Category Archives: Apache

cPanel – Install Nginx + Varnish alongside Apache !

Nginx is a fast, low-footprint web server compared with the Apache build that cPanel ships by default, and it is widely used in front of WordPress hosting for exactly that reason.

In this setup Nginx does not replace Apache: it sits in front of it on the cPanel server as a reverse proxy and hands the requests it cannot answer itself back to Apache. The integration is done with the 'Nginx Admin' cPanel plugin.

Use the following steps to install it on a cPanel server. Note that the installer below is fetched over plain HTTP and runs as root, so verify the archive against a checksum you obtained out-of-band before executing it:

1 ) Download the source files :

# cd /usr/local/src
# wget http://nginxcp.com/latest/nginxadmin.tar
# tar xf nginxadmin.tar
# cd publicnginx

2) Generate a Remote Access Key.

Log in to WHM, go to Clusters > Remote Access Key, and click Generate New Key. The installer uses this key to talk to the cPanel API.

3) Run the script

# ./nginxinstaller install

This Nginx installation method integrates with WHM/cPanel and uses the Apache configuration files that WHM/cPanel uses by default.

After installation you can go to WHM, Plugins, and Nginx Admin to handle Nginx. From there you can restart Nginx, edit the configuration files, view logs, and more.

Nginx Admin hooks the Apache init script, so you can also restart Nginx from the command line with the usual Apache command:

# /etc/init.d/httpd restart

Now lets move ahead with the installation of Varnish.

Varnish is a caching reverse HTTP proxy (a "web accelerator") placed in front of the web server to improve performance.

The first time a page is requested, Varnish stores a copy of the response the web server produced. Later requests for the same page are answered from that copy, so the web server is rarely hit for frequently requested pages, which is where the performance gain comes from. With the default VCL, requests that carry a Cookie header and responses that set cookies are passed through uncached, so for logged-in or session-heavy PHP sites the hit rate stays low until the VCL is tuned.

Before going further, move Apache off port 80 so Varnish can take it. In /usr/local/apache/conf/httpd.conf change

Listen 0.0.0.0:80

to

Listen 0.0.0.0:8081

and restart the web service. Two things to check here: Nginx Admin has already put nginx in front of Apache on port 80, so confirm what currently holds that port (netstat -lntp) before you start Varnish on it; and binding Apache to 0.0.0.0:8081 leaves it reachable from the Internet directly, bypassing whatever you put in front of it. Either bind it to 127.0.0.1:8081 (and point the Varnish backend .host at 127.0.0.1) or block port 8081 from outside in the firewall.

Now, lets download and install the Varnish !

1) Add the repository (check your OS version; the URL below is for CentOS / RHEL 5.x):

# wget http://repo.varnish-cache.org/redhat/varnish-3.0/el5/noarch/varnish-release/varnish-release-3.0-1.noarch.rpm

# rpm -Uvh varnish-release-3.0-1.noarch.rpm

2) Install the service :

# yum install varnish

3) Edit the configuration file for varnish – /etc/sysconfig/varnish and change the value of VARNISH_LISTEN_PORT to 80

# grep VARNISH_LISTEN_PORT /etc/sysconfig/varnish
VARNISH_LISTEN_PORT=80
4) Edit the Varnish configuration, /etc/varnish/default.vcl, and set the backend port to 8081 (the port Apache is now bound to):

backend default {
    .host = "YOUR IP ADDRESS";
    .port = "8081";
}

5) Start Varnish service on your server

# chkconfig varnish on

# service varnish start

You are done with installing Nginx and varnish in your cPanel server, which should improve your speed and performance.
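A wiring check for the setup above, added here as an example and not part of the original post or of the Nginx Admin / Varnish projects. It reads the three files the steps edit (httpd.conf, /etc/sysconfig/varnish, default.vcl), confirms that Varnish is on 80, that Apache has moved off 80, that the VCL backend port matches Apache's Listen port, and warns when Apache is bound to all interfaces, because then clients can skip the proxy by connecting to 8081 directly. The sample configs it writes are constructed to match the post; the file paths are parameters so it can be run on copies.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check the Varnish -> Apache
# port wiring. Defaults are the paths used in the post; pass copies to test.
#
#   Varnish :80  -->  Apache :8081   (VCL backend .port must equal Apache's Listen)

# check_proxy_chain HTTPD_CONF VARNISH_SYSCONFIG DEFAULT_VCL
# Prints one OK/WARN/FAIL line per check; returns 1 if any check FAILs.
check_proxy_chain() {
    httpd_conf=${1:-/usr/local/apache/conf/httpd.conf}
    sysconfig=${2:-/etc/sysconfig/varnish}
    vcl=${3:-/etc/varnish/default.vcl}
    rc=0

    # First Listen directive, either "Listen 8081" or "Listen 0.0.0.0:8081"
    listen=$(awk '$1 == "Listen" { print $2; exit }' "$httpd_conf")
    apache_port=${listen##*:}
    apache_addr=${listen%:*}
    if [ "$apache_addr" = "$listen" ]; then apache_addr="0.0.0.0"; fi

    varnish_port=$(sed -n 's/^VARNISH_LISTEN_PORT=//p' "$sysconfig" | tail -n 1)
    backend_port=$(sed -n 's/^[[:space:]]*\.port[[:space:]]*=[[:space:]]*"\([0-9]*\)".*/\1/p' "$vcl" | head -n 1)

    if [ "$varnish_port" = "80" ]; then
        echo "OK:   Varnish listens on 80"
    else
        echo "FAIL: VARNISH_LISTEN_PORT is '${varnish_port:-unset}', expected 80"; rc=1
    fi

    if [ -n "$apache_port" ] && [ "$apache_port" != "80" ]; then
        echo "OK:   Apache moved off port 80 (Listen $listen)"
    else
        echo "FAIL: Apache still listens on 80 (or no Listen found); Varnish cannot bind"; rc=1
    fi

    if [ -n "$backend_port" ] && [ "$backend_port" = "$apache_port" ]; then
        echo "OK:   VCL backend .port $backend_port matches Apache"
    else
        echo "FAIL: VCL backend .port is '${backend_port:-unset}', Apache listens on '${apache_port:-unset}'"; rc=1
    fi

    # Apache on 0.0.0.0:8081 is reachable directly, so caching, rate limits and
    # firewall rules keyed on port 80 can all be bypassed by talking to 8081.
    case "$apache_addr" in
        0.0.0.0|\*|"[::]")
            echo "WARN: Apache bound to $apache_addr:$apache_port; clients can bypass Varnish by connecting to that port" ;;
        *)
            echo "OK:   Apache bound to $apache_addr only" ;;
    esac

    return $rc
}

# Constructed sample files matching the post's configuration (203.0.113.10 is a
# documentation address standing in for "YOUR IP ADDRESS").
write_sample_configs() {
    dir=$1
    printf 'ServerRoot "/usr/local/apache"\nListen 0.0.0.0:8081\n' > "$dir/httpd.conf"
    printf 'VARNISH_LISTEN_PORT=80\nVARNISH_STORAGE_SIZE=256M\n' > "$dir/varnish"
    printf 'backend default {\n    .host = "203.0.113.10";\n    .port = "8081";\n}\n' > "$dir/default.vcl"
}

# Live use on the server: sh check_proxy_chain.sh   (no arguments = real paths)
if [ "$#" -gt 0 ]; then
    check_proxy_chain "$@"
fi
```

Run it after step 5 and before announcing the site as done; a FAIL on the backend port is the classic cause of Varnish returning 503 for every request, and the WARN is the one most people leave in place.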

 

cPanel – Install Google mod_pagespeed module for Apache

“mod_pagespeed is an open-source Apache module created by Google to help Make the Web Faster by rewriting web pages to reduce latency and bandwidth” – http://modpagespeed.com/

To add this module to Apache on a cPanel server, follow these steps:

Note : This is meant for Apache 2.2.x versions.

1) Clone the installation scripts to the server :

# /usr/local/cpanel/3rdparty/bin/git clone https://github.com/pagespeed/cpanel.git /tmp/pagespeed/

2) Pack the custom opt mod into a tar.gz so that the EasyApache script detects it:

# cd /tmp/pagespeed/Easy
# tar -zcvf Speed.pm.tar.gz pagespeed

3) Move the custom mod to the directory EasyApache scans (create it if it does not exist yet):

# mkdir -p /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/
# mv Speed.pm Speed.pm.tar.gz -t /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/

4) Remove the cloned repository from /tmp:

# cd && rm -rf /tmp/pagespeed

Now log in to WHM > EasyApache and look for the "mod_pagespeed" option in the short list of Apache modules. Select it, make sure the Deflate and Version modules are enabled as well, and recompile Apache. PageSpeed is then active.

– The default conf file will be under – /usr/local/apache/conf/

– Refer to these sites to customise the configuration:

https://developers.google.com/speed/pagespeed

modpagespeed.com

 

mod_ruid2 – Issues in mutual exclusion ?

mod_ruid2 makes Apache handle every request for a domain as the user who owns that domain, rather than as the shared web server user. The goal is the same as with suexec or mod_suphp.

With mod_ruid2 enabled, the default System V semaphore used as Apache's accept mutex belongs to the user Apache started as, and a child that has switched to a vhost owner can no longer lock it. Any script that needs that mutual exclusion then triggers errors from Apache.

You might find something like this in the Apache error logs :

Date [emerg] (13)Permission denied: couldn't grab the accept mutex
Date [alert] Child xxx returned a Fatal error... Apache is exiting!
Date [emerg] (43)Identifier removed: couldn't grab the accept mutex

To fix this, edit '/usr/local/apache/conf/mod_ruid2.conf' and add the following line (this is the Apache 2.2 directive; on Apache 2.4 it is spelled Mutex posixsem default):

AcceptMutex posixsem

Restart the httpd service and watch the error log to confirm the messages have stopped.

 

Should I enable/disable mod_gzip in my server ?

mod_gzip is a third-party extension module for Apache that compresses responses with gzip, significantly reducing the volume of page content sent to clients.

Disabling mod_gzip has advantages as well as disadvantages. On the plus side you save space in /tmp, and the server uses less CPU because responses are no longer compressed before being sent. mod_gzip is also known to leave work files behind in /tmp and other locations; the file count in those directories can reach thousands, and once the filesystem runs out of inodes the effect is the same as a full /tmp: the OS can no longer create new files there.

The main disadvantage of disabling it is bandwidth: uncompressed responses are larger, which matters when your bandwidth is metered or constrained. Note that on Apache 2.x the bundled mod_deflate provides the same compression in memory, without a work directory, and is the usual replacement. Weigh the trade-off for your own server.

DDoS protection guide – Part 1

What is a DDoS attack ?

DDoS, short for Distributed Denial of Service, is a DoS attack in which many compromised systems, usually machines infected with a Trojan or other bot malware, are pointed at a single target. The victims are both the targeted system and every system the attacker has hijacked to take part in the attack.

In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address.

A large DDoS cannot be fully absorbed by the target server itself, but the following steps make a server considerably more resilient to the smaller floods that actually hit most hosting boxes.

=====================================

CSF firewall can be fine tuned as follows :

On a cPanel server go to WHM >> Plugins >> ConfigServer Security & Firewall >> Firewall Configuration. Without WHM, install CSF and set the same option in /etc/csf/csf.conf:

Connection Tracking (CT_LIMIT): enables tracking of all connections from each IP address to the server. If the total number of connections from one IP exceeds this value, that IP is blocked. This helps against some types of DoS attack; set it high enough that offices behind a single NAT address and legitimate crawlers are not caught.

=====================================

If the server seems slow, check how many connections each remote address has open with the following command (grep needs -E here: in basic regular expressions the bar is a literal character, so grep 'tcp|udp' matches nothing):

# netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

As a preliminary step, block the IPs that do not look legitimate and are hammering the server, using csf (for example csf -d IP "reason").
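The netstat pipeline above, as a reusable function and added here as an example (not part of the original post). It reads netstat -anp output from a file, ignores listening sockets and wildcard addresses, strips the port in a way that also works for IPv6, and prints only the addresses at or above a threshold, which is what you would feed to csf -d. The sample capture is constructed for this example; the threshold and the file path are parameters.

```sh
#!/bin/sh
# Added example, not part of the original post: summarise connections per remote
# IP from `netstat -anp` output and list the heavy hitters as candidates for a
# csf block (`csf -d IP "reason"`). Reads from a file so it works on a saved
# capture as well as on live output.

# top_talkers FILE THRESHOLD
# Prints "count ip" for each remote address with at least THRESHOLD connections,
# busiest first. Listening sockets and wildcard addresses are ignored.
top_talkers() {
    awk -v min="$2" '
        /^(tcp|udp)/ {
            if ($6 == "LISTEN") next
            addr = $5
            sub(/:[0-9*]+$/, "", addr)      # strip the port; keeps IPv6 addresses intact
            if (addr == "" || addr == "*" || addr == "0.0.0.0" || addr == "::") next
            count[addr]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample in `netstat -anp` layout: one client holding four sockets
# (three established plus one half-open), two ordinary clients, and listeners.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED 1240/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED 1241/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED 1242/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED 1243/httpd
tcp        0      0 203.0.113.10:443        192.0.2.44:40002        TIME_WAIT   -
tcp        0      0 203.0.113.10:22         192.0.2.9:33001         ESTABLISHED 987/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           555/named
EOF
}

# Live use:  netstat -anp > /tmp/conns.txt && top_talkers /tmp/conns.txt 20
if [ "$#" -gt 0 ]; then
    top_talkers "$1" "${2:-20}"
fi
```

Half-open (SYN_RECV) and TIME_WAIT sockets are counted on purpose: a SYN flood shows up as many SYN_RECV entries from the same source, and TIME_WAIT piles up behind abusive short-lived connections. Look at the list before blocking anything; a busy proxy or a NAT gateway looks the same as an attacker in this output.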

Another option is the mod_evasive module in the httpd configuration.

mod_evasive is an "evasive manoeuvres" module for Apache that takes action when it detects an HTTP DoS, DDoS or brute-force attack. It is also designed as a detection tool and can be configured to hand offending IPs to ipchains, iptables or other firewalls.

mod_evasive has enough options to cover most requirements for handling the IPs connecting to the server.

Steps to install mod_evasive:

# cd /usr/local/src/

# Download the mod_evasive_xx.xx.tar.gz file

# tar -xvzf mod_evasive_xx.xx.tar.gz

# cd mod_evasive/

# /usr/local/apache/bin/apxs -cia mod_evasive20.c

Now create /usr/local/apache/conf/mod_evasive.conf with your settings. The values below are starting points, not tuned ones: DOSPageCount 2 in a one-second interval will also block legitimate users sharing a NAT address, and because each Apache child keeps its own hash table, an attacker's requests are spread over many children before any single one of them trips the threshold. Add your monitoring and management addresses with DOSWhitelist so you do not lock yourself out.

For example:

# cat /usr/local/apache/conf/mod_evasive.conf

LoadModule evasive20_module modules/mod_evasive20.so
<IfModule mod_evasive20.c>

    # The hash table size is the number of top-level nodes in each child's
    # hash table. A larger value gives faster lookups (fewer iterations to
    # reach a record) at the cost of more memory; increase it on a busy
    # server. The value is rounded up to the next prime in the module's list.
    DOSHashTableSize 3097

    # Threshold for requests for the same page (URI) per page interval. Once
    # exceeded, the client IP is added to the blocking list.
    DOSPageCount 2

    # Threshold for the total number of requests for any object by the same
    # client on the same listener per site interval. Once exceeded, the client
    # IP is added to the blocking list.
    DOSSiteCount 50

    # Interval for the page count threshold; defaults to 1 second.
    DOSPageInterval 1

    # Interval for the site count threshold; defaults to 1 second.
    DOSSiteInterval 1

    # Seconds a client stays blocked once listed. Every request during the
    # block gets a 403 (Forbidden) and resets the timer (another 10 seconds),
    # so a long period is unnecessary: during a DoS the timer keeps resetting.
    DOSBlockingPeriod 10

</IfModule>

Now include that file from the cPanel pre-main include, so it survives httpd.conf rebuilds:

/usr/local/apache/conf/includes/pre_main_global.conf

Include "/usr/local/apache/conf/mod_evasive.conf"

Now rebuild httpd.conf :

# /scripts/rebuildhttpdconf

Now restart apache :

# /scripts/restartsrv httpd

Click here to read more on DDoS and its protection !

Apache error – No space left on device !

Facing the following error on Apache ?

[emerg] (28)No space left on device: Couldn't create accept lock
[notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[crit] (28)No space left on device: mod_rewrite: Parent could not create RewriteLock file /usr/local/apache/logs/rewrite_lock

The disk is usually not full at all; df -h will confirm that.

The error comes from System V semaphores. Apache allocates a semaphore array for its accept mutex (and mod_rewrite one for its lock), and when the kernel's limit on semaphore arrays is reached, semget() fails with ENOSPC, which Apache reports as "No space left on device". This normally happens after Apache has crashed or been killed repeatedly without cleaning up, leaving orphaned arrays behind. Remove the stale arrays and Apache will start again.

To list the semaphore arrays currently allocated, execute:

# ipcs -s
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 xxxxxxxxxx apache     600        1
0x00000000 xxxxxxxxxx apache     600        1
0x00000000 xxxxxxxxxx apache     600        1
0x00000000 xxxxxxxxxx apache     600        1

To remove an array, pass its semid (the second column; these are not process IDs) to ipcrm:

# ipcrm -s SEMID

Stop Apache before doing this, so you do not remove an array a running child is still using. The current limit on arrays is shown by ipcs -ls (SEMMNI, the fourth value of the kernel.sem sysctl).

Once those stuck/hung processes are cleared, restart your Apache service.
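The clean-up above as a small script, added here as an example and not part of the original post. It separates the parsing of ipcs -s (so it can be checked against a saved copy of the output) from the removal, selects arrays by owner rather than removing everything, and reports what it removed. The sample ipcs output is constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the original post: find the System V semaphore
# arrays left behind by Apache and remove them. Only remove arrays while
# Apache is stopped: an array still in use by a running child is its accept
# mutex, and removing it takes that child down.

# semids_owned_by OWNER [FILE]
# Print the semid of every semaphore array owned by OWNER. Reads FILE when
# given, otherwise live `ipcs -s` output.
semids_owned_by() {
    owner=$1
    if [ -n "${2-}" ]; then cat "$2"; else ipcs -s; fi |
        awk -v owner="$owner" '$1 ~ /^0x/ && $3 == owner { print $2 }'
}

# clear_semaphores OWNER
# Remove every array owned by OWNER and report each removal.
clear_semaphores() {
    for id in $(semids_owned_by "$1"); do
        ipcrm -s "$id" && printf 'removed semid %s\n' "$id" \
            || printf 'could not remove semid %s\n' "$id" >&2
    done
}

# Constructed `ipcs -s` sample: two arrays owned by apache, one by root.
sample_ipcs() {
    cat <<'EOF'
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 32768      apache     600        1
0x00000000 65537      apache     600        1
0x00000000 98306      root       600        1
EOF
}

# Live use (Apache stopped):
#   service httpd stop && clear_semaphores apache && service httpd start
if [ "$#" -gt 0 ]; then
    semids_owned_by "$1"
fi
```

Filtering on the owner column matters on a cPanel box: root, nobody and other services hold semaphore arrays of their own, and an unfiltered `ipcs -s | awk '{print $2}' | xargs ipcrm -s` removes those too.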

Apache error_log for a domain filled with PHP errors ?

There are situations in which the error_log for a domain grows until it takes up a good part of the disk.

Look at what is being logged. If it is something like

[Date America/New_York] PHP Strict Standards: Non-static method JDispatcher::getInstance() should not be called statically in /path-to/file.php

then PHP strict-standards notices are being written, and because every single one is logged, the file grows quickly.

This started with PHP 5.4, which added E_STRICT to E_ALL, so the default error_reporting now includes it.

To get around this, exclude strict-standards notices from error reporting by adding the line below to the PHP configuration file (php.ini; under suPHP or CGI that may be a per-user php.ini rather than the global one). The long-term fix is to update the application, since these notices point at code that needs attention.

error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT

SymLinks Attacks and prevention !

Symlink abuse against Apache is a well-known way of turning one compromised account into read access to every account on the server.

First the attacker compromises a single website or domain, through a vulnerable script, third-party application or theme, and gains the ability to create files inside that account.

From that foothold he creates symlinks to other customers' files, or even to / itself, inside the web root.

For example, if a domain contains the symlink

link -> /root

then requesting the directory 'link' serves the contents of /root, including any sensitive file in it, as long as Apache follows symlinks and the web server user can read the target.

Rather than creating such links by hand, the attacker typically uses a Perl or CGI script that creates a symlink to the files of every other user on the server.

As a basic mitigation, configure Apache not to follow symlinks (Options -FollowSymLinks).

-- To stop Apache following symbolic links in requests, remove FollowSymLinks from the Options line of your Directory blocks.

For example, if the below was the configuration then,

<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Remove the FollowSymLinks reference so that this reads:

<Directory "/usr/local/apache/htdocs">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

If you really need symlinks, use SymLinksIfOwnerMatch, which follows a link only when the link and its target belong to the same user. Be aware that Apache's own documentation does not consider this a security restriction: the ownership check is subject to a race condition (the link can be swapped between the check and the open), so it raises the bar rather than closing the hole. Also note that if AllowOverride permits Options, an account can switch FollowSymLinks back on from .htaccess, so restrict that as well.

To stop PHP from reading files outside an account's own directory, set open_basedir (in the PHP configuration) to that directory.

This option can be enabled from WHM (Tweak Settings), but you may see the following message:

This security tweak uses Apache DSO style directives. If PHP is configured to run as a CGI, SuPHP or FastCGI process, the open_basedir setting must be manually specified in the relevant php.ini file. See the EasyApache documentation for more information.

- If the PHP handler is CGI, SuPHP or FastCGI, the WHM tweak cannot set open_basedir for you.

- In that case set open_basedir manually in the global PHP configuration file (use php -i | grep php.ini to find its location), or in the per-user php.ini if your handler reads one.

Keep in mind that the root cause of this attack is always an insecure script, plugin or application in one of the hosted domains. Keeping those patched is the first line of defence.
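An audit for the attack pattern described above, added here as an example and not part of the original post. It walks an account's home directory and reports every symlink whose fully resolved target lies outside that directory (link -> /root, link -> another customer's public_html, and so on). It does not matter whether the link was made by hand, by a CGI script or by PHP, since the filesystem itself is what is inspected. The test tree it is run against is constructed in a temporary directory; the only non-POSIX dependency is readlink -f (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example, not part of the original post: list symlinks under an account
# that resolve to somewhere outside it. Requires `readlink -f`.

# find_escaping_symlinks ROOT
# Prints "link -> resolved target" for every symlink under ROOT whose fully
# resolved target is outside ROOT. Relative links that stay inside ROOT are not
# reported. find does not follow symlinks while walking, so a link to / cannot
# drag the audit across the whole filesystem.
find_escaping_symlinks() {
    root=$(cd "$1" && pwd -P) || return 1
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f -- "$link") || target="(dangling)"
        case "$target" in
            "$root"|"$root"/*) ;;                       # stays inside the account
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# audit_all_homes [HOME_BASE]
# Run the check for every account directory under HOME_BASE (default /home).
audit_all_homes() {
    for home in "${1:-/home}"/*/; do
        [ -d "$home" ] && find_escaping_symlinks "${home%/}"
    done
}

# Live use:  audit_all_homes            (or: find_escaping_symlinks /home/user1)
if [ "$#" -gt 0 ]; then
    find_escaping_symlinks "$1"
fi
```

Run it from cron and diff the output against the previous run: a new line pointing at /etc, /root, /usr/local/cpanel or a different user's home is the signal to look at that account's recent uploads. A dangling link is reported too, which is deliberate, since a link to a target that does not exist yet is often the first thing an attacker leaves behind.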

Issue with parsing of PHP pages !

Are you seeing PHP pages downloaded by the browser instead of being executed?

For example, when www.domain.com/index.php is requested, the file index.php is saved to disk rather than rendered.

This means the web server is not handing .php files to the PHP interpreter.

To fix this:

--> Make sure the PHP module is loaded:

the 'LoadModule php5_module' directive must be present in httpd.conf.

--> Make sure files with a .php extension are mapped to the PHP handler, for example:

'AddType application/x-httpd-php .php' in httpd.conf.

If either of these lines is missing from the httpd configuration, PHP files are served as plain downloads.