| Rev | Author | # | Line |
|---|---|---|---|
| 17 | DanielLawson | 1 | !!! Installation |
| 2 | |||
| 3 | If you're going to compile and install [Apache] from source, use the [Apache Toolbox | http://www.apachetoolbox.com/]. | ||
| 4 | |||
| 5 | |||
| 6 | |||
| 7 | !!! Securing [Apache] | ||
| 8 | |||
| 9 | [Apache] recently featured in a [list of security problems | http://isc.sans.org/top20.html]. They generally boil down to configuration mistakes. Points to note when installing, configuring and mantaining [Apache] include: <br> <br> : | ||
| 10 | |||
| 11 | __[CGI] scripts__: | ||
| 12 | Probably the biggest problem. Upload and [CGI] directories need to be distinct (so people can't upload "improved" [CGI] scripts) and as small as possible. | ||
| 13 | |||
| 14 | Apache2 makes it easier to run different scripts or even different Virtual Hosts as different users, rather than as the user that [Apache] is running as. | ||
| 15 | |||
| 16 | __Chroot prisons__: | ||
| 17 | Running in a chroot prison limits the damage than can be done should an application be compromised. See [chroot(2)] for details. Apache2 has better support for this. | ||
| 18 | |||
| 19 | See also: | ||
| 20 | * [http://httpd.apache.org/docs/misc/security_tips.html] | ||
| 21 | <br> | ||
| 22 | |||
| 23 | __FireWall~ing [Apache]__: | ||
| 24 | You probably should FireWall the [Apache] user from connecting out to the InterNet unless you know that they actually have to. Doing this prevents a lot of exploits that people will attempt against your WebSite. The same idea can be applied to other services. | ||
| 25 | |||
| 26 | <verbatim> | ||
| 27 | iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump REJECT | ||
| 28 | iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump LOG | ||
| 29 | </verbatim> | ||
| 26 | CraigBox | 30 | |
| 31 | !!Two minute Apache 2 self signed SSL configuration | ||
| 32 | |||
| 33 | Can't get much better than this! From [the Ubuntu forums|http://ubuntuforums.org/showthread.php?p=19832]: | ||
| 34 | |||
| 35 | <pre> | ||
| 36 | apt-get install apache2 | ||
| 30 | CraigBox | 37 | apache2-ssl-certificate -days 3650 |
| 26 | CraigBox | 38 | </pre> |
| 30 | CraigBox | 39 | and answer the questions. It will default to 30 days if you don't specify your own number! |
| 26 | CraigBox | 40 | |
| 41 | Enable ssl: =a2enmod ssl= <br> | ||
| 42 | Configure a vhost: | ||
| 43 | <pre> | ||
| 44 | cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl | ||
| 45 | a2ensite ssl | ||
| 46 | </pre> | ||
| 47 | |||
| 48 | "/etc/apache2/sites-enabled/ssl" should look like this: | ||
| 49 | |||
| 50 | <verbatim> | ||
| 51 | NameVirtualHost *:443 | ||
| 52 | <VirtualHost *:443> | ||
| 53 | (... configure the directories too...) | ||
| 54 | </verbatim> | ||
| 55 | |||
| 56 | In /etc/apache2/ports.conf, add =Listen 443= <br> | ||
| 57 | In the middle of /etc/apache2/sites-available/ssl file, insert these two lines: | ||
| 58 | <pre> | ||
| 59 | SSLEngine On | ||
| 60 | SSLCertificateFile /etc/apache2/ssl/apache.pem | ||
| 61 | </pre> | ||
| 62 | |||
| 63 | =/etc/init.d/apache2 force-reload= and you're away. | ||
| 17 | DanielLawson | 64 | |
| 65 | !!! Extra information in directory listings | ||
| 66 | |||
| 67 | You can have additional information displayed at the top and bottom of a <tt>mod_autoindex</tt> directory listing by putting the text in a file called <tt>HEADER</tt> and <tt>README</tt>, respectively. Either file can any have FileExtension (or none). To enable this feature, you will need <tt>~MultiViews on</tt> to be in effect for that request. | ||
| 20 | JohnMcPherson | 68 | |
| 19 | JohnMcPherson | 69 | |
| 70 | !!! Apache and [IPv6] | ||
| 20 | JohnMcPherson | 71 | Tell apache to listen on "::", which is the ipv6 version of 0.0.0.0, on whatever port. Eg, in httpd.conf: |
| 72 | <verbatim> | ||
| 73 | Listen :::80 | ||
| 74 | BindAddress :: | ||
| 75 | </verbatim> | ||
| 76 | |||
