apache [2022/07/19 19:52] – created 85.134.209.200 | apache [2022/07/19 22:39] (current) – Updated formatting admin |
===== Apache =====

==== Apache Tips & Tricks: ====
To provide a seamless redirect from http://site/anypage.etc to http://newsite/anypage.etc

The code should go into the specific Virtual Host or apache2.conf (httpd.conf on Apache 1.3):
<code>
# Permanent move to a new site:
Redirect 301 /site http://newwebsite/site
Redirect 301 / http://newweb/

# Temporary maintenance page; the pattern skips the page itself so the redirect cannot loop:
RedirectMatch 302 ^/(?!temporary-offline\.html$) /temporary-offline.html
</code>

See the following for RedirectMatch: http://www.askapache.com/htaccess/301-redirect-with-mod_rewrite-or-redirectmatch.html

==== Redirect from http to https ====
If you want to force people to use https and/or redirect them seamlessly to https without them having to type in the address, here is how you can do it with Apache using a .htaccess file:
<code>
SSLRequireSSL
ErrorDocument 403 https://securewebsite/page.html
</code>

Note the above is only a hack. It will break if a similar 403 (which means access is denied) is caught. For example, if a "deny from all" is used along with the above, or permissions are set incorrectly, an endless loop will ensue. I'm sure there are other ways of seamlessly redirecting http to https; however, this is a quick one.

==== Apache Error Codes ====
<code>
200 OK
201 Created
504 Gateway Timeout
505 HTTP Version Not Supported
</code>
Not a definitive list. Information obtained from: http://bignosebird.com/apache/a5.shtml

==== Apache REWRITE Module: ====
Here's a nice one: mod_rewrite, which is extremely powerful. I am but using 1 or 2 examples. Write the following examples straight into a .htaccess file :-)
<code>
#1. writes all html files as php
Options +FollowSymLinks
RewriteEngine on
# [P] hands the request to mod_proxy, which fetches it from the internal server
RewriteRule ^(.*)$ http://internal-lan-server/$1 [P]
</code>

==== Display text (footer) under an Apache file listing ====
Put the following code in a .htaccess file, or in the apache.conf
<code>
ReadmeName filetoputatbottom
# or
ReadmeName /path/to/file
</code>
The filetoputatbottom may have to be an HTML page in order to be included correctly. If the above doesn't work, add a .html extension to the file and update the .htaccess accordingly.
That's it. You will see something similar to:

==== AllowOverride in Apache Configs for .htaccess ====
Apache's default AllowOverride in www.website.com/pageabc is None. This means that .htaccess files in pageabc do not work. Instead of allowing the complete AllowOverride All, certain pieces and directives can be allowed or disallowed. This is much better, because there is a lot of stuff that can be overridden using AllowOverride All.
<code>
AllowOverride Limit Indexes
# Limit allows deny, allow from etc. etc. Indexes allows control over how indexes are displayed
AllowOverride FileInfo
# Allows use of rewrite in .htaccess files.
</code>
The full doc is at:

**Allow Override for mod_rewrite**
It's quite common to have rewrite rules in a .htaccess file. Without allowing full override, the following can be done:
<code>
<Directory />
    Options FollowSymLinks Indexes MultiViews
    AllowOverride FileInfo
</Directory>
</code>
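
The same idea scoped to one site instead of the filesystem root, as an added example that is not part of the original page. It uses Apache 2.4 syntax, and /var/www/site and /var/www/site/app are assumed paths.

```apache
# Added example (not from the original page); the paths are assumptions.

# Filesystem root: no .htaccess processing and no access at all.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Only the site's own tree may use .htaccess, and only for these classes.
<Directory /var/www/site>
    # mod_rewrite in .htaccess needs symlink following enabled;
    # SymLinksIfOwnerMatch is the narrower of the two options that work.
    Options SymLinksIfOwnerMatch
    # FileInfo covers the rewrite and redirect directives, but also
    # ErrorDocument, Header and SetHandler. Limit covers allow/deny/order.
    AllowOverride FileInfo Limit
    Require all granted
</Directory>

# Tighter still: name the exact directives a .htaccess file may contain,
# so SetHandler and the rest of the FileInfo class stay out of reach.
<Directory /var/www/site/app>
    Options SymLinksIfOwnerMatch
    AllowOverride None
    AllowOverrideList RewriteEngine RewriteBase RewriteCond RewriteRule
</Directory>
```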

==== htaccess Auth using LDAP and htpasswd ====
1. LDAP Auth Only
<code>
LDAP_Debug On
AuthName "Only LDAP domain1 or domain2"
Base_DN "DC=ul,DC=campus"
require user first1.lastname1 first2.lastname2 first3.lastname3
</code>
2. Htpasswd Auth Only

Run the following from the cmd line:
<code>
htpasswd -bn username pass
</code>
Put the resulting line (username:DGdmxkU03XUJo) into a .htpasswd file and call it as follows using a .htaccess:
<code>
AuthType Basic
AuthUserFile /home/user/.htpasswd
AuthName "Only htpasswd users"
# allow any user listed in the file:
#   require valid-user
# or specifically as follows:
require user username
</code>
3. LDAP and htpasswd Auth
<code>
AuthLDAPAuthoritative Off
AuthUserFile /home/user/.htpasswd
Base_DN "DC=ul,DC=campus"
require user first1.lastname1 first2.lastname2 first3.lastname3 htpasswduser1 htpasswduser2
</code>

==== htaccess examples complete ====
http://www.askapache.com/htaccess/ultimate-htaccess-file-sample.html

  * http://192.168.20.20 = Apache on Internal LAN
  * http://193.1.1.10 = Apache accessible externally and internally.
<code>
mkdir /home/user/public_html/internalweb
vi /home/user/public_html/internalweb/.htaccess
# Contents of the .htaccess file:
RewriteEngine on
RewriteRule ^(.*)$ http://192.168.20.20/$1 [P]
</code>
Then browse to http://193.1.1.10/internalweb, and up comes the website on your Internal LAN.
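
The rewrite above publishes the internal site to anyone who can reach 193.1.1.10. The same mapping with access control in front of it, as an added example that is not part of the original page; it assumes Apache 2.4 with mod_proxy, mod_proxy_http and mod_ssl loaded, and reuses the page's /home/user/.htpasswd path.

```apache
# Added example (not from the original page).
# Server / virtual-host config on the externally reachable server (193.1.1.10).

# Reverse proxy only: never act as an open forward proxy.
ProxyRequests Off

<Location "/internalweb/">
    # Fixed backend: the client chooses the path, never the host.
    ProxyPass        "http://192.168.20.20/"
    # Rewrite Location headers in backend redirects so they point back
    # at this server rather than at the internal address.
    ProxyPassReverse "http://192.168.20.20/"

    # Basic auth sends the password with every request,
    # so refuse the location over plain HTTP.
    SSLRequireSSL

    AuthType Basic
    AuthName "Internal web"
    # Create entries with "htpasswd -B" so they are stored as bcrypt hashes.
    AuthUserFile /home/user/.htpasswd
    Require valid-user
</Location>
```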

The config was simple.
<code>
#1 vi /etc/apache2/apache2.conf
#Include the following line, underneath the existing LogFormat entries.
#Include the following line, underneath the existing CustomLog entry. Two CustomLog entries can be made, and both will log correctly :)
CustomLog /var/log/apache2/global_access.log global
</code>

I tried entering the CustomLog entry in apache2.conf, which should theoretically log everything; it didn't, and I had to add the CustomLog entry to all vhost configs. This might have been to do with the fact that there was a current CustomLog entry in each vhost, and it was taking preference, and that both CustomLog entries had to be made in the one location, which was in the vhost in my situation.

Mod_evasive protects against DDoS and scripted bots which can hammer a website. (I got 100's and hundreds of referral spam with "GET / HTTP/1.1"; MediaWiki kept eating up resources.) After the above apt-get install command, it's all set up and ready to go. I was able to trigger the "403 Forbidden" error by refreshing a page as fast as I could in my browser. (I also did a CTRL+r in elinks very fast.) I was initially quite worried it would catch a lot of false results, so I set up logging and email logging.

<code>
apt-get install libapache2-mod-evasive
mkdir /var/log/apache2/mod-evasive
</IfModule>
</code>
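
A complete mod_evasive block with the logging and e-mail notification mentioned above, as an added example that is not the configuration from the original page. The thresholds are the sample values from the module README; the e-mail address and the whitelist entries are assumptions.

```apache
# Added example (not from the original page).
# The Debian package registers the module as mod_evasive20.c.
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097

    # Block a client that requests the same URI more than 2 times in 1 second...
    DOSPageCount        2
    DOSPageInterval     1
    # ...or more than 50 objects anywhere on the site in 1 second.
    DOSSiteCount        50
    DOSSiteInterval     1

    # Seconds of "403 Forbidden". The timer restarts on every request
    # made while blocked, so a persistent bot stays blocked.
    DOSBlockingPeriod   10

    # One marker file per blocked IP is written here, which makes
    # false positives easy to review.
    DOSLogDir           "/var/log/apache2/mod-evasive"
    # Assumed address.
    DOSEmailNotify      admin@example.org

    # Never block these (assumed): localhost and the internal LAN.
    DOSWhitelist        127.0.0.1
    DOSWhitelist        192.168.20.*
</IfModule>
```

The DOSLogDir directory has to be writable by the user Apache runs as (www-data on Debian), otherwise no marker files appear.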
References:
  * /usr/share/doc/libapache2-mod-evasive
  * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437824 (bug about mails not being sent in lenny)
  * http://www.mydigitallife.info/2007/08/15/install-mod_evasive-for-apache-to-prevent-ddos-attacks/
  * http://www.sfr-fresh.com/unix/privat/mod_evasive_1.10.1.tar.gz:a/mod_evasive/README
  * http://edouard.peller.in/how-to-install-mod_evasive-on-debian-etch/
  * http://www.debianadmin.com/how-to-protect-apache-against-dosddos-or-brute-force-attacks.html
  * http://linuxharbour.com/content/protect-ddos-attach-apache-debian-lenny
  * http://www.novell.com/communities/node/3025/protecting-apache-against-dos-attack-modevasive