≡ Menu

Apache

If you do not control or throttle end users, your server may run out of resources. Spammers, abuser and badly written bots can eat up all your bandwidth. A webserver must keep an eye on connections and limit connections per second. This is serving 101. The default is no limit. Lighttpd can limit the throughput for each single connection (per IP) or for all connections. You also need to a use firewall to limit connections per second. In this article I will cover firewall and lighttpd web server settings to throttle end users. The firewall settings can be applied to other web servers such as Apache / Nginx and IIS server behind PF / netfilter based firewall.
[click to continue…]

Web server that use threaded processes such as Apache and others can be targeted using interesting HTTP DoS tool that has been released in wild. Tool can eat up all resources while it holds the connection open to server and keep sending incomplete HTTP requests. End result Apache run out of memory and comes under DoS attack.
[click to continue…]

Now, mod_fastcgi is configured and running. FastCGI supports connection via UNIX sockets or TCP/IP networking. This is useful to spread load among various backends. For example, php will be severed from 192.168.1.10 and python / ruby on rails will be severed from 192.168.1.11. This is only possible with mod_fastcgi.
[click to continue…]

Red Hat / CentOS Apache 2 FastCGI PHP Configuration

FastCGI is a protocol for interfacing interactive programs with a web server. FastCGI's main aim is to reduce the overhead associated with interfacing the web server and CGI programs, allowing a server to handle more web page requests at once.

Also, PHP is not recommended with multithreaded Apache2 (worker MPM) because of performance and some 3rd party PHP extensions are not not guaranteed thread-safe.

nginx and lighttpd has inbuilt support for FastCGI. For Apache web server you need to use either mod_fastcgi or mod_fcgid.

Why use mod_fastcgi instead of mod_perl / mod_php?

From the wikipedia article:

Instead of creating a new process for every request, FastCGI can use a single persistent process which handles many requests over its lifetime. Processing of multiple requests simultaneously is achieved either by using a single connection with internal multiplexing (ie. multiple requests over a single connection) and/or by using multiple connections. Many such processes can exist, something that can increase stability and scalability. FastCGI also allows programs to get the web server to do certain simple operations, like reading in a file, before the request is handed over. Environment information and page requests are sent from the web server to the process over a TCP connection (for remote processes) or Unix domain sockets (for local processes). Responses are returned from the process to the web server over the same connection. The connection may be closed at the end of a response, but the web server and the process are left standing.

Many web site administrators and programmers are finding that the separation of web applications from the web server in FastCGI (and the simpler SCGI) has many desirable advantages over embedded interpreters (mod_perl, mod_php, etc.). This separation allows server and application processes to be restarted independently -- an important consideration for busy web sites. It also facilitates per-application security policies -- important for ISPs and web hosting companies.

In this quick tutorial, you will learn about Apache 2 + mod_fastcgi + PHP installation and configuration under Red Hat Enterprise Linux / CentOS Linux version 5.x+.
[click to continue…]

Test and Troubleshoot Chrooted Apache Jail

This is 3rd and the final installment for Apache Chroot Jail for CentOS / RHEL series. Once Apache is configured with mod_chroot, you may need to test and debug problems. This article will provide a few troubleshooting tips.
[click to continue…]

Apache Chroot Jail: Virtual Hosting

Now your chrooted Apache jail is ready. It is time to add domains using Apache virtual hosting features.
[click to continue…]

Red Hat / CentOS: Chroot Apache 2 Web Server

A chroot on Red Hat / CentOS / Fedora Linux operating changes the apparent disk root directory for the Apache process and its children. Once this is done attacker or other php / perl / python scripts cannot access or name files outside that directory. This is called a "chroot jail" for Apache. You should never ever run a web server without jail. There should be privilege separation between web server and rest of the system.

In this exclusive series, you will learn more about:

  • Securing an Apache 2 web server under Red Hat Enterprise Linux / CentOS Linux using mod_chroot
  • Virtual hosting configuration under chrooted jail.
  • Troubleshooting Chrooted Apache jail problem.

[click to continue…]