| 19 | JohnMcPherson | 77 | If you want a ~VirtualHost available on both IPv4 and IPv6, then give it a name that resolves to both a v4 and v6 address. It won't work if you give use a name that doesn't have a v6 address, and then try to use ~ServerName or ~ServerAlias. Eg: |
| 78 | |||
| 79 | <verbatim> | ||
| 80 | $ host wlug.org.nz | ||
| 81 | wlug.org.nz A 203.97.10.50 | ||
| 82 | $ host -t aaaa wlug.org.nz | ||
| 83 | wlug.org.nz AAAA record currently not present | ||
| 84 | $ host -t a www.wlug.org.nz | ||
| 85 | www.wlug.org.nz CNAME hoiho.wlug.org.nz | ||
| 86 | hoiho.wlug.org.nz A 203.97.10.50 | ||
| 87 | $ host -t aaaa www.wlug.org.nz | ||
| 88 | www.wlug.org.nz CNAME hoiho.wlug.org.nz | ||
| 89 | hoiho.wlug.org.nz AAAA 2002:CB61:A32:0:0:0:0:1 | ||
| 90 | </verbatim> | ||
| 91 | |||
| 92 | !Doesn't Work: | ||
| 93 | <verbatim> | ||
| 94 | <VirtualHost wlug.org.nz:80> | ||
| 95 | ServerName www.wlug.org.nz | ||
| 96 | ServerAlias wlug.org.nz | ||
| 97 | ServerAlias www2.wlug.org.nz | ||
| 98 | ... | ||
| 99 | </verbatim> | ||
| 100 | |||
| 101 | (Apache can't resolve wlug.org.nz to an IPv6 address, so this vhost won't be available via ipv6.) | ||
| 102 | |||
| 103 | !Does work: | ||
| 104 | |||
| 105 | <verbatim> | ||
| 106 | <VirtualHost www.wlug.org.nz:80> | ||
| 107 | ServerName www.wlug.org.nz | ||
| 108 | ServerAlias wlug.org.nz | ||
| 109 | ServerAlias www2.wlug.org.nz | ||
| 110 | ... | ||
| 111 | </verbatim> | ||
| 21 | JohnMcPherson | 112 | |
| 113 | |||
| 114 | !!! Rotating your logs | ||
| 115 | |||
| 116 | Want to rotate all of your separate ~VirtualHost log files without restarting [Apache]? Use a little-known tool that comes with [Apache] called rotatelogs(8). | ||
| 117 | |||
| 118 | Change your ~TransferLog lines to: | ||
| 119 | |||
| 120 | <verbatim> | ||
| 121 | TransferLog "|/path/to/rotatelogs /your/log/file.log 64800" | ||
| 122 | </verbatim> | ||
| 123 | |||
| 124 | Read the ManPage for more information, or replace with ~CronoLog which has more features. | ||
| 125 | |||
| 126 | !! Errors on log rotation | ||
| 127 | Some people encounter a problem where apache dies on logrotation. | ||
| 128 | It's not the actual rotation that's the problem, it's the "graceful | ||
| 129 | restart" that the logrotate program sends to apache. This only seems | ||
| 130 | to affect people using Debian Woody, and only with some undetermined | ||
| 131 | set of conditions. Here is our setup: | ||
| 132 | <verbatim> | ||
| 133 | ii apache 1.3.27-0.1.ipv6.r2 Versatile, high-performance HTTP server | ||
| 134 | ii apache-common 1.3.27-0.1.ipv6.r2 Support files for all Apache webservers | ||
| 135 | ii libapache-auth-ldap 1.6.0-3 LDAP authentication module for Apache | ||
| 136 | ii libapache-mod-gzip 1.3.19.1a-5 HTTP compression module for Apache | ||
| 137 | ii libapache-mod-ldap 1.4-3 Apache authentication via LDAP directory | ||
| 138 | ii libapache-mod-perl 1.27-3.ipv6.r1 Integration of perl with the Apache web server | ||
| 139 | ii libapache-mod-ruby 0.9.7-2 Embedding Ruby in the Apache web server | ||
| 140 | ii libapache-mod-ssl 2.8.9-2.4 Strong cryptography (HTTPS support) for Apache | ||
| 141 | ii libapache-reload-perl 0.07-1 Reload changed modules in a mod_perl environment | ||
| 142 | </verbatim> | ||
| 143 | We are using backports of apache 1.3, for [IPv6] support. | ||
| 22 | JohnMcPherson | 144 | Other possibly relevant info: |
| 145 | <verbatim> | ||
| 146 | ii php4 4.1.2-7.0.1 | ||
| 147 | ii php4-cgi 4.1.2-7.0.1 | ||
| 148 | ii php4-ldap 4.1.2-7.0.1 | ||
| 149 | ii php4-pgsql 4.1.2-4 | ||
| 150 | ii phppgadmin 2.4.1-2 | ||
| 151 | </verbatim> | ||
| 152 | Also using a 2.6 series Linux Kernel. | ||
| 21 | JohnMcPherson | 153 | |
| 154 | When it happens, the following is in /var/log/apache/error.log: | ||
| 155 | <verbatim> | ||
| 156 | [Wed Feb 23 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart | ||
| 157 | accept_mutex_on: Identifier removed | ||
| 158 | [Wed Feb 23 06:26:03 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.1.2 mod_ssl/2.8.9 OpenSSL/0.9.6c mod_perl/1.27 configured | ||
| 159 | -- resuming normal operations | ||
