Category Archives: httpd

New in Apache HTTP Server 2.4 – Authorization, FCGI Proxy, and Mod_SSL

New Authorization Containers

The authorization container directives <RequireAll>, <RequireAny> and <RequireNone> may be combined with each other and with the Require directive to express complex authorization logic.

The example below expresses the following authorization logic. In order to access the resource, the user must either be the superadmin user, or belong to both the admins group and the Administrators LDAP group and either belong to the sales group or have the LDAP dept attribute sales. Furthermore, in order to access the resource, the user must not belong to either the temps group or the LDAP group Temporary Employees.

<Directory /www/mydocs>

<RequireAll>

<RequireAny>

Require user superadmin
<RequireAll>

Require group admins
Require ldap-group cn=Administrators,o=Airius
<RequireAny>


Require group sales
Require ldap-attribute dept="sales"

</RequireAny>

</RequireAll>

</RequireAny>
<RequireNone>

Require group temps
Require ldap-group cn=Temporary Employees,o=Airius

</RequireNone>


</RequireAll>

</Directory>

This is gonna be BIG! You can read the whole story at http://httpd.apache.org/docs/trunk/new_features_2_4.html

Core Enhancements

KeepAliveTimeout in milliseconds
It is now possible to specify KeepAliveTimeout in milliseconds.
Simple MPM
Cleanroom MPM implementation with advanced thread pool management
Loadable MPMs
Multiple MPMs can now be built as loadable modules at compile time. The MPM of choice can be configured at run time.

Module Enhancements

mod_ssl
mod_ssl can now be configured to use an OCSP server to check the validation status of a client certificate. The default responder is configurable, along with the decision on whether to prefer the responder designated in the client certificate itself.
mod_ssl now also supports OCSP stapling, where the server pro-actively obtains an OCSP verification of its certificate and transmits that to the client during the handshake.
mod_ssl can now be configured to share SSL Session data between servers through memcached
mod_lua
Embeds the Lua language into httpd, for configuration and small business logic functions.
mod_proxy_fcgi
FastCGI Protocol backend for mod_proxy

Program Enhancements

fcgistarter – FastCGI deamon starter utility

Module Developer Changes

Check Configuration Hook Added
A new hook, check_config, has been added which runs between the pre_config and open_logs hooks. It also runs before the test_config hook when the -t option is passed to httpd. The check_config hook allows modules to review interdependent configuration directive values and adjust them while messages can still be logged to the console. The user can thus be alerted to misconfiguration problems before the core open_logs hook function redirects console output to the error log.
Expression Parser Added
We now have a general-purpose expression parser, whose API is exposed in ap_expr.h. This is adapted from the expression parser previously implemented in mod_include.
Authorization Logic Containers
Advanced authorization logic may now be specified using the Require directive and the related container directives, such as <RequireAll>, all provided by the mod_authz_core module.
Small-Object Caching Interface
The ap_socache.h header exposes a provider-based interface for caching small data objects, based on the previous implementation of the mod_ssl session cache. Providers using a shared-memory cyclic buffer, disk-based dbm files, and a memcache distributed cache are currently supported.

Full List of Security / Code Changes

                                                         -*- coding: utf-8 -*-
Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil ]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola ]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni , Jeff Trawick]

  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
     Ensure each subrequest has a shallow copy of headers_in so that the
     parent request headers are not corrupted.  Elimiates a problematic
     optimization in the case of no request body.  PR 48359
     [Jake Scott, William Rowe, Ruediger Pluem]

  *) mod_reqtimeout: New module to set timeouts and minimum data rates for
     receiving requests from the client. [Stefan Fritsch]

  *) mod_proxy_ajp: Really regard the operation a success, when the client
     aborted the connection. In addition adjust the log message if the client
     aborted the connection. [Ruediger Pluem]

  *) mod_negotiation: Preserve query string over multiviews negotiation.
     This buglet was fixed for type maps in 2.2.6, but the same issue
     affected multiviews and was overlooked.
     PR 33112 [Joergen Thomsen ]

  *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
     the flood of requests at bay that strike a backend webserver as
     a cached entity goes stale. [Graham Leggett]

  *) mod_proxy_http: Make sure that when an ErrorDocument is served
     from a reverse proxied URL, that the subrequest respects the status
     of the original request. This brings the behaviour of proxy_handler
     in line with default_handler. PR 47106. [Graham Leggett]

