FAQforge » apache

Apache mod-security installation on Debian 6.0 (squeeze)

Till — Mon, 02 Jan 2012 11:20:06 +0000

Install the apache mod-security 2 module with apt from the Debian repositories

apt-get install libapache-mod-security

Create the folder for the mod-security configuration files

mkdir /etc/apache2/mod-security
chmod 600 /etc/apache2/mod-security

Download and unpack the mod-security rules

cd /tmp
wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
tar fvx modsecurity-core-rules_2.5-1.6.1.tar.gz
mv *.conf /etc/apache2/mod-security/
ln -s /var/log/apache2 /etc/apache2/logs

Configure apache to load the activated mod-security rules

vi /etc/apache2/conf.d/mod-security.conf

Include /etc/apache2/mod-security/*.conf

To enable mod-security, edit the file

vi /etc/apache2/mod-security/modsecurity_crs_10_config.conf

and remove the # in front of the line:

SecDefaultAction “phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace”

Then reload apache.

/etc/init.d/apache2 force-reload

Mod security will now start to block hack attempts to your websites and log the actions in the file /var/log/apache2/modsec_audit.log.

tail /var/log/apache2/modsec_audit.log

You will see very likely some falsely blocked URL’s. To whitelist them, you can add the ID’s of the rules that should not be used in the whitelist file.

Example:

vi /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf

SecRuleRemoveById 960015
SecRuleRemoveById 960016

Webalizer: Error Opening file /usr/share/GeoIP/GeoIP.dat on Debian Linux

Till — Tue, 25 Oct 2011 14:06:44 +0000

The webalizer package in Debain 6 has currently small bug as the required package for the GeoIP database is not installed automatically when webalizer is isntalled. The symptoms are that webalizer statistics are not created and this error message is displayed when webalizer is run:

Error Opening file /usr/share/GeoIP/GeoIP.dat

The solution is to install the missing package manually:

apt-get install geoip-database

Redirect http requests to a new folder with apache rewrite rules

Till — Fri, 12 Aug 2011 08:21:59 +0000

When you reorganize the structure of a website, you might want to redirect requests to files in a old folder to a new one without loosing the pagerank. In this example, I will redirect all requests from directory “olddir” to directory “newdir”, so that requests like http://www.yourdomain.tld/olddir/page.htm get redirected to http://www.yourdomain.tld/newdir/page.htm without loosing the Google pagerank of the pages.

The following rewrite rules can be added into a .htaccess file in the website directory or in the vhost configuration.

RewriteEngine on
RewriteRule ^olddir/(.*)$ newdir/$1 [R=301,L]

This rewrite rule redirects automatically all requests to pages or subdirectorys of “olddir” to the same page or subdirectory in “newdir”.

Prevent DOS attacks on apache webserver for DEBIAN linux with mod_evasive

Till — Mon, 07 Mar 2011 13:23:21 +0000

The following guide explains the installation of the apache module “mod_evasive”. Mod_evasive tracks the number of requests of files at the apache webserver and blocks the delivery in case that a certain limit has been reached.

Installation

apt-get install libapache2-mod-evasive

Create the log directory for mod_evasive

mkdir -p /var/log/apache2/evasive
chown -R www-data:root /var/log/apache2/evasive

Now we add the configuration for the module at the end of the file /etc/apache2/mods-available/mod-evasive.load

vi /etc/apache2/mods-available/mod-evasive.load

so that it looks like this:

LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 5
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir “/var/log/apache2/evasive”

and restart apache:

/etc/init.d/apache2 restart

Apache webserver: redirect requests for domain.com to www.domain.com

Till — Mon, 22 Mar 2010 13:24:53 +0000

Many webmasters want to redirect users that access their websites with “domain.tld” automatically to “www.domain.tld”. If you use the Apache web server, you can do this by using Apache rewrite rules.

