Apache

Apache2 Virtualhosting with a Single SSL Host

To start, Apache2 cannot serve multiple name-based SSL virtual hosts. It can handle multiple regular (name-based) virtual hosts plus a single SSL host.

Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol. [1]

NameVirtualHost IP1:80
NameVirtualHost IP1:443

<VirtualHost IP1:80>
    ServerName main_server:80
    DocumentRoot "/var/www/html"
</VirtualHost>
<VirtualHost IP1:80>
    ServerName 2nd_server:80
    DocumentRoot "/var/www/2nd_server"
</VirtualHost>
<VirtualHost IP1:80>
    ServerName 3rd_server:80
    DocumentRoot "/var/www/3rd_server"
</VirtualHost>
<VirtualHost IP1:443>
    ServerName main_server
    DocumentRoot "/var/www/secure_html"
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile point at your own certificate and key (site-specific)
</VirtualHost>

I plan to implement a store to sell various items, and I want to make people feel comfortable. To feel comfortable the visitor needs to see the lock icon in their web browser, and maybe a third party certification so the title bar becomes green in newer browsers.

Mod Security for Apache – Web Server Smart Firewall

ModSecurity has features that go above and beyond a standard firewall. It will help to prevent denial of service attacks, and it can also block traffic based on realtime blackhole lists (RBLs) issued by Spamhaus and others. ModSecurity is in the Debian repositories as well as Ubuntu's. In the Ubuntu repos you will have to enable the third-party applications source and update the package database. Then install:

sudo apt-get install libapache2-mod-security

Then enable the module:

sudo a2enmod security

A configuration file is installed by default; it provides a basic starting point for the various security options the module offers. Refer to the ModSecurity documentation for more information about what can be done. This blog post shows how to use ModSecurity with realtime blackhole lists to block offenders of various natures:

http://www.inliniac.net/blog/2007/02/23/blocking-comment-spam-using-modsecurity-and-realtime-blacklists.html

Apache Security – Necessary Settings

PHP is powerful, and lets static HTML pages become dynamic. It also allows user-supplied information to be turned into commands and function calls, which is why you should implement a variety of security measures. The single biggest one for the security of the host machine is setting the open_basedir parameter. This locks PHP's file functions to a particular directory tree, not allowing scripts to run processes or affect files outside that tree. Use nano's Ctrl-W search to find “open_basedir” in /etc/php5/apache/php.ini. It will most likely be commented out with a # sign. Remove the # sign and add the document root of your website. If you use virtual hosts, add the roots of all the documents served.

Also turn off several other parameters:

allow_url_fopen
allow_url_include
display_errors
register_globals
safe_mode

Also turn off the Magic Quotes options in php.ini. In /etc/apache2/apache2.conf turn off the server signature: search for “ServerSignature” and set it to Off. There is also an Apache module that should be implemented, mod security; I’ll save it for the next post.
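A quick way to check that the php.ini and apache2.conf changes above actually took is to grep the files for each directive. The script below is an added example, not from the original post: it reports every listed directive that is not explicitly disabled, a missing or empty open_basedir, and a ServerSignature that is not Off. The file paths are whatever you pass in (for example /etc/php5/apache/php.ini); the sample files that demo() writes are constructed for this example so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini and an apache2.conf
# for the settings the post says to change. File paths are the caller's;
# demo() builds constructed sample files so the script runs offline.

# Value of the last uncommented "name = value" line for directive $2 in file $1.
# Lines commented out with ";" or "#" never match because the name must start
# the line. Prints nothing if the directive is absent.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# One finding per line for each directive the post lists that is not explicitly
# disabled, plus a finding if open_basedir is missing or empty. Silent when clean.
audit_php_ini() {
    ini="$1"
    for d in allow_url_fopen allow_url_include display_errors register_globals \
             safe_mode magic_quotes_gpc magic_quotes_runtime; do
        v=$(ini_value "$ini" "$d")
        case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
            off|0|false|no|none) ;;                        # explicitly disabled
            "") echo "$d: not set, PHP default applies" ;; # relies on the build default
            *)  echo "$d: $v" ;;                           # switched on
        esac
    done
    [ -n "$(ini_value "$ini" open_basedir)" ] || echo "open_basedir: not restricted"
}

# Report ServerSignature unless the last occurrence in the Apache config is Off.
audit_apache_signature() {
    v=$(sed -n 's/^[[:space:]]*ServerSignature[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        off) ;;
        "")  echo "ServerSignature: not set, default applies" ;;
        *)   echo "ServerSignature: $v" ;;
    esac
}

# Demo on constructed files: a php.ini before and after the post's changes.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/before.ini" <<'EOF'
; constructed sample, loosely modelled on a stock php.ini
;open_basedir =
allow_url_fopen = On
allow_url_include = Off
display_errors = On
register_globals = Off
safe_mode = Off
magic_quotes_gpc = On
EOF
    cat > "$tmp/after.ini" <<'EOF'
open_basedir = "/var/www/html"
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
register_globals = Off
safe_mode = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
EOF
    printf 'ServerSignature On\n' > "$tmp/apache2.conf"
    echo "--- before.ini";   audit_php_ini "$tmp/before.ini"
    echo "--- after.ini";    audit_php_ini "$tmp/after.ini"
    echo "--- apache2.conf"; audit_apache_signature "$tmp/apache2.conf"
    rm -rf "$tmp"
}

demo
```

Run it as `sh audit.sh`; on a real host call `audit_php_ini /etc/php5/apache/php.ini` and `audit_apache_signature /etc/apache2/apache2.conf` instead of demo. The check only reads the last assignment of each directive, so a value set twice is judged by the later line, which is also how PHP and Apache resolve duplicates.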

Lighttpd – A lighter Web Server

The first thing to do is get lighttpd installed with PHP and MySQL working smoothly. Rather than reiterating the same content, here is a convenient post:

http://www.howtoforge.com/lighttpd_mysql_php_debian_etch

Interesting options and various configuration settings for lighttpd can be found here:

http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions

One interesting built-in option is throttling: with connection.kbytes-per-second you can effectively limit users to particular data transmission rates. There is also a compression module and a caching module. Much like Apache's, these modules can be installed with apt-get. Issue:

sudo apt-cache search lighttpd

This will list various packages that can be installed. I know the apache modules are packaged as libapache2-mod-*.

With built in round robin and proxy modules this is an interesting package to investigate using.

DOS and Brute Force Prevention Using Fail2ban

Dealing with DoS and brute force attacks can be a daunting challenge. You can manually adjust your firewall to block particular IP addresses, but why not automate the process? What if a program could monitor your authentication and other log files for suspicious activity? These log files hold a tremendous amount of information about failed login attempts and how many times an IP address connects to your web server. Using this information, a program can automatically adjust your firewall to block the offending IP addresses. Fail2ban does just this: it monitors the log files of many programs, most importantly Apache and SSH.

http://www.fail2ban.org/wiki/index.php/Main_Page
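To make the "monitor the logs, count failures per address, then firewall the offender" idea concrete, here is an added example that is not part of the original post and not fail2ban's own code. It is a miniature of what a fail2ban jail does: it scans sshd "Failed password" lines in an auth.log and HTTP basic-auth failures in an Apache 2.2 error_log, counts failures per source address, lists every address that reached the maxretry threshold, and prints (without running) the firewall rule a ban action would add. The log lines in demo() are constructed for this example; the log formats assumed are Debian's syslog-style auth.log and the Apache 2.2 `[client a.b.c.d]` error_log format.

```shell
#!/bin/sh
# Added example, not part of the original post and not fail2ban's own code: a
# miniature of what a fail2ban jail does. The log lines in demo() are
# constructed for this example.

# Print "count ip" for each address with at least $2 failed sshd logins in $1.
ssh_offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print n[ip], ip }
    ' "$1" | sort -k2
}

# Same for Apache 2.2 basic-auth failures logged as "[client a.b.c.d] user ..." in $1.
apache_auth_offenders() {
    awk -v max="$2" '
        /\[error\] \[client [0-9.]+\] user .*(authentication failure|not found)/ {
            if (match($0, /\[client [0-9.]+\]/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= max) print n[ip], ip }
    ' "$1" | sort -k2
}

# Print (do not run) the firewall rule a ban action would insert for each
# "count ip" line read on stdin; fail2ban does this through its action.d scripts.
show_ban_rules() {
    while read -r count ip; do
        echo "# $count failures -> iptables -I INPUT -s $ip -j DROP"
    done
}

# Demo on constructed logs: one address hammers sshd and the protected
# directory, a legitimate user mistypes once and then logs in.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/auth.log" <<'EOF'
Jan 10 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jan 10 03:14:04 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jan 10 03:14:09 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51142 ssh2
Jan 10 03:15:00 web1 sshd[2210]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Jan 10 03:15:30 web1 sshd[2211]: Accepted password for alice from 198.51.100.2 port 40002 ssh2
EOF
    cat > "$tmp/error.log" <<'EOF'
[Sat Jan 10 03:20:01 2009] [error] [client 203.0.113.7] user bob not found: /private/
[Sat Jan 10 03:20:05 2009] [error] [client 203.0.113.7] user bob: authentication failure for "/private/": Password Mismatch
[Sat Jan 10 03:20:09 2009] [error] [client 192.0.2.9] user carol: authentication failure for "/private/": Password Mismatch
[Sat Jan 10 03:21:00 2009] [notice] caught SIGTERM, shutting down
EOF
    echo "--- sshd, maxretry 3";   ssh_offenders "$tmp/auth.log" 3 | show_ban_rules
    echo "--- apache, maxretry 2"; apache_auth_offenders "$tmp/error.log" 2 | show_ban_rules
    rm -rf "$tmp"
}

demo
```

The real fail2ban adds what this script lacks: a time window (findtime) so old failures age out, a bantime after which the rule is removed, and filters for many more log formats. The point of the miniature is the shape of the logic, which is what you tune when you write a jail: the regex that identifies a failure, the field that identifies the source, and the threshold.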

Debian Mod Cband for Apache

To install, type:

sudo apt-get install libapache2-mod-cband

Then add the following to your apache2.conf file:

LoadModule cband_module /usr/lib/apache2/modules/mod_cband.so

On Fedora there is a modules folder link in the /etc/httpd configuration folder. This blog post details configuring a virtualhost with cband throttling:

http://www.bgevolution.com/blog/index.php/apache-mod-cband/