Some people say that to enable compression you modify htaccess file:
apache compression Deflate .js and .css files not compressed?
http://betterexplained.com/articles/how-to-optimize-your-site-with-gzip-compression/)
Others say you need to update httpd.conf file
http://kb.mediatemple.net/questions/1567/Compressing+web+pages+with+mod_deflate#dv
What is the right way? If either is correct then wouldn't htaccess be a better choice since it doesn't require web server restart?
The Apache HTTP Server can be configured in a number of ways: The main configuration file is (usually) called "httpd.conf", but this file can include other configuration files with the "Include" directive. Furthermore, the HTTP Server allows for configuration files to be placed in the context path of your website. These decentral configuration files are (usually) called ".htaccess".
Configuration directives, like the directives to enable compression, can be valid in different contexts. The valid configuration contexts of the "AddOutputFilter", the "SetOutputFilter", and the (deprecated) "AddOutputFilterByType" all specify "server config, virtual host, directory, .htaccess" as their valid configuration contexts. Therefore, all of these directives can be used in the "httpd.conf" as well as in the ".htaccess" configuration files.
So both ways of configuring output compression are valid, and it's just a matter of taste whether you want all your server configuration in one central file (which gets only read during server (re)start) or whether want to spread the configuration in multiple files and directories (but get the benefit of changes being applied instantly).
If your Web Host is through C Panel
Enable G ZIP Compression on Apache C Panel
Go to CPanel and check for software tab.
Previously Optimize website used to work but now a new option is available i.e "MultiPHP INI Editor".
Select the domain name you want to compress.
Scroll down to bottom until you find zip output compression and enable it.
Now check again for the G ZIP Compression.
You can follow the video tutorial also.
https://www.youtube.com/watch?v=o0UDmcpGlZI
Related
I am trying to decide whether to use .htaccess files in each sub-directory to deny all requests for specific files (while also denying directory indexes), or whether it is more security conscious to move all files except for essential files (index.php, .htaccess, robots.txt) outside the root directory and call them from the index file.
Are there any critical differences in security between these two methods for securing files in my web application?
Here is a view of what the .htaccess looks like in the root directory.
# pass the default character set
AddDefaultCharset utf-8
# disable the server signature
ServerSignature Off
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|lock|DS_Store|json|)$">
order allow,deny
allow from all
</FilesMatch>
# disable directory browsing
Options All -Indexes
# prevent display of select file types
IndexIgnore *.wmv *.mp4 *.avi *.etc
However, this would not stop someone from accessing a file if they knew the directory structure such as https://www.example.com/security/please_dont_look.cfg
Although that file does not print anything, I don't want anyone to know it exists, and don't want a site-specific solution like using modredirect to redirect calls to specific files.
I could use a .htaccess file in each directory such as this:
order deny,allow
deny from all
From this question and reply (Prevent access to files in a certain folder)
Is one solution more bullet-proof than the other?
As always in such complex systems, security here is about having several lines of defense, keeping things simple and attempting to prevent as many attack vectors as possible.
Theoretically both solutions should provide you with the exact same level of security - the files would not be accessible in either case.
I'd recommend moving files that should not be accessed directly into a directory outside of the web root directory. It is quite easy to screw up htaccess files and thats just not possible when you move the files outside of your webroot. This will also prevent timing attacks against the directory structure of your server: reading htaccess files comes with a time penalty and that might be measureable, especially if your htaccess files get big and you have plenty of them for each sub directory. Actually I'd recommend skipping htaccess entirely, just disable indexes directly in your vhost configuation, such that Apache does not have to look for htaccess files at all, speeding up your website.
Additionally, in case you run php via fcgi, you should disallow file access on a file system level for apache and just allow access from php. With this setup it should be outright impossible to access your files by attacking the webserver (excluding php) unless you have some privilege escalation vulnerability (in which case you are screwed anyways).
The only way to access your confidential files in this setup would be to convince PHP to read the file or to mess with the file system, i.e. by creating a hard link from your web root into your "confidential files outside web root"-directory. Preventing against that boils down to ensuring your PHP configuration is as restrictive as possible, file creation inside the webroot is disallowed and, most importantly, ensuring that the PHP application itself is not vulnerable.
I am running into some sort of issue when trying to access my local website:
Forbidden
You don't have permission to access /index.html on this server.
