Category Archives: WebHosting

New in Apache HTTP Server 2.4 – Authorization, FCGI Proxy, and Mod_SSL

New Authorization Containers

The authorization container directives <RequireAll>, <RequireAny> and <RequireNone> may be combined with each other and with the Require directive to express complex authorization logic.

The example below expresses the following authorization logic. In order to access the resource, the user must either be the superadmin user, or belong to both the admins group and the Administrators LDAP group and either belong to the sales group or have the LDAP dept attribute sales. Furthermore, in order to access the resource, the user must not belong to either the temps group or the LDAP group Temporary Employees.

<Directory /www/mydocs>

<RequireAll>

<RequireAny>

Require user superadmin
<RequireAll>

Require group admins
Require ldap-group cn=Administrators,o=Airius
<RequireAny>


Require group sales
Require ldap-attribute dept="sales"

</RequireAny>

</RequireAll>

</RequireAny>
<RequireNone>

Require group temps
Require ldap-group cn=Temporary Employees,o=Airius

</RequireNone>


</RequireAll>

</Directory>

This is gonna be BIG! You can read the whole story at http://httpd.apache.org/docs/trunk/new_features_2_4.html

Core Enhancements

KeepAliveTimeout in milliseconds
It is now possible to specify KeepAliveTimeout in milliseconds.
Simple MPM
Cleanroom MPM implementation with advanced thread pool management
Loadable MPMs
Multiple MPMs can now be built as loadable modules at compile time. The MPM of choice can be configured at run time.

Module Enhancements

mod_ssl
mod_ssl can now be configured to use an OCSP server to check the validation status of a client certificate. The default responder is configurable, along with the decision on whether to prefer the responder designated in the client certificate itself.
mod_ssl now also supports OCSP stapling, where the server pro-actively obtains an OCSP verification of its certificate and transmits that to the client during the handshake.
mod_ssl can now be configured to share SSL Session data between servers through memcached
mod_lua
Embeds the Lua language into httpd, for configuration and small business logic functions.
mod_proxy_fcgi
FastCGI Protocol backend for mod_proxy

Program Enhancements

fcgistarter – FastCGI deamon starter utility

Module Developer Changes

Check Configuration Hook Added
A new hook, check_config, has been added which runs between the pre_config and open_logs hooks. It also runs before the test_config hook when the -t option is passed to httpd. The check_config hook allows modules to review interdependent configuration directive values and adjust them while messages can still be logged to the console. The user can thus be alerted to misconfiguration problems before the core open_logs hook function redirects console output to the error log.
Expression Parser Added
We now have a general-purpose expression parser, whose API is exposed in ap_expr.h. This is adapted from the expression parser previously implemented in mod_include.
Authorization Logic Containers
Advanced authorization logic may now be specified using the Require directive and the related container directives, such as <RequireAll>, all provided by the mod_authz_core module.
Small-Object Caching Interface
The ap_socache.h header exposes a provider-based interface for caching small data objects, based on the previous implementation of the mod_ssl session cache. Providers using a shared-memory cyclic buffer, disk-based dbm files, and a memcache distributed cache are currently supported.

Full List of Security / Code Changes

                                                         -*- coding: utf-8 -*-
Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil ]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola ]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni , Jeff Trawick]

  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
     Ensure each subrequest has a shallow copy of headers_in so that the
     parent request headers are not corrupted.  Elimiates a problematic
     optimization in the case of no request body.  PR 48359
     [Jake Scott, William Rowe, Ruediger Pluem]

  *) mod_reqtimeout: New module to set timeouts and minimum data rates for
     receiving requests from the client. [Stefan Fritsch]

  *) mod_proxy_ajp: Really regard the operation a success, when the client
     aborted the connection. In addition adjust the log message if the client
     aborted the connection. [Ruediger Pluem]

  *) mod_negotiation: Preserve query string over multiviews negotiation.
     This buglet was fixed for type maps in 2.2.6, but the same issue
     affected multiviews and was overlooked.
     PR 33112 [Joergen Thomsen ]

  *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
     the flood of requests at bay that strike a backend webserver as
     a cached entity goes stale. [Graham Leggett]

  *) mod_proxy_http: Make sure that when an ErrorDocument is served
     from a reverse proxied URL, that the subrequest respects the status
     of the original request. This brings the behaviour of proxy_handler
     in line with default_handler. PR 47106. [Graham Leggett]

  *) mod_log_config: Add the R option to log the handler used within the
     request. [Christian Folini ]

  *) mod_include: Allow fine control over the removal of Last-Modified and
     ETag headers within the INCLUDES filter, making it possible to cache
     responses if desired. Fix the default value of the SSIAccessEnable
     directive. [Graham Leggett]

