Network administrators frequently use the Lightweight Directory Access Protocol (LDAP) to implement a centralized directory server. You can use LDAP to authenticate users in Apache. Two popular open source LDAP solutions are OpenLDAP and Red Hat Directory Server. According to the Apache documentation, Novell LDAP and iPlanet Directory Server are also supported. This article focuses on OpenLDAP, but the concepts and examples should be applicable to the others.
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.
It also includes the openssl command, which provides a rich variety of subcommands. You can use the same command to debug problems with SSL certificates.
To test the secure connections to a server, type the following command at a shell prompt:
openssl s_client -connect ssl.servername.com:443
- s_client : This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It’s intended for testing purposes only and provides only rudimentary interface functionality, but internally it uses almost all of the functionality of the OpenSSL ssl library. You can also connect to a secure mail server (such as POP3S on port 995) or a web server port (443) and issue commands.
For example, to connect to www.cyberciti.biz at port 443, enter:
openssl s_client -connect www.cyberciti.biz:443
CONNECTED(00000003)
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressfirstname.lastname@example.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressemail@example.com
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressfirstname.lastname@example.org
   i:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressemail@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressfirstname.lastname@example.org
issuer=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressemail@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1066 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 989C62FBF87884C9F6904DD216A9A36189BE660059F419DAA16711AF2A7F42D4
    Session-ID-ctx:
    Master-Key: 9A01374F14D7300E8DD02BE2AA3C3567F26E1BB00267D5AB0156C6C11A10EB0D8424FBD06D3B15013B4FBA0F121EC99D
    Key-Arg   : None
    Start Time: 1192732059
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
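The lines that matter in that transcript can be checked by a script. The following shell function is an added example, not part of the original article: it reads openssl s_client output and reports the verify result, the key size and the negotiated protocol. The function names are hypothetical, and the sample text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: summarise `openssl s_client` output (function names are hypothetical).

# Constructed sample: the security-relevant lines of the transcript above.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
verify error:num=18:self signed certificate
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 18 (self signed certificate)
EOF
}

# Reads s_client output on stdin and prints one finding per line.
audit_s_client() {
    awk '
        /Verify return code:/ {
            sub(/^.*Verify return code: */, "")   # keep "18 (self signed certificate)"
            code = $1; verify = $0
        }
        /Server public key is/ { bits = $5 }
        /^ *Protocol *:/       { proto = $NF }
        END {
            if (verify == "")   print "FAIL no verify result (handshake incomplete?)"
            else if (code != 0) print "FAIL certificate not trusted: " verify
            else                print "OK certificate chain verified"
            # The 2048-bit floor applies to RSA keys; EC keys are shorter by design.
            if (bits != "" && bits + 0 < 2048)
                print "WARN public key is " bits " bit (below 2048, weak for RSA)"
            if (proto ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                print "WARN legacy protocol " proto
        }'
}

# Live use (needs network access):
#   openssl s_client -connect ssl.servername.com:443 </dev/null 2>&1 | audit_s_client
```

Run against the sample, it reports the untrusted self-signed certificate, the 1024-bit key and the TLSv1 session.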
Using grep you can see the SSL and TLS connection handshake: the security negotiation, the public keys, and the transfer of digital certificates and key information to the client:
$ openssl s_client -state -nbio -connect www.cyberciti.biz:443 2>&1 | grep "^SSL"
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
SSL_connect:SSLv3 read finished A
SSL handshake has read 1066 bytes and written 316 bytes
SSL-Session:
=> OpenSSL man pages and documentation.
A favorites icon (favicon) file is placed in a web server’s root directory. It is an icon associated with a particular website or page. For example, when you visit our site you see the favicon in the browser’s URL bar, next to the site’s name. It also appears next to the site’s name in lists of bookmarks, and next to the page’s title in a tabbed document interface.
There is a tool called ppmtowinicon which converts one or more portable pixmaps into a Windows .ico file. You need to specify one or more portable pixmaps as input and it produces a Microsoft Windows .ico file as output. A Windows icon contains one or more images, at different resolutions and color depths. Microsoft recommends including at least the following formats in each icon (size and bits-per-pixel):
=> 16 x 16 – 4 bpp
=> 32 x 32 – 4 bpp
=> 48 x 48 – 8 bpp
How to create a favicon.ico with GIMP
You need to install netpbm, a set of graphics conversion tools for Linux / UNIX. You also need GIMP, the GNU Image Manipulation Program, to create a favicon on Linux.
Install netpbm and GIMP
Use apt-get command to install packages under Debian / Ubuntu Linux:
$ sudo apt-get install netpbm gimp
Step # 1: Convert logo to ppm raw format
- Open your logo using GIMP
- Now cut and paste the logo into a square
- Next resize the logo by visiting the Image > Scale image option. Set the pixel size to 16 x 16 or 32 x 32 or 48 x 48.
- Next click on File > Save as > Enter file name as favicon.ppm > Click on Save > Raw Encoding > Ok
Step # 2: Convert portable pixmaps into a Windows .ico file
Now run the following command to create a .ico file:
$ ppmtowinicon -output favicon.ico favicon.ppm
Step # 3: Upload favicon.ico file
Upload the favicon.ico file to the web server root directory, such as /var/www/html or /srv/httpd/cyberciti.biz.
Step # 4: Favicon example
To activate the favicon, modify your site pages or template by placing the following code in the <head>…</head> section:
<link rel="shortcut icon" href="/favicon.ico" />
phpMyVisites is free and powerful open source (GNU/GPL) software for website statistics and audience measurement. I’m currently using this software and it totally rocks. This software gives out lots of information on website visitors, visited pages, and software/hardware utilization. The installation is entirely automated and very simple. I’m currently using the same software here. This software is much better than the old AWstats package. Web analytics is the study of the behaviour of website visitors. In a commercial context, web analytics especially refers to the use of data collected from a web site to determine which aspects of the website work towards the business objectives; for example, which landing pages encourage people to make a purchase.
From the project home page:
phpMyVisites is web statistics software. It is also often called web analytics. phpMyVisites is open source and free. You can download it, install it on your webserver, and get your first statistics after 2 minutes! Then all these numbers may be very useful to improve your website results. If you understand how your visitors behave, if you try to analyse your audience and extract information from the web analytics reports, you can definitely boost your website!
- A clean and user-friendly interface to present data and to aid in data analysis.
- Clear and concise graphics presenting important information in an easy-to-understand format.
- Free: phpMyVisites is completely free.
- Precise visitor statistics over a period of time (day/week/month/year).
- Visitor Frequency: new visitors, regular (known) visitors, and how often visitors view the web site.
- Management of web site statistics and all file types (PDF, Image, etc.).
- Web site page classification available (by groups, by subgroups, etc.).
- Visitor Analysis: Statistics for pages where visitors leave the web site and for pages where the visitors enter the web site.
- Geographical Statistics: Classification by continent/country (interactive world map).
- Technical Configuration Statistics: Web browsers, resolution, managed plug-in, etc.
- Complete and clear statistics about web site discovery: How do visitors come to the web site?
- Live Clearly Defined Web Site Discovery Tools: Search Engines, Web Sites, Partner Sites, Newsletters and Direct Access
- Able to detect more than 300 internationally-used search engines and keyword associations.
- Define web sites as partners and add an unlimited number of newsletters.
- One software installation and track all your websites
- Receive web site statistics everyday by e-mail, by RSS feed, etc.
- And much more..
You can see sample reports and screenshots here
You need a web server (such as Apache, Lighttpd, IIS, etc.) that supports the following:
- php > 4.3
- Mysql database
- GD Library
- TTF support (Freetype) etc
=> Visit official site to download phpMyVisites software.
A small how-to written to assist sysadmins. It offers tools and high-level advice for solving slow website problems:
Oh boy it’s been an intense 4 weeks. I was pulled in to assist with troubleshooting several major failures at work with loosely related systems. Including my own. All systems are public facing, hence the intensity.
This article attempts to capture a high level view of one of the problems and the methods and tools used (not how to use the tools, that’s for another time) to try and solve it. I’m not putting all the details in. Some details are emphatically not appropriate, other details won’t increase understanding of the methodology and process taken.
In the interest of helping other sysadmins, I’ve linked to the various tools used. Some are well known, others more obscure.
Apache’s mod_rewrite is considered one of the more difficult modules to configure and use. This article will lead you through rewrite rules, regular expressions, and rewrite conditions, and provide a great list of examples:
Apache’s low-cost, powerful set of features make it the server of choice for organizations around the world. One of its most valuable treasures is the mod_rewrite module, the purpose of which is to rewrite a visitor’s request URI in the manner specified by a set of rules.
This article explains how to get up and running with the Linux Virtual Server and Linux-HA.org’s Heartbeat in 5 easy steps. You can construct a highly available Apache Web server cluster that spans multiple physical or virtual Linux servers with Linux Virtual Server (LVS) and Heartbeat v2:
Spreading a workload across multiple processors, coupled with various software recovery techniques, provides a highly available environment and enhances overall RAS (Reliability, Availability, and Serviceability) of the environment. Benefits include faster recovery from unplanned outages, as well as minimal effects of planned outages on the end user.
This article illustrates the robust Apache Web server stack with 6 Apache server nodes (though 3 nodes is sufficient for following the steps outlined here) as well as 3 Linux Virtual Server (LVS) directors. We used 6 Apache server nodes to drive higher workload throughputs during testing and thereby simulate larger deployments. The architecture presented here should scale to many more directors and backend Apache servers as your resources permit, but we haven’t tried anything larger ourselves. Figure 1 shows our implementation using the Linux Virtual Server and the linux-ha.org components.
However, the article fails to mention a few things such as redundant networking, a cluster file system / shared storage and other details. Nevertheless, the tutorial is a good start for a new Linux admin.
If you are looking to debug a problem with an HTTP server and would like to see HTTP requests / response headers in raw format, use shell tools or Firefox extensions.
Why do I need to dig out web server headers?
[a] Help debugging web application.
[b] See which kind of web server the remote site is using.
[c] See the cookies sent by remote site
[d] Learn http protocol and much more
Let us see Linux / UNIX command line tools to dig out headers.
The wget command is not just a download utility. It can also serve as a debugging tool. You need to pass the -S option to the wget command, which will print the headers sent by HTTP servers and responses sent by FTP servers.
$ wget -S http://theos.in
--01:32:15--  http://theos.in/
           => `index.html'
Resolving theos.in... 126.96.36.199
Connecting to theos.in|188.8.131.52|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Connection: close
  X-Pingback: http://theos.in/xmlrpc.php
  Content-Type: text/html; charset="UTF-8"
  Date: Thu, 16 Aug 2007 20:02:16 GMT
  Server: lighttpd
Length: unspecified [text/html]
    [ <=> ] 44,214  32.56K/s
01:32:17 (32.50 KB/s) - `index.html' saved
If you are just interested in headers, pass the --spider option to wget. With this option wget behaves as a Web spider, which means that it will not download the pages, just check that they are there.
$ wget -S --spider http://theos.in/
Other command line tools
UNIX / Linux offers many options. You can try out the good old telnet command, the lynx browser, the curl command and other tools:
$ lynx -head -dump http://theos.in/
$ curl -I http://theos.in/
You can use telnet as follows. HTTP/1.1 requires a Host header; press Enter on an empty line to send the request:
$ telnet theos.in 80
HEAD /index.php HTTP/1.1
Host: theos.in
If you are using Windows or just want to get information on the fly, try the Firefox extension LiveHTTPHeaders. It adds a ‘Headers’ tab in ‘View Page Info’ of a web page. You can also find a tool in the ‘Tools->Web Development’ menu that displays HTTP headers in real time while pages are being downloaded from the Internet or web server. It also allows you to edit request headers and replay a URL (good for testing web app security).
=> Visit project download page here
You can use specialized tools such as WireShark network protocol analyzer or tcpdump for the same purpose.
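Reasons [b] and [c] above (server type and cookies) can be reviewed with a script instead of by eye. The following shell function is an added example, not part of the original article: it reads header output from curl -I or wget -S and reports software banners and cookies missing the HttpOnly or Secure attributes. The function names are hypothetical and the sample headers are constructed.

```shell
#!/bin/sh
# Added example: review response headers for banners and cookie flags
# (function names are hypothetical).

# Constructed sample, modelled on the theos.in response above; the
# X-Powered-By and Set-Cookie lines are invented for illustration.
sample_headers() {
    printf '%s\r\n' \
        'HTTP/1.0 200 OK' \
        'X-Pingback: http://theos.in/xmlrpc.php' \
        'Server: lighttpd' \
        'X-Powered-By: PHP/5.2.0' \
        'Set-Cookie: session=abc123; path=/; HttpOnly' \
        'Set-Cookie: theme=dark; path=/' \
        ''
}

# Reads `curl -I` or `wget -S` header output on stdin; prints one finding per line.
review_headers() {
    tr -d '\r' | awk '
        {
            sep = index($0, ":")
            if (sep == 0) next                    # status line or blank line
            name  = tolower(substr($0, 1, sep - 1))
            value = substr($0, sep + 1)
            gsub(/^[ \t]+/, "", name)             # wget -S indents header lines
            gsub(/^[ \t]+/, "", value)
        }
        name == "server" || name == "x-powered-by" {
            print "INFO banner discloses software: " name ": " value
        }
        name == "set-cookie" {
            cookie = value; sub(/=.*/, "", cookie)
            attrs = tolower(value)
            if (attrs !~ /;[ \t]*httponly/) print "WARN cookie " cookie " lacks HttpOnly"
            if (attrs !~ /;[ \t]*secure/)   print "WARN cookie " cookie " lacks Secure"
        }'
}
```

For a live check, pipe curl -sI output into review_headers; wget -S writes headers to stderr, so add 2>&1 before the pipe.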
Facebook is one of the most famous web 2.0 portals, and its PHP source code was leaked on the Internet. This blog post has posted the index.php home page source code. According to Facebook:
Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way.
However, a misconfigured web server can easily serve PHP source files to all end users.
PHP offers a simple but effective solution: log all errors to a log file. On all production web servers, you must turn off displaying errors to end users via the web browser. Remember that PHP error messages give out lots of information about paths, database schema and other sensitive details. You are strongly advised to use error logging in place of error displaying on production web sites. The idea is quite simple: only developers should be able to see the PHP error log.
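The settings described above map to the php.ini directives display_errors, log_errors and error_log. The following shell function is an added example, not part of the original article: it audits php.ini text for those three directives, shown against a weak and a hardened configuration. The function names, both sample files and the log path are assumptions.

```shell
#!/bin/sh
# Added example: audit php.ini error-handling directives (function names are hypothetical).

# Constructed sample: development-style settings that leak errors to visitors.
weak_ini() {
cat <<'EOF'
[PHP]
display_errors = On
log_errors = Off
EOF
}

# Constructed sample: the production settings the text recommends.
# The log path is an assumption; use any file only developers can read.
hardened_ini() {
cat <<'EOF'
[PHP]
display_errors = Off   ; never show errors in the browser
log_errors = On
error_log = /var/log/php/error.log
EOF
}

# Reads php.ini text on stdin; prints findings, or nothing when the settings are safe.
# Values must be set explicitly so the result does not depend on build defaults.
audit_php_ini() {
    awk '
        /^[ \t]*;/ { next }                      # comment line
        index($0, "=") == 0 { next }             # section header or blank line
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            sub(/[ \t]*;.*$/, "", val)           # trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)   # surrounding blanks and quotes
            conf[tolower(key)] = tolower(val)    # last assignment wins
        }
        END {
            d = conf["display_errors"]; l = conf["log_errors"]
            if (d != "off" && d != "0" && d != "false" && d != "no")
                print "FAIL display_errors is not explicitly Off"
            if (l != "on" && l != "1" && l != "true" && l != "yes")
                print "FAIL log_errors is not explicitly On"
            if (conf["error_log"] == "")
                print "WARN error_log not set; errors go to the SAPI log (web server log or stderr)"
        }'
}
```

The weak sample produces all three findings; the hardened sample produces no output.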