New in Apache HTTP Server 2.4 – Authorization, FCGI Proxy, and Mod_SSL

New Authorization Containers

The authorization container directives <RequireAll>, <RequireAny> and <RequireNone> may be combined with each other and with the Require directive to express complex authorization logic.

The example below expresses the following authorization logic. In order to access the resource, the user must either be the superadmin user, or belong to both the admins group and the Administrators LDAP group and either belong to the sales group or have the LDAP dept attribute sales. Furthermore, in order to access the resource, the user must not belong to either the temps group or the LDAP group Temporary Employees.

<Directory /www/mydocs>

<RequireAll>

<RequireAny>

Require user superadmin
<RequireAll>

Require group admins
Require ldap-group cn=Administrators,o=Airius
<RequireAny>


Require group sales
Require ldap-attribute dept="sales"

</RequireAny>

</RequireAll>

</RequireAny>
<RequireNone>

Require group temps
Require ldap-group cn=Temporary Employees,o=Airius

</RequireNone>


</RequireAll>

</Directory>

This is gonna be BIG! You can read the whole story at http://httpd.apache.org/docs/trunk/new_features_2_4.html

Core Enhancements

KeepAliveTimeout in milliseconds
It is now possible to specify KeepAliveTimeout in milliseconds.
Simple MPM
Cleanroom MPM implementation with advanced thread pool management
Loadable MPMs
Multiple MPMs can now be built as loadable modules at compile time. The MPM of choice can be configured at run time.

Module Enhancements

mod_ssl
mod_ssl can now be configured to use an OCSP server to check the validation status of a client certificate. The default responder is configurable, along with the decision on whether to prefer the responder designated in the client certificate itself.
mod_ssl now also supports OCSP stapling, where the server pro-actively obtains an OCSP verification of its certificate and transmits that to the client during the handshake.
mod_ssl can now be configured to share SSL Session data between servers through memcached
mod_lua
Embeds the Lua language into httpd, for configuration and small business logic functions.
mod_proxy_fcgi
FastCGI Protocol backend for mod_proxy

Program Enhancements

fcgistarter – FastCGI deamon starter utility

Module Developer Changes

Check Configuration Hook Added
A new hook, check_config, has been added which runs between the pre_config and open_logs hooks. It also runs before the test_config hook when the -t option is passed to httpd. The check_config hook allows modules to review interdependent configuration directive values and adjust them while messages can still be logged to the console. The user can thus be alerted to misconfiguration problems before the core open_logs hook function redirects console output to the error log.
Expression Parser Added
We now have a general-purpose expression parser, whose API is exposed in ap_expr.h. This is adapted from the expression parser previously implemented in mod_include.
Authorization Logic Containers
Advanced authorization logic may now be specified using the Require directive and the related container directives, such as <RequireAll>, all provided by the mod_authz_core module.
Small-Object Caching Interface
The ap_socache.h header exposes a provider-based interface for caching small data objects, based on the previous implementation of the mod_ssl session cache. Providers using a shared-memory cyclic buffer, disk-based dbm files, and a memcache distributed cache are currently supported.

Full List of Security / Code Changes

                                                         -*- coding: utf-8 -*-
Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil ]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola ]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni , Jeff Trawick]

  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
     Ensure each subrequest has a shallow copy of headers_in so that the
     parent request headers are not corrupted.  Elimiates a problematic
     optimization in the case of no request body.  PR 48359
     [Jake Scott, William Rowe, Ruediger Pluem]

  *) mod_reqtimeout: New module to set timeouts and minimum data rates for
     receiving requests from the client. [Stefan Fritsch]

  *) mod_proxy_ajp: Really regard the operation a success, when the client
     aborted the connection. In addition adjust the log message if the client
     aborted the connection. [Ruediger Pluem]

  *) mod_negotiation: Preserve query string over multiviews negotiation.
     This buglet was fixed for type maps in 2.2.6, but the same issue
     affected multiviews and was overlooked.
     PR 33112 [Joergen Thomsen ]

  *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
     the flood of requests at bay that strike a backend webserver as
     a cached entity goes stale. [Graham Leggett]