  *) mod_log_config: Add the R option to log the handler used within the
     request. [Christian Folini ]

  *) mod_include: Allow fine control over the removal of Last-Modified and
     ETag headers within the INCLUDES filter, making it possible to cache
     responses if desired. Fix the default value of the SSIAccessEnable
     directive. [Graham Leggett]

  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
     is configured for client cert auth. PR 46952.  [Joe Orton]

  *) core: Fix potential memory leaks by making sure to not destroy
     bucket brigades that have been created by earlier filters.
     [Stefan Fritsch]

  *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
     try other providers in the case of an LDAP bind failure.
     PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]

  *) mod_proxy, mod_proxy_http: Support remote https proxies
     by using HTTP CONNECT.
     PR 19188.  [Philippe Dutrueux , Rainer Jung]

  *) worker: Don't report server has reached MaxClients until it has.
     Add message when server gets within MinSpareThreads of MaxClients.
     PR 46996.  [Dan Poirier]

  *) mod_ssl: When extracting certificate subject/issuer names to the
     SSL_*_DN_* variables, handle RDNs with duplicate tags by
     exporting multiple varialables with an "_n" integer suffix.
     PR 45875.  [Joe Orton, Peter Sylvester ]

  *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
     password now result in an informational level log entry instead of
     warning level.  [Eric Covener]

  *) core: Preserve Port information over internal redirects
     PR 35999 [Jonas Ringh ]

  *) mod_filter: fix FilterProvider matching where "dispatch" string
     doesn't exist.
     PR 48054 []

  *) Build: fix --with-module to work as documented
     PR 43881 [Gez Saunders ]

  *) mod_mime: Make RemoveType override the info from TypesConfig.
     PR 38330. [Stefan Fritsch]

  *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
     rather than BAD_GATEWAY or (especially) NOT_FOUND.
     PR 46971 [evanc nortel.com]

  *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
     [Eric Covener]

  *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
     some cache entries and log a warning. Also increase the default
     LDAPSharedCacheSize to 500000. This is a more realistic size suitable
     for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
     PR 46749. [Stefan Fritsch]

  *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses,
     per RFC 2616, 13.8.  PR15866.  [Dan Poirier]

  *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
     the request is a CONNECT request. PR 47928
     [Bill Zajac ]

  *) mod_cache: correctly consider s-maxage in cacheability
     decisions.  [Dan Poirier]

  *) core: Return APR_EOF if request body is shorter than the length announced
     by the client. PR 33098 [ Stefan Fritsch ]

  *) mod_rewrite: Add scgi scheme detection.  [André Malo]

  *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
     LocationMatch sections.  PR 47754.  [Dan Poirier]

  *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g.
     [Guenter Knauf]

SUEXEC Troubleshooting for WordPress

Suexec shouldn’t be causing these problems if i5s setup right.. I use suexec on all of my servers. Member servers. servers. Posted 6 days ago servers.

Sounds to me like a permissions issue… make sure that the owner and group are correct on all the files/folders in your docroot. Also make sure the permissions of the files/folders are correct. Like the docroot folder is 751 or 755, the php files are 644, and check the php interpreter.

If you can, set up logging for Apache and that will tell u quickly what u need to do. Finally, it may just be a simple matter of modifying your httpd.conf file settings like max servers. Or it could be that the system is setup to allow the nobody user that runs Apache to have much larger limits like how many processes and files are allowed open at one time- when using suexec the server will run as the user who owns the docroot, and that user might have much more restrictive limits.

See limits.conf. There is a lot of info about this at http://httpd.Apache.org/

Control Apache CPU, Memory, and Processes with httpd.conf

The following Apache HTTPD directives are for controlling processes launched by Apache children. Raising the maximum resource limit requires that the server is running as root, or in the initial startup phase. They apply to processes forked off from Apache children servicing requests, not the Apache children themselves. This includes CGI scripts and SSI exec commands, but not any processes forked off from the Apache parent such as piped logs.

Please check out the following article if you aren’t familiar with what this stuff does: Optimizing Servers and Processes for Speed with ionice, nice, ulimit.

