
Entries tagged "apache".

Listing your own customers in Spamhaus RBL

Recently I had problems with a web server denying connections (HTTP error 406) from a certain IP address.
At first I thought it was because of some wacky firewall or tcpwrapper rule.
I couldn't be more wrong - it was mod_security verifying the remote IP against Spamhaus RBL...
While it may seem like a good idea at first, turns out it is not:
1. Because it slows down the request (as Apache has to look up IPs against the RBL all the time).
2. Some IPs are in an RBL for the wrong reason.

As it turns out that particular IP belongs to BT,
and BT in their infinite wisdom decided to list in Spamhaus a good part of their IP space... Cool, huh?
More info here (and a screenshot for posterity here).
You got to love the corporations!

mod_substitute in rhel/centos 5

Apparently mod_substitute has finally been backported into rhel 5:
Transaction Check Error:
  file /usr/lib64/httpd/modules/mod_substitute.so from install of httpd-2.2.3-43.el5.centos.3.x86_64 conflicts with file from package mod_substitute-2.2.11-1.el5.ld.x86_64

No need for 3rd party repos for this module anymore. Hurray! :-)

Instant image gallery with Apache's mod_autoindex and fancybox

For some time now I've been using Google's Picasaweb for sharing some photos with friends and relatives, however in recent years I've been trying to distance myself from Google's services and run my own since I have the know-how and the resources, plus Picasaweb has a ridiculously small quota - 1 GB.
As such I've decided to just put the images in some directory online and let mod_autoindex list them, but this kind of listing can be hard to browse since you have to go back all the time for a new image's link - and here's where fancybox is useful.
fancyBox is a tool that offers a nice and elegant way to add zooming functionality for images, html content and multi-media on your webpages. It is built at the top of the popular JavaScript framework jQuery and is both easy to implement and a snap to customize.


And here's what needs to be done:
1. Create a directory called fancybox in the root directory of your web site
2. Download https://github.com/fancyapps/fancyBox/zipball/v2.1.3 and upload the source and lib directories from it to the directory we created at step 1
3. In the same fancybox directory create a HTML file called fancybox.html with the following contents: http://img.nux.ro/fancybox/fancybox.txt
4. Upload your directory containing the pictures to the web site
5. Create in the said directory an .htaccess file with the following contents:
Options +Indexes
ReadmeName /fancybox/fancybox.html
6. You're done, you can now browse to www.yourwebsite.tld/imagedirectory and enjoy the experience

Here's a demo: http://img.nux.ro/tuxwallpapers/

Voila! A nice, simple gallery involving no server-side scripting languages, just using the powerful Apache server and Javascript.
Credits go to Matt whose blog post gave me the idea and my friend Adrian who suggested fancybox and helped adjust the Javascript code to my needs (since I have zero js skills). Thanks!

Cloudstack becomes an Apache top-level project

And so Cloudstack has graduated from the Apache Incubator!

Fireworks, trumpets!

Official announcement here.

Apache Cloudstack homepage.

Setting up Confluence behind mod_proxy

I've recently tried to set up Confluence behind Apache HTTPD (mod_proxy) and it did not go as smoothly as the Atlassian docs suggest.

Here's what needs doing:
1 - Go here and download the 64 bit Linux installer (I'm on Centos 6 64bit)
2 - Make it executable and execute it, use the default values when asked or what you think is appropriate
3 - If you want to use a MySQL DB download this and extract from it mysql-connector-java-5.1.27-bin.jar, putting it in /opt/atlassian/confluence/confluence/WEB-INF/lib/ on the server
4 - Restart Confluence: service confluence restart
5 - Go to http://confluence.example.com:8090 and finish the setup, then go to Confluence Admin -> General Configuration and edit the Site Configuration, updating Server Base Url to match the subdomain you want to use in the end, e.g. http://confluence.example.com or https://confluence.example.com if you want SSL. Save the settings.
6 - Enable proxying in Apache httpd; edit /etc/httpd/conf/httpd.conf and modify your virtualhost such that it looks like this:
<VirtualHost 12.34.56.78:443>
DocumentRoot "/var/www/confluence"
ServerName confluence.example.com
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8090/
ProxyPassReverse / http://127.0.0.1:8090/
</VirtualHost>
7 - Edit /opt/atlassian/confluence/conf/server.xml and add this in the Connector's line: proxyName="confluence.example.com" proxyPort="443" scheme="https" so that it resembles this
8 - Restart both httpd and confluence services
9 - Go to https://confluence.example.com and enjoy!

The poodle bites the web

Heartbleed is not even cold in its grave and here comes another SSL vulnerability: Poodle.
You can read more about it here and there, tl;dr it exploits a weakness in SSLv3 to allow MITM attacks:
https://www.imperialviolet.org/2014/10/14/poodle.html (local copy)
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability

To fix this in Apache HTTPD edit your ssl configuration file (e.g. /etc/httpd/conf.d/ssl.conf in CentOS) to have this SSLProtocol line:
SSLProtocol all -SSLv2 -SSLv3
If you're running CPanel there's more you need to do:
- go in "Home » Service Configuration » cPanel Web Services Configuration" and add ":-SSLv3"
- go in "Home » Service Configuration » Apache Configuration » Include Editor", add the following in "Pre Main Include":
SSLProtocol All -SSLv2 -SSLv3
- be warned that on older CPanel installations (CentOS 5), removing SSLv3 (:-SSLV3) from the cipher list might cause Apache not to start at all.


- If you are running Webmin/Virtualmin:
echo ssl_version=10 >> /etc/webmin/miniserv.conf
service webmin restart
- also be warned that these changes may affect some older browsers, such as IE6; test before you change.
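
An added example, not part of the original post: a small audit that reads Apache configuration text and reports, for each SSLProtocol directive, whether SSLv2 or SSLv3 is still enabled once its tokens are applied. The token handling (a bare token replaces the set, + adds, - removes), the expansion of "all", and the sample fragment are assumptions of this example, not taken from the page.

```python
import re

# Assumption: "all" expands to this conservative superset for 2014-era builds.
ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {p.lower(): p for p in ALL}
WEAK = {"SSLv2", "SSLv3"}

def effective_protocols(directive_args):
    """Apply the tokens of one SSLProtocol directive, left to right."""
    enabled = set()
    for token in directive_args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            chosen = set(ALL)
        elif name in KNOWN:
            chosen = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:  # assumption: a bare token replaces whatever was set so far
            enabled = chosen
    return enabled

def audit(config_text):
    """Return (line_no, arguments, weak protocols still enabled) per directive."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if not m:  # commented-out or unrelated lines are skipped
            continue
        weak = sorted(effective_protocols(m.group(1)) & WEAK)
        findings.append((no, m.group(1), weak))
    return findings

# Constructed sample input, not from a real server.
SAMPLE = """\
# constructed ssl.conf fragments
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol All -SSLv2 -SSLv3
SSLProtocol -all +TLSv1 +SSLv3
"""

if __name__ == "__main__":
    for no, args, weak in audit(SAMPLE):
        print(f"line {no}: SSLProtocol {args} -> {'WEAK: ' + ', '.join(weak) if weak else 'ok'}")
```

Each directive is evaluated on its own; the script does not model which VirtualHost or include a directive applies to, so check every file Apache actually loads.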