Category: Apache

  • cPanel Request body no files data length is larger than the configured limit

    On a WordPress website hosted on a cPanel server, when editing a page, I get a 404 error. On checking the ModSecurity logs, I found the following

    Message: Request body no files data length is larger than the configured limit (1048576).
    Message: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/serverok-session": Permission denied
    Apache-Error: [file "apache2_util.c"] [line 277] [level 3] [client 51.38.246.115] ModSecurity: Request body no files data length is larger than the configured limit (1048576). [hostname "serverok.in"] [uri "/wp-admin/admin-ajax.php"] [unique_id "ZHQozKnDG2AlaeRW-JY2IAAAAA8"]
    Apache-Error: [file "mod_proxy_fcgi.c"] [line 1011] [level 3] [status 70007] AH01075: Error dispatching request to : (polling)
    Apache-Error: [file "apache2_util.c"] [line 277] [level 3] [client 51.38.246.115] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/serverok-session": Permission denied [hostname "serverok.in"] [uri "/index.php"] [unique_id "ZHQozKnDG2AlaeRW-JY2IAAAAA8"]
    Apache-Handler: proxy:unix:/opt/cpanel/ea-php80/root/usr/var/run/php-fpm/7a4f759cc09e45f3b275cfba3a7c520dee7d7128.sock|fcgi://serverok.in
    Stopwatch: 1685334220711796 301144175 (- - -)
    Stopwatch2: 1685334220711796 301144175; combined=1973, p1=110, p2=1759, p3=0, p4=0, p5=69, sr=25, sw=35, l=0, gc=0
    Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/).
    Server: Apache
    WebApp-Info: "default" "14244c1b1b0e291067e05758571163ec" "-"
    Engine-Mode: "ENABLED"
    

    To fix the error, edit the file

    vi /etc/apache2/conf.d/modsec/modsec2.user.conf
    

    In the file, add

    SecRequestBodyNoFilesLimit 1548576
    

    Restart Apache

    systemctl restart httpd
    

    If the above did not work, you can try increasing the value of SecRequestBodyNoFilesLimit. When you change the value, don't forget to restart the Apache web server.

  • How to enable Apache SSL module in Ubuntu

    To enable the Apache SSL module in Ubuntu, follow these steps

    Update apt package cache

    apt update
    

    Install Apache SSL module

    apt install libapache2-mod-ssl
    

    Enable the SSL module

    a2enmod ssl
    

    Example

    # a2enmod ssl
    Considering dependency setenvif for ssl:
    Module setenvif already enabled
    Considering dependency mime for ssl:
    Module mime already enabled
    Considering dependency socache_shmcb for ssl:
    Enabling module socache_shmcb.
    Enabling module ssl.
    See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
    To activate the new configuration, you need to run:
      service apache2 restart
    # 
    

    Restart Apache webserver

    # service apache2 restart
     * Restarting web server apache2     [ OK ] 
    #
    

    Verify Apache SSL module is installed.

    # apache2ctl -M | grep ssl
     ssl_module (shared)
    # 
    

    See Configure SSL in Apache

  • How to configure Security Headers in Apache

    Enable HSTS

    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    

    Enable X-Frame-Options

    Header always append X-Frame-Options SAMEORIGIN
    

    Enable X-XSS-Protection

    Header set X-XSS-Protection "1; mode=block"
    

    Enable X-Content-Type-Options

    Header always set X-Content-Type-Options "nosniff"
    

    Enable Referrer-Policy

    Header always set Referrer-Policy "strict-origin"
    

    Enable Content Security Policy (CSP)

    Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"
    

    Enable Permissions-Policy

    Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
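
    A quick way to confirm the headers above are actually being sent, as an added example that is not part of the original post: save a response with curl -sI and run it through this audit. The function names and the sample response are constructed for illustration; the audit also flags the script-src * value used above, because that wildcard lets any origin serve scripts.

```shell
#!/bin/sh
# Audit a saved response-header dump (for example: curl -sI https://host/ > file)
# for the headers configured above. Prints one finding per line, nothing on a pass.

REQUIRED_HEADERS="strict-transport-security x-frame-options x-xss-protection
x-content-type-options referrer-policy content-security-policy permissions-policy"

# Print the value of header $1 (lower-case name) found in file $2.
header_value() {
    awk -v want="$1" '
        {
            sub(/\r$/, "")                      # curl output has CRLF line ends
            i = index($0, ":")
            if (i == 0) next                    # status line or blank line
            if (tolower(substr($0, 1, i - 1)) != want) next
            val = substr($0, i + 1)
            sub(/^[ \t]+/, "", val)
            print val
            exit
        }' "$2"
}

# Report missing headers and two weak values in the dump stored in file $1.
audit_headers() {
    for h in $REQUIRED_HEADERS; do
        [ -n "$(header_value "$h" "$1")" ] || echo "MISSING $h"
    done
    # HSTS without max-age is ignored by browsers.
    case "$(header_value strict-transport-security "$1")" in
        ""|*max-age=*) ;;
        *) echo "WEAK strict-transport-security: no max-age" ;;
    esac
    # Only the bare wildcard is checked; a host wildcard such as *.example.com is not flagged.
    case "$(header_value content-security-policy "$1")" in
        *"script-src *;"*|*"script-src * "*|*"script-src *")
            echo "WEAK content-security-policy: script-src allows any origin" ;;
    esac
}

# Constructed sample response: the values from this page, with Referrer-Policy left out.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;
Permissions-Policy: geolocation=(),camera=()
EOF
audit_headers "$SAMPLE"
```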
    

  • Apache Website not loading – DDoS

    On a fresh cPanel server, after pointing the domain name to the server, the website won't load. Sometimes the site loads after a very long wait. Apache was working fine and the server load was normal.

    Cpanel/WHM Apache status

    On checking Apache status in WHM, I found all workers are in use

    150 requests currently being processed, 0 idle workers
    

    On another somewhat busy production server, I had “18 requests currently being processed, 132 idle workers”.

    Current Time: Saturday, 22-Oct-2022 04:25:16 UTC
    Restart Time: Wednesday, 28-Sep-2022 05:46:18 UTC
    Parent Server Config. Generation: 119
    Parent Server MPM Generation: 118
    Server uptime: 23 days 22 hours 38 minutes 58 seconds
    Server load: 0.98 1.32 1.56
    Total accesses: 8832035 - Total Traffic: 511.0 GB - Total Duration: 12701232339
    CPU Usage: u344.48 s101.28 cu71563 cs11674.9 - 4.05% CPU load
    4.27 requests/sec - 259.0 kB/second - 60.7 kB/request - 1438.09 ms/request
    18 requests currently being processed, 132 idle workers
    

    On checking the Apache error log /etc/apache2/logs/error_log, I have errors related to MaxRequestWorkers

    AH00288: scoreboard is full, not at MaxRequestWorkers
    AH00287: server is within MinSpareThreads of MaxRequestWorkers, consider raising the MaxRequestWorkers setting
    AH00286: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
    

    You can find the errors with the command

    grep MaxRequestWorkers /etc/apache2/logs/error_log
    

    On checking the connection with netstat, there were a lot of incoming connections

    netstat -tn 2>/dev/null | grep -E ':80|:443' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
    

    The server was getting some DDoS attacks causing the server to go down. The issue is fixed by enabling the DDoS protection service provided by the server provider.

  • How to Redirect HTTP to HTTPS using htaccess

    To redirect a website from HTTP to HTTPS, you can use the following code in .htaccess file

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
    

    To redirect HTTP to HTTPS while keeping the SSL verification pages on HTTP (this is needed on cPanel servers), use

    
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    
    

    If you wish to add redirect in Apache VirtualHost, use the following VirtualHost entry.

     
    <VirtualHost *:80>
        ServerName www.yourdomain.com
        Redirect permanent / https://www.yourdomain.com/
    </VirtualHost>
    
    

    See htaccess

  • How to block Bad Bots (User Agents) using .htaccess

    Some bots can cause a high load on servers as they index too many pages or get into some never-ending loop.

    Yesterday, one of the servers I manage had a very high load. On checking the Apache logs, I have thousands of accesses like

    135.181.138.45 - - [24/Aug/2022:03:00:54 +0000] "GET /sv/produkt-linux-server/page/7/?add_to_wishlist=42752&_wpnonce=a8836de6af HTTP/1.1" 200 209072 "https://domain/sv/produkt-linux-server/page/7/?add_to_wishlist=56196&_wpnonce=1e5a94622c" "Mozilla/5.0 (compatible; SeekportBot; +https://bot.seekport.com)"
    135.181.138.45 - - [24/Aug/2022:03:00:53 +0000] "GET /sv/produkt-linux-server/page/7/?add_to_wishlist=66324&_wpnonce=a8836de6af HTTP/1.1" 200 209072 "https://domain/sv/produkt-linux-server/page/7/?add_to_wishlist=56196&_wpnonce=1e5a94622c" "Mozilla/5.0 (compatible; SeekportBot; +https://bot.seekport.com)"
    135.181.138.45 - - [24/Aug/2022:03:00:54 +0000] "GET /sv/produkt-linux-server/page/7/?add_to_wishlist=42830&_wpnonce=a8836de6af HTTP/1.1" 200 209072 "https://domain/sv/produkt-linux-server/page/7/?add_to_wishlist=56196&_wpnonce=1e5a94622c" "Mozilla/5.0 (compatible; SeekportBot; +https://bot.seekport.com)"

    In this case, the bot user agent is

    Mozilla/5.0 (compatible; SeekportBot; +https://bot.seekport.com)

    To block the bot, I added the following code in .htaccess file

    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (SeekportBot|SpamBot2) [NC]
    RewriteRule (.*) - [F,L]

    This will block any visitor whose browser User-Agent contains SeekportBot or SpamBot2.

    To block common marketing bots, use

    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (semrush|ahref|mj12bot) [NC]
    RewriteRule (.*) - [F,L]

    If you are using Nginx web server, see How to block bad bots User-Agents in Nginx or using Block User-Agent using Cloudflare
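
    To find which User-Agent is behind the load before writing the rule, and to confirm afterwards that it is being refused, the access log can be summarised as below. This is an added example, not part of the original post; the function names and the log lines are constructed, and it assumes the combined log format shown above with no escaped quotes inside the User-Agent.

```shell
#!/bin/sh
# Rank User-Agents in a combined-format access log (file $1) by request count.
# Output columns (tab separated): requests, distinct client IPs, User-Agent.
top_user_agents() {
    awk -F'"' '
        NF >= 7 {
            ua = $6                              # 6th quote-delimited field is the User-Agent
            split($1, f, " ")                    # f[1] is the client IP
            count[ua]++
            if (!((ua, f[1]) in seen)) { seen[ua, f[1]] = 1; ips[ua]++ }
        }
        END { for (ua in count) printf "%d\t%d\t%s\n", count[ua], ips[ua], ua }
    ' "$1" | sort -t "$(printf '\t')" -k1,1nr
}

# Count response status codes for requests whose User-Agent matches regex $2.
# Matching is case-insensitive, like the [NC] flag on the RewriteCond.
# Once the rule is live, new requests from the bot should show up as 403.
status_for_agent() {
    awk -F'"' -v re="$2" '
        NF >= 7 && tolower($6) ~ tolower(re) {
            split($3, s, " ")                    # s[1] is the status code
            st[s[1]]++
        }
        END { for (c in st) printf "%s %d\n", c, st[c] }
    ' "$1" | sort
}

# Constructed sample log: two bot hits before the rule, one after it, one normal visitor.
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
192.0.2.10 - - [24/Aug/2022:03:00:53 +0000] "GET /page/7/?add_to_wishlist=1 HTTP/1.1" 200 209072 "-" "Mozilla/5.0 (compatible; SeekportBot; +https://bot.seekport.com)"
192.0.2.10 - - [24/Aug/2022:03:00:54 +0000] "GET /page/7/?add_to_wishlist=2 HTTP/1.1" 200 209072 "-" "Mozilla/5.0 (compatible; SeekportBot; +https://bot.seekport.com)"
192.0.2.10 - - [24/Aug/2022:03:05:00 +0000] "GET /page/7/?add_to_wishlist=3 HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; SeekportBot; +https://bot.seekport.com)"
198.51.100.7 - - [24/Aug/2022:03:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/103.0"
EOF
top_user_agents "$LOG"
status_for_agent "$LOG" 'SeekportBot|SpamBot2'
```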

  • Apache 414 Request-URI Too Long

    On an Apache server, when accessing a long URL, got 414 Request-URI Too Long

    The error occurs because the URL is too long; this may be a bug in the web application. If you pass that much data, you should consider using the HTTP POST method instead of a GET request.

    To fix this error, edit the apache config file, and add the following 2 lines

    LimitRequestLine 40940
    LimitRequestFieldSize 40940
    

    On Debian/Ubuntu, create

    vi /etc/apache2/conf.d/url-length.conf
    

    On RHEL based OS, create

    vi /etc/httpd/conf.d/url-length.conf
    

    Add the following 2 lines

    LimitRequestLine 40940
    LimitRequestFieldSize 40940
    

    Restart Apache

    For Ubuntu/Debian

    systemctl restart apache2
    

    For RHEL/AlmaLinux/OracleLinux

    systemctl restart httpd
    

    See Nginx HTTP 414 request-URI too large, Apache

  • Change Apache Server MPM in RHEL 8

    Apache on RHEL 8 uses the event MPM. You can use the apachectl -V command to see the current MPM used by Apache.

    [root@ok ~]# apachectl -V
    Server version: Apache/2.4.37 (AlmaLinux)
    Server built:   Jan 25 2022 20:48:49
    Server's Module Magic Number: 20120211:83
    Server loaded:  APR 1.6.3, APR-UTIL 1.6.1
    Compiled using: APR 1.6.3, APR-UTIL 1.6.1
    Architecture:   64-bit
    Server MPM:     event
      threaded:     yes (fixed thread count)
        forked:     yes (variable process count)
    Server compiled with....
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=256
     -D HTTPD_ROOT="/etc/httpd"
     -D SUEXEC_BIN="/usr/sbin/suexec"
     -D DEFAULT_PIDLOG="run/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"
    [root@ok ~]#

    To modify Apache MPM, edit file

    vi /etc/httpd/conf.modules.d/00-mpm.conf
    

    You can enable the MPM you want to use and comment out the other MPMs.

    For example to enable Prefork, uncomment the line

    #LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
    

    and comment the following line

    LoadModule mpm_event_module modules/mod_mpm_event.so
    

    Once modified, restart Apache with

    systemctl restart httpd
    

    Verify that the Apache MPM changed to prefork with the command

    [root@ok ~]# apachectl -V
    Server version: Apache/2.4.37 (AlmaLinux)
    Server built:   Jan 25 2022 20:48:49
    Server's Module Magic Number: 20120211:83
    Server loaded:  APR 1.6.3, APR-UTIL 1.6.1
    Compiled using: APR 1.6.3, APR-UTIL 1.6.1
    Architecture:   64-bit
    Server MPM:     prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=256
     -D HTTPD_ROOT="/etc/httpd"
     -D SUEXEC_BIN="/usr/sbin/suexec"
     -D DEFAULT_PIDLOG="run/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"
    [root@ok ~]# 
    
  • How to deny access to a file using .htaccess?

    You may need to deny access to specific files on your web server for security reasons. On the Apache web server, you can do this by using .htaccess file.

    Let’s say you need to prevent anyone from accessing the file with the name .user.ini, you can create a file with the name .htaccess with the following content

    
    <Files ".user.ini">
        Require all denied
    </Files>
    
    

    Here is another example, that prevents access to file with name config.php

    
    <Files "config.php">
        Require all denied
    </Files>
    
    

    If you want to deny access to a folder, create a .htaccess file inside the folder with the following content

    deny from all
    

    If you want to allow whitelisted IP to access a folder, then use the following .htaccess file.

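    # With Order Deny,Allow the Deny rules are evaluated first and Allow overrides them for the listed IP
    Order Deny,Allow
    Deny from all
    Allow from YOUR_IP_HERE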
    
  • How to install Apache from source code

    To install the latest version of Apache Web Server from source code, go to the apache website, download the latest source code .tar.gz file.

    https://httpd.apache.org/download.cgi

    At the time of writing this, the latest version was Apache HTTP Server 2.4.52.

    cd /usr/local/src
    wget https://dlcdn.apache.org//httpd/httpd-2.4.52.tar.gz
    tar xvf httpd-2.4.52.tar.gz
    cd /usr/local/src/httpd-2.4.52
    ./configure --prefix=/usr/local/apache --enable-proxy --enable-proxy-connect --enable-proxy-fcgi --enable-remoteip
    make
    make install
    

    If you get an error related to APR

    checking for APR... no
    configure: error: APR not found.  Please read the documentation.
    

    Install APR with

    For RHEL

    yum -y install apr-devel apr-util-devel
    

    For Ubuntu/Debian

    apt install libapr1-dev libaprutil1-dev libpcre3-dev build-essential
    

    To start Apache, use the command

    /usr/local/apache/bin/apachectl start
    

    To stop

    /usr/local/apache/bin/apachectl stop
    

    Apache config files are located at

    /usr/local/apache/conf/httpd.conf
    

    Create Apache Service file

    Create file

    vi /usr/lib/systemd/system/apache2.service
    
    
    With the following content
    
    
    [Unit]
    Description=The Apache HTTP Server
    After=network.target remote-fs.target nss-lookup.target
    
    [Service]
    Type=forking
    ExecStart=/usr/local/apache/bin/apachectl start
    ExecReload=/usr/local/apache/bin/apachectl graceful
    ExecStop=/usr/local/apache/bin/apachectl graceful-stop
    LimitNOFILE=65535
    
    [Install]
    WantedBy=multi-user.target
    

    Enable and start Apache service with

    systemctl daemon-reload
    systemctl enable apache2
    systemctl restart apache2
    

    To enable Apache module, you can edit file /usr/local/apache/conf/httpd.conf

    Here are sed commands to enable some common apache modules

    sed -i 's/^#LoadModule proxy_module/LoadModule proxy_module/g'  /usr/local/apache/conf/httpd.conf
    sed -i 's/^#LoadModule proxy_fcgi_module/LoadModule proxy_fcgi_module/g'  /usr/local/apache/conf/httpd.conf
    sed -i 's/^#LoadModule ssl_module/LoadModule ssl_module/g'  /usr/local/apache/conf/httpd.conf
    sed -i 's/^#LoadModule rewrite_module/LoadModule rewrite_module/g'  /usr/local/apache/conf/httpd.conf
    
  • Install PHP APC Cache on CentOS 7 using yum

    To install APC cache on CentOS 7, run

    yum install php-pecl-apcu
    

    After that, you need to restart the Apache webserver.

    systemctl restart httpd
    

    In the phpinfo() page, you will see

    php APC cache in phpinfo

    Files in the package are

    [root@localhost ~]# rpm -q --filesbypkg  php-pecl-apcu
    php-pecl-apcu             /etc/php-zts.d/40-apcu.ini
    php-pecl-apcu             /etc/php.d/40-apcu.ini
    php-pecl-apcu             /usr/lib64/php-zts/modules/apcu.so
    php-pecl-apcu             /usr/lib64/php/modules/apcu.so
    php-pecl-apcu             /usr/share/doc/pecl/apcu
    php-pecl-apcu             /usr/share/doc/pecl/apcu/NOTICE
    php-pecl-apcu             /usr/share/doc/pecl/apcu/README.md
    php-pecl-apcu             /usr/share/doc/pecl/apcu/TECHNOTES.txt
    php-pecl-apcu             /usr/share/licenses/php-pecl-apcu-5.1.21
    php-pecl-apcu             /usr/share/licenses/php-pecl-apcu-5.1.21/LICENSE
    php-pecl-apcu             /var/lib/pear/pkgxml/php-pecl-apcu.xml
    [root@localhost ~]# 
    

    The config file is located at

    /etc/php.d/40-apcu.ini
    

    Some configuration settings

    apc.shm_size – default is 64M, it is better to increase this value to 128M

    apc.stat – default 1, set it to 0 to increase performance. Setting it to 0 means APC won't check for code changes. When you change code, you will need to restart the web server.

    apc.num_files_hint – Tell APC how many PHP files it needs to cache. Set it to 10000

  • Apache 413 Request Entity Too Large

    On a CentOS server, when uploading a 100 MB video file in WordPress media manager, I got the following error message

    Request Entity Too Large
    The requested resource /wp-admin/async-upload.php
    does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.
    

    The server had mod_security installed. I edited the mod_security config file

    vi /etc/httpd/conf.d/mod_security.conf
    

    Set the following values and restart Apache.

    SecRequestBodyLimit 1073741824000
    SecRequestBodyNoFilesLimit 1073741824000
    SecRequestBodyInMemoryLimit 1073741824000
    

    But I still get the same error. So I disabled mod_security by moving the config file to a temporary directory and restarting apache.

    The error was due to the Apache setting LimitRequestBody. The error is fixed by adding "LimitRequestBody 0" in the .htaccess file used by WordPress.

    LimitRequestBody 0
    

    Now when I enable mod_security, I get a 500 error. I disabled mod_security for the file upload PHP script used by WordPress by editing the Apache VirtualHost entry of the website and adding

    
        SecRuleEngine Off