  *) mod_proxy_http: Make sure that when an ErrorDocument is served
     from a reverse proxied URL, that the subrequest respects the status
     of the original request. This brings the behaviour of proxy_handler
     in line with default_handler. PR 47106. [Graham Leggett]

  *) mod_log_config: Add the R option to log the handler used within the
     request. [Christian Folini ]

  *) mod_include: Allow fine control over the removal of Last-Modified and
     ETag headers within the INCLUDES filter, making it possible to cache
     responses if desired. Fix the default value of the SSIAccessEnable
     directive. [Graham Leggett]

  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
     is configured for client cert auth. PR 46952.  [Joe Orton]

  *) core: Fix potential memory leaks by making sure to not destroy
     bucket brigades that have been created by earlier filters.
     [Stefan Fritsch]

  *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
     try other providers in the case of an LDAP bind failure.
     PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]

  *) mod_proxy, mod_proxy_http: Support remote https proxies
     by using HTTP CONNECT.
     PR 19188.  [Philippe Dutrueux , Rainer Jung]

  *) worker: Don't report server has reached MaxClients until it has.
     Add message when server gets within MinSpareThreads of MaxClients.
     PR 46996.  [Dan Poirier]

  *) mod_ssl: When extracting certificate subject/issuer names to the
     SSL_*_DN_* variables, handle RDNs with duplicate tags by
     exporting multiple varialables with an "_n" integer suffix.
     PR 45875.  [Joe Orton, Peter Sylvester ]

  *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
     password now result in an informational level log entry instead of
     warning level.  [Eric Covener]

  *) core: Preserve Port information over internal redirects
     PR 35999 [Jonas Ringh ]

  *) mod_filter: fix FilterProvider matching where "dispatch" string
     doesn't exist.
     PR 48054 []

  *) Build: fix --with-module to work as documented
     PR 43881 [Gez Saunders ]

  *) mod_mime: Make RemoveType override the info from TypesConfig.
     PR 38330. [Stefan Fritsch]

  *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
     rather than BAD_GATEWAY or (especially) NOT_FOUND.
     PR 46971 [evanc nortel.com]

  *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
     [Eric Covener]

  *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
     some cache entries and log a warning. Also increase the default
     LDAPSharedCacheSize to 500000. This is a more realistic size suitable
     for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
     PR 46749. [Stefan Fritsch]

  *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses,
     per RFC 2616, 13.8.  PR15866.  [Dan Poirier]

  *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
     the request is a CONNECT request. PR 47928
     [Bill Zajac ]

  *) mod_cache: correctly consider s-maxage in cacheability
     decisions.  [Dan Poirier]

  *) core: Return APR_EOF if request body is shorter than the length announced
     by the client. PR 33098 [ Stefan Fritsch ]

  *) mod_rewrite: Add scgi scheme detection.  [André Malo]

  *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
     LocationMatch sections.  PR 47754.  [Dan Poirier]

  *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g.
     [Guenter Knauf]

List of .htaccess Examples

Some Good Official Tutorials

Sample .htaccess file from htaccess Google Group

Read more of this post

htaccess tips

shark .htaccess

htaccess Guide Sections

htaccess from the Apache htaccess tutorial. Check out and use the 404 Error Page WordPress Plugin

MAIN HTACCESS SETTINGS AND OPTIONS

 Options: ALL,FollowSymLinks,Includes,IncludesNOEXEC,SymLinksIfOwnerMatch
##########

## MAIN DEFAULTS ###
Options +ExecCGI -Indexes
DirectoryIndex index.html index.htm index.php
DefaultLanguage en-US
AddDefaultCharset UTF-8
ServerSignature Off

## ENVIRONMENT VARIABLES ###
SetEnv PHPRC /webroot/includes
SetEnv TZ America/Indianapolis
SetEnv SERVER_ADMIN webmaster@domain.tld

## MIME TYPES ###
AddType video/x-flv .flv
AddType application/x-shockwave-flash .swf
AddType image/x-icon .ico

## FORCE FILE TO DOWNLOAD INSTEAD OF APPEAR IN BROWSER ###
-> http://www.htaccesselite.com/addtype-addhandler-action-vf6.html
AddType application/octet-stream .mov .mp3 .zip 

