Category Archives: Apache2

Protect your server from the POODLE attack

You can protect your server from the POODLE attack, as described here, by disabling the SSLv3 protocol on your (Ubuntu) Apache webserver. This is easily done by changing a single configuration file. Edit the file /etc/apache2/apache2.conf  and search for the line containing SSLProtocol. Change this line from

to

This disables SSLv3 connections to your server. Restart your apache webserver

and then test if the changes were successful:

1. Try to open an SSLv2 connection; this should give you an error:

openssl s_client -ssl2 -connect bjdejong.nl:443

2. Try to open an SSLv3 connection; this should give you an error:

openssl s_client -ssl3 -connect bjdejong.nl:443

3. Try to open a TLS connection; this should give you no error:

openssl s_client -tls1 -connect bjdejong.nl:443

If everything went ok you are protected against the POODLE attack.
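As an added example (not part of the original post), the shell function below lists every SSLProtocol directive that still permits SSLv3, so the configuration itself can be checked alongside the openssl s_client tests. The function names and the two sample files are constructed for illustration, and "all" is assumed to include SSLv3.

```shell
#!/bin/sh
# Added example: list SSLProtocol directives that still permit SSLv3.
# Assumption: "all" counts as including SSLv3 (the conservative reading).

sslv3_lines() {
    # Print "file:line: directive" for every SSLProtocol line that leaves SSLv3 on.
    awk '
    {
        orig = $0
        sub(/#.*/, "")                 # strip comments; awk re-splits the fields
        if (tolower($1) != "sslprotocol") next
        on = 0
        for (i = 2; i <= NF; i++) {    # protocol tokens apply left to right
            t = tolower($i)
            if (t == "all" || t == "+all" || t == "sslv3" || t == "+sslv3") on = 1
            else if (t == "-all" || t == "-sslv3") on = 0
        }
        if (on) print FILENAME ":" FNR ": " orig
    }' "$@"
}

sslv3_disabled() {
    # Succeeds only when no given file has a directive that permits SSLv3.
    [ -z "$(sslv3_lines "$@")" ]
}

# Constructed sample files standing in for /etc/apache2/apache2.conf.
write_samples() {
    printf '%s\n' '# before the change' '  SSLProtocol all -SSLv2' > "$1/before.conf"
    printf '%s\n' '#SSLProtocol all' 'SSLProtocol all -SSLv2 -SSLv3' > "$1/after.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
sslv3_lines "$demo_dir/before.conf" "$demo_dir/after.conf"   # only before.conf is reported
rm -rf "$demo_dir"
```

Run sslv3_lines against the real configuration files before restarting Apache; an empty result means no directive in those files re-enables SSLv3.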


Ubuntu Apache problems on Azure

Apache SSLCipherSuite settings

Got the error below in your apache error log when trying to start the Apache server?

[Mon Jan 19 20:19:24 2015] [error] Unable to configure permitted SSL ciphers

Then you have permitted ciphers in your apache.conf (at /etc/apache2) that are not compatible with your openssl configuration (probably version 1.01, check with openssl version). To solve this problem, remove the +TLSv1.1:+TLSv1.2 from the line starting with SSLCipherSuite.

Restart your apache server; it should be running now.

Want to get rid of the Apache2 message “Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1 for ServerName”?

Edit your /etc/hosts file and add the FQDN to the line that contains
127.0.0.1    localhost

 


Ubuntu iptables redirect

iptables redirect

Having trouble ssh-ing on port 22? Then try to use another port with the help of your iptables firewall. With iptables it is possible (among other things) to redirect traffic on an incoming port to another port of your choice.

To save your current firewall setup you could choose to save your configuration with:

Restoring your old configurations is as easy as:

Execute the following command to redirect traffic on port 443 to port 22:

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 22

Now, to create a SOCKS tunnel on port 443, execute the following command (add the -vvv option to get debugging info from ssh):

To use this connection in the browser, tell the browser to use a SOCKS proxy on port 8080, or use the tsocks command to “socksify a tool”, for example an ssh session to other servers.

tsocks ssh uid@hostname

 


XDebug NetBeans Apache configuration

So you want to debug your PHP website code with XDebug and NetBeans? In this post I will explain how to configure XDebug / Apache and NetBeans to start a debug session for your website.

First of all install the necessary components:

Restart the apache webservice and check for any errors:

Create a new website configuration in /etc/apache2/sites-available:

Update your hosts file so you can easily test this new site. Add the following line to the file /etc/hosts:

Next enable remote debugging with XDebug. Although you just installed XDebug it will be disabled by default.

Create a script index.php to see your changes to the apache / php configuration in the directory /var/www/xdebugger/www:

Navigate to http://www.xdebugger.tst

[Image: xdebugoff]

As you can see in the picture above, XDebug is not enabled. To enable the XDebug feature add the following lines (if not already there) to the file /etc/php5/apache2/conf.d/20-xdebug.ini:

Now restart your apache service once more; execute the script and check the xdebug.remote_enable setting:

Execute

Navigate to http://www.xdebugger.tst

[Image: xdebugon]

 

Now go to your NetBeans IDE and create a new project:

Set the main project to the newly created project:

Next start your first debugging session!

Additional information about configuring NetBeans can be found here

Analyze IP addresses accessing your Apache server

The awk command below retrieves the first column of your apache log file, which contains the IP address of the browser accessing your host (if you have a virtual host setup with the vhost_combined CustomLog you should retrieve column 2 instead).

After retrieving the column it is sorted and all unique values are determined and counted. After that the list of unique values and their count is sorted (reverse) to get the top list of IPs.

Output of this statement:
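The pipeline described in this post, written out as an added example (not the original command from the post). The function names, the column parameter and the sample log lines, which use documentation IP ranges, are constructed for illustration.

```shell
#!/bin/sh
# Added example: top client IPs in an Apache access log.

top_ips() {
    # $1 = log file
    # $2 = column with the client IP (1 for combined, 2 for vhost_combined)
    # $3 = number of entries to show (default 10)
    awk -v col="${2:-1}" 'NF >= col { print $col }' "$1" |
        sort | uniq -c | sort -rn | head -n "${3:-10}" |
        awk '{ print $1, $2 }'          # normalise to "count ip"
}

# Constructed sample logs: one in combined format, one in vhost_combined format.
write_sample_logs() {
    cat > "$1/access.log" <<'EOF'
192.0.2.10 - - [19/Jan/2015:20:19:24 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.35.0"
198.51.100.7 - - [19/Jan/2015:20:19:25 +0100] "GET /login HTTP/1.1" 200 734 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Jan/2015:20:19:26 +0100] "GET /a.css HTTP/1.1" 200 120 "-" "curl/7.35.0"
203.0.113.5 - - [19/Jan/2015:20:19:27 +0100] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jan/2015:20:19:28 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Jan/2015:20:19:29 +0100] "GET /b.js HTTP/1.1" 200 88 "-" "curl/7.35.0"
EOF
    # vhost_combined puts "vhost:port" in front, so the IP moves to column 2.
    sed 's/^/www.example.test:80 /' "$1/access.log" > "$1/vhost_access.log"
}

demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
top_ips "$demo_dir/access.log"            # combined format, column 1
top_ips "$demo_dir/vhost_access.log" 2    # vhost_combined format, column 2
rm -rf "$demo_dir"
```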

 

 


Apache deny and allow access from ipaddress

With help of a .htaccess file we can deny or allow access from a specific ip address or range of ip addresses.

Deny access from all IP addresses in the range 192.168.2.*:

The line order allow,deny means that Apache should first evaluate the allow entries (which states that everyone is allowed access) and then the deny entries (which states that the range 192.168.19.* is denied access). Effectively this means that the range 192.168.19.* is denied access.

Order of evaluation is allow, deny; so this means:
allow access from all
deny access from 192.168.19.

Allow only access from the IP range 192.168.19.*:

Order of evaluation is deny, allow; so this means:
deny access from all
allow from 192.168.19.


Configure Apache

Perform a clean Apache install:

After that copy original configuration files:

To prevent users from getting a directory listing add the next line to the bottom of your apache2.conf:
Options -Indexes

A fresh apache install has the following modules installed

As you can see, the rewrite module is missing from this list. You can simply activate this module by executing:

a2enmod rewrite

 

 


Add SSL to localhost on apache / linux

Generate a Certificate Signing Request

1. Generate the keys for the Certificate Signing Request (CSR)

2. Create the insecure key.

3. Create the CSR.

Fill in the appropriate information.

4. Create the self-signed certificate

This creates server.crt

5. Install the self-signed certificate

Now you can configure apache with the ability to use public-key cryptography to use the certificate and key files.
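Steps 1 to 4 above as a non-interactive script, followed by a check that the certificate really belongs to the key; this is an added example, not the commands from the original post. The file names, the throwaway passphrase, CN=localhost and the 365-day validity are assumptions, and step 5 (copying the files into place) is left out because it needs root.

```shell
#!/bin/sh
# Added example: create a self-signed certificate for localhost and verify it.
# Assumptions: file names, passphrase, subject and validity are placeholders.

make_selfsigned() (
    dir=$1; pass=${2:-changeit}
    umask 077                                   # keep the key files private
    # 1. passphrase-protected RSA key
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null &&
    # 2. "insecure" copy without passphrase, so Apache can start unattended
    openssl rsa -in "$dir/server.key" -passin "pass:$pass" \
        -out "$dir/server.key.insecure" 2>/dev/null &&
    # 3. certificate signing request
    openssl req -new -key "$dir/server.key.insecure" -subj "/CN=localhost" \
        -out "$dir/server.csr" &&
    # 4. self-signed certificate (this creates server.crt)
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key.insecure" -out "$dir/server.crt" 2>/dev/null
)

cert_matches_key() {
    # $1 = certificate, $2 = unencrypted key; compares the RSA moduli.
    m=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) &&
        [ -n "$m" ] &&
        [ "$m" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

demo_dir=$(mktemp -d) &&
    make_selfsigned "$demo_dir" &&
    cert_matches_key "$demo_dir/server.crt" "$demo_dir/server.key.insecure" &&
    echo "certificate matches key"
rm -rf "$demo_dir"
```

A mismatch between certificate and key is a common reason for Apache refusing to start after enabling SSL, so run cert_matches_key on the files you install.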

Configure Apache to use SSL on local host

6. Enable ssl

7. Edit your default-ssl site (make backup copy)

Change:

To:

8. Enable the default-ssl site.

9. Restart the server.

Navigate to https://localhost and examine your certificate details


Ubuntu Apache + MySQL + WordPress

Install devenv with Ubuntu + Apache + MySQL

Create a new virtual machine and mount your Ubuntu ISO as CDROM drive. Startup the new virtual machine and install Ubuntu with default options.

After Ubuntu installation is complete be sure to add the guest additions to your system (keep your original configuration when asked):

Ubuntu windows appearing slow? See this url: http://askubuntu.com/questions/207813/why-does-an-ubuntu-12-10-guest-in-virtualbox-run-very-very-slowly/214968#214968

Upgrade and update your system to make sure you have the latest and the greatest software:

Mandatory components for your development environment

Optional (but useful tools)

WebMin server administration

When you want to mount an external CIFS filesystem (for example your NAS) install the CIFS utility package.

Mount a cifs remote file system:

Setup WordPress installation

For pretty URLs to work make sure the rewrite module is enabled in Apache. You can do this with the WebMin tool; in Webmin go to “Servers”, “Apache Webserver”, select the “Global configuration” tab, select “Configure Apache modules”, check the “Rewrite” module.

Changes take effect immediately.

Setup the MySQL database
