I am trying to hide the Apache Web Server Information for security reasons, Previously we were getting following output on running curl command,
< Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n
But i made the changes to my conf file and added below following lines,
ServerSignature Off
ServerTokens Prod
After adding above lines in the conf file I am not getting following web server header output while running the curl command.
< Server: Apache
To get rid of the "Apache" information I followed the below link and updated ap_release.h file under Include folder of apache install directory as mentioned in the below Stack Overflow Link.
How to change Apache's 'Server:' header without mod_security?
Can someone guide me how to compile the source code, Also do we have to compile all the available source code or just the source code where I have made the modification.
Regards,
D
Related
I'm using a Debian EC2 instance running a Apache2 server (from the open semantic search package).
When I try to open a pdf file in the web browser (inline?), it opens a modified version of it when the file is located on a remote folder but not when the file is located locally.
I saw recommendation (http://www.devside.net/wamp-server/forcing-a-pdf-or-doc-to-open-in-browser-rather-than-downloading) to modify the Apache configuration file to include:
<LocationMatch "\.(?i:pdf)$">
ForceType application/pdf
Header set Content-Disposition inline
</LocationMatch>
I tried adding it to /etc/apache2/apache2.conf
But when I restart the apache server, I get the following error message:
apachectl[16425]: AH00526: Syntax error on line 207 of /etc/apache2/apache2.conf:
apachectl[16425]: Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
My questions are:
Which Apache configuration file should I modify?
Is this modification going to open the pdf file in the web browser inline without downloading / modifying the pdf file when coming from a remote folder?
Thanks!
Yoann
I suspect that it isn't the PDF that is getting corrupted, but the images inside of it.
Some time ago, some server admins were having problems with images getting corrupted by apache2. See for example serverfault and drupalQuestion.
The proposed solution is to change a couple of settings in the apache2 config file. I suspect memory mapping is the issue, which can be turned off by adding the following command to apache2.conf:
EnableMMAP Off
I hope this helps!
I am trying to enable Anti clickjacking on a website hosted by Azure.
Its a shared hosting package run on Apache server. Problem is that i cant find the correct conf file to modify and add this line of code to:
header always set x-frame-options "SAMEORIGIN"
we found a file called apache2.conf and added this but after restarting apache server the line is removed from the conf.
Anyone any ideas what i can do ?
The header code you are trying to add should be applied to a .htaccess file, placed in the folder where you want the action to happen. In your case it's likely the root of your site.
Be warned, though, that I've just ran in to an issue whereby mod_headers.c are not enabled in my container. So even if you put the code above in to a .htaccess file, it still may not work.
I'm interested in knowing where you found the apache2.conf file though. I can't see that on mine (but that may be due to me replying a custom docker container).
I've got a .htaccess file that I copied from one Apache HTTPD server and deployed onto another. Unfortunately, I foolishly didn't check the version of the destination server and just put the file in place; the site stopped working because it's Apache 2.4 and the file has 2.2 syntax. So I quickly reverted it to the previous version and hoped that nobody noticed!
Now, of course, I'm paranoid.
I tried copying the broken-on-2.4 version elsewhere and using apache2 -t .htaccess to find out what's wrong, but I get this error:
apache2: Could not open configuration file /etc/apache2/.htaccess: No such file or directory
If I supply the full path (i.e. apache2 -t /path/to/it/.htaccess) I get:
AH00534: apache2: Configuration error: No MPM loaded.
This error appears to be unrelated but I get the same error message and exit code (1) regardless of whether or not there's an error in the .htaccess file.
So my question is: can I use apache2 -t [...] to test a .htaccess file, and if not, what can I use instead (aside from the manual)? There is this site but it doesn't seem to allow me to say what version of Apache to check against.
I haven't found out how to do what I asked, but I have come up with a workaround.
I created a new directory on the server and put the incompatible .htaccess file in there. I then accessed the directory via my browser whilst tail -fing the error log (/var/log/apache2/error.log) to see what the problem was.
*Edit: Anyone who's using MAMP PRO on a Mac running Mac OS X Lion may find it helpful to know that I finally tracked down my httpd.conf file in my personal library at Application Support > appsolute > MAMP PRO > httpd.conf. The reason I couldn't find it with a normal search is that it's a hidden directory. To access it, open Finder, Choose Go > Go To Folder, then type in ~/Library After tracking it down, you may then discover that it's almost impossible to edit your httpd.conf file. ); *
This is a weird one. I'm using MAMP on a Mac and want to modify my httpd.conf file so it defaults my URL's to lower case. So I navigated to Applications > MAMP > conf > apache > httpd.conf and added this line of code:
RewriteMap tolower int:tolower
I then modified one of my .htaccess files accordingly, but nothing happened. (Yes, I restarted my servers.)
I then reopened my httpd.conf file and added this code, which I understand is supposed to display "verbose" messages in my log file:
LogLevel trace8
I then opened my log file # Application > MAMP > logs > apache_error.log. There's code associated with the web pages I most recently visited, but they're just generic messages - not "verbose" messages.
Someone who understands Apache far better than me told me this indicates that the httpd.conf file I modified isn't being used by my server or sites. In other words, there must be another httpd.conf file out there somewhere.
Sure enough, I typed httpd.conf into Apple's finder and found half a dozens files with that name. I don't know where they came from; I recently tried to install Drupal and Aqquia, so that might be where some of them originated.
Anyway, I added the code (including LogLevel trace8) to EVERY httpd.conf file, restarted my servers, and I STILL don't see any changes on my websites, and I still just see generic code in my log file.
I'm completely snowed. It looks like the httpd.conf file in my MAMP folder is out of the loop, yet the Apache log file in the same folder is being used...or can errors be written to more than one Apache log file at the same time?
If I rename the httpd.conf file in my MAMP folder and restart my servers, my sites display fine, further suggesting that this httpd.conf is outside the flow. Yet if I rename a file that sits beside it named mime.types, my web pages don't display.
Anyway, does anyone have any idea how I can figure out what's going on?
If not, then can you advise me on Plan B? If I can't find my httpd.conf file, then I'll have to abandon ship and just do it online. I've found the path to my online httpd.conf file. I don't know how to open online files, but I assume I can copy it to my computer with an ftp program, open it and modify it, then publish it online.
So here are my questions: Am I correct in understanding that I can safely add the code RewriteMap tolower int:tolower to my online httpd.conf file without affecting any of my websites UNTIL I also modify a .htaccess file(s)? And if I modify my online config file, do i have to restart the server, just as I do on my computer?
Thanks.
First, use the ps command to find the full path to the running Apache process:
$ ps ax | grep httpd
28 ?? Ss 3:01.99 /usr/sbin/httpd -D FOREGROUND
On this system, Apache is /usr/sbin/httpd.
Second, run that binary with the -V option to show its configuration. This should include the path to the config file.
$ /usr/sbin/httpd -V
...
Server compiled with....
..
-D SERVER_CONFIG_FILE="/private/etc/apache2/httpd.conf"
On this system, the running copy of Apache reads its config from /private/etc/apache2/httpd.conf.
I'm getting 500 Internal Server errors when I try to make an HTTP POST to a specific address in my app. I've looked into the server logs in the custom log directory specified in the virtual hosts file, but the error doesn't show up there so debugging this has been a pain in the ass.
How do I cause Apache to log Internal 500 errors into the error log?
This is an Ancient answer from 2013, back when PHP was new and security wasn't an issue:
Here in the future it's a security risk to dump errors to screen like this. You better not be doing this in any production setting.
Why are the 500 Internal Server Errors not being logged into your apache error logs?
The errors that cause your 500 Internal Server Error are coming from a PHP module. By default, PHP does NOT log these errors. Reason being you want web requests go as fast as physically possible and it's a security hazard to log errors to screen where attackers can observe them.
These instructions to enable Internal Server Error Logging are for Ubuntu 12.10 with PHP 5.3.10 and Apache/2.2.22.
Make sure PHP logging is turned on:
Locate your php.ini file:
el#apollo:~$ locate php.ini
/etc/php5/apache2/php.ini
Edit that file as root:
sudo vi /etc/php5/apache2/php.ini
Find this line in php.ini:
display_errors = Off
Change the above line to this:
display_errors = On
Lower down in the file you'll see this:
;display_startup_errors
; Default Value: Off
; Development Value: On
; Production Value: Off
;error_reporting
; Default Value: E_ALL & ~E_NOTICE
; Development Value: E_ALL | E_STRICT
; Production Value: E_ALL & ~E_DEPRECATED
The semicolons are comments, that means the lines don't take effect. Change those lines so they look like this:
display_startup_errors = On
; Default Value: Off
; Development Value: On
; Production Value: Off
error_reporting = E_ALL
; Default Value: E_ALL & ~E_NOTICE
; Development Value: E_ALL | E_STRICT
; Production Value: E_ALL & ~E_DEPRECATED
What this communicates to PHP is that we want to log all these errors. Warning, there will be a large performance hit, so you don't want this enabled on production because logging takes work and work takes time, time costs money.