Htaccess ErrorDocuments

======== 1xx
ErrorDocument 100 /error-100/
ErrorDocument 101 /error-101/
ErrorDocument 102 /error-102/
======== 2xx
ErrorDocument 200 /error-200/
ErrorDocument 201 /error-201/
ErrorDocument 202 /error-202/
ErrorDocument 203 /error-203/
ErrorDocument 204 /error-204/
ErrorDocument 205 /error-205/
ErrorDocument 206 /error-206/
ErrorDocument 207 /error-207/
======== 4xx
ErrorDocument 400 /error-400/
ErrorDocument 401 /error-401/
ErrorDocument 402 /error-402/
ErrorDocument 403 /error-403/
ErrorDocument 404 /error-404/
ErrorDocument 405 /error-405/
ErrorDocument 406 /error-406/
ErrorDocument 407 /error-407/
ErrorDocument 408 /error-408/
ErrorDocument 409 /error-409/
ErrorDocument 410 /error-410/
ErrorDocument 411 /error-411/
ErrorDocument 412 /error-412/
ErrorDocument 413 /error-413/
ErrorDocument 414 /error-414/
ErrorDocument 415 /error-415/
ErrorDocument 416 /error-416/
ErrorDocument 417 /error-417/
ErrorDocument 418 /error-418/
ErrorDocument 419 /error-419/
ErrorDocument 420 /error-420/
ErrorDocument 421 /error-421/
ErrorDocument 422 /error-422/
ErrorDocument 423 /error-423/
ErrorDocument 424 /error-424/
ErrorDocument 425 /error-425/
ErrorDocument 426 /error-426/
======== 5xx
ErrorDocument 500 /error-500/
ErrorDocument 501 /error-501/
ErrorDocument 502 /error-502/
ErrorDocument 503 /error-503/
ErrorDocument 504 /error-504/
ErrorDocument 505 /error-505/
ErrorDocument 506 /error-506/
ErrorDocument 507 /error-507/
ErrorDocument 508 /error-508/
ErrorDocument 509 /error-509/
ErrorDocument 510 /error-510/

the most famous htaccess guide of them all

AddLanguage aa .aa # Afar
AddLanguage ab .ab # Abkhazian
AddLanguage af .af # Afrikaans
AddLanguage am .am # Amharic
AddLanguage gu .gu # Gujarati
AddLanguage ha .ha # Hausa
AddLanguage he .he # Hebrew
AddLanguage hi .hi # Hindi
AddLanguage hr .hr # Croatian
AddLanguage hu .hu # Hungarian
AddLanguage hy .hy # Armenian
AddLanguage ia .ia # Interlingua
AddLanguage id .id # Indonesian
AddLanguage ie .ie # lnteriingue
AddLanguage ik .ik # Knupiak
AddLanguage is .is # Icelandic
AddLanguage it .it # Italian
AddLanguage iu .iu # Inuktitut (Eskimo)
AddLanguage ja .ja # Japanese
AddLanguage jw .jw # Javanese
AddLanguage ka .ka # Georgian
AddLanguage kk .kk # Kazakh
AddLanguage kl .kl # Greaenlandic
AddLanguage km .km # Cambodian
AddLanguage kn .kn # Kannada
AddLanguage ko .ko # Korean
AddLanguage ks .ks # Kashmiri
AddLanguage ku .ku # Kurdish
AddLanguage ky .ky # Kirghiz
AddLanguage la .la # Latin
AddLanguage ln .ln # Lingala
AddLanguage lo .lo # Laothian
AddLanguage lt .lt # Lithuainnian
AddLanguage lv .lv # Latvian, Lettish
AddLanguage mg .mg # Malagasy
AddLanguage mi .mi # Maori
AddLanguage uk .uk # Ukrainian
AddLanguage ur .ur # Urdu
AddLanguage uz .uz # Uzbek
AddLanguage vi .vi # Vietnamese
AddLanguage vo .vo # Volapuek
AddLanguage wo .wo # Wolof
AddLanguage xh .xh # Xhosa
AddLanguage yi .yi # Yiddish
AddLanguage yo .yo # Yoruba
AddLanguage za .za # Zhuang
AddLanguage zh .zh # Chinese
AddLanguage zu .zu # Zulu