  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
     is configured for client cert auth. PR 46952.  [Joe Orton]

  *) core: Fix potential memory leaks by making sure to not destroy
     bucket brigades that have been created by earlier filters.
     [Stefan Fritsch]

  *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
     try other providers in the case of an LDAP bind failure.
     PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]

  *) mod_proxy, mod_proxy_http: Support remote https proxies
     by using HTTP CONNECT.
     PR 19188.  [Philippe Dutrueux , Rainer Jung]

  *) worker: Don't report server has reached MaxClients until it has.
     Add message when server gets within MinSpareThreads of MaxClients.
     PR 46996.  [Dan Poirier]

  *) mod_ssl: When extracting certificate subject/issuer names to the
     SSL_*_DN_* variables, handle RDNs with duplicate tags by
     exporting multiple varialables with an "_n" integer suffix.
     PR 45875.  [Joe Orton, Peter Sylvester ]

  *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
     password now result in an informational level log entry instead of
     warning level.  [Eric Covener]

  *) core: Preserve Port information over internal redirects
     PR 35999 [Jonas Ringh ]

  *) mod_filter: fix FilterProvider matching where "dispatch" string
     doesn't exist.
     PR 48054 []

  *) Build: fix --with-module to work as documented
     PR 43881 [Gez Saunders ]

  *) mod_mime: Make RemoveType override the info from TypesConfig.
     PR 38330. [Stefan Fritsch]

  *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
     rather than BAD_GATEWAY or (especially) NOT_FOUND.
     PR 46971 [evanc nortel.com]

  *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
     [Eric Covener]

  *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
     some cache entries and log a warning. Also increase the default
     LDAPSharedCacheSize to 500000. This is a more realistic size suitable
     for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
     PR 46749. [Stefan Fritsch]

  *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses,
     per RFC 2616, 13.8.  PR15866.  [Dan Poirier]

  *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
     the request is a CONNECT request. PR 47928
     [Bill Zajac ]

  *) mod_cache: correctly consider s-maxage in cacheability
     decisions.  [Dan Poirier]

  *) core: Return APR_EOF if request body is shorter than the length announced
     by the client. PR 33098 [ Stefan Fritsch ]

  *) mod_rewrite: Add scgi scheme detection.  [André Malo]

  *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
     LocationMatch sections.  PR 47754.  [Dan Poirier]

  *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g.
     [Guenter Knauf]

PHP Caching and Acceleration with XCache

Anyone who runs a dedicated server for web hosting will tell you that a great way to decrease the load on your server and decrease the page load time is to use a PHP Cache such as APC or eAccelerator. While the largest noticeable improvements are for those site that receive a lot of traffic or are under heavy load, any site, large or small can see benefit from a PHP cache. That said, in addition to the two caches mentioned above, a new player has recently entered the market: XCache.

I first started using APC about 2 years ago when the load on one of my servers was high enough that it was affecting load times and was costing me user traffic. I chose APC over eAccelerator because it was a bit easier to install (at the time) and because APC had a reputation for being a bit faster than eAccelerator. Shortly there after I noticed my httpd processes segfaulting and a bit of research also showed that APC had a bit of a record for instability under heavy load. With that in mind, I took the slight performance hit and installed eAccelerator (which is still way faster than using nothing at all).

Up until today, I was still using eAccelerator on all of my servers. However, a post on the vBulletin.com forums prompted me to give XCache, the new PHP accelerator from the maker of lighttpd, a try. I’ve got to say, while I’ve only been using it for about 6 hours at this point, it blows eAccelerator out of the water, especially once you enable multiple caches (which benefits SMP systems).

 

If you’re interested in some benchmarks of XCache, eAccelerator, APC, etc. then checkout the Five Opcode Cache Comparison on PHP on Fire.

 

Read more

Accessing a HostGator SVN repository via SVN+SSH on Windows

Accessing a HostGator SVN repository via SVN+SSH on Windows

This information should be helpful to anyone trying to access an svn repository stored on a remote (shared) server which does not expose an svn server.

My host is HostGator (good speeds, reliable ssh, cgi-only, MyISAM-only, decent support, non-existent knowledgebase). HostGator runs SSH over port 2222 which presents a few problems when trying to use traditional methods to connect to an SVN repository via SSH.

For these steps you will need Putty. Just get the whole suite.

http://kjvarga.blogspot.com/2008/04/accessing-hostgator-svn-repository-via.html

X-Content-Type-Options: nosniff header

Over the past two months, we’ve received significant community feedback that using a new attribute on the Content-Type header would create a deployment headache for server operators. To that end, we have converted this option into a full-fledged HTTP response header.  Sending the new X-Content-Type-Options response header with the value nosniff will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type.

