Table of Contents
Apache
Apache Tips & Tricks:
To provide a seamless Redirect from http://site/anypage.etc to http://newsite/anypage.etc
The code should go into the specific Virtual Host or apache2.conf (httpd.conf on apache 1.3):
Redirect 301 /site http://newwebsite/site Redirect 301 / http://newweb/ RedirectMatch 301 ^/ http://new-website.com/ #The above can be in a directory x levels deep. RedirectMatch 302 ^/ /temporary-offline.html
See the following for RedirectMatch: http://www.askapache.com/htaccess/301-redirect-with-mod_rewrite-or-redirectmatch.html Got from Skynet config - Thanks Lads.
Redirect from http to https
If you want to force people to use https and/or redirect them seamlessly to https without them having to type in the address here is how you can do it with apache using a .htaccess file:
SSLRequireSSL ErrorDocument 403 https://securewebsite/page.html
Note the above is only a hack. It will break if a similar 403 (which means access is denied) is caught. For example if a “deny from all” is used along with the above, or permissions are set incorrectly - an endless loop will ensue. Im sure there are other ways of seamlessly redirecting http to https, however there is a quick one.
Apache Error Codes
200 OK 201 Created 202 Accepted 203 Non-Authorative Information 204 No Content 205 Reset Content 206 Partial Content 300 Multiple Choices 301 Moved Permanently 302 Moved Temporarily 303 See Other 304 Not Modified 305 Use Proxy 400 Bad Request 401 Authorization Required 402 Payment Required (not used yet) 403 Forbidden 404 Not Found 405 Method Not Allowed 406 Not Acceptable (encoding) 407 Proxy Authentication Required 408 Request Timed Out 409 Conflicting Request 410 Gone 411 Content Length Required 412 Precondition Failed 413 Request Entity Too Long 414 Request URI Too Long 415 Unsupported Media Type 500 Internal Server Error 501 Not Implemented 502 Bad Gateway 503 Service Unavailable 504 Gateway Timeout 505 HTTP Version Not Supported
Not a definitive list. Information obtained from: http://bignosebird.com/apache/a5.shtml
Apache REWRITE Module:
Here's a nice one - mod_rewrite which is extremely powerful. I am but using 1 or 2 examples. Write the following examples straight into a .htaccess file
#1. writes all html files as php Options +FollowSymlinks RewriteEngine on RewriteRule ^(.*)\.html$ $1.php [[nc]] #2. redirects all .html files to newserver.php files Options +FollowSymlinks RewriteEngine on Rewriterule ^(.+)\.html$ http://www.server.com/$1.php [[r=301,nc]] #3. **This is the best one** for reasons I wont divulge. It does need tweaking, but works. Options +FollowSymlinks RewriteEngine on Rewriterule ^(.*)$ http://internal-lan-server/$1 [[P]]
Display text (footer) under an Apache file listing
Put the following code in a .htaccess file, or in the apache.conf
ReadmeName filetoputatbottom //or ReadmeName /path/to/file
The filetoputatbottom may have to be a html page in order to be included correctly. If the above doesnt work, put a .html extension to the file and update the htaccess accordingly. Thats it. You will see somethimg similar to: http://sburke.eu/webdev/apachefooterlisting/ This is very useful for showing a README explaination underneath a listing of files with which to download. Download or install instructions can be placed here as required.
OK. Here's the References:
http://www.widexl.com/scripts/documentation/mod_rewrite.html
http://adstil.indiatimes.com/manual/misc/rewriteguide.html (Apache 1.3 THO)
AllowOverride in Apache Configs for .htaccess
Apache's default AllowOverride in www.website.com/pageabc is None. This means that .htaccess files in pageabc do not work. Instead of allowing the complete AllowOverride All, certain pieces and directives can be allowed or disallowed. This is much better, because there is a lot of stuff that can be overriden using the AllowOverride All.
AllowOverride Limit Indexes Limit allows deny, allow from etc. etc. Indexes allows control over how indexes are displayed AllowOverride FileInfo >Allows use of rewrite in .htaccess files.
