ApacheNotes

You are viewing an old revision of this page.
!!! Installation

If you're going to compile and install [Apache] from source, use the [Apache Toolbox | http://www.apachetoolbox.com/].

!!! Securing [Apache]

[Apache] recently featured in a [list of security problems | http://isc.sans.org/top20.html]. They generally boil down to configuration mistakes. Points to note when installing, configuring and maintaining [Apache] include:

__[CGI] scripts__: Probably the biggest problem. Upload and [CGI] directories need to be distinct (so people can't upload "improved" [CGI] scripts: nothing [Apache] will execute may live in, or under, a directory that web users can write to) and as small as possible. Apache2 makes it easier to run different scripts or even different ~VirtualHosts as different users, rather than as the user that [Apache] is running as.

__Chroot prisons__: Running in a chroot prison limits the damage that can be done should an application be compromised. See [chroot(2)] for details. Apache2 has better support for this. A chroot is a containment measure, not a privilege boundary: a process that is still root inside the prison can get out again, so it only helps if the server has also dropped to an unprivileged user.

See also:
* [http://httpd.apache.org/docs/misc/security_tips.html]

__FireWall~ing [Apache]__: You probably should FireWall the [Apache] user from connecting out to the InterNet unless you know that it actually has to. Doing this prevents a lot of exploits that people will attempt against your WebSite: a compromised [CGI] script that tries to fetch a second stage or open a connection back to the attacker simply fails, and the attempt is logged. The same idea can be applied to other services.

<verbatim>
iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump REJECT
iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump LOG
</verbatim>

Note the order: both rules use <tt>--insert</tt>, so the LOG rule (added second) lands above the REJECT rule and every blocked attempt is logged before it is refused. <tt>--syn</tt> matches only the first packet of a new outgoing TCP connection, so replies to incoming requests are unaffected; UDP (e.g. DNS lookups made by [CGI] scripts) is not covered by these two rules. If the server legitimately has to connect out (to a database, a mail relay, a resolver on another host), insert ACCEPT rules for just those destinations above these, and give the LOG rule a <tt>--log-prefix</tt> so its entries are easy to pick out of the kernel log.

!!! Extra information in directory listings

You can have additional information displayed at the top and bottom of a <tt>mod_autoindex</tt> directory listing by putting the text in a file called <tt>HEADER</tt> and <tt>README</tt>, respectively. Either file can have any FileExtension (or none). To enable this feature, you will need <tt>~MultiViews on</tt> to be in effect for that request. Remember that a directory listing shows every file name in the directory, so only leave <tt>Indexes</tt> enabled for directories that are meant to be browsed.

!!! Apache and [IPv6]

Tell apache to listen on "::", which is the IPv6 equivalent of 0.0.0.0 (every address on the host), on whatever port.
Eg, in httpd.conf:

<verbatim>
Listen :::80
BindAddress ::
</verbatim>

(That is the syntax of the IPv6-patched [Apache] 1.3 used here. In Apache 2.x the address is written in brackets, <tt>Listen [::]:80</tt>, and ~BindAddress no longer exists. On Linux a socket bound to "::" normally accepts IPv4 connections as well, as IPv4-mapped addresses, so a second <tt>Listen 0.0.0.0:80</tt> on the same port usually fails with "address already in use".)

If you want a ~VirtualHost available on both IPv4 and IPv6, then give it a name that resolves to both a v4 and a v6 address. It won't work if you use a name that doesn't have a v6 address and then try to fix it up with ~ServerName or ~ServerAlias: [Apache] resolves the address on the ~VirtualHost line once at startup and binds the vhost only to the addresses it gets back; ~ServerName and ~ServerAlias are only compared against the Host: header after that. Eg:

<verbatim>
$ host wlug.org.nz
wlug.org.nz             A       203.97.10.50
$ host -t aaaa wlug.org.nz
wlug.org.nz AAAA record currently not present
$ host -t a www.wlug.org.nz
www.wlug.org.nz         CNAME   hoiho.wlug.org.nz
hoiho.wlug.org.nz       A       203.97.10.50
$ host -t aaaa www.wlug.org.nz
www.wlug.org.nz         CNAME   hoiho.wlug.org.nz
hoiho.wlug.org.nz       AAAA    2002:CB61:A32:0:0:0:0:1
</verbatim>

!Doesn't Work:

<verbatim>
<VirtualHost wlug.org.nz:80>
    ServerName www.wlug.org.nz
    ServerAlias wlug.org.nz
    ServerAlias www2.wlug.org.nz
    ...
</verbatim>

(Apache can't resolve wlug.org.nz to an IPv6 address, so this vhost won't be available via IPv6.)

!Does work:

<verbatim>
<VirtualHost www.wlug.org.nz:80>
    ServerName www.wlug.org.nz
    ServerAlias wlug.org.nz
    ServerAlias www2.wlug.org.nz
    ...
</verbatim>

The [Apache] documentation recommends IP addresses rather than hostnames on the ~VirtualHost line for exactly this reason: a name that changes, or that fails to resolve when httpd starts, silently changes what the vhost is bound to.

!!! Rotating your logs

Want to rotate all of your separate ~VirtualHost log files without restarting [Apache]? Use a little-known tool that comes with [Apache] called rotatelogs(8). Change your ~TransferLog lines to:

<verbatim>
TransferLog "|/path/to/rotatelogs /your/log/file.log 64800"
</verbatim>

The number is the rotation interval in seconds (64800 is 18 hours; use 86400 for daily rotation). Read the ManPage for more information, or replace it with ~CronoLog which has more features. Piped log programs are started by the parent httpd, i.e. as root, so the logger binary and the log directory must not be writable by the [Apache] user: anyone who can replace the binary runs code as root on the next restart.

!! Errors on log rotation

Some people encounter a problem where apache dies on log rotation. It's not the actual rotation that's the problem, it's the "graceful restart" that the logrotate program sends to apache. This only seems to affect people using Debian Woody, and only under some undetermined set of conditions.
Here is our setup:

<verbatim>
ii  apache                 1.3.27-0.1.ipv6.r2  Versatile, high-performance HTTP server
ii  apache-common          1.3.27-0.1.ipv6.r2  Support files for all Apache webservers
ii  libapache-auth-ldap    1.6.0-3             LDAP authentication module for Apache
ii  libapache-mod-gzip     1.3.19.1a-5         HTTP compression module for Apache
ii  libapache-mod-ldap     1.4-3               Apache authentication via LDAP directory
ii  libapache-mod-perl     1.27-3.ipv6.r1      Integration of perl with the Apache web server
ii  libapache-mod-ruby     0.9.7-2             Embedding Ruby in the Apache web server
ii  libapache-mod-ssl      2.8.9-2.4           Strong cryptography (HTTPS support) for Apache
ii  libapache-reload-perl  0.07-1              Reload changed modules in a mod_perl environment
</verbatim>

We are using backports of apache 1.3, for [IPv6] support. When it happens, the following is in /var/log/apache/error.log:

<verbatim>
[Wed Feb 23 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart
accept_mutex_on: Identifier removed
[Wed Feb 23 06:26:03 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.1.2 mod_ssl/2.8.9 OpenSSL/0.9.6c mod_perl/1.27 configured -- resuming normal operations
[Wed Feb 23 06:26:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Wed Feb 23 06:26:03 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed Feb 23 06:26:03 2005] [alert] Child 6894 returned a Fatal error... Apache is exiting!
</verbatim>

Each time that the reload fails, there is a message about __accept_mutex_on__ or __accept_mutex_off: Invalid argument__ in the error.log file that isn't present when the reload succeeds. Also note that logrotate runs the 'postrotate' section (in apache's case, the reload) every day, even if it only rotates the log files every week. Suggested workarounds include:

* replacing '/etc/init.d/apache reload' in /etc/logrotate.d/apache with '/etc/init.d/apache restart', although that will result in your server being inaccessible for at least several seconds.
* using cronolog or something else, and removing apache from the logrotate system.
* using the 'HUP' signal instead of the 'USR1' signal (see http://httpd.apache.org/docs/stopping.html). HUP is a full restart rather than a graceful one: the children are killed immediately, so any requests in progress are aborted.

!!! See also

* NameVirtualHosting
* ModBackhand
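For the log rotation problem above, an added example (not from the original page) of a small Python checker that reads error.log and reports, for each graceful restart, whether the accept_mutex complaint and the fatal exit followed it. The Feb 22 lines in the sample are constructed to show a reload that succeeded; the Feb 23 lines are the ones quoted above. Run from cron shortly after logrotate, it tells you whether the reload silently killed the server.

```python
import re

# error.log excerpt. The Feb 22 lines are constructed to show a reload that
# succeeded; the Feb 23 lines are the ones quoted on this page.
ERROR_LOG = """\
[Tue Feb 22 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart
[Tue Feb 22 06:26:02 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.1.2 mod_ssl/2.8.9 OpenSSL/0.9.6c mod_perl/1.27 configured -- resuming normal operations
[Tue Feb 22 06:26:02 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Tue Feb 22 06:26:02 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed Feb 23 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart
accept_mutex_on: Identifier removed
[Wed Feb 23 06:26:03 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.1.2 mod_ssl/2.8.9 OpenSSL/0.9.6c mod_perl/1.27 configured -- resuming normal operations
[Wed Feb 23 06:26:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Wed Feb 23 06:26:03 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed Feb 23 06:26:03 2005] [alert] Child 6894 returned a Fatal error... Apache is exiting!
"""

# Apache 1.3 error.log line: "[timestamp] [level] message"
STAMPED_RE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] (.*)$")
# The mutex complaint is written by perror(), so it carries no timestamp.
MUTEX_RE = re.compile(r"accept_mutex_(?:on|off): (.*)")


def analyse_restarts(log_text):
    """One record per graceful restart (SIGUSR1), noting whether the
    accept_mutex complaint and the fatal exit followed it before the next
    restart. Lines are matched on content, so the unstamped mutex line is
    attributed to the restart that precedes it."""
    restarts = []
    current = None
    for line in log_text.splitlines():
        m = STAMPED_RE.match(line)
        if m and "SIGUSR1 received" in m.group(3):
            current = {"time": m.group(1), "mutex_error": None, "fatal": False}
            restarts.append(current)
            continue
        if current is None:
            continue                      # noise before the first restart
        mm = MUTEX_RE.search(line)
        if mm:
            current["mutex_error"] = mm.group(1).strip()
        if "Apache is exiting" in line:
            current["fatal"] = True
    return restarts


def failed_restarts(log_text):
    """Restarts after which the server died; a non-empty result from a cron
    job run after logrotate means httpd needs to be started again."""
    return [r for r in analyse_restarts(log_text) if r["fatal"]]


if __name__ == "__main__":
    for r in failed_restarts(ERROR_LOG):
        print("reload at %s killed apache (%s)" % (r["time"], r["mutex_error"]))
```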
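For the IPv6 ~VirtualHost section above, an added example (not the page's or Apache's own code) in Python: it parses VirtualHost blocks, works out which address families each block will be bound to, and flags ServerName/ServerAlias names that have an AAAA record the vhost cannot serve. The DNS table is a fixed copy of the host output above (www2.wlug.org.nz is assumed to have no records at all); the resolve() function, and the treatment of * and _default_ as covering every listening address, are assumptions, and a real run would call socket.getaddrinfo instead.

```python
import re

# Constructed DNS table mirroring the `host` output on this page (assumption:
# www2.wlug.org.nz has no records). A real run would replace resolve() with a
# wrapper around socket.getaddrinfo.
DNS = {
    "wlug.org.nz":       {"A": ["203.97.10.50"], "AAAA": []},
    "www.wlug.org.nz":   {"A": ["203.97.10.50"], "AAAA": ["2002:cb61:a32::1"]},
    "hoiho.wlug.org.nz": {"A": ["203.97.10.50"], "AAAA": ["2002:cb61:a32::1"]},
}


def resolve(name, rtype):
    """Hypothetical resolver over the fixed table above."""
    return DNS.get(name, {}).get(rtype, [])


IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
BLOCK_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)(?:</VirtualHost>|$)", re.I | re.S)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.I | re.M)


def address_families(spec, resolve=resolve):
    """Address families a single VirtualHost address spec ends up bound to.
    Apache resolves a hostname once at startup and uses only what comes back;
    '*' and '_default_' are taken (assumption) to cover every address httpd
    listens on, and a bracketed literal is an IPv6 address (Apache 2 syntax)."""
    host = spec.split("]")[0] + "]" if spec.startswith("[") else spec.rsplit(":", 1)[0]
    if host in ("*", "_default_"):
        return {"IPv4", "IPv6"}
    if host.startswith("["):
        return {"IPv6"}
    if IPV4_RE.fullmatch(host):
        return {"IPv4"}
    families = set()
    if resolve(host, "A"):
        families.add("IPv4")
    if resolve(host, "AAAA"):
        families.add("IPv6")
    return families


def check_vhosts(conf, resolve=resolve):
    """For each VirtualHost block: the families it is bound to, the names it
    claims, and the names clients will reach over IPv6 (they have an AAAA
    record) that this block cannot serve because it is not bound to IPv6."""
    report = []
    for block in BLOCK_RE.finditer(conf):
        specs = block.group(1).split()
        bound = set()
        for spec in specs:
            bound |= address_families(spec, resolve)
        names = []
        for value in NAME_RE.findall(block.group(2)):
            names.extend(value.split())     # ServerAlias may list several names
        gap = [n for n in names if resolve(n, "AAAA") and "IPv6" not in bound]
        report.append({"address": " ".join(specs), "bound": bound,
                       "names": names, "ipv6_gap": gap})
    return report


# The two configurations from the page, as constructed input.
DOESNT_WORK = """\
<VirtualHost wlug.org.nz:80>
    ServerName www.wlug.org.nz
    ServerAlias wlug.org.nz
    ServerAlias www2.wlug.org.nz
</VirtualHost>
"""
DOES_WORK = DOESNT_WORK.replace("<VirtualHost wlug.org.nz:80>",
                                "<VirtualHost www.wlug.org.nz:80>")

if __name__ == "__main__":
    for conf in (DOESNT_WORK, DOES_WORK):
        for vh in check_vhosts(conf):
            print(vh["address"], sorted(vh["bound"]), "IPv6 gap:", vh["ipv6_gap"])
```

The "doesn't work" block comes back bound to IPv4 only with www.wlug.org.nz listed as an IPv6 gap; the "does work" block is bound to both families and has no gap.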
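For the firewall rules in the Securing section, an added example (not from the original page): Python that digests the kernel log lines the LOG rule writes, so that a burst of blocked outbound connections from www-data stands out. It assumes the LOG rule was given --log-prefix "APACHE-EGRESS: " and --log-uid (neither is in the rule above; --log-uid makes the target append UID= and GID= of the sending process). The sample kern.log lines are constructed.

```python
import re
from collections import Counter

# Constructed kern.log excerpt (not from the original page). Assumes the LOG rule
# above was given --log-prefix "APACHE-EGRESS: " and --log-uid, so each entry
# carries a prefix and the UID of the process that sent the SYN.
SAMPLE_KERN_LOG = """\
Feb 23 06:31:10 hoiho kernel: APACHE-EGRESS: IN= OUT=eth0 SRC=203.97.10.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=40231 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
Feb 23 06:31:11 hoiho kernel: APACHE-EGRESS: IN= OUT=eth0 SRC=203.97.10.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=40232 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
Feb 23 06:35:02 hoiho kernel: APACHE-EGRESS: IN= OUT=eth0 SRC=203.97.10.50 DST=192.0.2.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4301 DF PROTO=TCP SPT=40300 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
Feb 23 06:35:05 hoiho kernel: martian source 10.0.0.1 from 10.0.0.2, on dev eth0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_egress_events(text, prefix="APACHE-EGRESS: "):
    """One dict per log line carrying `prefix`, keyed by the KEY=VALUE fields the
    netfilter LOG target writes (SRC, DST, PROTO, DPT, UID, ...). Bare flags such
    as DF or SYN have no '=' and are skipped; unrelated kernel lines are ignored."""
    events = []
    for line in text.splitlines():
        if prefix not in line:
            continue
        fields = dict(FIELD_RE.findall(line.split(prefix, 1)[1]))
        fields["TIME"] = line[:15]          # syslog timestamp "Mon DD HH:MM:SS"
        events.append(fields)
    return events


def summarize_destinations(events):
    """Attempts per (destination, protocol, port)."""
    return Counter((e.get("DST"), e.get("PROTO"), e.get("DPT")) for e in events)


def suspicious(events, uid="33", threshold=2):
    """Destinations that `uid` (33 is www-data on Debian) tried at least
    `threshold` times: repeated SYNs to one host and port is what a compromised
    CGI script retrying its connection home looks like."""
    counts = summarize_destinations(e for e in events if e.get("UID") == uid)
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for key in suspicious(parse_egress_events(SAMPLE_KERN_LOG)):
        print("blocked egress from www-data to %s/%s port %s" % key)
```

Anything this reports is either a missing ACCEPT rule for a backend the site really uses, or a script on the server trying to talk to a host it has no business contacting; either way it is worth looking at the CGI that was running at that time.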