Mostly about my amusement


Why not use SSL and be done with it?

On the Internet there has been talk about Google and SSL based web sites. Apparently you may get a small boost if you switch to https. I myself doubt that (I’m jaded that way) and the additional SSL math will slow down busy sites a little. But I don’t get enough traffic to care really and I do like to play. This seems easy enough to do.

I Like Server Based Solutions and I Cannot Lie

I use WordPress multisite and on my web server I have a valid SSL certificate installed. I’m already using Apache’s mod_substitute to modify https://blog.dembowski.net/ to https: before it gets sent to the browser for my SSL site.

Why not switch to SSL and be done with it? I could have used a tool to change all the WordPress database references to https, but I’m running multisite and wanted to be a little more site specific, so I added this to my .htaccess file above the WordPress part but below the “Get Lost, I don’t like you” part.


<IfModule mod_rewrite.c>
# Send plain-HTTP (port 80) requests for this one host to the https:// version
RewriteEngine on
RewriteCond %{HTTP_HOST} blog.dembowski.net [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://blog.dembowski.net/$1 [R=301,L]
</IfModule>

So far it hasn’t broken anything and it is limited to this one site, not the others. I’ll keep an eye on it but there’s no reason for me not to leave it that way. I like server based solutions, but for other people an HTTPS plugin may be an easier way to go.

The only downside is that I will need to maintain my SSL certificate but I plan to do that anyway.

So this means I wear a tin foil hat?

Not really but it does mean in most cases people visiting my site will get the traffic encrypted between my site and their browsers.

*Adjusts Tin Foil Hat™ and skips conversation about SSL transactions and man in the middle interception*

It’s more a concern that someone will have some key logger or other hack installed on their machine.

Sniffing unencrypted data on the Internet is easy. Doing so for encrypted SSL traffic is more difficult. It would require the Bad Guy or Spook to have the server’s private key that goes with the certificate issued by the certificate authority, or to exploit a server bug and harvest that private key from the web server. That would never happen, right…?

If you’re interested in how it all works then start with this Wikipedia article on TLS. This Digicert article is good too and may be easier reading. In the meanwhile anyone coming to my site will get redirected to the SSL based version.

Opensuse and apache vhosts

This happens often. I do something on my servers and six months later I try to rebuild from scratch what I did and wish I had written it down. This is one of those blog posts.

I reviewed my Apache error logs and noticed that WordPress was tossing fatal PHP errors. I was pretty sure it was a particular plugin but I had made so many changes to Apache and PHP5 and I thought it would be easier to remove and re-install Apache and PHP5. So I switched my blog to my backup VPS, updated DNS and took apart my server.

That turned out to be a little painful and more work looking up how to set it up.

Removing the packages was simple. I just ran rpm -qa | egrep "php5|apache" to get the list of packages and wrote a small shell script to remove them. But I had forgotten how I had set up the virtual servers for more than one website. I wanted to avoid using the old config because I was sure I had made mistakes.

I had set up the main server dixie.dembowski.net and that worked. My MRTG and Cricket scripts were displaying correctly. Getting additional virtual hosts turned out to be easy.

In the /etc/apache2/vhosts.d directory is a file called vhost.template. I copied that file, called it blog.dembowski.net.conf, edited the copy and changed every dummy-host.example.com to the fully qualified name of my server. In vi that’s just :%s/dummy-host.example.com/blog.dembowski.net/g and all the dummy names were changed.

I removed the cgi portion and added some additional Directory, AllowOverride, and Options statements. I set -Indexes and made other changes so that the rewrite rules for WordPress will work.

I saved that file in /etc/apache2/vhosts.d and that permitted my blog virtual server to work. But it caused my existing server dixie.dembowski.net to stop working. That was simple to fix: I created a file in /etc/apache2/vhosts.d called _dixie.dembowski.net.conf. The underscore character ensures that this file will be read first, and the first virtual server becomes the default.

This file was very short and contained only these lines:

# Read first because of the leading underscore in the file name, so this becomes the default vhost
NameVirtualHost *:80
<VirtualHost *:80>
ServerName dixie.dembowski.net
DocumentRoot /srv/www/htdocs
</VirtualHost>

This let the web server at /srv/www/htdocs work as it had before I made the virtuals.

I restarted Apache and all was well. I did the same thing for my one SSL host in Apache. Unlike clear text http, the SSL based https can’t do multiple SSL sites on one IP address/TCP port. I could run one on 443 and another on a different port, but I don’t bother as I only need one SSL based site.

As long as a DNS entry exists to point that name to your IP address, you can have multiple web sites served from one IP address.

Internet! You kids get off the lawn!

I have a few blog entries about Gundam episodes and Gunpla and I often put up graphics either of the model I’m assembling or image from the anime I am watching.

This is the Internet and I don’t mind people copying the images onto their website. I mean, why would I? Some of the images aren’t mine, like the Ubuntu logo. If I get an e-mail from Sunrise about a Gundam 00 image, I’d be shocked and flattered.

But I do not like hotlinking and had been blacklisting new URLs on a regular basis. Hotlinking is when some individual on the Internet decides he likes something on my website, so he loads it directly from my server onto his page.

Myspace users do that a lot.

So rather than continue looking at my logs and zapping offenders one at a time, I finally put in the following into my .htaccess file:

RewriteEngine on
# Requests with no Referer at all are allowed (direct loads, and browsers or proxies that strip it)
RewriteCond %{HTTP_REFERER} !^$
# My own hosts and the search engines I like are allowed
RewriteCond %{HTTP_REFERER} !^http://blog\.dembowski\.net/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.dembowski\.net/ [NC]
RewriteCond %{HTTP_REFERER} !^http://.*\.google\..*/ [NC]
RewriteCond %{HTTP_REFERER} !^http://.*\.yahoo\..*/ [NC]
RewriteCond %{HTTP_REFERER} !^http://.*\.msn\..*/ [NC]
# Everyone else asking for an image gets a 403
RewriteRule .*\.(gif|jpg|jpeg|png)$ - [F,NC]

This lets search engines that I like get copies of the images (I run a web server on the Internet, I want people to find me). The !^$ condition lets the web server serve images when there is no referer at all.

If you try to load an image onto your website from my web server and you are not on the approved list, then the image will not load. I thought about putting in a “Don’t hotlink you loser” image but why bother? I just want hotlinking to my website to stop.
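The decision the RewriteCond/RewriteRule chain above makes, re-implemented as an added Python example that is not part of the original post. It shows which requests would get a 403 and why the dots in the patterns need escaping: a bare `.` matches any character, so a pattern like `^http://.*.google..*/` also accepts hosts such as `evilgoogle.example`. The patterns are escaped versions of the post’s rules; the sample requests and the `evilgoogle.example` referer are constructed. Keep in mind the Referer header is supplied by the client and can be omitted or forged, so this is a bandwidth nuisance control rather than access control.

```python
import re

# Escaped versions of the post's referer allow-list (constructed for this example).
ALLOWED_REFERER_PATTERNS = [
    r"^http://blog\.dembowski\.net/",
    r"^http://www\.dembowski\.net/",
    r"^http://.*\.google\..*/",
    r"^http://.*\.yahoo\..*/",
    r"^http://.*\.msn\..*/",
]
# The RewriteRule pattern: only image requests are affected.
PROTECTED_IMAGE = re.compile(r".*\.(gif|jpg|jpeg|png)$", re.IGNORECASE)

# The same condition with its backslashes lost, next to the intended one.
LOOSE_GOOGLE = r"^http://.*.google..*/"
STRICT_GOOGLE = r"^http://.*\.google\..*/"


def matches(pattern, referer):
    """Anchored, case-insensitive match, like a RewriteCond with the [NC] flag."""
    return re.match(pattern, referer, re.IGNORECASE) is not None


def is_hotlink_blocked(path, referer):
    """True when the post's rule chain would answer 403.

    mod_rewrite ANDs consecutive RewriteConds, so the rule fires only if the
    referer is non-empty, matches none of the allowed patterns, and the
    requested path is an image.
    """
    if not PROTECTED_IMAGE.match(path):
        return False  # RewriteRule pattern does not match: not an image
    if referer == "":
        return False  # first RewriteCond (!^$) fails: direct loads are served
    if any(matches(p, referer) for p in ALLOWED_REFERER_PATTERNS):
        return False  # one of the negated conditions fails: allowed referer
    return True


# Constructed sample requests: (path, Referer header).
SAMPLES = [
    ("/images/gundam.jpg", ""),                                    # no referer: served
    ("/images/gundam.jpg", "http://blog.dembowski.net/2007/07/"),  # own site: served
    ("/images/gundam.jpg", "http://images.google.com/imgres"),     # search engine: served
    ("/images/gundam.jpg", "http://www.myspace.com/someone"),      # hotlink: 403
    ("/about/", "http://www.myspace.com/someone"),                 # not an image: served
]

if __name__ == "__main__":
    for path, referer in SAMPLES:
        verdict = "403" if is_hotlink_blocked(path, referer) else "served"
        print(f"{path:22} referer={referer or '(none)':42} -> {verdict}")
    print("loose pattern accepts evilgoogle.example: ", matches(LOOSE_GOOGLE, "http://evilgoogle.example/"))
    print("strict pattern accepts evilgoogle.example:", matches(STRICT_GOOGLE, "http://evilgoogle.example/"))
```

Running the script prints one verdict per sample request and then the two pattern checks; the loose pattern reports True and the strict one False for the constructed `evilgoogle.example` host.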

.htaccess to prevent wp-pass.php redirects

I was checking out my server logs (gripping reading, could not put it down) when I saw these two entries:

208.78.98.108 - - [09/Jul/2007:20:28:07 -0400] "GET /wp-pass.php?_wp_http_referer=http://topnlpsites.com/images/gif/echo.txt? HTTP/1.1" 403 860 "-" "libwww-perl/5.803"
81.169.188.151 - - [09/Jul/2007:20:54:39 -0400] "GET /wp-pass.php?_wp_http_referer=http://doublezer0.free.fr/echo.txt? HTTP/1.1" 403 1032 "-" "libwww-perl/5.69"

File wp-pass.php? Where’d that come from?

See the BUGTRAQ explanation here. By passing arguments to wp-pass.php, the wp-pass.php file will send the requesting browser to the URL that _wp_http_referer points to. With a simple script the WordPress installation is easily verified as susceptible.

The bad guy sends out SPAM or a bogus link that points to a WordPress installation, and that WordPress blog redirects the request to wherever the attacker wants. This is not earth shattering but really annoying.

Luckily Apache’s .htaccess is our friend. In my blog root at the end of my .htaccess file I added the following two lines:

# Refuse any request for wp-pass.php (RewriteEngine is already on in the WordPress block above)
RewriteCond %{REQUEST_URI} ".*wp-pass\.php"
RewriteRule .* - [F]

I do not have any password protected posts so I don’t use that file (which is all I gather it is for…), and after implementing this my blog continues to work fine. Any request that matches that rewrite condition gets a return value of 403: Forbidden.

This is to be fixed in WordPress 2.2.2, says the posting. The BUGTRAQ posting also mentions that wp-includes/pluggable.php and wp-includes/functions.php may be vulnerable due to the use of problematic code.

Moving WordPress

This blog was running on Stefan’s DSL connection and with me tinkering with it I was using up his bandwidth. Usually when he was trying to connect to the office and get some work done.

I have a very good connection to the Internet via Optimum Online. It’s a dynamically assigned address but it does not change, and even if it does, I run a dynamic DNS client that tells my DNS server when I’ve moved. So I decided that I would move the blog and change the whole URL. Easy, right?

  1. I wanted to create the virtual host blog.dembowski.net on my basement web server dixie.dembowski.net while maintaining both virtual hosts. Oh yeah and use only one IP address.
  2. I wanted to change the host name and the web page URL from http://www.dembowski.net/wordpress/ to http://blog.dembowski.net/.

Setting up the virtual server

I added to my DNS zone dembowski.net a new record for blog.dembowski.net:

blog.dembowski.net. 3600 IN CNAME dixie.dembowski.net.

A while back I switched my server’s Linux distribution from Fedora to SuSE. One of the appeals was that SuSE comes with a reasonable configuration tool called yast.

Yast has a section for creating virtual hosts in Apache, and I thought how hard can this be?

After killing lots of time and totally breaking the web server configuration I ended up removing the Apache packages, deleting /etc/apache2 directory and /etc/sysconfig/apache2 file (options and configs remain even if you remove the software packages).

# rpm -e apache2-mod_php5 apache2-prefork apache2
# rm -rf /etc/apache2 /etc/sysconfig/apache2

I used yast to re-install the same packages, ran the online update, configured apache and got back a basic no frills web server running.

Most Linux distributions have put a conf.d directory in Apache’s configuration directory. It works like this: any file with the extension .conf gets included in the configuration. I knew about this but figured using yast would be easier.

So much for that idea. I went into yast one last time to enable the apache modules php5 and rewrite. Enabling mod_rewrite is not enough; you also need to turn on the FollowSymLinks option or it just does not work.

The configuration file I created in /etc/apache2/conf.d contains the following lines:

NameVirtualHost *

<VirtualHost *>
ServerName dixie.dembowski.net
DocumentRoot /srv/www/htdocs
ServerAdmin webmaster@dembowski.net
ErrorLog /var/log/apache2/dixie.dembowski.net-error_log
CustomLog /var/log/apache2/dixie.dembowski.net-access_log combined
</VirtualHost>

<VirtualHost *>
ServerName blog.dembowski.net
DocumentRoot /srv/www/htdocs/wordpress
ServerAdmin webmaster@dembowski.net
RewriteEngine On
<Directory /srv/www/htdocs/wordpress>
Options +FollowSymLinks
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/blog.dembowski.net-error_log
CustomLog /var/log/apache2/blog.dembowski.net-access_log combined
</VirtualHost>

Not too complicated really. Now when I point my web browser to either host name I get two different web pages.
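How Apache picks between the two hosts above, and why the first VirtualHost in the file is the default (the point the openSUSE post makes with its underscore-prefixed file name), modelled as an added Python example that is not from the original post. It parses the configuration just shown, selects a vhost for a given Host header the way name-based hosting on a single address does, and falls back to the first block when the name is unknown, is a bare IP address, or the header is missing. The parser also understands ServerAlias, which the post’s config does not use; the `203.0.113.5` address used as an unknown Host value is constructed.

```python
import re

# The two-host configuration from the post, used here as the parser's input.
SAMPLE_CONFIG = """
NameVirtualHost *

<VirtualHost *>
ServerName dixie.dembowski.net
DocumentRoot /srv/www/htdocs
ServerAdmin webmaster@dembowski.net
ErrorLog /var/log/apache2/dixie.dembowski.net-error_log
CustomLog /var/log/apache2/dixie.dembowski.net-access_log combined
</VirtualHost>

<VirtualHost *>
ServerName blog.dembowski.net
DocumentRoot /srv/www/htdocs/wordpress
ServerAdmin webmaster@dembowski.net
RewriteEngine On
<Directory /srv/www/htdocs/wordpress>
Options +FollowSymLinks
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/blog.dembowski.net-error_log
CustomLog /var/log/apache2/blog.dembowski.net-access_log combined
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.IGNORECASE | re.DOTALL)


def _directive(body, name):
    """First value of a directive inside a VirtualHost body, or None if absent."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", body, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def parse_vhosts(config_text):
    """Return the VirtualHost blocks in file order, the order Apache consults them in."""
    vhosts = []
    for m in VHOST_RE.finditer(config_text):
        body = m.group(2)
        aliases = _directive(body, "ServerAlias")  # absent in the post's config, handled anyway
        vhosts.append({
            "address": m.group(1).strip(),
            "server_name": _directive(body, "ServerName"),
            "aliases": aliases.split() if aliases else [],
            "document_root": _directive(body, "DocumentRoot"),
        })
    return vhosts


def select_vhost(vhosts, host_header):
    """Pick the vhost served for a Host header (name-based hosting on one address).

    Names are compared case-insensitively and without any :port suffix. When
    nothing matches (unknown name, bare IP address, or no Host header at all)
    the FIRST vhost in the file is used. That is the behaviour the post works
    around by giving the default host's file a leading underscore so it sorts
    first: whatever sorts first answers every request for a name you did not
    configure.
    """
    if not vhosts:
        return None
    wanted = (host_header or "").split(":")[0].lower()
    for vh in vhosts:
        names = [vh["server_name"], *vh["aliases"]]
        if wanted and any(n and n.lower() == wanted for n in names):
            return vh
    return vhosts[0]


if __name__ == "__main__":
    hosts = parse_vhosts(SAMPLE_CONFIG)
    for header in ["blog.dembowski.net", "BLOG.dembowski.net:80", "dixie.dembowski.net", "203.0.113.5", None]:
        print(f"Host: {header!s:24} -> {select_vhost(hosts, header)['document_root']}")
```

Reversing the order of the two blocks moves the default to the WordPress host, which is exactly the breakage the openSUSE post describes when the blog’s file sorted before the main server’s.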

Preparing WordPress

First off read this whole article, and seriously this part. The WordPress documentation is really good and helped a lot. Normally you would want to do one or the other; being a “challenging” person I was determined to do both.

I did NOT read the documentation. There is a step where you need to tell WordPress the URI for referencing itself. The documentation says Update Options -> Logout -> “Do not try to open/view your blog now!” They are not kidding around: WordPress sends you to the web page it thinks it is running on, not the host it is actually running on.

Restoring the web server files and directory onto the new box was not a problem. And the mysql backup was edited with vi and I changed all of the references from http://www.dembowski.net/wordpress/ to http://blog.dembowski.net/. I had to have missed one because every time I went to the web page http://blog.dembowski.net/ I was sent to the old server whenever I clicked on anything including the admin web pages.

There probably is a better way to do this but I eventually just put into my workstation’s hosts file the IP address of the new box and claimed it was www.dembowski.net. Just to play it safe I shut down the old web server, logged into the new box and fixed all of the options with the new info. Once I was all done I removed the bogus entry in my hosts file.

WordPress’s PHP scripts on my box kept running out of memory and crashed. I edited the file /etc/php5/apache2/php.ini and changed the memory_limit from 8M to 1632M. That seems to have taken care of it.

All that was left to do was make sure that anyone going to the old web page gets sent to the new one. On the old server I changed the .htaccess file in the wordpress directory to read:

RewriteEngine On
# This .htaccess lives in /wordpress/, so the per-directory pattern sees the path without that prefix
RewriteRule ^(.*)$ http://blog.dembowski.net/$1 [R,L]

Apache’s mod_rewrite rocks. This took any web requests for http://www.dembowski.net/wordpress/anything and redirected the web browser to go to the new URL with http://blog.dembowski.net/anything.

Blog successfully migrated to a new host and a new directory. Next up putting SSL back on one of my virtual web servers.