smallseo.info

apache-2.4 interview questions

Top apache-2.4 frequently asked interview questions

How to fix 'logjam' vulnerability in Apache (httpd)

Recently, a new vulnerability in Diffie-Hellman, informally referred to as 'logjam' has been published, for which this page has been put together suggesting how to counter the vulnerability:

We have three recommendations for correctly deploying Diffie-Hellman for TLS:

  1. Disable Export Cipher Suites. Even though modern browsers no longer support export suites, the FREAK and Logjam attacks allow a man-in-the-middle attacker to trick browsers into using export-grade cryptography, after which the TLS connection can be decrypted. Export ciphers are a remnant of 1990s-era policy that prevented strong cryptographic protocols from being exported from United States. No modern clients rely on export suites and there is little downside in disabling them.
  2. Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE). Elliptic-Curve Diffie-Hellman (ECDH) key exchange avoids all known feasible cryptanalytic attacks, and modern web browsers now prefer ECDHE over the original, finite field, Diffie-Hellman. The discrete log algorithms we used to attack standard Diffie-Hellman groups do not gain as strong of an advantage from precomputation, and individual servers do not need to generate unique elliptic curves.
  3. Generate a Strong, Unique Diffie Hellman Group. A few fixed groups are used by millions of servers, which makes them an optimal target for precomputation, and potential eavesdropping. Administrators should generate unique, 2048-bit or stronger Diffie-Hellman groups using "safe" primes for each website or server.

What are the best-practice steps I should take to secure my server as per the above recommendations?


Source: (StackOverflow)

How can I install Apache with a specific version?

Because of Ubuntu updating, I made the mistake to upgrade Apache 2.2 to 2.4—many things went wrong.

I have no idea how to specify the version after apt-get remove apache2. apt-get install apache2 always installs 2.4.

How can I do it?


Source: (StackOverflow)

What does Apache's "Require all granted" really do?

I've just update my Apache server to Apache/2.4.6 which is running under Ubuntu 13.04. I used to have a vhost file that had the following:

<Directory "/home/john/development/foobar/web">
    AllowOverride All 
</Directory>

But when I ran that I got a "Forbidden. You don't have permission to access /"

After doing a little bit of googling I found out that to get my site working again I needed to add the following line "Require all granted" so that my vhost looked like this:

<Directory "/home/john/development/foobar/web">
    AllowOverride All 
    Require all granted
</Directory>

I want to know if this is "safe" and does not bring in any security issues. I read on Apache's page that this "mimics the functionality the was previously provided by the 'Allow from all' and 'Deny from all' directives. This provider can take one of two arguments which are 'granted' or 'denied'. The following examples will grant or deny access to all requests."

But it didn't say if this was a security issue of some sort or why we now have to do it when in the past you did not have to.


Source: (StackOverflow)

How do I redirect subdomains to a different port on the same server?

I have some subdomains I want to redirect to specific ports on the same server. Say I have

dev.mydomain.com 

I want dev.mydomain.com to transparently redirect to mydomain.com:8080 and I want to preserve the original sub-domain name the url of the browser.

How do I do this with Apache 2.2? I have Apache 2.2 running on default port 80. I can't figure out the write configuration to get this to happen.

I have already set up dev.mydomain.com to resolve in DNS to mydomain.com.

This is for an intranet development server that has a non-routable ip address so I am not so concerned about exploits and security that would compromise a publicly facing server.


Source: (StackOverflow)

Apache 2.4 + PHP-FPM + ProxyPassMatch

I recently installed Apache 2.4 on my local machine, together with PHP 5.4.8 using PHP-FPM.

Everything went quite smoothly (after a while...) but there is still a strange error:

I configured Apache for PHP-FPM like this:

<VirtualHost *:80>
    ServerName localhost
    DocumentRoot "/Users/apfelbox/WebServer"
    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/Users/apfelbox/WebServer/$1
</VirtualHost>

It works, for example if I call http://localhost/info.php I get the correct phpinfo() (it is just a test file).

