Feb 12

apache — password protect your web resource for external users only

Suppose an IT company wants to keep a demo project away from anonymous Internet users but let its customers in with a password, while the developers on the office network should not have to type a password at all.

If you want people on your own network to have unrestricted access to a portion of your website, but require a password from everyone outside of it, a configuration similar to the following does the job:

Require valid-user
Allow from 192.168.1
Satisfy Any

You can put these directives in a .htaccess file or wrap them in an Apache <Directory> block. With Satisfy Any the client is granted access if it either passes the host restriction or enters a valid username and password. Be careful, though: as written the fragment has no Order directive and no AuthType, AuthName or AuthUserFile. Without an Order directive Apache behaves as if Order Deny,Allow were set, and under that order a client matching neither list is allowed; every client therefore passes the host check and Satisfy Any never asks for a password. Tighten the configuration to one of the following:

Order Allow,Deny
AuthType Basic
AuthName "Restricted Resource"
AuthUserFile /var/users
Require valid-user

Allow from 192.168.1
Satisfy Any

[OR]

Order Deny,Allow
Deny from All
AuthType Basic
AuthName "Restricted Resource"
AuthUserFile /var/users
Require valid-user

Allow from 192.168.1
Satisfy Any

Two things to keep in mind. Allow from 192.168.1 matches the 192.168.1.0/24 prefix against the client address Apache sees on the TCP connection; if a reverse proxy or load balancer sits in front of Apache, every request arrives from the proxy's address and the subnet check hands the password bypass to everyone. And Order, Allow, Deny and Satisfy are Apache 2.2 directives: on Apache 2.4 they only work with mod_access_compat loaded, the native equivalent being Require ip 192.168.1 and Require valid-user inside a <RequireAny> block.


Nov 27

remove server info and PHP info from response headers

Below is a typical HTTP response header:

HTTP/1.1 200 OK
Date: Wed, 27 Nov 2013 01:18:27 GMT
Server: Apache/2.0.55 (Debian) PHP/5.1.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

Hiding unnecessary details about your system makes fingerprinting harder for an attacker; it is no substitute for patching, since the software is still whatever version it is, but it removes free information. With the Apache web server this is controlled by the ServerTokens and ServerSignature directives. The Apache manual lists the values ServerTokens accepts and what each one sends:

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

Obviously, we should set ServerTokens Prod. Note that ServerTokens applies to the whole server and cannot be set per virtual host.

To stop Apache from appending its version line to the error pages and directory listings it generates, turn ServerSignature off:

ServerSignature Off

To hide the PHP version, locate your php.ini and find or add expose_php. While it is on, PHP adds an X-Powered-By: PHP/x.y.z header to every response it generates.

expose_php = Off
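As an added example (not part of the original post), here is a small Python audit that parses a raw HTTP response and reports the disclosures the three settings above are meant to close: a product/version token in the Server header (ServerTokens), an OS or distribution token in parentheses (ServerTokens), an X-Powered-By header (expose_php) and the Apache footer on a generated error page (ServerSignature). Both sample responses are constructed: the first reuses the Server line from the post and adds the X-Powered-By header and <address> footer such a server also emits; the second is what the same server sends after hardening. The footer pattern assumes Apache's default signature format.

```python
import re

# Constructed sample: an error page from the unhardened server in the post
# (Server line copied from the post; X-Powered-By and the <address> footer
# are what expose_php=On and ServerSignature On also emit).
LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 27 Nov 2013 01:18:27 GMT\r\n"
    "Server: Apache/2.0.55 (Debian) PHP/5.1.2\r\n"
    "X-Powered-By: PHP/5.1.2\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<address>Apache/2.0.55 (Debian) Server at www.example.com Port 80</address>\n"
    "</body></html>\n"
)

# Constructed sample: the same request after ServerTokens Prod,
# ServerSignature Off and expose_php = Off.
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 27 Nov 2013 01:18:27 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>\n"
)

# product/version tokens such as Apache/2.0.55, PHP/5.1.2, OpenSSL/1.0.1
VERSION_TOKEN = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)*")
# OS / distribution token that ServerTokens OS and Full add, e.g. "(Debian)"
OS_TOKEN = re.compile(r"\([^)]+\)")
# footer that ServerSignature On appends to generated error pages
SIGNATURE = re.compile(r"<address>\s*Apache[^<]*</address>", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body).

    Header names are lower-cased; a repeated header keeps its last value,
    which is enough for the headers audited here.
    """
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    status, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(raw):
    """Return a list of (check, evidence) pairs, one per disclosure found."""
    _, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_TOKEN.search(server):
        findings.append(("server-version", server))          # fix: ServerTokens Prod
    if OS_TOKEN.search(server):
        findings.append(("server-os", server))               # fix: ServerTokens Prod
    if "x-powered-by" in headers:
        findings.append(("x-powered-by", headers["x-powered-by"]))  # fix: expose_php = Off
    footer = SIGNATURE.search(body)
    if footer:
        findings.append(("server-signature", footer.group(0)))  # fix: ServerSignature Off
    return findings


if __name__ == "__main__":
    for label, response in (("before", LEAKY_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, audit(response) or "no disclosures")
```

To check a live server, save the output of curl -si against a URL that does not exist (so the error page is generated by Apache) and pass the text to audit().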

Nov 16

Apache – RewriteCond: NoCase option for non-regex pattern xx is not supported

We were getting lots of 'NoCase option not supported' warnings like the one below in our Apache server error log:

[Fri Nov 15 20:46:14 2013] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.

As you may have guessed, the problem is a rewrite rule with one or more RewriteCond lines in your .htaccess file that combine a filesystem test with the NC flag. In the mod_rewrite documentation I found this:

'nocase|NC' (no case)
This makes the test case-insensitive: differences between 'A-Z' and 'a-z' are ignored, both in the expanded TestString and the CondPattern. This flag is effective only for comparisons between TestString and CondPattern. It has no effect on filesystem and subrequest checks.

Pay attention to the last sentence: it has no effect on filesystem and subrequest checks. In other words, the nocase|NC flag is meaningless when the CondPattern is -d (directory), -f (regular file) or -l (symbolic link); Apache logs the warning and ignores the flag, so the fix is simply to drop NC from those RewriteCond lines.

What the documentation does not spell out is that these file tests are only as case-insensitive as the filesystem underneath. On a Linux server with a case-sensitive filesystem, -f 'A.php' and -f 'a.php' refer to different files and there is no flag that changes that. This means:

If there is a file named A.php in the web root of abcdomain.com, it can be reached via http://www.abcdomain.com/A.php but not via http://www.abcdomain.com/a.php.

Some people find that the warning still shows up in the error log after they remove the NC flag. I think that is because the log is the server-wide error log and .htaccess files are parsed on every request, so the warning keeps appearing until every website on the server has been fixed.


Oct 19

apache — 301 redirect from long domain www.abcdomain.com to short abcdomain.com

To a search engine, www.abcdomain.com and abcdomain.com are two different hosts. For SEO purposes you need a 301 redirect so that the search engine treats the two as one.

To redirect the short domain to its long form with www, you can use the rewrite rule below. Because it does not hard-code the domain name, the same lines can be dropped into many websites unchanged, which saves time if you run a lot of them:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^([a-z0-9-]+)\.([a-z]+)$
RewriteRule ^(.*)$ http://www.%1.%2/$1 [R=301,L]

OR

RewriteEngine On
RewriteCond %{HTTP_HOST} ^([a-z0-9-]+)\.([a-z]+)$
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

Note that this condition only matches a Host header made of exactly two lower-case labels: abcdomain.co.uk, a host sent with a port, or an upper-case host never triggers the redirect and is silently served as-is. If that matters, use the condition !^www\. [NC] instead, which covers every host not already prefixed.

If you would rather keep the short form, adapt the rule to:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.([a-z0-9-]+)\.([a-z]+)$
RewriteRule ^(.*)$ http://%1.%2/$1 [R=301,L]

Whichever direction you choose, the target scheme is hard-coded as http://. On a site served over TLS, redirect to https:// instead (or, on Apache 2.4, use %{REQUEST_SCHEME}); otherwise the redirect downgrades the visitor's connection.
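To see which hosts the conditions above actually catch, here is an added Python simulation (example code, not from the original post) of the rules as they behave in a .htaccess, where the path matched by (.*) carries no leading slash. It also models the broader condition !^www\. [NC], which redirects every host not already prefixed. The host names are constructed examples.

```python
import re

# The post's condition: exactly two lower-case labels, no port, no subdomain.
TWO_LABELS = re.compile(r"^([a-z0-9-]+)\.([a-z]+)$")
# Reverse direction from the post: www. followed by exactly two labels.
WWW_TWO_LABELS = re.compile(r"^www\.([a-z0-9-]+)\.([a-z]+)$")
# Broader condition: any host that does not already start with www. (case-insensitive)
STARTS_WITH_WWW = re.compile(r"^www\.", re.IGNORECASE)


def add_www(host, path):
    r"""RewriteCond ^([a-z0-9-]+)\.([a-z]+)$ ; RewriteRule ^(.*)$ http://www.%1.%2/$1

    Returns the redirect target, or None when the condition does not match
    (mod_rewrite then serves the request as-is, with no redirect at all).
    """
    m = TWO_LABELS.match(host)
    if m is None:
        return None
    return f"http://www.{m.group(1)}.{m.group(2)}/{path}"


def add_www_any(host, path):
    r"""RewriteCond !^www\. [NC] ; RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1"""
    if STARTS_WITH_WWW.match(host):
        return None
    return f"http://www.{host}/{path}"


def strip_www(host, path):
    r"""RewriteCond ^www\.([a-z0-9-]+)\.([a-z]+)$ ; RewriteRule ^(.*)$ http://%1.%2/$1"""
    m = WWW_TWO_LABELS.match(host)
    if m is None:
        return None
    return f"http://{m.group(1)}.{m.group(2)}/{path}"


if __name__ == "__main__":
    # Constructed hosts: the last three never match the post's two-label condition.
    for host in ("abcdomain.com", "www.abcdomain.com", "abcdomain.co.uk",
                 "abcdomain.com:8080", "ABCDOMAIN.COM"):
        print(f"{host:20} narrow={add_www(host, 'page/test.html')!s:42} "
              f"broad={add_www_any(host, 'page/test.html')}")
```

The narrow condition is safe in the sense that it never redirects to a host it did not expect, but it quietly leaves every host it does not understand un-redirected, which for SEO is the failure mode you were trying to avoid.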

Aug 07

apache — Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe.

This afternoon I was trying to install Zen Cart v1.5.1. The Zen Cart installer reported that the running PHP was version 5.2.6; to continue, it requires PHP 5.2.14 at minimum.

Unluckily, I did not find any WAMP PHP add-on that meets the Zen Cart 1.5.1 requirement. The newest PHP version WAMP offered was 5.2.11, which meant I would have to grab a whole new PHP development kit; that is no good, it takes too much time and too much work. I decided to integrate PHP 5.2.17 into WAMP myself.

At first I downloaded php-5.2.17-nts-Win32-VC6-x86.zip (VC6 x86 Non Thread Safe) from http://windows.php.net/downloads/releases/php-5.2.17-nts-Win32-VC6-x86.zip. After some configuration tweaks I restarted Apache, and it showed this error:

Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.
Pre-configuration failed.

Then I noticed the nts in the file name of the zip I had downloaded. To fix the problem I needed the Thread Safe build, which I downloaded from http://windows.php.net/downloads/releases/php-5.2.17-Win32-VC6-x86.zip. It works. The non-thread-safe build is meant for running PHP as CGI/FastCGI, where Apache's threaded MPM does not matter, so configuring Apache to run PHP in CGI mode would be the other way out; I did not try that.

VC6 x86 Thread Safe

http://windows.php.net/downloads/releases/php-5.2.17-Win32-VC6-x86.zip

Oct 03

apache — let search engine fetch robots.txt based upon domain name

If one website answers on several domains (for whatever reason) and you want Google and the other major search engines to fetch a different robots.txt per domain, how do you do it?

First, prepare all the robots.txt files and put them in the root folder of your website, named robots.txt, robots1.txt, robots2.txt and so on.

Second, create a .htaccess file in the root folder if one does not exist.

Third, add the following Apache directives at the top of that file:

RewriteEngine On

RewriteCond %{HTTP_HOST} (^|\.)abcdomain1\.com$ [NC]
RewriteRule ^robots\.txt$ robots1.txt [L]

RewriteCond %{HTTP_HOST} (^|\.)abcdomain2\.com$ [NC]
RewriteRule ^robots\.txt$ robots2.txt [L]

RewriteCond %{HTTP_HOST} (^|\.)abcdomain3\.com$ [NC]
RewriteRule ^robots\.txt$ robots3.txt [L]

Both patterns are anchored on purpose. The host condition requires abcdomain1.com to be the whole host or to follow a dot, so a lookalike such as evil-abcdomain1.com does not match; a bare abcdomain1\.com$ would. The RewriteRule pattern is a regular expression, so an unanchored robots.txt, where the dot matches any character, would also rewrite myrobots.txt, robots.txt.bak or sub/robots.txt. The default domain keeps the plain robots.txt because no rule matches it.
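As an added example that is not part of the original post, the Python below simulates how Apache applies these rules to a request, comparing an unanchored variant (RewriteCond %{HTTP_HOST} abcdomain1\.com$ [NC] with RewriteRule robots.txt robots1.txt [L]) against the anchored one ((^|\.)abcdomain1\.com$ with ^robots\.txt$). Hosts and paths are constructed; the path is the per-directory form mod_rewrite matches in a .htaccess, without the leading slash, and the RewriteRule pattern is matched anywhere in it unless anchored, just as mod_rewrite does.

```python
import re

# Constructed mapping of domain to robots file, as in the post.
SITES = {
    "abcdomain1.com": "robots1.txt",
    "abcdomain2.com": "robots2.txt",
    "abcdomain3.com": "robots3.txt",
}


def build_rules(anchored):
    r"""Return (host_regex, path_regex, target) triples mirroring the .htaccess.

    anchored=False reproduces 'RewriteCond %{HTTP_HOST} abcdomain1\.com$ [NC]'
    and 'RewriteRule robots.txt robots1.txt [L]'; anchored=True uses
    '(^|\.)abcdomain1\.com$' and '^robots\.txt$'.
    """
    rules = []
    for domain, target in SITES.items():
        esc = re.escape(domain)
        if anchored:
            host_re = re.compile(rf"(^|\.){esc}$", re.IGNORECASE)
            path_re = re.compile(r"^robots\.txt$")
        else:
            host_re = re.compile(rf"{esc}$", re.IGNORECASE)
            path_re = re.compile(r"robots.txt")   # unanchored; '.' is a wildcard
        rules.append((host_re, path_re, target))
    return rules


def rewrite(host, path, anchored=True):
    """Apply the rules in order; [L] stops at the first match.

    Returns the internal target file, or the original path when no rule
    applies (that is how the default domain keeps its plain robots.txt).
    RewriteRule replaces the whole path, not just the matched substring.
    """
    for host_re, path_re, target in build_rules(anchored):
        if host_re.search(host) and path_re.search(path):
            return target
    return path


if __name__ == "__main__":
    # Constructed requests: the last four show what the loose patterns let through.
    for host, path in (("abcdomain1.com", "robots.txt"),
                       ("www.abcdomain2.com", "robots.txt"),
                       ("maindomain.com", "robots.txt"),
                       ("evil-abcdomain1.com", "robots.txt"),
                       ("abcdomain1.com", "myrobots.txt"),
                       ("abcdomain1.com", "robotsXtxt"),
                       ("abcdomain1.com", "sub/robots.txt")):
        print(f"{host:22} {path:16} loose={rewrite(host, path, False):12} "
              f"anchored={rewrite(host, path, True)}")
```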

Aug 04

zen cart – .htaccess file to protect the images, cache and bmz_cache folders from attack

To stay compatible with most third-party applications, most hosting servers run a rather permissive common configuration, and that creates potential security problems: Zen Cart's images, bmz_cache and cache directories are globally readable and writable, so anything that manages to drop a file there can then request it over HTTP.

The following .htaccess disables the directory listing of the images directory and blocks any attempt to run a script from it. Put this .htaccess in the Zen Cart images directory for better security.

###############################

# deny *everything*
<FilesMatch ".*">
  Order Allow,Deny
  Deny from all
</FilesMatch>

# but now allow just *certain* necessary files:
<FilesMatch ".*\.(jpe?g|JPE?G|gif|GIF|png|PNG|swf|SWF)$" >
  Order Allow,Deny
  Allow from all
</FilesMatch>

Options -Indexes -ExecCGI

The .htaccess above refuses direct HTTP requests for every file in this directory and its subdirectories, except the approved exceptions (images and Flash). Options -ExecCGI disables CGI execution; a PHP file served through mod_php is not a CGI script and would not be stopped by that alone, but a request for one is already refused by the deny-all FilesMatch before any handler runs, so no script, be it PHP, Perl or anything else, can be executed from here. -Indexes also prevents people from seeing what is in the directory and its subdirectories. Put this file in both the images and the bmz_cache directory; the server configuration must permit the Limit and Options overrides (AllowOverride) for those paths, or the file is ignored.

For the cache directory nothing should be fetched over HTTP at all, so the .htaccess only needs to block every file, script execution and the auto index:

# deny *everything*
<FilesMatch ".*">
  Order Allow,Deny
  Deny from all
</FilesMatch>
Options -Indexes -ExecCGI

Aug 03

apache – globally disable direcory browsing

A Zen Cart website has several folders that must be readable and writable by the Apache user, which is a potential security problem. These are the folders in question:

.
|– bmz_cache
|– cache
|– cgi-bin
|– download
|– editors
|– email
|– images
|– includes
|– media
|– pub
|– tempEP

The list above is the output of the following command, run in the root of a Zen Cart website:

tree -d -L 1

These directories should not be browsable from the web, but the default configuration of most servers makes it possible. Because none of them contains an index.php, a request for the directory without a file name, such as http://www.domain.com/cache or http://www.domain.com/bmz_cache, makes Apache return an automatically generated listing of the directory's contents. For security we therefore turn off Apache's auto-index feature.

Of course we can put a .htaccess file in each directory to disable the auto index,

Options -Indexes

but then we need a .htaccess in every such directory of every Zen Cart website. To disable directory listing globally in the Apache configuration instead:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

OR

<Directory />
    Options FollowSymLinks
    AllowOverride All
</Directory>

Both configurations work: an Options line without + or - replaces Apache's default option set (All, which includes Indexes), so listing only FollowSymLinks switches Indexes off everywhere. Writing Options FollowSymLinks -Indexes, which mixes an absolute option with a relative one, is rejected by Apache at start-up. The second configuration is more flexible, because .htaccess files keep working and you can change settings for some directories while leaving the rest unchanged, and Zen Cart needs .htaccess for SEO URLs and other purposes. The flip side is that with AllowOverride All any .htaccess can turn listings back on with Options +Indexes, so the global setting is a default rather than a guarantee; restrict AllowOverride to what the application really needs, and apply it to the web roots rather than to /, since an override on / also makes Apache look for a .htaccess in every directory along the path of every request.


Apr 21

Apache – how to set up mass virtual hosts with mod_vhost_alias module

If you manage many websites on one Apache server, mass virtual hosting saves both your time and the server's memory. With 10K websites (virtual hosts) you would never want to write a configuration block for each one: the configuration file would run to roughly 70k lines (10k times about 7), and it would slow down Apache's start-up.

Mass virtual hosting creates virtual hosts dynamically without any per-host configuration and without restarting Apache. All you need to do is create a folder under the designated directory and add a DNS record.

Let's look at how to set up mass virtual hosts.

mod_vhost_alias provides the VirtualDocumentRoot directive, which configures the document root of a virtual host dynamically: it lets you tell Apache where to find the documents based on the server name of the request.

UseCanonicalName Off
VirtualDocumentRoot /var/www/vhost/%2+/

%2+ stands for the second dot-separated part of the server name and everything after it, so a request to http://www.example.com/ is served from /var/www/vhost/example.com/ and http://www.example.com/page/test.html resolves to /var/www/vhost/example.com/page/test.html. UseCanonicalName Off makes Apache take the server name from the client's Host header, which is what the interpolation needs.

However, this alone is not enough: for a request to http://example.com/page/test.html, %2+ yields just com, so Apache looks for /var/www/vhost/com/page/test.html and returns a 404 because that file does not exist. You therefore also need to redirect every request for the bare domain to its long www.domain.com form. (Any other subdomain, say shop.example.com, interpolates to example.com too and silently shares the www site's document root.)

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

In the main server configuration the path that RewriteRule matches starts with a slash, so a substitution of the form http://www.%{HTTP_HOST}/$1 after ^(.*)$ would produce a double slash; %{REQUEST_URI} already carries the leading slash, and mod_rewrite appends the original query string by itself.

So I configured Apache as follows, and it works very well:

UseCanonicalName Off
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<Directory "/var/www/vhost">
    AllowOverride All
</Directory>
VirtualDocumentRoot /var/www/vhost/%2+/
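As an added example (not code from the original post or from Apache), the Python below reimplements the %N, %N+, %-N and %N.M name interpolation that VirtualDocumentRoot performs, following the rules in the mod_vhost_alias documentation, and then routes a request the way the configuration above does: a host without the www prefix is redirected, anything else is mapped to a file under /var/www/vhost. Hosts and paths are constructed; a part index past the end of the name interpolates as a single underscore, as the documentation specifies.

```python
import re

DOCROOT_TEMPLATE = "/var/www/vhost/%2+/"   # the VirtualDocumentRoot from the post

# %%, %p, and %N or %N.M where N and M are 0, k, -k, k+ or -k+
SPEC = re.compile(r"%(?:(%)|(p)|(-?\d+\+?)(?:\.(-?\d+\+?))?)")


def select(items, spec):
    """Pick elements of `items` (host parts, or the characters of one part).

    0, 1+ and -1+ mean the whole sequence; k the k-th element; -k the k-th
    from the end; k+ the k-th and everything after it; -k+ the k-th from the
    end and everything before it.  An index past the end yields ['_'].
    """
    plus = spec.endswith("+")
    n = int(spec.rstrip("+"))
    if n == 0 or (plus and abs(n) == 1):
        return list(items)
    if abs(n) > len(items):
        return ["_"]
    if n > 0:
        return list(items[n - 1:]) if plus else [items[n - 1]]
    idx = len(items) + n
    return list(items[:idx + 1]) if plus else [items[idx]]


def interpolate(template, host, port=80):
    """Expand a VirtualDocumentRoot template for the given Host header."""
    parts = host.split(".")

    def expand(m):
        if m.group(1):
            return "%"
        if m.group(2):
            return str(port)
        value = ".".join(select(parts, m.group(3)))
        if m.group(4):                      # %N.M: character(s) within the part
            value = "".join(select(value, m.group(4)))
        return value

    return SPEC.sub(expand, template)


def route(host, path):
    """Model the post's configuration for one request.

    `path` is the URL path with its leading slash (the server-context form).
    Returns ('redirect', url) for a host without the www prefix, otherwise
    ('file', filesystem path) under the interpolated document root.
    """
    if not host.lower().startswith("www."):
        return ("redirect", f"http://www.{host}{path}")
    return ("file", interpolate(DOCROOT_TEMPLATE, host) + path.lstrip("/"))


if __name__ == "__main__":
    # Constructed hosts: note that the bare domain and a non-www subdomain
    # do not land where one might expect.
    for host in ("www.example.com", "example.com", "shop.example.com", "localhost"):
        print(f"{host:18} %2+ -> {interpolate(DOCROOT_TEMPLATE, host)}")
    print(route("example.com", "/page/test.html"))
    print(route("www.example.com", "/page/test.html"))
```

The shop.example.com line is the caveat from the text made concrete: %2+ folds every subdomain onto the parent's document root, so if different subdomains must be separate sites, interpolate %0 (the whole name) and create one folder per full host name instead.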