Showing posts with label apache. Show all posts

Sunday, March 27, 2016

linux : fedora 22 : apache : error 403 for some images

I've been wondering, on and off, why SOME of the images on my web server result in a 403 Forbidden error. Change your SELinux context setting and you should be fine.

# chcon -Rht httpd_sys_content_t <image directory>


ps. read this: https://wiki.centos.org/HowTos/SELinux/

Friday, September 13, 2013

linux: apache forbidden access to files in symbolic link directory

i have a directory in /home/user/ which i wanted to expose to the web server for web access

but i got a forbidden message every time i accessed my files in that folder

i read somewhere that all the parent directories need the x (search) mode bit, so i checked my /home/user directory
# ll /home/
then added an x mode to it
# chmod +x /home/user
# ll /home/

after which i did the same to its parent /home directory

issue solved ;)
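The same check the post did by hand, as an added example that is not part of the original post: walk from a document directory up to / and list every directory that lacks the "other" execute bit, which is what makes Apache (running as an unprivileged user) answer 403. The scratch tree is constructed inside a temp directory so nothing under the real /home is touched, and the fix uses mode 711 rather than the post's +x so others can traverse the home directory without being able to list it.

```python
import stat
import tempfile
from pathlib import Path


def blocked_ancestors(path: str) -> list[str]:
    """Return every directory from / down to `path` that lacks the 'other'
    execute (search) bit. Any such directory hides everything below it from
    the web server user, so Apache returns 403 for those files."""
    blocked = []
    target = Path(path).resolve()
    for d in (target, *target.parents):
        mode = d.stat().st_mode
        if stat.S_ISDIR(mode) and not mode & stat.S_IXOTH:
            blocked.append(str(d))
    return blocked


def make_scratch_tree() -> tuple[Path, Path]:
    """Constructed sample: <tmp>/home/user/www with home/user at mode 700,
    the situation from the post. Returns (user_dir, www_dir)."""
    base = Path(tempfile.mkdtemp())
    base.chmod(0o755)
    user = base / "home" / "user"
    www = user / "www"
    www.mkdir(parents=True)
    (base / "home").chmod(0o755)
    www.chmod(0o755)
    user.chmod(0o700)  # no search bit for others: this is what breaks Apache
    return user, www


def demo() -> None:
    user, www = make_scratch_tree()
    print("blocking traversal:", blocked_ancestors(str(www)))
    user.chmod(0o711)  # search bit only; others still cannot list the home dir
    print("after chmod o+x:", blocked_ancestors(str(www)))


if __name__ == "__main__":
    demo()
```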

Tuesday, September 03, 2013

linux: apache 2.4.6 apr not found

got apr not found when compiling apache 2.4.6

to fix:

download apr and apr-util from http://apr.apache.org/
extract apr and apr-util and place them in ./srclib/apr and ./srclib/apr-util respectively

configure httpd with --with-included-apr

(http://stackoverflow.com/questions/9436860/apache-httpd-setup-and-installation)

Wednesday, November 07, 2012

apache: define multiple domain over http & https

to define multiple domains, make sure you include the NameVirtualHost setting and <VirtualHost> entries in your apache configuration file.

i got the following warning messages when i forgot to include these settings:
[] [warn] VirtualHost 127.0.0.1:443 overlaps with VirtualHost 127.0.0.1:443, the first has precedence, perhaps you need a NameVirtualHost directive
[] [warn] _default_ VirtualHost overlap on port 443, the first has precedence


here's what i have in my apache configuration file for multiple-domain handling over http and https:
# this is important to handle different domains and ports
# (required on apache 2.2; apache 2.4 ignores NameVirtualHost and always does name-based matching)
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
        ServerName mydomain1.ph
        ServerAlias www.mydomain1.ph
        DocumentRoot /usr/local/apache2/htdocs/
</VirtualHost>

<VirtualHost *:80>
        ServerName mydomain2.ph
        ServerAlias www.mydomain2.ph
        DocumentRoot /usr/local/apache2/htdocs/mydomain2
</VirtualHost>


# both https vhosts share one certificate, so it must be valid for every name served
# here (mydomain1.ph, mydomain2.ph and the www aliases), and picking the vhost by
# name on port 443 only works for clients that send SNI
<VirtualHost *:443>
        ServerName mydomain1.ph
        ServerAlias www.mydomain1.ph
        DocumentRoot /usr/local/apache2/htdocs/
        SSLEngine  on
        SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
</VirtualHost>

# ServerName here must be mydomain2.ph; a second vhost on *:443 that repeats
# mydomain1.ph is never selected by name and mydomain2.ph falls through to the first
<VirtualHost *:443>
        ServerName mydomain2.ph
        ServerAlias www.mydomain2.ph
        DocumentRoot /usr/local/apache2/htdocs/mydomain2
        SSLEngine  on
        SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
</VirtualHost>
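As an added check (example code, not part of the original post or of apache itself), a small script that reads an httpd.conf and reports the two mistakes behind the warnings quoted above: an address:port with several vhosts but no NameVirtualHost line, and a ServerName declared twice on the same address:port. The sample config is constructed to reproduce both.

```python
import re
from collections import defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.M | re.I)
SNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)


def check_vhosts(config: str) -> list[str]:
    """Return findings for overlapping vhosts in the given httpd.conf text."""
    findings = []
    named = {addr.lower() for addr in NVH_RE.findall(config)}
    per_addr = defaultdict(list)  # "*:443" -> [servername, ...] in file order
    for addr, body in VHOST_RE.findall(config):
        m = SNAME_RE.search(body)
        per_addr[addr.strip().lower()].append(m.group(1).lower() if m else "<none>")
    for addr, names in per_addr.items():
        if len(names) > 1 and addr not in named:
            findings.append(f"{addr}: {len(names)} vhosts but no NameVirtualHost {addr}")
        seen = set()
        for name in names:
            if name in seen:  # second vhost with this name is unreachable by name
                findings.append(f"{addr}: ServerName {name} declared more than once")
            seen.add(name)
    return findings


# Constructed sample: no NameVirtualHost for *:443, and the second https vhost
# still carries ServerName mydomain1.ph (the copy-paste mistake).
SAMPLE = """\
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName mydomain1.ph
</VirtualHost>
<VirtualHost *:80>
    ServerName mydomain2.ph
</VirtualHost>
<VirtualHost *:443>
    ServerName mydomain1.ph
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName mydomain1.ph
    ServerAlias www.mydomain2.ph
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in check_vhosts(SAMPLE):
        print(finding)
```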

Friday, July 27, 2012

http: couple of ways to forward http requests


if you have a domain name that points to an ip and you want to serve another page...

if hosted on a different machine which also has a public ip, you can easily redirect requests with javascript's window.location
ex.
<script language="JavaScript">window.location="http://x.x.x.x";</script>

or encapsulate the page in an html frame
ex.
<frameset frameborder="NO" cols="100%,*" rows="*" border="0" framespacing="0">
                <frame name="topFrame" scrolling="auto" src="http://x.x.x.x" />
</frameset>


if hosted on a different machine which has no public ip, you can do port forwarding using your firewall
ex.
in iptables forwarding public ip x.x.x.x port 81 to local ip y.y.y.y port 80:
-A PREROUTING -d x.x.x.x -p tcp --dport 81 -j DNAT --to y.y.y.y:80
-A POSTROUTING -d y.y.y.y -p tcp --dport 80 -j SNAT --to x.x.x.x:81


or if you want to serve another domain on the same machine, you can use apache's virtual host
ex.
NameVirtualHost *:80
<VirtualHost *:80>
        ServerName alternate.mydomain.ph
        DocumentRoot /usr/local/apache2/htdocs/alternate
</VirtualHost>

Tuesday, February 28, 2012

linux: php basic installation with apache configuration

download the php source, then build and install it:
# ./configure
# make
# make install


copy php.ini-dist to /usr/local/lib/php.ini

edit your php.ini file and set the following:
extension_dir = "/usr/local/apache2/modules/" ; this is my apache modules directory
include_path = "/usr/local/lib/php"
extension=php_mysql.so

if you have pgsql add:
extension=php_pgsql.so

edit your /etc/ld.so.conf file and add the following:
/usr/local/lib
/usr/local/include

if you have pgsql add:
/usr/local/pgsql/lib

load ldconfig
# ldconfig -v

edit your apache httpd.conf configuration file
verify that the line below is not commented out:
LoadModule php5_module modules/libphp5.so
then add the following lines:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php .phtml

restart your apache server

create a test php file with the content below:
<?php phpinfo(); ?>
then test by browsing your test php file

sometimes it takes a while before php pages work after installation. give it a few minutes before testing

Tuesday, September 06, 2011

coldfusion: display 404 error instead of cf file not found error

to display apache's 404 error instead of coldfusion's file not found error:

[screenshot: coldfusion's file not found error message]

edit coldfusionmx/runtime/servers/default/SERVER-INF/default-web.xml

1. set keepGenerated to true:

 <servlet>
   <servlet-name>JSPServlet</servlet-name>
   <servlet-class>jrun.jsp.JSPServlet</servlet-class>
   <load-on-startup>1</load-on-startup>
   <init-param>
     <param-name>keepGenerated</param-name>
     <param-value>true</param-value>
   </init-param>
   <init-param>
     <param-name>translationDisabled</param-name>
     <param-value>false</param-value>
   </init-param>
   <init-param>
     <param-name>cacheTags</param-name>
     <param-value>true</param-value>
   </init-param>
 </servlet>


2. comment out the servlet mapping for JspLicenseServlet

<!--
 <servlet-mapping>
   <servlet-name>JspLicenseServlet</servlet-name>
   <url-pattern>*.jsp</url-pattern>
 </servlet-mapping>
-->


3. comment out index.jsp in welcome-file-list

 <welcome-file-list>
  <welcome-file>index.html</welcome-file>
<!--
  <welcome-file>index.jsp</welcome-file>
-->
 </welcome-file-list>


edit your apache/httpd.conf

1. remove .jsp from AddHandler

web server: a few notes on security hardening

server access hardening

1. don't allow root login in sshd; set the protocol and max tries
 in /etc/ssh/sshd_config, set
  Protocol 2
  PermitRootLogin no
  MaxAuthTries 3


2. remove remote root login
 in /etc/securetty, remove all entries except for "console"

3. set idle timeout
 in /etc/profile, add
  TMOUT=7200

4. set password policy
 in /etc/login.defs, set
  PASS_MAX_DAYS 30
  PASS_MIN_LEN 8
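An added audit script for item 1 (example code, not part of the original post): it reads an sshd_config and compares the global settings with the baseline above. sshd uses the first value it finds for a keyword, so the parser keeps the first occurrence; this catches the common mistake of appending "PermitRootLogin no" to a file that already says "yes" higher up, where the later line is silently ignored. The sample config is constructed; note that OpenSSH 7.4 and later only speak protocol 2 regardless of the Protocol line.

```python
import re

EXPECTED = {"protocol": "2", "permitrootlogin": "no", "maxauthtries": "3"}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Global sshd_config keywords, keeping the FIRST value of each (as sshd does)."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after a Match block is conditional, not global
        values.setdefault(key, val)  # later duplicates are ignored by sshd
    return values


def audit_sshd(text: str) -> list[str]:
    """Compare the global settings against the baseline; return the deviations."""
    got = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        have = got.get(key)
        if have is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif key == "maxauthtries":
            if not have.isdigit() or int(have) > int(want):
                findings.append(f"{key}: is {have!r}, expected at most {want}")
        elif have.lower() != want:
            findings.append(f"{key}: is {have!r}, expected {want!r}")
    return findings


# Constructed sample: the "no" added later is dead config, sshd already took "yes".
SAMPLE_SSHD = """\
Port 22
PermitRootLogin yes
Protocol 2
# hardening added later, silently ignored because of the earlier line
PermitRootLogin no
MaxAuthTries 6
"""

if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD):
        print(finding)
```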


web access hardening

1. remove http mod_rewrite (to disable http trace/track method)
 in /usr/local/apache2/conf/httpd.conf, set
  RewriteEngine Off

2. display http 413 error message (for web server cross-site scripting vulnerability due to 413 error message)
 in /usr/local/apache2/conf/httpd.conf, uncomment
  ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var

3. apply SSL to portion of website that uses logon credentials or entire website (for credentials with encryption)

4. implement input validation (against further web server cross-site scripting vulnerabilities); see owasp.org for details

5. ignore the session id provided by the user and generate your own session id after authentication (against session fixation); see owasp.org for details

Monday, August 15, 2011

apache: ssl setup

1. configure your apache with ssl
    # ./configure --prefix=/usr/local/apache2 --enable-rewrite --enable-ssl --with-ssl=/usr/include/openssl

2. create a signing key without a pass phrase *
    # openssl genrsa -out server.key 1024
    or if with pass phrase
    # openssl genrsa -des3 -out server.key 1024

3. create a certificate request. use this when you purchase your certificate. (or do no. 4 for self signed certificate)
    # openssl req -new -key server.key -out server.csr
    (leave the challenge password blank)

4. create a self signed certificate
    # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

5. modify your httpd.conf file to add the ssl key and certificate
    <VirtualHost 127.0.0.1:443>
        SSLEngine on
        SSLCertificateFile /usr/local/apache2/conf/server.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/server.key
    </VirtualHost>

6. place your ssl key and certificate files into the directory paths you supplied in your httpd.conf (above)

7. start apache with ssl
    # /etc/init.d/httpd startssl

* you should NOT generate the RSA private key with a pass phrase if you have scripts that restart apache with ssl automatically, else, it will require you to enter the pass phrase before it starts apache with ssl

8. edit apache startup script to launch with ssl
    include -DSSL in the start script /etc/init.d/httpd
    $HTTPD -k $ARGV -DSSL

9. allow ssl port through your firewall. if you're using iptables, add this
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

to verify the contents of the certificate request, use this command:
# openssl req -noout -text -in server.csr

to view the contents of the private key, use the command below:
# openssl rsa -noout -text -in server.key

to use SSLv3 instead of TLSv3, add this in ssl.conf:
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
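An added example (not from the original post or from mod_ssl) that evaluates an SSLProtocol line the way mod_ssl does, token by token from left to right: "+name" or a bare "name" enables a protocol, "-name" disables it, and "all" expands to every protocol the build knows. Run on the line above it shows exactly what that line leaves enabled. The KNOWN list is an assumption for a current mod_ssl/OpenSSL build (no SSLv2); SSLv3 is deprecated by RFC 7568 and TLS 1.0/1.1 by RFC 8996.

```python
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # assumed build support
INSECURE = {"SSLv3", "TLSv1", "TLSv1.1"}  # SSLv3: RFC 7568; TLS 1.0/1.1: RFC 8996
_CANON = {name.lower(): name for name in KNOWN}


def enabled_protocols(directive: str) -> set[str]:
    """Evaluate an SSLProtocol line: start from an empty set, then apply each
    token in order ("+X"/"X" adds, "-X" removes, "all" expands to KNOWN)."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]  # accept the line with or without the directive name
    enabled: set[str] = set()
    for tok in tokens:
        op, name = (tok[0], tok[1:]) if tok[:1] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = set(KNOWN)
        elif name.lower() in _CANON:
            names = {_CANON[name.lower()]}
        else:
            raise ValueError(f"unknown protocol token: {tok}")
        enabled = enabled - names if op == "-" else enabled | names
    return enabled


def weak_protocols(directive: str) -> list[str]:
    """Enabled protocols that should not be offered any more, sorted."""
    return sorted(enabled_protocols(directive) & INSECURE)


if __name__ == "__main__":
    line = "SSLProtocol -all +SSLv3 +TLSv1"  # the line from the post
    print(line, "->", sorted(enabled_protocols(line)), "weak:", weak_protocols(line))
    fixed = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"
    print(fixed, "->", sorted(enabled_protocols(fixed)), "weak:", weak_protocols(fixed))
```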


to test ssl connection
# openssl s_client -connect localhost:443

Thursday, July 28, 2011

apache - mod python - tilecache: installation on minimal centos 4.6

my apache - mod_python - tilecache installation notes on minimal centos 4.6 (final)

1. from the base system installation, install the following:
glibc-kernel-headers
glibc-headers
glibc-devel
cpp
gcc

2. install apache
# ./configure --prefix=/usr/local/apache2 --enable-so --enable-rewrite --with-mpm=prefork
# make
# make install

3. install mod_python
http://www.apache.org/dist/httpd/modpython/mod_python-3.3.1.tgz
# ./configure --with-apxs=/usr/local/apache2/bin/apxs
(if you get an error: apxs not found or not executable, locate your apxs)

# make
make failed: [mod_python.so] Error 1

* install python from source to include the libraries
download http://www.python.org/ftp/python/2.5.1/Python-2.5.1.tgz
# ./configure
# make
# make install

...continue mod_python installation
# ./configure --with-apxs=/usr/local/apache2/bin/apxs
# make
# make install

4. configure apache
# vi /etc/apache2/apache2.conf
add:
LoadModule python_module /usr/lib/apache2/modules/mod_python.so

5. test python
# vi /usr/local/apache2/conf/httpd.conf
add:
<Directory /usr/local/apache2/htdocs/pytest/>
 AddHandler mod_python .py
 PythonHandler test
 PythonDebug On
</Directory>

# test.py

from mod_python import apache

def handler(req):
    req.log_error('handler')
    req.content_type = 'text/plain'
    req.send_http_header()
    req.write('mptest.py\n')
    return apache.OK

6. install tilecache
download http://www.tilecache.org/tilecache-2.01.tar.gz
extract into your web directory
# python ez_setup.py
# python tilecache_install_config.py

7. configure apache for tilecache
# vi /usr/local/apache2/conf/httpd.conf
add:
AddHandler python-program .py
PythonHandler TileCache.Service
PythonOption TileCacheConfig /path/to/tilecache.cfg

<Directory /usr/local/apache2/htdocs/tilecache/>
    AddHandler python-program .py
    PythonHandler TileCache.Service
    PythonOption TileCacheConfig /usr/local/apache2/htdocs/tilecache/tilecache.cfg
</Directory>

<Location /mpinfo>
      SetHandler mod_python
      PythonHandler mod_python.testhandler
</Location>

8. test by browsing:
http://x.x.x.x/tilecache/tilecache.cgi?LAYERS=basic&SERVICE=WMS%20&VERSION=1.1.1&REQUEST=GetMap&SRS=EPSG:4326&BBOX=-180,-90,0,90%20&WIDTH=256&HEIGHT=256

tada!

SSH : No matching host key type found. Their offer: ssh-rsa,ssh-dss

Got this while connecting to my mikrotik router via ssh   Unable to negotiate with <ip address> port <ssh port>: no matching hos...