If I call a directory however, I get a 404 with body File not found. and in the error log:

[Tue Nov 20 21:27:25.191625 2012] [proxy_fcgi:error] [pid 28997] [client ::1:57204] AH01071: Got error 'Primary script unknown\n'

Update

I now tried doing the proxying with mod_rewrite:

<VirtualHost *:80>
    ServerName localhost
    DocumentRoot "/Users/apfelbox/WebServer"

    RewriteEngine on    
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/Users/apfelbox/WebServer/$1 [L,P]
</VirtualHost>

But the problem is: it is always redirecting, because on http://localhost/ automatically http://localhost/index.php is requested, because of

DirectoryIndex index.php index.html

Update 2

Ok, so I think "maybe check whether there is a file to give to the proxy first:

<VirtualHost *:80>
    ServerName localhost
    DocumentRoot "/Users/apfelbox/WebServer"

    RewriteEngine on    
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/Users/apfelbox/WebServer/$1 [L,P]
</VirtualHost>

Now the complete rewriting does not work anymore...

Update 3

Now I have this solution:

<VirtualHost *:80>
    ServerName localhost
    DocumentRoot "/Users/apfelbox/WebServer"

    RewriteEngine on    
    RewriteCond /Users/apfelbox/WebServer/%{REQUEST_FILENAME} -f
    RewriteRule ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/Users/apfelbox/WebServer/$1 [L,P]
</VirtualHost>

First check, that there is a file to pass to PHP-FPM (with the full and absolute path) and then do the rewriting.

This does not work when using URL rewriting inside a subdirectory, also it fails for URLs like http://localhost/index.php/test/ So back to square one.


Any ideas?


Source: (StackOverflow)

What is the meaning of "AH00485: scoreboard is full, not at MaxRequestWorkers"?

My Environment

  • CentOS 6.4 X86_64
  • Apache 2.4.4
  • PHP 5.4.16 (FPM)
  • 2 Intel Xeon E5-2620 @ 2.00GHz (8 core, 16 threads in each processor)
  • 48GB RAM registered memory.
  • 3 Hard Disk 15RPM 145GB in RAID0 (by BIO

Interesting Variables

    <IfModule mpm_event_module>
        StartServers             2
        ThreadLimit             196
        MinSpareThreads         96
        MaxSpareThreads        192
        ThreadsPerChild         96
        MaxRequestWorkers      192
        MaxConnectionsPerChild   96
    </IfModule>

Apache Server Status

Server Version: Apache/2.2.4 (Unix) OpenSSL/1.0.1e mod_fastcgi/mod-fastcgi-SNAP-0910052141
Server Built: May 24 2013 16:48:07


Current Time: Monday, 17-Jun-2013 09:48:11 COT
Restart Time: Monday, 17-Jun-2013 08:35:14 COT
Parent Server Config. Generation: 1
Parent Server MPM Generation: 0
Server uptime: 1 hour 12 minutes 57 seconds
Server load: 0.05 0.10 0.09
Total accesses: 14144 - Total Traffic: 349.7 MB
CPU Usage: u.28 s.25 cu0 cs0 - .0121% CPU load
3.23 requests/sec - 81.8 kB/second - 25.3 kB/request
1 requests currently being processed, 191 idle workers

  PID | Connections       | Threads     | Async connections
      | total | accepting | busy | idle | keep-alive | closing
  ==============================================================
18997 | 3     | yes       | 1    | 95   | 0          | 3
18485 | 0     | yes       | 0    | 96   | 0          | 0
  ==============================================================
Sum   | 3     |           | 1    | 191  | 0          | 3

Error Log

The error message is

[Mon Jun 17 09:32:45.680842 2013] [mpm_event:error] [pid 8574:tid 140185091581760] AH00485: scoreboard is full, not at MaxRequestWorkers

This appears every few seconds. I don’t understand it. How can I fix it?


Source: (StackOverflow)

Apache is OK, but what is this in error.log - [mpm_prefork:notice]?

My apache server is running OK without any problems. It also doesn't issue any warning during restart. However, if I examine error.log I can see the following lines repeating from time to time:

[Wed Jun 25 18:15:56.295408 2014] [mpm_prefork:notice] [pid 8817] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4 configured -- resuming normal operations
[Wed Jun 25 18:15:56.295570 2014] [core:notice] [pid 8817] AH00094: Command line: '/usr/sbin/apache2'
[Wed Jun 25 18:26:34.511247 2014] [mpm_prefork:notice] [pid 8817] AH00169: caught SIGTERM, shutting down

What do they say? How can I fix it?


Source: (StackOverflow)

How can you gracefully restart Apache without disconnecting SSL connections?

We are trying to reload Apache gracefully using a command such as:

apache2ctl -k graceful

This works as expected for HTTP users and the Apache config is reloaded without affecting users of the website.

However, we have found that users accessing the server via HTTPS are disconnected during a graceful reload.

How can Apache be gracefully reloaded without affecting SSL connections?

