apache-2.4 interview questions
Top apache-2.4 frequently asked interview questions
Recently, a new vulnerability in Diffie-Hellman, informally referred to as 'logjam' has been published, for which this page has been put together suggesting how to counter the vulnerability:
We have three recommendations for correctly deploying Diffie-Hellman
for TLS:
- Disable Export Cipher Suites. Even though modern browsers no longer
support export suites, the FREAK and Logjam attacks allow a
man-in-the-middle attacker to trick browsers into using export-grade
cryptography, after which the TLS connection can be decrypted. Export
ciphers are a remnant of 1990s-era policy that prevented strong
cryptographic protocols from being exported from United States. No
modern clients rely on export suites and there is little downside in
disabling them.
- Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman
(ECDHE). Elliptic-Curve Diffie-Hellman (ECDH) key exchange avoids all
known feasible cryptanalytic attacks, and modern web browsers now
prefer ECDHE over the original, finite field, Diffie-Hellman. The
discrete log algorithms we used to attack standard Diffie-Hellman
groups do not gain as strong of an advantage from precomputation, and
individual servers do not need to generate unique elliptic curves.
- Generate a Strong, Unique Diffie Hellman Group. A few fixed groups are
used by millions of servers, which makes them an optimal target for
precomputation, and potential eavesdropping. Administrators should
generate unique, 2048-bit or stronger Diffie-Hellman groups using
"safe" primes for each website or server.
What are the best-practice steps I should take to secure my server as per the above recommendations?
Source: (StackOverflow)
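The three recommendations map onto a handful of mod_ssl directives. The following is an added example, not from the original post or from the Logjam authors: it audits an SSL config fragment for those directives and measures the prime size of a "DH PARAMETERS" PEM file such as `openssl dhparam` writes, so a deployed group can be verified to be 2048 bits or more. The config samples, the dhparams.pem path and the sample groups are constructed for the example; the sample groups are not primes and exist only to exercise the size check.

```python
import base64

# Constructed weak configuration: nothing excludes export suites and the
# server uses whatever built-in DH group mod_ssl picks.
WEAK_SSL_CONF = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL
"""

# Hardened configuration covering the three recommendations: ECDHE preferred,
# no export/NULL/RC4/DES/MD5 suites, and a server-generated group loaded via
# SSLOpenSSLConfCmd (Apache 2.4.8+ with OpenSSL 1.0.2+). The path is a
# placeholder; generate the file with `openssl dhparam -out dhparams.pem 2048`.
HARDENED_SSL_CONF = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparams.pem"
"""


def _directives(conf):
    """Directive name -> list of values, ignoring blank and comment lines."""
    found = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            found.setdefault(name, []).append(value.strip())
    return found


def audit_ssl_conf(conf):
    """Textual checks for the three recommendations. They are heuristics:
    `openssl ciphers -v '<string>'` is the authoritative expansion of a list."""
    d = _directives(conf)
    findings = []
    ciphers = " ".join(d.get("SSLCipherSuite", []))
    if not ciphers:
        findings.append("SSLCipherSuite unset: the OpenSSL default list decides what is offered")
    else:
        if "!EXP" not in ciphers:            # matches both !EXP and !EXPORT
            findings.append("SSLCipherSuite does not exclude EXPORT suites (recommendation 1)")
        if "ECDHE" not in ciphers:
            findings.append("SSLCipherSuite does not name ECDHE suites (recommendation 2)")
    if not any(v.startswith("DHParameters") for v in d.get("SSLOpenSSLConfCmd", [])):
        findings.append("no server-specific DH group: SSLOpenSSLConfCmd DHParameters missing (recommendation 3)")
    return findings


# Minimal DER helpers for PKCS#3 DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                          # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def encode_dh_params(p, g=2):
    """PEM-wrap a DH group the way `openssl dhparam` prints it (64-column base64)."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem):
    """Bit length of the prime p inside a DH PARAMETERS PEM block."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("prime is not a DER INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()


def dh_group_ok(pem, minimum_bits=2048):
    return dh_prime_bits(pem) >= minimum_bits


# Constructed sample groups: NOT primes, only here so the size check has input.
SAMPLE_2048_PEM = encode_dh_params((1 << 2047) | 1)
SAMPLE_1024_PEM = encode_dh_params((1 << 1023) | 1)

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SSL_CONF), ("hardened", HARDENED_SSL_CONF)):
        print(label, audit_ssl_conf(conf) or ["ok"])
    for label, pem in (("2048-bit", SAMPLE_2048_PEM), ("1024-bit", SAMPLE_1024_PEM)):
        print(label, "group accepted:", dh_group_ok(pem))
```

Run `dh_prime_bits` against the real dhparams.pem you point `SSLOpenSSLConfCmd DHParameters` at; a file generated with `openssl dhparam 1024` parses just as cleanly, and the size is the only thing that distinguishes it from a safe deployment.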
Because of an Ubuntu update, I made the mistake of upgrading Apache 2.2 to 2.4, and many things went wrong.
I have no idea how to specify the version after apt-get remove apache2. apt-get install apache2 always installs 2.4.
How can I do it?
Source: (StackOverflow)
I've just updated my Apache server to Apache/2.4.6, which is running under Ubuntu 13.04. I used to have a vhost file that had the following:
<Directory "/home/john/development/foobar/web">
AllowOverride All
</Directory>
But when I ran that I got a "Forbidden. You don't have permission to access /"
After doing a little bit of googling I found out that to get my site working again I needed to add the following line "Require all granted" so that my vhost looked like this:
<Directory "/home/john/development/foobar/web">
AllowOverride All
Require all granted
</Directory>
I want to know if this is "safe" and does not bring in any security issues. I read on Apache's page that this "mimics the functionality that was previously provided by the 'Allow from all' and 'Deny from all' directives. This provider can take one of two arguments which are 'granted' or 'denied'. The following examples will grant or deny access to all requests."
But it didn't say if this was a security issue of some sort or why we now have to do it when in the past you did not have to.
Source: (StackOverflow)
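Whether `Require all granted` is safe depends entirely on which `<Directory>` it sits in: on the site's own document root it restores what `Allow from all` did in 2.2, while on `<Directory />` it removes the filesystem-wide deny that the stock 2.4 config starts from. The following is an added example, not from the original post or the Apache project: it translates the common 2.2 access lines to their 2.4 form (the mapping from the Apache 2.4 upgrade guide) and audits `<Directory>` blocks for the placement that is genuinely dangerous. The sample configs are constructed for the example.

```python
import re

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)


def directory_sections(conf):
    """Map each <Directory> path to the non-comment directives inside it."""
    sections = {}
    for m in DIRECTORY_RE.finditer(conf):
        lines = [l.strip() for l in m.group(2).splitlines()]
        sections[m.group(1)] = [l for l in lines if l and not l.startswith("#")]
    return sections


def legacy_to_require(directive):
    """Translate a 2.2 mod_authz_host line to its 2.4 Require form.
    Returns "" for a line that is simply dropped (Order) and None for a line
    that needs manual conversion, e.g. 'Deny from <host>' inside a RequireAll."""
    words = directive.split()
    verb = words[0].lower()
    if verb == "order":
        return ""                            # ordering is implicit in 2.4
    target = " ".join(words[2:])
    if target.lower() == "all":
        return "Require all granted" if verb == "allow" else "Require all denied"
    if verb == "allow":
        return "Require ip " + target        # use 'Require host' for hostnames
    return None


def audit_directory_access(conf):
    findings = []
    for path, directives in directory_sections(conf).items():
        requires = [d for d in directives if d.lower().startswith("require ")]
        legacy = [d for d in directives if d.split()[0].lower() in ("order", "allow", "deny")]
        if legacy:
            findings.append(f"{path}: 2.2-style '{legacy[0]}' only works with mod_access_compat loaded; convert to Require")
        if path == "/" and any(r.lower() == "require all granted" for r in requires):
            findings.append("/: 'Require all granted' on the filesystem root removes the default deny, so any path a DocumentRoot or Alias points at becomes servable; grant on the document root instead")
        if not requires and not legacy:
            findings.append(f"{path}: no access directive, so the enclosing scope decides (the stock 2.4 config has 'Require all denied' under <Directory />)")
    return findings


# Constructed samples: the poster's block before and after the fix, plus the
# two shapes the audit exists to catch.
POST_BEFORE = """
<Directory "/home/john/development/foobar/web">
AllowOverride All
</Directory>
"""
POST_AFTER = """
<Directory "/home/john/development/foobar/web">
AllowOverride All
Require all granted
</Directory>
"""
OVERBROAD = """
<Directory />
Require all granted
</Directory>
"""
LEGACY_22 = """
<Directory "/var/www/html">
Order allow,deny
Allow from all
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("before", POST_BEFORE), ("after", POST_AFTER),
                        ("overbroad", OVERBROAD), ("2.2-style", LEGACY_22)):
        print(label, audit_directory_access(conf) or ["ok"])
    for line in ("Order allow,deny", "Allow from all", "Deny from all", "Allow from 10.0.0.0/8"):
        print(f"{line!r} -> {legacy_to_require(line)!r}")
```

The "no access directive" finding is the poster's 403: a 2.4 `<Directory>` that says nothing about access inherits the deny from `<Directory />`, which is why the grant now has to be explicit and why it belongs on the document root and nowhere wider.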
I have some subdomains I want to redirect to specific ports on the same server.
Say I have dev.mydomain.com. I want dev.mydomain.com to transparently redirect to mydomain.com:8080, and I want to preserve the original sub-domain name in the URL of the browser.
How do I do this with Apache 2.2? I have Apache 2.2 running on the default port 80. I can't figure out the right configuration to get this to happen.
I have already set up dev.mydomain.com to resolve in DNS to mydomain.com.
This is for an intranet development server that has a non-routable ip
address so I am not so concerned about exploits and security that
would compromise a publicly facing server.
Source: (StackOverflow)
I recently installed Apache 2.4 on my local machine, together with PHP 5.4.8 using PHP-FPM.
Everything went quite smoothly (after a while...) but there is still a strange error:
I configured Apache for PHP-FPM like this:
<VirtualHost *:80>
ServerName localhost
DocumentRoot "/Users/apfelbox/WebServer"
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/Users/apfelbox/WebServer/$1
</VirtualHost>
It works; for example, if I call http://localhost/info.php I get the correct phpinfo() (it is just a test file).
If I call a directory however, I get a 404 with body File not found.
and in the error log:
[Tue Nov 20 21:27:25.191625 2012] [proxy_fcgi:error] [pid 28997] [client ::1:57204] AH01071: Got error 'Primary script unknown\n'
Update
I now tried doing the proxying with mod_rewrite:
<VirtualHost *:80>
ServerName localhost
DocumentRoot "/Users/apfelbox/WebServer"
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/Users/apfelbox/WebServer/$1 [L,P]
</VirtualHost>
But the problem is that it always redirects, because a request for http://localhost/ automatically becomes a request for http://localhost/index.php, because of
DirectoryIndex index.php index.html
Update 2
Ok, so I think "maybe check whether there is a file to give to the proxy first":
<VirtualHost *:80>
ServerName localhost
DocumentRoot "/Users/apfelbox/WebServer"
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/Users/apfelbox/WebServer/$1 [L,P]
</VirtualHost>
Now the complete rewriting does not work anymore...
Update 3
Now I have this solution:
<VirtualHost *:80>
ServerName localhost
DocumentRoot "/Users/apfelbox/WebServer"
RewriteEngine on
RewriteCond /Users/apfelbox/WebServer/%{REQUEST_FILENAME} -f
RewriteRule ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/Users/apfelbox/WebServer/$1 [L,P]
</VirtualHost>
First check, that there is a file to pass to PHP-FPM (with the full and absolute path) and then do the rewriting.
This does not work when using URL rewriting inside a subdirectory, also it fails for URLs like http://localhost/index.php/test/
So back to square one.
Any ideas?
Source: (StackOverflow)
My Environment
- CentOS 6.4 X86_64
- Apache 2.4.4
- PHP 5.4.16 (FPM)
- 2 Intel Xeon E5-2620 @ 2.00GHz (8 core, 16 threads in each processor)
- 48GB RAM registered memory.
- 3 Hard Disk 15RPM 145GB in RAID0 (by BIO
Interesting Variables
<IfModule mpm_event_module>
StartServers 2
ThreadLimit 196
MinSpareThreads 96
MaxSpareThreads 192
ThreadsPerChild 96
MaxRequestWorkers 192
MaxConnectionsPerChild 96
</IfModule>
Apache Server Status
Server Version: Apache/2.2.4 (Unix) OpenSSL/1.0.1e mod_fastcgi/mod-fastcgi-SNAP-0910052141
Server Built: May 24 2013 16:48:07
Current Time: Monday, 17-Jun-2013 09:48:11 COT
Restart Time: Monday, 17-Jun-2013 08:35:14 COT
Parent Server Config. Generation: 1
Parent Server MPM Generation: 0
Server uptime: 1 hour 12 minutes 57 seconds
Server load: 0.05 0.10 0.09
Total accesses: 14144 - Total Traffic: 349.7 MB
CPU Usage: u.28 s.25 cu0 cs0 - .0121% CPU load
3.23 requests/sec - 81.8 kB/second - 25.3 kB/request
1 requests currently being processed, 191 idle workers
PID | Connections | Threads | Async connections
| total | accepting | busy | idle | keep-alive | closing
==============================================================
18997 | 3 | yes | 1 | 95 | 0 | 3
18485 | 0 | yes | 0 | 96 | 0 | 0
==============================================================
Sum | 3 | | 1 | 191 | 0 | 3
Error Log
The error message is
[Mon Jun 17 09:32:45.680842 2013] [mpm_event:error] [pid 8574:tid 140185091581760] AH00485: scoreboard is full, not at MaxRequestWorkers
This appears every few seconds. I don’t understand it. How can I fix it?
Source: (StackOverflow)
My apache server is running OK without any problems. It also doesn't issue any warning during restart. However, if I examine error.log
I can see the following lines repeating from time to time:
[Wed Jun 25 18:15:56.295408 2014] [mpm_prefork:notice] [pid 8817] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4 configured -- resuming normal operations
[Wed Jun 25 18:15:56.295570 2014] [core:notice] [pid 8817] AH00094: Command line: '/usr/sbin/apache2'
[Wed Jun 25 18:26:34.511247 2014] [mpm_prefork:notice] [pid 8817] AH00169: caught SIGTERM, shutting down
What do they say? How can I fix it?
Source: (StackOverflow)
We are trying to reload Apache gracefully using a command such as:
apache2ctl -k graceful
This works as expected for HTTP users and the Apache config is reloaded without affecting users of the website.
However, we have found that users accessing the server via HTTPS are disconnected during a graceful reload.
How can Apache be gracefully reloaded without affecting SSL connections?
In case it helps, we are using HTTP 2 on Apache 2.4.20.
Source: (StackOverflow)
I am using an apache (2.4) server configured as loadbalancer in front of 2 apache servers. It works fine when I use http connections between loadbalancer and backends, however using https does not work.
The configuration of the loadbalancer:
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
<Proxy balancer://testcluster>
BalancerMember https://[Backend1]:443/test
BalancerMember https://[Backend2]:443/test
</Proxy>
ProxyPass /test balancer://testcluster
The backends only have self-signed certificates for now which is why the certificate verification is disabled.
The error-log on the loadbalancer contains the following:
[proxy:error] [pid 31202:tid 140325875570432] (502)Unknown error 502: [client ...] AH01084: pass request body failed to [Backend1]:443 ([Backend1])
[proxy:error] [pid 31202:tid 140325875570432] [client ...] AH00898: Error during SSL Handshake with remote server returned by /test/test.jsp
[proxy_http:error] [pid 31202:tid 140325875570432] [client ...] AH01097: pass request body failed to [Backend1]:443 ([Backend1]) from [...] ()
The error-page in the browser contains:
Proxy Error
The proxy server could not handle the request GET /test/test.jsp.
Reason: Error during SSL Handshake with remote server
As I already stated above changing the configuration to the http protocol and port 80 works. Also https connections between the client and loadbalancer work, so the ssl module of the loadbalancer seems to be setup properly.
Connecting directly to the backend via https also does not yield any errors.
Thanks in advance for your time
Edit:
I figured it out: the problem is that my certificate's common name does not match the server name. I thought SSLProxyVerify none would cause this mismatch to be ignored, but it doesn't. Prior to Apache 2.4.5 this check can be disabled using SSLProxyCheckPeerCN off, but on higher versions (I am using 2.4.7) SSLProxyCheckPeerName off also needs to be specified.
Apache documentation for sslproxycheckpeername
The working configuration looks like this:
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
<Proxy balancer://testcluster>
BalancerMember https://[backend1]:443/test
BalancerMember https://[backend2]:443/test
</Proxy>
ProxyPass /test balancer://testcluster
Unfortunately I can't answer my own question for lack of reputation, so I edited my question. I hope this helps anyone who encounters a similar problem.
Source: (StackOverflow)
I'm trying to configure Apache 2.4 for proxying the websocket connection for socket.io to a node.js websocket server, using mod_proxy_wstunnel. We had this working fine with socket.io 0.9, but with the 1.0 release they changed the socket endpoint to a query parameter, and now I'm having trouble configuring apache with the correct proxy instructions.
All requests to /socket.io/?EIO=N&transport=websocket (where N is any digit, usually 2) need to be forwarded to ws://localhost:8082/socket.io/, but all other requests need to be forwarded to http://localhost:8082/socket.io/.
I've tried variations of both of the following configs:
ProxyPass /socket.io/?EIO=2&transport=websocket http://localhost:8082/socket.io/?EIO=2&transport=websocket
ProxyPassReverse /socket.io/?EIO=2&transport=websocket http://localhost:8082/socket.io/?EIO=2&transport=websocket
ProxyPass /socket.io/ http://localhost:8082/socket.io/
ProxyPassReverse /socket.io/ http://localhost:8082/socket.io/
and:
RewriteRule /socket.io/?EIO=([0-9]+)&transport=websocket ws://localhost:8082/socket.io/ [QSA,P]
ProxyPass /socket.io/ http://localhost:8082/socket.io/
ProxyPassReverse /socket.io/ http://localhost:8082/socket.io/
I've gathered from my googling that ProxyPass and Locations can't target query strings, so is there any other option here? The paths are hard-coded into socket.io, so short of forking the entire library I can't change them.
Source: (StackOverflow)
I think many of you have actually heard of Google's Certificate Transparency initiative. Now the initiative involves a public log of all certificates issued by some CA. As this is some amount of work, not all CAs have set it up yet. For example StartCom already said that it's hard to set it up from their side and a proper set up will take them months. In the mean time all the EV certificates are "downgraded" to "standard certificates" by Chrome.
Now it was stated that there are three ways of providing the necessary records to prevent downgrading:
- x509v3 extensions, clearly only possible to the CA
- TLS extension
- OCSP stapling
Now I think that the second and the third require (no?) interaction from the issuing CA.
So the question:
Can I set up certificate transparency support with my apache webserver if my CA doesn't support it and how can I do so if it's possible?
Source: (StackOverflow)
EDIT #2 July 23, 2015: Looking for a new answer that identifies an important security item missed in the below setup or can give reason to believe everything's covered.
EDIT #3 July 29, 2015: I'm especially looking for a possible misconfiguration like inadvertently permitting something that could be exploited to circumvent security restrictions or worse yet leaving something wide open.
This is multi-site / shared hosting setup and we want to use a shared Apache instance (i.e. runs under one user account) but with PHP / CGI running as each website's user to ensure no site can access another site's files, and we want to make sure nothing's being missed (e.g. if we didn't know about symlink attack prevention).
Here's what I have so far:
- Make sure PHP scripts run as the website's Linux user account and group, and are either jailed (such as using CageFS) or at least properly restricted using Linux filesystem permissions.
- Use suexec to ensure that CGI scripts can't be run as the Apache user.
- If needing server-side include support (such as in shtml files), use
Options IncludesNOEXEC
to prevent CGI from being able to be run when you don't expect it to (though this shouldn't be as much of a concern if using suexec).
- Have symlink attack protection in place so a hacker can't trick Apache into serving up another website's files as plaintext and disclosing exploitable information like DB passwords.
- Configure
AllowOverride
/ AllowOverrideList
to only allow any directives that a hacker couldn't exploit. I think this is less of a concern if the above items are done properly.
I'd go with MPM ITK if it wasn't so slow and didn't run as root, but we're specifically wanting to use a shared Apache yet make sure it's done securely.
I found http://httpd.apache.org/docs/2.4/misc/security_tips.html, but it wasn't comprehensive on this topic.
If it's helpful to know, we're planning to use CloudLinux with CageFS and mod_lsapi.
Is there anything else to make sure to do or know about?
EDIT July 20, 2015: People have submitted some good alternate solutions which are valuable in general, but please note that this question is targeted only regarding the security of a shared Apache setup. Specifically is there something not covered above which could let one site access another site's files or compromise other sites somehow?
Thanks!
Source: (StackOverflow)
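Items 2 to 5 of the checklist above all come down to what a tenant's `<Directory>` block permits and what `.htaccess` is allowed to change back. The following is an added example, not from the original post or the Apache project: a per-site audit that flags symlink following without `SymLinksIfOwnerMatch`, `Includes` instead of `IncludesNOEXEC`, `ExecCGI` in a vhost with no `SuexecUserGroup`, and an `AllowOverride` broad enough for `.htaccess` to re-enable any of those. The two vhosts and the `AllowOverrideList` policy are constructed for the example.

```python
import re

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)


def _options(directives):
    """Resolve Options lines the way httpd does: a bare list replaces, +/- adjusts."""
    opts = set()
    for d in directives:
        words = d.split()
        if words[0].lower() != "options":
            continue
        if not all(w[0] in "+-" for w in words[1:]):
            opts = set()
        for w in words[1:]:
            name = w.lstrip("+-").lower()
            if w.startswith("-"):
                opts.discard(name)
            else:
                opts.add(name)
    return opts


def _allowoverride(directives):
    for d in directives:
        words = d.split()
        if words[0].lower() == "allowoverride":
            return {w.lower() for w in words[1:]}
    return set()


def audit_shared_hosting(conf):
    has_suexec = "suexecusergroup" in conf.lower()
    findings = []
    for m in DIRECTORY_RE.finditer(conf):
        path = m.group(1)
        directives = [l.strip() for l in m.group(2).splitlines()
                      if l.strip() and not l.strip().startswith("#")]
        opts = _options(directives)
        override = _allowoverride(directives)
        if "followsymlinks" in opts and "symlinksifownermatch" not in opts:
            findings.append(f"{path}: FollowSymLinks lets a tenant link to files of another site; use SymLinksIfOwnerMatch (item 4)")
        if "includes" in opts:
            findings.append(f"{path}: Includes permits <!--#exec -->; use IncludesNOEXEC (item 3)")
        if "execcgi" in opts and not has_suexec:
            findings.append(f"{path}: ExecCGI without SuexecUserGroup runs CGI as the Apache user (item 2)")
        if "all" in override or "options" in override:
            which = "All" if "all" in override else "Options"
            findings.append(f"{path}: AllowOverride {which} lets .htaccess re-enable the options above; restrict it or use AllowOverrideList (item 5)")
    return findings


# Constructed: a tenant vhost with every switch in the wrong position.
WEAK_SITE = """
<VirtualHost *:80>
ServerName site2.example
DocumentRoot /var/www/site2/public
<Directory /var/www/site2/public>
Options FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
"""

# Constructed: the same vhost hardened; the AllowOverrideList names are an
# example policy (redirects and rewrites only), not a recommendation for all sites.
HARDENED_SITE = """
<VirtualHost *:80>
ServerName site1.example
SuexecUserGroup site1 site1
DocumentRoot /var/www/site1/public
<Directory /var/www/site1/public>
Options -FollowSymLinks +SymLinksIfOwnerMatch +IncludesNOEXEC +ExecCGI
AllowOverride AuthConfig Limit
AllowOverrideList Redirect RedirectMatch RewriteEngine RewriteRule RewriteCond
Require all granted
</Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label)
        for f in audit_shared_hosting(conf) or ["ok"]:
            print("  ", f)
```

`SymLinksIfOwnerMatch` is the Apache-level control but not a complete one: the ownership check is subject to a rename race, which is why item 4 in the checklist asks for protection below Apache (CageFS or a kernel-level symlink restriction) rather than relying on the option alone.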
I currently have a server which automatically redirects all HTTP requests to the equivalent HTTPS site.
The problem is that it seems like some browsers do not accept the SSL certificate (StartSSL.com) or do not support SNI, therefore they get a certificate warning and the user won't continue surfing on the website.
Is there any mechanism that tries to make the browser use HTTPS instead of plain HTTP and, when that doesn't work (e.g. the certificate is not accepted or SNI is not supported), continues using HTTP?
Currently I'm using Apache 2.4 with multiple virtual hosts that all redirect the HTTP connection with Redirect / https://domain.example/.
Source: (StackOverflow)
Currently on my Apache 2 (Apache 2.4.7 to be exact) on Ubuntu 14.04, I have this setting:
/etc/apache2/mods-enabled/mpm_prefork.conf
<IfModule mpm_prefork_module>
StartServers 20
MinSpareServers 100
MaxSpareServers 250
MaxRequestWorkers 150
MaxConnectionsPerChild 0
</IfModule>
The server is an 8GB (RAM) Amazon server that does nothing more than load up a three-page signup form for some Google ad campaigns.
I found a script called apachetuneit.sh on the web, but then after a while Apache was reporting this error:
[Tue Apr 21 16:45:42.227935 2015] [mpm_prefork:error] [pid 1134] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
How can I judge how to set these settings?
I am asking specifically only for how to tune Apache 2.4 and nothing else. This is why this question is different than this question.
Source: (StackOverflow)
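The prefork numbers follow from memory, not from a script: the worker cap is what is left after the OS, database and page cache get their share, divided by the size of one child. The following is an added example, not from the original post or the Apache project: it reads child RSS from `ps -ylC apache2 --sort=rss` output, derives a prefork block for the 8 GB machine in the post, and checks a config for the relationships httpd enforces or silently adjusts. The `ps` listing, the 1 GB reservation and the 90% headroom are constructed for the example.

```python
# Constructed sample of `ps -ylC apache2 --sort=rss` output; RSS is in KiB.
SAMPLE_PS = """\
S   UID   PID  PPID  C PRI  NI   RSS    SZ WCHAN  TTY          TIME CMD
S     0  1134     1  0  80   0 15820 18600 -      ?        00:00:01 apache2
S    33  1201  1134  0  80   0 38912 32040 -      ?        00:00:00 apache2
S    33  1202  1134  0  80   0 41984 32040 -      ?        00:00:00 apache2
S    33  1203  1134  0  80   0 44032 32040 -      ?        00:00:00 apache2
"""

# The poster's current values, for the sanity check.
POST_CONF = {"StartServers": 20, "MinSpareServers": 100, "MaxSpareServers": 250,
             "MaxRequestWorkers": 150, "MaxConnectionsPerChild": 0}


def child_rss_kib(ps_output):
    """RSS in KiB of each worker child; skips the header and the root-owned parent."""
    rss = []
    for line in ps_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 8 and cols[1] != "0":
            rss.append(int(cols[7]))
    return rss


def prefork_settings(total_ram_mib, reserved_mib, rss_kib, headroom=0.9):
    """MaxRequestWorkers = memory left after the reservation, scaled by headroom,
    divided by the largest observed child. The largest child rather than the
    average is used because under sustained load children converge on the worst case."""
    worst_child_mib = max(rss_kib) / 1024
    usable_mib = (total_ram_mib - reserved_mib) * headroom
    workers = int(usable_mib // worst_child_mib)
    return {
        "StartServers": max(5, workers // 10),
        "MinSpareServers": max(5, workers // 10),
        "MaxSpareServers": max(10, workers // 5),
        "ServerLimit": workers,          # prefork lowers MaxRequestWorkers to ServerLimit
        "MaxRequestWorkers": workers,
        "MaxConnectionsPerChild": 1000,  # recycle children so a mod_php leak stays bounded
    }


def check_prefork(conf):
    """Relationships httpd enforces or silently adjusts, surfaced as findings."""
    findings = []
    if conf["MinSpareServers"] > conf["MaxSpareServers"]:
        findings.append("MinSpareServers > MaxSpareServers: httpd raises MaxSpareServers to MinSpareServers + 1")
    if conf["MaxSpareServers"] > conf["MaxRequestWorkers"]:
        findings.append("MaxSpareServers above MaxRequestWorkers: once a spike spawns the full set, idle children are never reaped and memory stays at the ceiling")
    if conf.get("ServerLimit", 256) < conf["MaxRequestWorkers"]:
        findings.append("MaxRequestWorkers above ServerLimit is lowered to ServerLimit (httpd logs a warning)")
    if conf["MaxConnectionsPerChild"] == 0:
        findings.append("MaxConnectionsPerChild 0: children are never recycled, so a per-request leak grows without bound")
    return findings


def render_prefork(conf):
    body = "\n".join(f"    {k} {v}" for k, v in conf.items())
    return f"<IfModule mpm_prefork_module>\n{body}\n</IfModule>"


if __name__ == "__main__":
    print("poster's config:", check_prefork(POST_CONF))
    proposal = prefork_settings(8192, 1024, child_rss_kib(SAMPLE_PS))
    print(render_prefork(proposal))
    print("proposal:", check_prefork(proposal) or "ok")
```

The AH00161 message in the post is the cap doing its job; the question to answer before raising it is whether `MaxRequestWorkers` children of the observed size fit in RAM, and the function above is that arithmetic with the reservation made explicit.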
I'm trying to test a patch for the poodle vulnerability that involves disabling SSLv3 on my web server. In order to test this on a non-production environment first, I'm setting the SSLProtocol on a VirtualHost for a different test server. My config looks something like this:
<VirtualHost *:443>
SSLEngine On
SSLProtocol All -SSLv2 -SSLv3
ServerName test.mysite.com
# bunch of other stuff omitted
</VirtualHost>
However even after restarting apache my test site is still claimed to be vulnerable. Is this expected to work? I'm wondering if I have to set it in the global ssl config or whether there's something else subtle that's causing the setting not to take and/or work.
Source: (StackOverflow)
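Whether the vhost-level `SSLProtocol` takes effect is a question of scope and of which vhost answers the handshake: a vhost without its own `SSLProtocol` inherits the server-wide value, and a client that sends no SNI (older browsers and some scanners) is answered by the first vhost listed for that address and port, not by test.mysite.com. The following is an added example, not from the original post or the Apache project: it computes the protocol list every SSL vhost ends up with after inheritance, so a `-SSLv3` that lives in only one `<VirtualHost>` shows up as the gap it is. The two configs are constructed; the protocol names assume an OpenSSL 1.0.x build as in the post, where `all` means SSLv3 plus TLS 1.0 to 1.2.

```python
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}   # 'all' in 2.4: everything but SSLv2


def _directive(body, name):
    """Value of the last occurrence of a directive in a config fragment, or None."""
    value = None
    for line in body.splitlines():
        words = line.strip().split(None, 1)
        if words and words[0].lower() == name.lower():
            value = words[1] if len(words) > 1 else ""
    return value


def expand_protocols(setting):
    """Apply an SSLProtocol value left to right: 'all', '+name', '-name', 'name'."""
    enabled = set()
    for tok in setting.split():
        name = tok.lstrip("+-").lower()
        names = set(ALL_PROTOCOLS) if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled


def effective_ssl_protocols(conf):
    """ServerName -> enabled protocols for every vhost with SSLEngine on. A vhost
    without its own SSLProtocol inherits the server-wide one (mod_ssl default: all)."""
    server_wide = _directive(VHOST_RE.sub("", conf), "SSLProtocol") or "all"
    result = {}
    for m in VHOST_RE.finditer(conf):
        addr, body = m.group(1).strip(), m.group(2)
        if (_directive(body, "SSLEngine") or "").lower() != "on":
            continue
        name = _directive(body, "ServerName") or addr
        result[name] = expand_protocols(_directive(body, "SSLProtocol") or server_wide)
    return result


def vhosts_still_offering_sslv3(conf):
    return [name for name, protos in effective_ssl_protocols(conf).items() if "sslv3" in protos]


# Constructed: the post's pattern, SSLv3 removed in the test vhost only. The
# first vhost on *:443 is also the one that answers clients sending no SNI.
PATCHED_ONE_VHOST = """
SSLProtocol all -SSLv2
<VirtualHost *:443>
SSLEngine On
ServerName www.mysite.com
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
SSLProtocol All -SSLv2 -SSLv3
ServerName test.mysite.com
</VirtualHost>
"""

# Constructed: the fix applied server-wide and inherited by every vhost.
PATCHED_GLOBALLY = """
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:443>
SSLEngine On
ServerName www.mysite.com
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
ServerName test.mysite.com
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("one vhost patched", PATCHED_ONE_VHOST), ("patched globally", PATCHED_GLOBALLY)):
        print(label)
        for name, protos in effective_ssl_protocols(conf).items():
            print("  ", name, sorted(protos))
        print("   still offering SSLv3:", vhosts_still_offering_sslv3(conf) or "none")
```

To confirm the result on the wire, run `openssl s_client -connect test.mysite.com:443 -servername test.mysite.com -ssl3` from an OpenSSL build that still has SSLv3 compiled in, and repeat without `-servername` to see what a client without SNI is offered; a failed handshake in both cases is the outcome you want.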