Prevent (stop) Apache from logging specific AJAX / XmlHttpRequests? - apache

I'm working on a site where the main idea is to do a lot of xmlHttpRequests in a loop (or loop like construct). But the thing is that every time I access the file on my server from the javascript it is logged in access log on the server. Over time the access log file gets so big it slows down the further requests.
Is there a way to tell the apache (I guess) not to log the access to this file if its correct? (I'm sending a get with a password (always different) to this file.)
The access to the file will be from different IPs.
I don't want to stop all the logging, just the "approved" one.

No problem. Just look at the example from Apache's documentation (a place where you might want to look, if you happen to have an apache-related question in the future).
For example:
# Mark requests for the AJAX call
SetEnvIf Request_URI "^/myajaxscript\.php.*$" dontlog
SetEnvIf Request_URI "^/myotherajaxscript\.php$" dontlog
# Log what remains
CustomLog logs/access_log common env=!dontlog

Related

disable access logging for specific folder - centos 6 / apache 2.4

I have a bunch of php scripts in a specific folder on one of my domains which are constantly accessed (20+ hits a second) and would like to disable access logging for all of them (the folder). I am using CentOS 6 with Apache 2.4 and have WHM/Cpanel.
I found information on how to do this using environment variables and modifying the host file, but I am not sure how to customize this for my needs.
I want to disable logging for /home/username/public_html/folder1/folder2/ (everything in it).
Here is what I found online to do this (putting this in a vhost include file) :
<IfModule mod_userdir.c>
UserDir public_html
SetEnvIf Request_URI "/nolog" dontlog
CustomLog /var/log/apache2/useraccess_log combined env=!dontlog
</IfModule>
One thing I am confused about is I have a different log location setup. For instance, if I look up /var/cpanel/userdata/username/domain.com it shows this at the top :
customlog:
-
format: combined
target: /usr/local/apache/domlogs/domain.com
-
format: "\"%{%s}t %I .\\n%{%s}t %O .\""
target: /usr/local/apache/domlogs/domain.com-bytes_log
documentroot: /home/username/public_html
group: username
hascgi: 0
homedir: /home/username
Given the different log location how would I implement this? While I am at it I wouldn't mind disabling the logging for the bytes-log as well for this folder. This is too much logging constantly happening which would not be useful to me at all given how much often they are accessed.
'username' and 'domain.com' represent their actual values in the above.
By default cPanel/WHM stores the access logs for the cPanel accounts (domains/sites/etc) in /usr/local/apache/domlogs/. That means that all the requests for that site are logged in that file (including the requests from folder1, folder2 etc).
You could try something like this:
Create an .htaccess file in /home/username/public_html/folder1/folder2/ with the content from bellow:
<IfModule mod_userdir.c>
UserDir public_html
SetEnvIf Request_URI "/nolog" dontlog
CustomLog /usr/local/apache/domlogs/domain.com combined env=!dontlog
</IfModule>
See if that works (basically it should allow logging but exclude the requests from the files from folder1, folder2 etc).
If that doesn't work then you could edit /var/cpanel/userdata/username/domain.com and comment the bytes_log line and the access_log line. That should completely disable access logging of http requests for that domain. You might need to restart httpd and cpanel service for the changes to take effect.

Apache 2.2 Allow from env=_variable_

I have an Apache 2.2 set up with LDAP Authorization, which is working fantastically as expected, and have also made it so that I can bypass Authentication when accessing it locally.
Allow from localIP hostnameA hostnameB, etc...
If I curl from the server, I don't get any Auth Required. So all good and working as expected.
What I need now is to make one particular URL to also bypass authorisation.
I have tried all the usual solution of using SetEnvIf;
SetEnvIf Request_URI "^/calendar/export" bypassauth=true`
Allow from env=bypassauth IP_ADDRESS HOSTNAME_A HOSTNAME_B
But this is just not working!!
Local access is still unrestricted, but remotely it is not (no change there)
If I dump out my server environment variables on that URL's script, I can see my bypassauth variable is being passed.
I just cannot for the life of me figure out why the Allow from env=bypassauth part is not working, while it still obeys the additional directive parameters.
I also tried another suggestion, using the Location directive;
<Location /calendar/export>
Satisfy Any
Allow from all
AuthType None
SetEnv WTF 123
</Location>
Again, I can see my new environmental variable (WTF) appear on this URL (when I dumped the server envs in the script), so I know that the SetEnv and SetEnvIf directives are working.
Is there anything I'm missing (any Apache2.2 quirks?), as all the solutions I've seen so far just are not working. It's as if my Allow from changes are having no effect after restarting Apache. I'm starting to feel my sanity slip.
Is there also a particular order when writing the directives for Satisfy Any, Order allow, deny and the Auth* directives, which might be effecting this?
Finally managed to figure it out!! :)
Seems my url was being processed by mod_rewrite (my environmental variable being prefixed by REWRITE_ should have rung alarm bells), which according to this post https://stackoverflow.com/a/23094842/4800587, the mod_rewrite is performed AFTER our SetEnvIf and Allow directives.
Anyway, long story short; I used the rewritten/final URL and the Location section to bypass authentication using the Allow any directive. So I changed...
<Location "/calendar/export">
Allow from all
</Location>
to..
<Location "/calendar/index.php/export">
Allow from all
</Location>
which is the final URL (after rewrite), and now works.

