Howtos » apache http://howto.isgoodness.com Stuffs that are worth to mention and worth to know Sun, 27 Feb 2011 16:19:32 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Limit http methods http://howto.isgoodness.com/2009/12/limit-http-methods/ http://howto.isgoodness.com/2009/12/limit-http-methods/#comments Sat, 26 Dec 2009 21:50:46 +0000 Van Nhu http://howto.isgoodness.com/?p=398 I you have an apache server which you only use GET and POST methods I think it is better that you limit the access. Since there are many methods it is more convinient to use the opposite functions, limitExcept. Bellow is an example how it would look like. The limitExcept directive allows only GET and POST. All other request methods will be rejected.

NameVirtualHost xxx.xxx.xxx:80
<VirtualHost xxx.xxx.xxx:80>
        ServerName example.com
 
        DocumentRoot /path/to/doc/root
        <Directory /path/to/doc/root/>
                <LimitExcept POST GET>
                         Require valid-user
                </LimitExcept> 
                Options Indexes MultiViews FollowSymLinks
                Order Allow,Deny
                Allow from all
        </Directory>
...
</VirtualHost>

If you want to deny from the access you can use “Deny from all” instead of “Require valid-user”

]]> http://howto.isgoodness.com/2009/12/limit-http-methods/feed/ 0 Deny requests from specific ips, configured in virtual host http://howto.isgoodness.com/2009/12/deny-requests-from-specific-ips-configured-in-virtual-host/ http://howto.isgoodness.com/2009/12/deny-requests-from-specific-ips-configured-in-virtual-host/#comments Sat, 26 Dec 2009 20:32:40 +0000 Van Nhu http://howto.isgoodness.com/?p=382 Bad thing has hapened to me this holliday. The server has been attacked from serveral ips or more precis they used my server as proxy for attacking other targets. Lucky for me that my server is not configured for this kind of attacks. However, they kept request my server and I wanted that apache would deny all requests from those ips. This one is really tricky. I have configured for denying all except some ips, such as local, but never configured for denying some ips and allow the rest. I started reading apache docs and tried to understand. The result is as following:

NameVirtualHost xxx.xxx.xxx:80
<VirtualHost xxx.xxx.xxx:80>
        ServerName example.com
 
        DocumentRoot /path/to/doc/root
        <Directory /path/to/doc/root/>
                Options Indexes MultiViews FollowSymLinks
                Order Deny,Allow
                Deny from xx.xxx.xxx.xxx
                Deny from xxx.xxx.xxx.xxx
                Deny from ...
                # ips that not matched deny list will be permitted
        </Directory>
...
</VirtualHost>

Be aware that you can not use “Allow from all” in the end since apache deny a request only if it does not match an allow condition. So we have a deny list to match against. Ips that are not matched ips in this list will be permitted.

It says that there are no good way to protect against this kind of attacks. I hope that I can get in touch with those ip-owners and hopefully they can help me.

Some good pages

http://wiki.apache.org/httpd/ProxyAbuse

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html

]]> http://howto.isgoodness.com/2009/12/deny-requests-from-specific-ips-configured-in-virtual-host/feed/ 0 Howto enable ssl and create self-signed ssl certificate http://howto.isgoodness.com/2009/11/howto-enable-ssl-and-create-self-signed-ssl-certificate/ http://howto.isgoodness.com/2009/11/howto-enable-ssl-and-create-self-signed-ssl-certificate/#comments Sun, 15 Nov 2009 14:51:18 +0000 Van Nhu http://howto.isgoodness.com/?p=345 Enable ssl
In my case it was simple. I just ran this line

a2enmod ssl

Generate self-signed ssl certificate
Solution: http://www.akadia.com/services/ssh_test_certificate.html

Just follow instruction carefully. Make sure that i step 2 you need to enter a correct “Common Name”, ie your domain. Step 5 and 6 also different for different distributions and installation …

Summary in case link above is not available anymore:
Step 1: Generate a Private Key

openssl genrsa -des3 -out server.key 1024

Step 2: Generate a CSR (Certificate Signing Request)

openssl req -new -key server.key -out server.csr

Step 3: Remove Passphrase from Key

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

Step 4: Generating a Self-Signed Certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Step 5: Installing the Private Key and Certificate
(or the location you want to store)

cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key

Step 6: Configuring SSL Enabled Virtual Hosts

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Step 7: Restart Apache and Test

New problem:
ssl_error_ssl2_disabled
Solution in ssl.conf:
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
## disabled this one
#SSLProtocol all -SSLv2
## use this instead
SSLProtocol all

See also http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

New problem:
sec_error_untrusted_issuer due to self-signed SSL Certificate
But it is no problem for me since this is for my own usage and test…

]]> http://howto.isgoodness.com/2009/11/howto-enable-ssl-and-create-self-signed-ssl-certificate/feed/ 0