In case it helps, we are using HTTP 2 on Apache 2.4.20.


Source: (StackOverflow)

Using Https between Apache Loadbalancer and backends

I am using an apache (2.4) server configured as loadbalancer in front of 2 apache servers. It works fine when I use http connections between loadbalancer and backends, however using https does not work. The configuration of the loadbalancer:

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
<Proxy balancer://testcluster>
  BalancerMember https://[Backend1]:443/test
  BalancerMember https://[Backend2]:443/test
</Proxy>
ProxyPass /test balancer://testcluster

The backends only have self-signed certificates for now which is why the certificate verification is disabled.

The error-log on the loadbalancer contains the following:

[proxy:error] [pid 31202:tid 140325875570432] (502)Unknown error 502: [client ...] AH01084: pass request body failed to [Backend1]:443 ([Backend1])
[proxy:error] [pid 31202:tid 140325875570432] [client ...] AH00898: Error during SSL Handshake with remote server returned by /test/test.jsp
[proxy_http:error] [pid 31202:tid 140325875570432] [client ...] AH01097: pass request body failed to [Backend1]:443 ([Backend1]) from [...] ()

The error-page in the browser contains:

Proxy Error

The proxy server could not handle the request GET /test/test.jsp.
Reason: Error during SSL Handshake with remote server

As I already stated above changing the configuration to the http protocol and port 80 works. Also https connections between the client and loadbalancer work, so the ssl module of the loadbalancer seems to be setup properly. Connecting directly to the backend via https also does not yield any errors.

Thanks in advance for your time


Edit: I figured it out, the problem is that my certificates common name does not match the server name. I thought SSLProxyVerify none would cause this mismatch to be ignored, but it doesn't. Prior to apache 2.4.5 this check can be disabled using SSLProxyCheckPeerCN off but on higher versions (I am using 2.4.7) SSLProxyCheckPeerName off also needs to be specified.

Apache documentation for sslproxycheckpeername

The working configuration looks like this:

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

<Proxy balancer://testcluster>
  BalancerMember https://[backend1]:443/test
  BalancerMember https://[backend1]:443/test
</Proxy>
ProxyPass /test balancer://testcluster

Unfortunately I can't answer my own question for lack of reputation so I edited my question, I hope this helps anyone who encounters a similar problem


Source: (StackOverflow)

Configuring Apache 2.4 mod_proxy_wstunnel for Socket.IO 1.0

I'm trying to configure Apache 2.4 for proxying the websocket connection for socket.io to a node.js websocket server, using mod_proxy_wstunnel. We had this working fine with socket.io 0.9, but with the 1.0 release they changed the socket endpoint to a query parameter, and now I'm having trouble configuring apache with the correct proxy instructions.

All requests to /socket.io/?EIO=N&transport=websocket (where N is any digit, usually 2) need to be forwarded to ws://localhost:8082/socket.io/, but all other requests need to be forwarded to http://localhost:8082/socket.io/.

I've tried variations of both of the following configs:

ProxyPass /socket.io/?EIO=2&transport=websocket http://localhost:8082/socket.io/?EIO=2&transport=websocket
ProxyPassReverse /socket.io/?EIO=2&transport=websocket http://localhost:8082/socket.io/?EIO=2&transport=websocket

ProxyPass /socket.io/ http://localhost:8082/socket.io/
ProxyPassReverse /socket.io/ http://localhost:8082/socket.io/

.

RewriteRule /socket.io/?EIO=([0-9]+)&transport=websocket ws://localhost:8082/socket.io/ [QSA,P]

ProxyPass /socket.io/ http://localhost:8082/socket.io/
ProxyPassReverse /socket.io/ http://localhost:8082/socket.io/

I've gathered from my googling that ProxyPass and Locations can't target query strings, so is there any other option here? The paths are hard-coded into socket.io, so short of forking the entire library I can't change them.


Source: (StackOverflow)

How can I set up Certificate Transparency if my CA doesn't support it?

I think many of you have actually heard of Google's Certificate Transparency initiative. Now the initiave involves a public log of all certificates issued by some CA. As this is some amount of work, not all CAs have set it up yet. For example StartCom already said that's it hard to set it up from their side and a proper set up will them take months. In the mean time all the EV certificates are "downgraded" to "standard certificates" by Chrome.

Now it was stated that there are three ways of providing the neccessary records to prevent downgrading:

  • x509v3 extensions, clearly only possible to the CA
  • TLS extension
  • OCSP stapling

Now I think that the second and the third require (no?) interaction from the issuing CA.