Apache Server at ffghost.local Port 34580
I'm using macOS X Server 5.2 with Apache 2.4.18. OS X Server automatically creates two default websites (one on port 80 and one on port 443). I created a new website. It was my understanding that Apache would redirect from the default site to the created site automatically once created. This didn't happen. So, in an attempt to begin de-conflicting I replaced the files where the default site was located with the new website files and all of the sudden am getting the above 404 message.
I have read a lot of possibilities as to why this may be happening. I've run a syntax checker for Apache in terminal and terminal says syntax is ok. So from there I was going to check into the config files, but there are several, and I just want to know the gist behind them.
There seem to be about 4 file extension types. I don't know what they all mean or if they are active.
.config (I'm assuming this is the active file)
.config.prev (I'm assuming this is a previous version or copy of an active config file and is no longer active)
.config.orig (original file? and is no longer active)
.config.default (???)
Also, OS X Server and Apache seem to have the same files in two different places and I'm a little confused on which one to change. If I change one of them will it be reflected in the other? Do I need to change both of them? Additionally, I don't have DNS set up and am unsure if that was the original issue of not pulling up the new website over the default site.
You are mixing several aspects in your question which makes it complicated to give a helpful answer. For example, you say you get Forbidden when accessing your site, but later you mention a status 404. The former might be due to configuring a user group being allowed to access the site, while the latter just means Not found.
As to your actual question about the config files:
The file just ending in .conf is the one that is being used.
However, the Server app uses a lot of of different config files which might be relevant:
Path /Library/Server/Web/Config/apache2 contains the general config files
httpd.conf - general Apache configuration
httpd_server_app.conf - more general configuration
the other files contain configurations for specific applications or webapps (the latter being defined in plist files in /Library/Server/Web/Config/apache2/webapps)
Path /Library/Server/Web/Config/apache2/sites contains config files specific to your websites. They are named something like 0000_127.0.0.1_34543_your.domain.name.conf where 34543 is the configuration for the https (SSL) port, while 35480 would indicate the http port. There is also a file like 0000_127.0.0.1_34543_.conf (no domain name in the file name) which defines the default site.
In addition to these, there are two more configuration file in /Library/Server/Web/Config/proxy which configure the proxy services.
It is not recommended to manually adjust the config files, except for those in the sites subdirectory, because they may get overwritten by the Server app or when updating the Server app.
Important: If you change the files manually, you must re-start the Apache server in order to make the changes effective. Use sudo serveradmin stop/start web to do so.
However, I do not know of a detailed documentation of of all these files, so I try to stay on the safe side and possibly not edit the general config files (only those in sites). I also recommend to write down any manual changes, so they can be reapplied if necessary.
Without exactly knowing what you configured in the Server app and which files you changed how, I'm afraid it is impossible to say what might have gone wrong. I recommend to start all over by removing and re-adding the web sites.
How do I customize the list that web server does in absence of index.* file in the web root or its child directory, if we do not put any index files in the web root directory and the directory has the read permission?
you can set the page to show for a directory url with the index directive, it doesn't need to point to something called index.*, might just as well be whatever.html. See http://nginx.org/en/docs/http/ngx_http_index_module.html#index for details
or you can set autoindex on to give a generated file/directory listing, you can use the autoindex_exact_size and autoindex_localtime to further customize that listing. See http://nginx.org/en/docs/http/ngx_http_autoindex_module.html for details
3th option, if your nginx is compiled with it, is the random_index, see http://nginx.org/en/docs/http/ngx_http_random_index_module.html for details.
NOTE: to find out if your nginx is compiled with the needed --with-http_random_index_module option use the command nginx -V
Well, it depends on what webserver you are using.
In case of Apache, direcory indexes handled by a module called mod_autoindex.
When you want to customize the directory listing, then you have to know that Apache need three 'view' files:
The Header — by default automatically generated by Apache The
Directory Listing — necessarily generated by Apache
The Footer — referred to as the “Readme” file
The Header and Footer parts are basically written in plain HTML. The directory listing is generated by Apache but you can apply CSS on it..
The whole thing is a rather long story, so what I can suggest is a well written article with the details about this 'directory listing customisation':
Better Default Directory Views with .htaccess
I am working on a web application that allows users to upload attachments. These attachments are stored on a different drive than that of the web application. How can I create an alias (equivalent to Apache HTTP server's aliases) to this drive so that users can download these attachments?
