
httpd=/usr/local/apache/bin/httpd
pid=/var/run/httpd.pid
prog=httpd
RETVAL=0

# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.
start() {
    echo -n $"Starting $prog: "
    daemon $httpd $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch /var/lock/subsys/httpd
    return $RETVAL
}
stop() {
    echo -n $"Stopping $prog: "
    killproc $httpd
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f /var/lock/subsys/httpd $pid
    return $RETVAL
}
reload() {
    echo -n $"Reloading $prog: "
    killproc $httpd -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status $httpd
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        # Restart only if the server is currently running (pid file present).
        if [ -f $pid ] ; then
            stop
            start
        fi
        ;;
    reload)
        reload
        ;;
    graceful|help|configtest|fullstatus)
        $apachectl "$@"
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|condrestart|reload|status"
        echo $"|fullstatus|graceful|help|configtest}"
        exit 1
esac

exit $RETVAL
================================================================================
[root@vps ~]# chmod +x /etc/init.d/httpd
[root@vps ~]# chkconfig --add httpd
[root@vps ~]# chkconfig httpd on

This will enable you to start and stop apache using the following commands

[root@vps ~]# /etc/init.d/httpd start
[root@vps ~]# /etc/init.d/httpd stop

Thursday, April 25, 2013

You can use mod_rewrite for redirecting http to https.

You need to go into the http vhost container and add the following:

========================================

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
Or else, you can add the following lines

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

Tuesday, April 16, 2013

Troubleshooting apache

Check whether the httpd service is running or not.

• If it does not start, check the syntax of the config file:
# httpd -S (dumps the parsed virtual host settings, with the config file and line each one comes from)
# httpd -t or apachectl configtest
If the output reports "Syntax OK", the config file is correct.
• Check the Apache error log:
/var/log/httpd/error_log
• Apache also requires working DNS client support via /etc/resolv.conf, so make sure DNS resolution is working.
• Check that httpd.conf has a correct ServerName entry and that the port number (Listen) is right.
• Check the size of the log files: if a log file is full it will cause error 500, so make sure the log files stay under the limit. You can use the logrotate tool for this; create a configuration file for the httpd log files in /etc/logrotate.d/httpd.
• It is possible that some other process is using port 80 or 443. Use the netstat command to list open ports and their owners:
# netstat -tulpn
# netstat -tulpn | grep ':80'
If another process is using port 80 / 443, you need to stop it or assign another port to Apache.
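The port-conflict and log-size checks from the list above as small shell functions that can be run before restarting httpd. This is an added example, not part of the original post; the netstat output and the log file it runs on are constructed inline, and the size limit is an assumed value.

```shell
#!/bin/sh
# Added example (not from the original post): port-owner and log-size checks
# from the troubleshooting list. The netstat output below is constructed.

# Who owns a listening port? Reads "netstat -tulpn" output on stdin and prints
# the PID/Program column for every socket bound to that port.
port_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" port "$") {
            first = ($1 ~ /^udp/) ? 6 : 7      # udp rows have no State column
            for (i = first; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
        }' | sort -u
}

# Print each log file whose size exceeds the limit in bytes (the limit is an
# assumed value; the post only says "under limit"). wc -c is used because the
# stat flags differ between Linux and BSD.
logs_over_limit() {
    limit="$1"; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        [ "$size" -gt "$limit" ] && echo "$f"
    done
    return 0
}

# Constructed "netstat -tulpn" output: nginx already holds port 80, 443 is free.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           777/ntpd'

echo "$NETSTAT_SAMPLE" | port_owner 80     # 1234/nginx: Apache cannot bind 80
echo "$NETSTAT_SAMPLE" | port_owner 443    # prints nothing: port is free

# Constructed 100-byte "log" checked against a 50-byte limit.
SAMPLE_LOG=$(mktemp)
printf '%100s' '' > "$SAMPLE_LOG"
logs_over_limit 50 "$SAMPLE_LOG"           # prints the path: over the limit
rm -f "$SAMPLE_LOG"

# On a live server the same functions run against the real commands:
#   netstat -tulpn | port_owner 80
#   logs_over_limit 2147483648 /usr/local/apache/domlogs/*
```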

Fast up Httpd

Apache's configuration file is located at "/usr/local/apache/conf/httpd.conf" on a cPanel server.

Timeout
The "Timeout" directive defines the amount of time Apache will wait for a GET, POST or PUT request, and for ACKs on transmissions, before disconnecting once the idle time exceeds this value. The ideal value will be 120 on heavily loaded servers. It is recommended to set this value lower if your clients have low latencies. Sometimes setting this directive to a low value may cause problems; this depends heavily on your network and server setup. The best approach is to experiment with different values to find the one that fits your needs.

KeepAlive
The "KeepAlive" directive, if set to "On", enables persistent connections on the web server. For better performance, it's recommended to set this option to "On" and allow more than one request per connection.

MaxKeepAliveRequests
This directive defines the number of requests allowed per connection when the KeepAlive option above is set to "On". When the value is set to "0", unlimited requests are allowed per connection. For server performance, it's recommended to allow unlimited requests.

KeepAliveTimeout
This directive defines how much time, in seconds, Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the "Timeout" directive applies. A value of "10" seconds is a good average for server performance. This value should be kept low, as otherwise the socket will sit idle for extended periods.

MaxClients
This directive defines the limit on the number of child processes that will be created to serve requests. The default means that up to 512 HTTP requests can be handled concurrently. This is an important tuning parameter for the performance of the Apache web server. For high-load operation, a value of "512" is recommended. For standard use, you can set the value to "256".

MinSpareServers
This directive defines the minimum number of idle child server processes that should be kept. An idle process is one which is not handling a request. If there are fewer than "MinSpareServers" idle processes, the parent process creates new children at a maximum rate of 1 per second. The ideal value is 10.

MaxSpareServers
This directive defines the maximum number of idle child server processes that may exist. If there are more than "MaxSpareServers" idle child processes, the parent process terminates the excess processes. The ideal value is 15.

MaxRequestsPerChild
The "MaxRequestsPerChild" directive defines the number of requests that an individual child server process will handle before it is recycled. Set this directive to "0" to get the maximum performance and scalability for the server.

HostnameLookups
This directive, if set to "Off", disables DNS lookups on client addresses. It's recommended to set this option to "Off" in order to avoid adding DNS latency to every request, to save network traffic, and to improve the performance of your Apache web server.

Monday, April 1, 2013

Load due to a particular domain in the server

Whenever the load on the server increases because of a particular user, check the following.

Find the domain owned by the user:

grep username /etc/userdomains

Once you have the domain name, run the following command on its domlog:

less /usr/local/apache/domlogs/domain.com | awk '{print $1}' | sort | uniq -c | sort -n

This lists each client IP with its number of requests, sorted by count. For example:
 13832 65.52.110.145
19112 66.249.68.183
208262 157.55.16.55

In the above case there are far too many requests from those IPs, which is clearly abnormal. Block such IPs on the server immediately using csf:

csf -d IP

(if csf is not installed, use iptables).
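The domlog pipeline above, turned into functions that rank client IPs and flag only those above a request threshold, so the decision to run csf -d rests on a number rather than on eyeballing the list. This is an added example, not part of the original post; the access log lines are constructed, and the threshold is an assumed value to be replaced by one derived from the site's normal traffic.

```shell
#!/bin/sh
# Added example (not from the original post): rank client IPs in an Apache
# access log and flag the ones above a request threshold before blocking.

# Constructed sample domlog lines standing in for
# /usr/local/apache/domlogs/domain.com (RFC 5737 documentation addresses).
SAMPLE_LOG='203.0.113.10 - - [01/Apr/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Apr/2013:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2013:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.29"
198.51.100.7 - - [01/Apr/2013:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "curl/7.29"
192.0.2.44 - - [01/Apr/2013:10:00:07 +0000] "GET /robots.txt HTTP/1.1" 404 300 "-" "Googlebot/2.1"'

# Same pipeline as the post, but sorted descending and normalised to
# "<count> <ip>" per line. Reads the given file(s), or stdin when none.
top_ips() {
    awk '{print $1}' "$@" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print only the IPs whose request count exceeds the threshold ($1).
# The threshold is an assumed value; derive it from the site's normal traffic.
abusive_ips() {
    max="$1"; shift
    top_ips "$@" | awk -v max="$max" '$1 > max {print $2}'
}

# Review the candidates first; "csf -d <ip>" is the command the post runs.
printf '%s\n' "$SAMPLE_LOG" | top_ips
for ip in $(printf '%s\n' "$SAMPLE_LOG" | abusive_ips 3); do
    echo "would block: csf -d $ip"
done

# On a live server:
#   abusive_ips 10000 /usr/local/apache/domlogs/domain.com
```

Before blocking, check the user agent and reverse DNS of each flagged IP, since a high request count can also come from a legitimate search engine crawler.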

Website appears to be loading slowly?

Speed it up using gzip compression and mod_deflate. Add the following code to the .htaccess file in the website folder and save it. The site should load pages significantly faster now.

### Enable gzip compression for PHP files
php_value output_handler ob_gzhandler

### compress text, html, javascript, css, xml:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

### End of compression code