msgbartop
Blog di Dino Ciuffetti (Bernardino in realtà)
msgbarbottom

23 Ott 18 How to disable Diffie-Hellman ciphers on apache

If you are getting errors like “DH key too small” you can avoid using DH ciphersuites on apache.
You can obtain that using Perfect forward secrecy, or disabling all DH ciphersuites like this:

SSLCipherSuite ALL:!EXP:!NULL:!DH:!LOW

06 Mag 16 How to convert URI to query string parameters with mod_rewrite

You may need to convert URI levels to query string parameters, for example if want to be RESTful compliant with PHP.

Try this one:

RewriteEngine on
RewriteRule ^/(\w+)/(\w+)$ /path_of_index.php?lev1=$1&lev2=$2 [QSA,L]

In this case the first URI level will be converted to a query string parameter called lev1, while the second will be converted to a query string parameter called lev2, each one with the respective values.

For example, the uri /user/list will be passed to index.php and will become index.php?lev1=user&lev2=list

An eventual query string will be passed, eventually overriding lev1 and lev2 parameters.

24 Nov 15 HTTP request header from a query string parameter on apache reverse proxy

Suppose you have a apache httpd server working as a reverse proxy. Now suppose that this server has to set a HTTP request header called “token” to be attached to every request made to the backends, and that the header’s value must be copied from a query string parameter called “querytoken”.

This can be simply done with the help of mod_headers + mod_rewrite.

RewriteEngine On
RewriteCond %{QUERY_STRING} (?:^|&)querytoken=([^&]+)
RewriteRule (.*) - [E=QS_TOKEN:%1]

RequestHeader set token %{QS_TOKEN}e env=QS_TOKEN
ProxyPass / http://your_backend/

Will your external client make a request like this:

GET /?querytoken=somestuff HTTP/1.0
Host: example

The request header that apache will do to the backend will be something like this:

GET /?token=somestuff HTTP/1.1
Host: 127.0.0.1:1234
token: somestuff
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: example
X-Forwarded-Server: myserver.linux
Connection: Keep-Alive

The request header “token” with value “somestuff” is added to the request made to the backend.

30 Ott 15 How to check SSL/TLS protocol for a given server

If you need to check which SSL/TLS protocol version is implemented by your webserver, you can issue the following command:

dino@dam2knb:~$ echo | openssl s_client -connect 10.38.46.137:8443 2>&1 | grep Protocol
Protocol : TLSv1.2

27 Ago 14 Squid: how to get rid of “All url_rewriter processes are busy”

If you check your squid forward (transparent or not) proxy log files you may found errors like those:

WARNING: All url_rewriter processes are busy.
WARNING: up to 6 pending requests queued

This is true if you use the directive “url_rewrite_program”, for example with SquidGuard.
In this case, squid tells you that it cannot spawn more helper processes to externally scan your requests in parallel, so it’s queuing your requests.
This is not a great problem, but you may be annoyed to see this stuff in your log files, or there are cases in which the default may be too low!

You may raise this limit with the parameter called url_rewrite_children.

To solve, add something like this to your squid.conf configuration file, and restart squid:

url_rewrite_children 32

Ciao, Dino.

21 Ago 14 How to enable apache NameVirtualHost with SSL

If you want to create name based virtualhosts in apache with SSL Certificates, you need openssl with SNI and TLS support (0.9.8f or better) and good apache 2.2.X version.

It’s a simple task, after you’ve read this official article: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

21 Feb 14 HOWTO generate a SAN (Subject Alternative Names) SSL CSR with OpenSSL

There is a cool SSLv3 protocol extension that’s called SAN (Subject Alternative Names). With this extension you can create a single SSL X509 certificate that is valid for several domain names, instead of a classic certificate that’s valid for one domain name only.

