Apache Security Tip: Serve php / cgi file using different file type / extension

Posted on in Categories Apache, FreeBSD, Howto, lighttpd, Linux, Security last updated December 3, 2007

It is possible to serve .php or .cgi / .pl file using different file type / extension name. This will improve security. For example, server .html as .php file, add following to your httpd.conf or .htaccess file:
# serve .html files as php files
AddType application/x-httpd-php .html
# serve .nix files as cgi files
AddType application/x-httpd-cgi .nix

If you are using Lighttpd web server add following to serve php as .html file:
fastcgi.map-extensions = ( ".html" => ".php" )

CentOS 5 Apache 2.2.3 files failing to download or corrupted download file issue

Posted on in Categories Apache, CentOS, File system, lighttpd, Linux, Storage, Tips, Troubleshooting last updated December 1, 2007

Recently, I noticed something strange about Apache 2.2.3 version running on CentOS Linux 5 64 bit version. We have centralized NFS server and all 3 web server load balanced using hardware front end (another box running LVS).

All Apache server picks up file via NFS i.e DocumentRoot is set over NFS. The small file such as 2 MB or 5 MB get downloaded correctly but large size files failed to download. Another problem was some clients reported that the file get download but cannot open due to file corruption issue.

After investigation and a little bit googling I came across the solution. You need to disable following two options:

  • EnableMMAP – This directive controls whether the httpd may use memory-mapping if it needs to read the contents of a file during delivery. By default, when the handling of a request requires access to the data within a file — for example, when delivering a server-parsed file using mod_include — Apache memory-maps the file if the OS supports it.
  • EnableSendfile – This directive controls whether httpd may use the sendfile support from the kernel to transmit file contents to the client. By default, when the handling of a request requires no access to the data within a file — for example, when delivering a static file — Apache uses sendfile to deliver the file contents without ever reading the file if the OS supports it.

However, these two directives are known to have problem with a network-mounted DocumentRoot (e.g., NFS or SMB), the kernel may be unable to serve the network file through its own cache. So just open httpd.conf on all boxes and changes the following:
EnableMMAP off
EnableSendfile off

Just restart the web server and voila!
# service httpd restart

Apache mod_rewrite examples for new Linux / UNIX admin

Posted on in Categories Apache, FreeBSD, Linux, OpenBSD, OS X, UNIX, Windows server last updated September 26, 2007

Apache’s mod_rewrite considered as one of the difficult module to configure and use. This article will lead you through rewrite rules, regular expressions, and rewrite conditions, and provide a great list of examples:

Apache’s low-cost, powerful set of features make it the server of choice for organizations around the world. One of its most valuable treasures is the mod_rewrite module, the purpose of which is to rewrite a visitor’s request URI in the manner specified by a set of rules.

=> Learn Apache mod_rewrite: 13 Real-world Examples

Speed up Apache 2.0 web access or downloads with mod_deflate

Posted on in Categories Apache, CentOS, Debian Linux, High performance computing, Howto, Linux, RedHat/Fedora Linux, Tuning, Ubuntu Linux, UNIX last updated September 13, 2007

You can speed up downloads or web page access time with Apache mod_deflate module. The mod_deflate module provides the DEFLATE output filter that allows output from your server to be compressed before being sent to the client over the network.

This decreases the amount of time and data transmitted over the network, resulting in faster web experience or downloads for visitors.

Make sure mod_deflate included with your Apache server (by default it is now installed with all modern distro).

How can I speed up downloads from my Apache 2.0 server?

Open httpd.conf file using a text editor such as vi:
# vi httpd.conf

Append following line:
LoadModule deflate_module modules/mod_deflate.so

Append following configuration <Location /> directive:
<Location />
AddOutputFilterByType DEFLATE text/html text/plain text/xml

Above line only compress html and xml files. Here is the configuration from one of my production box:
<Location />
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html

Close and save the file. Next restart apache web server. All of the above extension file should compressed by mod_deflate:
# /etc/init.d/httpd restart

You can also specify specific directory and enabling compression only for the html files. For example /static/help/ directory:
<Directory "/static/help">
AddOutputFilterByType DEFLATE text/html

In real life, there are issues with compressing other types of files such as mp3 or images. If you don’t want to compress images or mp3 files, add following to your configuration:
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.avi$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mov$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp3$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp4$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.rm$ no-gzip dont-vary

Please note that this processing takes additional CPU and memory on your server as well as on the client browser. So you must make decision which document you need to compress (thanks to mdxp).

See also:

Configure an Apache web server for core dump on segmentation faults

Posted on in Categories Apache, FreeBSD, Linux, Troubleshooting last updated October 31, 2007

Recently I have noticed that my Apache error log file shows it is generating segmentation faults. After doing little research I came to know that there is not simple solution to find of causes of this problem. I got an error that read as follows:

[Mon May 8 11:20:09 2006] [notice] Apache/2 (WebAppBETA) child pid 1256 exit signal Segmentation fault (11)
[Mon May 8 11:23:12 2006] [notice] Apache/2 (WebAppBETA) child pid 1301 exit signal Segmentation fault (11)

The problem is that our application development team has hacked (aka modified source code) Apache 2.0 source tree for application my company developing. To get rid of this problem I was asked to configure a Linux system so that Apache can dump core files on segmentation faults.

Apache Core Dump

Apache supports CoreDumpDirectory directive. This controls the directory to which Apache attempts to switch before dumping core. So all I need to do is put line as follows in httpd.conf:

Open httpd.conf:
# vi httpd.conf
Add following line main config section:
CoreDumpDirectory /tmp/apache2-gdb-dump
Create a directory /tmp/apache2-gdb-dump:
# mkdir -p /tmp/apache2-gdb-dump
Set permission:
# chown httpd:appserver /tmp/apache2-gdb-dump
# chmod 0777 /tmp/apache2-gdb-dump

Please note that we are using httpd user and group appserver. Please replace it with your actual Apache user:group combination.

And restart the Apache web server:
# /etc/init.d/httpd restart
OR kill Apache PID:
# kill -11 14658
Now you should see core dumps in /tmp/apache2-gdb-dump directory:
# ls /tmp/apache2-gdb-dump

How do I read the core dump files created by Apache on Linux systems?

Well I am not a developer but they are using gdb and other techniques to analyses the core dumps. Read man page of gdb for more information.

I hope that I will get a new patched version of Apache by next week. Another interesting fact I noticed that you need to configure Core Dumps on Linux only. We are also using FreeBSD for testing and it write core dump in the ServerRoot directory.

If Apache starts as root and switches to another user, the Linux kernel disables core dumps even if the directory is writable for the process. Apache (2.0.46 and later) enables core dumps on Linux 2.4 and beyond, but only if you explicitly configure a CoreDumpDirectory. :)