Apache

http://httpd.apache.org/download.cgi WebDev? ModSecurity?

tar zxvf httpd-2.0.52.tar.gz
cd httpd-2.0.52
./configure --prefix=/usr/local/apache2 --enable-ssl --enable-so
--enable-auth_digest --enable-deflate
--enable-dav=yes --with-berkeley-db=/usr/local/BerkeleyDB.4.3
--enable-proxy --enable-rewrite --enable-unique-id
--with-ldap --enable-ldap --enable-auth-ldap --with-included-apr
--with-ldap --enable-ldap --enable-authnz-ldap --with-included-apr
--enable-module=all --enable-mods-shared=all
make
make install
Undefined symbols:
 "_apr_socket_sendfile", referenced from:
     _sendfile_it_all in libmain.a(core_filters.o)    

ldd /usr/local/apache2/bin/httpd

http://forums.devside.net/viewtopic.php?t=123

groupadd httpd
useradd httpd -g httpd -d /dev/null -s /sbin/nologin

http://apr.apache.org/download.cgi

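# Build and install APR, then APR-util against it.
# The tarballs are fetched over plain HTTP from a mirror and "make install"
# normally runs as root, so check each archive against the PGP signature or
# checksum published on apr.apache.org before unpacking it.
wget http://ftp.kddilabs.jp/infosystems/apache/apr/apr-1.2.12.tar.gz
wget http://ftp.kddilabs.jp/infosystems/apache/apr/apr-util-1.2.12.tar.gz
tar xzvf apr-1.2.12.tar.gz
tar xzvf apr-util-1.2.12.tar.gz
cd apr-1.2.12
./configure
make
# Was "make instal", which fails and leaves APR uninstalled, so the
# apr-util configure step below could not find it.
make install
cd ../apr-util-1.2.12
# /usr/local/apr is where APR installs when ./configure is given no --prefix.
./configure --with-apr=/usr/local/apr
make
make install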

2.2

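# Control the server; run from the bin directory under the install prefix.
./apachectl start
# Was "./apacehctl stop" (typo): that command does not exist, so the
# server would have kept running.
./apachectl stop
./apachectl restart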

http://www.sixapart.jp/movabletype/developers/naoya/archives/2004/10/apache_20_mod_p.html

# Map the URL path /test onto a directory outside DocumentRoot.
Alias /test /usr/local/test
<Directory /usr/local/test>
 # "All" enables every option except MultiViews, which is why MultiViews is
 # listed separately. That includes ExecCGI, Includes, Indexes and
 # FollowSymLinks, so anything placed under this tree can run as CGI or SSI
 # and directory listings are on. For anything other than a test area,
 # enable only the options the content needs.
 Options All MultiViews
 # Lets any .htaccess file under this tree override every directive class,
 # including Options and authentication. Whoever can write files here can
 # therefore change the access rules.
 AllowOverride All
</Directory>

Options +ExecCGI +MultiViews

<Directory /usr/local/test> 





</Directory> 





SSLRequireSSL 

mod_rewrite

RewriteEngine on
RewriteBase /hoge/
RewriteRule ^(.*)$ /hogehoge/$1 [R=301,L]
RewriteEngine on
RewriteRule /hoge$ /hogehoge/index.html [R=301,L]

http://tech.bayashi.net/svr/doc/apache/mod_rewrite.html
http://japache.infoscience.co.jp/rewriteguide/

mod_deflate


mod_authnz_ldap

# Subversion over WebDAV, with users authenticated against LDAP.
<Location /svn>
 DAV svn
 SVNParentPath /usr/local/svn-rep
 # Basic authentication sends the LDAP password merely base64-encoded on
 # every request. Serve this location over TLS only (for example with
 # SSLRequireSSL) so directory credentials are not exposed on the wire.
 AuthType Basic
 AuthName test
 AuthBasicProvider     ldap
 # off: if mod_authnz_ldap cannot authorize the user, other authorization
 # modules are allowed to try instead of the request being refused here.
 AuthzLDAPAuthoritative        off
 # Users are looked up by uid under ou=sales. No bind DN is configured in
 # this block, so the search is presumably anonymous; confirm that the
 # directory permits this. The ldap:// hop is unencrypted, which is
 # acceptable only while the directory stays on localhost.
 AuthLDAPURL   ldap://localhost/ou=sales,o=example,c=jp?uid
 # Any user who authenticates gets both read and write access to every
 # repository under SVNParentPath. No per-repository authorization is set.
 require valid-user
</Location>

AuthType Basic
AuthLDAPUrl ldap://localhost/ou=People,dc=my-domain,dc=com?uid
AuthName test
require valid-user


mod_authnz_ldap

ScriptAlias /cgi-bin/ /webroot/cgi-bin/
SetHandler cgi-script or AddHandler cgi-script .cgi .pl
Options +ExecCGI

AddHandler?

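#!/usr/bin/perl
# Minimal mail test: pipes one fixed message to the local sendmail binary.
# "sendmail -t" takes the recipients from the To: header written below.
use strict;
use warnings;

my $sendmail = '/usr/sbin/sendmail';
my $from = 'from@hoge.jp';
my $to = 'to@hoge.jp';
my $subject = 'test';
my $msg = <<"_DATA_";
message
_DATA_

# sendmail
# List-form pipe open executes the binary directly with its arguments and
# never passes a command string through /bin/sh, so nothing in $sendmail can
# be interpreted as shell syntax. A lexical handle replaces the global
# bareword SDML.
open(my $sdml, '|-', $sendmail, '-t', '-i') or die 'sendmail error';

# mailhead
# All header values are constants here. If they are ever filled from request
# parameters, reject or strip CR and LF first: a newline inside $to, $from or
# $subject would let the submitter add headers and recipients of their own.
print {$sdml} "From: $from\n";
print {$sdml} "To: $to\n";
print {$sdml} "Subject: $subject\n";
print {$sdml} "Content-Transfer-Encoding: 7bit\n";
print {$sdml} "Content-Type: text/plain;\n\n";

# mail
print {$sdml} "$msg";

# end
# close() on a pipe waits for sendmail and reports its exit status, so a
# rejected message no longer goes unnoticed.
close($sdml) or die 'sendmail error';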

FastCGI

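# Build and install the FastCGI development kit (libfcgi).
# The archive comes over plain HTTP and "make install" normally runs as root,
# so verify it against a checksum or signature from the project before
# unpacking.
wget http://www.fastcgi.com/dist/fcgi.tar.gz
# wget saves the file under the name in the URL (fcgi.tar.gz), so extracting
# "fcgi-2.4.0.tar.gz" as originally written would fail unless that file was
# downloaded separately. The archive unpacks into fcgi-2.4.0/.
tar xzvf fcgi.tar.gz
cd fcgi-2.4.0
./configure
make
make install
# Refresh the dynamic linker cache so the newly installed library is found.
ldconfig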
wget http://www.fastcgi.com/dist/mod_fastcgi-2.4.2.tar.gz
tar xzvf mod_fastcgi-2.4.2.tar.gz
cd mod_fastcgi-2.4.2
For information on installing mod_fastcgi with Apache 2.x, see the file INSTALL.AP2.
cp Makefile.AP2 Makefile
make
make install
LoadModule fastcgi_module modules/mod_fastcgi.so
<IfModule mod_fastcgi.c>
   FastCgiIpcDir /tmp/fcgi_ipc/
   AddHandler fastcgi-script .fcgi
</IfModule>
FastCGI: access for server (uid -1, gid -1) failed: read not allowed
FastCGI: can't create dynamic directory "/tmp/fcgi_ipc/dynamic": access for server (uid -1, gid -1) failed: read not allowed
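# Hand the FastCGI IPC directory to the account Apache runs as (User/Group
# httpd in httpd.conf). Run from the directory that contains fcgi_ipc.
chown -R httpd:httpd fcgi_ipc
# Owner-only access instead of 777. mod_fastcgi keeps its application sockets
# here, and a world-writable directory would let any local account connect
# to them or replace them. The server only needs rwx for its own user.
# NOTE(review): if FastCGI applications run under other accounts (suexec /
# FastCgiWrapper), grant access through a shared group rather than "other".
# Also consider moving FastCgiIpcDir out of /tmp, where any local user can
# create the directory before the server does.
chmod -R 700 fcgi_ipc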
<IfModule mod_fastcgi.c>
   FastCgiIpcDir /tmp/fcgi_ipc/
   AddHandler fastcgi-script .fcgi
</IfModule>
User httpd
Group httpd

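#CustomLog /usr/local/apache/logs/access_log common
# NOTE: the nolog variable set below only takes effect on a CustomLog line
# that carries env=!nolog; this line logs every request.
CustomLog /usr/local/apache/logs/access_log combined
# Do not log requests for static assets. The alternation is grouped so that
# the leading "\." and the trailing "$" apply to every extension. As
# originally written, "\.(gif)|(jpg)|(png)|(css)$" also matched any path that
# merely contained "jpg" or "png", and such requests would have been silently
# dropped from the access log.
SetEnvIf Request_URI "\.(gif|jpg|png|css)$" nolog

# Do not log requests from the local 192.168.100.0/24 network. Anchored, and
# with the dots escaped, so only addresses that begin with this prefix match.
SetEnvIf Remote_Addr "^192\.168\.100\." nolog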

SetEnvIf Request_URI "^/_mem_bin/" worm nolog
SetEnvIf Request_URI "^/_vti_bin/" worm nolog
SetEnvIf Request_URI "^/c/" worm nolog
SetEnvIf Request_URI "^/d/" worm nolog
SetEnvIf Request_URI "^/msadc/" worm nolog
SetEnvIf Request_URI "^/MSADC/" worm nolog
SetEnvIf Request_URI "^/scripts/" worm nolog
SetEnvIf Request_URI "^/default.ida" worm nolog
SetEnvIf Request_URI "root\.exe" worm nolog
SetEnvIf Request_URI "cmd\.exe" worm nolog
SetEnvIf Request_URI "NULL\.IDA" worm nolog
CustomLog logs/access_log combined env=!nolog
CustomLog logs/worm_log combined env=worm
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

#AddDefaultCharset ISO-8859-1
AddDefaultCharset none
LanguagePriority?

AddDefaultCharset Off

LanguagePriority?

#AddDefaultCharset ISO-8859-1
<meta http-equiv="Content-Type" content="text/html; charset=shift_jis">

http://web-sniffer.net/

http://httpd.apache.org/docs-2.0/mod/core.html#adddefaultcharset

VirtualHost?

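# Two name-based virtual hosts sharing port 80; the Host header selects one.
NameVirtualHost *:80
<VirtualHost *:80>
   ServerName www.j2se.org
   ServerAlias j2se.org
   DocumentRoot H:\webroot1
   <Directory "H:\webroot1">
       # AllowOverride All lets .htaccess files in the site change any
       # setting; narrow it if the content is not fully trusted.
       AllowOverride All
       Order allow,deny
       Allow from all
   </Directory>
   # The logs below are written inside DocumentRoot, so without this section
   # they would be downloadable at /logs/ (client addresses, referers, full
   # request lines). Moving the log directory out of the web root is the
   # cleaner fix; this block closes the exposure while keeping the paths.
   <Directory "H:\webroot1\logs">
       AllowOverride None
       Order deny,allow
       Deny from all
   </Directory>
   CustomLog "H:\webroot1\logs\access.log" combined
   ErrorLog "H:\webroot1\logs\error.log"
</VirtualHost>
<VirtualHost *:80>
   ServerName www.hidekazu.info
   ServerAlias hidekazu.info
   DocumentRoot H:\webroot2
   <Directory "H:\webroot2">
       AllowOverride All
       Order allow,deny
       Allow from all
   </Directory>
   # Same as for the first host: keep the in-webroot logs from being served.
   <Directory "H:\webroot2\logs">
       AllowOverride None
       Order deny,allow
       Deny from all
   </Directory>
   CustomLog "H:\webroot2\logs\access.log" combined
   ErrorLog "H:\webroot2\logs\error.log"
</VirtualHost>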

VirtualHost?

<host name="hidekazu.dhs1.sst.ne.jp" ....
[uri:hidekazu.dhs1.sst.ne.jp/home/*]

ServerAlias? VirtualHost?

mkdir vhosts

VirtualHost? VirtualHost?

Include vhosts/*.conf
httpd -t -D DUMP_VHOSTS

SSL

http://www.openssl.org/source/

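# Extra seed material for -rand: MD5 hashes of the files in the current
# directory. This only supplements OpenSSL's own entropy sources and adds
# little unpredictability by itself.
openssl md5 * > rand.dat
# Generate the server's RSA private key.
#  - 2048 bits instead of 1024: 1024-bit RSA is no longer considered adequate
#    for a TLS server key.
#  - umask 077 in a subshell, so server.key is created readable by its owner
#    only and the calling shell's umask is left unchanged.
#  - -des3 keeps the key passphrase-encrypted on disk (Apache will prompt for
#    the passphrase at startup).
(umask 077 && openssl genrsa -rand rand.dat -des3 2048 > server.key)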

SSL

openssl req -new -x509 -days 365 -key ssl.key/server.key -out myserver.crt


State or Province Name   (full name)     [Berkshire]:Osaka
Locality Name            (eg, city)      [Newbury]:Osaka-shi
Organization Name        (eg, company)   [My Company Ltd]:Kaisya Co.
Organizational Unit Name (eg, section)   []:IT
Common Name              (eg, your name or your server's hostname)[]:test.com
Email Address            []:test@test.com

http://ash.jp/sec/openssl_ca.htm
http://www.stackasterisk.jp/tech/systemConstruction/apache09_01.jsp
http://www.atmarkit.co.jp/flinux/rensai/linuxtips/702apachessl.html http://www.atmarkit.co.jp/fnetwork/rensai/pki03/pki01.html
http://www.atmarkit.co.jp/flinux/rensai/apache12/apache12a.html
http://www.atmarkit.co.jp/fnetwork/rensai/pki01/pki01.html
http://www.bitlink.co.jp/server/httpd_conf.htm

SSL

FireFox?

Method Not Allowed
[error] SSL Re-negotiation in conjunction with POST method not supported! hint: try SSLOptions +OptRenegotiate

OptRenegotiate? http://issues.apache.org/bugzilla/show_bug.cgi?id=12355 http://framework.g.hatena.ne.jp/tukiichi/comment?date=20070214

deny from .hoge.com .hoge2.com

AllowOverride?

SSI

Options +IncludesNoExec
AddType text/html .shtml
AddHandler server-parsed .shtml
<!--#include file="test2.htm"-->

IncludesNoExec?

http://www.topology.org/src/bwshare/README.html


ab

ab -n 100 -c 10 -w http://localhost/index.html > kekka.html

http://www.atmarkit.co.jp/flinux/rensai/apache15/apache15b.html

ServerSignature Off

http://www.ne.jp/asahi/tokyo/shin/linux/apache/apache01.html

ServerTokens Prod

MyMod? http://httpd.apache.org/docs/2.2/ja/mod/core.html#servertokens

mod_security

http://hp.vector.co.jp/authors/VA027424/mod_security/v_1_9_stable_ja_.html http://www.modsecurity.org/download/index.html

wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz
tar xzvf modsecurity-1.8.7.tar.gz
cd modsecurity-1.8.7

cd apache2
/usr/local/apache2/bin/apxs -cia mod_security.c
LoadModule security_module    modules/mod_security.so

http://xmlsoft.org/

ftp://xmlsoft.org/libxml2/libxml2-2.6.28.tar.gz
tar xzvf libxml2-2.6.28.tar.gz
cd libxml2-2.6.28
./configure --with-zlib --with-html --with-xpath --with-xptr --with-xinclude
make
make install
wget http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz
tar xzvf modsecurity-apache_2.1.1.tar.gz
#top_dir      = /apps/apache22
top_dir      = /usr/local/apache2
INCLUDES=-I/usr/include/libxml2
make
make install
LoadModule security2_module modules/mod_security2.so
Cannot load /usr/local/apache2/modules/mod_security2.so into server: /usr/local/apache2/modules/mod_security2.so: undefined symbol: xmlFree
LoadFile /usr/lib/libxml2.so

http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.tar.gz

mkdir /usr/local/apache2/conf/modsec
cd /usr/local/apache2/conf/modsec
tar xzvf modsecurity-core-rules_2.1-1.4.tar.gz
<IfModule security2_module>
  Include conf/modsec/*.conf
</IfModule>

http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf

<IfModule mod_security.c>




# script tag 
 SecFilter "<[[:space:]]*script.*>"
 SecFilter "<[[:space:]]*style.*>"
 SecFilter "<[[:space:]]*link.*>"
 SecFilter "<[[:space:]]*body[[:space:]]*>"
# suspected protocol



# call script


# event












#



</IfModule>

http://www.modsecurity.org/download/modsecurity-rules-current.tar.gz

apache2/conf/modsec/
Include conf/modsec/*.conf
modsec_audit.log
SecFilterSignatureAction "log,pass,msg:'Command execution attack'"

http://www.gotroot.com/tiki-index.php?page=mod_security+rules
http://www.atmarkit.co.jp/fsecurity/rensai/webhole11/webhole01.html
http://www.atmarkit.co.jp/fsecurity/rensai/webhole12/webhole02.html
http://www.softek.co.jp/Sec/mod_security3.html
http://hp.vector.co.jp/authors/VA027424/mod_security/mod_security_manual_v_1_8_4_ja_.html#40

http://www.zdziarski.com/projects/mod_evasive/

wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar xzvf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/local/apache2/bin/apxs -i -a -c mod_evasive20.c
LoadModule evasive20_module   modules/mod_evasive20.so
<IfModule mod_evasive20.c>
   DOSHashTableSize    3097
   DOSPageCount        2
   DOSSiteCount        50
   DOSPageInterval     1
   DOSSiteInterval     1
   DOSBlockingPeriod   10
</IfModule>
Optionally you can also add the following directives:
   DOSEmailNotify      you@yourdomain.com
   DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
   DOSLogDir           "/var/lock/mod_evasive"

PageInterval? SiteInterval? BlockingPeriod? http://d.hatena.ne.jp/stanaka/20070204/1170553603
http://itpro.nikkeibp.co.jp/article/COLUMN/20070510/270527/

libwww-perl

SetEnvIf User-Agent "^libwww" deny_ua
Order allow,deny
Allow from all
Deny from env=deny_ua
SetEnvIf User-Agent "^LWP::Simple" deny_ua


User-agent: *
Disallow: /secret/



TIPS

httpd -l
httpd -M

ServerName?

IndexIgnore? *.hoge

File 'NONEXISTENT/charsets/?.conf' not found

http://www.hamusuta.net/mame/viewkizione.php?kizino=04022940416e4111521

PidFile logs/httpd.pid
apachectl graceful

http://www.itmedia.co.jp/help/tips/linux/l0397.html

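# Restrict access to the 192.168.1.x network.
# The original wrapped these directives in <Limit GET POST>, which applies
# them to GET (and HEAD) and POST only. Any other method, such as PUT,
# DELETE or OPTIONS, was left completely unrestricted. Without the wrapper
# the rule covers every method.
order deny,allow
deny from all
allow from 192.168.1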
cd httpd-2.0.54
mkdir work
cp -ip modules/mappers/mod_rewrite.c work/
cp -ip modules/mappers/mod_rewrite.h work/
cd work
/usr/local/apache2/bin/apxs -c mod_rewrite.c
/usr/local/apache2/bin/apxs -i -a -n rewrite mod_rewrite.la

mod_proxy

cd httpd-2.0.54
mkdir work
cp -ip modules//proxy/mod_proxy.c work/
cp -ip modules//proxy/mod_proxy.h work/
cd work
/usr/local/apache2/bin/apxs -c mod_proxy.c
/usr/local/apache2/bin/apxs -i -a -n proxy mod_proxy.la
[warn] proxy: No protocol handler was valid for the URL /hoge. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
/usr/local/apache2/bin/apxs -cia mod_proxy.c proxy_util.c
/usr/local/apache2/bin/apxs -cia proxy_connect.c
/usr/local/apache2/bin/apxs -cia proxy_http.c


AddType application/xml .rdf
AddType text/xml;charset=UTF-8 .rdf

http://httpd.apache.org/




Studying HTTP




:web