You can ofcourse create this kind of certificate with OpenSSL. We are now going to see how to do that.
Fist you have to create a file called openssl.cnf and put it for example into a temporary dir. The file should begin with:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

This is to enable SSLv3 req extensions.
Now, you have to add your custom informations to the openssl.cnf file: those informations will be reflected on the next steps.
Add something like this to openssl.cnf:

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = IT
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Italy
localityName = Locality Name (eg, city)
localityName_default = Rome
organizationName = Organization name
organizationName_default = My company name Srl
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = System Techies
commonName = Common Name (eg, YOUR name)
commonName_max = 64
#commonName_default = www.myfirstdomain.it
emailAddress = Email Address
emailAddress_max = 40

The informations above are used by the “openssl req” command to ask you data to generate your certificate request.
Then, add this block of informations into the openssl.cnf file:

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

Those informations will enable some extra useful things on your certificate request that will hopefully became valid on your brand new SSLv3 certificate. For example you are requesting your Certification Authority to release a X509 SSLv3 certificate with server and client authentication purposes, plus other certificate goodies.

Now the cool part: this is where you are asking your CA to release a certificate with Alternative Names (certificate valid for several domains). Append this stuff in openssl.cnf:

[alt_names]
DNS.1   = www.myfirstdomain.it
DNS.2   = myfirstdomain.it
DNS.3   = www.myalternativedomain.it
# you could also specify IP addresses like this:
# IP.1 = 1.2.3.4

OK. You are almost ready to create your CSR, but first you have to generate your private key.
NOTE that many CA are now requesting a private key of 2048 bits or more. Warned: a key of 1024 bits is not recommended!
To generate a 2048 bits private key, as usual, execute this command:

openssl genrsa -out server.key 2048

Perfect. It’s time to create the Certificate Request (PKCS#10) with SSLv3 extensions:

openssl req -new -out server.csr -key server.key -config openssl.cnf

Now, send your new server.csr file to your Certification Authority that will hopefully accept the request and relase a valid X509 SSLv3 certificate with SAN.

Good luck and enjoy.

05 Dic 13 As you can see, this site is reachable via IPv6!

If you are using IPv6 (like me) you can see that this blog is reachable via IPv6. Pretty cool!

ipv6 ready

13 Nov 13 Apache HTTPD as 2WAY (mutual) authentication SSL reverse proxy balancer

In this small article I’ll instruct myself (and you too?) how to create a 2 way authentication (mutual authentication) SSL reverse proxy balancer gateway. This configuration is useful in any enterprise environment where it’s requested to separate clients, the frontend and the backend, and when the traffic between clients and the gateway, and between the gateway and the backends must be encrypted.
This also ensure the clients and the backends to be authentic, and avoids Man In The Middle attacks.

Since the reverse proxy is in the middle between the clients and the backends, it’s requested for the clients to send a known client certificate to the gateway (apache), so that the gateway can recognize them. This is done with X509 certificates.
For the same reason, each backend contacted by the gateway is requested to respond with a valid and known server certificate. This is also done with X509 certificates.
Generally, the clients and the backends will also check their peer’s (apache) certificate to be known and valid, so that if someone is going to impersonate the gateway, it will be found and will not be considered authentic.

To do so, we’ll use:

  • apache httpd
  • mod_ssl
  • mod_proxy_balancer + mod_proxy + mod_proxy_http

Everything is done with a simple and single virtualhost in apache to be included in httpd.conf.
A working example is given below (assumes apache to be installed in /opt/apache, working with IP 11.22.33.44 on port 443):

<VirtualHost 11.22.33.44:443>
# General setup for the virtual host
DocumentRoot “/opt/apache/htdocs”
ServerName 11.22.33.44:443
ServerAdmin hostmaster@yoursite.com
CustomLog “|/opt/apache/bin/rotatelogs /opt/apache/logs/ssl_request_%Y%m%d.log 43200” “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”
ErrorLog “|/opt/apache/bin/rotatelogs /opt/apache/logs/error_%Y%m%d.log 43200”
CustomLog “|/opt/apache/bin/rotatelogs /opt/apache/logs/access_%Y%m%d.log 43200” combined

