Annotated edit history of ApacheNotes version 30, including all changes.
!!! Installation

If you're going to compile and install [Apache] from source, use the [Apache Toolbox | http://www.apachetoolbox.com/].



!!! Securing [Apache]

[Apache] recently featured in a [list of security problems | http://isc.sans.org/top20.html]. These generally boil down to configuration mistakes. Points to note when installing, configuring and maintaining [Apache] include:

__[CGI] scripts__:
Probably the biggest problem. Upload and [CGI] directories need to be distinct (so people can't upload "improved" [CGI] scripts) and as small as possible.

Apache2 makes it easier to run different scripts, or even different Virtual Hosts, as different users rather than as the user that [Apache] itself runs as.

__Chroot prisons__:
Running in a chroot prison limits the damage that can be done should an application be compromised. See [chroot(2)] for details. Apache2 has better support for this.

See also:
* [http://httpd.apache.org/docs/misc/security_tips.html]

__FireWall~ing [Apache]__:
You should probably FireWall the [Apache] user from connecting out to the InterNet unless you know that it actually has to. Doing this prevents a lot of the exploits that people will attempt against your WebSite. The same idea can be applied to other services.

<verbatim>
# Both rules use --insert, so the LOG rule (added second) ends up above the REJECT
# rule: each outbound connection attempt by www-data is logged, then refused.
iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump REJECT
iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump LOG
</verbatim>

!!Two minute Apache 2 self signed SSL configuration

Can't get much better than this! From [the Ubuntu forums|http://ubuntuforums.org/showthread.php?p=19832]:

<pre>
apt-get install apache2
apache2-ssl-certificate -days 3650
</pre>
and answer the questions. It will default to 30 days if you don't specify your own number!

Enable ssl: =a2enmod ssl= <br>
Configure a vhost:
<pre>
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
a2ensite ssl
</pre>

"/etc/apache2/sites-enabled/ssl" should look like this:

<verbatim>
NameVirtualHost *:443
<VirtualHost *:443>
(... configure the directories too...)
</verbatim>

In /etc/apache2/ports.conf, add =Listen 443= <br>
In the middle of the /etc/apache2/sites-available/ssl file, insert these two lines:
<pre>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
</pre>

=/etc/init.d/apache2 force-reload= and you're away.

!!! Extra information in directory listings

You can have additional information displayed at the top and bottom of a <tt>mod_autoindex</tt> directory listing by putting the text in a file called <tt>HEADER</tt> or <tt>README</tt>, respectively. Either file can have any FileExtension (or none). To enable this feature, you will need <tt>~MultiViews on</tt> to be in effect for that request.


!!! Apache and [IPv6]
Tell apache to listen on "::", which is the IPv6 equivalent of 0.0.0.0, on whatever port. Eg, in httpd.conf:
<verbatim>
Listen :::80
BindAddress ::
</verbatim>

If you want a ~VirtualHost available on both IPv4 and IPv6, give it a name that resolves to both a v4 and a v6 address. It won't work if you use a name that doesn't have a v6 address and then try to use ~ServerName or ~ServerAlias. Eg:

<verbatim>
$ host wlug.org.nz
wlug.org.nz A 203.97.10.50
$ host -t aaaa wlug.org.nz
wlug.org.nz AAAA record currently not present
$ host -t a www.wlug.org.nz
www.wlug.org.nz CNAME hoiho.wlug.org.nz
hoiho.wlug.org.nz A 203.97.10.50
$ host -t aaaa www.wlug.org.nz
www.wlug.org.nz CNAME hoiho.wlug.org.nz
hoiho.wlug.org.nz AAAA 2002:CB61:A32:0:0:0:0:1
</verbatim>

!Doesn't Work:
<verbatim>
<VirtualHost wlug.org.nz:80>
ServerName www.wlug.org.nz
ServerAlias wlug.org.nz
ServerAlias www2.wlug.org.nz
...
</verbatim>

(Apache can't resolve wlug.org.nz to an IPv6 address, so this vhost won't be available via IPv6.)

!Does work:

<verbatim>
<VirtualHost www.wlug.org.nz:80>
ServerName www.wlug.org.nz
ServerAlias wlug.org.nz
ServerAlias www2.wlug.org.nz
...
</verbatim>


!!! Rotating your logs

Want to rotate all of your separate ~VirtualHost log files without restarting [Apache]? Use a little-known tool that comes with [Apache] called rotatelogs(8).

Change your ~TransferLog lines to:

<verbatim>
# the last argument is the rotation interval in seconds
TransferLog "|/path/to/rotatelogs /your/log/file.log 64800"
</verbatim>

Read the ManPage for more information, or replace it with ~CronoLog, which has more features.

!! Errors on log rotation
Some people encounter a problem where apache dies on log rotation. It's not the actual rotation that's the problem, it's the "graceful restart" that the logrotate program sends to apache. This only seems to affect people using Debian Woody, and only with some undetermined set of conditions. Here is our setup:
<verbatim>
ii apache 1.3.27-0.1.ipv6.r2 Versatile, high-performance HTTP server
ii apache-common 1.3.27-0.1.ipv6.r2 Support files for all Apache webservers
ii libapache-auth-ldap 1.6.0-3 LDAP authentication module for Apache
ii libapache-mod-gzip 1.3.19.1a-5 HTTP compression module for Apache
ii libapache-mod-ldap 1.4-3 Apache authentication via LDAP directory
ii libapache-mod-perl 1.27-3.ipv6.r1 Integration of perl with the Apache web server
ii libapache-mod-ruby 0.9.7-2 Embedding Ruby in the Apache web server
ii libapache-mod-ssl 2.8.9-2.4 Strong cryptography (HTTPS support) for Apache
ii libapache-reload-perl 0.07-1 Reload changed modules in a mod_perl environment
</verbatim>
We are using backports of apache 1.3, for [IPv6] support.
Other possibly relevant info:
<verbatim>
ii php4 4.1.2-7.0.1
ii php4-cgi 4.1.2-7.0.1
ii php4-ldap 4.1.2-7.0.1
ii php4-pgsql 4.1.2-4
ii phppgadmin 2.4.1-2
</verbatim>
Also using a 2.6 series Linux Kernel.

When it happens, the following is in /var/log/apache/error.log:
<verbatim>
[Wed Feb 23 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart
accept_mutex_on: Identifier removed
[Wed Feb 23 06:26:03 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.1.2 mod_ssl/2.8.9 OpenSSL/0.9.6c mod_perl/1.27 configured -- resuming normal operations
[Wed Feb 23 06:26:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Wed Feb 23 06:26:03 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed Feb 23 06:26:03 2005] [alert] Child 6894 returned a Fatal error...
Apache is exiting!
</verbatim>

Each time that the reload fails, there is a message about __accept_mutex_on__ or __accept_mutex_off: Invalid argument__ in the error.log file that isn't present when the reload succeeds.

Also note that logrotate runs the 'postrotate' section (in apache's case, the reload) every day, even if it only rotates the log files every week.

Suggested workarounds include:
* replacing '/etc/init.d/apache reload' in /etc/logrotate.d/apache with '/etc/init.d/apache restart', although that will result in your server being inaccessible for at least several seconds.
* using cronolog or something else, and removing apache from the logrotate system.
* using the 'HUP' signal instead of the 'USR1' signal. (See http://httpd.apache.org/docs/stopping.html).
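As an added example (not part of the original notes), a small Python check that walks an error.log and reports which graceful restarts ended with Apache exiting, using the accept_mutex message as the discriminator described above. The log lines are constructed, modelled on the excerpt.

```python
import re

# Constructed sample modelled on the error.log excerpt above; not a real capture.
SAMPLE_LOG = """\
[Wed Feb 23 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart
accept_mutex_on: Identifier removed
[Wed Feb 23 06:26:03 2005] [notice] Apache/1.3.27 (Unix) configured -- resuming normal operations
[Wed Feb 23 06:26:03 2005] [alert] Child 6894 returned a Fatal error...
Apache is exiting!
[Thu Feb 24 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart
[Thu Feb 24 06:26:02 2005] [notice] Apache/1.3.27 (Unix) configured -- resuming normal operations
[Fri Feb 25 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart
accept_mutex_off: Invalid argument
[Fri Feb 25 06:26:01 2005] [alert] Child 7001 returned a Fatal error...
Apache is exiting!
"""

STAMP = re.compile(r"^\[(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\]")
MUTEX = re.compile(r"^accept_mutex_(on|off): (.+)$")


def graceful_restarts(text):
    """One record per SIGUSR1 graceful restart: its timestamp, the accept_mutex
    message seen before the next restart (if any), and whether Apache exited."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m and "SIGUSR1 received" in line:
            records.append({"when": m.group(1), "mutex": None, "exited": False})
        elif not records:
            continue            # lines before the first restart are ignored
        elif MUTEX.match(line):
            records[-1]["mutex"] = line
        elif line.startswith("Apache is exiting"):
            records[-1]["exited"] = True
    return records


def failed_restarts(text):
    """Only the restarts that killed the server; these should be alerted on."""
    return [r for r in graceful_restarts(text) if r["exited"]]
```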


!!!Apache-ssl with ~AuthUserFile complains "User not found"
* This can occur if you have:
<pre>
~LoadModule auth_module /usr/lib/apache/1.3/mod_auth_ssl.so
''...''
~LoadModule apache_ssl_module /usr/lib/apache/1.3/libssl.so
</pre>
The solution is to swap the order so that apache_ssl_module comes first. (Obscure!)
* Another possible cause is that the SSLFakeBasicAuth option has been enabled while trying to use standard basic auth, i.e. "AuthType Basic" (this seems to have hit a number of Debian users after the upgrade to sarge).
The solution is to turn off SSLFakeBasicAuth.

!!!Getting Apache2 + mod_auth_ldap + ldap over SSL/TLS working

* You should only do this if you have already got your webserver running through SSL/TLS, otherwise your LDAP details will go between the client and server in plaintext!
* Make sure you have mod_ldap and mod_auth_ldap enabled (under Debian use a2enmod).
* You need to add the following two lines to your main apache2.conf to enable SSL:
<verbatim>
LDAPTrustedCA <CA CERT FILE>
LDAPTrustedCAType BASE64_FILE
</verbatim>
This assumes that you have a CA cert that has signed your LDAP server's key. The documentation suggests that if mod_ldap is compiled against openldap you may not require this to be the case, but you __must__ add some sort of CA cert to make mod_ldap enable SSL. BASE64_FILE indicates that the CA file is in the (default for openssl) PEM format.
* Check that your main apache2 error log lists something like the following when it starts up:
<verbatim>
[notice] LDAP: Built with OpenLDAP LDAP SDK
[notice] LDAP: SSL support available
</verbatim>
* Add your authentication configuration to your Location, Directory or .htaccess files:
<verbatim>
<Location /path/to/auth/stuff>
AuthType Basic
AuthName "MyAuthArea"
AuthLDAPURL "ldaps://<HOST>/ou=People,<BASEDN>?uid"
Require valid-user
</Location>
</verbatim>
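An added example, not from the original notes or from Apache itself: a Python lint over constructed apache2 configuration fragments that flags the three mistakes the steps above warn about (LDAP auth in a vhost that is not behind SSL, a non-ldaps:// AuthLDAPURL, and ldaps:// without LDAPTrustedCA in the main config). The file contents, host names and paths are made up.

```python
import re

# Constructed config fragments (not from any real server); the "default" vhost
# deliberately has the unsafe setup so the check has something to flag.
MAIN_CONF = """\
LDAPTrustedCA /etc/ssl/certs/example-ca.pem
LDAPTrustedCAType BASE64_FILE
"""

SITES = {
    "ssl": """\
<VirtualHost *:443>
SSLEngine On
<Location /intranet>
AuthType Basic
AuthLDAPURL "ldaps://ldap.example.test/ou=People,dc=example,dc=test?uid"
Require valid-user
</Location>
</VirtualHost>
""",
    "default": """\
<VirtualHost *:80>
<Location /admin>
AuthType Basic
AuthLDAPURL "ldap://ldap.example.test/ou=People,dc=example,dc=test?uid"
Require valid-user
</Location>
</VirtualHost>
""",
}

LDAP_URL = re.compile(r'^\s*AuthLDAPURL\s+"?(\w+)://', re.M)


def check_ldap_auth(main_conf, sites):
    """Return (site, problem) pairs for LDAP auth that leaks credentials or
    cannot negotiate TLS. sites maps a site name to its config text."""
    problems = []
    has_ca = re.search(r"^\s*LDAPTrustedCA\s+\S", main_conf, re.M) is not None
    for name, conf in sites.items():
        ssl_on = re.search(r"^\s*SSLEngine\s+on", conf, re.I | re.M) is not None
        for m in LDAP_URL.finditer(conf):
            if not ssl_on:
                problems.append((name, "AuthLDAPURL in a vhost without SSLEngine On: "
                                       "the browser sends the LDAP password in the clear"))
            if m.group(1) != "ldaps":
                problems.append((name, "AuthLDAPURL is not ldaps://: Apache talks to LDAP in the clear"))
            elif not has_ca:
                problems.append((name, "ldaps:// without LDAPTrustedCA in apache2.conf: mod_ldap will not enable SSL"))
    return problems
```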


!!! See also

* NameVirtualHosting
* ModBackhand
* ApacheReverseProxy
* [SargeApache2Notes]
* AwStatsNotes