Archive for the tag 'web'

How to verify Apache web server status - Parallels Plesk Panel for Linux/Unix.

The name of Apache 2 binary on Debian and SuSE OSes is “apache2,” not “httpd” as it is on Red Hat-based Linux distributions or FreeBSD.

# ps ax | grep httpd | grep -v grep

If Apache is not running, try to start it from the Plesk control panel or from the command line. If you get an error, check /var/log/httpd/error_log (/var/log/apache2/error_log on SuSE and Debian, /usr/local/psa/apache/logs/error_log on FreeBSD).

Make sure that Apache is listening on both the HTTP and HTTPS ports (80/443) on all needed IP addresses:

# netstat -l | grep http
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:https *:* LISTEN
SBDavid

Customizing apache web logs

Custom formats for apache web logs, to record more information or to make them easier to read.

LogFormat

%h The remote host
%l The remote logname (usually just “-”)
%u The authenticated user (if any)
%t The time of the access
\"%r\" The first line of the request
%>s The final status of the request
%b The size of the server’s response, in bytes
\"%{Referer}i\" The referrer URL, taken from the request’s headers
\"%{User-Agent}i\" The user agent, taken from the request’s headers

Apache’s “LogFormat” directive is what lets you define your own access log setup. Let’s look at how that directive would be used to define the combined log format (CLF):

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

That first argument, in quotes, is the string that describes the log format. The last argument, “combined”, gives a nickname to the format that can be used by CustomLog later on.

That format string contains a bunch of placeholders that describe the data to be included in the log. That first one, for example, is “%h” and represents the IP address of the visitor (the identifier for their host). A bit further on, “%t” represents the time of the request.

Apache Security: Hide Apache Web Server Version number

Hide the Apache web server version number with the ServerSignature and ServerTokens directives

Open your httpd.conf file using a text editor such as vi:

vi httpd.conf

Two configuration directives control how much version information Apache reveals. The ServerSignature directive adds a line containing the Apache HTTP Server version and the ServerName to any server-generated documents, such as error messages sent back to clients. ServerSignature is set to On by default. The ServerTokens directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.

Append/modify config directive as follows:

ServerSignature Off
ServerTokens Prod

Save and close the file. Restart Apache web server:

/etc/init.d/httpd restart

To make a domain's secure Web content available in Plesk

After migration, secure Web content (available via the https protocol) becomes unavailable. The reason is that in Parallels Plesk Panel, secure Web content can be stored either in a directory different from the directory with common Web content (the default option), or in the same directory.

To make a domain's secure Web content available, enable the "Use a single directory for housing SSL and non-SSL content" option.

Go to the domain Home page > Web site: Web Hosting Settings > Preferences: Use a single directory for housing SSL and non-SSL content checkbox.

SBDavid

Hide apache web server version

It is possible to hide the Apache web server version and other information. This is done for security reasons: it is not a good idea to broadcast the version of the software that you are running on the server. You may have noticed the following details (or something similar) when an error page is displayed.

Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 Server at XXX.com Port 80

Add or edit these two entries in the Apache configuration file (httpd.conf):

ServerSignature Off
ServerTokens Prod

ServerSignature Off: tells Apache not to display the server version on error pages or other pages it generates.
ServerTokens Prod: tells Apache to return only "Apache" in the Server header, which is returned on every page request.

Restart the webserver.

$ service httpd restart
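
An added example, not part of the original posts: a shell check for the two directives recommended in both version-hiding posts above. The function names and the sample config files are constructed for illustration; the check reads a single file, does not follow Include directives, and reports an unset directive as a failure.

```shell
#!/bin/sh
# Added example (not from the original posts): audit one Apache config file
# for the ServerSignature / ServerTokens settings recommended above.
# Assumption: a single file is checked; Include'd files and per-VirtualHost
# overrides are not followed.

# Print the last uncommented value of a directive (names are case-insensitive).
effective_value() {  # usage: effective_value DIRECTIVE FILE
    awk -v d="$1" '
        $1 ~ /^#/ { next }                      # skip comment lines
        tolower($1) == tolower(d) { v = $2 }    # a later line overrides an earlier one
        END { if (v != "") print v }
    ' "$2"
}

# Return 0 if FILE sets ServerSignature Off and ServerTokens Prod, else 1.
audit_version_disclosure() {  # usage: audit_version_disclosure FILE
    rc=0
    sig=$(effective_value ServerSignature "$1" | tr '[:upper:]' '[:lower:]')
    tok=$(effective_value ServerTokens "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$sig" != "off" ]; then
        echo "FAIL: ServerSignature is ${sig:-unset}, expected Off"
        rc=1
    fi
    case "$tok" in
        prod|productonly) ;;                    # ProductOnly is the long form of Prod
        *) echo "FAIL: ServerTokens is ${tok:-unset}, expected Prod"
           rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: ServerSignature Off and ServerTokens Prod are in effect"
    fi
    return "$rc"
}

# Constructed sample configs: "before" leaks the version, "after" is hardened.
demo_dir=$(mktemp -d)
printf '%s\n' 'ServerTokens Full' '#ServerSignature Off' 'ServerSignature On' \
    > "$demo_dir/before.conf"
printf '%s\n' 'ServerSignature On' '  serversignature off' 'ServerTokens Prod' \
    > "$demo_dir/after.conf"
audit_version_disclosure "$demo_dir/before.conf" || true
audit_version_disclosure "$demo_dir/after.conf"
```

Run it against the real httpd.conf before restarting Apache; a commented-out directive or a later line that turns the setting back on is reported as a failure.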