# SSL CONFIGURATION – SERVER SIDE
# Enable SSL Server on this virtualhost
SSLEngine on
# Disable SSLv2 in favor of the more robust and secure SSLv3
SSLProtocol all -SSLv2
# List of supported cryptografic server cipher suites
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# Apache server certificate
SSLCertificateFile “/opt/apache/conf/ssl/server.pem”
# Apache server private key
SSLCertificateKeyFile “/opt/apache/conf/ssl/key.pem”
# Apache server CA certificate (certificate of who released your server certificate)
SSLCertificateChainFile “/opt/apache/conf/ssl/ca.pem”
# Client’s CA certificates (list of certificates of who released your client’s certificates)
SSLCACertificateFile “/opt/apache/conf/ssl/ca.pem”
# It’s mandatory for apache to authenticate the client’s certificate
SSLVerifyClient require
# END OF SSL CONFIGURATION – SERVER SIDE

# SSL CONFIGURATION – CLIENT SIDE
# Enable SSL Client on this virtualhost (the traffic to the backends can be encrypted)
SSLProxyEngine on
# Apache client CA certificate (certificate of who released your client certificate)
SSLProxyMachineCertificateChainFile “/opt/apache/conf/ssl/ca.pem”
# Apache client private key + client certificate (concatenated in a single file)
SSLProxyMachineCertificateFile “/opt/apache/conf/ssl/client.pem”
# Backends’ CA certificates (list of certificates of who released your backends’ certificates)
SSLProxyCACertificateFile “/opt/apache/conf/ssl/ca.pem”
# It’s mandatory for apache to authenticate the backends’ certificate
SSLProxyVerify require
# END OF SSL CONFIGURATION – CLIENT SIDE

<FilesMatch “\.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory “/opt/apache/cgi-bin”>
SSLOptions +StdEnvVars
</Directory>

BrowserMatch “MSIE [2-5]” \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

# Define a load balancer worker to be used to balance the HTTPS traffic to three backends.
# The traffic between apache and the backends is encrypted
<Proxy balancer://httpslb>
# Define the first backend (https) with 2 way auth
BalancerMember https://192.168.1.11:443/ route=worker1 retry=10
# Define the second backend (https) with 2 way auth
BalancerMember https://192.168.1.12:443/ route=worker2 retry=10
# Define the third backend (https) with 2 way auth
BalancerMember https://192.168.1.13:443/ route=worker3 retry=10
</Proxy>

# Don’t send the “/balancer-manager” uri to the backends
ProxyPass /balancer-manager !
# Distribute the traffic (any url, since it is “/”) to the backends with round robin + cookie based session persistence
ProxyPass / balancer://httpslb/ lbmethod=byrequests stickysession=JSESSIONID

</VirtualHost>

If the clients and the backends are configured to check the gateway (apache) certificates, this is considered to be a very secure configuration.

Enjoy!

03 Set 12 apache2 + mod_fastcgi + php 5.3 + PHP-FPM

This is a very quick guide to get your feet wet with PHP 5.3 + PHP-FPM fastcgi support and apache webserver.
The PHP-FPM is basically a fastcgi compliant pool of PHP processes spawned on the system, ready to quickly accept connections, for example via TCP. It’s generally used to greatly improove PHP scalability, security and performance.

Start by installing apache, no matter if it’s a binary installation or if it’s compiled from source code (I assume this step is already done).

Once you have a valid apache installation, you need to compile the mod_fastcgi module.
NOTE: don’t use mod_fcgid or any other fastcgi provider but mod_fastcgi: it’s proved to be stable and to work well with PHP-FPM.