So the question:
Can I set up certificate transparency support with my apache webserver if my CA doesn't support it and how can I do so if it's possible?


Source: (StackOverflow)

Multi-site hosting - important vulnerability being missed to secure sites from each other?

EDIT #2 July 23, 2015: Looking for a new answer that identifies an important security item missed in the below setup or can give reason to believe everything's covered.

EDIT #3 July 29, 2015: I'm especially looking for a possible misconfiguration like inadvertently permitting something that could be exploited to circumvent security restrictions or worse yet leaving something wide open.

This is multi-site / shared hosting setup and we want to use a shared Apache instance (i.e. runs under one user account) but with PHP / CGI running as each website's user to ensure no site can access another site's files, and we want to make sure nothing's being missed (e.g. if we didn't know about symlink attack prevention).

Here's what I have so far:

  • Make sure PHP scripts run as the website's Linux user account and group, and are either jailed (such as using CageFS) or at least properly restricted using Linux filesystem permissions.
  • Use suexec to ensure that CGI scripts can't be run as the Apache user.
  • If needing server-side include support (such as in shtml files), use Options IncludesNOEXEC to prevent CGI from being able to be run when you don't expect it to (though this shouldn't be as much of a concern if using suexec).
  • Have symlink attack protection in place so a hacker can't trick Apache into serving up another website's files as plaintext and disclosing exploitable information like DB passwords.
  • Configure AllowOverride / AllowOverrideList to only allow any directives that a hacker couldn't exploit. I think this is less of a concern if the above items are done properly.

I'd go with MPM ITK if it wasn't so slow and didn't run as root, but we're specifically wanting to use a shared Apache yet make sure it's done securely.

I found http://httpd.apache.org/docs/2.4/misc/security_tips.html, but it wasn't comprehensive on this topic.

If it's helpful to know, we're planning to use CloudLinux with CageFS and mod_lsapi.

Is there anything else to make sure to do or know about?

EDIT July 20, 2015: People have submitted some good alternate solutions which are valuable in general, but please note that this question is targeted only regarding the security of a shared Apache setup. Specifically is there something not covered above which could let one site access another site's files or compromise other sites somehow?

Thanks!


Source: (StackOverflow)

Upgrade HTTP connection to SSL/TLS

I currently have a server which automatically redirects all HTTP requests to the equivalent HTTPS site. The problem is that is seems like some browsers do not accept the SSL certificate (StartSSL.com) or does not support SNI, therefore they get an Certificate warning and the user won't continue surfing on the website.

Is there any mechanism that tries to make the browser use HTTPS instead of plain HTTP and when that doesn't work (e.g. certificate is no accepted or SNI not supported) it continues using HTTP.

Currently I'm using Apache 2.4 with multiple virtual hosts that all redirect the HTTP connection with Redirect / https://domain.example/.


Source: (StackOverflow)

How To Tune Apache on Ubuntu 14.04 Server

Currently on my Apache 2 (Apache 2.4.7 to be exact) on Ubuntu 14.04, I have this setting:

/etc/apache2/mods-enabled/mpm_prefork.conf

<IfModule mpm_prefork_module>
StartServers                    20
MinSpareServers                 100
MaxSpareServers                 250
MaxRequestWorkers               150
MaxConnectionsPerChild          0
</IfModule>

The server is an 8GB (RAM) Amazon server that does nothing more than load up a three-page signup form for some Google ad campaigns.

I found a script called apachetuneit.sh on the web, but then after awhile the Apache was reporting this error:

[Tue Apr 21 16:45:42.227935 2015] [mpm_prefork:error] [pid 1134] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

How can I judge how to set these settings?

I am asking specifically only for how to tune Apache 2.4 and nothing else. This is why this question is different than this question.


Source: (StackOverflow)

Is it possible to set an SSLProtocol in Apache for a single VirtualHost (poodle)?

I'm trying to test a patch for the poodle vulnerability that involves disabling SSLv3 on my web server. In order to test this on a non-production environment first, I'm setting the SSLProtocol on a VirtualHost for a different test server. My config looks something like this:

<VirtualHost *:443>
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    ServerName test.mysite.com
    # bunch of other stuff omitted
</VirtualHost>

However even after restarting apache my test site is still claimed to be vulnerable. Is this expected to work? I'm wondering if I have to set it in the global ssl config or whether there's something else subtle that's causing the setting not to take and/or work.


Source: (StackOverflow)