For example, given the following HTTP-response:

HTTP/1.1 200 OK
Content-Length: 108
Date: Thu, 26 Jun 2008 22:06:28 GMT
Content-Type: text/plain;
X-Content-Type-Options: nosniff

<html>
<body bgcolor=”#AA0000″>
This page renders as HTML source code (text) in IE8.
</body>
</html>

Browsers sniff mime types of HTTP responses, initially because page authors frequently don’t get them right* and now because browsers have done it historically.

The worst instance related to mime sniffing is an old IE bug. As I understand it their sniffer tried some image formats and then HTML; then when they added PNG sniffing it was added to the sniff list after HTML, either by mistake or to maintain compatibility with pages that were currently being sniffed as HTML. The result of this is that even valid PNG images can be sniffed as HTML, converting a user-uploadable image into a Javascript (XSS) vector. The Chromium mime sniffer‘s comments (which are quite readable, and tabulate various browsers’ behaviors) describe this as a “dangerous mime type”.

But there are plenty of other ways that sniffing can screw you as a site author. Your only defenses if you’re building a site are:

  • either make sure user-uploaded images are on a different origin than your site’s cookies;
  • or set the Content-disposition: attachment header, preventing people from displaying the image in their browser.

I believe this bug is why you cannot view images attached to gmail messages — if you click “view image” in gmail you instead get an HTML page with an <img> tag, and if you right-click on that image and pick “view image” you’ll get it served with the attachment header.

To solve this mess, IE introduced the X-Content-Type-Options: nosniff header, which means “don’t sniff the mime type”. It looks like a reasonable workaround to me: it lets new pages opt into sane behavior without breaking old ones. Chromium added support for it.

It sounded good to developers of a Google-internal HTTP server as well; they added it by default to all responses. And then the bug reports started coming in: “Why does my page render in all browsers but Chromium?” It turned out many of these sites were sending no Content-type header, which, when coupled with the nosniff header, meant Chromium would pick the default of application/octet-stream, triggering a download box.

The fix is to match IE (r8559) for this corner case, which is to instead default to text/plain; I made wisecracks about adding an X-Content-Type-Options-Options: no-really-none-of-these-mime-shenanigans header. Adam (master of content-type sniffing, and I believe editor of the HTML5 sniffing spec) also wrote r8257. This collects stats (aggregated anonymized and only from users who have opted in) on what fraction of pages that we normally would’ve sniffed but were instead blocked by the header.

* In fairness, the greater problem is that page authors sometimes don’t control HTTP headers. They’re frequently defined by server configuration, which often requires root on the server or at least a lot more technical know-how than “click on the upload button in your website creator program”

Proxy Authentication with Squid

How does Proxy Authentication work in Squid?

Users will be authenticated if squid is configured to use proxy_auth ACLs.

Browsers send the user’s authentication credentials in the Authorization request header.

If Squid gets a request and the http_access rule list gets to a proxy_auth ACL, Squid looks for the Authorization header. If the header is present, Squid decodes it and extracts a username and password.

If the header is missing, Squid returns an HTTP reply with status 407 (Proxy Authentication Required). The user agent (browser) receives the 407 reply and then prompts the user to enter a name and password. The name and password are encoded, and sent in the Authorization header for subsequent requests to the proxy. Also see this example Authorization Header from .htaccess files.

NOTE: The name and password are encoded using “base64″ (See section 11.1 of RFC 2616). However, base64 is a binary-to-text encoding only, it does NOT encrypt the information it encodes. This means that the username and password are essentially “cleartext” between the browser and the proxy. Therefore, you probably should not use the same username and password that you would use for your account login.

Authentication is actually performed outside of main Squid process. When Squid starts, it spawns a number of authentication subprocesses. These processes read usernames and passwords on stdin, and reply with “OK” or “ERR” on stdout. This technique allows you to use a number of different authentication protocols (named “schemes” in this context). When multiple authentication schemes are offered by the server (Squid in this case), it is up to the User-Agent to choose one and authenticate using it. By RFC it should choose the safest one it can handle; in practice usually Microsoft Internet Explorer chooses the first one it’s been offered that it can handle, and Mozilla browsers are bug-compatible with the Microsoft system in this field.

The Squid source code comes with a few authentication backends (“helpers“) for Basic authentication. These include:

  • LDAP: Uses the Lightweight Directory Access Protocol
  • NCSA: Uses an NCSA-style username and password file.
  • MSNT: Uses a Windows NT authentication domain.
  • PAM: Uses the Unix Pluggable Authentication Modules scheme.
  • SMB: Uses a SMB server like Windows NT or Samba.
  • getpwam: Uses the old-fashioned Unix password file.
  • SASL: Uses SALS libraries.
  • mswin_sspi: Windows native authenticator
  • YP: Uses the NIS database

In addition Squid also supports the NTLM, Negotiate and Digest authentication schemes which provide more secure authentication methods, in that where the password is not exchanged in plain text over the wire. Each scheme have their own set of helpers and auth_param settings. Notice that helpers for different authentication schemes use different protocols to talk with squid, so they can’t be mixed.

