apache-2.2 interview questions
Top apache-2.2 frequently asked interview questions
I want to secure a file upload directory on my server as described beautifully here, but I have one problem before I can follow these instructions. I don't know what user Apache is running as.
I've found a suggestion that you can look in httpd.conf and there will be a "User" line, but there is no such line in my httpd.conf file, so I guess Apache is running as the default user. I can't find out what that is, though.
So, my question is (are):
- how do I find out what the default user is
- do I need to change the default user
- if the answer is yes and I change the default user by editing httpd.conf, is it likely to screw anything up?
Thanks!
Source: (StackOverflow)
This is a Canonical Question about Hosting multiple SSL websites on the same IP.
I was under the impression that each SSL Certificate required its own unique IP Address/Port combination. But the answer to a previous question I posted is at odds with this claim.
Using information from that Question, I was able to get multiple SSL certificates to work on the same IP address and on port 443. I am very confused as to why this works given the assumption above and reinforced by others that each SSL domain website on the same server requires its own IP/Port.
I am suspicious that I did something wrong. Can multiple SSL Certificates be used this way?
Source: (StackOverflow)
I'm a little confused between the different MPMs offered by Apache - 'worker', 'event', 'prefork', etc.
What are the major differences between them, and how can I decide which one will be best for a given deployment?
Source: (StackOverflow)
This is a Canonical Question about File Permissions on a Linux web server.
I have a Linux web server running Apache2 that hosts several websites. Each website has its own folder in /var/www/.
/var/www/contoso.com/
/var/www/contoso.net/
/var/www/fabrikam.com/
The base directory /var/www/ is owned by root:root. Apache is running as www-data:www-data. The Fabrikam website is maintained by two developers, Alice and Bob. Both Contoso websites are maintained by one developer, Eve. All websites allow users to upload images. If a website is compromised, the impact should be as limited as possible.
I want to know the best way to set up permissions so that Apache can serve the content, the website is secure from attacks, and the developers can still make changes. One of the websites is structured like this:
/var/www/fabrikam.com
    /cache
    /modules
    /styles
    /uploads
    /index.php
How should the permissions be set on these directories and files? I read somewhere that you should never use 777 permissions on a website, but I don't understand what problems that could cause. During busy periods, the website automatically caches some pages and stores the results in the cache folder. All of the content submitted by website visitors is saved to the uploads folder.
Source: (StackOverflow)
Roughly how much of a performance hit will https take compared to http for the same page? Suppose I can handle 1000 requests/s for abc.php, how much will it decrease by when accessed through https? I know this might be dependent on hardware, config, OS etc etc but I am just looking for a general rule of thumb/estimate.
Source: (StackOverflow)
Is it possible to use variables in Apache config files?
For example, when I'm setting up a site with Django+WSGI, the config file might look like:
<Directory /path/to/foo/>
    Order allow,deny
    Allow from all
</Directory>
Alias /foo/static /path/to/foo/static
WSGIScriptAlias /foo /path/to/foo/run_wsgi
And I'd like to turn the '/path/to/foo' into a variable so it only needs to be defined in one place. Something like:
Variable FOO /path/to/foo
…
Thanks!
Source: (StackOverflow)
Which one of these two files should I use to configure Apache?
The httpd.conf is empty, while apache2.conf is not.
It confuses me!
Source: (StackOverflow)
Can anyone tell me—in a nutshell—what the purpose of these two directories is in Debian?
/etc/apache2/sites-enabled
/etc/apache2/sites-available
I notice that diffing sites-available/000-default and sites-enabled/default shows they are identical.
What gives?
Source: (StackOverflow)
I want to proxy requests from an SSL site via a non-SSL site. My Apache httpd.conf looks like this:
<VirtualHost 1.2.3.4:80>
    ServerName foo.com
    ProxyPass / https://bar.com/
</VirtualHost>
So, when I visit http://foo.com, I expect Apache to make a request to https://bar.com and send me the page it fetched.
Instead, I get a 500 error, and in the error log, I see:
[error] proxy: HTTPS: failed to enable ssl support for 4.3.2.1:443 (bar.com)
Presumably I'm missing a directive here. Which might it be?
Never mind the security implications. I fully understand the risks.
Source: (StackOverflow)
I'm trying to configure mercurial access using Apache http.
It requires authentication. My /etc/apache2/sites-enabled/mercurial looks like this:
NameVirtualHost *:8080
<VirtualHost *:8080>
    UseCanonicalName Off
    ServerAdmin webmaster@localhost
    AddHandler cgi-script .cgi
    ScriptAliasMatch ^(.*) /usr/lib/cgi-bin/hgwebdir.cgi/$1
</VirtualHost>
Every tutorial I read on the internet tells me to insert these lines:
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
But when I do it I get the following error:
# /etc/init.d/apache2 reload
Syntax error on line 8 of /etc/apache2/sites-enabled/mercurial:
AuthType not allowed here
My distro is a customized Ubuntu called Turnkey Linux Redmine
Source: (StackOverflow)
I've just updated my Apache server to Apache/2.4.6 which is running under Ubuntu 13.04. I used to have a vhost file that had the following:
<Directory "/home/john/development/foobar/web">
    AllowOverride All
</Directory>
But when I ran that I got a "Forbidden. You don't have permission to access /"
After doing a little bit of googling I found out that to get my site working again I needed to add the following line "Require all granted" so that my vhost looked like this:
<Directory "/home/john/development/foobar/web">
    AllowOverride All
    Require all granted
</Directory>
I want to know if this is "safe" and does not bring in any security issues. I read on Apache's page that this "mimics the functionality the was previously provided by the 'Allow from all' and 'Deny from all' directives. This provider can take one of two arguments which are 'granted' or 'denied'. The following examples will grant or deny access to all requests."
