Slusar,Michael | 23 Jul 16:25 2014

Forcing 256-bit AES encryption on server

Does anyone know how to set up SSL options in httpd.conf or ssl.conf? I am trying to force the server to use 256-bit AES encryption when the client/server hello handshake is performed.
 
Michael Slusar | Cerner Corporation |
michael.slusar <at> cerner.com
www.cerner.com
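The following is an added example (the editor's, not configuration from the post or from Cerner) of a mod_ssl virtual host that offers only AES-256 cipher suites, with the weaker starting point shown in comments for contrast. The hostname and certificate paths are placeholders; the directives themselves are standard mod_ssl.

```apache
# Added example: put this in the SSL virtual host (ssl.conf or httpd.conf).
# Hostname and certificate paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key

    # Weak starting point (typical 2014 distribution default):
    #   SSLProtocol all -SSLv2
    #   SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    # That string still admits RC4, 3DES and AES-128, and with the default
    # SSLHonorCipherOrder off the *client's* preference picks the suite.

    # Hardened: TLS only, and every suite that remains uses 256-bit AES.
    SSLProtocol all -SSLv2 -SSLv3

    # "AES256" is an OpenSSL cipher-list keyword that matches every suite
    # using AES-256. Forward-secret ECDHE/DHE suites are listed first; the
    # exclusions remove anonymous DH, null encryption and MD5 MACs.
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256:!aNULL:!eNULL:!MD5

    # Make the server's order above win over the client's preference.
    SSLHonorCipherOrder on
</VirtualHost>
```

After `apachectl configtest` and a restart, `openssl ciphers -v 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256:!aNULL:!eNULL:!MD5'` shows exactly which suites the string expands to on the server's OpenSSL, and `openssl s_client -connect www.example.com:443 -cipher AES128` should end in a handshake failure rather than a session. The trade-off is deliberate: a client that offers no AES-256 suite cannot connect at all, and the GCM/SHA384 suites need TLS 1.2 on both sides.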
Mark jensen | 22 Jul 17:20 2014

How to allow a directory and don't allow a sub-directory?

I want to allow a directory " /var/www/html/ldap" to two users according to IPs (192.168.1.2 192.168.1.7):

<Directory /var/www/html/ldap>
      Order allow,deny
      Allow from 192.168.1.2 192.168.1.7
      Satisfy any
      AuthName "LDAP Authentication"
      AuthType Basic

      AuthBasicProvider ldap
      AuthzLDAPauthoritative off
      AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
      Require valid-user
</Directory>

but I don't want to allow a sub-directory to 192.168.1.7 (I want it to be allowed only to 192.168.1.2):

I have tried to add:

<Directory /var/www/html/ldap//manager>
      Order allow,deny
      Allow from 192.168.1.2
      Satisfy any
      AuthName "LDAP Authentication"
      AuthType Basic

      AuthBasicProvider ldap
      AuthzLDAPauthoritative off
      AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
      Require valid-user
</Directory>

but it seems that 192.168.1.7 can reach the manager directory because it is part of the ldap directory. How can I forbid this?
Mark jensen | 22 Jul 16:38 2014

After authentication, how to authorize users according to IP (or host)?

According to this page: http://httpd.apache.org/docs/current/mod/mod_authz_host.html , we can authorize the users after authentication. Is this true?

My problem is that I'm trying to authenticate all my users (using LDAP) except some IPs. It has worked well:

<Directory /var/www/html/ldap>
      Order allow,deny
      Allow from 192.168.1.2 192.168.1.7
      Satisfy any
      AuthName "LDAP Authentication"
      AuthType Basic

      AuthBasicProvider ldap
      AuthzLDAPauthoritative off
      AuthLDAPURL ldap://192.168.1.3/dc=hiast,dc=com?uid?sub?(objectClass=*)
      Require host
</Directory>

but when I add this line "Require ip 192.168.1.2"

<Directory /var/www/html/ldap>
      Order allow,deny
      Allow from 192.168.1.2 192.168.1.7
      Satisfy any
      AuthName "LDAP Authentication"
      AuthType Basic
      Require ip 192.168.1.2
      AuthBasicProvider ldap
      AuthzLDAPauthoritative off
      AuthLDAPURL ldap://192.168.1.3/dc=hiast,dc=com?uid?sub?(objectClass=*)
      Require valid-user
</Directory>


Apache lets 192.168.1.2 and 192.168.1.7 enter the directory, so where is the authorization? How can I make this directory available only to 192.168.1.2 and not to 192.168.1.7?
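The two questions above (restricting a sub-directory to one address, and combining a `Require ip` with LDAP authentication) have the same root cause, so one added example covers both. Both posted configurations mix the 2.2-style `Order`/`Allow`/`Satisfy` directives with 2.4-style `Require`: `Satisfy any` makes the `Allow from` list sufficient on its own, and in 2.4 several bare `Require` lines in one section are an implicit `RequireAny`, so `Require ip 192.168.1.2` beside `Require valid-user` means "either". The configuration below is the editor's, not from the posts, and is written purely in Apache 2.4 `mod_authz_core` syntax; it assumes `mod_authz_core`, `mod_authz_host`, `mod_authz_user`, `mod_authnz_ldap` and `mod_ldap` are loaded and that `Order`/`Allow`/`Satisfy` (from `mod_access_compat`) are not used in the same sections. The LDAP URL and addresses are the ones from the posts.

```apache
# Added example (Apache 2.4 authorization syntax only).
<Directory /var/www/html/ldap>
    AuthName "LDAP Authentication"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)

    # The 2.2 "Allow from ...; Satisfy any; Require valid-user" intent:
    # either the client address is on the list OR the user logs in.
    <RequireAny>
        Require ip 192.168.1.2 192.168.1.7
        Require valid-user
    </RequireAny>
</Directory>

# Auth* directives are inherited by the sub-directory, but the Require
# block is not merged with the parent's (AuthMerging Off is the default):
# what is written here replaces the parent's authorization completely.
<Directory /var/www/html/ldap/manager>
    # Only 192.168.1.2 reaches /manager, AND it must still log in via LDAP.
    <RequireAll>
        Require ip 192.168.1.2
        Require valid-user
    </RequireAll>
    # If the address alone should suffice (no login prompt), replace the
    # RequireAll block with the single line:  Require ip 192.168.1.2
</Directory>
```

Two checks worth doing: run `apachectl configtest`, since `AuthzLDAPauthoritative` is a 2.2 directive that 2.4 no longer accepts and the error tells you which version is actually installed; and request `/ldap/manager/` from 192.168.1.7 without credentials, which should now get 403 rather than a login prompt. On a 2.2 server that cannot be upgraded, the equivalent for the sub-directory is `Satisfy all` together with `Allow from 192.168.1.2` and `Require valid-user`, which requires both conditions instead of either.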
Rose, John B | 21 Jul 20:47 2014

Keeping an archive of httpd processes

Any suggestions on a mechanism to archive httpd processes over a couple of months?

The idea being to see the peak number of httpd processes reached during, say, 2 months?

Thanks
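One mechanism, as an added example rather than a reply from the list: httpd already keeps the worker count in its scoreboard and exposes it through mod_status, so the archive can be a periodic sample of that. The configuration is the editor's; the location path and the poller address are assumptions.

```apache
# Added example: expose the scoreboard to a local poller only.
LoadModule status_module modules/mod_status.so

# ExtendedStatus adds per-worker detail (request line, client, CPU);
# the worker counts themselves are available without it.
ExtendedStatus On

<Location "/server-status">
    SetHandler server-status
    # This page leaks client addresses, request URLs and server internals.
    # Restrict it to the host doing the polling; never "Require all granted".
    Require ip 127.0.0.1 ::1
</Location>
```

The machine-readable form is `http://127.0.0.1/server-status?auto`, whose output includes `BusyWorkers:` and `IdleWorkers:` lines; a one-line cron job every minute that runs `curl -s 'http://127.0.0.1/server-status?auto' | grep -E '^(Busy|Idle)Workers:'` and appends the result with a timestamp to a log file gives about 86,000 samples over two months, from which the peak is a one-line sort. Caveat: with the prefork MPM each worker is a process, so Busy + Idle is the child count you are after; with worker or event the figures are threads, and the process count is the smaller number in the `Scoreboard` line or in `ps`.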
Mark jensen | 21 Jul 17:39 2014

RE: How to set a custom DNS to Apache?


Dear Richard, thanks for your reply.

> At a content delivery level, apache and squid are almost
> antithetical. So, while squid may find it desirable/necessary to
> play DNS games as part of meeting its content delivery goals, that's
> not something apache needs to do (since if you need to play the
> games you use squid).

> You could, of course, set up a virtual host (at the OS level) and
> put a private DNS server there (along with your apache server). Of
> course, you have to know a decent amount about DNS to be able to
> configure it to do what you're seemingly after anyway.

> In short, controlling apache access by host/domain is at best light
> security. You would be rather better off using IPnumbers instead.

> - Richard

but for me to be sure, can I have two virtual machines, one has DNS and the other has Apache, and configure the machine of Apache to use the DNS of the other machine, all will be good to me?

Thanks again.


Jim Jagielski | 21 Jul 17:03 2014

[ANNOUNCEMENT] Apache HTTP Server 2.4.10 Released

            Apache HTTP Server 2.4.10 Released

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.10 of the Apache
HTTP Server ("Apache").  This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
principally a security, feature and bug fix release.

CVE-2014-0117 (cve.mitre.org)
 mod_proxy: Fix crash in Connection header handling which 
 allowed a denial of service attack against a reverse proxy
 with a threaded MPM.

CVE-2014-3523 (cve.mitre.org)
 Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
 installations). Workaround: AcceptFilter <protocol> {none|connect}

CVE-2014-0226 (cve.mitre.org)
 Fix a race condition in scoreboard handling, which could lead to
 a heap buffer overflow.

CVE-2014-0118 (cve.mitre.org)
 mod_deflate: The DEFLATE input filter (inflates request bodies) now
 limits the length and compression ratio of inflated request bodies to avoid
 denial of service via highly compressed bodies.  See directives
 DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
 and DeflateInflateRatioBurst.

CVE-2014-0231 (cve.mitre.org)
 mod_cgid: Fix a denial of service against CGI scripts that do
 not consume stdin that could lead to lingering HTTPD child processes
 filling up the scoreboard and eventually hanging the server.  By
 default, the client I/O timeout (Timeout directive) now applies to
 communication with scripts.  The CGIDScriptTimeout directive can be
 used to set a different timeout for communication with scripts.

Also in this release are some exciting new features including:

 *) Proxy FCGI and websockets improvements
 *) Proxy capability via handler
 *) Finer control over scoping of RewriteRules
 *) Unix Domain Socket (UDS) support for mod_proxy backends.
 *) Support for larger shared memory sizes for mod_socache_shmcb
 *) mod_lua and mod_ssl enhancements
 *) Support named groups and backreferences within the LocationMatch,
    DirectoryMatch, FilesMatch and ProxyMatch directives.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.4.10 is available for download from:

 http://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase.  For an overview of new features
introduced since 2.4 please see:

 http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.10 includes only
those changes introduced since the prior 2.4 release.  A summary of all 
of the security vulnerabilities addressed in this and earlier releases 
is available:

 http://httpd.apache.org/security/vulnerabilities_24.html

This release requires the Apache Portable Runtime (APR) version 1.5.x
and APR-Util version 1.5.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API.  Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.

 http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
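The announcement names the directives that bound the conditions fixed in this release; the following is an added example (the editor's, not part of the announcement) setting them explicitly, with the weaker state described in comments. The numeric values are assumptions chosen for a typical site.

```apache
# Added example: explicit settings for the 2.4.10 hardening directives.

# CVE-2014-0118: only relevant where request bodies are inflated, i.e.
# where "SetInputFilter DEFLATE" is in effect. Unset, there is no size
# cap on the inflated body.
<IfModule mod_deflate.c>
    # Refuse request bodies that inflate beyond 10 MB ...
    DeflateInflateLimitRequestBody 10485760
    # ... or that expand more than 200:1, tolerating at most 3 bursts
    # above that ratio (200 and 3 are the documented defaults, stated
    # here so the limit is visible in the configuration).
    DeflateInflateRatioLimit 200
    DeflateInflateRatioBurst 3
</IfModule>

# CVE-2014-0231: a CGI script that never reads stdin must not hold a
# child indefinitely. Unset, the Timeout directive's value applies.
<IfModule mod_cgid.c>
    CGIDScriptTimeout 60
</IfModule>

# CVE-2014-3523 workaround from the announcement, for Windows servers
# that cannot yet upgrade (no effect on other platforms).
<IfModule mpm_winnt_module>
    AcceptFilter http none
    AcceptFilter https none
</IfModule>
```

`apachectl configtest` on a pre-2.4.10 build fails on the three `DeflateInflate*` lines and on `CGIDScriptTimeout`, which is a quick way to confirm the running binary is actually the patched release rather than an older one with a new package version string.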
Mark jensen | 21 Jul 01:05 2014

RE: How to set a custom DNS to Apache?

Sorry, I don't understand all of your answer, especially about the 2nd question. In Squid, to set a custom DNS
they add one line to the squid.conf file:

dns-server IP_Address

for example:

dns_server 192.168.1.2 

and all DNS queries will go to this server (192.168.1.2).

Is there anything similar to that in Apache? (I didn't get it from your previous answer.)

Thanks in advance
Mark jensen | 21 Jul 00:18 2014

How to set a custom DNS to Apache?

I have read about authorization in Apache:
Require host example.org
Require host .net example.edu

    This configuration will cause
    Apache to perform a double reverse DNS lookup on the client IP
    address, regardless of the setting of the HostnameLookups directive. 

1- What is the DNS that Apache asks for the IP of the client?
2- Can I change it to let Apache ask a custom DNS (something like DNS-SERVER-IP 192.168.1.10)?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
For additional commands, e-mail: users-help <at> httpd.apache.org
brian | 20 Jul 00:54 2014

Problem with suexec in apache 2.4

I'm getting a 404 when I try to use suexec. I'm using centos 7, apache 2.4.9, and php 5.5.14. I compiled from source.


Here is my virtual host:

-----------------------------------------

<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName tst01.local
    DocumentRoot "/home/tst01/public_html"

    # for suexec
    SuexecUserGroup tst01 tst01
    ScriptAlias /php5-cgi /home/tst01/bin/php-cgi
    Action php5-cgi /php5-cgi
    AddHandler php5-cgi .php

    <Directory /home/tst01/public_html>
        Options Indexes FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>

    <Directory /home/tst01/bin>
        Options Indexes FollowSymLinks ExecCGI
        AllowOverride all
        Require all granted
    </Directory>

    ErrorLog /home/tst01/logs/error.log
    CustomLog /home/tst01/logs/access.log combined
</VirtualHost>

-----------------------------------------


My /etc/hosts has: 10.0.2.15 tst01.local


I have the file /home/tst01/public_html/whoami.php

--------------------------------------------

<?php echo "Output of the 'whoami' command:<br /><br />";
echo exec('/usr/bin/whoami'); ?>

---------------------------------------------

I changed the permissions to 755


The file /home/tst01/bin/php-cgi has:

--------------------------------------------

#!/bin/bash
/usr/local/php5p5/bin/php-cgi "$@"

--------------------------------------------

Its permissions are 755 and the owner is tst01.


In a browser if I go to http://tst01.local/whoami.php. I get a 404 with the msg "The requested URL /php5-cgi/whoami.php was not found on this server".


I can run php without suexec when I link directly to the php in /usr/local.


I'm trying to replace suphp. I'm open to other options.


Brian


Mark jensen | 19 Jul 23:15 2014

Can Apache do a SQL query and authenticate only some users?

Hello

we know that we can protect some pages in our apache server using authentication:

http://httpd.apache.org/docs/2.2/howto/auth.html

but what if I have already authenticated the users using something else and added these users to a DB? Is there a
way to configure Apache to do a query to the database and not ask for credentials if it finds the user in this
DB? In short, can Apache authenticate only some users (which aren't found in the DB) and not ask for
authentication credentials for users that are found in the DB?

Is there any tutorial that will help me in Apache website?
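Apache can check credentials against a SQL table through `mod_authn_dbd`; the following is an added example (the editor's, not from the post or the Apache documentation) of that setup. It assumes `mod_dbd`, `mod_authn_dbd` and the APR `pgsql` driver are loaded; the connection string, the `users` table and its columns are invented for the example.

```apache
# Added example: Basic authentication whose password check is a SQL query.
# Connection pool shared by all vhosts (values are assumptions).
DBDriver pgsql
DBDParams "host=127.0.0.1 dbname=webauth user=httpd password=PLACEHOLDER"
DBDMin 1
DBDKeep 2
DBDMax 8
DBDExptime 300

<Directory "/var/www/html/protected">
    AuthType Basic
    AuthName "Database Authentication"
    AuthBasicProvider dbd
    # %s is bound to the submitted user name. The query must return the
    # stored password hash in its first column, in a form htpasswd produces
    # ($apr1$..., bcrypt, SHA1); never store or compare plaintext here.
    AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s"
    Require valid-user
</Directory>
```

The caveat that matters for the question as asked: a user name only reaches Apache after the browser has been challenged, so "skip the prompt for users who are in the DB" cannot be keyed on the name alone. Users authenticated elsewhere are normally recognized by something the request already carries, either a session cookie issued by that other system (`mod_session` and friends in 2.4) or a client address, which can be combined with the database check as `<RequireAny>` of `Require ip ...` and `Require valid-user`.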

s7r | 19 Jul 15:58 2014

security guidelines for a shared hosting server


Hi,

I need some help in securing a server for shared hosting accounts
(apache virtual hosts).

Among others, I would like to restrict .cgi, .py and .pl scripts from being
run or served by the server, so I think I should put a .htaccess file in
/var/www for restricting, but can't a customer simply put another
.htaccess file in his home folder (a subfolder of /var/www) and overwrite
my rules?

What other things do I need to disable in apache and php (besides
sendmail and curl fopen) in order to make a secure shared hosting server?

Thank you in advance, any help is highly appreciated. Please provide
the exact syntax to input and where to input it.

-- 
Roberto
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
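An added example (the editor's, not a reply from the list) of a server-level baseline for the setup described above. The answer to the `.htaccess` worry is built into Apache: a `.htaccess` file can only change what `AllowOverride` permits, and `AllowOverride` is itself valid only in a `<Directory>` section of the main configuration, never in `.htaccess`, so the restrictions below belong in httpd.conf, not in a `.htaccess` under /var/www. Paths and the customer vhost are assumptions.

```apache
# Added example: shared-hosting baseline in the main configuration.

# 1. Nothing under /var/www runs as CGI or SSI, and a symlink is followed
#    only when its owner matches the target's (stops one customer linking
#    to another customer's files).
<Directory "/var/www">
    Options -ExecCGI -Includes -FollowSymLinks +SymLinksIfOwnerMatch
    # Customers may set auth, Limit and index options in .htaccess but
    # not Options or FileInfo, so they cannot re-enable ExecCGI or map
    # handlers onto script extensions from their own directory.
    AllowOverride AuthConfig Limit Indexes
    Require all granted
</Directory>

# 2. Refuse to serve the script sources themselves, everywhere; a customer
#    cannot lift this because FilesMatch overrides need AllowOverride FileInfo.
<FilesMatch "\.(cgi|pl|py)$">
    Require all denied
</FilesMatch>

# 3. Deny dot-files explicitly (.htaccess, .git, .env) rather than relying
#    on the distribution's default pattern.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# 4. Per-customer virtual host; run PHP through php-fpm or suexec so each
#    site executes as its own Unix user rather than as the httpd user.
<VirtualHost *:80>
    ServerName customer1.example
    DocumentRoot "/var/www/customer1/public_html"
    ErrorLog  /var/log/httpd/customer1-error.log
    CustomLog /var/log/httpd/customer1-access.log combined
</VirtualHost>
```

The PHP side lives in php.ini rather than httpd.conf: `open_basedir` per vhost (or per pool with php-fpm) keeps scripts inside the customer's tree, `disable_functions = exec,passthru,shell_exec,system,proc_open,popen` removes the shell-out primitives, and `allow_url_fopen = Off` covers the fopen-over-HTTP case mentioned above. After editing, `apachectl configtest` and a request for any `.pl` file under a customer directory (expected: 403) confirm the two halves are in effect.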
