Archive for the ‘Webserver’ Category

Apache mod_security settings for WordPress and ModX

Monday, January 7, 2013 posted by Till

If you use the apache mod_security module on your apache server, you might encounter wrong 403 errors for several URL's of the cms systems. Here are some exception rules to avoid that:

For WordPress Blogs

<locationmatch "/wp-admin/admin-ajax.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</locationmatch>

<locationmatch "/wp-admin/page.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</locationmatch>

<locationmatch "/wp-admin/post.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</locationmatch>

For the ModX CMS

<LocationMatch "/manager/index.php">
SecRuleRemoveById 300016
</LocationMatch>

<LocationMatch "/connectors/resource/index.php">
SecRuleRemoveById 300013 300014 300015 300016
</LocationMatch>

<LocationMatch "/connectors/element/tv.php">
SecRuleRemoveById 300013 300016
</LocationMatch>

Add these rules inside the vhost file of the website. If you use ISPConfig to manage the server, then add the rules in the apache directives field of the website settings in ispconfig.

Many thanks to PlanetFox for providing the rules.

If you get a 500 error in a webpage hosted on Debian Linux (6.0) with apache webserver and fastcgi, take a look into the apache error.log file. This can either be the global error.log or the error.log of the website where you got the error. If you find a error similar to this one:

[Fri Apr 10 15:18:05 2012] [warn] [client 192.168.0.55] mod_fcgid: HTTP request length 134926 (so far) exceeds MaxRequestLen (131072), referer: http://www.example.tld/administrator/index.php?option=com_installer

then the MaxRequestLen setting of mod_fccgid is too low. To fix that, edit the file /etc/apache2/mods-available/fcgid.conf

vi /etc/apache2/mods-available/fcgid.conf

and add or edit the line "MaxRequestLen 15728640" to set the Request Limit to 15MB. The resulting file should contain these settings:

AddHandler fcgid-script .fcgi
FcgidConnectTimeout 20
MaxRequestLen 15728640

Save the changes and restart apache:

/etc/init.d/apache2 restart

Apache mod-security installation on Debian 6.0 (squeeze)

Monday, January 2, 2012 posted by Till

Install the apache mod-security 2 module with apt from the Debian repositories

apt-get install libapache-mod-security

Create the folder for the mod-security configuration files

mkdir /etc/apache2/mod-security
chmod 600 /etc/apache2/mod-security

Download and unpack the mod-security rules

cd /tmp
wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
tar fvx modsecurity-core-rules_2.5-1.6.1.tar.gz
mv *.conf /etc/apache2/mod-security/
ln -s /var/log/apache2 /etc/apache2/logs

Configure apache to load the activated mod-security rules

vi /etc/apache2/conf.d/mod-security.conf

Include /etc/apache2/mod-security/*.conf

To enable mod-security, edit the file

vi /etc/apache2/mod-security/modsecurity_crs_10_config.conf

and remove the # in front of the line:

SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

Then reload apache.

/etc/init.d/apache2 force-reload

Mod security will now start to block hack attempts to your websites and log the actions in the file /var/log/apache2/modsec_audit.log.

tail /var/log/apache2/modsec_audit.log

You will see very likely some falsely blocked URL's. To whitelist them, you can add the ID's of the rules that should not be used in the whitelist file.

Example:

vi /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf

SecRuleRemoveById 960015
SecRuleRemoveById 960016

nginx server error: 413 Request Entity Too Large

Monday, November 21, 2011 posted by Till

The nginx webserver has a max. body size limit of 1 MB for requests as default. This might be too low for file uploads in scripts and you will see the following error message when you try to upload a file:

 413 Request Entity Too Large

The configuration variable for this option is "client_max_body_size" and it can be set in the http, server and location sections of the nginx configuration file. To set the Limit globally to 25 MB, edit the nginx.conf file and add:

client_max_body_size 20M;

in the http section.

Example for Ubuntu Linux:

user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
        geoip_country  /etc/nginx/geoip/GeoIP.dat; # the country IP database
        geoip_city     /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        client_max_body_size 20M;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

The webalizer package in Debain 6 has currently small bug as the required package for the  GeoIP database is not installed automatically when webalizer is isntalled. The symptoms are that webalizer statistics are not created and this error message is displayed when webalizer is run:

Error Opening file /usr/share/GeoIP/GeoIP.dat

The solution is to install the missing package manually:

apt-get install geoip-database

When you reorganize the structure of a website, you might want to redirect requests to files in a old folder to a new one without loosing the pagerank. In this example, I will redirect all requests from directory "olddir" to directory "newdir", so that requests like http://www.yourdomain.tld/olddir/page.htm get redirected to http://www.yourdomain.tld/newdir/page.htm without loosing the Google pagerank of the pages.

The following rewrite rules can be added into a .htaccess file in the website directory or in the vhost configuration.

RewriteEngine on
RewriteRule ^olddir/(.*)$ newdir/$1 [R=301,L]

This rewrite rule redirects automatically all requests to pages or subdirectorys of "olddir" to the same page or subdirectory in "newdir".

The following guide explains the installation of the apache module "mod_evasive". Mod_evasive tracks the number of requests of files at the apache webserver and blocks the delivery in case that a certain limit has been reached.

Installation

apt-get install libapache2-mod-evasive

Create the log directory for mod_evasive

mkdir -p /var/log/apache2/evasive
chown -R www-data:root /var/log/apache2/evasive

Now we add the configuration for the module at the end of the file /etc/apache2/mods-available/mod-evasive.load

vi /etc/apache2/mods-available/mod-evasive.load

so that it looks like this:

LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 5
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir "/var/log/apache2/evasive"

and restart apache:

/etc/init.d/apache2 restart

To change the language of the website statistics generated by AWStats on a Debian Linux server to e.g. german (de), edit the /etc/awstats/awstats.conf file:

nano /etc/awstats/awstats.conf

and change the value of the "Lang" variable. To change the languge to e.g. German, cahnge:

Lang="auto"

to

Lang="de"

The website statistics are generated nightly on a ISPConfig 3 server, so it may take up to 24 hours until the statistics will show up in German language.

Thanks to PlaNet Fox for this FAQ.

How to solve the PHP XCache error: /dev/zero: No space left on device

Wednesday, September 1, 2010 posted by Till

If you get the error "/dev/zero: No space left on device" in the apache error.log on a OpenVZ virtual machine, then the shared memory size in the xcache.ini is too high or the xcache.mm_path is set wrong.

Edit the file /etc/php5/conf.d/xcache.ini

vi /etc/php5/conf.d/xcache.ini

and check the mm_path. On a OpenVZ virtual machine it should be set to "/tmp/xcache" as /dev/zero might not work correctly in a virtual machine:

xcache.mmap_path = "/tmp/xcache"

Then restart apache2:

/etc/init.d/apache2 restart

and check if the error has been resolved.

If the roor still occurs after some time, you will have to reduce the xcache.size.

Edite the xcache.ini file:

vi /etc/php5/conf.d/xcache.ini

and set xcache.size to e.g. 8 MB

xcache.size  =                8M

Then restart apache2:

/etc/init.d/apache2 restart

How to enable the new multisite feature in WordPress 3.0

Sunday, June 20, 2010 posted by Till

If you recently updated to or installed WordPress 3.0, you might wonder where the menu for Multisite feature is. By default, these new functions are disabled after a WordPress update, to enable them, edit the file wp-config.php and add the line

define(‘WP_ALLOW_MULTISITE’, true);

On your next login, you will see a new menu labeled "Super Admin" which contains the functions to add new sites to wordpress.