Linux 4 All

Best Linux tricks source

Posts in the Apache category

Here is how to hand PHP requests to PHP-FPM from an Apache virtual host with mod_proxy_fcgi (Apache 2.4; the unix: socket syntax needs 2.4.9 or later). Add the following to the vhost.conf file, substituting the vhost's real DocumentRoot for $DOCUMENTROOT: the regex captures the script path as $1, and it has to be appended to the target, otherwise PHP-FPM never receives a SCRIPT_FILENAME. On 2.4.10 and later the same mapping can be done without the regex, with SetHandler "proxy:unix:/dev/shm/php.sock|fcgi://localhost/" inside a FilesMatch for .php. In either form the Apache user must be allowed to connect to the socket.

# "localhost" is a placeholder for unix: sockets; the path after it is the DocumentRoot, then the captured script
ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/dev/shm/php.sock|fcgi://localhost$DOCUMENTROOT/$1

Here is a little curl magic to see how long it takes to reach a site. It prints the time to name lookup, to TCP connect, to the start of the transfer (pretransfer), to the first byte and the total, plus the HTTP status. All of curl's timers are cumulative from the start of the request, so each value is a point on the timeline rather than the duration of a phase. Replace example.com with the site under test:

curl -s -w "\ntime connect: %{time_connect}\ntime namelookup: %{time_namelookup}\ntime pretransfer: %{time_pretransfer}\ntime redirect: %{time_redirect}\ntime to first byte: %{time_starttransfer}\ntime total: %{time_total}\nhttp code: %{http_code}\n\n" -o /dev/null https://example.com/

time connect: 0.165
time namelookup: 0.133
time pretransfer: 0.166
time redirect: 0.000
time to first byte: 0.392
time total: 0.432
http code: 200
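Because the timers are cumulative, the interesting numbers are the differences between them (DNS, TCP handshake, TLS handshake, server think time, body transfer). The following is an added example, not code from the original post: a wrapper that emits curl's timers as key=value lines, and an awk breakdown that turns them into per-phase milliseconds. It assumes a curl new enough to know %{time_appconnect} (7.19 and later); the key names and the output layout are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): per-phase breakdown of curl's timers.

# Run curl against $1 and print the raw timers, one key=value per line.
curl_timers() {
    curl -s -o /dev/null \
        -w 'time_namelookup=%{time_namelookup}\ntime_connect=%{time_connect}\ntime_appconnect=%{time_appconnect}\ntime_pretransfer=%{time_pretransfer}\ntime_starttransfer=%{time_starttransfer}\ntime_total=%{time_total}\nhttp_code=%{http_code}\n' \
        "$1"
}

# Read key=value timers on stdin and print the duration of each phase in ms.
# Each curl timer is measured from the start of the request, so a phase is
# the difference between two consecutive timers. time_appconnect is 0 for
# plain http, in which case the TLS phase is reported as 0.
phase_breakdown() {
    awk -F= '
        { v[$1] = $2 }
        END {
            tls_end = (v["time_appconnect"] > 0) ? v["time_appconnect"] : v["time_connect"]
            printf "dns=%.0f tcp=%.0f tls=%.0f ttfb=%.0f transfer=%.0f total=%.0f code=%s\n",
                v["time_namelookup"] * 1000,
                (v["time_connect"] - v["time_namelookup"]) * 1000,
                (tls_end - v["time_connect"]) * 1000,
                (v["time_starttransfer"] - v["time_pretransfer"]) * 1000,
                (v["time_total"] - v["time_starttransfer"]) * 1000,
                v["time_total"] * 1000,
                v["http_code"]
        }'
}

# Usage: curl_timers https://example.com/ | phase_breakdown
```

Fed the numbers from the output above, the breakdown reads dns=133 tcp=32 tls=0 ttfb=226 transfer=40: the server took 226 ms to start answering, which is where to look first, not the network.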

Should you need to disable the TRACE and TRACK methods on Apache (a TRACE response echoes the request back, cookies and Authorization header included, which is the Cross-Site Tracing problem), add the following lines to httpd.conf, or to each VirtualHost, and restart Apache. TraceEnable off is the supported way and makes Apache answer TRACE with 405 Method Not Allowed; the rewrite rule answers TRACE and TRACK with 403 and is the fallback for builds that predate the directive. The RewriteCond is essential: on its own, RewriteRule .* - [F] forbids every request. Apache never implemented TRACK (it is an IIS method and gets an error anyway), so that half of the rule mostly keeps scanners quiet.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

TraceEnable off
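To confirm the change from the outside, here is an added example, not code from the original post, that sends a TRACE with a canary header and classifies the answer: a 200 that reflects the canary in the body means the server is still traceable, a 405 (TraceEnable off) or 403 (the rewrite rule) means it is blocked. It assumes curl and awk; the X-Canary header name and the three labels are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): probe a host for Cross-Site Tracing.

# Send a raw TRACE carrying a canary header and print the whole response.
# -i keeps the status line and headers so the classifier can see them.
trace_probe() {
    host=$1; canary=$2
    curl -s -i -X TRACE -H "X-Canary: $canary" "http://$host/"
}

# Read a raw HTTP response on stdin and print one of:
#   vulnerable  - status 200 and the canary came back in the body (XST possible)
#   blocked     - 405 from TraceEnable off, or 403 from the RewriteRule
#   not-echoed  - anything else, e.g. a 200 front page that does not reflect the request
classify_trace_response() {
    canary=$1
    awk -v canary="$canary" '
        NR == 1 { status = $2 }                       # "HTTP/1.1 200 OK"
        !body && ($0 == "" || $0 == "\r") { body = 1; next }   # end of headers
        body && index($0, canary) { reflected = 1 }
        END {
            if (status == 200 && reflected) print "vulnerable"
            else if (status == 405 || status == 403) print "blocked"
            else print "not-echoed"
        }'
}

# Usage: xst_check www.example.com
xst_check() {
    canary="xst$$$(date +%s)"
    trace_probe "$1" "$canary" | classify_trace_response "$canary"
}
```

The canary matters: a proxy or load balancer in front of Apache may answer TRACE with 200 by itself, so checking the status alone gives false positives.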

Here is how to install an SSL certificate for Apache and Nginx:

1. Apache: edit the virtual host. The site certificate and its key go in SSLCertificateFile and SSLCertificateKeyFile; the CA bundle with the intermediate certificates goes in SSLCertificateChainFile. SSLCACertificateFile is meant for verifying client certificates, not for the chain the server sends, and on Apache 2.4.8 and later SSLCertificateChainFile is deprecated in favour of appending the intermediates to SSLCertificateFile itself:

SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/site.crt
SSLCertificateChainFile /etc/pki/tls/certs/
SSLCertificateKeyFile /etc/pki/tls/private/site.key

2. Nginx: you need to combine the site certificate and the CA bundle into one single file, site certificate first, then the intermediates in issuing order. Add these entries to the server block of the nginx configuration file; the two commented lines are worth enabling, since they drop SSLv3 and make the server's cipher order win over the client's:

ssl_certificate /etc/pki/tls/certs/site+CA.crt;
ssl_certificate_key /etc/pki/tls/private/site.key;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_prefer_server_ciphers on;

Remember to check, before restarting nginx or Apache, that the key really belongs to the certificate, that the combined file is in the right order, and that the configuration parses (apachectl configtest, nginx -t): a mismatched key or a CA-first bundle only shows up as a failed restart or as browser chain errors.
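The following is an added example, not code from the original post, of that pre-restart check: it compares the public key inside the certificate with the private key, and walks a combined bundle to confirm each certificate is issued by the one after it. It assumes the openssl command-line tool; comparing the SubjectPublicKeyInfo rather than the RSA modulus is a deliberate choice so the same check works for EC keys. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): certificate, key and chain sanity checks.

# 0 if the certificate's public key equals the one derived from the private key.
cert_key_match() {
    cert=$1; key=$2
    a=$(openssl x509 -noout -pubkey -in "$cert") || return 2
    b=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

# Split a PEM bundle ($1) into one file per certificate in directory $2,
# named cert.1, cert.2, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }' "$1"
}

# Print the subject or issuer DN of $2 without the "subject=" / "issuer=" prefix,
# so the old ("subject= /CN=x") and new ("subject=CN = x") formats compare alike.
dn() { openssl x509 -noout -"$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# 0 if the bundle is leaf first and every certificate is issued by the next one,
# which is the order nginx's ssl_certificate expects. Reports the first broken link.
chain_order_ok() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    i=1; rc=0
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        if [ "$(dn issuer "$tmp/cert.$i")" != "$(dn subject "$tmp/cert.$j")" ]; then
            echo "cert.$i is not issued by cert.$j (bundle out of order?)" >&2
            rc=1
            break
        fi
        i=$j
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: preflight site.crt site.key site+CA.crt
preflight() {
    cert_key_match "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    chain_order_ok "$3" || return 1
    echo "ok"
}
```

Run preflight, then apachectl configtest or nginx -t, and only then restart.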

You can avoid a whole class of compromise (an attacker gets a .php file in through an upload form, then requests it) by disabling PHP execution for upload folders. Those folders should only contain documents and images, so PHP execution has no business there. The lines below go inside the Directory container for the upload directory (or in its .htaccess, if AllowOverride permits it):

For mod_php:

php_flag engine off

For fastcgi, where PHP is triggered by the handler rather than the engine flag, unmap the handler for .php:

    AddHandler /dev/null .php

Restrict access to whatever.php.old or similar backup copies, which would otherwise be served as plain text with the source inside (this goes in a FilesMatch container for those names; on Apache 2.4 the three lines become Require all denied):

    Order allow,deny
    Deny from all
    Satisfy All

Two caveats. A .php file that is no longer executed is still served, as a download, and PHP usually answers to more than one extension (.phtml, .php5, .phar, whatever AddType or AddHandler maps), so the more robust rule is to deny every script extension in the upload tree outright, and to keep uploads outside the DocumentRoot where the application allows it.

It’s easy to run Apache with mod_fastcgi and php-fpm. On a RedHat/CentOS box, assuming you have the IUS repository enabled and PHP 5.4 installed from IUS, here are the steps:

1. Install php-fpm for php54:

yum install php54-fpm

2. Edit /etc/php-fpm.d/www.conf and make the pool listen on a unix socket, to avoid TCP overhead. Current php-fpm releases create that socket as root with mode 0660 (older ones used a world-writable 0666, which let any local user run PHP as the pool user), so also set listen.owner and listen.group to the httpd user (apache) in the same file; otherwise mod_fastcgi cannot connect and the site answers 503:

listen = /dev/shm/apache-php.sock

Then start it and make it come back on boot:

service php-fpm start
chkconfig php-fpm on

3. Get mod_fastcgi (download the current tarball from the FastCGI project) and build it against the installed httpd:

tar xvzf mod_fastcgi-current.tar.gz
cd mod_fastcgi-[[tab-tab]]
cp Makefile.AP2 Makefile
make top_dir=/usr/lib64/httpd
make install top_dir=/usr/lib64/httpd

4. Create /etc/httpd/conf.d/mod_fastcgi.conf. FastCGIExternalServer declares a virtual path that stands for the php-fpm socket: nothing is ever created at /dev/shm/apache-php.fcgi, it is only the name the Alias in step 6 points at. On distributions whose default Directory / container denies everything (Debian and Ubuntu do, CentOS 6 does not), Apache also needs a Directory container granting access to that path:

# cat /etc/httpd/conf.d/mod_fastcgi.conf
LoadModule fastcgi_module modules/

AddType application/x-httpd-php .php
Action application/x-httpd-php /php.fcgi
DirectoryIndex index.php index.html index.htm
FastCGIExternalServer /dev/shm/apache-php.fcgi -socket /dev/shm/apache-php.sock -flush

5. Disable Apache mod_php, so the two do not compete for .php:

mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.disabled
echo "# PHP is running as mod_fastcgi" >/etc/httpd/conf.d/php.conf

6. Enable PHP in each Apache virtual host by mapping the Action's URL to the FastCGI server:

# FastCGI handler for PHP-FPM
# See conf.d/mod_fastcgi.conf
Alias /php.fcgi /dev/shm/apache-php.fcgi

7. Restart Apache:

service httpd restart
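The step most often got wrong is the socket ownership in step 2. Here is an added example, not code from the original post, that reads a pool file the way php-fpm does (last uncommented value wins, ; starts a comment) and refuses a setup where the socket is not a unix socket, is not owned or grouped to the httpd user, or has a mode other than 0660. The pool path and the user name are whatever you pass in; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check a php-fpm pool before
# pointing mod_fastcgi at its socket.

# Print the effective value of key $2 in pool file $1 (empty if unset or commented out).
pool_setting() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# 0 if the pool listens on a unix socket that user $2 can connect to; otherwise
# print every reason and return 1.
fpm_pool_check() {
    pool=$1; httpd_user=$2; rc=0
    listen=$(pool_setting "$pool" listen)
    case $listen in
        /*) ;;   # absolute path: unix socket
        *)  echo "listen is '$listen': not a unix socket"; rc=1 ;;
    esac
    owner=$(pool_setting "$pool" listen.owner)
    group=$(pool_setting "$pool" listen.group)
    if [ "$owner" != "$httpd_user" ] && [ "$group" != "$httpd_user" ]; then
        echo "listen.owner/listen.group do not include $httpd_user; Apache will get EACCES on connect"
        rc=1
    fi
    mode=$(pool_setting "$pool" listen.mode)
    case $mode in
        0660) ;;
        "")   echo "listen.mode is not set; set it to 0660 explicitly"; rc=1 ;;
        *)    echo "listen.mode is $mode; expected 0660 (0666 lets any local user run PHP as the pool user)"; rc=1 ;;
    esac
    return $rc
}

# Usage: fpm_pool_check /etc/php-fpm.d/www.conf apache && service php-fpm restart
```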

Sometimes you may find that duplicate packages exist on a server. On x86_64 this is usually a 32-bit (i686) copy of a package installed beside the 64-bit one; multilib libraries (glibc.i686 and friends) are legitimate, a second copy of an application such as PHP is not, and the two fight over the same files.

[root@tstsrv ~]# rpm -qa | grep php53u-5

A few minutes later the same query returns two php packages:

[root@tstsrv ~]# rpm -qa | grep php53u-5
php53u-5.3.17-2.ius.el6.i686
php53u-5.3.17-2.ius.el6.x86_64

and rpm -ql shows that they share files:

[root@tstsrv ~]# rpm -ql php53u-5.3.17-2.ius.el6.x86_64
[root@tstsrv ~]# rpm -ql php53u-5.3.17-2.ius.el6.i686

I went ahead and removed the wrong one, the i686 package, naming it in full with the architecture so yum does not touch the x86_64 copy:

[root@tstsrv ~]# yum remove php53u-5.3.17-2.ius.el6.i686

Checking the good package afterwards, everything is fine:

[root@tstsrv ~]# rpm -ql php53u-5.3.17-2.ius.el6.x86_64

To keep this from happening again on a host that needs no 32-bit software, add exclude=*.i686 *.i386 to /etc/yum.conf.
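Grepping for one package finds one duplicate; the general check is to list every package that is installed for more than one architecture. Here is an added example, not code from the original post, that does that over the output of rpm -qa with a tab-separated query format and prints a yum remove line for each foreign-architecture copy that has a native counterpart. It assumes rpm, awk and uname -m; review the list before running it, because multilib libraries such as glibc.i686 will show up and are meant to stay.

```shell
#!/bin/sh
# Added example (not from the original post): find packages installed for more
# than one architecture and propose removing the non-native copies.
#
# Input (stdin):  rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{ARCH}\n'
# Output:         one "yum remove NAME-VERSION-RELEASE.ARCH" per non-native copy
#                 of a package that also exists for the native arch, sorted.
# $1 overrides the native architecture (default: uname -m). noarch is ignored,
# and a package that exists only in a foreign arch is not a duplicate.
multiarch_dups() {
    native=${1:-$(uname -m)}
    awk -F'\t' -v native="$native" '
        $3 == "noarch" { next }
        {
            key = $1 SUBSEP $3
            pkg[key] = 1
            evr[key] = $2
            archs[$1] = archs[$1] " " $3
        }
        END {
            for (name in archs) {
                if (!((name SUBSEP native) in pkg)) continue   # no native copy: skip
                split(archs[name], a, " ")
                for (i in a) {
                    arch = a[i]
                    if (arch == "" || arch == native) continue
                    printf "yum remove %s-%s.%s\n", name, evr[name SUBSEP arch], arch
                }
            }
        }' | sort
}

# Usage: rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{ARCH}\n' | multiarch_dups
```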

Yes, you can run SNI on RHEL 6. mod_ssl needs OpenSSL 0.9.8f or later (built with TLS extensions) and Apache 2.2.12 or later; RHEL 6 ships OpenSSL 1.0.x and Apache 2.2.15, so both requirements are covered.

Server Name Indication (also known as "SNI") is an extension of TLS that sends the name of the virtual domain as part of the TLS negotiation, which allows SSL sites to be configured as name-based virtual hosts on the same IP. This means that a web server is able to serve more than one SSL certificate per IP address. The catch is the client side: browsers without SNI (Internet Explorer on Windows XP, the Android browser before 3.0, Java 6 and older clients) never send a name and only ever get the default vhost's certificate, so do not rely on it unless you are sure your client base runs software new enough to support it.

If you are on a Linux server that supports SNI, you can configure Apache to use it very easily. Every site gets its own VirtualHost container on *:443 with its own ServerName, certificate, key and chain; Apache serves the container whose ServerName or ServerAlias matches the name the client sent, and a client that sends no name is answered by the first container defined for that IP and port. SSLStrictSNIVHostCheck on in the server config (or in that first, default container) refuses non-SNI clients for every name-based host on the address: the handshake still completes with the default certificate, and the request is then rejected with 403. Placed inside any other container it only refuses them for that host. On Apache 2.2 the NameVirtualHost line is required as well, otherwise only the first container is ever used:

# We want non-SNI capable browsers to receive an error message, rather than possibly accessing the wrong site:
SSLStrictSNIVHostCheck on

# Apache 2.2 needs this for name-based SSL hosts; 2.4 no longer uses it
NameVirtualHost *:443

<VirtualHost *:443>
    # ServerName (plus any ServerAlias) is what the SNI name is matched against
    DocumentRoot /var/www/vhosts/
    SSLCertificateFile /etc/pki/tls/certs/
    SSLCertificateKeyFile /etc/pki/tls/private/
    SSLCertificateChainFile /etc/pki/tls/certs/
    SSLEngine on
    ErrorLog logs/
    CustomLog logs/ common
</VirtualHost>

<VirtualHost *:443>
    # ServerName (plus any ServerAlias) is what the SNI name is matched against
    DocumentRoot /var/www/vhosts/
    SSLCertificateFile /etc/pki/tls/certs/
    SSLCertificateKeyFile /etc/pki/tls/private/
    SSLCertificateChainFile /etc/pki/tls/certs/
    SSLEngine on
    CustomLog logs/ common
    ErrorLog logs/
</VirtualHost>
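Whether SNI is actually honoured is easy to check from a client, since openssl s_client can send a chosen name or none at all. The following is an added example, not code from the original post: it fetches the leaf certificate served for two names on the same address and once without SNI (which is what a pre-SNI browser looks like to the server), and fails if both names get the same certificate. It assumes the openssl tool; the CN extraction tolerates both the old and the new subject line formats. Host, port and names are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): verify which certificate a
# TLS vhost hands out with and without SNI.

# Pull the CN out of an openssl "subject=" line, for both output styles:
#   "subject= /C=US/O=Example/CN=www.example.com"
#   "subject=C = US, O = Example, CN = www.example.com"
subject_cn() {
    sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# Print the CN of the leaf certificate served by $1:$2 when the client sends
# SNI name $3; with an empty $3 no SNI extension is sent at all.
served_cn() {
    host=$1; port=${2:-443}; name=$3
    if [ -n "$name" ]; then set -- -servername "$name"; else set --; fi
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null | subject_cn
}

# Usage: sni_check www.example.com other.example.com [port]
# Returns 1 if both names get the same certificate, i.e. SNI is not in effect.
sni_check() {
    host=$1; other=$2; port=${3:-443}
    a=$(served_cn "$host" "$port" "$host")
    b=$(served_cn "$host" "$port" "$other")
    none=$(served_cn "$host" "$port" "")
    echo "with SNI $host  -> $a"
    echo "with SNI $other -> $b"
    echo "without SNI     -> $none   (the default vhost's certificate)"
    [ "$a" != "$b" ]
}
```

With SSLStrictSNIVHostCheck on, the no-SNI run still prints the default certificate: the refusal happens at the HTTP layer, after the handshake, so look for the 403 with curl rather than in s_client.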