
apache web server

Red Hat / CentOS Apache 2 FastCGI PHP Configuration

FastCGI is a protocol for interfacing interactive programs with a web server. FastCGI's main aim is to reduce the overhead associated with interfacing the web server and CGI programs, allowing a server to handle more web page requests at once.

Also, PHP is not recommended with multithreaded Apache2 (worker MPM) because of performance and because some 3rd party PHP extensions are not guaranteed to be thread-safe.

nginx and lighttpd have inbuilt support for FastCGI. For the Apache web server you need to use either mod_fastcgi or mod_fcgid.

Why use mod_fastcgi instead of mod_perl / mod_php?

From the wikipedia article:

Instead of creating a new process for every request, FastCGI can use a single persistent process which handles many requests over its lifetime. Processing of multiple requests simultaneously is achieved either by using a single connection with internal multiplexing (ie. multiple requests over a single connection) and/or by using multiple connections. Many such processes can exist, something that can increase stability and scalability. FastCGI also allows programs to get the web server to do certain simple operations, like reading in a file, before the request is handed over. Environment information and page requests are sent from the web server to the process over a TCP connection (for remote processes) or Unix domain sockets (for local processes). Responses are returned from the process to the web server over the same connection. The connection may be closed at the end of a response, but the web server and the process are left standing.

Many web site administrators and programmers are finding that the separation of web applications from the web server in FastCGI (and the simpler SCGI) has many desirable advantages over embedded interpreters (mod_perl, mod_php, etc.). This separation allows server and application processes to be restarted independently -- an important consideration for busy web sites. It also facilitates per-application security policies -- important for ISPs and web hosting companies.

In this quick tutorial, you will learn about Apache 2 + mod_fastcgi + PHP installation and configuration under Red Hat Enterprise Linux / CentOS Linux version 5.x+.

If you notice a lot of extra "MSIE 6.0" agents in your Apache web server log, try the following .htaccess code (hat tip to pixelbeat):

Rewritecond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1.$" [OR]
Rewritecond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813.$"
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP:Accept-Encoding} ^$
RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=307,L]

Many of our regular readers like to know more about lighttpd hotlink protection using mod_rewrite. Lighttpd can use HTTP referrer to detect hotlink and can be configured to partially protect hosted media from inline linking, usually by not serving the media or by serving a different file.

Lighttpd anti hotlinking configuration - redirect to another media

Open lighttpd.conf configuration file:
# vi /etc/lighttpd/lighttpd.conf
Append the following directive to redirect to a default picture called /hotlink.png:

$HTTP["referer"] =~ ".*BADDOMAIN\.com.*|.*IMAGESUCKERDOMAIN\.com.*|.*blogspot\.com.*" {
  url.rewrite = ("(?i)(/.*\.(jpe?g|png))$" => "/hotlink.png" )
}

So if anyone from *.blogspot.com links to www.cyberciti.biz/image.png, it will be replaced with www.cyberciti.biz/hotlink.png. I've written a small script to detect excessive hotlinking from the log file and ban all those domains. Most types of electronic media can be redirected this way, including video files, music files, animations, etc.
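
One way to find which referer hosts to put in that rule, as an added example (this is not the author's script, which the page does not show). It assumes combined-format access log lines on stdin; the function names, the example.org/example.net hosts and the threshold are illustrative.

```shell
#!/bin/sh
# Added example: list external referer hosts that pull images (hotlinking).
# Assumes combined-format access log lines on stdin; names are illustrative.

hotlink_referers() {
    # $1 = own host name, $2 = minimum image hits before a host is reported
    awk -F'"' -v own="$1" -v min="$2" '
    {
        split($2, req, " ")                     # req[2] = requested path
        path = tolower(req[2])
        sub(/\?.*$/, "", path)                  # ignore query strings
        if (path !~ /\.(jpe?g|png)$/) next      # media types from the rule above
        host = tolower($4)                      # $4 = Referer header
        if (host == "" || host == "-") next     # no referer: direct request
        sub("^[a-z]+://", "", host)             # strip scheme
        sub("[/:?#].*$", "", host)              # strip port, path, query
        if (host == "" || host == own) next
        if (substr(host, length(host) - length(own)) == "." own) next  # own subdomain
        hits[host]++
    }
    END { for (h in hits) if (hits[h] >= min) print hits[h], h }
    ' | sort -k1,1nr -k2,2
}

sample_log() {   # constructed log lines, not real traffic
cat <<'EOF'
192.0.2.10 - - [10/Oct/2008:13:55:36 +0000] "GET /image.png HTTP/1.1" 200 2326 "http://blog.example.org/post/1" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2008:13:55:40 +0000] "GET /image.png HTTP/1.1" 200 2326 "http://blog.example.org/post/1" "Mozilla/5.0"
192.0.2.12 - - [10/Oct/2008:13:56:01 +0000] "GET /photos/a.JPG HTTP/1.1" 200 999 "http://blog.example.org/post/2" "Mozilla/5.0"
192.0.2.13 - - [10/Oct/2008:13:56:07 +0000] "GET /image.png HTTP/1.1" 200 2326 "http://www.cyberciti.biz/faq/" "Mozilla/5.0"
192.0.2.14 - - [10/Oct/2008:13:56:09 +0000] "GET /image.png HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Oct/2008:13:57:12 +0000] "GET /logo.jpeg?v=2 HTTP/1.1" 200 100 "https://forum.example.net:8080/t/5" "Mozilla/5.0"
192.0.2.16 - - [10/Oct/2008:13:57:30 +0000] "GET /index.html HTTP/1.1" 200 100 "http://blog.example.org/" "Mozilla/5.0"
EOF
}

sample_log | hotlink_referers cyberciti.biz 2
```

Requests with an empty referer are skipped on purpose: many browsers and proxies strip the header, so they are not evidence of hotlinking.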

Related: Apache web server user can stop leechers using mod_rewrite / .htaccess rules.

This is a user contributed tutorial.

ProFTPD is an enhanced, secure and highly configurable FTP server. Its configuration syntax is very similar to that of the Apache web server. It offers several features such as:
+ multiple virtual server
+ anonymous
+ authenticated access
+ chroot jail support
+ SSL/TLS encryption
+ RADIUS, LDAP and SQL support etc

Install ProFTPD server

Type the following command as root user:
# yum install proftpd
To start ProFTPD when the system reboots, enter:
# chkconfig --level 3 proftpd on
To start proftpd ftp service, enter:
# service proftpd start
To stop proftpd ftp server, enter:
# service proftpd stop
To restart proftpd ftp service, enter:
# service proftpd restart
To reload the configuration file, enter:
# service proftpd reload

/etc/proftpd.conf - Proftpd configuration file

The default configuration file is located at /etc/proftpd.conf. To edit the configuration file, enter:
# vim /etc/proftpd.conf
To check the syntax of the configuration file, enter:
# proftpd -t6

Virtual users authentication configuration

When you install ProFTPD, it is almost ready for use by anonymous users; you only have to uncomment the anonymous section in /etc/proftpd.conf. If you want authenticated access, you must configure extra directives. Keep these in mind for virtual user authentication:

  • AuthUserFile : Specify the users file, has the same format as /etc/passwd
  • AuthGroupFile : Specify the groups file, has the same format as /etc/group

Open /etc/proftpd.conf file:
# vi /etc/proftpd.conf
These files can be created with ftpasswd tool, here is an example:
# ftpasswd --passwd --name {username} --file /etc/ftpd.passwd --uid {5000} --gid {5000} --home /var/ftp/username-home/ --shell /bin/false
# ftpasswd --group --name group1 --file /etc/ftpd.group --gid 5000 --member username

For example, add a ftp user called tom for cyberciti.biz domain (ftpcbz group):
# ftpasswd --passwd --name tom --file /etc/ftpd.passwd --uid 5001 --gid 5001 --home /var/ftp/tom/ --shell /bin/false
# ftpasswd --group --name ftpcbz --file /etc/ftpd.group --gid 5000 --member tom

Then the above directives must be set this way:

AuthUserFile	/etc/ftpd.passwd
AuthGroupFile	/etc/ftpd.group

Warning! The created user must have UNIX permissions on his home directory.

The value of --shell option must be set to /bin/false if you want to improve the security of the FTP server.
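
A check for the points above, as an added example that is not part of the original tutorial: it reads a passwd-format AuthUserFile and reports entries whose shell is not /bin/false, whose UID is 0, or whose home is not under the FTP root. The function names and sample entries are constructed for illustration; /var/ftp is taken from the ftpasswd examples above.

```shell
#!/bin/sh
# Added example: audit a passwd-format AuthUserFile (as written by ftpasswd).
# Field order: name:password:uid:gid:gecos:home:shell

audit_ftp_users() {
    # stdin = AuthUserFile contents, $1 = directory every home must sit under
    awk -F: -v root="$1" '
    /^[ \t]*(#|$)/      { next }                       # skip comments and blanks
    NF != 7             { print $1 ": malformed entry (expected 7 fields)"; next }
    $2 == ""            { print $1 ": empty password field" }
    $3 == 0             { print $1 ": UID 0" }
    $7 != "/bin/false"  { print $1 ": shell is " $7 ", not /bin/false" }
    index($6 "/", root "/") != 1 || $6 ~ /\.\./ {
                          print $1 ": home " $6 " not confined to " root }
    '
}

sample_users() {   # constructed entries; password hashes are placeholders
cat <<'EOF'
# name:password:uid:gid:gecos:home:shell
tom:PLACEHOLDER_HASH:5001:5001::/var/ftp/tom/:/bin/false
ann:PLACEHOLDER_HASH:5002:5001::/home/ann:/bin/false
bob:PLACEHOLDER_HASH:0:5001::/var/ftp/bob:/bin/bash
EOF
}

sample_users | audit_ftp_users /var/ftp
```

Against the real file, run it as `audit_ftp_users /var/ftp < /etc/ftpd.passwd`; no output means every entry passed.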

Sometimes ProFTPD throws many errors when you try to authenticate through virtual users. In that case, check these directives and their recommended values.

Don't check against /etc/shells
RequireValidShell off
Don't check against /etc/passwd, use only AuthUserFile
AuthOrder mod_auth_file.c
Disable PAM authentication
PersistentPasswd off
AuthPAM off

To jail users to their respective home directories, add the following to the config file:
DefaultRoot ~

Playing with files access permission

The general syntax is as follows:

Sets the mask of the newly created files and directories. FILEMODE and DIRMODE must be an octal mode, in the format 0xxx. If DIRMODE is omitted then DIRMODE = FILEMODE.

Some examples:

Umask 022

  • The owner has rw permissions over the files and full access over directories.
  • The group has r permission over the files and rx over directories.
  • The world has r permission over the files and rx over directories.

More restrictive:
Umask 026 027

  • The owner has rw permissions over the files and full access over directories.
  • The group has r permission over the files and rx over directories.
  • The world doesn't have any permission over the files or over directories.

To deny everyone except admin from changing file permissions via FTP, put this in your context:

AllowUser admin

Firewall Configuration - Open FTP port

See FAQ section for further details on iptables configuration.

Further readings:

  1. Proftpd project
  2. ProFTPD unofficial documentation

This article / faq is contributed by Yoander Valdés Rodríguez (yoander). nixCraft welcomes readers' tips / howtos.

Red Hat has open-sourced its identity-management and security system to promote its assertion that open-source software provides the most secure infrastructure. From the press release:

Red Hat Certificate System was acquired from AOL three years ago as part of the Netscape technology acquisition. In keeping with our commitment to open source software, today Red Hat has released all of the source code to Red Hat Certificate System. Much of the technology in Red Hat Certificate System was already open source, including the Apache web server, Red Hat Directory Server and the FIPS140-2 level 2 validated NSS cryptographic libraries, but today’s move further demonstrates Red Hat’s belief that the open source development model creates more secure software.

I think the freeIPA project is a really good addition. It provides central management of identity, policy, and auditing for Unix and Linux using open-source and open-standards technologies.

(Fig. 01: freeIPA running under Fedora Linux [Image Credit freeIPA project])

This article explains how to get set up and running with the Linux Virtual Server and Linux-HA.org's Heartbeat in 5 easy steps. You can construct a highly available Apache Web server cluster that spans multiple physical or virtual Linux servers with Linux Virtual Server (LVS) and Heartbeat v2:

Spreading a workload across multiple processors, coupled with various software recovery techniques, provides a highly available environment and enhances overall RAS (Reliability, Availability, and Serviceability) of the environment. Benefits include faster recovery from unplanned outages, as well as minimal effects of planned outages on the end user.

This article illustrates the robust Apache Web server stack with 6 Apache server nodes (though 3 nodes is sufficient for following the steps outlined here) as well as 3 Linux Virtual Server (LVS) directors. We used 6 Apache server nodes to drive higher workload throughputs during testing and thereby simulate larger deployments. The architecture presented here should scale to many more directors and backend Apache servers as your resources permit, but we haven't tried anything larger ourselves. Figure 1 shows our implementation using the Linux Virtual Server and the linux-ha.org components.

Howto Setup Linux Apache Web Server Cluster with Linux Virtual Server and Heartbeat

However, the article failed to mention a few things such as redundant networking, a cluster file system / shared storage and other stuff. Nevertheless, the tutorial is a good start for a new Linux admin.

=> Set up a Web server cluster in 5 easy steps

This is an interesting article.

For people migrating from Windows to Linux, the Apache Web server is an entirely different world from Microsoft Internet Information Server. Apache can be alienating to IIS / Windows administrators, because migrating to Apache is more than just copying files.

The IIS to Apache migration process needs to be handled with the same care and perspective as the process of migrating desktops and their attendant applications. In some cases, IIS to Apache may be even more difficult and may have a larger impact on users and administrators.

In this article, the author talks about the process of migrating a site from IIS to Apache, with Red Hat Linux as the specific target.