Apache configuration settings for specific port (PCI Compliance) - apache

I am trying to make my server PCI Compliant. One of the last issues that I need to fix is to remove the INode from Apache ETag header. So I defined in httpd.conf this line: "FileETag MTime Size" to only return MTime and Size.
<Directory "/var/www/html">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
FileETag MTime Size
</Directory>
This fix solved the issue for the standard port 80.
Now, I also have a hosting control panel (ISPConfig3) running on port 8000. After running the PCI compliance test I got this error:
Apache ETag header discloses inode numbers
Severity: Potential Problem
CVE: CVE-2003-1418
Impact: A remote attacker could determine inode numbers on the server.
Resolution: Use the FileETag directive (http://httpd.apache.org/docs/2.2/mod/core.html#FileETag) to remove the INode component from the calculation of the ETag. For example, place the following line in the Apache configuration file to calculate the ETag based only on the file's modification time and size: FileETag MTime Size
Vulnerability Details:
Service: 8000:TCP
I assume I have to add something to httpd.conf to also apply FileETag to all applications running on port 8000.
Please advise what should be done.
Thank you!
Kelvin

It sounds like your PCI Compliance test is out of date. Have you read CVE-2003-1418?
Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child process IDs (PID).
[My Ital] This isn't an issue for Apache 2.2 which uses a different Etag algo. And if you are still running Apache 1.3 then you've got bigger problems since it is no longer supported.
You are trying to solve a non-problem. Get yourself a current PCI Compliance test suite.

Add this to the beginning of your /etc/apache2/http.conf:
#PCI Compliance fix for "Apache ETag header discloses inode numbers"
Header unset ETag
FileETag MTime Size
This worked for my PCI compliance scan and I don't see why it wouldn't work on all ports that apache listens on.

Per the Apache 2.4 FileETag directive documentation, the default used for calculating the ETag is MTime Size.
For Apache versions 2.3.14 and earlier the default was set to INode MTime Size.
ETag settings for all ports and checking Apache ETag output
You can check for yourself by using curl and comparing the ETag value returned in the headers versus the inode value returned by ls.
For example:
curl -I https://example.com/file
where file is a file that is on your filesystem served by your Apache web server.
With ETag set to MTime Size you might see something like this:
ETag: "3-24f10051b181e"
You can change the values returned by ETag by using the FileETag directive. Add to the bottom of your Apache server conf (e.g. /etc/httpd/conf/httpd.conf) file the following:
FileETag INode
Reload or restart Apache and then repeat the curl test.
In my tests, inclusion of FileETag INode in the server config file affected output on ALL ports being served by my Apache web server: 80 and 443.
With ETag set to INode you should receive a single hex number, something like this:
ETag: "200f8fa"
Convert the numbers returned by ETag from hex to decimal and compare to the inode number.
If you run ls -i /path/to/webroot/example.com/file the inode returned should be the decimal equivalent of the hex number returned via ETag (in this example 33618170).
If you added FileETag INode, don't forget to remove it and restart/reload Apache.
ETag settings for a specific port
The contexts where you can use FileETag are:
server config
virtual host
directory
.htaccess
If FileETag is present in the server config with the component keywords you desire and you are still seeing incorrect ETag output for a specific port that Apache is serving, you should search vhost config files and web root directories for FileETag - as any settings there will override the server config.
If you actually want to have a specific ETag output on a specific port, you should add FileETag to the appropriate VirtualHost block for the port you want to affect. If you are serving more than one site on this port, you'll need to add FileETag to each VirtualHost block that specifies that port.
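As an added example (not part of any answer above), the following POSIX shell script automates the curl-versus-ls check described in this answer: it parses an ETag header value, converts each hex component to decimal and reports whether any component equals the file's inode number. The URL, file path and the sample ETag values fed to it are assumptions taken from the examples in the answer.

```shell
#!/bin/sh
# Added example: detect whether an Apache ETag still carries the file's inode.

# Strip surrounding quotes and an optional weak-validator prefix from an
# ETag header value, e.g. 'W/"200f8fa-3-24f10051b181e"' -> '200f8fa-3-24f10051b181e'
etag_strip() {
    printf '%s' "$1" | sed -e 's/^W\///' -e 's/^"//' -e 's/"$//'
}

# Return 0 (true) if any hyphen-separated hex component of the ETag equals
# the given decimal inode number, 1 otherwise. Works for "INode", "INode MTime
# Size" and "MTime Size" style ETags alike, since each component is tested.
etag_discloses_inode() {
    etag=$(etag_strip "$1")
    inode=$2
    old_ifs=$IFS
    IFS='-'
    for part in $etag; do
        # Skip anything that is not a plain hex number (defensive: odd ETags).
        case "$part" in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        dec=$(printf '%d' "0x$part")     # hex -> decimal, as the answer does by hand
        if [ "$dec" -eq "$inode" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Fetch the ETag for a URL with curl -I and compare it with the inode of the
# local file that serves it (assumes you run this on the web server itself).
check_url_inode() {
    url=$1
    path=$2
    etag=$(curl -sI "$url" | awk 'tolower($1)=="etag:" {print $2}' | tr -d '\r')
    inode=$(ls -i "$path" | awk '{print $1}')
    if etag_discloses_inode "$etag" "$inode"; then
        echo "LEAK: ETag $etag contains inode $inode of $path"
        return 1
    fi
    echo "OK: ETag $etag does not contain inode $inode of $path"
}

# Example invocation (hypothetical URL and path):
# check_url_inode https://example.com/file /path/to/webroot/example.com/file
```

Run it once per port the scanner complains about; a LEAK line means a FileETag setting somewhere still includes INode for that vhost.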

Related

How to Set Up Cache on Apache Server Correctly

I have followed the tutorial to set up browser caching on my Droplet:
https://www.digitalocean.com/community/tutorials/how-to-configure-apache-content-caching-on-ubuntu-14-04
What I want to accomplish for now is to set up a year-long cache on all files; later on I will fine-tune files like HTML for a much shorter expiry.
I have checked my cache folder with the command below and it is growing:
ls -la /var/cache/apache2/mod_cache_disk/
But the problem is that Google PageSpeed Insights and other page speed tests are still reporting that there is no cache policy applied to my files, even after 2 days of caching being applied on the server.
I have also checked the Edge dev tools: most files don't show Cache-Control in the response, and for the small subset of files where it is shown, it is set to no-cache.
I included the following lines in my domain's virtual host file and enabled caching on my server:
CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheIgnoreHeaders Set-Cookie
<Location />
CacheEnable disk
CacheHeader on
CacheDefaultExpire 600
CacheMaxExpire 86400
CacheLastModifiedFactor 0.5
ExpiresActive on
ExpiresDefault A31536000
Header set Cache-Control public
Header merge Cache-Control max-age=31536000
FileETag All
</Location>
Any idea what's wrong?
After days of headache I finally solved it. I was editing the virtual host for HTTP and not the one for HTTPS/SSL. If anybody faces this problem, just search for the active virtual host files on your server like below:
$ apachectl -S
VirtualHost configuration:
:443 de***.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
:80 de***.com (/etc/apache2/sites-enabled/000-default.conf:1)

APACHE 2.4.16 Installation on AIX 5.3.0.0

Earlier I was using Apache 2.2.31, but there is a security issue, namely removing the ETag header from the HTTP headers.
For this purpose I need mod_headers.so, which is not available in 2.2.31. Is there any way to remove the ETag header without upgrading to Apache 2.4.16 on AIX 5.3.0.0?
Thank you
You can remove the inode from ETag headers with the FileETag directive. It's available in 2.2 (so is mod_headers):
https://httpd.apache.org/docs/2.2/mod/core.html#fileetag
FileETag MTime Size

Best Apache Configuration

Please, can you help me with the best Apache configuration?
I own servers for file downloads; files are downloaded by direct links,
ex: domain.com/files.rar
without programming or PHP functions.
The problem: sometimes I have a high load or the servers stop.
For this, can you help me with the best Apache configuration?
Such as:
Server Limit
Max Clients
Max Requests Per Child
Keep-Alive
Keep-Alive Timeout
Max Keep-Alive Requests
Etc.
My servers have 4GB RAM and HDD drives, and 100 Mbps and 1 Gbps links.
Thanks.
Separate Static and Dynamic Content
Use separate servers for static and dynamic content. Apache processes serving dynamic content will carry overhead and swell to the size of the content being served, never decreasing in size. Each process will incur the size of any loaded PHP or Perl libraries. A 6MB-30MB process size [or 10% of the server's memory] is not unusual, and becomes a waste of resources for serving static content.
For a more efficient use of system memory, either use mod_proxy to pass specific requests onto another Apache Server, or use a lightweight server to handle static requests:
Nginx
lighttpd
Or use a front-end caching proxy such as Squid-Cache or Varnish-Cache
The Server handling the static content goes up front.
Note that configuration settings will be quite different between a dynamic content Server and a static content Server.
mod_deflate
Reduce bandwidth by 75% and improve response time by using mod_deflate.
LoadModule deflate_module modules/mod_deflate.so
<Location />
AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml application/x-javascript
</Location>
Loaded Modules
Reduce memory footprint by loading only the required modules.
Some also advise to statically compile in the needed modules, over building DSOs (Dynamic Shared Objects). Very bad advice. You will need to manually rebuild Apache every time a new version or security advisory for a module is put out, creating more work, more build related headaches, and more downtime.
mod_expires
Include mod_expires for the ability to set expiration dates for specific content; utilizing the 'If-Modified-Since' header cache control sent by the user's browser/proxy. Will save bandwidth and drastically speed up your site for [repeat] visitors.
Note that this can also be implemented with mod_headers.
KeepAlive
Enable HTTP persistent connections to improve latency times and reduce server load significantly [25% of original load is not uncommon].
prefork MPM:
KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 100
worker and winnt MPMs:
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 100
With the prefork MPM, it is recommended to set 'KeepAlive' to 'Off'. Otherwise, a client will tie up an entire process for that span of time. Though in my experience, it is more useful to simply set the 'KeepAliveTimeout' value to something very low [2 seconds seems to be the ideal value]. This is not a problem with the worker MPM [thread-based], or under Windows [which only has the thread-based winnt MPM].
With the worker and winnt MPMs, the default 15 second timeout is setup to keep the connection open for the next page request; to better handle a client going from link to link. Check logs to see how long a client remains on each page before moving on to another link. Set value appropriately [do not set higher than 60 seconds].
SymLinks
Make sure 'Options +FollowSymLinks -SymLinksIfOwnerMatch' is set for all directories. Otherwise, Apache will issue an extra system call per filename component to substantiate that the filename is NOT a symlink; and more system calls to match an owner.
<Directory />
Options FollowSymLinks
</Directory>
AllowOverride
Set a default 'AllowOverride None' for your filesystem. Otherwise, for a given URL to path translation, Apache will attempt to detect an .htaccess file under every directory level of the given path.
<Directory />
AllowOverride None
</Directory>
ExtendedStatus
If mod_status is included, make sure that directive 'ExtendedStatus' is set to 'Off'. Otherwise, Apache will issue several extra time-related system calls on every request made.
ExtendedStatus Off
Timeout
Lower the amount of time the server will wait before failing a request.
Timeout 45
If you are having load problems with your Apache setup, you could also consider migrating to another system. From my personal experience I would suggest you try nginx to serve static files.

How to change the limitrequestfieldsize in Apache 2.4.2

I'm working with Apache 2.4.2 and I need to change the LimitRequestFieldSize. Supposedly (according to some Google research) that can be done in the httpd.conf file, but I can't find LimitRequestFieldSize in either httpd.conf or any other file within Apache. Any idea how I can do it?
In the end I solved simply adding LimitRequestFieldSize 500000 to the file httpd-default.conf
What you just did is open the door to a DoS attack.
Take a look at the LimitRequestFieldSize directive in the Apache documentation:
Quoting from that source:
This directive specifies the number of bytes that will be allowed in an HTTP request header.
The LimitRequestFieldSize directive allows the server administrator to set the limit on the allowed size of an HTTP request header field. A server needs this value to be large enough to hold any one header field from a normal client request. The size of a normal request header field will vary greatly among different client implementations, often depending upon the extent to which a user has configured their browser to support detailed content negotiation. SPNEGO authentication headers can be up to 12392 bytes.
This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.
The documentation also specifies that the context of that directive is server config (which means server-wide) and virtual host (you can apply this directive on a per-vhost basis).
In addition, you do not mention what your OS is. In case it's Linux (which I'm more familiar with):
The configuration file, httpd.conf, is found in /etc/httpd/conf/httpd.conf (RHEL, CentOS, Fedora, Scientific Linux).
In Debian, and derivatives like Ubuntu (I don't think that is the case here, but I am mentioning it anyway just for the record), the configuration file is apache2.conf and can be found in /etc/apache2/apache2.conf.
Hope it helps.
And last but not least, you may want to check out the Unix and Linux Q&A here in StackExchange for questions like this (assuming Linux or other *Nix OS). You may have better luck at getting an answer.
This issue can be solved by updating the directive LimitRequestFieldSize either in the Apache httpd.conf or in the virtual hosts.
How to add the property in the virtual host:
<VirtualHost 10.10.50.50:80>
ServerName www.mysite.com
LimitRequestFieldSize 16384
RewriteEngine On
...
...
</VirtualHost>
How to add it in httpd.conf, which is at apache2/conf/httpd.conf:
LimitRequestFieldSize 16384
But even after doing this I am still getting a bad request error.

Using keep-alive feature in .htaccess

I want to use the keep-alive feature in Apache. How can I do this with my host (.htaccess file), and what are the best values for the parameters like KeepAliveTimeout?
If keep-alive is turned on in the Apache configuration, all you need to do is set an HTTP header Connection: keep-alive, e.g. add the following lines to your .htaccess file:
<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>
You can't control keepalive behaviour in an .htaccess. Keepalives are a host-level feature, not one where different directories can behave differently depending on the per-directory htaccess info.
If you are on the kind of basic shared hosting that only gives you .htaccess to configure your sites, you can't change the keepalive settings. Presumably the hosting company will have set them appropriately, or just left them on the default settings, which are usually fine.
Yes, keep-alive behavior can be controlled in the .htaccess file.
First check the server setting by printing $_SERVER, and if
[HTTP_CONNECTION] => keep-alive
is there, then you just have to include the setting in your .htaccess file.
Add the following lines at the end of the .htaccess file in your project's root directory.
<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>
If you have SSH access to your server you should edit the Apache config file. Use these settings as a starter:
KeepAlive: on
KeepAliveTimeout: 3 seconds
MaxKeepAliveRequests: 60
This should work for most basic server setups with average traffic. You can always tweak the settings to suit your own needs. See here for more detailed info about this: http://www.giftofspeed.com/enable-keep-alive/
If you don't have access to your server you should contact your host. Changing the keepalive settings on your own by editing the .htaccess file will probably not work.
It very much depends on your site and the amount of traffic it receives. If a user comes to your site, then clicks through to another page within the KeepAliveTimeout setting (default is 15), a new TCP connection does not have to be created. This can really help with overhead.
On the other hand, any Apache processes that are currently tied up with existing visitors will not be able to talk to the new ones. So you may have to increase the total number of Apache processes that are available.
In short... it requires tweaking.
You can't control keep-alive behavior in .htaccess.
Paste the following code in your .htaccess file:
<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>
Then use this website: https://varvy.com/pagespeed/ to check if it's enabled.