To install mod_fastcgi you have to:

  1. download mod_fastcgi: http://www.fastcgi.com/dist/mod_fastcgi-2.4.6.tar.gz
  2. untar the package, then compile the apache module with: /your_apache_path/bin/apxs -o mod_fastcgi.so -c *.c
  3. install the module with: /your_apache_path/bin/apxs -i -a -n fastcgi .libs/mod_fastcgi.so

Now, compile PHP with the fpm support, or install a already compiled PHP binary package.

Here I’ll cover how to compile it from source.

Start by downloading the latest php 5.3 version from http://www.php.net/downloads.php

When you have done, untar the PHP source package and enter into the extracted php-5.3.x directory.
Now create a file called conf.sh and put this stuff inside it:

./configure  \
–prefix=/usr/local/php53 \
–with-libdir=lib64 \
–enable-pcntl \
–enable-mbstring=shared \
–enable-mbregex \
–with-gd=shared \
–enable-bcmath=shared \
–with-xmlrpc=shared \
–with-mysql=shared,/usr \
–with-mysqli=shared,/usr/bin/mysql_config \
–enable-dom=shared \
–enable-soap=shared \
–with-xsl=shared,/usr \
–enable-xmlreader=shared –enable-xmlwriter=shared \
–with-pdo-mysql=shared,/usr \
–enable-json=shared \
–enable-zip=shared \
–with-readline \
–with-jpeg-dir=/usr \
–with-png-dir=/usr \
–with-pear \
–with-ldap=shared \
–enable-fpm \
–with-fpm-user=apache \
–with-fpm-group=apache

Your mileage may vary here, so please double check row by row if you need to modify something. The FPM part are the last 3 lines.

NOTE: you cannot compile PHP as FPM and SAPI at the same time.

Now, make the file executable with: chmod 755 conf.sh
and run the executable with: ./conf.sh

Wait that the configure script is done. If no errors are encountered you can proceed with make and make install as usual.
Remember to create the php.ini configuration file if you need it.
You should now end up with a fresh PHP installation into /usr/local/php53 (or any other path you given to the prefix configure attribute).

Ok, now it’s time to configure the php-fpm (change /usr/local/php53 with your path if it’s different):

cd /usr/local/php53/etc
cp php-fpm.conf.default php-fpm.conf
vi php-fpm.conf

You generally don’t need to modify anything here, but if you want you can touch something.
Now start the php-fpm process pool by running this command by the root user: /usr/local/php53/sbin/php-fpm

If anything gone ok you should have some process up and running, something like this:

25976 ?        Ss     0:00 php-fpm: master process (/usr/local/php53/etc/php-fpm.conf)
4945 ?        S      0:00  \_ php-fpm: pool www
4946 ?        S      0:00  \_ php-fpm: pool www
4947 ?        S      0:00  \_ php-fpm: pool www

If you didn’t modify the php-fpm.conf, the process pool listen for fastcgi requests to TCP 127.0.0.1:9000.

It’s time to configure a apache virtualhost with PHP support using this brand new fpm.

Edit the httpd.conf apache configuration file (or another included file where you store the virtualhost) and append this stuff (I assume that apache is installed into /opt/apache2):

<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot “/opt/apache2/htdocs”
ServerName “your_servername.com”
ErrorLog “logs/your_servername-error_log”
CustomLog “logs/your_servername-access_log” common

FastCgiExternalServer /opt/apache2/htdocs/php5.sock -host 127.0.0.1:9000
AddHandler php5-fcgi .php
Action php5-fcgi /tmp/php5.sock
Alias /tmp /opt/apache2/htdocs

<Directory “/opt/apache2/htdocs”>
Options FollowSymLinks
AllowOverride All
Order deny,allow
Allow from all
</Directory>
</VirtualHost>

Any file whose name ends for “.php” into your document root should now be associated to the PHP fastcgi handler and the requests should be routed to the php-fpm process pool. Each php-fpm process is reused according to the php-fpm.conf configuration file.

Restart apache and enjoy (any comment are welcome).