Currently I am creating a context file and dumping it in CATALINA_HOME/conf/Catalina/localhost, but it gets randomly deleted every so often. The context file is named attachments.xml and the contents are shown below. I have also read about virtual hosts, but if I understand correctly, then a virtual host is not what I am looking for. I am using version 6.0.18 of Apache Tomcat.
attachments.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context docBase = "e:\uploads\attachments"
reloadable = "true"
crossContext = "true">
</Context>
I spent a lot more time researching this and found a solution that solves the random deletion of the context files. I found this excerpt on Apache's website under the host configuration section:
You can nest one or more Context
elements inside this Host element,
each representing a different web
application associated with this
virtual host.
The virtual hosts are stored in the server.xml file located at CATALINA_HOME\conf. Tomcat comes configured with localhost as the default host. So, if we add the contents of attachments.xml from the first post, we get the following:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Context path="/attachments"
docBase="e:\uploads\attachments"
reloadable="true"
crossContext="true" />
</Host>
This is as close as one can get to defining aliases similar to Apache's HTTP server, I think.
There are multiple options.
Use Apache as frontend, delegating to tomcat by mod_jk or mod_proxy
Provide a download servlet in your own application, serving the requested file
Make the directory that you want tomcat to deliver a web application
each has some drawbacks and some advantages. I strongly prefer the first solution for multiple reasons:
My main reasons apply to unixoid systems, which you are obviously not talking about: Only root can bind ports lower than 1024, e.g. 80. Therefor tomcat would need to run as root (I know that there are mechanics to allow users to bind to low ports, but I've never gotten to use them). Apache is usually started as root but drops these privileges as soon as port 80 is bound.
Apache is said to be a lot better in serving static resources than tomcat (I've never measured it, but find it hard to believe the contrary)
You obviously know how to create aliases in apache - it would be trivial to do so.
About the download servlet:
This way you'd have a servlet serving your static resources, which you might bind to the urls "/download/*" (e.g. in the application that also handles file uploads) You'd gain:
You need to configure the directory where your files are stored only once
If you need you might easily implement permission checks (e.g. login required for downloading)
You need to deploy only one completely selfcontained application.
The download servlet is trivial - find the file, set it's name and filetype in the output stream and stream it byte by byte, then close the output stream (be sure to handle attacking file names like "/download/../../../../etc/passwd" or "/download/C:/WINDOWS/someimportantfile.xxx"), e.g. by using the java.io.File constructor that gets the base directory as a separate parameter.
The third option has some severe drawbacks and opens you for attacks if you don't take special care of them:
Tomcat does not serve directories, but webapps. Therefor "E:/upload/attachments" would need at least a directory named "WEB-INF", containing "web.xml". Take care to not provide write access to this directory and file from the uploading web application. With this provision you might let tomcat serve the directory.
However: Configure the contained web.xml to not serve "*.jsp" as a jsp, otherwise tomcat would not just deliver jsp files but execute them. Imagine someone uploading "index.jsp" with <% System.exit(0); %> or more malicious content.
One additional thought: You don't need the extra crosscontext="true". This would imply that the webapplication that you deploy just to serve your files has access to other webapplications, e.g. is able to manage them or access their private data. Usually you don't need that at all, in the case of your question you definitely don't want that.
See the initial part of my newer question for ways to do this by editing the context.xml file
How do I add aliases to a Servlet Context in java?.
According to several people now, it is no longer necessary (2012: Tomcat 6 or 7) to use Apache for performance reasons over Tomcat for serving static content.
Today I discovered that my fresh installation of Apache HTTP Server is able to serve files from my C:\uploads\ directory.
I have two folders in C:\uploads:
C:\uploads\templates
C:\uploads\sites
Both folders contain testimage.jpg.
I found that Apache will serve the files from the templates folder if I request:
http://localhost/templates/testimage.jpg
However, http://localhost/sites/testimage.jpg 404's!
OMG - firstly, why does Apache serve the templates folder in the first place? Is it special?
Secondly, by what arbitrary set of rules does apache disallow access to other folders such the sites?
I'm so confused. Perhaps I've taken a wrong turn somewhere during the installation.
Did you look through your httpd.conf file to see what rules are in place for what is being served? Alternatively, are there .htaccess files that may be changing what is being served? You might have templates exposed in one or the other, but not sites... that's the first thing that comes to mind.
I would suggest going through these configuration files with a fine toothed comb to see what may cause the behavior you see.