| 160 | [Wed Feb 23 06:26:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec) | ||
| 161 | [Wed Feb 23 06:26:03 2005] [notice] Accept mutex: sysvsem (Default: sysvsem) | ||
| 162 | [Wed Feb 23 06:26:03 2005] [alert] Child 6894 returned a Fatal error... | ||
| 163 | Apache is exiting! | ||
| 164 | </verbatim> | ||
| 165 | |||
| 166 | Each time that the reload fails, there is a message about __accept_mutex_on__ or __accept_mutex_off: Invalid argument__ in the | ||
| 167 | error.log file that isn't present when the reload succeeds. | ||
| 168 | |||
| 169 | Also note the logrotate runs the 'postrotate' section (in apache's case, the reload) every day, even if it only rotates the log files every week. | ||
| 170 | |||
| 171 | Suggested workarounds include: | ||
| 172 | * replacing '/etc/init.d/apache reload' in /etc/logrotate.d/apache with '/etc/init.d/apache restart', although that will result in your server being inaccessible for at least several seconds. | ||
| 173 | * using cronolog or something else, and remove apache from the logrotate system. | ||
| 174 | * use the 'HUP' signal instead of the 'USR1' signal. (See http://httpd.apache.org/docs/stopping.html). | ||
| 19 | JohnMcPherson | 175 | |
| 24 | PerryLorier | 176 | |
| 177 | !!!Apache-ssl with ~AuthUserFile complains "User not found" | ||
| 178 | * This can occur if you have: | ||
| 179 | <pre> | ||
| 180 | ~LoadModule auth_module /usr/lib/apache/1.3/mod_auth_ssl.so | ||
| 181 | ''...'' | ||
| 182 | ~LoadModule apache_ssl_module /usr/lib/apache/1.3/libssl.so | ||
| 183 | </pre> | ||
| 184 | The solution is to swap the order so that apache_ssl_module comes first. (obscure!) | ||
| 27 | LockwoodChilds | 185 | * Another possible cause is that SSLFakeBasicAuth option has been enabled when trying to use the standard basic auth i.e. "AuthType Basic" (this seems to have hit a number of debian users after the upgrade to sarge) |
| 186 | The solution is to turn off SSLFakeBasicAuth. | ||
| 28 | JamieCurtis | 187 | |
| 188 | !!!Getting Apache2 + mod_auth_ldap + ldap over SSL/TLS working | ||
| 189 | |||
| 190 | * You should only do this if you have already got your webserver running through SSL/TLS, otherwise your LDAP details will go between the client and server in plaintext ! | ||
| 191 | * Make sure you have mod_ldap and mod_auth_ldap enabled (under debian use a2enmod) | ||
| 192 | * You need to add the following two lines to your main apache2.conf to enable SSL: | ||
| 193 | <verbatim> | ||
| 194 | LDAPTrustedCA <CA CERT FILE> | ||
| 195 | LDAPTrustedCAType BASE64_FILE | ||
| 196 | </verbatim> | ||
| 197 | This assumes that you have a CA cert that has signed your LDAP servers key. The documentation suggests that if mod_ldap is compiled against openldap, you may not require this to be the case, but you __must__ add some sort of CA cert to make mod_ldap enable SSL. BASE64_FILE indicates that the CA file is in the (default for openssl) PEM format. | ||
| 198 | * Check that your main apache2 error log lists something like the following when it starts up: | ||
| 199 | <verbatim> | ||
| 200 | [notice] LDAP: Built with OpenLDAP LDAP SDK | ||
| 201 | [notice] LDAP: SSL support available | ||
| 202 | </verbatim> | ||
| 203 | * Add your authentication configuration to your Location, Directory or .htaccess files | ||
| 204 | <verbatim> | ||
| 205 | <Location /path/to/auth/stuff> | ||
| 206 | AuthType Basic | ||
| 207 | AuthName "MyAuthArea" | ||
| 208 | AuthLDAPURL "ldaps://<HOST>/ou=People,<BASEDN>?uid" | ||
| 209 | Require valid-user | ||
| 210 | </Location> | ||
| 211 | </verbatim> | ||
| 19 | JohnMcPherson | 212 | |
| 17 | DanielLawson | 213 | |
| 18 | AristotlePagaltzis | 214 | !!! See also |
| 17 | DanielLawson | 215 | |
| 216 | * NameVirtualHosting | ||
| 217 | * ModBackhand | ||
| 23 | DanielLawson | 218 | * ApacheReverseProxy |
| 25 | JohnMcPherson | 219 | * [SargeApache2Notes] |
| 29 | CraigBox | 220 | * AwStatsNotes |
lib/blame.php:177: Warning: Invalid argument supplied for foreach() (...repeated 4 times)