Archive for the ‘Webserver’ Category
How to disable Apache mod_security for a website in ISPConfig 3.
If you use mod_security on your server you might encounter that a website script is not compatible with mod_security. To disable mod_security (v2) for a website, add the following code into the apache directives field:
SecRuleEngine Off
For the older mod_security 1 version, use these configuration directives:
SecFilterEngine Off
Thanks to Planetfox for this tipp.
How to force caching headers with apache and squid reverse proxy
If you use a squid reverse proxy in front of your apache webserver to reduce the load, it might happen that pages are not cached correctly because the website script running on the apache webserver sends wrong caching headers. I had this problem with a wordpress install, wordpress had always send pragma no-cache headers with the pages so squid reported a cache miss for every page request. A simple solution for this is to use apache mod_headers to delete the no chache header and replace it with a header for 10 minute cache period.
First, ensure that mod_herders is enabled. To do this in Debian and Ubuntu, run the command:
a2enmod headers
Then create a .htaccess file in the website root directoyr which contains the following lines:
Header unset Pragma
Header set Cache-Control “must-revalidate, max-age=0, s-maxage=600″
Header set Vary “Accept-Encoding”
How to use a custom php.ini with suphp
To use a custom php.ini file with SuPHP for a website, you can define the path to the php.ini file in a .htaccess file or in the apache vhost like this:
suPHP_ConfigPath /home/websites/domain.tld/
Then add a php.ini file in the directory /home/websites/domain.tld/ which may be a copy of the global php.ini were you just changed a few settings or an empty file were you add only the settings that shall be overridden in the global PHP configuration.
If you use ISPConfig 2 or 3, you can add the suPHP_ConfigPath setting also in the apache directives field of the website in ISPConfig.
Redirect a subdomain with apache mod_rewrite and keep the URL in the address bar
If you want to redirect a subdomain like sub.domain.tld into a subdirectory of the website and keep the original URL in the browser location bar, you may use the following apache directives.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^sub.domain.tld [NC]
RewriteRule ^/(.*)$ /sub/$1 [L]
This rewrite rule can be added into a .htaccess file in the website root or inside the vhost file. If you use ISPConfig 2 or 3, you can add this also into the apache directives field in the website settings.
Replace sub.domain.tld with the subdomain that shall be redirected and /sub/ with the path to the directory were the pages for this subdomain are located.
Redirect domains without www (e.g. domain.com) to www.domain.com with apache rewrite rules
If all your visitors shall access your website with a URL like www.domain.com and not without www, use the following apache rewrite rule for redirecting them.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www
RewriteRule (.*) http://www.%{HTTP_HOST}$1 [L,R]
The apache rewrite rule can be added in a .htaccess file in the website root directory or if you use ISPConfig 2 or 3, you can also add the rwrite rule into the apache directives field of the website.
How to redirect an HTTP connection to HTTPS in apache webserver
Http connections can be redirected to https with the apache mod_rewrite module, which should be available in every apache installation. Create a file with the name .htaccess in the website root directory which contains the following lines:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
If you use ISPConfig 2 or 3, you can add these lines also in the apache directives field of the website settings form instead of adding them to a .htaccess file. But the approach with the .htaccess file will work on ISPConfig as well.
How to add a root SSL certificate in ISPConfig 2
Most SSL authorities (like godaddy or instantssl) send you a root certificate which has to be installed beside the SSL certificate to proove that the SSL cert is signed from a trusted authority. To add such a root SSL certificate in ISPConfig, copy the file to the ssl subfolder of the website and then add this line into the apache directives field of the website in ISPConfig:
SSLCACertificateFile /var/www/www.yourdomain.tld/ssl/ca.txt
The path to the root certificate file has to be changed to match the path on your system.
Change the language of webalizer statistics on Debian and Ubuntu Linux
The language of the generated webslizer statistics is statically compiled into the webalizer binary. To change the language, webalizer has to be recompiled. In the following example, I will recompile webalizer to change the language to german.
Uninstall webalizer and install the GD library:
apt-get remove webalizer
apt-get install libgd2-xpm-dev
Download the latest webalizer sources and uncompress the tar archive:
cd /tmp
wget http://archive.mgm51.com/mirrors/webalizer-files/webalizer-2.01-10-src.tgz
tar xzf webalizer-2.01-10-src.tgz
cd webalizer-2.01-10
Reconfigure and compile webalizer
./configure –with-language=german
make
make install
Create a symlink so that other applications find the webalizer binary in the common place
ln -s /usr/local/bin/webalizer /usr/bin/webalizer
Cleanup
rm -f /tmp/webalizer-2.01-10-src.tgz
rm -rf /tmp/webalizer-2.01-10
Thanks to planet_fox for this FAQ.
How to access a namebased website without a DNS record
If you want to access a namebased website that you created e.g. in ISPConfig before the DNS records are setup, edit the hosts file on your workstation computer and add a line like this:
192.168.0.100 www.mydomain.com
Replace the IP address with the IP of your server and www.mydomain.com with the domain name of the website.
The hosts file on linux and MAC systems is /etc/hosts, on Windows systems the hosts file is C:\Windows\system32\drivers\etc\hosts
The above trick also works if you want to run a website in your internal network (intranet) without having a DNS server availalble for local dns resolving.
Set stricter PHP settings to secure joomla and wordpress installations
If you run a joomla or wordpress installation with mod_php, the following settings in the vhost configuration file or the “Apache directives” field in ISPConfig can be used to set stricter securitypolicys. This helps limit the impact of a possible hack to this websiteand protect the other sites on the server.
php_admin_value disable_functions “show_source system shell_exec passthru exec phpinfo popen proc_open”
php_admin_flag allow_url_fopen Off
php_admin_value session.save_path “/var/www/webXXX/phptmp/”
php_admin_value open_basedir “/var/www/webXXX/:/tmp”
Explanation
disable_functions disables functions that have a potential security impact e.g. because they allow the execution of external applications.
allow_url_fopen disables the ablity to open files via an URL.
session.save_path sets the path were php stores its session files. For ISPConfig 2, the path is e.g. “/var/www/webXXX/phptmp/” and for ISPConfig 3 the path is like “/var/www/clients/client1/web1/tmp/” If you dont use ISPConfig, set this path to a directory which is writable for the webserver user. the directory should be unique for every website.
open_basedir sets the path were php scripts are allowed to open files. For ISPConfig 2, the path is like “/var/www/webXXX/” and for ISPConfig 3 the path is like “/var/www/clients/client1/web1/” If you dont use ISPConfig, set this path to a the root directory of this vhost. With :/tmp we allow php scripts to use also the /tmp directory of the server.