Archive for the ‘Web Server’ Category

Creating a virtual host in Apache is very easy. In 2.4 it becomes easier still, because Apache processes name-based virtual hosts automatically and the NameVirtualHost directive no longer has any effect.

I assume you have read this nice guide: https://httpd.apache.org/docs/2.4/vhosts/examples.html

If it’s still not working, set SELinux to permissive.


openssl s_client -connect www.example.com:443 -tls1_2
nmap --script ssl-enum-ciphers -p 443 www.example.com

Credit: http://serverfault.com/questions/638691/how-can-i-verify-if-tls-1-2-is-supported-on-a-remote-web-server-from-the-rhel-ce

Background: We have a load balancer powered by LVS + ldirectord. You can find the guide on how to set it up yourself here.

Recently, when we increased the web server pool to 10 servers, we found that the load was not perfectly balanced. After reading some documentation, we found that it could be related to LVS persistence.

Below are some very interesting findings.

quiescent = yes|no

If yes, then when real or failback servers are determined to be down,
they are not actually removed from the kernel’s LVS table. Rather,
their weight is set to zero which means that no new connections will be
accepted.

This has the side effect, that if the real server has persistent
connections, new connections from any existing clients will continue to
be routed to the real server, until the persistent timeout can expire.
See ipvsadm for more information on persistent connections.

This side-effect can be avoided by running the following:

echo 1 > /proc/sys/net/ipv4/vs/expire_quiescent_template

If the proc file isn’t present this probably means that the kernel
doesn’t have LVS support, LVS support isn’t loaded, or the kernel is
too old to have the proc file. Running ipvsadm as root should load LVS
into the kernel if it is possible.

If no, then the real or failback servers will be removed from the
kernel’s LVS table. The default is yes.

If defined in a virtual server section then the global value is
overridden.

Default: yes

net.ipv4.vs.expire_nodest_conn=0

maintain entry in table (but silently drop any packets sent), allowing service to continue if the ipvsadm table entries are restored.

net.ipv4.vs.expire_nodest_conn=1

expire the entry in table immediately and inform client that connection is closed. This is the expected behaviour by some people when running `ipvsadm -C`

expire_quiescent_template - BOOLEAN

0 - disabled (default)
not 0 - enabled

When set to a non-zero value, the load balancer will expire
persistent templates when the destination server is quiescent. This
may be useful, when a user makes a destination server quiescent by
setting its weight to 0 and it is desired that subsequent otherwise
persistent connections are sent to a different destination server.
By default new persistent connections are allowed to quiescent
destination servers.

If this feature is enabled, the load balancer will expire the
persistence template if it is to be used to schedule a
new connection and the destination server is quiescent.

Sources:

http://linux.die.net/man/8/ipvsadm

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.persistent_connection.html
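To make the interaction between quiescent servers and persistence templates concrete, here is a small Python model of IPVS persistence, added here and not taken from ldirectord or the HOWTO: two real servers, one client pinned by a template, and the pinned server quiesced by setting its weight to 0, once with expire_quiescent_template off and once with it on. The server names, the 360 s persistence timeout and the plain round-robin choice are constructed for the example.

```python
import itertools


class Lvs:
    """Toy model of IPVS persistence (constructed; not ipvsadm or ldirectord).
    Weight 0 marks a real server quiescent; a client's first connection creates
    a template pinning it to one server for persist_timeout seconds."""

    def __init__(self, weights, persist_timeout=360, expire_quiescent_template=0):
        self.weights = dict(weights)                 # real server -> weight
        self.timeout = persist_timeout
        self.expire_quiescent = expire_quiescent_template  # the sysctl knob
        self.templates = {}                          # client -> (real server, expiry)
        self._rr = itertools.cycle(sorted(self.weights))

    def set_weight(self, rs, weight):
        # quiescent=yes keeps the server in the table and only zeroes its weight
        self.weights[rs] = weight

    def _schedule(self):
        # round robin over the servers that still accept new connections
        if not any(w > 0 for w in self.weights.values()):
            raise RuntimeError("no real server available")
        for rs in self._rr:
            if self.weights[rs] > 0:
                return rs

    def connect(self, client, now):
        """Return the real server a new connection from client is sent to."""
        if client in self.templates:
            rs, expiry = self.templates[client]
            quiesced = self.weights[rs] == 0 and self.expire_quiescent
            if now >= expiry or quiesced:
                del self.templates[client]           # template expires (or is forced to)
            else:
                self.templates[client] = (rs, now + self.timeout)  # timer refreshed
                return rs                            # sticky even though weight is 0
        rs = self._schedule()
        self.templates[client] = (rs, now + self.timeout)
        return rs


def demo(expire_quiescent_template):
    """Pin client-a with a first connection, quiesce that server, connect again."""
    lb = Lvs({"rs1": 1, "rs2": 1}, expire_quiescent_template=expire_quiescent_template)
    first = lb.connect("client-a", now=0)
    lb.set_weight(first, 0)
    return first, lb.connect("client-a", now=10)


if __name__ == "__main__":
    print(demo(0))   # ('rs1', 'rs1'): still routed to the quiesced server
    print(demo(1))   # ('rs1', 'rs2'): template expired, client rescheduled
```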

Chrome gave me the above error when I moved our self-hosted bootstrap.js to S3.

Fixing this is very easy: log in to the S3 console, click the bucket and, under Permissions, click Add CORS Configuration.

S3 provides a sample configuration in the popup dialog; just update the AllowedOrigin element to your domain. You can have multiple AllowedOrigin elements. For example, the result could be:

    <CORSConfiguration>
        <CORSRule>
            <AllowedOrigin>http://www.yourdomain.com</AllowedOrigin>
            <AllowedOrigin>https://www.anotherdomain.com</AllowedOrigin>
            <AllowedMethod>GET</AllowedMethod>
            <MaxAgeSeconds>3000</MaxAgeSeconds>
            <AllowedHeader>Authorization</AllowedHeader>
        </CORSRule>
    </CORSConfiguration>
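An added Python check (not AWS code) that evaluates a request against a CORSConfiguration the way S3 does, using the first CORSRule that matches and allowing one * wildcard in AllowedOrigin and AllowedHeader, so you can see before deploying which origins the rule above lets through. It assumes header-name matching is case-insensitive and embeds the sample configuration shown above.

```python
import xml.etree.ElementTree as ET

# The sample configuration from above, embedded so the check runs offline
CORS_XML = """<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>http://www.yourdomain.com</AllowedOrigin>
        <AllowedOrigin>https://www.anotherdomain.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>"""


def _match(pattern, value):
    """S3 allows at most one '*' in AllowedOrigin/AllowedHeader; treat it as prefix + suffix."""
    if "*" not in pattern:
        return pattern == value
    head, _, tail = pattern.partition("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def matching_rule(cors_xml, origin, method, request_headers=()):
    """Index of the first CORSRule admitting the request, or None if S3 would refuse it.
    origin is the request's Origin header (scheme included); request_headers are the
    names from Access-Control-Request-Headers on a preflight (assumed case-insensitive)."""
    root = ET.fromstring(cors_xml)
    for index, rule in enumerate(root.findall("CORSRule")):
        origins = [e.text for e in rule.findall("AllowedOrigin")]
        methods = [e.text for e in rule.findall("AllowedMethod")]
        headers = [e.text.lower() for e in rule.findall("AllowedHeader")]
        if not any(_match(o, origin) for o in origins):
            continue                       # scheme and host must both match
        if method not in methods:
            continue
        if not all(any(_match(h, rh.lower()) for h in headers) for rh in request_headers):
            continue                       # every requested header must be allowed
        return index
    return None


if __name__ == "__main__":
    for origin in ("http://www.yourdomain.com", "https://www.yourdomain.com"):
        print(origin, "->", matching_rule(CORS_XML, origin, "GET"))
```

Note that the scheme is part of the origin, so the http:// entry above does not cover https:// requests for the same host.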

You may receive the following error when you restart your Apache web server:

apr_sockaddr_info_get() failed for xxxxxx
apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1 for ServerName

Fixing this error is very simple: set the ServerName in httpd.conf, for example:

ServerName localhost

http://www.lullabot.com/blog/article/installing-memcached-redhat-or-centos

We are required to enable HttpOnly on all our servers, because a cookie without it can be read by script and is exposed in an XSS attack. For more information on HttpOnly, please read https://www.owasp.org/index.php/HttpOnly.

It’s very easy to enable it globally in .Net and Apache/PHP.

.Net 2.0+

Add the following line to the system.web section of web.config:

<httpCookies httpOnlyCookies="true" />

Apache

Add the following line to httpd.conf (make sure mod_headers is enabled):

Header edit Set-Cookie ^(.*)$ $1;HttpOnly


The sad story is that one of our legacy servers is running classic ASP…

I googled for a few days and could not find a working solution. Microsoft has an example of how to set a cookie to HttpOnly through an ISAPI filter (http://msdn.microsoft.com/en-us/library/ms972826), but it only works for the single-cookie situation, which means no cookie at all, because there is already one by default: ASPSESSIONIDxxxx.

After reading some documentation, I modified the Microsoft example to make it work for multiple cookies.

First, you need to create a new Win32 Dynamic-Link Library project in Visual C++ 6.0 and create two files: httponly.cpp and httponly.def. Below is the source code for both files.

httponly.cpp

#define STRSAFE_NO_DEPRECATE

#include <windows.h>
#include <httpfilt.h>
#include "tchar.h"
#include "strsafe.h"

BOOL WINAPI GetFilterVersion(HTTP_FILTER_VERSION *pVer)
{
    // Only the response-header notification is needed to rewrite Set-Cookie
    pVer->dwFlags = SF_NOTIFY_SEND_RESPONSE;
    pVer->dwFilterVersion = HTTP_FILTER_REVISION;
    StringCchCopy(pVer->lpszFilterDesc, sizeof(pVer->lpszFilterDesc),
                  "HttpOnly Filter, Version 1.0");
    return TRUE;
}

// Appends HttpOnly to every Set-Cookie header of the outgoing response
DWORD WINAPI HttpFilterProc(
    PHTTP_FILTER_CONTEXT pfc,
    DWORD dwNotificationType,
    LPVOID pvNotification)
{
    // Hard coded cookie length (2k bytes) for the combined Set-Cookie value
    CHAR szCookie[2048];
    DWORD cbCookie = sizeof(szCookie) / sizeof(szCookie[0]);
    // Room for the longest single cookie plus "; HttpOnly"
    CHAR outCookie[sizeof(szCookie) + 16];
    CHAR szHeader[] = "Set-Cookie:";
    char *token;
    char *semi;
    const char *suffix;

    if (dwNotificationType != SF_NOTIFY_SEND_RESPONSE) {
        return SF_STATUS_REQ_NEXT_NOTIFICATION;
    }

    HTTP_FILTER_SEND_RESPONSE *pResponse =
        (HTTP_FILTER_SEND_RESPONSE *)pvNotification;

    // IIS hands back all Set-Cookie headers as one comma-joined value
    if (pResponse->GetHeader(pfc, szHeader, szCookie, &cbCookie)) {
        // Drop the combined header; each cookie is re-added below with HttpOnly
        pResponse->SetHeader(pfc, szHeader, "");

        // Note: a comma inside an Expires= date would be split here as well
        token = strtok(szCookie, ",");
        while (token != NULL) {
            // Reuse the separator if the cookie already ends with ';'
            semi = strrchr(token, ';');
            suffix = (semi != NULL && semi[1] == '\0') ? " HttpOnly" : "; HttpOnly";

            // Fail securely: a cookie that does not fit the buffer is not sent at all
            if (SUCCEEDED(StringCchCopy(outCookie, sizeof(outCookie), token)) &&
                SUCCEEDED(StringCchCat(outCookie, sizeof(outCookie), suffix))) {
                pResponse->AddHeader(pfc, szHeader, outCookie);
            }
            token = strtok(NULL, ",");
        }
    }

    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}

httponly.def

LIBRARY HttpOnly
EXPORTS
    GetFilterVersion
    HttpFilterProc

For information on how to create an ISAPI filter using Visual C++, you can refer to http://blogs.msdn.com/b/david.wang/archive/2005/12/19/howto-compile-and-use-my-isapi-code-samples.aspx.
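As an added example (not the author's filter or Microsoft's sample), the same rewriting in Python for both the Apache Header edit rule above and the ISAPI filter's comma-joined Set-Cookie input: it splits only on commas that start a new cookie, so an Expires date stays intact, and it never adds HttpOnly twice. The sample cookie values are constructed.

```python
import re

# A comma starts a new cookie only when a "name=" pair follows it; the comma inside
# an Expires= date ("Wed, 09 Jun 2021 ...") is followed by a bare day number instead.
_COOKIE_SPLIT = re.compile(r",(?=\s*[^=;,\s]+=)")


def split_set_cookie(combined):
    """Split the comma-joined Set-Cookie value IIS hands to an ISAPI filter into cookies."""
    return [c.strip() for c in _COOKIE_SPLIT.split(combined) if c.strip()]


def add_httponly(cookie):
    """Append HttpOnly to one Set-Cookie value unless the attribute is already present."""
    attrs = [a.strip().lower() for a in cookie.split(";")]
    if "httponly" in attrs:
        return cookie
    return cookie.rstrip("; ") + "; HttpOnly"   # also copes with a trailing ';'


def apache_header_edit(cookie):
    """What `Header edit Set-Cookie ^(.*)$ $1;HttpOnly` does to one header value."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly", cookie)


def filter_combined(combined):
    """The ISAPI filter's job done safely: one HttpOnly cookie per input cookie."""
    return [add_httponly(c) for c in split_set_cookie(combined)]


if __name__ == "__main__":
    # constructed sample: a classic ASP session cookie plus a cookie carrying an Expires date
    sample = ("ASPSESSIONIDABCDEFGH=XYZ123; path=/, "
              "pref=1; expires=Wed, 09 Jun 2021 10:18:14 GMT; path=/")
    for cookie in filter_combined(sample):
        print(cookie)
```

The Apache rule and the C++ filter above both append HttpOnly unconditionally, so a cookie the application already marked HttpOnly ends up with the attribute twice (browsers tolerate this), and the filter's strtok on ',' would also split the comma inside an Expires= date, which is why the split here looks ahead for name=.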