RLimitMEM

Limits the memory consumption.
Sets the soft resource limit for all processes and the second parameter sets the maximum resource limit.
View the RLimitMEM Documentation

RLimitCPU

Limits the CPU consumption.
View the RLimitCPU Documentation

RLimitNPROC

Limits the number of processes that can be launched by processes launched by Apache children.
View the RLimitNPROC Documentation

Sets the soft resource limit for all processes and the second parameter sets the maximum resource limit. Either parameter can be a number, or max to indicate to the server that the limit should be set to the maximum allowed by the operating system configuration. Process limits control the number of processes per user. If CGI processes are not running under user ids other than the web server user id, this directive will limit the number of processes that the server itself can create. Evidence of this situation will be indicated by cannot fork messages in the error_log.


PHP Caching and Acceleration with XCache

Anyone who runs a dedicated server for web hosting will tell you that a great way to decrease the load on your server and decrease the page load time is to use a PHP Cache such as APC or eAccelerator. While the largest noticeable improvements are for those site that receive a lot of traffic or are under heavy load, any site, large or small can see benefit from a PHP cache. That said, in addition to the two caches mentioned above, a new player has recently entered the market: XCache.

I first started using APC about 2 years ago when the load on one of my servers was high enough that it was affecting load times and was costing me user traffic. I chose APC over eAccelerator because it was a bit easier to install (at the time) and because APC had a reputation for being a bit faster than eAccelerator. Shortly there after I noticed my httpd processes segfaulting and a bit of research also showed that APC had a bit of a record for instability under heavy load. With that in mind, I took the slight performance hit and installed eAccelerator (which is still way faster than using nothing at all).

Up until today, I was still using eAccelerator on all of my servers. However, a post on the vBulletin.com forums prompted me to give XCache, the new PHP accelerator from the maker of lighttpd, a try. I’ve got to say, while I’ve only been using it for about 6 hours at this point, it blows eAccelerator out of the water, especially once you enable multiple caches (which benefits SMP systems).

 

If you’re interested in some benchmarks of XCache, eAccelerator, APC, etc. then checkout the Five Opcode Cache Comparison on PHP on Fire.

 

Read more

Allowing or Blocking based on Country with .htaccess

GeoIP Apache API

Requirements
In order to run this API, you need the following installed:

Download
Downloads are available for Apache 1.3.x and Apache 2.x.

Install
See the INSTALL file included with the mod_geoip API download for detailed instructions.

Usage
mod_geoip looks up the IP address of the client end user. If you need to input the IP address instead of simply using the client IP address, you will need to use another one of our APIs.

For the country database, mod_geoip sets two environment variables, GEOIP_COUNTRY_CODE and GEOIP_COUNTRY_NAME. For other databases, see the README file included with the mod_geoip API.

It also sets two entries in Apache’s notes table with the same names as above.

For more documentation, see the README file included with the mod_geoip API download.

Examples
Redirection with mod_geoip and mod_rewrite
Below are examples of how to perform redirection based on country with mod_geoip and mod_rewrite. This configuration should be added to your Apache httpd.conf or .htaccess file.

GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat

# Redirect one country
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^CA$
RewriteRule ^(.*)$ http://www.canada.com$1 [L]

# Redirect multiple countries to a single page
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CA|US|MX)$
RewriteRule ^(.*)$ http://www.northamerica.com$1 [L]

This example redirects all pages on your site to a corresponding page on http://www.canada.com. For more details on how to use Apache’s redirection features, see the Apache 1.3 URL Rewriting Guide.

Blocking unwanted countries
The following Apache configuration directives uses GeoIP Country to block traffic from China and Russia:

GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat

SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
# ... place more countries here

Deny from env=BlockCountry

# Optional - use if you want to allow a specific IP address from the country you denied
# (See http://httpd.apache.org/docs/1.3/mod/mod_access.html for more details)
Allow from 10.1.2.3

Allowing only specified countries
The following Apache configuration directives uses GeoIP Country to only allow traffic from US, Canada, and Mexico.

GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat

SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE CA AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE MX AllowCountry
# ... place more countries here

Deny from all
Allow from env=AllowCountry

# Optional - use if you want to allow a specific IP address from the country you denied
# (See http://httpd.apache.org/docs/1.3/mod/mod_access.html for more details)
Allow from 10.1.2.3