===== Apache =====
==== Apache Tips & Tricks: ====
To provide a seamless redirect from http://site/anypage.etc to http://newsite/anypage.etc, put the following into the specific virtual host or apache2.conf (httpd.conf on Apache 1.3):
Redirect 301 /site http://newwebsite/site
Redirect 301 / http://newweb/
RedirectMatch 301 ^/ http://new-website.com/
#The above can be in a directory x levels deep.
RedirectMatch 302 ^/ /temporary-offline.html
See the following for RedirectMatch: http://www.askapache.com/htaccess/301-redirect-with-mod_rewrite-or-redirectmatch.html
Got from Skynet config - Thanks Lads.
==== Redirect from http to https ====
If you want to force people to use https and/or redirect them seamlessly to https without them having to type in the address, here is how you can do it with Apache using a .htaccess file:
SSLRequireSSL
ErrorDocument 403 https://securewebsite/page.html
Note the above is only a hack. It will break if any other 403 (which means access is denied) is caught. For example, if a "deny from all" is used along with the above, or permissions are set incorrectly, an endless loop will ensue. I'm sure there are other ways of seamlessly redirecting http to https; however, this is a quick one.
=== Apache Error Codes ===
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content
300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
303 See Other
304 Not Modified
305 Use Proxy
400 Bad Request
401 Authorization Required
402 Payment Required (not used yet)
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable (encoding)
407 Proxy Authentication Required
408 Request Timed Out
409 Conflicting Request
410 Gone
411 Content Length Required
412 Precondition Failed
413 Request Entity Too Long
414 Request URI Too Long
415 Unsupported Media Type
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
Not a definitive list. Information obtained from: http://bignosebird.com/apache/a5.shtml
==== Apache REWRITE Module: ====
Here's a nice one - mod_rewrite which is extremely powerful. I am but using 1 or 2 examples. Write the following examples straight into a .htaccess file :-)
#1. rewrites all .html requests to the matching .php file
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.*)\.html$ $1.php [NC]
#2. redirects all .html files to .php files on the new server
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.+)\.html$ http://www.server.com/$1.php [R=301,NC]
#3. **This is the best one** for reasons I won't divulge. It does need tweaking, but works.
#   The [P] flag proxies the request to the target and requires mod_proxy.
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.*)$ http://internal-lan-server/$1 [P]
==== Display text (footer) under an Apache file listing ====
Put the following code in a .htaccess file, or in the apache.conf
ReadmeName filetoputatbottom
#or
ReadmeName /path/to/file
The filetoputatbottom may have to be an HTML page in order to be included correctly. If the above doesn't work, add a .html extension to the file and update the .htaccess accordingly.
That's it. You will see something similar to:
http://sburke.eu/webdev/apachefooterlisting/
This is very useful for showing a README explanation underneath a listing of files available for download. Download or install instructions can be placed here as required.
OK. Here are the references:
http://www.widexl.com/scripts/documentation/mod_rewrite.html
http://adstil.indiatimes.com/manual/misc/rewriteguide.html (Apache 1.3 THO)
http://corz.org/serv/tricks/htaccess2.php
http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
==== AllowOverride in Apache Configs for .htaccess ====
Apache's default AllowOverride in www.website.com/pageabc is None. This means that .htaccess files in pageabc do not work. Instead of allowing the complete AllowOverride All, specific groups of directives can be allowed or disallowed. This is much better, because there is a lot that can be overridden using AllowOverride All.
AllowOverride Limit Indexes
Limit allows deny, allow from etc. etc. Indexes allows control over how indexes are displayed
AllowOverride FileInfo
Allows use of rewrite in .htaccess files.
The full doc is at:
http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride
** Allow Override for Mod_rewrite **
It's quite common to have rewrite rules in a .htaccess file. Without allowing full override, the following can be done:
Options FollowSymLinks Indexes MultiViews
AllowOverride FileInfo
==== htaccess Auth using LDAP and htpasswd ====
1. LDAP Auth Only
LDAP_Debug On
AuthName "Only LDAP domain1 or domain2"
AuthType Basic
AuthOnBind On
LDAP_Server "ldap server ip"
LDAP_Port 389
UID_Attr cn
Sub_DN "OU=Users,ou=staff"
AltSub_DN "OU=Users,ou=undergraduate"
Base_DN "DC=ul,DC=campus"
require user first1.lastname1 first2.lastname2 first3.lastname3
2. Htpasswd Auth Only
Run the following from the cmd line:
htpasswd -bn username pass
Put the resulting output line (for example username:DGdmxkU03XUJo) into a .htpasswd file and reference it from a .htaccess as follows:
AuthUserFile /home/user/.htpasswd
AuthName "Only htpasswd users"
AuthType Basic
require valid-user
#or specifically as follows:
require user username
3. LDAP and htpasswd Auth
AuthLDAPAuthoritative Off
AuthUserFile /home/user/.htpasswd
LDAP_Debug On
AuthName "LDAP domain1 or domain2; or htpasswd users."
AuthType Basic
AuthOnBind On
LDAP_Server "ldap server ip"
LDAP_Port 389
UID_Attr cn
Sub_DN "OU=Users,ou=staff"
AltSub_DN "OU=Users,ou=undergraduate"
Base_DN "DC=ul,DC=campus"
require user first1.lastname1 first2.lastname2 first3.lastname3 htpasswduser1 htpasswduser2
==== htaccess examples complete ====
http://www.askapache.com/htaccess/ultimate-htaccess-file-sample.html
==== Multiviews - Automatically append file extension ====
If you have the following file: **/var/www/foo.html** and browse to **http://localhost/foo**, foo.html will be shown! The MultiViews option controls this. Typically this option would be set in the VirtualHost. It can also be disabled with "Options -MultiViews" in a .htaccess.
This MultiViews caused problems when doing rewrites.
Reference: http://www.gerd-riesselmann.net/archives/2005/04/beware-of-apaches-multiviews
==== Apache2 Common Configs ====
How to setup CGI with Apache: http://httpd.apache.org/docs/2.0/howto/cgi.html
Core Directives, Usage and Syntax: http://httpd.apache.org/docs/2.0/mod/core.html
==== Apache Rewrite via mod_proxy ====
If you have a webserver running on an internal LAN, and you have a website/access on an external webserver on the LAN, it is possible to proxy requests via the external webserver to inside your LAN.
http://192.168.20.20 = Apache on Internal LAN
http://193.1.1.10 = Apache accessible Externally and Internally.
mkdir /home/user/public_html/internalweb
vi /home/user/public_html/internalweb/.htaccess
RewriteEngine on
RewriteRule ^(.*)$ http://192.168.20.20/$1 [P]
Then browse to http://193.1.1.10/internalweb, and up comes the website on your Internal LAN.
----
Links:
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
===== Centralised Apache Logging =====
After a recent OOM (out of memory) by Apache, I wanted to be able to see exactly what requests were handled/received by Apache during a specific timeframe. It was a bit of a pain having to go looking in the many access log files, one for each vhost. As a result I wanted to set up a global access log file on top of the existing log files for each vhost.
This global log file will also be used later on to graph bandwidth usage across multiple vhosts.
The config was simple.
#1 vi /etc/apache2/apache2.conf
#Include the following line, underneath the existing LogFormat entries.
LogFormat "%h %t %v %X %D \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" global
#For a complete list of what the above letters mean, head over to: http://httpd.apache.org/docs/2.0/mod/mod_log_config.html
#2 vi /etc/apache2/sites-enabled/vhost-name
#Include the following line, underneath the existing CustomLog entry. Two CustomLog entries can be made, and both will log correctly :)
CustomLog /var/log/apache2/global_access.log global
I tried entering the CustomLog entry in apache2.conf, which should theoretically log everything. It didn't, and I had to add the CustomLog entry to all vhost configs. This might have been because there was already a CustomLog entry in each vhost which was taking preference, so both CustomLog entries had to be made in the one location, which was the vhost in my situation.
Be careful: this file will grow substantially in size! Check that it will get rotated by logrotate via /etc/logrotate.d/apache2. By default all *.log files in /var/log/apache2/ get rotated and compressed.
References:
http://httpd.apache.org/docs/2.0/logs.html
http://httpd.apache.org/docs/2.0/mod/mod_log_config.html#customlog
http://httpd.apache.org/docs/2.0/mod/mod_log_config.html#formats
More to follow on generating nice stats from this global log file.
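Added example, not part of the original notes: a parser for the "global" LogFormat defined above that answers the two questions raised in this section, which requests were served in a given time window (slowest first, by %D) and how many bytes each vhost sent. The function names, sample lines and hostnames are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# %r, Referer and User-Agent are client-controlled; Apache logs an embedded " as \"
Q = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    rf'(?P<host>\S+) \[(?P<time>[^\]]+)\] (?P<vhost>\S+) (?P<conn>[X+-]) '
    rf'(?P<usec>\d+) "(?P<request>{Q})" (?P<status>\d{{3}}) (?P<bytes>\d+|-) '
    rf'"(?P<referer>{Q})" "(?P<agent>{Q})"$'
)

def parse_line(line):
    # Returns a dict of typed fields, or None when the line is not in the global format.
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")  # %t
    e["usec"] = int(e["usec"])                                # %D, microseconds
    e["status"] = int(e["status"])                            # %>s
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])  # %b logs "-" for 0
    return e

def requests_between(lines, start, end):
    """Entries with start <= time < end, slowest (largest %D) first."""
    hits = [e for e in map(parse_line, lines) if e and start <= e["time"] < end]
    return sorted(hits, key=lambda e: e["usec"], reverse=True)

def bytes_per_vhost(entries):
    """Sum %b per %v, the basis for a per-vhost bandwidth graph."""
    totals = defaultdict(int)
    for e in entries:
        totals[e["vhost"]] += e["bytes"]
    return dict(totals)

# Constructed sample lines (documentation addresses and hostnames, not real traffic).
SAMPLE = [
    '203.0.113.7 [12/Mar/2010:02:14:07 +0000] wiki.example.org + 1532044 '
    '"GET /index.php?title=Main_Page HTTP/1.1" 200 18234 "-" "Mozilla/5.0"',
    '198.51.100.23 [12/Mar/2010:02:14:09 +0000] www.example.org - 4210 '
    '"GET / HTTP/1.1" 304 - "http://spam.example/" "bot \\"v1\\""',
    '203.0.113.7 [12/Mar/2010:02:20:41 +0000] wiki.example.org X 90311 '
    '"GET /skins/main.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    t0 = datetime(2010, 3, 12, 2, 14, tzinfo=timezone.utc)
    print(requests_between(SAMPLE, t0, t0.replace(minute=15)))
```

Feed it the lines of /var/log/apache2/global_access.log instead of SAMPLE; lines that do not match the format are skipped rather than raising.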
===== Additional Modules Used =====
==== mod_evasive ====
apt-get install libapache2-mod-evasive
Mod_evasive protects against DDoS and scripted bots which can hammer a website. (I got hundreds and hundreds of referral spam requests with "GET / HTTP/1.1", and MediaWiki kept eating up resources.) After the above apt-get install command, it's all set up and ready to go. I was able to trigger the "403 Forbidden" error by refreshing a page as fast as I could in my browser. (I also did a CTRL+r in elinks very fast.) I was initially quite worried it would catch a lot of false results, so I set up logging and email logging.
apt-get install libapache2-mod-evasive
mkdir /var/log/apache2/mod-evasive
chown www-data:www-data /var/log/apache2/mod-evasive
vi /etc/apache2/apache2.conf
#add
DOSEmailNotify root@burkesys.com
DOSLogDir /var/log/apache2/mod-evasive
ln -s /usr/bin/mail /bin/mail
#Done. Watch Logs.
#The default settings for mod_evasive on Debian Lenny are stored in:
zless /usr/share/doc/libapache2-mod-evasive/README.gz
#Let's see how these settings go.
APACHE v2.0
-----------
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
References:
* /usr/share/doc/libapache2-mod-evasive
 * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437824 (bug about mails not being sent in lenny)
* http://www.mydigitallife.info/2007/08/15/install-mod_evasive-for-apache-to-prevent-ddos-attacks/
* http://www.sfr-fresh.com/unix/privat/mod_evasive_1.10.1.tar.gz:a/mod_evasive/README
* http://edouard.peller.in/how-to-install-mod_evasive-on-debian-etch/
* http://www.debianadmin.com/how-to-protect-apache-against-dosddos-or-brute-force-attacks.html
* http://linuxharbour.com/content/protect-ddos-attach-apache-debian-lenny
* http://www.novell.com/communities/node/3025/protecting-apache-against-dos-attack-modevasive