apache server

FreeBSD Apache Multiple Vulnerabilities Fix Available

FreeBSD has issued an updated version of its Apache package. This release is considered important, and users of all prior versions are encouraged to upgrade.

Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors.

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.

How do I upgrade Apache under FreeBSD?

Simply run the following two commands:
# portsnap fetch extract
# portupgrade -a
# portversion

CentOS 5 Apache 2.2.3 files failing to download or corrupted download file issue

Recently, I noticed something strange about Apache version 2.2.3 running on 64-bit CentOS Linux 5. We have a centralized NFS server, and all 3 web servers are load balanced behind a hardware front end (another box running LVS).

All Apache servers pick up files via NFS, i.e. DocumentRoot is set over NFS. Small files such as 2 MB or 5 MB were downloaded correctly, but large files failed to download. Another problem was that some clients reported that the file downloaded but could not be opened due to file corruption.

After some investigation and a little bit of googling I came across the solution. You need to disable the following two options:

  • EnableMMAP - This directive controls whether the httpd may use memory-mapping if it needs to read the contents of a file during delivery. By default, when the handling of a request requires access to the data within a file -- for example, when delivering a server-parsed file using mod_include -- Apache memory-maps the file if the OS supports it.
  • EnableSendfile - This directive controls whether httpd may use the sendfile support from the kernel to transmit file contents to the client. By default, when the handling of a request requires no access to the data within a file -- for example, when delivering a static file -- Apache uses sendfile to deliver the file contents without ever reading the file if the OS supports it.

However, these two directives are known to have problems with a network-mounted DocumentRoot (e.g., NFS or SMB): the kernel may be unable to serve the network file through its own cache. So just open httpd.conf on all boxes and change the following:
EnableMMAP off
EnableSendfile off

Just restart the web server and voila!
# service httpd restart
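
A quick way to confirm the change really took effect on every box, as an added example that is not part of the original post: the Python sketch below reads httpd.conf text and reports the main-server value of both directives, plus any container that switches one back on. The function names and sample configurations are constructed for illustration, and the defaults are assumed to be On, as the post describes for Apache 2.2.

```python
# Defaults assumed for Apache 2.2, the release the post is about: both On.
DEFAULTS = {"enablemmap": "on", "enablesendfile": "on"}

def audit(conf_text):
    """Return (main-server values, container lines that re-enable a directive)."""
    effective = dict(DEFAULTS)
    reenabled = []
    containers = []                      # stack of open <Section ...> lines
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # a commented-out directive does nothing
        if line.startswith("</"):
            if containers:
                containers.pop()
            continue
        if line.startswith("<"):
            containers.append(line)
            continue
        parts = line.split()
        name = parts[0].lower()          # directive names are case-insensitive
        if name in DEFAULTS and len(parts) > 1:
            value = parts[1].lower()
            if containers and value == "on":
                reenabled.append((lineno, containers[-1], parts[0]))
            elif not containers:
                effective[name] = value  # a later line overrides an earlier one
    return effective, reenabled

def safe_for_nfs(conf_text):
    """True only if both directives are off and nothing turns them back on."""
    effective, reenabled = audit(conf_text)
    return all(v == "off" for v in effective.values()) and not reenabled

# Constructed sample configurations (not from the post).
FIXED = 'DocumentRoot "/mnt/nfs/www"\nEnableMMAP off\nEnableSendfile Off\n'
COMMENTED = 'DocumentRoot "/mnt/nfs/www"\nEnableMMAP off\n#EnableSendfile off\n'
OVERRIDDEN = ('EnableMMAP off\nEnableSendfile off\n'
              '<Directory "/mnt/nfs/www/downloads">\nEnableSendfile On\n</Directory>\n')

if __name__ == "__main__":
    for label, conf in (("fixed", FIXED), ("commented", COMMENTED),
                        ("overridden", OVERRIDDEN)):
        print(label, safe_for_nfs(conf), audit(conf))
```

The check does not follow Include lines or .htaccess files, so run it against each file that can carry these directives.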

February 6, 2007 : nixCraft FAQ Roundup

Recently updated/posted Linux and UNIX FAQ:

=> Shell command or script to write simple output on screen under Linux and UNIX

=> Delete a log files in Linux or UNIX

=> VSFTPD limit the number of simultaneous vsftpd connections for a single IP address

=> Gnome Desktop Keyboard Shortcut Keys

=> Disable Advanced power management (APM) on Linux

=> Locate files on linux, FreeBSD and UNIX system

=> List installed packages on Linux or FreeBSD / OpenBSD system

=> Howto: Use mysql or run mysql queries from shell script

=> Linux configure batch jobs using at command

=> Solaris add a new swap file for database

=> Apache server view performance status with mod_status configuration

=> Howto Secure portmap service using iptables and TCP Wrappers under Linux

Speed up Apache 2.0 web access or downloads with mod_deflate

You can speed up downloads or web page access time with the Apache mod_deflate module. The mod_deflate module provides the DEFLATE output filter, which allows output from your server to be compressed before being sent to the client over the network.

This decreases the amount of data transmitted over the network and the time it takes, resulting in a faster web experience or faster downloads for visitors.

Make sure mod_deflate is included with your Apache server (it is now installed by default with all modern distros).

How can I speed up downloads from my Apache 2.0 server?

Open httpd.conf file using a text editor such as vi:
# vi httpd.conf

Append the following line:
LoadModule deflate_module modules/mod_deflate.so

Append the following configuration inside a <Location /> directive:
<Location />
AddOutputFilterByType DEFLATE text/html text/plain text/xml
</Location>

The above line only compresses html and xml files. Here is the configuration from one of my production boxes:
<Location />
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom+xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html
</Location>

Save and close the file. Next, restart the Apache web server. All of the above file types should now be compressed by mod_deflate:
# /etc/init.d/httpd restart

You can also specify a particular directory and enable compression only for the html files in it. For example, for the /static/help/ directory:
<Directory "/static/help">
AddOutputFilterByType DEFLATE text/html
</Directory>

In real life, there are issues with compressing other types of files such as mp3 or images. If you don't want to compress images or mp3 files, add the following to your configuration:
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.avi$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mov$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp3$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp4$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.rm$ no-gzip dont-vary

Please note that this processing takes additional CPU and memory on your server as well as on the client browser, so you must decide which documents you need to compress (thanks to mdxp).
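
To see which requests the exclusion rules above actually exempt from compression, here is an added example that is not part of the original post. It parses the SetEnvIfNoCase lines as listed and applies them to constructed sample request targets, using Python's re module as a stand-in for Apache's regex engine; the function names are illustrative.

```python
import re

# The exclusion rules exactly as listed in the post.
RULES = r"""
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.avi$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mov$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp3$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp4$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.rm$ no-gzip dont-vary
"""

def parse_rules(text):
    """Turn each SetEnvIfNoCase line into (case-insensitive regex, env names)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].lower() == "setenvifnocase":
            rules.append((re.compile(parts[2], re.IGNORECASE), set(parts[3:])))
    return rules

def env_for(target, rules):
    """Collect the variables set for a request target.

    Request_URI is matched without the query string, so it is cut off first.
    """
    uri = target.split("?", 1)[0]
    env = set()
    for pattern, names in rules:
        if pattern.search(uri):
            env |= names
    return env

def is_compressed(target, rules=None):
    """With SetOutputFilter DEFLATE on, only no-gzip switches compression off."""
    rules = parse_rules(RULES) if rules is None else rules
    return "no-gzip" not in env_for(target, rules)

if __name__ == "__main__":
    # Constructed request targets covering the edge cases.
    for target in ("/index.html", "/img/logo.PNG", "/dl/file.tar.gz",
                   "/photo.jpg?size=large", "/video.mp4.html", "/media/clip.rmvb"):
        print(f"{target:24} compressed={is_compressed(target)}")
```

Because every pattern is anchored with $, a name such as /video.mp4.html or /media/clip.rmvb is still compressed, while /photo.jpg?size=large is exempt since the query string is not part of Request_URI.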