Add a .htaccess file with the following content in the root directory of the website:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.domain\.com
RewriteRule (.*) http://www.domain.com/$1 [L,R=301]

If you use ISPConfig as hosting control panel, you can add these rules also in the Apache directives field of the website instead of a .htaccess file

Get a list of all virtual hosts which are defined in all apache configuration files

Till — Thu, 11 Mar 2010 15:26:46 +0000

Have you ever searched where the virtual host of a website is defined in the apache config files? There is a handy option of the apache2ctl script which might help then. When you run the command:

apache2ctl -S

on the shell, you will get a list of all virtual hosts and default servers incl. the line number where it is defined. Example:

~# apache2ctl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:8080                 is a NameVirtualHost
default server ispconfig.local (/etc/apache2/sites-enabled/000-ispconfig.vhost:10)
port 8080 namevhost ispconfig.local (/etc/apache2/sites-enabled/000-ispconfig.vhost:10)
*:8081                 is a NameVirtualHost
default server ispconfig.local (/etc/apache2/sites-enabled/000-apps.vhost:10)
port 8081 namevhost ispconfig.local (/etc/apache2/sites-enabled/000-apps.vhost:10)
*:80                   is a NameVirtualHost
default server ispconfig.local (/etc/apache2/sites-enabled/000-default:1)
port 80 namevhost ispconfig.local (/etc/apache2/sites-enabled/000-default:1)
port 80 namevhost example.com (/etc/apache2/sites-enabled/example.com.vhost:7)
Syntax OK

Thanks to Planetfox for this tipp.

How to disable Apache mod_security for a website in ISPConfig 3.

Till — Wed, 10 Mar 2010 14:59:06 +0000

If you use mod_security on your server you might encounter that a website script is not compatible with mod_security. To disable mod_security (v2) for a website, add the following code into the apache directives field:

SecRuleEngine Off

For the older mod_security 1 version, use these configuration directives:

SecFilterEngine Off

Thanks to Planetfox for this tipp.

How to force caching headers with apache and squid reverse proxy

Till — Tue, 02 Mar 2010 16:53:08 +0000

If you use a squid reverse proxy in front of your apache webserver to reduce the load, it might happen that pages are not cached correctly because the website script running on the apache webserver sends wrong caching headers. I had this problem with a wordpress install, wordpress had always send pragma no-cache headers with the pages so squid reported a cache miss for every page request. A simple solution for this is to use apache mod_headers to delete the no chache header and replace it with a header for 10 minute cache period.

First, ensure that mod_herders is enabled. To do this in Debian and Ubuntu, run the command:

a2enmod headers

Then create a .htaccess file in the website root directoyr which contains the following lines:

Header unset Pragma
Header set Cache-Control “must-revalidate, max-age=0, s-maxage=600″
Header set Vary “Accept-Encoding”

How to use a custom php.ini with suphp

Till — Mon, 19 Oct 2009 14:45:37 +0000

To use a custom php.ini file with SuPHP for a website, you can define the path to the php.ini file in a .htaccess file or in the apache vhost like this:

suPHP_ConfigPath /home/websites/domain.tld/

Then add a php.ini file in the directory /home/websites/domain.tld/ which may be a copy of the global php.ini were you just changed a few settings or an empty file were you add only the settings that shall be overridden in the global PHP configuration.

If you use ISPConfig 2 or 3, you can add the suPHP_ConfigPath setting also in the apache directives field of the website in ISPConfig.

Redirect a subdomain with apache mod_rewrite and keep the URL in the address bar

Till — Fri, 16 Oct 2009 09:11:09 +0000

If you want to redirect a subdomain like sub.domain.tld into a subdirectory of the website and keep the original URL in the browser location bar, you may use the following apache directives.

RewriteEngine on
RewriteCond %{HTTP_HOST} ^sub.domain.tld [NC]
RewriteRule ^/(.*)$ /sub/$1 [L]

This rewrite rule can be added into a .htaccess file in the website root or inside the vhost file. If you use ISPConfig 2 or 3, you can add this also into the apache directives field in the website settings.

Replace sub.domain.tld with the subdomain that shall be redirected and /sub/ with the path to the directory were the pages for this subdomain are located.