FreeBSD has issued updated version of its Apache package. This release considered as important and encourage users of all prior versions to upgrade.
Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unpsecified vectors.
The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.
How do I upgrade Apache under FreeBSD?
Simply run the following two commands:
# portsnap fetch extract
# portupgrade -a
Recently, I noticed something strange about Apache 2.2.3 version running on CentOS Linux 5 64 bit version. We have centralized NFS server and all 3 web server load balanced using hardware front end (another box running LVS).
All Apache server picks up file via NFS i.e DocumentRoot is set over NFS. The small file such as 2 MB or 5 MB get downloaded correctly but large size files failed to download. Another problem was some clients reported that the file get download but cannot open due to file corruption issue.
After investigation and a little bit googling I came across the solution. You need to disable following two options:
- EnableMMAP - This directive controls whether the httpd may use memory-mapping if it needs to read the contents of a file during delivery. By default, when the handling of a request requires access to the data within a file -- for example, when delivering a server-parsed file using mod_include -- Apache memory-maps the file if the OS supports it.
- EnableSendfile - This directive controls whether httpd may use the sendfile support from the kernel to transmit file contents to the client. By default, when the handling of a request requires no access to the data within a file -- for example, when delivering a static file -- Apache uses sendfile to deliver the file contents without ever reading the file if the OS supports it.
However, these two directives are known to have problem with a network-mounted DocumentRoot (e.g., NFS or SMB), the kernel may be unable to serve the network file through its own cache. So just open httpd.conf on all boxes and changes the following:
Just restart the web server and voila!
# service httpd restart
You can speed up downloads or web page access time with Apache mod_deflate module. The mod_deflate module provides the DEFLATE output filter that allows output from your server to be compressed before being sent to the client over the network.
This decreases the amount of time and data transmitted over the network, resulting in faster web experience or downloads for visitors.
Make sure mod_deflate included with your Apache server (by default it is now installed with all modern distro).
How can I speed up downloads from my Apache 2.0 server?
Open httpd.conf file using a text editor such as vi:
# vi httpd.conf
Append following line:
LoadModule deflate_module modules/mod_deflate.so
Append following configuration <Location /> directive:
AddOutputFilterByType DEFLATE text/html text/plain text/xml
Above line only compress html and xml files. Here is the configuration from one of my production box:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html
Close and save the file. Next restart apache web server. All of the above extension file should compressed by mod_deflate:
# /etc/init.d/httpd restart
You can also specify specific directory and enabling compression only for the html files. For example /static/help/ directory:
AddOutputFilterByType DEFLATE text/html
In real life, there are issues with compressing other types of files such as mp3 or images. If you don't want to compress images or mp3 files, add following to your configuration:
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.avi$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mov$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp3$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp4$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.rm$ no-gzip dont-vary
Please note that this processing takes additional CPU and memory on your server as well as on the client browser. So you must make decision which document you need to compress (thanks to mdxp).