how to block cross frame scripting in Apache for svn

I have SVN configured thru Apache 2.4.18 on Linux 6.6. Next i have to disable cross frame scripting for my svn url. SVN url is like https://servername/svn/projectA. I have compiled mod_security2.so and copied to /modules directory and loaded then in virtualHost have the lines below.
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
httpd-vhosts.conf
<VirtualHost *:80>
ServerAdmin email#domain.com
DocumentRoot "/var/local/apache/httpd2.4.18/htdocs"
ServerName servername.fqdn.com
# For http to https redirect
Redirect / https://servername
TraceEnable off
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
SecRuleEngine On
#SecFilterEngine On
#SecFilterForceByteRange 32 126
#SecFilterScanPOST On
#SecFilter "<( |\n)*script"
SecRequestBodyAccess On
SecResponseBodyAccess On
ErrorLog "logs/error_log"
CustomLog "logs/access_log" common
</VirtualHost>
The rules that Apache not supported are
SecFilterEngine
SecFilterForceByteRange
SecFilterScanPOST
SecFilter
Blockquote
Instead of SecFilterEngine, its taking SecRuleEngine. But I do not know alternative rule for other rules. I am using modsecurity-2.9.0 source compiled. The error i see is below. [root#server extra]# /var/local/apache/httpd2.4.18/bin/apachectl configtest
AH00526: Syntax error on line 45 of /var/local/apache/httpd2.4.18/conf/extra/httpd-vhosts.conf:
Invalid command 'SecFilterForceByteRange', perhaps misspelled or defined by a module not included in the server configuration. Any one know the mod_security2 supported modules for SecFilterForceByteRange, SecFilterScanPOST and SecFilter. I also read documentation about mod_security but could not figure out and solve the issue. I followed the url below.
http://www.unixpearls.com/how-to-block-xss-vulnerability-cross-site-scripting-in-apache-2-2-x/
[EDIT]
Its solved by adding the header response.
All those unsupported commands are ModSecurity v1 commands and have been completely rewritten for ModSecurity2.
The rule you would want would be something like this:
SecRule ARGS "<( |\n)*script" "phase:2,id:1234,deny"
This basically scans any of your arguments (as parameters or the body) for items like this:
<script
or
< script
or
<
script
That's not a bad start to trying to protect for XSS but is a bit basic.
OWASP has a Core Rule Set of ModSecurity rules and their XSS rules are much more complex and can be seen here: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_xss_attacks.conf
XSS can be exploited in a number of ways, some of which will make it to your server (and this sort of thing might catch) and some which might not even make it to your server at all (and so which this can't protect against).
The best way to protect against XSS is to look at Content Security Policy, which allows you to explicitly say what javascript you want to allow on your site, and what not, and to explicitly deny in-line scripts if you want. This may require some clean up of your site to remove inline scripts and is not always the easiest to set up, particularly if loading third party assets and widgets on your site, but is the most robust protection.
The X-Frame-Options header is useful to stop your site being framed, and someone overlaying content to make you think you are clicking on the real site buttons and fields, but actually clicking their buttons. It's not really a form of XSS, since you are more putting scripting on an invisible window on top of your site rather than directly on your site, but can have similar effects. It's a good header to use.

Disable apache access log for openshift's app health check

I realized Openshift makes health checks in my app each 2/3 seconds, generating a lot of redundant junk in the apache's log. How can i disable log from openshift's health check servers?
Thanks!
You can perform access logging conditionally, see Conditional Logs. I do not know how Openshift access can be identified, but defining an appropriate SetEnvIf should be feasible. Then, as mentioned, add the negated environment variable to your logging definition:
CustomLog logs/access_log common env=!dontlog
A more complete example will be...
SetEnvIf Request_URI "^/metrics$" skiplog
CustomLog logs/access.log combined env=!skiplog
Where your application exports metrics for Prometheus at the usual /metrics endpoint.

Set mod_reqtimeout to unlimited time for a specific folder

I basically have two questions:
How do you set the RequestReadTimeout (in mod_reqtimeout), header and body time to: unlimited time
and
How do I apply that to a specific folder?
The default reqtimeout.conf is:
<IfModule reqtimeout_module>
RequestReadTimeout header=10-20,minrate=500
RequestReadTimeout body=10,minrate=500
</IfModule>
So that it would be something like:
<IfModule reqtimeout_module>
#Apply this to the /var/www/unlimitedtime folder
<Directory /var/www/unlimitedtime>
RequestReadTimeout header=unlimited,MinRate=0 body=unlimited,MinRate=0
</Directory>
</IfModule>
This doesn't work but it's just an example that maybe will make my question more clear.
Thx
Several tips from official documentation of top
RequestReadTimeout :
Context: server config, virtual host
That means this directive is a quite high level directive, you do not have the Location or Directory context here. In fact the timeouts are applied far before the web server can apply a directory decision on the request (the request is not received...), so it's quite normal. What it means is that you cannot apply this directive in a Directory, and there's nothing you can do for that, sorry.
type=timeout
The time in seconds allowed for reading all of the request headers or
body, respectively. A value of 0 means no limit.
So instead of using the 10-20 form simply set 0 and it becomes an unlimited timeout. Or at least that's what the documentation seems to imply. But that's a real nice way of making your webserver DOS-enabled. A few HTTP requests on the right url and you will get a nice Deny of Service, so I hope some other Timeout setting will override it (but maybe not, be careful) :-)