How to: Apache authentication using LDAP Server

Posted on in Categories Apache, Linux, UNIX last updated October 31, 2007

Network administrators frequently use the Lightweight Directory Access Protocol (LDAP) to implement a centralized directory server. You can use LDAP to authenticate users in Apache. Two popular open source LDAP solutions are OpenLDAP and Red Hat Directory Server. According to the Apache documentation, Novell LDAP and iPlanet Directory Server are also supported. This article focuses on OpenLDAP, but the concepts and examples should be applicable to the others.

=> Apache authentication and authorization using LDAP

How to: Debug SSL certificate problems from the shell prompt

Posted on in Categories Apache, Howto, Linux, Security, Shell scripting, Sys admin, Tips, Troubleshooting, UNIX last updated October 18, 2007

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

It also includes the openssl command, which provides a rich variety of subcommands. You can use the same command to debug problems with SSL certificates.

To test the secure connections to a server, type the following command at a shell prompt:
openssl s_client -connect ssl.servername.com:443
Where,

  • s_client : This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It’s intended for testing purposes only and provides only rudimentary interface functionality, but internally it uses almost all of the functionality of the OpenSSL ssl library. You can also connect to a secure mail server (such as POP3S on port 995) or a web server port (443) and issue commands.

For example, to connect to www.cyberciti.biz at port 443, enter:
openssl s_client -connect www.cyberciti.biz:443
Output:

CONNECTED(00000003)
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company [email protected]
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=Berkshire/L=Newbury/O=My Company [email protected]
   i:/C=IN/ST=Berkshire/L=Newbury/O=My Company [email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
subject=/C=IN/ST=Berkshire/L=Newbury/O=My Company [email protected]
issuer=/C=IN/ST=Berkshire/L=Newbury/O=My Company [email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1066 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 989C62FBF87884C9F6904DD216A9A36189BE660059F419DAA16711AF2A7F42D4
    Session-ID-ctx:
    Master-Key: 9A01374F14D7300E8DD02BE2AA3C3567F26E1BB00267D5AB0156C6C11A10EB0D8424FBD06D3B15013B4FBA0F121EC99D
    Key-Arg   : None
    Start Time: 1192732059
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Using grep, you can follow the SSL and TLS connection handshake: the security negotiation, and the transfer of public keys, digital certificates and key information to the client:
$ openssl s_client -state -nbio -connect www.cyberciti.biz:443 2>&1 | grep "^SSL"
Output:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
SSL_connect:SSLv3 read finished A
SSL handshake has read 1066 bytes and written 316 bytes
SSL-Session:
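
The fields that matter most in the s_client output above are the verify return code, the negotiated protocol and the server key size. The following script is an added example, not part of the original post, that pulls them out of captured output; the function names audit_s_client and sample_output are hypothetical, and the sample text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: summarise security-relevant fields of `openssl s_client` output.
# Reads the text on stdin and prints one "LEVEL field: detail" line per finding.
# Exit status: 0 = verified, 1 = verification failed, 2 = no handshake result.
audit_s_client() {
  awk '
    $1 == "Protocol" && $2 == ":"  { proto = $3 }
    $1 == "Cipher" && $2 == ":"    { cipher = $3 }
    /^Server public key is/        { bits = $5 + 0 }
    $1 == "Verify" && $3 == "code:" {
      seen = 1; code = $4 + 0
      reason = $0; sub(/^[^(]*\(/, "", reason); sub(/\).*$/, "", reason)
    }
    END {
      if (!seen) { print "FAIL handshake: no verify result in input"; exit 2 }
      if (code != 0) { print "FAIL verify: code " code " (" reason ")"; bad = 1 }
      if (proto ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
        print "WARN protocol: " proto " is deprecated, expect TLSv1.2 or later"
      # Threshold assumes an RSA key, as in the output above; EC keys are shorter.
      if (bits > 0 && bits < 2048)
        print "WARN key: " bits " bit server public key is below 2048"
      print "INFO cipher: " cipher
      exit bad + 0
    }'
}

# Constructed sample, trimmed from the s_client output shown above.
sample_output() {
  cat <<'EOF'
CONNECTED(00000003)
verify error:num=18:self signed certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 18 (self signed certificate)
---
EOF
}

# Live use: openssl s_client -connect host:443 </dev/null 2>&1 | audit_s_client
sample_output | audit_s_client || echo "exit status: $?"
```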

Further readings:

=> OpenSSL man pages and documentation.

Convert pixmaps file into a Windows .ico file to create a favicon.ico file with GIMP

Posted on in Categories Apache, Debian Linux, Howto, lighttpd, Linux, Linux desktop, Tips, Ubuntu Linux last updated October 8, 2007

The favorites icon (favicon) file is placed in the web server’s root directory. It is a page icon associated with a particular website. For example, when you visit our site you see the favicon in the browser’s URL bar, next to the site’s name. It also appears next to the site’s name in lists of bookmarks, and next to the page’s title in a tabbed document interface.

There is a tool called ppmtowinicon which converts 1 or more portable pixmaps into a Windows .ico file. You need to specify one or more portable pixmaps as input and it produces a Microsoft Windows .ico file as output. A Windows icon contains 1 or more images, at different resolutions and color depths. Microsoft recommends including at least the following formats in each icon (size and bits-per-pixel):
=> 16 x 16 – 4 bpp
=> 32 x 32 – 4 bpp
=> 48 x 48 – 8 bpp

How to create a favicon.ico with GIMP

You need to install netpbm, a set of graphics conversion tools for Linux / UNIX. You also need GIMP, the GNU Image Manipulation Program, to create a favicon on Linux.

Install netpbm and GIMP

Use apt-get command to install packages under Debian / Ubuntu Linux:
$ sudo apt-get install netpbm gimp

Step # 1: Convert logo to ppm raw format

  1. Open your logo using GIMP
  2. Now cut and paste logo in square
  3. Next resize logo by visiting Image > Scale image option. Set pixel size to 16 x 16 or 32 x 32 or 48 x 48.
  4. Next click on File > Save as > Enter file name as favicon.ppm > Click on Save > Raw Encoding > Ok

Step # 2: Convert portable pixmaps into a Windows .ico file

Now run the following command to create a .ico file:
$ ppmtowinicon -output favicon.ico favicon.ppm

Step # 3: Upload favicon.ico file

Upload favicon.ico file to webserver root directory such as /var/www/html or /srv/httpd/cyberciti.biz.

Step # 4: Favicon example

To activate the favicon, modify your site pages or template by placing the following code inside the <head>…</head> section:

<link rel="shortcut icon" href="/favicon.ico" />

Download of the day: phpMyVisites free and open source websites statistics and analytics software

Posted on in Categories Apache, Download of the day, lighttpd, Linux, UNIX, Windows server last updated October 3, 2007

phpMyVisites is free and powerful open source (GNU/GPL) software for website statistics and audience measurement. I’m currently using this software and it totally rocks. This software gives out lots of information on website visitors, visited pages, and software/hardware utilization. The installation is entirely automated and very simple. I’m currently using the same software here. This software is much better than the old AWStats package. Web analytics is the study of the behaviour of website visitors. In a commercial context, web analytics especially refers to the use of data collected from a web site to determine which aspects of the website work towards the business objectives; for example, which landing pages encourage people to make a purchase.

From the project home page:

phpMyVisites is web statistics software. It is also often called web analytics. phpMyVisites is open source and free. You can download it, install it on your webserver, and get your first statistics after 2 minutes! Then all these numbers may be very useful to improve your website results. If you understand how your visitors behave, if you try to analyse your audience and extract information from the web analytics reports, you can definitely boost your website!

Software features

  • A clean and user-friendly interface to present data and to aid in data analysis.
  • Clear and concise graphics presenting important information in an easy-to-understand format.
  • Free: phpMyVisites is completely free.
  • Precise visitor statistics over a period of time (day/week/month/year).
  • Visitor Frequency: new visitors, regular (known) visitors, and how often visitors view the web site.
  • Management of web site statistics and all file types (PDF, Image, etc.).
  • Web site page classification available (by groups, by subgroups, etc.).
  • Visitor Analysis: Statistics for pages where visitors leave the web site and for pages where the visitors enter the web site.
  • Geographical Statistics: Classification by continent/country (interactive world map).
  • Technical Configuration Statistics: Web browsers, resolution, managed plug-in, etc.
  • Complete and clear statistics about web site discovery: How do visitors come to the web site?
  • Live Clearly Defined Web Site Discovery Tools: Search Engines, Web Sites, Partner Sites, Newsletters and Direct Access
  • Able to detect more than 300 internationally-used search engines and keyword associations.
  • Define web sites as partners and add an unlimited number of newsletters.
  • One software installation and track all your website
  • Receive web site statistics everyday by e-mail, by RSS feed, etc.
  • And much more..

phpMyVisites free and open source websites statistics and analytics software
You can see sample reports and screenshots here

Download phpMyVisites

You need a web server (such as Apache, Lighttpd, IIS, etc.) that supports the following:

  1. php > 4.3
  2. Mysql database
  3. GD Library
  4. TTF support (Freetype) etc

=> Visit official site to download phpMyVisites software.

Troubleshooting: Slow Apache / IIS / Lighttpd Webserver Website Problems

Posted on in Categories Apache, Howto, lighttpd, Linux, Troubleshooting, UNIX last updated October 2, 2007

A small how to written to assist sys admins. It offers tools and high level advice to solve slow websites problems:

Oh boy it’s been an intense 4 weeks. I was pulled in to assist with troubleshooting several major failures at work with loosely related systems. Including my own. All systems are public facing, hence the intensity.

This article attempts to capture a high level view of one of the problems and the methods and tools used (not how to use the tools, that’s for another time) to try and solve it. I’m not putting all the details in. Some details are emphatically not appropriate, other details won’t increase understanding of the methodology and process taken.

In the interest of helping other sysadmins, I’ve linked to the various tools used. Some are well known, others more obscure.

=> Advanced Sysadmin Troubleshooting: Slow Websites (via RootPrompt)

Apache mod_rewrite examples for new Linux / UNIX admin

Posted on in Categories Apache, FreeBSD, Linux, OpenBSD, OS X, UNIX, Windows server last updated September 26, 2007

Apache’s mod_rewrite is considered one of the more difficult modules to configure and use. This article will lead you through rewrite rules, regular expressions, and rewrite conditions, and provide a great list of examples:

Apache’s low-cost, powerful set of features make it the server of choice for organizations around the world. One of its most valuable treasures is the mod_rewrite module, the purpose of which is to rewrite a visitor’s request URI in the manner specified by a set of rules.

=> Learn Apache mod_rewrite: 13 Real-world Examples

Howto Setup Linux Apache Web Server Cluster with Linux Virtual Server and Heartbeat

Posted on in Categories Apache, Business, High performance computing, Howto, Linux, Linux distribution, Suse Linux last updated August 23, 2007

This article explains how to get up and running with the Linux Virtual Server and Linux-HA.org’s Heartbeat in 5 easy steps. You can construct a highly available Apache Web server cluster that spans multiple physical or virtual Linux servers with Linux Virtual Server (LVS) and Heartbeat v2:

Spreading a workload across multiple processors, coupled with various software recovery techniques, provides a highly available environment and enhances overall RAS (Reliability, Availability, and Serviceability) of the environment. Benefits include faster recovery from unplanned outages, as well as minimal effects of planned outages on the end user.

This article illustrates the robust Apache Web server stack with 6 Apache server nodes (though 3 nodes is sufficient for following the steps outlined here) as well as 3 Linux Virtual Server (LVS) directors. We used 6 Apache server nodes to drive higher workload throughputs during testing and thereby simulate larger deployments. The architecture presented here should scale to many more directors and backend Apache servers as your resources permit, but we haven’t tried anything larger ourselves. Figure 1 shows our implementation using the Linux Virtual Server and the linux-ha.org components.

However, the article failed to mention a few things, such as redundant networking, a cluster file system / shared storage and other stuff. Nevertheless, the tutorial is a good start for a new Linux admin.

=> Set up a Web server cluster in 5 easy steps

Display or list web server headers

Posted on in Categories Apache, CentOS, Debian Linux, Howto, lighttpd, Linux, UNIX, Windows server last updated August 16, 2007

If you are looking to debug a problem with HTTP server and would like to see HTTP requests / header responses in raw format, use shell tools or Firefox extensions.

Why do I need to dig out web server headers?

[a] Help debugging web application.

[b] See which kind of web server the remote site is using.

[c] See the cookies sent by remote site

[d] Learn http protocol and much more

Let us see Linux / UNIX command line tools to dig out headers.

wget command

The wget command is not just a downloading utility. It can also serve as a debugging tool. You need to pass the -S option to wget, which will print the headers sent by HTTP servers and the responses sent by FTP servers.
$ wget -S http://theos.in
Output:

--01:32:15--  http://theos.in/
           => `index.html'
Resolving theos.in... 74.86.49.131
Connecting to theos.in|74.86.49.131|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Connection: close
  X-Pingback: http://theos.in/xmlrpc.php
  Content-Type: text/html; charset="UTF-8"
  Date: Thu, 16 Aug 2007 20:02:16 GMT
  Server: lighttpd
Length: unspecified [text/html]

    [     <=>                                                                                                                              ] 44,214        32.56K/s

01:32:17 (32.50 KB/s) - `index.html' saved [44214]

If you are just interested in the headers, pass the --spider option to wget. With this option wget behaves as a Web spider, which means that it will not download the pages, just check that they are there.
$ wget -S --spider http://theos.in/

Other command line tools

UNIX / Linux offers many options. You can try out the good old telnet command, the lynx browser, the curl command and other tools:
$ lynx -head -dump http://theos.in/
$ curl -I http://theos.in/

You can use telnet as follows:
$ telnet theos.in 80
Once connected, type the following request, followed by a blank line:

HEAD /index.php HTTP/1.1
Host: theos.in

Firefox extension

If you are using Windows or just want to get the information on the fly, try the Firefox extension LiveHTTPHeaders. It adds a ‘Headers’ tab in ‘View Page Info’ of a web page. You can also find a tool in the ‘Tools->Web Development’ menu that displays HTTP headers in real time while pages are being downloaded from the Internet or a web server. It also allows you to edit request headers and replay a URL (good for testing web app security).

Download LiveHTTPHeaders

=> Visit project download page here

Other options

You can use specialized tools such as the Wireshark network protocol analyzer or tcpdump for the same purpose.
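
When the server being inspected is your own, the two things worth checking in the header dump are the ones listed above: which software the headers reveal, and which cookies are sent. The following script is an added example, not part of the original post, that reviews output captured with wget -S or curl -I; the function names audit_headers and sample_headers are hypothetical, and the sample is constructed from the wget output above with a made-up Set-Cookie line added.

```shell
#!/bin/sh
# Added example: review response headers captured with `wget -S` or `curl -I`.
# Reads the captured text on stdin and prints one finding per line.
audit_headers() {
  tr -d '\r' | awk '
    { sub(/^[ \t]+/, "") }                 # wget -S indents every header line
    /^HTTP\// { print "INFO status: " $0; next }
    {
      i = index($0, ":"); if (i < 2) next  # not a "Name: value" line
      name = tolower(substr($0, 1, i - 1))
      value = substr($0, i + 1); sub(/^[ \t]+/, "", value)
    }
    # Headers that tell a visitor which software answers the request.
    name == "server" || name == "x-powered-by" || name == "x-pingback" {
      print "NOTE fingerprinting header " name ": " value
    }
    name == "set-cookie" {
      cookie = value; sub(/=.*/, "", cookie); attrs = tolower(value)
      if (attrs !~ /; *httponly/) print "WARN cookie " cookie ": no HttpOnly"
      if (attrs !~ /; *secure/)   print "WARN cookie " cookie ": no Secure"
    }'
}

# Constructed sample: wget -S lines from above plus a made-up Set-Cookie header.
sample_headers() {
  cat <<'EOF'
Connecting to theos.in|74.86.49.131|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Connection: close
  X-Pingback: http://theos.in/xmlrpc.php
  Content-Type: text/html; charset="UTF-8"
  Set-Cookie: session=constructed-value; path=/
  Server: lighttpd
Length: unspecified [text/html]
EOF
}

# Live use (wget writes its log to stderr, hence 2>&1):
#   wget -S --spider http://theos.in/ 2>&1 | audit_headers
sample_headers | audit_headers
```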

Security breach: Facebook index.php source code leaked

Posted on in Categories Apache, Beyond nixCraft, Security last updated August 12, 2007

Facebook is one of the most famous web 2.0 portals, and its PHP source code was leaked on the Internet. This blog post has posted the index.php home page source code. According to Facebook:

Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way.

However, a misconfigured web server can easily give out PHP source files to all end users.

PHP Log All Errors to a Log File to Get Detailed Information

Posted on in Categories Apache, Howto, lighttpd, Linux, php, Security, UNIX last updated July 29, 2007

PHP offers a simple but effective solution to log all errors to a log file.
On all production web servers you must turn off displaying errors to end users via a web browser. Remember, PHP error messages give out lots of information about paths, database schema and all sorts of other sensitive information. You are strongly advised to use error logging in place of error displaying on production web sites. The idea is quite simple: only the developer should be able to see the PHP error log.