The full doc is at:
http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride
Allow Override for Mod_rewrite Its quite common to have rewrite rules in a htaccess file. Without allowing full overrride, the following can be done:
<Directory /> Options FollowSymLinks Indexes MultiViews AllowOverride FileInfo </Directory>
htaccess Auth using LDAP and htpasswd
1. LDAP Auth Only
LDAP_Debug On AuthName "Only LDAP domain1 or domain2" AuthType Basic AuthOnBind On LDAP_Server "ldap server ip" LDAP_Port 389 UID_Attr cn Sub_DN "OU=Users,ou=staff" AltSub_DN "OU=Users,ou=undergraduate" Base_DN "DC=ul,DC=campus" require user first1.lastname1 first2.lastname2 first3.lastname3
2. Htpasswd Auth Only
Run the following from the cmd line:
htpasswd -bn username pass
Put the above username:DGdmxkU03XUJo into a .htpasswd file and call as follows using a .htaccess:
AuthUserFile /home/user/.htpasswd AuthName "Only htpasswd users" AuthType Basic require valid-user #or specifically as follows: require user username
3. LDAP and htpasswd Auth
AuthLDAPAuthoritative Off AuthUserFile /home/user/.htpasswd LDAP_Debug On AuthName "LDAP domain1 or domain2; or htpasswd users." AuthType Basic AuthOnBind On LDAP_Server "ldap server ip" LDAP_Port 389 UID_Attr cn Sub_DN "OU=Users,ou=staff" AltSub_DN "OU=Users,ou=undergraduate" Base_DN "DC=ul,DC=campus" require user first1.lastname1 first2.lastname2 first3.lastname3 htpasswduser1 htpasswduser2
htaccess examples complete
Multiviews - Automatically append file extension
If you have the following file: /var/www/foo.html and browse to http://localhost/foo foo.html will be shown! The option MultiViews controls this. Typically this option would be in the VirtualHost. It can also be disabled with “Options -MultiViews” in a .htaccess.
This MultiViews caused problems when doing rewrites.
Reference: http://www.gerd-riesselmann.net/archives/2005/04/beware-of-apaches-multiviews
Apache2 Common Configs
How to setup CGI with Apache: http://httpd.apache.org/docs/2.0/howto/cgi.html
Core Directives, Usage and Syntax: http://httpd.apache.org/docs/2.0/mod/core.html
Apache Rewrite via mod_proxy
If you have a webserver running on an internal LAN, and you have a website/access on a external webserver on the LAN, it is possible to proxy requests via the External webserver to inside your LAN. http://192.168.20.20 = Apache on Internal LAN http://193.1.1.10 = Apache acessible Externally and Internally.
mkdir /home/user/public_html/internalweb vi /home/user/public_html/internalweb/.htaccess RewriteEngine on Rewriterule ^(.*)$ http://192.168.20.20/$1 [[P]]
Then browse to http://193.1.1.10/internalweb, and up comes the website on your Internal LAN.
Links:
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
Centralised Apache Logging
After a recent oom by Apache, I wanted to be able to see exactly what requests were handled/recieved by apache during a specific timeframe. It was a bit of a pain having to go looking in the many access log files, one for each vhost. As a result I wanted to setup a global access log file ontop of the existing current log files for each vhost.
This global log file will also be used later on to graph bandwidth usage across multiple vhosts.
The config was simple.
#1 vi /etc/apache2/apache2.conf #Include the following line, underneath the existing LogFormat entries. LogFormat "%h %t %v %X %D \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" global #For a complete list of what the above letters mean, head over to: http://httpd.apache.org/docs/2.0/mod/mod_log_config.html #2 vi /etc/apache2/sites-enabled/vhost-name #Include the following line, underneath the existing CustomLog entry. Two CustomLog entries can be made, and both will log correctly :) CustomLog /var/log/apache2/global_access.log global
I tried entering the CustomLog entry in apache2.conf, which should theoretically log everything, it didn't and I had to add the CustomLog entry to all vhost configs. This might have been to do with the fact that there was a current CustomLog entry in each vhost, and it was taking preference, and that both CustomLog entries had to be made in the one location, which was in the vhost in my situation. Be careful of the fact that this file will grow substantially in size!! Check that it will get rotated by logrotate.d in /etc/logrotate.d/apache2. By default all *.log files in /var/log/apache2/ get rotated and compressed. References: <br> http://httpd.apache.org/docs/2.0/logs.html <br> http://httpd.apache.org/docs/2.0/mod/mod_log_config.html#customlog <br> http://httpd.apache.org/docs/2.0/mod/mod_log_config.html#formats <br>
More to follow on generating nice stats from this global log file.
Additional Modules Used
mod_evasive
apt-get install libapache2-mod-evasive Mod_evasive prevents against ddos and scripted bots which can hammer a website. (I got 100's and hundreds of referral spam with “GET / HTTP/1.1” Mediawiki kept eating up resources.) After the above apt-get install command, its all setup and ready to go. I was able to trigger the “403 Forbidden” error by refreshing a page as fast as I could on my browser. (Also done a CTRL+r in elinks very fast). I was initially quite worried it would catch a lot of false results, so I setup logging and email logging.
apt-get install libapache2-mod-evasive mkdir /var/log/apache2/mod-evasive chown www-data:www-data /var/log/apache2/mod-evasive vi /etc/apache2/apache2.conf #add <IfModule mod_evasive20.c> DOSEmailNotify root@burkesys.com DOSLogDir /var/log/apache2/mod-evasive </IfModule> ln -s /usr/bin/mail /bin/mail #Done. Watch Logs. #The default settings for mod_evasive on Debian Lenny are stored in: zless /usr/share/doc/libapache2-mod-evasive/README.gz #Lets see how these settings go. APACHE v2.0 ----------- <IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 </IfModule>
References:
- /usr/share/doc/libapache2-mod-evasive <br>
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437824 (bug about mails not been sent in lenny) <br>