Authentication, Security, SSL in .htaccess

HTACCESS SCRIPTING, ACTION, ADDHANDLER

 Handlers be builtin, included in a module, or added with Action directive
 default-handler: default, handles static content (core)
      send-as-is: Send file with HTTP headers (mod_asis)
      cgi-script: treat file as CGI script (mod_cgi)
       imap-file: Parse as an imagemap rule file (mod_imap)
     server-info: Get server config info (mod_info)
   server-status: Get server status report (mod_status)
        type-map: type map file for content negotiation (mod_negotiation)
  fastcgi-script: treat file as fastcgi script (mod_fastcgi)
##########

-> http://www.askapache.com/php/

## PARSE AS CGI ###
AddHandler cgi-script .cgi .pl .spl

## RUN PHP AS APACHE MODULE ###
AddHandler application/x-httpd-php .php .htm

## RUN PHP AS CGI ###
AddHandler php-cgi .php .htm

## CGI PHP WRAPPER FOR CUSTOM PHP.INI ###
AddHandler phpini-cgi .php .htm
Action phpini-cgi /cgi-bin/php5-custom-ini.cgi

## FAST-CGI SETUP WITH PHP-CGI WRAPPER FOR CUSTOM PHP.INI ###
AddHandler fastcgi-script .fcgi
AddHandler php-cgi .php .htm
Action php-cgi /cgi-bin/php5-wrapper.fcgi

## CUSTOM PHP CGI BINARY SETUP ###
AddHandler php-cgi .php .htm
Action php-cgi /cgi-bin/php.cgi

## PROCESS SPECIFIC FILETYPES WITH CGI-SCRIPT ###
Action image/gif /cgi-bin/img-create.cgi

## CREATE CUSTOM HANDLER FOR SPECIFIC FILE EXTENSIONS ###
AddHandler custom-processor .ssp
Action custom-processor /cgi-bin/myprocessor.cgi

HTACCESS HEADERS, CACHING OPTIMIZATION

      300   5 M
     2700  45 M
     3600   1 H
    54000  15 H
    86400   1 D
   518400   6 D
   604800   1 W
  1814400   3 W
  2419200   1 M
 26611200  11 M
 29030400   1 Y (never expire)
-> http://www.askapache.com/htaccess/speed-up-sites-with-htaccess-caching.html

   Header set Cache-Control "max-age=2592000"

   Header set Cache-Control "max-age=604800"

   Header set Cache-Control "max-age=600"

   Header unset Cache-Control

## ALTERNATE EXPIRES CACHING ###
-> htaccesselite.com/d/use-htaccess-to-speed-up-your-site-discussion-vt67.html
ExpiresActive On
ExpiresDefault A604800
ExpiresByType image/x-icon A2592000
ExpiresByType application/x-javascript A2592000
ExpiresByType text/css A2592000
ExpiresByType text/html A300

   ExpiresActive Off

## META HTTP-EQUIV REPLACEMENTS ###

   Header set imagetoolbar "no"

HTACCESS REWRITES AND REDIRECTS

 REQUEST METHODS: GET,POST,PUT,DELETE,CONNECT,OPTIONS,PATCH,PROPFIND,
                  PROPPATCH,MKCOL,COPY,MOVE,LOCK,UNLOCK
##########

## REWRITE DEFAULTS ###
RewriteEngine On
RewriteBase /

## REQUIRE SUBDOMAIN ###
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^subdomain\.domain\.tld$ [NC]
RewriteRule ^/(.*)$ http://subdomain.domain.tld/$1 [L,R=301]

## SEO REWRITES ###
RewriteRule ^(.*)/ve/(.*)$    $1/voluntary-employee/$2 [L,R=301]
RewriteRule ^(.*)/hsa/(.*)$     $1/health-saving-account/$2 [L,R=301]

## WORDPRESS ###
RewriteCond %{REQUEST_FILENAME} !-f    # Existing File
RewriteCond %{REQUEST_FILENAME} !-d    # Existing Directory
RewriteRule . /index.php [L]

## ALTERNATIVE ANTI-HOTLINKING ###
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(subdomain\.)?domain.tld/.*$ [NC]
RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ - [F] 

