Apache


Revision as of 22:32, 17 March 2011 by Admin (Talk | contribs)


Apache Tips & Tricks:

To provide a seamless Redirect from http://site/anypage.etc to http://newsite/anypage.etc

The code should go into the specific Virtual Host or apache2.conf (httpd.conf on apache 1.3):

Redirect 301 /site http://newwebsite/site
Redirect 301 / http://newweb/

RedirectMatch 301 ^/ http://new-website.com/
#The above can be in a directory x levels deep.

RedirectMatch 302 ^/ /temporary-offline.html

See the following for RedirectMatch: http://www.askapache.com/htaccess/301-redirect-with-mod_rewrite-or-redirectmatch.html (got from the Skynet config - thanks, lads).
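The difference between the two directive families above is easy to get wrong: Redirect matches the URL-path as a prefix and appends whatever follows it to the target, while RedirectMatch replaces the whole location with its target and only inserts what the regex captured. The following Python model is an added example, not part of the original page; it emulates those documented mod_alias rules on constructed request paths, and includes one assumed path-preserving RedirectMatch variant (`^/(.*)$` with `$1`) so the two forms can be compared side by side.

```python
import re
from typing import List, Optional, Tuple

# Constructed rule table mirroring the directives in this section, plus one
# assumed path-preserving RedirectMatch variant for comparison.
# Each entry: (directive, status, pattern, target)
RULES = [
    ("Redirect", 301, "/site", "http://newwebsite/site"),
    ("Redirect", 301, "/", "http://newweb/"),
    ("RedirectMatch", 301, "^/", "http://new-website.com/"),
    ("RedirectMatch", 301, "^/(.*)$", "http://new-website.com/$1"),  # assumed variant
]


def prefix_remainder(pattern: str, path: str) -> Optional[str]:
    """Redirect semantics: the URL-path must start with the pattern and the match
    must end on a path-segment boundary; the unmatched remainder is returned."""
    if not path.startswith(pattern):
        return None
    rest = path[len(pattern):]
    if rest and not pattern.endswith("/") and not rest.startswith("/"):
        return None  # e.g. /sitemap.xml does not match the prefix /site
    return rest


def regex_substitute(pattern: str, target: str, path: str) -> Optional[str]:
    """RedirectMatch semantics: regex match on the URL-path, then $0..$9 in the
    target are replaced by the captured groups; nothing else is appended."""
    m = re.search(pattern, path)
    if not m:
        return None

    def group(ref):
        idx = int(ref.group(1))
        return m.group(idx) if idx <= len(m.groups()) else ""

    return re.sub(r"\$(\d)", group, target)


def resolve(path: str, rules: List[Tuple[str, int, str, str]] = RULES) -> Optional[Tuple[int, str]]:
    """Return (status, Location) from the first matching rule, as mod_alias does."""
    for directive, status, pattern, target in rules:
        if directive == "Redirect":
            rest = prefix_remainder(pattern, path)
            if rest is not None:
                return status, target + rest
        elif directive == "RedirectMatch":
            location = regex_substitute(pattern, target, path)
            if location is not None:
                return status, location
    return None


if __name__ == "__main__":
    for path in ("/site/anypage.etc", "/sitemap.xml", "/docs/anypage.etc"):
        for rule in RULES:
            print(f"{rule[0]:13} {rule[2]:10} {path:20} -> {resolve(path, [rule])}")
```

Running it shows that `RedirectMatch 301 ^/ http://new-website.com/` sends every request to the new site's root, so a seamless page-for-page move needs either the plain `Redirect 301 /` form or a capture group in the RedirectMatch target.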

Redirect from http to https

If you want to force people to use https, or redirect them seamlessly to https:// without them having to type in the address, here is how you can do it with Apache using a .htaccess file:

SSLRequireSSL
ErrorDocument 403 https://securewebsite/page.html

Note that the above is only a hack: ErrorDocument catches every 403, not just the one SSLRequireSSL raises. If another 403 (access denied) occurs alongside it, for example because a "deny from all" is in effect or file permissions are set incorrectly, the https page itself answers 403 and the browser is sent round in an endless loop. I'm sure there are other ways of seamlessly redirecting http to https, but this is a quick one.

Apache Error Codes

200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content
300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
303 See Other
304 Not Modified
305 Use Proxy
400 Bad Request
401 Authorization Required
402 Payment Required (not used yet)
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable (encoding)
407 Proxy Authentication Required
408 Request Timed Out
409 Conflicting Request
410 Gone
411 Content Length Required
412 Precondition Failed
413 Request Entity Too Long
414 Request URI Too Long
415 Unsupported Media Type
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported

Not a definitive list. Information obtained from: http://bignosebird.com/apache/a5.shtml

Apache REWRITE Module:

Here's a nice one: mod_rewrite, which is extremely powerful. I am only using one or two examples. Write the following examples straight into a .htaccess file :-)

# 1. Serves requests for .html files from the matching .php file (internal rewrite, the browser still sees .html)
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.*)\.html$ $1.php [NC]
# 2. Redirects all .html requests to the matching .php file on another server
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.+)\.html$ http://www.server.com/$1.php [R=301,NC]
# 3. This is the best one for reasons I won't divulge. It does need tweaking, but works.
# The [P] flag makes Apache fetch the page from the internal server and relay it (requires mod_proxy)
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.*)$ http://internal-lan-server/$1 [P]

Display text (footer) under an Apache file listing

Put the following code in a .htaccess file, or in the apache.conf

ReadmeName filetoputatbottom
# or
ReadmeName /path/to/file

The filetoputatbottom file may have to be an HTML page in order to be included correctly. If the above doesn't work, give the file a .html extension and update the .htaccess accordingly. That's it. You will see something similar to: http://sburke.eu/webdev/apachefooterlisting/ This is very useful for showing a README explanation underneath a listing of downloadable files; download or install instructions can be placed there as required.

References:


http://www.widexl.com/scripts/documentation/mod_rewrite.html

http://adstil.indiatimes.com/manual/misc/rewriteguide.html (Apache 1.3 though)

http://corz.org/serv/tricks/htaccess2.php

http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html

AllowOverride in Apache Configs for .htaccess

Apache's default AllowOverride for a directory such as www.website.com/pageabc is None, which means .htaccess files in pageabc are ignored. Instead of allowing everything with AllowOverride All, individual directive groups can be allowed or disallowed. This is much better, because AllowOverride All lets a .htaccess file override a great deal of the server configuration.

AllowOverride Limit Indexes
# Limit allows the Allow, Deny and Order directives; Indexes allows control over how directory listings are displayed
AllowOverride FileInfo
# FileInfo allows mod_rewrite directives in .htaccess files

The full doc is at:

http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride

AllowOverride for mod_rewrite: it is quite common to have rewrite rules in a .htaccess file. Without allowing the full override, the following can be done:

        <Directory />
                Options FollowSymLinks Indexes MultiViews
                AllowOverride FileInfo
        </Directory>


htaccess Auth using LDAP and htpasswd

1. LDAP Auth Only

LDAP_Debug On
AuthName "Only LDAP domain1 or domain2"
AuthType Basic
AuthOnBind On
LDAP_Server "ldap server ip"
LDAP_Port 389
UID_Attr cn
Sub_DN "OU=Users,ou=staff"
AltSub_DN "OU=Users,ou=undergraduate"
Base_DN "DC=ul,DC=campus"
require user first1.lastname1 first2.lastname2 first3.lastname3

2. Htpasswd Auth Only

Run the following from the cmd line:

htpasswd -bn username pass

Put the resulting line (username:DGdmxkU03XUJo) into a .htpasswd file and reference it from a .htaccess as follows:

AuthUserFile /home/user/.htpasswd
AuthName "Only htpasswd users"
AuthType Basic
require valid-user
#or specifically as follows:
require user username
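To make the pieces of section 2 concrete, here is an added Python model (not code from the page) of what Apache does with those directives: it parses a .htpasswd file, decodes the browser's Basic Authorization header, verifies the password, and then applies either `require valid-user` or `require user a b ...`. The .htpasswd content is constructed inline and uses the `{SHA}` form that `htpasswd -s` writes, because the default crypt(3) form shown above (DGdmxkU03XUJo) needs the system crypt library; the "ok" / "bad-credentials" / "not-permitted" labels are an assumption for illustration, since Apache answers both failure cases with 401 by default.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple, Union


def sha_entry(password: str) -> str:
    """The {SHA} hash form that `htpasswd -s` writes: base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed .htpasswd contents (not a real file).
HTPASSWD_TEXT = "\n".join([
    "username:" + sha_entry("pass"),
    "alice:" + sha_entry("correct horse"),
    "",
])

# Dummy entry compared against when the user is unknown, so that unknown and
# wrong-password attempts take the same time (assumption, not Apache's code).
DUMMY_ENTRY = "{SHA}" + "A" * 28


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash; blank lines and '#' comments are skipped (assumption)."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(stored: str, password: str) -> bool:
    """Verify a {SHA} entry with a constant-time comparison."""
    if not stored.startswith("{SHA}"):
        return False  # other hash formats are outside this example
    return hmac.compare_digest(stored, sha_entry(password))


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'; None if absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


Require = Union[str, Tuple[str, List[str]]]


def authorize(header: Optional[str], users: Dict[str, str], require: Require) -> str:
    """Apply AuthUserFile plus 'require valid-user' or ('user', [names]).

    Returns "ok", "bad-credentials" (no or invalid login) or "not-permitted"
    (valid login, but the user is not in the require list).
    """
    creds = parse_basic_auth(header)
    if creds is None:
        return "bad-credentials"
    user, password = creds
    if not check_password(users.get(user, DUMMY_ENTRY), password):
        return "bad-credentials"
    if require == "valid-user":
        return "ok"
    kind, names = require
    if kind == "user" and user in names:
        return "ok"
    return "not-permitted"


if __name__ == "__main__":
    users = parse_htpasswd(HTPASSWD_TEXT)
    print(authorize(basic_header("username", "pass"), users, "valid-user"))
    print(authorize(basic_header("username", "pass"), users, ("user", ["alice"])))
```

The point worth noticing is the last branch: a correct password is not enough once `require user` names specific accounts, which is why the combined LDAP/htpasswd config in section 3 has to list the htpasswd users explicitly in its require line.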

3. LDAP and htpasswd Auth

AuthLDAPAuthoritative Off
AuthUserFile /home/user/.htpasswd
LDAP_Debug On
AuthName "LDAP domain1 or domain2; or htpasswd users."
AuthType Basic
AuthOnBind On
LDAP_Server "ldap server ip"
LDAP_Port 389
UID_Attr cn
Sub_DN "OU=Users,ou=staff"
AltSub_DN "OU=Users,ou=undergraduate"
Base_DN "DC=ul,DC=campus"
require user first1.lastname1 first2.lastname2 first3.lastname3 htpasswduser1 htpasswduser2

Complete .htaccess examples

http://www.askapache.com/htaccess/ultimate-htaccess-file-sample.html

Multiviews - Automatically append file extension

If you have the file /var/www/foo.html and browse to http://localhost/foo, foo.html will be shown. The MultiViews option controls this. Typically this option is set in the VirtualHost; it can also be disabled with "Options -MultiViews" in a .htaccess.

This MultiViews behaviour caused problems when doing rewrites.

Reference: http://www.gerd-riesselmann.net/archives/2005/04/beware-of-apaches-multiviews

Apache2 Common Configs

How to setup CGI with Apache: http://httpd.apache.org/docs/2.0/howto/cgi.html

Core Directives, Usage and Syntax: http://httpd.apache.org/docs/2.0/mod/core.html


Apache Rewrite via mod_proxy

If you have a web server running on an internal LAN, and a website on an external web server that can also reach the LAN, it is possible to proxy requests through the external web server to the inside of your LAN. In the example, http://192.168.20.20 is the Apache on the internal LAN and http://193.1.1.10 is the Apache accessible both externally and internally.

mkdir /home/user/public_html/internalweb
vi /home/user/public_html/internalweb/.htaccess
# contents of the .htaccess:
RewriteEngine on
RewriteRule ^(.*)$ http://192.168.20.20/$1 [P]

Then browse to http://193.1.1.10/internalweb, and up comes the website on your internal LAN. Note that every path under /internalweb is relayed, so whatever access control the internal site relies on now has to be applied on the external server as well.


Links:

http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html

http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html

http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html


Centralised Apache Logging

After a recent OOM (out-of-memory) event caused by Apache, I wanted to be able to see exactly what requests were handled or received by Apache during a specific timeframe. It was a bit of a pain having to go looking in the many access log files, one for each vhost. As a result I wanted to set up a global access log file on top of the existing log files for each vhost.

This global log file will also be used later on to graph bandwidth usage across multiple vhosts.

The config was simple.

#1 vi /etc/apache2/apache2.conf
#Include the following line, underneath the existing LogFormat entries.
LogFormat "%h %t %v %X %D \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" global
#For a complete list of what the above letters mean, head over to: http://httpd.apache.org/docs/2.0/mod/mod_log_config.html

#2 vi /etc/apache2/sites-enabled/vhost-name
#Include the following line, underneath the existing CustomLog entry. Two CustomLog entries can be made, and both will log correctly :)
CustomLog /var/log/apache2/global_access.log global

I tried entering the CustomLog entry in apache2.conf, which should theoretically log everything, but it didn't, and I had to add the CustomLog entry to all vhost configs. This might have been because there was already a CustomLog entry in each vhost which took preference, so both CustomLog entries had to be made in the one location, which in my situation was the vhost.

Be careful: this file will grow substantially in size! Check that it gets rotated by logrotate in /etc/logrotate.d/apache2. By default all *.log files in /var/log/apache2/ get rotated and compressed.

References:
http://httpd.apache.org/docs/2.0/logs.html
http://httpd.apache.org/docs/2.0/mod/mod_log_config.html#customlog
http://httpd.apache.org/docs/2.0/mod/mod_log_config.html#formats

More to follow on generating nice stats from this global log file.
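As an added example (not code from the page), the following Python parser reads lines written in the `global` LogFormat above and answers the two questions this section set out to answer: which requests arrived in a given time window, and how many bytes each vhost served. The log lines are constructed for the example; the regex follows the format string field by field (`%X` is `X`, `+` or `-`, `%D` is microseconds, `%b` is `-` when no body was sent, and quotes inside the quoted fields arrive escaped as `\"`). Lines in another format, such as the per-vhost combined logs, are skipped rather than mis-parsed.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Union

# Field-by-field regex for:  %h %t %v %X %D "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
QUOTED = r'(?:[^"\\]|\\.)*'  # quoted field; Apache escapes embedded quotes as \"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] (?P<vhost>\S+) (?P<conn>[X+-]) (?P<usec>\d+) '
    rf'"(?P<request>{QUOTED})" (?P<status>\d{{3}}) (?P<bytes>\d+|-) '
    rf'"(?P<referer>{QUOTED})" "(?P<agent>{QUOTED})"$'
)

# Constructed sample of global_access.log (addresses from documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 [17/Mar/2011:22:10:01 +0000] wiki.example.org + 1532 "GET /index.php?title=Apache HTTP/1.1" 200 8421 "-" "Mozilla/5.0 (constructed)"
203.0.113.5 [17/Mar/2011:22:10:02 +0000] wiki.example.org + 210 "GET /skins/common.css HTTP/1.1" 304 - "http://wiki.example.org/index.php?title=Apache" "Mozilla/5.0 (constructed)"
198.51.100.7 [17/Mar/2011:22:10:30 +0000] files.example.org - 98122 "GET /iso/debian.iso HTTP/1.1" 200 1048576 "-" "Wget/1.12 (constructed)"
198.51.100.9 [17/Mar/2011:22:15:45 +0000] wiki.example.org X 4100 "POST /index.php?title=Special:UserLogin HTTP/1.1" 200 512 "-" "curl/7.21 (constructed)"
203.0.113.5 - - [17/Mar/2011:22:16:00 +0000] "GET / HTTP/1.1" 200 10 (a combined-format line, not global; skipped)
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a record dict for a global-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["usec"] = int(rec["usec"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def parse_log(text: str) -> List[dict]:
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def _as_dt(value: Union[str, datetime]) -> datetime:
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def requests_between(records: List[dict], start, end) -> List[dict]:
    """Requests with start <= time < end; bounds may be datetimes or ISO-8601 strings."""
    s, e = _as_dt(start), _as_dt(end)
    return [r for r in records if s <= r["time"] < e]


def bytes_per_vhost(records: List[dict]) -> Dict[str, int]:
    """Response bytes per vhost, the input for graphing bandwidth across vhosts."""
    totals: Dict[str, int] = {}
    for r in records:
        totals[r["vhost"]] = totals.get(r["vhost"], 0) + r["bytes"]
    return totals


def slowest(records: List[dict], n: int = 3) -> List[dict]:
    """The n requests that took longest to serve (%D, microseconds)."""
    return sorted(records, key=lambda r: r["usec"], reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    window = requests_between(recs, "2011-03-17T22:10:00+00:00", "2011-03-17T22:11:00+00:00")
    for r in window:
        print(r["time"].isoformat(), r["vhost"], r["request"], r["status"], r["usec"])
    print(bytes_per_vhost(recs))
```

Because the records keep `%X` and `%D`, the same parser can also pick out aborted connections (`X`) and the slowest requests, which is usually where an investigation of an out-of-memory event wants to start.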

Additional Modules Used

mod_evasive

apt-get install libapache2-mod-evasive

mod_evasive protects against DDoS attacks and scripted bots that can hammer a website. (I got hundreds and hundreds of referral-spam "GET / HTTP/1.1" requests, and MediaWiki kept eating up resources.) After the above apt-get install command, it's all set up and ready to go. I was able to trigger the "403 Forbidden" error by refreshing a page as fast as I could in my browser (also by pressing CTRL+r in elinks very fast). I was initially quite worried it would catch a lot of false positives, so I set up logging and email notification.

apt-get install libapache2-mod-evasive
mkdir /var/log/apache2/mod-evasive
chown www-data:www-data /var/log/apache2/mod-evasive

vi /etc/apache2/apache2.conf
#add
<IfModule mod_evasive20.c>
       DOSEmailNotify      root@burkesys.com
       DOSLogDir           /var/log/apache2/mod-evasive
</IfModule>

ln -s /usr/bin/mail /bin/mail

# Done. Watch the logs.
# The default settings for mod_evasive on Debian Lenny are documented in:
zless /usr/share/doc/libapache2-mod-evasive/README.gz
# Let's see how these settings go.
APACHE v2.0
-----------
<IfModule mod_evasive20.c>
   DOSHashTableSize    3097
   DOSPageCount        2
   DOSSiteCount        50
   DOSPageInterval     1
   DOSSiteInterval     1
   DOSBlockingPeriod   10
</IfModule>
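To see why refreshing "as fast as I could" trips the defaults above, and why one request per second never does, here is an added Python model (not the module's own code) of the counters those settings drive, built from the documented semantics: DOSPageCount requests for the same URI within DOSPageInterval, or DOSSiteCount requests for anything within DOSSiteInterval, put the client address on the block list; while blocked, every request gets 403 and restarts the DOSBlockingPeriod timer. The request trace is constructed; the exact threshold comparison (`count >= DOSPageCount` on the next hit) is an assumption.

```python
from typing import Dict, List, Tuple

# (seconds, client address, URI) - a constructed trace with two clients.
TRACE: List[Tuple[float, str, str]] = [
    (0.0, "203.0.113.5", "/"),
    (0.0, "198.51.100.7", "/"),
    (0.2, "203.0.113.5", "/"),
    (0.4, "203.0.113.5", "/"),        # third hit on the same page inside 1 s
    (1.0, "198.51.100.7", "/"),       # one request per second
    (2.0, "198.51.100.7", "/"),
    (5.0, "203.0.113.5", "/other"),   # still inside the blocking period
    (14.0, "203.0.113.5", "/other"),  # 9 s after the last refusal, timer was restarted
    (30.0, "203.0.113.5", "/other"),  # block expired
]


class EvasiveModel:
    """Toy model of mod_evasive's per-client counters (assumed from the README semantics)."""

    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10):
        self.page_count = page_count
        self.site_count = site_count
        self.page_interval = page_interval
        self.site_interval = site_interval
        self.blocking_period = blocking_period
        self.page_hits: Dict[Tuple[str, str], List[float]] = {}  # (ip, uri) -> [last, count]
        self.site_hits: Dict[str, List[float]] = {}              # ip -> [last, count]
        self.blocked: Dict[str, float] = {}                      # ip -> time of last refusal

    @staticmethod
    def _hit(table, key, now, interval, threshold) -> bool:
        """Count a hit; True when the previous hits in this interval already reached the threshold."""
        entry = table.get(key)
        if entry is None:
            table[key] = [now, 1]
            return False
        last, count = entry
        over = (now - last < interval) and (count >= threshold)
        if now - last >= interval:
            count = 0  # interval elapsed: start counting afresh
        entry[0], entry[1] = now, count + 1
        return over

    def request(self, ip: str, uri: str, now: float) -> int:
        """Return the status the model would give: 200 or 403."""
        last_refusal = self.blocked.get(ip)
        if last_refusal is not None:
            if now - last_refusal < self.blocking_period:
                self.blocked[ip] = now  # each refused request restarts the timer
                return 403
            del self.blocked[ip]
        page_over = self._hit(self.page_hits, (ip, uri), now, self.page_interval, self.page_count)
        site_over = self._hit(self.site_hits, ip, now, self.site_interval, self.site_count)
        if page_over or site_over:
            self.blocked[ip] = now
            return 403
        return 200


def simulate(trace: List[Tuple[float, str, str]], **settings) -> List[int]:
    """Run a trace through the model and return the status for each request."""
    model = EvasiveModel(**settings)
    return [model.request(ip, uri, t) for t, ip, uri in trace]


if __name__ == "__main__":
    for (t, ip, uri), status in zip(TRACE, simulate(TRACE)):
        print(f"t={t:5.1f} {ip:14} {uri:8} -> {status}")
```

With the Debian defaults (DOSPageCount 2, DOSPageInterval 1) a browser that fires three requests for one page inside a second is blocked on the third, and a page that pulls in a stylesheet and images from the same origin can do that on its own, which is the false-positive risk worth checking in the DOSLogDir output before trusting the defaults.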

References: /usr/share/doc/libapache2-mod-evasive
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437824 (bug about mails not being sent in lenny)
http://www.mydigitallife.info/2007/08/15/install-mod_evasive-for-apache-to-prevent-ddos-attacks/
http://www.sfr-fresh.com/unix/privat/mod_evasive_1.10.1.tar.gz:a/mod_evasive/README
http://edouard.peller.in/how-to-install-mod_evasive-on-debian-etch/
http://www.debianadmin.com/how-to-protect-apache-against-dosddos-or-brute-force-attacks.html
http://linuxharbour.com/content/protect-ddos-attach-apache-debian-lenny
http://www.novell.com/communities/node/3025/protecting-apache-against-dos-attack-modevasive
