DOS-protection in Apache - apache

We have a small farm of REST-servers that are behind an Apache 2.4 webserver. Apache serves some static resources and proxies REST-calls to the backend. Every now and then we are hit by a DOS-attack (probably from malicious software on Android phones). The attack lasts several hours and fires over 10 requests per second.
I was hoping that Apache could detect such an attack and prevent the requests from reaching our backend servers. I tried mod_evasive but it doesn't seem to work.
Is there some other module for Apache that can block malicious clients?

I ended up installing a new Ubuntu 16 server with Apache 2.4.18 and mod_evasive. Now it all works as expected.
My previous setup used an older Ubuntu 14 and Apache 2.4.8 so maybe that combination was not compatible with mod_evasive.
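A mod_evasive configuration sized for the attack described in the question (a single client sending more than 10 requests per second), as an added example that is not part of the original post. The thresholds, log directory and whitelist ranges are assumptions to adjust against real traffic; the `mod_evasive20.c` module name is the one used by the Ubuntu package.

```apache
# Added example: every value below is an assumption, tune it against normal traffic.
<IfModule mod_evasive20.c>
    # Hash table that tracks client IP / URI pairs. mod_evasive keeps one
    # table per Apache child process, so counts are per child, not global.
    DOSHashTableSize    3097

    # Threshold of requests for the same URI from one client per interval (seconds).
    DOSPageCount        5
    DOSPageInterval     1

    # Threshold of requests for any URI from one client per interval (seconds).
    # The question reports "over 10 requests per second" from the attacker.
    DOSSiteCount        10
    DOSSiteInterval     1

    # A blocked client receives 403 for this many seconds; every further
    # request during the block restarts the timer.
    DOSBlockingPeriod   60

    # Directory for the per-IP marker files; must be writable by the Apache user.
    DOSLogDir           "/var/log/mod_evasive"

    # Never block the local host or the (assumed) internal monitoring range.
    DOSWhitelist        127.0.0.1
    DOSWhitelist        10.0.0.*
</IfModule>
```

Legitimate REST clients that burst above these thresholds, or many users behind one NAT address, will also be answered with 403, so measure normal per-client request rates before enforcing.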

Related

How do I change my localhost application server from Apache httpd to the Tomcat that is built into ColdFusion 10?

Backstory: A couple of years ago my group changed the server on which coldfusion runs to Apache instead of IIS. I changed my dev environment to run CF on Apache httpd and everything was fine. Later we changed the session variables to j2ee, but I have never been able to get j2ee to work on dev so I am still using regular session variables on dev. Lately I am getting session persistence failure on test but I can't reproduce on dev. In looking for differences in CF server settings between test and dev I discovered that test is running on Tomcat while dev is running on Apache httpd.
My real problem is how to get j2ee session vars to work on dev. My question right now is how do I change my server from Apache httpd to the Tomcat that is built in with CF 10? Is there a way to do this without starting over with a fresh install of CF 10 as those are the only instructions I can find?
System: Windows 7
IIS and Apache are not (for Coldfusion, anyway) application servers. They are your front-end web servers. Your 'application server' in this setup is the software running the "application" of Coldfusion via servlets, and that's Tomcat.
While it is possible to use CF's builtin Tomcat server as your front-end web server, it isn't advisable, and it's almost certainly got nothing to do with your problem. Apache is more than capable of doing what you need and a problem with J2EE session variables is going to be related either to your JVM (are you using more-or-less the same version as your production server?) or to Tomcat itself.
Think about how J2EE sessions work. A request comes in and hits your front-end server (httpd), which, presumably through mod_proxy or mod_jk, hands that connection over to Tomcat. Until this happens, that your system is even running a JVM isn't relevant -- neither Apache nor IIS care about Java. I wouldn't go so far as to say that it's impossible for an Apache problem to be monkeying with your session variables, but it would be pretty low on my list of suspects.
Once Tomcat (and then CF) get involved, then your JVM is doing all the work, so that's where I'd look. I'd also have a look at CF logs and Tomcat logs.
To properly answer your question, though, if you want to remove Apache from the loop, you're looking at Tomcat's server.xml and web.xml in /cfusion/runtime/conf - you'd need it running on port 80 (or else reconfigure Apache to just pass all requests to Tomcat instead of only CFML, but that doesn't really do what you asked about since Apache is still involved). You'd also have to reproduce your entire Apache configuration in Tomcat, which I've never done and wouldn't recommend, but that's the direction you'd need to investigate.
Much better to work on solving your session problem. Killing Apache is just collateral damage here.

Using mod_security, either with Apache 2.4 or with mod_proxy as a reverse proxy

I would like to set up mod_security as a stand alone instance protecting Tomcat instances against web application attacks. Would anyone know the pros and cons of doing this via installing mod_security as an Apache module versus installing mod_security on a reverse proxy? Has anyone implemented mod_security in either of these fashions? And if so is one preferred over the other?
There's really no difference in your two options. What non reverse proxy would you install the module on to protect Tomcat?
The question doesn't really make sense as they are both the same to you.
If you already have an Apache server, then you install ModSecurity in one of two ways:
1. In embedded mode, by installing ModSecurity as a module in the existing Apache instance you already have. The advantages are that you won't have to set up a separate Apache instance, and that ModSecurity will have access to the environment that Apache runs under (so it can see environment variables, for example, or log to the same log files).
2. In reverse proxy mode. This involves setting up a separate Apache instance, with only ModSecurity on it, and funnelling all requests through it before sending them on to your normal Apache. The advantage here is a dedicated web server just for ModSecurity, so you will not share resources with your existing Apache if it is already resource hungry. The disadvantages are that it doubles your infrastructure, with the complications that brings.
Personally I prefer option 1.
However, as you want to set up a dedicated web server in front of Tomcat, the two options are identical for you. The new instance of Apache (or Nginx) that you set up will be running it in embedded mode and will act as a reverse proxy to your Tomcat server.
Personally I always think it's best to run a dedicated web server like Apache in front of any app server like Tomcat - especially on a public facing website. Granted Tomcat does include a pretty good web server (called Coyote), which may serve most of your web server needs, but a dedicated web server like Apache is more geared towards serving static content and contains other features for performance and security which make it a better end point server (including the ability to run ModSecurity for example!).
And just in case there is any confusion, Apache is actually short for Apache HTTP Server, and is sometimes called Apache httpd after the process that it runs. It is Apache's most popular bit of software hence why the name gets shortened, but Apache actually have lots of bits of software (including Apache Tomcat - usually shortened just to Tomcat).
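The setup this answer describes, a new Apache instance running ModSecurity in embedded mode while acting as a reverse proxy to Tomcat, sketched as an added example that is not part of the original answer. The host name, Tomcat address and port, log path and rule location are assumptions or placeholders; mod_proxy, mod_proxy_http and mod_security2 are assumed to be loaded.

```apache
# Added example: names, paths and ports are assumptions, not from the page.
<VirtualHost *:80>
    ServerName www.example.com

    <IfModule security2_module>
        # Start in DetectionOnly (log, do not block); change to On once the
        # rules have been tuned against real traffic.
        SecRuleEngine DetectionOnly

        # Let the rules inspect request bodies such as POSTed form data.
        SecRequestBodyAccess On

        # Write an audit entry only for transactions that triggered a rule.
        SecAuditEngine RelevantOnly
        SecAuditLog /var/log/apache2/modsec_audit.log

        # Placeholder: point this at the directory holding your rule set.
        IncludeOptional /path/to/modsecurity-rules/*.conf
    </IfModule>

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Every request passes through ModSecurity before reaching Tomcat.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

For the filtering to mean anything, Tomcat's connector should listen only on the loopback address (the `address` attribute of the Connector in server.xml) so that clients cannot reach it without going through Apache.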

Alternative to the mod_qos module for Apache 2.4

We have been using Apache 2.2 (MPM Worker) for years now and we intend to migrate to Apache 2.4.
Our architecture is strongly shared and we manage about 500 applications. We have chosen to split these applications by technology and to associate one http instance by product (Tomcat5/6/7, Websphere).
In this configuration, our Websphere http instance is for example handling something like 300 virtual hosts. With Apache 2.2 we use the mod_qos module in order to prevent an application from taking all the threads of this http instance by limiting the number of simultaneous connections per virtual host.
Unfortunately the mod_qos module is not compatible with Apache 2.4 and indeed my http instances have not been stable since I tried to use this combination (Apache 2.4 in worker mode + mod_qos).
I'm actually surprised that Apache does not provide mod_qos functionality natively, to address a recurring problem. Here are my questions:
Is there any alternative to mod_qos with Apache 2.4 (I haven't found one so far)?
Without such a module, how can you prevent an application from taking all the threads on a shared platform?
Thanks in advance for your feedback.
Sylvain

Apache (2.4.2/2.4.4) on WAMP (Windows Server 2008 R2) Stops Responding to Requests but Remains Running

For well over a year and a half I have been running Apache (using HTTPD, naturally) through WAMP without issue, or at least no issues like this. On this system, we host around 8 or so different web sites and a few applications that use the MySQL database.
Recently I had a full system crash, and I rebuilt the system on the same operating system with the same versions of Apache, MySQL, and PHP and near-identical configuration files.
The issue I am having is this: On startup our web services initially seem to work fine, and this can hold over for an hour or so, sometimes less, sometimes more. However after some period of time, all web sites suddenly become entirely unavailable, to include the localhost landing on the web server itself or any local browsing for that matter. Apache identifies as still running, remains listening on port 80, and has no abnormal access or error logs (to include in debug mode).
I've gone over this quite a few times, reinstalled WAMP and have interchanged different versions of Apache. Additionally I've vetted the configuration files compared to the old system and have ensured that the modules, extensions, and so on are the same as our previous version.
I would really appreciate any insight as I continue to rack my head over what might be causing this erroneous issue.
--
Some additional details and notes that might prove insightful.
I've ensured the firewall isn't an issue, plus that wouldn't explain the sudden downtime or downtime at the localhost.
A restart of just the Apache service tends to fix the issue, but only for a little while.
Because we host multiple web sites, we do use virtual hosts. They work fine when the system is up and I don't believe they are of issue.
The issue tends to result in indefinite "Waiting for host (site.com, localhost, etc.)".
When I reset Apache during that indefinite error, it then errors out with "The connection to site.com was interrupted.", so something is still running.
During these downtimes, httpd -d DUMP_VHOSTS is able to return the active virtual hosts.
Using ab -n 1000 site.com when the site is 'down', the following result occurs:
Benchmarking site.com (be patient)
Completed 100 requests
Completed 200 requests
apr_pollset_poll: The timeout specified has expired (70007)
Total of 216 requests completed
Add this into httpd.conf
EnableMMAP off
EnableSendfile off
AcceptFilter http none
AcceptFilter https none
This will disable Apache from using some of the more advanced functions for networking that the OS provides.
These functions can get broken with 3rd-party software installs.
Sometimes reinstalling TCP/IP (winsock) can remove the 3rd-party filters/drivers attached to the network layer.
netsh winsock reset

Is Apache Tomcat built on Apache Web Server platform?

Recently our Software Analytic provider (NETTRACKER) sent us a plugin in order to be able to capture visitors in a better way. This plugin is for Apache 1.x and Apache 2.x. They said and I quote
that since Apache Tomcat is built on Apache HTTP server the configuration of the plugin should be the same.
I have looked for a httpd.conf in our tomcat deployment but we cannot find one, the only configuration that is similar to that one is the server.xml under the /conf directory.
If someone has better information regarding these two incredible products (Apache HTTP server and Apache Tomcat), I would greatly appreciate help in drawing out the differences.
EDIT:
In case you are curious, we know that Apache Web Server and Tomcat can work together using the mod_jk option and other proxies. But this will be too complex for our deployment.
Apache Tomcat and Apache HTTP are completely different server technologies. It is impossible to use a plugin for Apache HTTP server with Tomcat.
Apache HTTP server is developed in C and so are the plug-ins. On the contrary Tomcat is now completely developed in Java. Tomcat doesn't only serve static content, but it can also serve JSP pages and servlets.
Tomcat is used for hosting Java Web Applications. It can sure serve static content - you can host a web application using only Tomcat. Secure connections are supported and the performance is also very good (comparable with the performance of HTTP server).
A plain installation of Apache serves static content. Using the appropriate plug-ins, HTTP requests can be redirected to an application server (Tomcat, JBoss, Glassfish) or a script language interpreter (PHP). This way dynamic content can be generated. The big advantages of Apache are the numerous plug-ins available, which allow administrators to configure and monitor web sites any way they want, and that it is the most widespread server available. This makes it the most secure solution, since it is thoroughly tested and any discovered flaw is corrected very quickly.
The best solution would be to use Tomcat proxied by an Apache server. It isn't so difficult to set up. If you can't do this, then you can't take advantage of Apache's plug-ins.
You see this confusion all the time. Many people think that Apache is a web server where in reality it is the name of an organization that has a web server project called "The Apache HTTP Server Project". In short the web server is called HTTPD (D as in daemon or Unix process).
Tomcat is another Apache project. This project implements a Java servlet engine to serve JSP pages and servlets. Tomcat and HTTPD have nothing to do with each other. However, you can set up HTTPD and Tomcat so that they work together. This way you can have HTTPD serve all static content, do URL rewriting and much more fancy stuff that the built in Tomcat web server can't do (or can't do very well). Whenever a JSP page is requested, HTTPD will pass the request on to Tomcat. Tomcat will process the request and will hand the output back to HTTPD which in turn will send it to the client.
Apache has many interesting projects. E.g. there is also a project called Geronimo which is a Java Enterprise server (J2EE). You can e.g. choose to embed Tomcat inside Geronimo to handle requests for JSP's and servlets where Geronimo does the more enterprisy stuff (LDAP, Messaging etc.). And you guessed it probably already, you can use HTTPD as a static content server for Geronimo as well.
Totally bogus. Apache httpd plugins are written in C, Tomcat is pure Java.
Tomcat is a Java servlet engine. It can be hosted under Apache or IIS or quite a number of other external facing web servers. It sounds like you may be currently running your Tomcat instance standalone...
If you serve the JSP/servlets off of port 8080 and have it do things standalone, on the same host machine that Apache is running on, this can allow you to have them loosely coupled. Having multiple web servers fielding independent requests is not recommended, especially if you want to use server-based authentication along with Apache. Typically, you have one outside facing server that shepherds everything through it... Apache does this quite well, and the plugin you mention probably relies on this type of setup (everything gets wired through Apache) for its features/capabilities, based on your brief description of it.
If you would like to serve up your Tomcat servlets under Apache, you could configure Apache to forward a class of URIs to your Tomcat server instances. You could achieve this type of forwarding through mod_rewrite. This is a slower option performance-wise, as it adds slight overhead on everything you serve up. You could also proxy incoming requests via a CGI mechanism similarly, from Apache to Tomcat.
mod_jk will simplify deployment and increase performance for placing Tomcat into an Apache server config. It is pretty painless to configure if you follow the docs, so I am not sure what you mean by "too complex" for your deployment -- if you want Apache and have Tomcat already, it would seem only a matter of slight config changes to get mod_jk downloaded and installed.