Archive for the ‘apache’ Category

Apache Header Byte Range DoS Exploit…….

Saturday, September 3rd, 2011

Grrrrr, looks like there’s an unpatched exploit in *all* versions of Apache web server.

It’s to do with HTTP byte-range headers, which let a response be broken into smaller chunks before it is sent. You can read about them here and here.

There are multiple workarounds for mitigating the issue that can be read here and here.

And as of 30th August, version 2.2.20 of Apache has been released with the mitigation built in (if the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file).
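The 2.2.20 rule is simple enough to model in a few lines. Below is an added example, not Apache’s own code: a shell function that parses a Range header value, adds up how many bytes serving the ranges would send (overlapping ranges counted every time they appear) and compares the total with the file size, exactly the test described above. The header values fed to it are constructed for the demo.

```sh
#!/bin/sh
# Added example, not Apache's code: a stand-alone model of the 2.2.20 rule,
# "if the sum of all ranges in a request is larger than the original file,
# ignore the ranges and send the complete file".

# range_total_bytes SIZE RANGE_HEADER
#   Prints how many bytes serving every range in RANGE_HEADER would send for a
#   resource of SIZE bytes. Overlapping ranges are counted every time they
#   appear, which is why a short header can add up to many times the file size.
range_total_bytes() {
    size=$1
    spec=${2#bytes=}
    total=0
    old_ifs=$IFS
    IFS=','; set -f                      # split on commas only, no globbing
    for r in $spec; do
        r=$(printf '%s' "$r" | tr -d ' \t')
        case $r in
            *-*) ;;                      # first-last, first- or -suffix
            *) continue ;;
        esac
        first=${r%%-*}
        last=${r#*-}
        case $first$last in
            *[!0-9]*) continue ;;        # anything non-numeric is ignored
        esac
        if [ -z "$first" ]; then
            # suffix range "-N": the last N bytes, capped at the file size
            [ -n "$last" ] || continue
            len=$last
            [ "$len" -le "$size" ] || len=$size
        else
            # "first-last" or "first-": clamp last to the final byte
            [ "$first" -lt "$size" ] || continue      # starts past EOF
            if [ -z "$last" ] || [ "$last" -ge "$size" ]; then
                last=$((size - 1))
            fi
            [ "$first" -le "$last" ] || continue      # backwards range
            len=$((last - first + 1))
        fi
        total=$((total + len))
    done
    set +f; IFS=$old_ifs
    echo "$total"
}

# range_policy SIZE RANGE_HEADER
#   Prints "serve-ranges" when the request is honoured as written and
#   "serve-whole-file" when the 2.2.20 mitigation kicks in.
range_policy() {
    if [ "$(range_total_bytes "$1" "$2")" -gt "$1" ]; then
        echo serve-whole-file
    else
        echo serve-ranges
    fi
}

# Constructed sample headers against a 1000-byte resource
for hdr in 'bytes=0-499' 'bytes=0-499,500-999' 'bytes=-200' 'bytes=0-,0-,0-'; do
    printf '%-22s total=%-5s %s\n' "$hdr" \
        "$(range_total_bytes 1000 "$hdr")" "$(range_policy 1000 "$hdr")"
done
```

The second sample is the edge case worth noticing: two ranges that exactly cover the file add up to its size and are still honoured; only a total larger than the file trips the rule, which is why 2.2.20 falls back to sending the whole file rather than refusing the request.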

Guess what I’m going to be doing all next week ? :-/…….

Host Multiple WordPress Instances Using a Single Hosting Account

Saturday, September 18th, 2010

Running multiple WordPress instances is easy when you have multiple databases and directories at your disposal, but often you only get one database and one hosting folder when you sign up with a web provider.

Here’s how to run multiple instances of WordPress from their own urls out of subfolders in your personal hosting space.

First, we need to create some MySQL users and grant them permissions on the database (I have created a fictional database ‘wpdb’ here). You could also do this using a GUI-based tool like phpMyAdmin if you are more comfortable with that.

mysql> create database wpdb;
Query OK, 1 row affected (0.00 sec)

mysql> create user 'wp1'@'localhost' identified by 'wp1';
Query OK, 0 rows affected (0.00 sec)

mysql> create user 'wp2'@'localhost' identified by 'wp2';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on wpdb.* to 'wp1'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on wpdb.* to 'wp2'@'localhost';
Query OK, 0 rows affected (0.00 sec)

Inside my web hosting folder I created two subfolders, ‘blog-one’ and ‘blog-two’, so my hosting directory looks like this.

Next I downloaded the latest version of WordPress from http://wordpress.org/latest.zip to my folder. Unzipping latest.zip expands the contents into a ‘wordpress’ folder in the current directory.

Copy the contents of the ‘wordpress’ directory into the blog-one and blog-two folders.

Now go into the blog-one folder and rename ‘wp-config-sample.php’ to ‘wp-config.php’.

Edit the ‘wp-config.php’ file with your favourite editor and set the following values:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wpdb');

/** MySQL database username */
define('DB_USER', 'wp1');

/** MySQL database password */
define('DB_PASSWORD', 'wp1');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix  = 'wp_1_';

Now go into the blog-two folder and rename ‘wp-config-sample.php’ to ‘wp-config.php’.

Edit the ‘wp-config.php’ file with your favourite editor and set the following values:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wpdb');

/** MySQL database username */
define('DB_USER', 'wp2');

/** MySQL database password */
define('DB_PASSWORD', 'wp2');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix  = 'wp_two_';

What this will do is re-use the single database, but create uniquely named tables for each instance.

The url for my normal site is http://ubuntu.lan and here you can see the blog folders ready to use in my main folder.

I can access these WordPress instances by going to ‘http://ubuntu.lan/blog-one’ or ‘http://ubuntu.lan/blog-two’. But I don’t want my site url to be anything to do with these blogs, so we can use url rewriting to change them.

Create a .htaccess file with the following contents and place it into your root web hosting folder.

RewriteEngine On

RewriteCond %{HTTP_HOST} site2
RewriteCond %{REQUEST_URI} !^/blog-two
RewriteRule ^(.*)$ blog-two/$1 [L]

RewriteCond %{HTTP_HOST} site1
RewriteCond %{REQUEST_URI} !^/blog-one
RewriteRule ^(.*)$ blog-one/$1 [L]

This will allow me to use the urls ‘http://site1’ and ‘http://site2’ to reach my blogs. Site1 and Site2 have the same ip address as my main site. When I type ‘http://site1’ into the browser, it goes to my web host and hits my default folder. There it finds the .htaccess file and reads it. It finds an entry matching ‘site1’ which tells it to serve content from the ‘blog-one’ folder. You can replace ‘site1’ with any url name you like, as long as the ip address points to your hosting server.

If you have edited ‘wp-config.php’ correctly, when you browse to http://site1, you should get the WordPress setup screen as shown below.

Fill in your values for site name, email contact etc. etc., the install will complete and you will be given the login details for the admin account.

You should now be able to logon to the site and it should look something like this.

Now you can repeat the steps for ‘http://site2’. If all goes well, you should have a second, separate blog site like the one below.

And if we look at the tables in our MySQL database we see each has a wp_1_ or wp_two_ prefix as shown below, isolating each site in the DB.

You can repeat this multiple times to suit your needs, as long as you can point the DNS for the url to your hosting server it should work fine.
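As an added example (not from the post, and not WordPress code), here is a shell script that does the repetitive part of the procedure above: it fills in the four DB defines and $table_prefix in a copy of wp-config-sample.php for each blog folder, refuses a prefix that is not just letters, digits and underscores (as the sample file asks), and writes one .htaccess covering every host/folder pair. It assumes each folder already holds the unzipped WordPress files and that every blog shares the single database ‘wpdb’ on localhost. The host match in the generated .htaccess is anchored, which tightens the rule shown above so that ‘site1’ does not also catch ‘site10’. The demo at the end runs against a scratch directory with a constructed stand-in for wp-config-sample.php.

```sh
#!/bin/sh
# Added example, not from the original post or from WordPress: script the
# per-blog wp-config.php edits and the .htaccess host-to-folder mapping.
# Assumed layout: each blog folder already holds the unzipped WordPress files,
# including wp-config-sample.php, and every blog shares the database "wpdb".

# valid_prefix PREFIX -> 0 when PREFIX is only letters, digits and underscores
valid_prefix() {
    case $1 in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# sed_escape TEXT -> TEXT with the sed replacement metacharacters escaped
sed_escape() {
    printf '%s' "$1" | sed 's/[&/\\]/\\&/g'
}

# write_wp_config DIR DB_NAME DB_USER DB_PASSWORD PREFIX
#   Copies DIR/wp-config-sample.php to DIR/wp-config.php with the four DB
#   defines and $table_prefix set; refuses a prefix WordPress would not accept.
write_wp_config() {
    dir=$1 db=$2 user=$3 pass=$4 prefix=$5
    valid_prefix "$prefix" || { echo "bad table prefix: $prefix" >&2; return 1; }
    sed -e "s/define('DB_NAME', '[^']*');/define('DB_NAME', '$(sed_escape "$db")');/" \
        -e "s/define('DB_USER', '[^']*');/define('DB_USER', '$(sed_escape "$user")');/" \
        -e "s/define('DB_PASSWORD', '[^']*');/define('DB_PASSWORD', '$(sed_escape "$pass")');/" \
        -e "s/define('DB_HOST', '[^']*');/define('DB_HOST', 'localhost');/" \
        -e "s/^[\$]table_prefix *= *'[^']*';/\$table_prefix = '$prefix';/" \
        "$dir/wp-config-sample.php" > "$dir/wp-config.php"
}

# htaccess_block HOSTNAME FOLDER -> prints the rewrite block for one blog.
#   The host match is anchored, unlike the post's rule, so "site1" is not
#   also matched by "site10".
htaccess_block() {
    printf 'RewriteCond %%{HTTP_HOST} ^%s$ [NC]\n' "$1"
    printf 'RewriteCond %%{REQUEST_URI} !^/%s\n' "$2"
    printf 'RewriteRule ^(.*)$ %s/$1 [L]\n\n' "$2"
}

# write_htaccess ROOT "HOST1 FOLDER1" "HOST2 FOLDER2" ...
#   Writes ROOT/.htaccess with one block per host/folder pair.
write_htaccess() {
    root=$1; shift
    {
        echo 'RewriteEngine On'
        echo
        for pair in "$@"; do
            htaccess_block $pair          # unquoted: split "host folder"
        done
    } > "$root/.htaccess"
}

# Constructed demo in a scratch directory standing in for the hosting root
root=$(mktemp -d)
for blog in blog-one blog-two; do
    mkdir -p "$root/$blog"
    # stand-in for the real wp-config-sample.php (just the lines we edit)
    cat > "$root/$blog/wp-config-sample.php" <<'EOF'
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix  = 'wp_';
EOF
done
write_wp_config "$root/blog-one" wpdb wp1 'wp1-password' wp_1_
write_wp_config "$root/blog-two" wpdb wp2 'wp2-password' wp_two_
write_htaccess "$root" "site1 blog-one" "site2 blog-two"
cat "$root/.htaccess"
```

One thing the script cannot change: the grants above give both wp1 and wp2 full rights on wpdb, so the prefixes keep the two sites’ tables apart by name only, not by database privilege.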

Enjoy :o)

Remove Tilde From URL On OS X Personal Web Sites

Saturday, August 14th, 2010

I’ve recently been helping a friend with some web site stuff. Nothing too complex, just some php that results in some html and css.

Continually ftp’ing the files back and forth to my ISP hosted account was becoming labour intensive, so I figured I would just use the apache web server built into OS X on my Mac Mini.

Some notes:

The main apache config file is located at:

/etc/apache2/httpd.conf

Each user has a personal apache config file that specifies the location of their personal web folder. This file is located at:

/etc/apache2/users/<username>.conf

Each user/logon gets a folder called ‘Sites’ in their home directory (so /Users/<user>/Sites/). This folder is the root of your personal web name space.

When you access the site, the url to use is:

http://servername/~username

If you don’t like the tilde character (~) being part of the url, you can get around it by editing the user’s personal apache config file, /etc/apache2/users/<username>.conf. Add the following to the top of the file (with <username> replaced by your logon name):

Alias /<username> "/Users/<username>/Sites/"

Restart apache (either from the Preferences panel, or with ‘apachectl restart’) and you should be good to go.

So my logon on my Mac Mini is Scott. The file I need to edit is:

/etc/apache2/users/Scott.conf

And I need to add the line:

Alias /Scott "/Users/Scott/Sites/"

I also add:

Alias /scott "/Users/Scott/Sites/"

so that I don’t have to worry about case sensitivity. Now, instead of using:

http://mymacmini/~Scott

you should be able to use:

http://mymacmini/scott

Apache2: No Listening Sockets Available…….

Friday, January 8th, 2010

Following on from the issue(s) I had with my OpenVPN server, I was still not happy/confident that in the event of a reboot or restart for any reason (whether deliberate or unintentional) all the necessary processes and services would start up successfully without some post-boot intervention.

With this in mind, I decided to create another server to transfer the live service(s) onto so I could get some much-needed downtime on the existing server. Owing to the lack of another physical machine to do this with, I decided to create a virtual machine on our ESX cluster.

The initial steps were pretty easy: create a VM with one vCPU, 1GB RAM, a 30GB vdisk and two network interfaces. I installed Ubuntu Server 9.04 i386 from the .iso and enabled LAMP and SSH. Installation completed and the system rebooted. Watching the console I saw that everything started at boot time as it should.

Next step was to copy the websites across from the live server to this one. I installed NFS and mounted /var/www from the live server and copied all the sites across along with the relevant config files. I modified the config files to allow for the change of ip address and then restarted the system.

And that was when it started to go wrong. I only caught a glimpse of the error the first time I restarted the system. After the reboot, I logged in and checked, and apache was not running. Looking in /var/log/syslog did not show any clues why; even the error message itself did not seem to have been captured.

So I rebooted again and watched the console carefully, and this time saw the error:

apache2: no listening sockets available

along with

could not bind to address x.x.x.x:80 (where x was the ip address of the server)

Googling this turned up several mentions of other processes or programs using and blocking the socket/port in question, but this was happening at boot time, when nothing else really had a chance to be up and running yet. To test, I tried starting apache from the command prompt after bootup and it started fine, so what was going on?

The main difference between this server and the live one was that this one was in a VM. Looking at the runlevel start scripts I noticed apache gets in there really early with S02apache2. Given my previous post where OpenVPN was trying to start before bridging on the live server, I wondered if the interface that Apache was trying to bind to was perhaps not quite ready at the point in the boot process when it tried.

So I moved S02apache2 to S09apache2 for all runlevels and rebooted the VM again. Result: Apache now loaded as part of the boot process with no errors or manual intervention required.

So if you are also having issues with processes that do not start at boot time, but start fine after boot when you initiate them from the command prompt, you may just need to move them a little later in the boot process to give other things time to start up beforehand.
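Renaming the start links by hand in every rc?.d directory is tedious, and it is easy to leave the service still ahead of the one it depends on in one runlevel. The following is an added example, not from the post: shell functions that list a service’s start positions, move it to a new sequence number in every runlevel (what the S02apache2 to S09apache2 rename above did by hand), and check that it now sorts after a named dependency. RC_BASE is an assumed variable so the demo runs against a scratch tree standing in for /etc; the init.d stubs and links in the demo are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: move a SysV init service later
# in the boot order in every runlevel and confirm it now starts after the
# service it depends on. RC_BASE (assumed) is the directory holding the
# rc?.d directories; set it to /etc to act on a real system.

# rc_positions SERVICE -> prints "rcN.d SNNservice" for each start link found
rc_positions() {
    for link in "$RC_BASE"/rc[0-9S].d/S[0-9][0-9]"$1"; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        dir=${link%/*}
        echo "${dir##*/} ${link##*/}"
    done
}

# rc_seq_in DIR SERVICE -> prints SERVICE's two-digit start sequence in DIR, if any
rc_seq_in() {
    for link in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}
        printf '%.2s\n' "${name#S}"
    done
}

# rc_starts_after SERVICE DEPENDENCY
#   Returns 0 when, in every runlevel that starts both, SERVICE carries a
#   higher sequence number than DEPENDENCY and therefore starts after it.
rc_starts_after() {
    svc=$1 dep=$2 bad=0
    for dir in "$RC_BASE"/rc[0-9S].d; do
        [ -d "$dir" ] || continue
        s=$(rc_seq_in "$dir" "$svc")
        d=$(rc_seq_in "$dir" "$dep")
        [ -n "$s" ] && [ -n "$d" ] || continue
        [ "$s" -gt "$d" ] || bad=1
    done
    return $bad
}

# rc_move SERVICE NEW_SEQ
#   Renames S<old>SERVICE to S<NEW_SEQ>SERVICE in each rc?.d that has it and
#   prints one "rcN.d old -> new" line per change. Returns 1 unless NEW_SEQ
#   is two digits, which is the only form the rc sort order understands.
rc_move() {
    svc=$1 new=$2
    case $new in
        [0-9][0-9]) ;;
        *) echo "sequence number must be two digits, got '$new'" >&2; return 1 ;;
    esac
    for link in "$RC_BASE"/rc[0-9S].d/S[0-9][0-9]"$svc"; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        dir=${link%/*}
        name=${link##*/}
        [ "$name" != "S$new$svc" ] || continue   # already at the new position
        mv "$link" "$dir/S$new$svc"
        echo "${dir##*/} $name -> S$new$svc"
    done
}

# Constructed demo: a scratch rc tree standing in for /etc, with networking
# at S05 and apache2 at S02, i.e. the web server starting before the
# interface it wants to bind to.
RC_BASE=$(mktemp -d)
mkdir -p "$RC_BASE/init.d"
: > "$RC_BASE/init.d/apache2"
: > "$RC_BASE/init.d/networking"
for rl in 2 3 4 5; do
    mkdir -p "$RC_BASE/rc$rl.d"
    ln -s ../init.d/networking "$RC_BASE/rc$rl.d/S05networking"
    ln -s ../init.d/apache2 "$RC_BASE/rc$rl.d/S02apache2"
done
rc_starts_after apache2 networking || echo "apache2 starts before networking"
rc_move apache2 09
rc_starts_after apache2 networking && echo "apache2 now starts after networking"
```

Use rc_starts_after as the check after any manual reshuffle: the symptom in the post (fails at boot, starts fine by hand afterwards) is exactly what an ordering mistake in a single runlevel looks like.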

I don’t profess to be the best system admin in the world, but I always get to the cause eventually :o)

Refreshingly Secure…….Part 3

Monday, January 4th, 2010

For the final part of reminding myself how to secure a linux website, I need to include the bit on how to force insecure traffic to be secure. This is done using rewrite rules to rewrite the url from http:// to https://. You can make the whole site redirect to secure, or just certain subsections of the site.

To force the whole site secure, you first need to run two versions of the site: a secure version listening on port 443 and a non-secure version listening on port 80. You then need a rewrite rule on the port 80 site that basically says: if this url is http://, rewrite the url to be https://.

The config to do this is below and needs to be included between your <VirtualHost> tags in the non-secure site config.

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/?(.*) https://www.sporticia.com/$1 [R,L]

This basically says if the request did not come in on port 443 then redirect the browser to the same path under https://. The captured path ($1) is carried across, so a deep link to a page is not bounced to the home page, and [L] stops any later rules from touching the redirected request.

As the rewrite rules are written using regular expressions, you can actually do some pretty complex stuff, examples of which you can find here and also here.


Refreshingly Secure…….Part 2

Tuesday, December 22nd, 2009

So we now have our private key .key and our public key .crt (or something to that effect).

Now we need to include the files in the apache config. Place the .key and .crt files where you can find them (I use /etc/apache/ssl-certs/). Now you need to edit your apache config file. I’ve included a dummy version below to show you what to add and where.

You will need to add ‘SSLRequireSSL’ between the <Directory> </Directory> tags to tell apache that the content from this directory must be served over SSL. You will also need to alter the port from :80 to :443.

You then need to include

SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/apache/ssl-certs/www.sporticia.com.crt
SSLCertificateKeyFile /etc/apache/ssl-certs/www.sporticia.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

to provide the location details for the private key and the certificate to be used.

The whole thing should look something like this

<VirtualHost 192.168.1.10:443>
ServerName www.sporticia.com
ServerAlias sporticia.com
ServerAdmin test@sporticia.com

DocumentRoot /var/www/sporticia.com

<Directory /var/www/sporticia.com>
SSLRequireSSL
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ErrorLog /var/log/apache/www.sporticia.com_error_log
CustomLog /var/log/apache/www.sporticia.com_access_log common

SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/apache/ssl-certs/www.sporticia.com.crt
SSLCertificateKeyFile /etc/apache/ssl-certs/www.sporticia.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>

Restart Apache (using either ‘apachectl restart’ or ‘/etc/init.d/apache restart’) and you should now be able to browse the site using ‘https://sitename’ and you should have the little padlock icon to indicate the site is secured with an SSL certificate.

Note that while this will permit you to browse the site using https, it will not force the browser to use https; if anyone tries to access the site using http they will get a 403 forbidden page.

The next post will show how to force the browser to use the secure version of the site.


Refreshingly Secure…….Part 1

Friday, December 18th, 2009

Grrrrrr, some of our SSL certificates expired on a linux server today. And, like every time I have to renew an SSL certificate on a linux machine, there was a bit of trial and error as I tried to remember how I did it the last time.

So here’s a refresher for me and notes for anyone doing this for the first time.

SSL uses a pair of keys for encryption and decryption. You create the private key on your linux server, and then use this to create a certificate signing request (csr). You then take the csr to a 3rd party certificate authority to create your certificate, which carries the public key.

The math involved is pretty heavy, but this guy explains it really well using a tiny prime number so you can follow along (hopefully).

First, generate your private key on the server using


openssl genrsa -out <sitename>.key 2048

Replace <sitename> with the name of your site; this helps you tell different keys apart. The 2048 at the end is the size of the key in bits; go no smaller than 2048.

Next, we use the private key to create the certificate signing request (csr)


openssl req -new -key <sitename>.key -out <sitename>.csr

openssl will ask you some questions about the csr. Important notes:


The country code is ‘GB’ for the United Kingdom, not ‘UK’ !!!!

The ‘Common Name’ is the url for the site you are securing (e.g. www.sporticia.com)

Remember the password you use when you create the csr; you will need it to install the certificate you create from the csr.


BACKUP YOUR .key and .crt files! If you lose them, you will have to start all over again.

You can now take your .csr file along to a 3rd party certificate authority (Thawte, Go Daddy, VeriSign etc. etc.) and use it to generate your certificate (the .crt file).
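The following is an added example (not from the post) that wraps the two openssl commands above in a script. It supplies the CSR subject on the command line rather than answering the prompts, after checking the two things that trip people up here: the country must be the ISO code (GB, not UK) and the key must be at least 2048 bits. It also writes the key with owner-only permissions and verifies the CSR’s own signature before you send it off. The site and organisation names are placeholders, and the demo only runs when openssl is installed.

```sh
#!/bin/sh
# Added example, not from the original post: drive "openssl genrsa" and
# "openssl req -new" with the post's two pitfalls checked up front. Names
# used in the demo (www.example.com, Example Ltd) are placeholders.

# iso_country CODE -> 0 for a two-letter upper-case ISO code; "UK" is rejected
iso_country() {
    [ "${#1}" -eq 2 ] || return 1
    case $1 in UK) return 1 ;; esac       # the ISO 3166 code for the UK is GB
    [ -z "$(printf '%s' "$1" | tr -d 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')" ]
}

# key_bits_ok BITS -> 0 when BITS is a number of at least 2048
key_bits_ok() {
    case $1 in '' | *[!0-9]*) return 1 ;; esac
    [ "$1" -ge 2048 ]
}

# csr_subject COUNTRY STATE LOCALITY ORG COMMON_NAME -> the -subj argument
csr_subject() {
    printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s' "$1" "$2" "$3" "$4" "$5"
}

# make_key_and_csr SITENAME BITS COUNTRY STATE LOCALITY ORG
#   Writes SITENAME.key (owner-readable only) and SITENAME.csr in the
#   current directory; the common name is the site name, as the post advises.
make_key_and_csr() {
    site=$1 bits=$2 country=$3
    key_bits_ok "$bits"    || { echo "key size $bits is below the 2048 minimum" >&2; return 1; }
    iso_country "$country" || { echo "country '$country' is not an ISO code (GB, not UK)" >&2; return 1; }
    ( umask 077 && openssl genrsa -out "$site.key" "$bits" ) || return 1
    openssl req -new -key "$site.key" -out "$site.csr" \
        -subj "$(csr_subject "$country" "$4" "$5" "$6" "$site")"
}

# csr_ok CSRFILE -> 0 when openssl can parse the CSR and its signature verifies
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Demo with placeholder names, run in a scratch directory
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d) && cd "$work" &&
    make_key_and_csr www.example.com 2048 GB London London 'Example Ltd' &&
    csr_ok www.example.com.csr &&
    openssl req -in www.example.com.csr -noout -subject
fi
```

Checking the subject printed at the end against what you meant to request is worth the second it takes: a CSR with the wrong common name or country is only discovered when the CA rejects it, or worse, issues a certificate for the wrong name.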

Next post will explain how to use the keys with apache to secure the site.
