Linux 4 All

Best Linux tricks source

Posts in the Apache category

Here is how to configure PHP-FPM for an Apache virtual host. Just add the following line to the vhost.conf file:

ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/dev/shm/php.sock|fcgi://127.0.0.1:9000/$DOCUMENTROOT/

To disable the TRACE and TRACK methods in Apache, add the following lines to httpd.conf and restart Apache.


RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

TraceEnable off

In a previous post I explained how to log the visitor's real IP address in access_log. Now it's time to do the same for error_log.

For this we are going to compile and install a module called mod_vgremoteip.

The steps are outlined below:

1. Get the module

git clone https://github.com/vgno/mod_vgremoteip.git

2. Install gcc and httpd-devel tools
yum install httpd-devel
yum install gcc

3. Compile the module
cd mod_vgremoteip
apxs -a -i -c mod_vgremoteip.c

4. Configure Apache to use it
LoadModule vgremoteip_module  modules/mod_vgremoteip.so

# Name of the header which contains the 'real' client IP.
VGRemoteIPHeader X-Forwarded-For
# Subnet to mark as trusted (these IPs will be allowed to set the X-Forwarded-For header and will be marked as proxy IPs).
# You should specify this.
VGTrustedProxy 10.0.0.0/8
# You can also specify a single IP address.
# Do not specify hostnames.
VGTrustedProxy 127.0.0.1

5. Restart Apache and you are done.
service httpd restart

The following one-liner displays the number of Apache processes, their total memory usage, and the top 10 processes sorted by memory usage:

ps aux | awk '$11 ~ /httpd/ {c++; SUM +=$6; print $6/1024" MB, PID:", $2|"sort -rn| head"} END {print c" Total Apache Processes"} END {print SUM/1024" MB Total Memory"} END {print "Top 10 Memory users:"}'

When Apache is running on a server behind a load balancer, all traffic arrives from the load balancer's IP by default, so Apache only logs the load balancer's IP. To get your visitors' real IP addresses, you can use the X-Forwarded-For header.

Here is how Apache needs to be configured to log real IP addresses:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" forwarded
SetEnvIf X-Forwarded-For "." forwarded=1
CustomLog logs/access_log combined env=!forwarded
CustomLog logs/access_log forwarded env=forwarded

This adds a new LogFormat named forwarded that logs the X-Forwarded-For value, and configures CustomLog to use combined if the request was sent directly to the server (such as a curl cron job), or forwarded if the request was passed through the load balancer.
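X-Forwarded-For is an ordinary request header, so a logged value is only reliable when the header was set by your own proxy, which is what the VGTrustedProxy setting in the error_log post expresses. The Python below is an added example, not code from this site or from mod_vgremoteip: it assumes a right-to-left walk over the header, uses hypothetical function names, and reuses the trusted ranges 10.0.0.0/8 and 127.0.0.1 from that post.

```python
import ipaddress

# Trusted proxy ranges, taken from the VGTrustedProxy lines on this page.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.1/32")]


def is_trusted(addr):
    """True if addr is a valid IP inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED)


def client_ip(peer, xff):
    """Return the address to log (hypothetical helper).

    peer: TCP peer address of the connection.
    xff:  raw X-Forwarded-For value, or None if the header is absent.
    """
    # A direct client can send any header it likes, so the header is only
    # considered when the connection itself comes from a trusted proxy.
    if not xff or not is_trusted(peer):
        return peer
    candidate = peer
    # Rightmost entries were appended by the proxies closest to us. Walk
    # right to left and stop at the first address that is not a proxy.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last valid address
        candidate = hop
        if not is_trusted(hop):
            break
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For value).
    for peer, xff in [("10.0.0.5", "203.0.113.7"),
                      ("198.51.100.9", "192.0.2.1"),
                      ("10.0.0.5", "192.0.2.1, 203.0.113.7")]:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```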

Here is how to install an SSL certificate for Apache and Nginx:

1. Apache: edit the virtual host:


SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/site.crt
SSLCACertificateFile /etc/pki/tls/certs/site.ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/site.key

2. Nginx: you need to combine the site certificate and the CA bundle into a single file. Add these entries to the server section of the nginx configuration file:

ssl_certificate /etc/pki/tls/certs/site+CA.crt;
ssl_certificate_key /etc/pki/tls/private/site.key;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
#ssl_prefer_server_ciphers on;

Remember to check the SSL keys before restarting Nginx or Apache.