For information on how to set up NTLM authentication see NTLM config examples.

In order to authenticate users, you need to compile and install one of the supplied authentication modules found in the helpers/basic_auth/ directory, one of the others, or supply your own.

You tell Squid which authentication program to use with the auth_param option in squid.conf. You specify the name of the program, plus any command line options if necessary. For example:

auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd

How do I use authentication in access controls?

Make sure that your authentication program is installed and working correctly. You can test it by hand.

Add some proxy_auth ACL entries to your squid configuration. For example:

acl foo proxy_auth REQUIRED
http_access allow foo
http_access deny all

The REQUIRED term means that any authenticated user will match the ACL named foo.

Squid allows you to provide fine-grained controls by specifying individual user names. For example:

acl foo proxy_auth REQUIRED
acl bar proxy_auth lisa sarah frank joe
acl daytime time 08:00-17:00
http_access allow bar
http_access allow foo daytime
http_access deny all

In this example, users named lisa, sarah, joe, and frank are allowed to use the proxy at all times. Other users are allowed only during daytime hours.

How do I ask for authentication of an already authenticated user?

If a user is authenticated at the proxy you cannot “log out” and re-authenticate. The user usually has to close and re-open the browser windows to be able to re-login at the proxy. A simple configuration will probably look like this:

acl my_auth proxy_auth REQUIRED
http_access allow my_auth
http_access deny all

But there is a trick which can force the user to authenticate with a different account in certain situations. This happens if you deny access with an authentication related ACL last in the http_access deny statement. Example configuration:

acl my_auth proxy_auth REQUIRED
acl google_users proxyauth user1 user2 user3
acl google dstdomain .google.com
http_access deny google !google_users
http_access allow my_auth
http_access deny all

In this case if the user requests http://www.google.com then first second http_access line matches and triggers re-authentication unless the user is one of the listed users. Remember: it’s always the last ACL on a http_access line that “matches”. If the matching ACL deals with authentication a re-authentication is triggered. If you didn’t want that you would need to switch the order of ACLs so that you get http_access deny !google_users google.

You might also run into an authentication loop if you are not careful. Assume that you use LDAP group lookups and want to deny access based on an LDAP group (e.g. only members of a certain LDAP group are allowed to reach certain web sites). In this case you may trigger re-authentication although you don’t intend to. This config is likely wrong for you:

acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED

http_access deny !ldapgroup-allowed
http_access allow all

The second http_access line would force the user to re-authenticate time and again if he/she is not member of the PROXY_ALLOWED group. This is perhaps not what you want. You rather wanted to deny access to non-members. So you need to rewrite this http_access line so that an ACL matches that has nothing to do with authentication. This is the correct example:

acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED

http_access deny !ldapgroup-allowed all
http_access allow all

This way the http_access line still matches. But it’s the all ACL which is now last in the line. Since all is a static ACL (that always matches) and has nothing to do with authentication you will find that the access is just denied.

More Info

Example .htaccess

Send Custom Headers

Header set P3P "policyref=\"http://www.askapache.com/w3c/p3p.xml\""
Header set X-Pingback "http://www.askapache.com/xmlrpc.php"
Header set Content-Language "en-US"
Header set Vary "Accept-Encoding"

Blocking based on User-Agent Header

SetEnvIfNoCase ^User-Agent$ .*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures) HTTP_SAFE_BADBOT
SetEnvIfNoCase ^User-Agent$ .*(libwww-perl|aesop_com_spiderman) HTTP_SAFE_BADBOT
Deny from env=HTTP_SAFE_BADBOT

proxy_auth acl causing challenge loop
> Well, I really prefer the old behaviour, so I hope the behaviour is not
> hardcoded, but configurable.

It’s not hardcoded, instead it is dependent on how your http_access rules
are constructed.

Squid prompts for login credentials if the user is denied access by an
authentication related acl (proxy_auth, proxyauth_regex, external using
%LOGIN).

http_access deny someacl authacl
prompts for new credentials if matched (denied by authacl)
http_access deny authacl someacl
does nor prompt for new credentials (denied by someacl)

Further Resources

  1. smb.conf man page
  2. smbclient man page
  3. ntlm_auth man page
  4. Configuring Squid Proxy To Authenticate With Active Directory
  5. Samba & Active Directory
  6. The Linux-PAM System Administrators’ Guide

Original Source: ProxyAuthentication © Creative Commons Attribution Sharealike 2.5 License