## REDIRECT HOTLINKERS ###
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(subdomain\.)?domain.tld/.*$ [NC]
RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ http://google.com [R] 

## DENY REQUEST BASED ON REQUEST METHOD ###
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)$ [NC]
RewriteRule ^.*$ - [F] 

## REDIRECT UPLOADS ###
RewriteCond %{REQUEST_METHOD} ^(PUT|POST)$ [NC]
RewriteRule ^(.*)$ /cgi-bin/form-upload-processor.cgi?p=$1 [L,QSA] 

## REQUIRE SSL EVEN WHEN MOD_SSL IS NOT LOADED ###
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

### ALTERNATATIVE TO USING ERRORDOCUMENT ###
-> http://www.htaccesselite.com/d/htaccess-errordocument-examples-vt11.html
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /error.php [L]

## SEO REDIRECTS ###
Redirect 301 /2006/oldfile.html http://subdomain.domain.tld/newfile.html
RedirectMatch 301 /o/(.*)$ http://subdomain.domain.tld/s/dl/$1

HTACCESS AUTHENTICATION AND SECURITY

 Require (user|group|valid-user) (username|groupname)
##########

## BASIC PASSWORD PROTECTION ###
AuthType basic
AuthName "prompt"
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
Require valid-user

## ALLOW FROM IP OR VALID PASSWORD ###
Require valid-user
Allow from 192.168.1.23
Satisfy Any

## PROTECT FILES ###

  Order Allow,Deny
  Deny from all

## PREVENT HOTLINKING ###
SetEnvIfNoCase Referer "^http://subdomain.domain.tld/" good
SetEnvIfNoCase Referer "^$" good

   Order Deny,Allow
   Deny from all
   Allow from env=good
   ErrorDocument 403 http://www.google.com/intl/en_ALL/images/logo.gif
   ErrorDocument 403 /images/you_bad_hotlinker.gif

## LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK ###
LimitRequestBody 10240000 #bytes, 0-2147483647(2GB) 

=============================================================================#
          SSL SECURITY
=============================================================================#
-> http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess.html
##########

## MOST SECURE WAY TO REQUIRE SSL ###
-> http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "domain.tld"
ErrorDocument 403 https://domain.tld 



          SITE UNDER CONSTRUCTION
=============================================================================#
 Heres some awesome htaccess to use when you are developing a site
##########

## COMBINED DEVELOPER HTACCESS CODE-USE THIS ###

   Header set Cache-Control "max-age=5"

AuthType basic
AuthName "Ooops! Temporarily Under Construction..."
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
Require valid-user           # password prompt for everyone else
Order Deny,Allow
Deny from all
Allow from 192.168.64.5      # Your, the developers IP address
Allow from w3.org            # css/xhtml check jigsaw.w3.org/css-validator/
Allow from googlebot.com     # Allows google to crawl your pages
Satisfy Any                  # no password required if host/ip is Allowed

## DONT HAVE TO EMPTY CACHE OR RELOAD TO SEE CHANGES ###
ExpiresDefault A5 #If using mod_expires

   Header set Cache-Control "max-age=5"

## ALLOW ACCESS WITH PASSWORD OR NO PASSWORD FOR SPECIFIC IP/HOSTS ###
AuthType basic
AuthName "Ooops! Temporarily Under Construction..."
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
Require valid-user           # password prompt for everyone else
Order Deny,Allow
Deny from all
Allow from 192.168.64.5      # Your, the developers IP address
Allow from w3.org            # css/xhtml check jigsaw.w3.org/css-validator/
Allow from googlebot.com     # Allows google to crawl your pages
Satisfy Any                  # no password required if host/ip is Allowed

htaccess rewrite links

htaccess and .htaccess rewrite links

Apache Documentation

First, here are several links to the definitive source for Apache 1.3 and Apache 2.0 specifically related to using .htaccess, especially for redirecting URLs and blocking bad bots and spammers.

Apache 1.3
Apache 2.0

How to Use .htaccess, mod_rewrite, and Related (for Apache)

SRC: http://brainstormsandraves.com/archives/2005/10/09/htaccess/

Follow

Get every new post delivered to your Inbox.

Join 1,240 other followers

%d bloggers like this: