Apache Login Slow or 502 Error - apache

MISP (Malware Information Sharing Platform) is built with Apache. Previously I had a publicly facing instance on Digital Ocean. No log in lag time at all.
I've now moved behind an Apache reverse proxy which is managed by our network team. When attempting to reach the site for the first time there's either a long lag time to get to the site, and if you get to the site there's long lag time when first logging in.
This seems to go away after you first log in. However, many folks are getting a 502 error unable to process /GET, or they simply can't get to the site. There are competing arguments as to which Apache is doing this.
I've looked up a bunch of items already, tried tuning the MISP server, and have had zero luck. Caveat.
I have internal MISP instances that all use the same network. These are not publicly facing and do not have this issue. Also, we are using Let's Encrypt for the certs.
Here's the basic diagram:

Related

Inconsistent Connection to Site (Apache, Nextcloud, OpenCMS)

So I'm pretty new to the server and website dev. Self "taught".
I recently set up a home server running Apache on Ubuntu 20.04 (MicroK8s, Linux Server). Postgres database. Nextcloud Cloud server. Tomcat and OpenCMS system. And Postfix.
I have a domain name pointing to my address. When I'm home, i.e. physically near my server, and I connect to my subdomain, Cloud.example.com, I get Nextcloud. When I connect to the 8080 port (www.example.com:8080) I get Tomcat and OpenCMS. So far, so good.
When I use a VPN, or am not near my server, and go to the subdomain, I sometimes get one of those random "ad" sites that says "this site may be able to purchase".
After more testing it seems like the number of connected users also changes whether I get the rando site or the intended one.
My server is... Old. Likely slow (4GBram and a Core 2 Duo, it's the fastest old tower I had laying around). So I think it's a timeout error within OpenCMS, that serves a rando site when it can't get nextcloud to respond fast enough. But honestly, I'm not even sure where to start, or what to even ask/say or what you would need to see to even start diagnostic...
When I connect to mydomain.com from the VPN I get a 404. Which makes sense, as I haven't built it yet in OpenCMS.
Any pointers on where to start?
What am I missing?
Do I need to delete my /var/www sites or Virtual Hosts, and let OpenCMS handle all the routing?
I'm confused as to how my server knows to point 8080 to Tomcat/OpenCMS, as I never set up a virtual host. How will it eventually know to point mydomain.com to the sites I build in OpenCMS? Or will OpenCMS deploy them to /var/www? Will I need to transfer the Nextcloud site to the OpenCMS directory?
I know this is a lot of free help to ask for, but I'm doing this mostly for fun and to learn, and don't have anyone who knows. I don't want to pay it out as I'd rather learn it. I'm not even sure where to start asking, but have browsed stack overflow for A LOT of excel, Apache, Linux, and other answers in the past, so thought I would ask here first.

Understanding Apache Traffic

I run a 2GB RAM Linode (Ubuntu) that hosts a few WordPress websites. Recently my server has been OOMing and crashing and I have been up all night trying to find out what's causing it. I have discovered that I get an enormous influx of traffic (a tiny DoS) that brings the whole thing down.
I have access logs set up across all of the virtual hosts and I am using tcptrack to monitor activity on the server.
The traffic appearing in my access logs does not account for the traffic I am seeing on tcptrack, i.e. there are a dozen IP addresses that are constantly opening and closing connections on the server, but are nowhere to be seen in the access logs for each virtual host.
Clearly it's because these IPs are not hitting the virtual hosts, but I have tried to set up access logs to monitor server-wide traffic so that I can see what requests they're making but I'm really struggling.
Can anyone please point me in the right direction, perhaps tcptrack is just too simplified to provide any meaningful insight?
Start using mod_security
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_Apache
Debian has it, which means Ubuntu likely does as well. You should also make sure the kernel is set up properly; search Google for SYN_COOKIES. Look into iptables/shorewall etc. Shorewall is a package that wraps iptables. Iptables can be configured to detect floods and start dropping packets.
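To illustrate the gap the question describes (peers that tcptrack sees but the access logs do not), here is an added example, not code from the original posts, that compares a socket listing with the access log and reports web-port peers that never logged a request. The sample data is constructed in the layout of `ss -tan` output and the Apache combined log format, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of `ss -tan` output (documentation IP ranges).
SS_SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:80          0.0.0.0:*
ESTAB      0      0      192.0.2.10:443      198.51.100.7:51514
SYN-RECV   0      0      192.0.2.10:80       203.0.113.50:40112
SYN-RECV   0      0      192.0.2.10:80       203.0.113.50:40113
SYN-RECV   0      0      192.0.2.10:80       203.0.113.50:40114
TIME-WAIT  0      0      192.0.2.10:80       203.0.113.99:33010
ESTAB      0      0      192.0.2.10:22       198.51.100.7:50022
"""

# Constructed sample access log lines (combined format).
LOG_SAMPLE = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.99 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "curl/8.0"
"""

LOG_IP = re.compile(r"^(\S+) \S+ \S+ \[")

def logged_ips(log_text):
    """Client addresses that completed at least one logged request."""
    return {m.group(1) for line in log_text.splitlines()
            if (m := LOG_IP.match(line))}

def unlogged_peers(ss_text, log_text, web_ports=(80, 443)):
    """Map peer IP -> Counter of TCP states for peers connected to a web
    port that have no access-log entry at all."""
    seen = logged_ips(log_text)
    result = defaultdict(Counter)
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("State", "LISTEN"):
            continue  # skip header, listeners and malformed lines
        state, local, peer = fields[0], fields[3], fields[4]
        local_port = local.rsplit(":", 1)[1]
        peer_ip = peer.rsplit(":", 1)[0]
        if not local_port.isdigit() or int(local_port) not in web_ports:
            continue  # not a connection to the web server
        if peer_ip not in seen:
            result[peer_ip][state] += 1
    return dict(result)

if __name__ == "__main__":
    for ip, states in unlogged_peers(SS_SAMPLE, LOG_SAMPLE).items():
        print(ip, dict(states))
```

A peer that shows up only in SYN-RECV never finished the TCP handshake, so Apache never saw a request to log; that is the case the SYN cookies and iptables advice above is aimed at.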

How to prevent continuous website visiting proactively?

I found my httpd processes were using a lot of resources in 'htop' (while my page view is actually low and my webserver has 4 CPU with 4G RAM), so I tried to find out what was happening.
Then I found there was an IP that kept visiting my site in the httpd access log.
After I blocked this IP, my web server was back to normal.
However, I found the problem after my server was in heavy load, which already caused a lot of connection rejections earlier. Therefore my questions are:
(1) What kind of visiting is this? From the rate of the visiting, it's definitely not a human. I looked up this IP, it's from the Netherlands, no other information.
(2) What if they change the IP to visit my site like this again? Any way to prevent this kind of visiting proactively?
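One way to catch this pattern before the server is under heavy load, shown as an added example that is not part of the original post: a per-IP sliding-window counter over access log lines that flags any client exceeding a request budget, whatever address it uses. The threshold, window, function names and the generated sample log are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Client IP and timestamp from an Apache common/combined format line.
LOG_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")

def sample_log():
    """Constructed log: one client sends 2 requests/second for 10 seconds,
    another sends 2 requests 30 seconds apart."""
    fmt = ('{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] '
           '"GET {path} HTTP/1.1" 200 512 "-" "-"')
    lines = [fmt.format(ip="203.0.113.50", s=s, path="/")
             for s in range(10) for _ in range(2)]
    lines += [fmt.format(ip="198.51.100.7", s=s, path="/about")
              for s in (0, 30)]
    return lines

def heavy_hitters(lines, max_requests=5, window=timedelta(seconds=10)):
    """Return {ip: time of the request that first exceeded max_requests
    within the sliding window}. Lines are assumed to be in log order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # ignore lines that are not access entries
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop requests older than the window
            q.popleft()
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in heavy_hitters(sample_log()).items():
        print(f"{ip} exceeded the budget at {when.isoformat()}")
```

Run periodically against the live log, the flagged addresses can be handed to whatever blocking mechanism is already in use.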

All Google API Calls From Our Office Time Out

We have a small office with 20+ computers that are about 80/20 split Macs vs. PCs. I am a web developer by trade who manages our little network but am, by no means, a networking/DNS expert.
That being said, we are having trouble in that every single web site we visit (stackoverflow.com included) that makes a call to a Google API takes forever to load. They all get stuck with a statusbar message such as: "Connecting to fonts.googleapis.com, ajax.googleapis.com, developers.google.com etc..." Eventually, the api call times out and the site will then load without it. Sometimes we get a pop-up error "accounts.google.com" failed to respond. In fact, when we finally get Stack Overflow to load this message is at the top of the page: "Stack Overflow requires external JavaScript from another domain, which is blocked or failed to load."
This seems to be only happening on our internal network. For instance, we can connect laptops, phones and tablets to LTE/mobile networks and they load up the same sites fine.
Oddly enough, Google.com, itself, loads fine. As do Gmail and Google Docs.
When I ping 'fonts.googleapis.com' from both inside the network and from our firewall I get "Request timed out" for 'googleapis.l.google.com' [74.125.70.95].
I have tried deleting all Google entries from our DNS server, an old Windows 2003 Small Biz Server, which sometimes results in 'googleapis.l.google.com' getting a different IP address from our ISP which alleviates the issue temporarily. But, it seems eventually this same IP of 74.125.70.95 will get tacked on to the API URL and we're back in the same boat.
I tried changing the DNS server address of our Win2003 SBS server, itself, away from our ISP's address to both OpenDNS and Google's own DNS server but this hasn't helped.
This has been happening for about a month.
Any ideas?
Stumbled on this article:
http://www.sophos.com/en-us/support/knowledgebase/2450/2750/4350/120934.aspx
Essentially it details something I hadn't thought about. My firewall's Country Blocking feature. Even though the particular IP I had trouble with seemed to belong to Google here in the US, it may have been routed through China (or my firewall's IP address tables are outdated) so traffic was being blocked.
I've adjusted FW rules to allow this IP and all is well.

Cocoa server with user friendly automatic port forwarding or external ip lookup

I am coding a Mac app, which will be a server that serves files to each user's mobile device.
The issues with this of course are getting the actual IP/port of the server host, as it will usually be inside of a home network. If the IP/port changes, it's no big as I plan to send that info to a middle-man-server first, and have my mobile app get the info from there.
I have tried UPnP with https://code.google.com/p/tcmportmapper/ but even though I know my router supports UPnP, the library does not work as intended.
I even tried running a TURN server on my Amazon EC2 instance, but I had a very hard time figuring out what message to communicate with it to get the info I need.
I've been experimenting with Google's libjingle since last night, but am having a hard time even getting the provided iOS example to run.
Any advice on getting this seemingly difficult task accomplished?
The port of your app will not change. The IP change could be handled by posting your server's IP to a web service every hour or whatever time period you want.
The server should call a URL such as http://your-web-service.com/serverip.php?ip=your-updated-ip and then have your serverip.php handle the rest (put it into a MySQL db or something).
When your client starts, it should ask your site for the IP and then connect to your server with that.
This is a pretty common way of handling this type of thing.