Showing posts with label Apache.

Thursday, September 26, 2013

Some tips on setting up for Apache 2.2

Here are some of the things I used to set up and harden my Apache, with both performance and security in mind.
This serves as a brain dump; hopefully it helps you.

Set ServerTokens from the default "Full" to "Prod" so that the amount of information Apache reveals about itself is reduced.

Leave ServerSignature at its default "Off" so that the version and patch level are not shown on server-generated pages.

Leave KeepAlive at its default "On" so that long-lived HTTP sessions are allowed and multiple requests can be sent over the same TCP connection.

Set AllowOverride from the default "All" to "None" to prevent users from creating .htaccess files, which can override the security settings of the main configuration.

Comment out ScriptAlias to disable the use of cgi-bin. If CGI is required, use "Directory", "SetHandler" and "Options" instead.

Place "%D" (time taken to serve the request, in microseconds) in the LogFormat. It is helpful when troubleshooting.

I only recommend compiling mod_ssl statically into the Apache core. This is mostly for performance, since nowadays we rely more on HTTPS services.

For at least minimum control over Apache, enable the following modules: "mod_authz_host" for access control, "mod_dir" for directory control and "mod_rewrite" for filtering rogue web entities.

Restrict the addresses and ports Apache listens on to provide its services, e.g. with the Listen directive.

Use a group or distribution email address for "ServerAdmin".

Set a timeout ("Timeout") after which the server fails a request it has been waiting on for that many seconds. The default is 300.

Limit the number of requests allowed per connection ("MaxKeepAliveRequests") when KeepAlive is on. The default is 100.

Limit the time the server will wait for a subsequent request on a kept-alive connection ("KeepAliveTimeout") before terminating the connection. The default is 15 seconds. This one affects how much resource Apache will hoard.

Enable "mod_deflate" for better throughput, especially in high-volume web services.




# Range is 1 (least compression) to 9 (most compression)
DeflateCompressionLevel 6

# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# Only compress for IE 7, 8 or 9 as there are bugs
# compressing for IE 6 and older (the UA string reads "MSIE 7.0",
# so whitespace must be allowed between MSIE and the version)
BrowserMatch \bMSIE\s(7|8|9) !no-gzip !gzip-only-text/html

# Don't compress images and pdf
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf)$ no-gzip dont-vary

# Make sure proxies don't deliver the wrong content (needs mod_headers)
Header append Vary User-Agent env=!dont-vary



To enable compression for outgoing traffic within a "vhost" or "location" block:

SetOutputFilter DEFLATE

Set TraceEnable to "off".

Configure SSLCipherSuite to use only the better ciphers, e.g. SSLCipherSuite ALL:!ADH:!SSLv2:!EXPORT56:!EXPORT40:!RC4:!DES:+HIGH

Also set SSLProtocol all -SSLv2 to disable SSL version 2.

Remove the contents of cgi-bin, htdocs, icons, extra and original if not required.

If you want to hide and mask Apache's identity further, update ap_release.h with the following:

#define AP_SERVER_BASEVENDOR "Restricted Server"
#define AP_SERVER_BASEPRODUCT "Secure Web Server"

Remove the welcome page if it exists.
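As an added example (not part of the post), here is a small Python audit that reads an httpd.conf fragment and reports where it departs from the tips above: ServerTokens, ServerSignature, TraceEnable, AllowOverride, ScriptAlias, %D in LogFormat, SSLProtocol and positively enabled cipher-suite keywords. The two configuration fragments inside it are constructed for the example, and the parser is deliberately simple (one directive per line, section tags skipped); it is not Apache's own configuration parser.

```python
import re

# Constructed httpd.conf fragment (not from the post) carrying the settings the tips above say to change.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
KeepAlive On
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
<Directory "/usr/local/apache2/htdocs">
    AllowOverride All
</Directory>
LogFormat "%h %l %u %t \\"%r\\" %>s %b" common
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""

# The same fragment with the post's recommended values applied (also constructed).
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable off
KeepAlive On
# ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
<Directory "/usr/local/apache2/htdocs">
    AllowOverride None
</Directory>
LogFormat "%h %l %u %t \\"%r\\" %>s %b %D" timed
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!SSLv2:!EXPORT56:!EXPORT40:!RC4:!DES:+HIGH
"""

DIRECTIVE = re.compile(r"^([A-Za-z]+)\s+(.*?)\s*$")
# Cipher-string words that, when enabled rather than excluded, bring back what the post rules out.
WEAK_CIPHER_WORDS = {"SSLV2", "EXP", "EXPORT", "LOW", "RC4", "DES", "ADH", "ANULL", "NULL"}


def parse_directives(conf):
    """Return (name_lower, value) per directive line; comments and <Section> lines are skipped."""
    found = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        m = DIRECTIVE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def audit(conf):
    """Return [(directive, advice)] for every setting that departs from the tips above."""
    seen = parse_directives(conf)

    def values(name):
        return [v for n, v in seen if n == name]

    findings = []
    if not any(v.lower() == "prod" for v in values("servertokens")[-1:]):
        findings.append(("ServerTokens", "set to Prod; the default Full reveals version, OS and modules"))
    if any(v.lower() == "on" for v in values("serversignature")):
        findings.append(("ServerSignature", "set to Off to hide the version and patch level"))
    if not any(v.lower() == "off" for v in values("traceenable")[-1:]):
        findings.append(("TraceEnable", "set to off; the default leaves the TRACE method enabled"))
    for v in values("allowoverride"):
        if v.lower() != "none":
            findings.append(("AllowOverride", f"'{v}' lets .htaccess override security settings; use None"))
    if values("scriptalias"):
        findings.append(("ScriptAlias", "comment out unless cgi-bin is really required"))
    if values("logformat") and not any("%D" in v for v in values("logformat")):
        findings.append(("LogFormat", "add %D (time to serve, in microseconds) for troubleshooting"))
    for v in values("sslprotocol"):
        words = v.lower().split()
        if "-sslv2" not in words and ("all" in words or "sslv2" in words):
            findings.append(("SSLProtocol", "SSLv2 is still enabled; use 'all -SSLv2'"))
    for v in values("sslciphersuite"):
        for token in v.split(":"):
            if token.startswith("!"):
                continue  # an exclusion, which is what we want to see
            for word in token.lstrip("+").split("+"):  # "RC4+RSA" is an AND of two words
                if word.upper() in WEAK_CIPHER_WORDS:
                    findings.append(("SSLCipherSuite", f"'{word}' enables weak ciphers; exclude it with !{word}"))
    return findings


if __name__ == "__main__":
    for directive, advice in audit(WEAK_CONF):
        print(f"{directive}: {advice}")
```

Run it against a real httpd.conf by reading the file into audit(); directives set inside <VirtualHost> or <Directory> blocks are still seen, because only the tag lines themselves are skipped.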

Thursday, August 01, 2013

Blocking Rogue Scanners in Apache

Background

Exploring the use of mod_rewrite in Apache to block vulnerability scanners, script kiddies, exploit scanners and other black hats. I was wondering if the following is enough; I hope someone with experience in this can give some comments. :)

The Code



#
# Hardened Apache mod_rewrite security rules
#
RewriteEngine on

#
# Known web vulnerability scanners
#
RewriteCond %{HTTP_USER_AGENT} ^.*(syhunt|sqlmap|WhatWeb|Netsparker|w3af|Nstalker|acunetix|qualys|nikto|wikto|pikto|pykto).* [NC]
RewriteRule .* - [F]


#
# Random underground web exploit scanners
#
RewriteCond %{HTTP_USER_AGENT} ^.*(04\/XP|2search|3653Client|ActMon|adfsgecoiwnf|adlib|AdTools|Agentcc|AHTTPConnection|al|Aldi|Alerter|API\sGuide\stest\sprogram|Arrow\sSearch|asd|AskInstallChecker|Async\sHTTP\sAgent|Atomic\_Email\_Hunter|AutoHotkey|AutoIt|Avzhan\sDDoS\sBot|BGroom|Binget\sPHP\sLibrary|BlackSun\sBOT\/0\.1|Brontok|Browser\sPal|Brutus\sAET|BysooTB|Casino|changhuatong|CholTBAgent|cibabam|ClickAdsByIE|CodeguruBrowser|core\-project|CPUSH\_HOMEPAGE|CPUSH\_UPDATER|ctwopop|darkness|DataCha0s|Delphi|DigExt|DMFR|Downloader1|DriveCleaner\sUpdater|Duckling|dwplayer|eAnthMngr|ed2k\sedonkey2000\sruntime\sdetection|EI|EmailSiphon|ErrCode|ErrorFix|ewBrandTest|EzReward|Feat2\sUpdater|Flag|Flame|Flipopia|FPRecover|FPUpdater|FSD|FSW|GabPath|gbot|Godzilla|Google\sbot|GPInstaller|GPRecover|GPUpdater|Hardcore\sSoftware|http\sprotocol|HTTP\sWininet|HTTPCSDCENTER|iamx|iebar|IEP|IEToolbar|iexp\-get|iMeshBar|INet\s\-\sWin32\.Virus\.Jusabli\.A|InfoBot|Install\sStub|Installer|IST|istsvc|javasw\s\-\sTrojan\.Banload|Known\sSkunkx\sDDOS\sBot|Lizard|Lotto|MacProtector|Macrovision\_DM\_2\.4\.15|malware|MBVDFRESCT|mdms|me0hoi|meterpreter|MGS\-Internal\-Web\-Manager|Mirar\_KeywordContentHijacker|Morfeus|Morfeus\sScanner|Moxilla|Mozilla\/\/4\.0|Mozzila|MSDN\sSurfBear|msndown|Museon|My\sAgent|MyApp|MyBrowser|MyLove|MYURL|MyWay|MyWebSearchSearchAssistance|Navhelper|Need2Find|NOKIAN95\/WEB|NSIS\_DOWNLOAD|NSIS\_Inetc|NSIS\_INETLOAD|NSISDL|OCInstaller|OCRecover|Oncues|Opera\/8\.89\s\-\sP2P\-Worm\.Win32\.Palevo\.ddm|Opera\/9\.80\sPesto\/2\.2\.15|OSSProxy|Our\_Agent|Pass|Pcast\sLive|PcPcUpdater|pcsafe|PinballCorp\-BSAI\/VER\_STR\_COMMA|PoisonIvy\sRAT|poller|Popup\sStopper|PrivacyInfoUpdate|ProxyDown|psi|PyCurl|qixi|QvodDown|RAbcLib|random|RAV1|RCleanT|REKOM|Remote\s\-\sWin32\/Babmote\.A|Revolution\sWin32|RookIE|SAcc|SAH\sAgent|ScrapeBox|Se2011|Search\sToolbar|SelectRebates|Setup\sFactory|sgrunt|Shareaza|shprrprt\-cs\-|SimpleClient|smrtshpr\-cs|snprtzdialno|spam\_bot|SpamBlockerUtility|Spedia|SpeedRunner|SpyDawn|Spy\-Locked|SpywareStrike|SQTR\_VERIFY|STORMDDOS\s\-\sBackdoor\.Win32\.Inject\.ctt|String\s\(AskPartnerCobranding\)|Strip\-Player|Stubby|StubInstaller|SysCleaner|TCYWinHTTPDownload|Tear\sApplication|TeomaBar|test\_hInternet|Tiny|TM\_SEARCH3|Travel\sUpdate|Trololo|URLBlaze|UtilMind\sHTTPGet|vaccinepc|VB\sWININET|VCTestClient|VERTEXNET|Viper|VMozilla|vyre32|W32\/Fujacks\.htm|WakeSpace|wget\s3\.0|WHCC\/|Win32|Win32\sAmti|Win32\/Ferabsa\.A|WinFix\sMaster|WMUpdate|WSEnrichment|YZF|Zango|Installer|ZC\-Bridge|zeroup|ZmEu|ZOMBIES\_HTTP\_GET).* [NC]
RewriteRule .* - [F]

#
# Denial-of-service tools and harvesters
# (the two conditions are chained with [OR]; without it Apache ANDs
# consecutive RewriteConds and a user agent would have to match both lists)
#
RewriteCond %{HTTP_USER_AGENT} ^.*(ApacheBench).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(WWW\-Mechanize|revolt|Crawl|Mail\.Ru|Walker|sbide|findlinks|spide|Ace\sExplorer|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC]
RewriteRule .* - [F]

RewriteLogLevel 2
RewriteLog logs/rewrite.log

More Questions

What if the scanners change their user-agent strings? Should I change the way I block these scanners instead, e.g. by the access string?

I get 403s in the access log files, but inside rewrite.log it just says which rule was invoked and doesn't record the user-agent string that was detected. Is there a way to increase verbosity without going too high in RewriteLogLevel?
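The rewrite.log only records which rule fired, but the combined LogFormat writes the User-Agent for every request, so the 403s can be matched back to the string that triggered them. As an added example (not from the post), the Python below applies the same kind of user-agent rules to constructed combined-format access log lines and reports, per blocked client, which rule and which token matched. Each rule is tested on its own, so a user agent only needs to hit one of them. The first rule list is the post's scanner list; the other two are short, constructed stand-ins for its longer lists, and the log lines are constructed rather than real traffic.

```python
import re

# Rule list mirroring the post's RewriteCond blocks. The first pattern is the post's scanner list verbatim;
# the other two are short, constructed stand-ins for its longer lists. Case-insensitive, like [NC].
RULES = [
    ("vuln-scanner", re.compile(r"syhunt|sqlmap|WhatWeb|Netsparker|w3af|Nstalker|acunetix|qualys|nikto|wikto|pikto|pykto", re.I)),
    ("dos-tool", re.compile(r"ApacheBench", re.I)),
    ("harvester", re.compile(r"WWW-Mechanize|HTTrack|EmailSiphon|harvest|extract|grab", re.I)),
]

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed access_log lines (not real traffic); the 403s are what the rewrite rules above return.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2013:10:15:02 +0800] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0"
10.0.0.9 - - [01/Aug/2013:10:16:11 +0800] "GET /index.php?id=1 HTTP/1.1" 403 202 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [01/Aug/2013:10:16:12 +0800] "GET /cgi-bin/ HTTP/1.1" 403 202 "-" "Mozilla/5.00 (Nikto/2.1.5)"
10.0.0.12 - - [01/Aug/2013:10:20:00 +0800] "GET / HTTP/1.0" 403 202 "-" "ApacheBench/2.3"
10.0.0.20 - - [01/Aug/2013:10:21:40 +0800] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"
"""


def classify_ua(ua):
    """Return (rule_name, matched_token) for the first rule whose pattern appears in the UA, else None."""
    for name, pattern in RULES:
        m = pattern.search(ua)
        if m:
            return name, m.group(0)
    return None


def scan_log(text):
    """One record per blocked client: which rule fired and the exact token that fired it."""
    hits = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        verdict = classify_ua(m.group("ua"))
        if verdict:
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")),
                         "rule": verdict[0], "token": verdict[1], "ua": m.group("ua")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["rule"]} ({hit["token"]}): {hit["ua"]}')
```

Reporting the token as well as the rule matters with lists as long as the post's second block: very short tokens such as "al" or "Win32" can match ordinary browsers, and this output shows which token is responsible for a questionable 403.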

Friday, June 07, 2013

Apache on Windows can't start because of an SSLSessionCache error

Received a call that a new setup of Apache could not start, no matter how she tweaked the configuration.

She is on MS Windows Server 64-bit, Apache 2.2.24 64-bit, etc., etc.

Event log:

Another event log that points to the exact problem.

As I administer a large set of servers of different flavours, I first compared the UNIX httpd.conf with this Windows one, and noticed the chunk "(x86)" in the Windows configuration file.

Microsoft uses this "(x86)" string in paths to differentiate between 64-bit and 32-bit programs, and Apache is unable to interpret it.

In the UNIX world we can usually use escaping to work around this, but I'm not sure it works in the Windows world, as switching to the 8.3 format using ~1 or ~2 does not work 100% of the time.

In the end, I just advised her to point the path at another location that does not contain any parentheses. Apache then worked like a charm.

Job done!

Wednesday, August 01, 2012

Enabling Host based SSL vhost using SNI in Apache 2.2

Multiple virtual hosts on the same IP

It is not unusual to host multiple websites on the same IP address over HTTP (port 80). In fact, it is very easy to build a family of websites under *.your_web_site.com, for instance

- product1.mycompany.com
- product2.mycompany.com
- product3.mycompany.com
- product4.mycompany.com

and so on and so forth.

The problem

It is when the system needs to move to HTTPS (port 443) that the problem arises. Upon migrating all the configuration to ssl.conf in Apache, you may hit the following:

[Mon Jul 30 18:18:43 2012] [warn] Init: SSL server IP/port conflict: product2.mycompany.com:443 (/usr/local/apache2.2.22/conf/second_vhost.conf:1) vs. product1.mycompany.com:443 (/usr/local/apache2.2.22/conf/first_vhost.conf:1)
[Mon Jul 30 18:18:43 2012] [warn] Init: SSL server IP/port conflict: product3.mycompany.com:443 (/usr/local/apache2.2.22/conf/third_vhost.conf:1) vs. product1.mycompany.com:443 (/usr/local/apache2.2.22/conf/first_vhost.conf:1)
[Mon Jul 30 18:18:43 2012] [warn] Init: SSL server IP/port conflict: product4.mycompany.com:443 

and

[Mon Jul 30 18:18:43 2012] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!

The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol.

As the SSL session is a separate transaction that takes place before the HTTP session begins, the browser or client has no way to tell the server which SSL vhost it wants to access. Only the IP address and port are known at this stage, and Apache will just return the first vhost it finds which matches that port and IP address.

Workaround?

The usual advice is to use a separate IP for each SSL vhost, but this is merely a workaround. In addition, with public IPv4 addresses becoming scarce, soon we will run out of them.

Solution

With Apache 2.2.12 and newer PLUS OpenSSL 0.9.8j, it is possible to do on HTTPS what we have done on HTTP.

We will need SNI (Server Name Indication). This allows you to host multiple SSL websites on the same IP address; it effectively provides host headers for SSL.

Not much information (many questions, but not many answers with a good explanation) can be found on the internet on getting SNI support, hence the steps below to help folks out.

Background

The procedure was done on RHEL 4.6 64-bit. I believe this should work for the other *NIX variants. We will do the following:
  • Upgrade OpenSSL to v0.9.8x
  • Upgrade Apache to 2.2.22 with SNI support.

Upgrade OpenSSL with SNI support

Unpack openssl-0.9.8x.tar.gz, then run the following:

# ./config enable-tlsext shared
# make
# make install

The OpenSSL 0.9.x series uses the 'enable-tlsext' switch while the OpenSSL 1.x series uses '--enable-tlsext'.
Ensure that you use the 'shared' option, else the config will fail.

After it's done, check that OpenSSL is installed with the correct version:

[root@server bin]# /usr/local/ssl/bin/openssl version
OpenSSL 0.9.8x 10 May 2012

Install Apache with OpenSSL 0.9.8x support + SNI

Unpack httpd-2.2.22.tar.gz and then run the following:

# LDFLAGS=-L/usr/local/ssl/lib/ CPPFLAGS=-I/usr/local/ssl/include/ ./configure --with-included-apr --prefix=/usr/local/apache2222_pntest/ --enable-so --with-ssl=/usr/local/ssl/lib/ --enable-ssl=static --enable-mods-shared='all proxy rewrite'
# make
# make install

LDFLAGS adds any library path that is not on the default search path when linking the httpd binary.
CPPFLAGS adds the include paths for header files that are not on the default search path during compilation.

Configure Apache

Now that Apache is installed, configure your httpd.conf and ssl.conf.

To prevent non-SNI browsers from having issues connecting, add the below to ssl.conf:

# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off

Set up the environment

Lastly, add LD_LIBRARY_PATH to /etc/profile so that the libraries can be found.

LD_LIBRARY_PATH="/usr/local/ssl/lib/:$LD_LIBRARY_PATH"
export LD_LIBRARY_PATH

Check that Apache can now link to the new OpenSSL library:

[root@server bin]# ldd httpd | grep ssl
        libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8 (0x00002b7019d09000)
        libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8 (0x00002b7019f58000)

If the environment is not set up properly, ldd will report the library as "missing". You may also need to re-apply your profile, either by logging out and in again or with ". /etc/profile".


Result

With SNI support, you should see only the following line in the error log:

[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

Client support

SNI support in browsers is as follows:
  • FF 2.0 and newer
  • IE7 + Vista and newer
  • Chrome + Vista
  • Opera 8
  • Safari 8.2.1

My reference: <http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI>

~Done.

Saturday, June 30, 2012

Installing IBM WebSphere Application Server (WAS) 6 Plugin on Apache 2.2.22

I learnt that the plugin setup for WAS is different from setting it up in a BEA WebLogic environment.

The WAS plugin requires an installation, while for BEA WebLogic we just need to drop in the plugin. Here are the steps to get WAS running.

Installing the plugin on the web server

Download the installation file from IBM, i.e. "Tiv_Middl_Inst_750_1of3_Linux_x86-64.tar", since I'm using Linux for my web server.

Transfer the tar file to the web server and unpack it.

I was only able to install using the supplied GUI, so be prepared to export the display.

# cd linux64/WS-WAS_ND_7.0_Supplemental
# gunzip C1G36ML.tar.gz
# tar xfp C1G36ML.tar
# cd plugin
# export BROWSER=/usr/bin/mozilla
# export DISPLAY=10.10.10.16:0.0
# ./launchpad.sh

You need to have your Xwin or Xmanager ready.

My template cfg.xml file is now at "/opt/IBM/WebSphere/Plugins/config/myapp/plugin-cfg.xml"

Copy the configuration script to the WAS server

There is a customised configuration script that you need to run on the WAS server to generate the real cfg.xml file. It is usually in the plugin bin directory, i.e. "/opt/IBM/WebSphere/Plugins/bin/configuremyappserver.sh".
I copied this to the WAS bin directory, i.e. /opt/was/IBM/WebSphere/AppServer/bin, and ran it.

Next, generate the plugin xml file on the WAS server.

root@myappserver:/opt/was/IBM/WebSphere/AppServer/bin> ./configuremyappserver.sh
Realm/Cell Name: <default>
Username: wasuser
Password:                                                                                                                                                    
WASX7209I: Connected to process "dmgr" on node myappserverCellManager01 using SOAP connector;  The type of process is: DeploymentManager
WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[myapp, APACHE, /usr/local/apache2222, /usr/local/apache2222/conf/httpd.conf, 80, MAP_ALL, /opt/IBM/WebSphere/Plugins, unmanaged, mywebserver-node, mywebserver, linux]"

Input parameters:

   Web server name             - myappserver
   Web server type             - APACHE
   Web server install location - /usr/local/apache2222
   Web server config location  - /usr/local/apache2222/conf/httpd.conf
   Web server port             - 80
   Map Applications            - MAP_ALL
   Plugin install location     - /opt/IBM/WebSphere/Plugins
   Web server node type        - unmanaged
   Web server node name        - mywebserver-node
   Web server host name        - mywebserver
   Web server operating system - linux

Creating the unmanaged node mywebserver-node .
Unmanged node mywebserver-node is created.

Creating the web server definition for myapp.
Web server definition for myapp is created.

Start computing the plugin properties ID.
Plugin properties ID is computed.

Start updating the plugin install location.
Plugin install location is updated.

Start updating the plugin log file location.
Plugin log file location is updated.

Start updating the RemoteConfigFilename location.
Plugin remote config file location is updated.

Start updating the RemoteKeyRingFileName location.
Plugin remote keyring file location is updated.

Start saving the configuration.

Configuration save is complete.

Computed the list of installed applications.

Processing the application myapp.
Get the current target mapping for the application myapp.
Computed the current target mapping for the application myapp.
Start updating the target mappings for the application myapp.
Target mapping is updated for the application myapp.

Start saving the configuration.

Configuration save is complete.

Transfer the plugin-cfg.xml file to the web server.

 scp /opt/was/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/myappserverCell01/nodes/mywebserver-node/servers/myapp/plugin-cfg.xml user@mywebserver:/tmp/

The generated file is generally in the "profiles_install_root/config/cells/cell_name/nodes/node_name/servers/web_server_name" directory.
The place to put the plugin-cfg.xml file is generally the "plugins_install_root/config/web_server_name" directory.

Start up Apache and test.

You should be good to go.

Wednesday, June 27, 2012

Access Controls and Virtual Hosts for WebSphere Application Server

WebSphere Virtual Host


WebSphere applications are assigned to virtual hosts during the installation and configuration process.

The virtual hosts are bound to one or more aliases (host names and ports), allowing a single application server to respond to multiple inbound request formats.

The virtual host aliases configured within WebSphere define the patterns for which the WebSphere application server will respond with data.

For example, say we have 7 aliases defined for a given virtual host 'foo-app' on the application server 'fooserver'.

Virtual Host:  'foo-app'
Hostname         Port
thisport         8080
thatport         8081
secureport       8443
secureport2      9443
otherport        10001
otherport2       10002
otherport3       10003

Hence, for any inbound request to 'foo-app', if the URL does not match against the list above, the request is denied; otherwise the client gets access. The application server is the gatekeeper here.

Usually all the default application server ports are removed from the 'default_host' virtual host once you do some 'hardening', forcing all inbound requests to be channelled through a proxy mechanism.

Hence, you will not be able to access the application 'foo-app' directly if its default listening port is not in the list above, e.g. when 'foo-app' listens on 1234. To get to 'foo-app', you need to go through one of the aliases above.

I use Apache in the web layer in front of WebSphere Application Server, so I need to install the WebSphere proxy plugin and generate the xml file.

When a client accesses the URL, the GET request reaches Apache, which then checks the request against the WebSphere proxy plugin for the host or virtual host corresponding to the requested URL.

The WebSphere proxy plugin has a list of valid WebSphere virtual hosts and the resources associated with each virtual host. If matched, the request is forwarded to the appropriate WebSphere application server. If not matched, a 404 is generated.
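As an added example (not from the post or from IBM's plugin), the Python below models the gatekeeping just described: it loads a constructed, cut-down plugin-cfg.xml whose VirtualHostGroup holds aliases from the 'foo-app' table above and a UriGroup of application paths, and routes a request to a ServerCluster only when both an alias and a URI pattern match, otherwise returning None (the 404 case). The matching rules (exact port, '*' as a host wildcard, shell-style URI patterns) are a simplification of the real plugin's.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed, cut-down plugin-cfg.xml for the 'foo-app' virtual host above (not a file generated by WAS).
SAMPLE_PLUGIN_CFG = """\
<Config>
  <VirtualHostGroup Name="foo-app">
    <VirtualHost Name="thisport:8080"/>
    <VirtualHost Name="thatport:8081"/>
    <VirtualHost Name="secureport:8443"/>
    <VirtualHost Name="*:10001"/>
  </VirtualHostGroup>
  <UriGroup Name="foo-app_URIs">
    <Uri Name="/foo-app/*"/>
    <Uri Name="*.jsp"/>
  </UriGroup>
  <Route ServerCluster="fooserver_Cluster" UriGroup="foo-app_URIs" VirtualHostGroup="foo-app"/>
</Config>
"""


def load_plugin_cfg(xml_text):
    """Return (vhost_groups, uri_groups, routes) pulled out of the plugin configuration."""
    root = ET.fromstring(xml_text)
    vhost_groups = {g.get("Name"): [v.get("Name") for v in g.findall("VirtualHost")]
                    for g in root.findall("VirtualHostGroup")}
    uri_groups = {g.get("Name"): [u.get("Name") for u in g.findall("Uri")]
                  for g in root.findall("UriGroup")}
    routes = [(r.get("VirtualHostGroup"), r.get("UriGroup"), r.get("ServerCluster"))
              for r in root.findall("Route")]
    return vhost_groups, uri_groups, routes


def alias_matches(alias, host, port):
    """'host:port' alias; '*' as the host part matches any host name, the port must match exactly."""
    ahost, _, aport = alias.rpartition(":")
    return aport == str(port) and (ahost == "*" or ahost.lower() == host.lower())


def route(cfg, host, port, path):
    """Return the ServerCluster a request is forwarded to, or None when no alias+URI pair matches."""
    vhost_groups, uri_groups, routes = cfg
    for vhg, ug, cluster in routes:
        host_ok = any(alias_matches(a, host, port) for a in vhost_groups[vhg])
        uri_ok = any(fnmatchcase(path, u) for u in uri_groups[ug])
        if host_ok and uri_ok:
            return cluster
    return None


if __name__ == "__main__":
    cfg = load_plugin_cfg(SAMPLE_PLUGIN_CFG)
    for req in [("thisport", 8080, "/foo-app/"), ("anyhost", 10001, "/x/y.jsp"),
                ("thisport", 1234, "/foo-app/"), ("thisport", 8080, "/admin/")]:
        print(req, "->", route(cfg, *req) or "404")
```

The third request in the demo is the post's "foo-app listens on 1234" case: the port is not an alias, so the plugin never forwards it, and the application server's own port stays unreachable through the web layer.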

Wednesday, March 21, 2012

Enable VCS SecondLevelMonitoring for Apache with Siteminder Protection

This is a record of how I set up VCS 5.0 MP3. The following steps have been tested on RHEL4 64-bit with VCS 5.0 MP3 and SiteMinder 6 QMR5 Hotfix 15. Originally VCS sends the following to Apache for second-level probing:

[root@webserver Apache]# grep HEAD Apache.pm
  print $sock "HEAD $sGetFile HTTP/1.0" . $space;

When we tested manually against Apache, the successful exchange was as follows:

[root@webserver siteminder]# telnet 10.11.12.13 80
Trying 10.11.12.13...
Connected to webserver.site.com (10.11.12.13).
Escape character is '^]'.
HEAD / HTTP/1.1
Host: webserver.site.com

HTTP/1.1 200 OK
Date: Mon, 17 Nov 2008 06:20:48 GMT
Server: Apache
Last-Modified: Thu, 06 Nov 2008 06:52:31 GMT
ETag: "4c4ab-25-45affbd9a39c0"
Accept-Ranges: bytes
Content-Length: 21
Vary: User-Agent
Content-Type: text/html; charset=ISO-8859-1

Connection closed by foreign host.
[root@webserver siteminder]#

When using HTTP/1.1 with the additional Host line, code 200 is returned. Therefore, we can modify Apache.pm as follows to work with SiteMinder under SecondLevelMonitor (the change is the HTTP version and the added Host header; $sHost is the host identifier for SiteMinder):

[root@webserver Apache]# grep HEAD Apache.pm
  print $sock "HEAD $sGetFile HTTP/1.1\nHost: $sHost" . $space;

A dummy file for checking that the web service is OK:

[root@webserver conf.d]# grep "sGetFile =" /opt/VRTSvcs/bin/Apache/Apache.pm
  $sGetFile =  '/ok.gif';

Without the above, the following happens when SecondLevelMonitor is enabled. This is what you see in /var/VRTSvcs/log/Apache_A.log:

2009/01/13 11:56:28 VCS ERROR V-16-2-13066 Thread(4136012704) Agent is calling clean for resource(webserver) because the resource is not up even after online completed.
2009/01/13 11:56:29 VCS NOTICE V-16-55005-10455 Resource(webserver) - (webserver:clean) VCSagentFW:SetupLogging:[clean] Entered by resource instance [webserver] with clean reason [3][Online Ineffective]
2009/01/13 11:56:34 VCS ERROR V-16-2-13068 Thread(4136012704) Resource(webserver) - clean completed successfully.
2009/01/13 11:56:34 VCS ERROR V-16-2-13071 Thread(4136012704) Resource(webserver): reached OnlineRetryLimit(0).
and this is what you see in /var/log/messages:
Jan 13 11:54:27 webserver Had[31344]: VCS ERROR V-16-1-20047 (webserver) Apache:webserver:monitor:  HTTP GET test failed for host [webserver.site.com] port [80]
Jan 13 11:55:28 webserver Had[31344]: VCS ERROR V-16-1-20047 (webserver) Apache:webserver:monitor:  HTTP GET test failed for host [webserver.site.com] port [80]
Jan 13 11:56:28 webserver Had[31344]: VCS ERROR V-16-1-20047 (webserver) Apache:webserver:monitor:  HTTP GET test failed for host [webserver.site.com] port [80]
Jan 13 11:56:28 webserver AgentFramework[31357]: VCS ERROR V-16-1-13066 Thread(4136012704) Agent is calling clean for resource(webserver) because the resource is not up even after online completed.
Jan 13 11:56:28 webserver Had[31344]: VCS ERROR V-16-1-13066 (webserver) Agent is calling clean for resource(webserver) because the resource is not up even after online completed.
Jan 13 11:56:34 webserver AgentFramework[31357]: VCS ERROR V-16-1-13068 Thread(4136012704) Resource(webserver) - clean completed successfully.

Eventually, the Apache service will be FAULTED. The reason is that the simple query done by Apache.pm is blocked by SiteMinder. Inside /var/log/messages you will see something similar to:

Jan 13 11:56:34 webserver AgentFramework[31357]: VCS ERROR V-16-1-13071 Thread(4136012704) Resource(webserver): reached OnlineRetryLimit(0).
Jan 13 11:56:35 webserver Had[31344]: VCS ERROR V-16-1-10303 Resource webserver (Owner: unknown, Group: webserver_grp) is FAULTED (timed out) on sys webserver

Do note that this is not supported by Symantec, but the suggestion came from Symantec after I logged a case with them for VCS+Apache not working with SiteMinder. You may want to back up this Apache.pm file in case it gets overwritten during patching, or when you need to get support from Symantec.

That's all, folks.
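The same probe in Python, as an added example (not the VCS agent's Apache.pm): it builds the HTTP/1.1 HEAD request with the Host header the patch adds, and parses the status line of the reply to decide whether the web service is up. The 200 response is reconstructed from the telnet session above; the 302 is a constructed example of what a SiteMinder-protected URL would answer instead, with a placeholder login host. The probe adds Connection: close and CRLF line endings, which the Perl one-liner leaves out; the $sHost and $sGetFile values appear as the host and path parameters.

```python
import socket

# The 200 OK reply from the telnet session above, reconstructed as raw bytes with CRLF line endings.
SAMPLE_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 17 Nov 2008 06:20:48 GMT\r\n"
    b"Server: Apache\r\n"
    b"Last-Modified: Thu, 06 Nov 2008 06:52:31 GMT\r\n"
    b"Content-Length: 21\r\n"
    b"Vary: User-Agent\r\n"
    b"Content-Type: text/html; charset=ISO-8859-1\r\n"
    b"\r\n"
)
# Constructed: the kind of answer a SiteMinder-protected URL gives an unauthenticated probe instead
# (sso.example.test is a placeholder host).
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://sso.example.test/login.fcc\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def build_probe(host, path="/ok.gif"):
    """The request the patched Apache.pm sends (HEAD + Host), plus two details the one-liner leaves out:
    CRLF line endings and Connection: close, so a monitor that reads to EOF cannot hang on keep-alive."""
    return f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_response_head(raw):
    """Return (status_code, {header_lower: value}) from the head of a raw HTTP response."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def is_healthy(raw):
    """Only a 200 counts as up, which is what the manual test above shows for the unprotected check file."""
    return parse_response_head(raw)[0] == 200


def probe(host, port=80, path="/ok.gif", timeout=5.0):
    """Send the probe over TCP and read until the server closes the connection; returns raw bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(build_probe("webserver.site.com").decode())
    print("200 reply healthy:", is_healthy(SAMPLE_OK), "| 302 reply healthy:", is_healthy(SAMPLE_REDIRECT))
```

The 302 case is the failure mode the post describes from the monitor's side: SiteMinder answers the probe, but not with a 200, so the check file must sit on a path that SiteMinder leaves unprotected.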

Monday, September 12, 2011

Listing and Verifying SSL Certificates using openssl

How to check the private key

Using the openssl command:

# openssl rsa -in myserver.key -check -noout
RSA key ok

How to check an SSL certificate (*.crt format) using the openssl command

Using the openssl command:

# openssl x509 -in myserver.crt -text -noout | more

To get only the validity dates:

# openssl x509 -in myserver.crt -text -noout | grep "Not"
            Not Before: Apr 24 14:35:54 2010 GMT
            Not After : Jul 27 04:17:47 2011 GMT

How to check an SSL certificate (*.cer format)

Using the openssl command:

# openssl x509 -inform der -in myserver.cer -text | more

To get only the validity dates:

# openssl x509 -inform der -in myserver.cer -text | grep "Not"
            Not Before: Nov 14 05:44:26 2008 GMT
            Not After : Nov 14 05:54:26 2010 GMT
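As an added example (not from the post), the Python below parses the validity lines printed by openssl x509 (both the -text form shown above and the shorter -noout -dates form) and turns them into the "days left" and status that the certificate monitoring later in the post reports. The sample outputs are the dates above; check_cert_file shells out to the real openssl binary, and the 100-day warning window is the same threshold configured further down.

```python
import re
import subprocess
from datetime import datetime, timezone

# Validity lines as printed above by 'openssl x509 -text' (first block) and, for comparison,
# the terser form printed by 'openssl x509 -noout -dates' (constructed from the second block's dates).
SAMPLE_TEXT_OUTPUT = """\
            Not Before: Apr 24 14:35:54 2010 GMT
            Not After : Jul 27 04:17:47 2011 GMT
"""
SAMPLE_DATES_OUTPUT = "notBefore=Nov 14 05:44:26 2008 GMT\nnotAfter=Nov 14 05:54:26 2010 GMT\n"

VALIDITY_LINE = re.compile(r"(?:Not\s+(?P<a>Before|After)\s*:|not(?P<b>Before|After)=)\s*(?P<t>\S.*?)\s*$")


def utc(*ymd_hms):
    """datetime(...) in UTC, so 'now' values compare with the GMT timestamps openssl prints."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)


def parse_openssl_time(text):
    """'Jul 27 04:17:47 2011 GMT' -> aware datetime. openssl pads single-digit days with a space,
    so the fields are split on whitespace instead of relying on fixed columns."""
    month, day, clock, year, zone = text.split()
    if zone != "GMT":
        raise ValueError(f"unexpected zone in {text!r}")
    naive = datetime.strptime(f"{month} {int(day)} {clock} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_validity(output):
    """Return (not_before, not_after) from either of the two openssl output styles."""
    found = {}
    for line in output.splitlines():
        m = VALIDITY_LINE.search(line)
        if m:
            found[(m.group("a") or m.group("b")).lower()] = parse_openssl_time(m.group("t"))
    if set(found) != {"before", "after"}:
        raise ValueError("validity dates not found in openssl output")
    return found["before"], found["after"]


def days_left(not_after, now):
    return (not_after - now).days


def status(not_before, not_after, now, warn_days=100):
    """Verdict in the spirit of the Status column the monitoring below prints."""
    if now < not_before:
        return "Not yet valid"
    if now >= not_after:
        return "Expired"
    if days_left(not_after, now) < warn_days:
        return "Expiring"
    return "Valid"


def check_cert_file(path, inform="pem", warn_days=100, now=None):
    """Run the real openssl binary on a certificate file (pem or der) and return (status, days_left)."""
    proc = subprocess.run(["openssl", "x509", "-inform", inform, "-in", path, "-noout", "-dates"],
                          capture_output=True, text=True, check=True)
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_validity(proc.stdout)
    return status(not_before, not_after, now, warn_days), days_left(not_after, now)


if __name__ == "__main__":
    nb, na = parse_validity(SAMPLE_TEXT_OUTPUT)
    today = utc(2011, 3, 1)
    print(f"{status(nb, na, today):8s} expires {na:%b %d %Y}  days left {days_left(na, today)}")
```

Comparing against an aware UTC "now" matters: openssl prints GMT, and a naive local-time comparison can be off by a day right at the expiry boundary.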

SSL Certificate Monitoring

Here's a guide on how to set up monitoring for SSL certificates.

It is important to ensure that the SSL certificates used in user-facing services or for secure communication are valid; otherwise we risk a service outage because of expired certificates.

The SSL monitoring script

Using the monitoring script "SSL Certificate Check" written by Matty, we can monitor SSL certificates either by verifying the certificate file itself or by querying the status through the live application service.

Link to detailed documentation: SSL Certificate Check

How to set it up

I am using script v3.21 dated Oct 2010 in the example.

1) Download it at SSL Certificate Check Script

2) Deploy it to a suitable location. Give it execute permission, at least 0700.

I have configured the script as follows:

# Who to page when an expired certificate is detected (cmdline: -e)
ADMIN="admin@myserver.com"

# Number of days in the warning threshold  (cmdline: -x)
WARNDAYS=100

# If QUIET is set to TRUE, don't print anything on the console (cmdline: -q)
QUIET="FALSE"

# Don't send E-mail by default (cmdline: -a)
ALARM="TRUE"

# Don't run as a Nagios plugin by default (cmdline: -n)
NAGIOS="FALSE"
With this, the script notifies via email (the default) when a certificate has less than 100 days of validity left. It also prints to the console; if you don't need that, change QUIET to "TRUE".

If you need to override the default settings in the script, you can use the following switches:

#./sslcertcheck
Usage: ./sslcertcheck [ -e email address ] [ -x days ] [-q] [-a] [-b] [-h] [-i] [-n] [-v]
       { [ -s common_name ] && [ -p port] } || { [ -f cert_file ] } || { [ -c certificate file ] }

  -a                : Send a warning message through E-mail
  -b                : Will not print header
  -c cert file      : Print the expiration date for the PEM or PKCS12 formatted certificate in cert file
  -e E-mail address : E-mail address to send expiration notices
  -f cert file      : File with a list of FQDNs and ports
  -h                : Print this screen
  -i                : Print the issuer of the certificate
  -k password       : PKCS12 file password
  -n                : Run as a Nagios plugin
  -p port           : Port to connect to (interactive mode)
  -s commmon name   : Server to connect to (interactive mode)
  -q                : Don't print anything on the console
  -v                : Only print validation data
  -x days           : Certificate expiration interval (eg. if cert_date < days)
Requirements

The mktemp package needs to be available on the server.

Usage

1) Running the script against a certificate file:

$ sslcertcheck -c /etc/httpd/conf/ssl.crt/abc.pem
Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
FILE:/etc/httpd/conf/ssl.crt/abc.pem            Valid        Jan 2 2010   807   
sslcertcheck prints the file or hostname in the first column, a value indicating whether the certificate is valid in the second column, the date the certificate will expire in the third column, and the number of days remaining until the certificate expires in the fourth column.

2) If you do not have local access to the certificate files, you can use sslcertcheck's network connectivity option to extract the certificate expiration date from a live server. To check when the certificate used by the web server will expire, pass the server name or IP address and a port number to sslcertcheck's "-s" (server name) and "-p" (tcp port) options:

#./sslcertcheck -s 172.21.41.136 -p 443

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
172.2.1.1:443                               Valid        Jul 24 2011  128
3) If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file and run sslcertcheck against that file.

The configuration file:

$ cat sslcertcheck.cfg
10.10.8.1 443
10.10.8.7 443
172.2.1.1 443

The output from the script, with the -e option setting whom to email when any entry has less validity left than the threshold:

# ./sslcertcheck -e admin@me.com -f sslcertcheck.cfg 

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
10.10.8.1:443                                 Valid        Nov 14 2013  972
10.10.8.7:443                                 Valid        Jan 20 2014  1039
172.2.1.1:443                               Valid        Jul 24 2011  128
That's all, folks!

Sunday, September 11, 2011

How to automatically redirect HTTP to HTTPS in Apache

Redirecting HTTP to HTTPS is a common and popular way to protect user privacy and sensitive information without making the user type 'https' manually to access your site.

First, verify that Apache is configured for HTTPS connections and that the necessary SSL certificates are already in place.

Then use either Redirect or mod_rewrite.

  • Using mod_rewrite. Add these directives to your configuration file:

        RewriteEngine On
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

    Make sure you have loaded the mod_rewrite module into Apache.

  • Using Redirect. Add these directives to your configuration file:

        SSLRequireSSL
        Redirect permanent /secure https://www.domain.com/secure

The second method, which uses Redirect, needs one less module, so security-wise it could be better. In addition, you don't need to worry about rewriting in logs, etc. Now restart Apache and go test it out.

How to disable weak ciphers in Apache

Rationale for disabling weak ciphers

From the whitepaper presented at the NLUUG autumn "security" conference in Nov 2010, some Apache configuration updates are required to disable the following.
Note: this is from the NLUUG whitepaper; if the author or publisher do not agree with me posting the screenshot, please let me know immediately and I will remove it. Thanks. The current default setting in my Apache ssl.conf is SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP. The older servers are even using the older OpenSSL! The enabled ciphers are listed below (the cipher string is passed on its own, without the "SSLCipherSuite" directive name in front of it).
# openssl ciphers -v 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
KRB5-DES-CBC-MD5        SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(56)   Mac=MD5
KRB5-DES-CBC-SHA        SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(56)   Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-64-MD5              SSLv2 Kx=RSA      Au=RSA  Enc=RC4(64)   Mac=MD5
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-KRB5-RC4-MD5        SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(40)   Mac=MD5  export
EXP-KRB5-RC2-CBC-MD5    SSLv3 Kx=KRB5     Au=KRB5 Enc=RC2(40)   Mac=MD5  export
EXP-KRB5-DES-CBC-MD5    SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(40)   Mac=MD5  export
EXP-KRB5-RC4-SHA        SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(40)   Mac=SHA1 export
EXP-KRB5-RC2-CBC-SHA    SSLv3 Kx=KRB5     Au=KRB5 Enc=RC2(40)   Mac=SHA1 export
EXP-KRB5-DES-CBC-SHA    SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(40)   Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

Disabling of weak ciphers.

For the sake of better security but without compromising the user's experience, I will also use SSLv3 or TLSv1 instead of SSLv2. Furthermore, OptRenegotiate is disabled by default.

I changed the cipher suite to SSLCipherSuite ALL:!ADH:!SSLv2:!EXPORT56:!EXPORT40:!RC4:!DES:+HIGH:+MEDIUM:+EXP, which does the following:

  • Disable all anonymous DH key exchange
  • Disable all SSLv2 ciphers
  • Disable all 56-bit export ciphers
  • Disable all 40-bit export ciphers
  • Disable all RC4 ciphers
  • Disable all single DES ciphers
  • Enable all 3DES ciphers
  • Enable all 128-bit encryption
  • Enable all export ciphers

Note that a "!" rule removes ciphers permanently, so by the time "+EXP" is evaluated there is no export cipher left for it to re-enable; the final list below accordingly contains none. The final list of ciphers enabled now is shown below.
# openssl ciphers -v 'SSLCipherSuite ALL:!ADH:!SSLv2:!EXPORT56:!EXPORT40:!RC4:!DES:+HIGH:+MEDIUM:+EXP'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

After updating the Apache configuration, it is recommended to test it, e.g. at www.ssllabs.com. The top grade is A. Try testing your web configuration and see if you get an A. :)
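To check a cipher list against the policy above without reading through it by eye, here is a small Python script. It is an added example, not part of the original post or of OpenSSL: it parses the "openssl ciphers -v" output format shown above and flags every suite that is export-grade, SSLv2, anonymous, RC4 or single DES, or has a key shorter than 128 bits, which is exactly what the "!" rules in the new SSLCipherSuite string remove. The embedded sample lines are a constructed subset of the post's own openssl output; to check your own server, pipe "openssl ciphers -v '<your cipher string>'" into it.

```python
import re
import sys
from typing import Dict, List

# Constructed subset of the `openssl ciphers -v` output shown in the post
# (lines from the "before" list); the full list is on the page.
SAMPLE_CIPHERS_V = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-64-MD5              SSLv2 Kx=RSA      Au=RSA  Enc=RC4(64)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

# One line of `openssl ciphers -v`: name, protocol, Kx=, Au=, Enc=alg(bits),
# Mac=, and an optional trailing "export" flag. Enc=None (eNULL) has no bits.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)


def parse_ciphers_v(text: str) -> List[Dict[str, object]]:
    """Turn `openssl ciphers -v` output into one record per suite."""
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        suites.append({
            "name": m["name"], "proto": m["proto"], "kx": m["kx"], "au": m["au"],
            "enc": m["enc"], "bits": int(m["bits"]) if m["bits"] else 0,
            "mac": m["mac"], "export": m["export"] is not None,
        })
    return suites


def weak_reasons(suite: Dict[str, object]) -> List[str]:
    """Why a suite violates the post's policy; empty list means it is acceptable."""
    reasons = []
    if suite["export"]:
        reasons.append("export-grade")
    if suite["proto"] == "SSLv2":
        reasons.append("SSLv2")
    if suite["au"] == "None":            # ADH / AECDH: no server authentication
        reasons.append("anonymous key exchange")
    if suite["enc"] == "None":           # eNULL: no confidentiality at all
        reasons.append("no encryption")
    if suite["enc"] == "RC4":
        reasons.append("RC4")
    if suite["enc"] == "DES":            # single DES only; 3DES is "3DES" here
        reasons.append("single DES")
    if suite["enc"] != "None" and suite["bits"] < 128:
        reasons.append(f"only {suite['bits']}-bit key")
    return reasons


def audit(text: str) -> List[Dict[str, object]]:
    """Return the suites that fail the policy, each with its list of reasons."""
    flagged = []
    for suite in parse_ciphers_v(text):
        reasons = weak_reasons(suite)
        if reasons:
            flagged.append({**suite, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # Use piped-in openssl output when there is any, otherwise the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CIPHERS_V
    for s in audit(text):
        print(f"{s['name']:<24} {s['proto']:<5} {', '.join(s['reasons'])}")
```

Run against the post's final cipher string the script prints nothing, which is the result you want before pasting the string into ssl.conf. MD5 MACs are deliberately not flagged because the post's policy keeps KRB5-DES-CBC3-MD5; add a check on the "mac" field if your own policy is stricter.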

Reference: NLUUG Autumn Security Conference Whitepaper

Disabling TRACK / TRACE in Apache

Currently, Apache does not deny TRACE requests (per RFC2616) by default. Therefore, when an HTTP TRACE request is sent to a web server that supports it, the server responds by echoing the data passed to it, including any HTTP headers. By definition, the HTTP TRACE method asks a web server to echo the contents of the request back to the client for debugging purposes. The complete request, including HTTP headers, is returned in the entity-body of the TRACE response. An example of Apache's response when TRACE is enabled:

# telnet myserver.com 80
Trying 10.10.10.10...
Connected to myserver. (10.10.10.10).
Escape character is '^]'.
TRACE / HTTP/1.0
Host: myserver.com
TestA: Hello
TestB: World

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 10:31:38 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: myserver.com
TestA: Hello
TestB: World

Connection closed by foreign host.
The output in the 2nd and 3rd paragraphs is actually the response from Apache, containing the exact data sent in the 1st paragraph. A status code of 200 indicates that the TRACE request is allowed, hence this response. It is possible for attackers to prepare a carefully crafted page that tricks a browser on a user's machine into issuing the TRACE request and then passing the echoed cookies or authentication data on to the attacker.

TRACE requests can be disabled by changing the Apache server configuration. There are 2 methods to achieve this:

1) Setting "TraceEnable off" in httpd.conf. This is only available in Apache 1.3.34, 2.0.55 and 2.2.x.
2) Using rewrite rules to deny TRACE requests in all the vhosts. This can be used universally across all Apache versions.

You can deny TRACE requests for both HTTP and HTTPS depending on your business system requirements, using either method depending on your Apache version. For example, to disable TRACE support using method 2, here is the example in the configuration file httpd.conf. For this purpose I have added additional lines to capture the log when the rules are invoked (RewriteLogLevel 9 is very verbose and slows the server down, so keep it only while verifying the rules).

After note: for Apache version 1.3.34, 2.0.55, 2.2.x and newer, please use option 1. The rest should use option 2 in all the vhosts.

    ServerName myserver.com
    ErrorLog logs/myserver-error.log
    CustomLog logs/myserver-access.log common

    # Block TRACE/TRACK XSS vector
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
    RewriteRule .* - [F]
    RewriteLogLevel 9
    RewriteLog logs/rewrite_log
 
After TRACE support is disabled, below is the rerun of the TRACE request.
# /usr/local/apache2/conf>telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: myserver.com
TestA: Hello
TestB: World

HTTP/1.1 403 Forbidden
Date: Thu, 21 Jul 2011 08:06:02 GMT
Server: Apache
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

403 Forbidden

Forbidden

You don't have permission to access / on this server.
Connection to localhost closed by foreign host.
We can see that Apache now responds with a 4xx status code, which indicates that the client request was denied. The rewrite log output below is written when the rewrite rules are invoked.
10.10.10.10 - - [21/Jul/2011:17:09:34 +0800] [myserver.com/sid#552add28f8][rid#552b2f0bf8/initial] (2) init rewrite engine with requested uri /
10.10.10.10 - - [21/Jul/2011:17:09:34 +0800] [myserver.com/sid#552add28f8][rid#552b2f0bf8/initial] (3) applying pattern '.*' to uri '/'
10.10.10.10 - - [21/Jul/2011:17:09:34 +0800] [myserver.com/sid#552add28f8][rid#552b2f0bf8/initial] (4) RewriteCond: input='TRACE' pattern='^TRAC(E|K)' => matched
10.10.10.10 - - [21/Jul/2011:17:09:34 +0800] [myserver.com/sid#552add28f8][rid#552b2f0bf8/initial] (2) forcing '/' to be forbidden
The examples so far only show HTTP; the XST issue can also be demonstrated over HTTPS by using "openssl s_client -connect hostname:port" and then typing the same request as after the telnet command. Please note that this is not a vulnerability in TRACE itself, nor in Apache. It is more a matter of hardening Apache so that it does not divulge more information than it should.
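Once the block is in place you want to know from the logs, not from a manual telnet, whether any TRACE or TRACK request still gets a 200 back. The following Python is an added example (not from the original post) that parses lines in the "common" LogFormat the vhost above logs with and sorts TRACE/TRACK requests into echoed (200), blocked (403 from the RewriteRule [F], 405 from TraceEnable off) and other. The log lines in it are constructed sample data, not real server logs.

```python
import re
from typing import Dict, List

# Constructed access-log lines in Apache's "common" LogFormat (the format the
# post's CustomLog directive uses). Sample data, not real logs.
SAMPLE_ACCESS_LOG = """\
10.10.10.10 - - [19/Jul/2011:18:31:38 +0800] "TRACE / HTTP/1.0" 200 84
10.10.10.10 - - [21/Jul/2011:17:09:34 +0800] "TRACE / HTTP/1.0" 403 202
10.10.10.11 - - [21/Jul/2011:17:10:02 +0800] "TRACK /index.html HTTP/1.1" 403 202
10.10.10.12 - - [21/Jul/2011:17:11:45 +0800] "GET / HTTP/1.1" 200 1043
10.10.10.13 - - [21/Jul/2011:17:12:10 +0800] "TRACE / HTTP/1.1" 405 221
"""

# host ident authuser [date] "METHOD path HTTP/x.y" status size
COMMON_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# 403 is what RewriteRule ... [F] returns; 405 is what TraceEnable off returns.
BLOCKED_STATUSES = ("403", "405")


def parse_common_log(text: str) -> List[Dict[str, str]]:
    """Parse common-format lines; malformed lines (e.g. garbage requests) are skipped."""
    entries = []
    for line in text.splitlines():
        m = COMMON_LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def trace_report(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group TRACE/TRACK requests by what the server did with them."""
    report: Dict[str, List[Dict[str, str]]] = {"echoed": [], "blocked": [], "other": []}
    for e in parse_common_log(text):
        if e["method"] not in ("TRACE", "TRACK"):
            continue
        if e["status"] == "200":
            report["echoed"].append(e)        # request body was reflected back
        elif e["status"] in BLOCKED_STATUSES:
            report["blocked"].append(e)
        else:
            report["other"].append(e)
    return report


def trace_still_answered(text: str) -> bool:
    """True if any TRACE/TRACK request in the log got a 200, i.e. the block is not effective."""
    return bool(trace_report(text)["echoed"])


if __name__ == "__main__":
    rep = trace_report(SAMPLE_ACCESS_LOG)
    for kind, entries in rep.items():
        for e in entries:
            print(f"{kind:<8} {e['host']:<15} {e['time']}  {e['method']} {e['path']} -> {e['status']}")
    print("TRACE still answered:", trace_still_answered(SAMPLE_ACCESS_LOG))
```

In the sample the first line (from before the rule was added) is the only echoed one, so a report run over a log that spans the change will show the cut-over; run it over the current day's log to confirm nothing is echoed any more.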


Reference:
http://www.kb.cert.org/vuls/id/867593
http://www.apacheweek.com/issues/03-01-24

Thursday, September 24, 2009

Difference between prefork MPM and worker MPM in apache

What are MPM?

'Multi Processing Modules', aka MPMs, are modules that extend Apache's capability to implement a hybrid multi-process, multi-threaded server.

The default MPM for Unix is the Prefork module.
The Worker MPM was introduced in Apache2.

The worker MPM uses a multi-process and multi-threaded structure:
Multi-process --> multiple PIDs (use 'ps -aef' to find out)
Multi-thread --> more connections per PID (use 'lsof' to find out; 'netstat -an' doesn't really show everything)

The parent process (the one belonging to root) is started up which in turn start up the child processes.

Each child process creates a fixed number of threads as specified in the ThreadsPerChild directive.

Apache always tries to maintain a pool of spare threads, which stand ready to serve incoming requests. The number of processes launched initially is set by the StartServers directive. Apache will try to keep the number of spare threads within the boundaries specified by MinSpareThreads and MaxSpareThreads.

The maximum number of clients that may be served simultaneously equals the maximum total number of threads across all processes. This is set using the MaxClients directive.

Therefore, no of processes or PIDs you can have is

no of processes = MaxClients / ThreadsPerChild
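The formula is easy to get wrong in practice because Apache quietly adjusts the numbers you give it. The Python below is an added example (not from the original post or from Apache) that reads the numeric directives of a worker block and applies the worker MPM's own sanity rules on top of the formula: MaxClients is lowered to a multiple of ThreadsPerChild, the process count is capped by ServerLimit, and a MaxSpareThreads smaller than MinSpareThreads + ThreadsPerChild is warned about. The sample block and its values are constructed for the example; the defaults are the Apache 2.2 worker defaults.

```python
import re
from typing import Dict, List, Tuple

# Constructed worker MPM block in httpd.conf syntax; the values are an
# assumption for the example, not settings taken from the post.
SAMPLE_WORKER_CONF = """\
<IfModule worker.c>
    StartServers         2
    ServerLimit         16
    MaxClients         150
    MinSpareThreads     25
    MaxSpareThreads     75
    ThreadsPerChild     25
    MaxRequestsPerChild  0
</IfModule>
"""

# Apache 2.2 worker defaults, used when a directive is absent from the block.
WORKER_DEFAULTS = {"ServerLimit": 16, "ThreadsPerChild": 25, "MaxClients": 400,
                   "MinSpareThreads": 75, "MaxSpareThreads": 250}

DIRECTIVE_RE = re.compile(r"^\s*(?P<name>[A-Za-z]+)\s+(?P<value>\d+)\s*$")


def parse_worker_conf(text: str) -> Dict[str, int]:
    """Pick up the sizing directives of a worker block; anything else is ignored."""
    settings = dict(WORKER_DEFAULTS)
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m and m["name"] in WORKER_DEFAULTS:
            settings[m["name"]] = int(m["value"])
    return settings


def size_worker_mpm(settings: Dict[str, int]) -> Tuple[int, int, List[str]]:
    """Apply the worker MPM's adjustments and return
    (effective MaxClients, number of child processes, warnings)."""
    tpc = settings["ThreadsPerChild"]
    max_clients = settings["MaxClients"]
    server_limit = settings["ServerLimit"]
    warnings: List[str] = []

    if max_clients < tpc:
        warnings.append(f"MaxClients {max_clients} is below ThreadsPerChild {tpc}; raised to {tpc}")
        max_clients = tpc
    elif max_clients % tpc:
        lowered = (max_clients // tpc) * tpc
        warnings.append(f"MaxClients {max_clients} is not a multiple of ThreadsPerChild {tpc}; lowered to {lowered}")
        max_clients = lowered

    processes = max_clients // tpc          # the post's formula: MaxClients / ThreadsPerChild
    if processes > server_limit:
        warnings.append(f"{processes} processes would exceed ServerLimit {server_limit}; capped at {server_limit}")
        processes = server_limit
        max_clients = processes * tpc       # Apache lowers MaxClients to match

    if settings["MaxSpareThreads"] < settings["MinSpareThreads"] + tpc:
        warnings.append("MaxSpareThreads is less than MinSpareThreads + ThreadsPerChild; "
                        "Apache raises it to that sum to avoid constantly spawning a child")
    return max_clients, processes, warnings


if __name__ == "__main__":
    effective, procs, warns = size_worker_mpm(parse_worker_conf(SAMPLE_WORKER_CONF))
    print(f"MaxClients={effective} -> {procs} child processes of {effective // procs} threads")
    for w in warns:
        print("warning:", w)
```

The process count it reports is the one you should compare against 'ps -aef' once the server is warm; if the two differ, one of the warnings usually explains why.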

Comparing Worker MPM and Prefork MPM,

Worker MPM
- The worker MPM uses multiple child processes with many threads each.
- Each thread handles one connection at a time.
- Good for high-traffic sites; smaller memory footprint.

Prefork MPM
- The prefork MPM uses multiple child processes with one thread each.
- Each process handles one connection at a time, so it uses more memory.
- Good for non-thread-safe third-party modules.

The prefork MPM is preferred for better compatibility with older software or for better stability, although it uses more memory.

Note that only one MPM can be loaded in Apache at any one time.

How to check which MPM is compiled?

# httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c

Reference: http://httpd.apache.org/docs/2.0/mod/worker.html

How to Configure Multiple Apache Instances based on the default Apache in RHEL 4.6

In my environment, there is a requirement to run multiple Apache instances on the same server.

One advantage is of course the obvious economic or ROI sense. Another is easier management from a systems administration point of view.

Here I have summarised the steps used to create 2 instances using the default Apache from RHEL 4.6 64-bit.

In this example, let me call one Apache instance websvc1 and the other websvc2.

step 1)
Make a copy of the httpd binary /usr/sbin/httpd for the 2nd instance

# cp -p /usr/sbin/httpd /usr/sbin/httpd_websvc2

step 2)
Make a copy of the Apache controller /usr/sbin/apachectl for the 2nd instance

# cp -p /usr/sbin/apachectl /usr/sbin/apachectl_websvc2

step 3)
Customise the apache controller /usr/sbin/apachectl_websvc2

...
...
# the path to your httpd binary, including options if necessary
HTTPD='/usr/sbin/httpd_websvc2'
...
...
# Source /etc/sysconfig/httpd_websvc2 for $HTTPD setting, etc.
if [ -r /etc/sysconfig/httpd_websvc2 ]; then
. /etc/sysconfig/httpd_websvc2
fi
...
...

Step 4)
Make a copy of the Apache environment configuration /etc/sysconfig/httpd for the 2nd instance

# cp -p /etc/sysconfig/httpd /etc/sysconfig/httpd_websvc2

Step 5a)
If you need to source some environment files, say for your site protection etc., put them in /etc/sysconfig/httpd or /etc/sysconfig/httpd_websvc2.

Step 5b)
You need to specify different resources and paths for the 2nd and subsequent Apache instances, else the 2nd Apache instance will fail to start up. One symptom if this is not done:

- Executing 'service httpd status' shows the PIDs of the httpd_websvc2 processes as well.

Things to differentiate include, but are not limited to, the following:

- pid file
- document root
- lock file
- conf file
- environment source
- etc.

Therefore, edit and append in /etc/sysconfig/httpd_websvc2

...
...
OPTIONS='-f /etc/httpd_websvc2/conf/httpd.conf -DSSL'
PIDFILE=/var/run/httpd_websvc2.pid
LOCKFILE=/var/lock/subsys/httpd_websvc2
CONFFILE=/etc/httpd_websvc2/conf/httpd.conf
...
...


Step 6)
Make a copy of the service script /etc/init.d/httpd for the 2nd instance

# cp -p /etc/init.d/httpd /etc/init.d/httpd_websvc2


Step 7)
While setting this up, I noticed the following scenarios:

- Executing 'service httpd stop' when httpd is not running kills httpd_websvc2 as well.
- Executing 'service httpd restart' when httpd is not running kills httpd_websvc2 as well.

Therefore add in /etc/init.d/httpd.

# Added to check for HTTPD process presence before acting on it
checkHttpdPID() {
HTTPDPID=`pidof -o $$ -o $PPID -o %PPID -x /usr/sbin/httpd`
if [ -z "$HTTPDPID" ]; then
echo "/usr/sbin/httpd is not running..."
exit
fi
}
...
...
stop)
checkHttpdPID
stop
;;
status)
checkHttpdPID
status $httpd
RETVAL=$?
;;
restart)
checkHttpdPID
stop
start
;;
...
...

Therefore add in /etc/init.d/httpd_websvc2

...
...
# Added to check for HTTPD process presence before acting on it
checkHttpdPID() {
HTTPDPID=`pidof -o $$ -o $PPID -o %PPID -x /usr/sbin/httpd_websvc2`
if [ -z "$HTTPDPID" ]; then
echo "/usr/sbin/httpd_websvc2 is not running..."
exit
fi
}
...
...
if [ -f /etc/sysconfig/httpd_websvc2 ]; then
. /etc/sysconfig/httpd_websvc2
fi
...
...
apachectl=/usr/sbin/apachectl_websvc2
httpd=${HTTPD-/usr/sbin/httpd_websvc2}
prog=httpd
pidfile=${PIDFILE-/var/run/httpd_websvc2.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd_websvc2}
...
...
stop)
checkHttpdPID
stop
;;
status)
checkHttpdPID
status $httpd
RETVAL=$?
;;
restart)
checkHttpdPID
stop
start
;;
...
...

Done.
Commands to use as below.

For websvc1
# service httpd [start/stop/restart/status/configtest]
# apachectl -tS

For websvc2
# service httpd_websvc2 [start/stop/restart/status/configtest]
# apachectl_websvc2 -tS

That's all.
For configuration of Apache, please refer to your SOP.
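Most of the start-up failures in step 5b come from two instances sharing a pid file, lock file or config file, or from the -f path in OPTIONS pointing at a different httpd.conf than CONFFILE. The Python below is an added example (not part of the original post or of RHEL's init scripts) that reads the /etc/sysconfig/httpd-style files of each instance and reports exactly those overlaps before you run 'service httpd_websvc2 start'. The three file contents are constructed samples, including a deliberately broken websvc2 variant; the key names are the ones used in the post.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed /etc/sysconfig/httpd-style contents for two instances.
# Sample data for the example, not the post's actual files.
SYSCONFIG_WEBSVC1 = """\
OPTIONS='-f /etc/httpd/conf/httpd.conf -DSSL'
PIDFILE=/var/run/httpd.pid
LOCKFILE=/var/lock/subsys/httpd
CONFFILE=/etc/httpd/conf/httpd.conf
"""

SYSCONFIG_WEBSVC2 = """\
OPTIONS='-f /etc/httpd_websvc2/conf/httpd.conf -DSSL'
PIDFILE=/var/run/httpd_websvc2.pid
LOCKFILE=/var/lock/subsys/httpd_websvc2
CONFFILE=/etc/httpd_websvc2/conf/httpd.conf
"""

# A broken 2nd instance: reuses websvc1's pid/lock/conf files and its OPTIONS -f
# path disagrees with CONFFILE (the overlap step 5b warns about).
SYSCONFIG_WEBSVC2_BAD = """\
OPTIONS='-f /etc/httpd_websvc2/conf/httpd.conf -DSSL'
PIDFILE=/var/run/httpd.pid
LOCKFILE=/var/lock/subsys/httpd
CONFFILE=/etc/httpd/conf/httpd.conf
"""

ASSIGN_RE = re.compile(r"^(?P<key>[A-Z_][A-Z0-9_]*)=(?P<value>.*)$")
CONF_OPT_RE = re.compile(r"-f\s+(\S+)")


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Read KEY=value lines the way the init script's `. /etc/sysconfig/httpd` sees them."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            values[m["key"]] = " ".join(shlex.split(m["value"]))  # drop shell quoting
    return values


def find_collisions(instances: Dict[str, Dict[str, str]],
                    keys: Tuple[str, ...] = ("PIDFILE", "LOCKFILE", "CONFFILE")
                    ) -> List[Tuple[str, str, List[str]]]:
    """(key, shared value, [instance names]) for every value two or more instances share."""
    collisions = []
    for key in keys:
        owners: Dict[str, List[str]] = {}
        for name, values in instances.items():
            if key in values:
                owners.setdefault(values[key], []).append(name)
        collisions.extend((key, v, names) for v, names in owners.items() if len(names) > 1)
    return collisions


def options_conf_mismatch(values: Dict[str, str]) -> bool:
    """True when the -f path in OPTIONS disagrees with CONFFILE: httpd would start
    with one config while the init script checks another."""
    m = CONF_OPT_RE.search(values.get("OPTIONS", ""))
    return bool(m and "CONFFILE" in values and m.group(1) != values["CONFFILE"])


def check_instances(files: Dict[str, str]) -> List[str]:
    """Human-readable problems for {instance name: sysconfig file contents}."""
    parsed = {name: parse_sysconfig(text) for name, text in files.items()}
    problems = [f"{key} {value} shared by {', '.join(names)}"
                for key, value, names in find_collisions(parsed)]
    problems += [f"{name}: OPTIONS -f path differs from CONFFILE"
                 for name, values in parsed.items() if options_conf_mismatch(values)]
    return problems


if __name__ == "__main__":
    for label, second in (("good", SYSCONFIG_WEBSVC2), ("bad", SYSCONFIG_WEBSVC2_BAD)):
        print(label, check_instances({"httpd": SYSCONFIG_WEBSVC1, "httpd_websvc2": second}) or "no problems")
```

The Listen port in each httpd.conf also has to differ, which this check does not see; it only covers the sysconfig side that the init scripts in steps 5 to 7 depend on.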

Tuesday, April 29, 2008

Forward/Reverse Proxying

This post is actually a brain dump of what I know so far from reading the numerous 'guides' out there.

Forward Proxy (e.g. Webmail)

The term Forward is meant in the direction from the "outside world" to the "inside world".
Term to use in /usr/local/apache2/conf/httpd.conf : --> ProxyPass

Scenario

1) User --> webmail.com

2) therefore --> actually the framework is as follows

Webmail.com/

3) This is used to control incoming access (with respect to the web server)


Reverse Proxy (e.g. Internal programs accessing resources outside the network)

The term used is --> ProxyPassReverse

1) This is to control internal applications' access to the Internet / Extranet.

2) Can use this to control the type of access and the type of traffic allowed.