But it didn't say if this was a security issue of some sort or why we now have to do it when in the past you did not have to.
Source: (StackOverflow)
I am working on a tiny little PHP project for a friend of mine, and I have a WAMP environment setup for local development. I remember the days when the response from my local Apache 2.2 was immediate. Alas, now that I got back from a long, long holiday, I find the responses from localhost painfully slow.
It takes around 5 seconds to get a 300B HTML page served out.
When I look at the task manager, the httpd processes (2) are using up 0% of the CPU and overall my computer is not under load (0-2% CPU usage).
Why is the latency so high? Is there any Apache setting that I could tweak to perhaps make its thread run with a higher priority or something? It seems like it's simply sleeping before it's serving out the response.
Source: (StackOverflow)
Apache is receiving requests at port :80 and proxying them to Jetty at port :8080
The proxy server received an invalid response from an upstream server
The proxy server could not handle the request GET /.
My dilemma: Everything works fine normally (fast requests, few seconds or few tens of seconds long requests are processed ok). Problems occur when request processing takes long (few minutes?).
If I instead issue the request directly to Jetty at port :8080, the request is processed OK. So the problem is likely to sit somewhere between Apache and Jetty, where I am using mod_proxy. How can I solve this?
I have already tried some "tricks" related to KeepAlive settings, without luck. Here is my current configuration, any suggestions?
#keepalive Off ## I have tried this, does not help
#SetEnv force-proxy-request-1.0 1 ## I have tried this, does not help
#SetEnv proxy-nokeepalive 1 ## I have tried this, does not help
#SetEnv proxy-initial-not-pooled 1 ## I have tried this, does not help
KeepAlive 20 ## I have tried this, does not help
KeepAliveTimeout 600 ## I have tried this, does not help
ProxyTimeout 600 ## I have tried this, does not help
NameVirtualHost *:80
<VirtualHost _default_:80>
    ServerAdmin webmaster@mydomain.fi
    ServerName www.mydomain.fi
    ServerAlias mydomain.fi mydomain.com mydomain www.mydomain.com
    ProxyRequests On
    ProxyVia On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPass / http://www.mydomain.fi:8080/ retry=1 acquire=3000 timeout=600
    ProxyPassReverse / http://www.mydomain.fi:8080/
    RewriteEngine On
    RewriteCond %{SERVER_NAME} !^www\.mydomain\.fi
    RewriteRule /(.*) http://www.mydomain.fi/$1 [redirect=301L]
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
</VirtualHost>
Here is also the debug log from a failing request:
74.125.43.99 - - [29/Sep/2010:20:15:40 +0300] "GET /?wicket:bookmarkablePage=newWindow:com.mydomain.view.application.reports.SaveReportPage HTTP/1.1" 502 355 "https://www.mydomain.fi/?wicket:interface=:0:2:::" "Mozilla/5.0 (Windows; U; Windows NT 6.1; fi; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
[Wed Sep 29 20:20:40 2010] [error] [client 74.125.43.99] proxy: error reading status line from remote server www.mydomain.fi, referer: https://www.mydomain.fi/?wicket:interface=:0:2:::
[Wed Sep 29 20:20:40 2010] [error] [client 74.125.43.99] proxy: Error reading from remote server returned by /, referer: https://www.mydomain.fi/?wicket:interface=:0:2:::
Source: (StackOverflow)
What kernel parameter or other settings control the maximum number of TCP sockets that can be open on a Linux server? What are the tradeoffs of allowing more connections?
I noticed while load testing an Apache server with ab that it's pretty easy to max out the open connections on the server. If you leave off ab's -k option, which allows connection reuse, and have it send more than about 10,000 requests then Apache serves the first 11,000 or so requests and then halts for 60 seconds. A look at netstat output shows 11,000 connections in the TIME_WAIT state. Apparently, this is normal. Connections are kept open a default of 60 seconds even after the client is done with them for TCP reliability reasons.
It seems like this would be an easy way to DoS a server and I'm wondering what the usual tunings and precautions for it are.
Here's my test output:
# ab -c 5 -n 50000 http://localhost/
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/
Benchmarking localhost (be patient)
Completed 5000 requests
Completed 10000 requests
apr_poll: The timeout specified has expired (70007)
Total of 11655 requests completed
Here's the netstat command I run during the test:
# netstat --inet -p | grep "localhost:www" | sed -e 's/ \+/ /g' | cut -d' ' -f 1-4,6-7 | sort | uniq -c
11651 tcp 0 0 localhost:www TIME_WAIT -
1 tcp 0 1 localhost:44423 SYN_SENT 7831/ab
1 tcp 0 1 localhost:44424 SYN_SENT 7831/ab
1 tcp 0 1 localhost:44425 SYN_SENT 7831/ab
1 tcp 0 1 localhost:44426 SYN_SENT 7831/ab
1 tcp 0 1 localhost:44428 SYN_SENT 7831/ab
Source: (StackOverflow)
The WebSocket protocol is an extension of the HTTP protocol. However, the proxy module of Apache2 does not seem to know about it, and throws away crucial headers, converting the call to a standard HTTP call.
Is there a way to make Apache2 either (1) understand WebSocket or (2) simply blindly pass on whatever it gets?
Source: (StackOverflow)