Restarting PHP and Apache should apply the change.
Do what you did to cause the 500 Internal Server error again, and check the log:
tail -f /var/log/apache2/error.log
You should see the 500 error at the end, something like this:
[Wed Dec 11 01:00:40 2013] [error] [client 192.168.11.11] PHP Fatal error:
Call to undefined function Foobar\\byob\\penguin\\alert() in /yourproject/
your_src/symfony/Controller/MessedUpController.php on line 249
I just ran into this and it was due to a mod_authnz_ldap misconfiguration in my .htaccess file. Absolutely nothing was being logged, but I kept getting a 500 error.
If you run into this particular issue, you can change the log level of mod_authnz_ldap like so:
LogLevel warn authnz_ldap_module:debug
That will use a log level of debug for mod_authnz_ldap but warn for everything else (https://httpd.apache.org/docs/2.4/en/mod/core.html#loglevel).
Check your php error log which might be a separate file from your apache error log.
Find it by going to phpinfo() and check for error_log attribute.
If it is not set. Set it: https://stackoverflow.com/a/12835262/445131
Maybe your post_max_size is too small for what you're trying to post, or one of the other max memory settings is too low.
If your Internal Server Error information doesn't show up in log files, you probably need to restart the Apache service.
I've found that Apache 2.4 (at least on Windows platform) tends to stubbornly refuse to flush log files—instead, logged data remains in memory for quite a while. It's a good idea from the performance point of view but it can be confusing when developing.
Please Note: The original poster was not specifically asking about PHP. All the php centric answers make large assumptions not relevant to the actual question.
The default error log as opposed to the scripts error logs usually has the (more) specific error. often it will be permissions denied or even an interpreter that can't be found.
This means the fault almost always lies with your script. e.g you uploaded a perl script but didnt give it execute permissions? or perhaps it was corrupted in a linux environment if you write the script in windows and then upload it to the server without the line endings being converted you will get this error.
in perl if you forget
print "content-type: text/html\r\n\r\n";
you will get this error
There are many reasons for it. so please first check your error log and then provide some more information.
The default error log is often in /var/log/httpd/error_log or /var/log/apache2/error.log.
The reason you look at the default error logs (as indicated above) is because errors don't always get posted into the custom error log as defined in the virtual host.
Assumes linux and not necessarily perl
The answers by #eric-leschinski is correct.
But there is another case if your Server API is FPM/FastCGI (Default on Centos 8 or you can check use phpinfo() function)
In this case:
Run phpinfo() in a php file;
Looking for Loaded Configuration File param to see where is config file for your PHP.
Edit config file like #eric-leschinski 's answer.
Check Server API param.
If your server only use apache handle API -> restart apache.
If your server use php-fpm you must restart php-fpm service
systemctl restart php-fpm
Check the log file in php-fpm log folder. eg /var/log/php-fpm/www-error.log
Please check if you are disable error reporting somewhere in your code.
There was a place in my code where I have disabled it, so I added the debug code after it:
require_once("inc/req.php"); <-- Error reporting is disabled here
// overwrite it
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
Add HttpProtocolOptions Unsafe to your apache config file and restart the apache server. It shows the error details.
In my case it was the ErrorLog directive in httpd.conf. Just accidently noticed it already after I gave up. Decided to share the discovery )
Now I know where to find the 500-errors.
Check that the version of php you're running matches your codebase. For example, your local environment may be running php 5.4 (and things run fine) and maybe you're testing your code on a new machine that has php 5.3 installed. If you are using 5.4 syntax such as [] for array() then you'll get the situation you described above.
Try accessing a static file. If this is not working either then
go to all directories from the root "/" or "c:\" to the directory of your file and check if they contain ".htaccess" files.
I once left a file in "c:\" and it had the most strange results.