Re: [us...@httpd] Hardening Apache against attacks

2010-10-26 Thread Jason Nunnelley
 Why .htaccess? Security tip #1 should be 'disable .htaccess'. Performance
 tip #1 too.

I'm not running a vhost clients can control. I'm running a vhost for
production sites my dev team manages, and I don't always want my dev
team restarting Apache to make changes. Also, .htaccess is in version
control (along with all other important app and config files). Aside
from the chance your users will modify .htaccess, why would you
disallow .htaccess? I assume disallowing overrides allows you to set
permissions and behavior in stone. But, it sure makes for a nice tool
to handle redirect changes, new file type restrictions, etc.

--

Jason N

-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



[us...@httpd] Hardening Apache against attacks

2010-10-24 Thread Jason Nunnelley
I've done a few things already: blocked certain IP blocks, blocked known
problematic user agents. I'm trying to collect a list of Apache and
site hardening (.htaccess) methods. Please share your favorite.

Jason N




Re: [us...@httpd] htaccess format howto question

2010-05-13 Thread Jason Nunnelley

On 5/13/10 8:08 PM, David Banning wrote:

I am wondering how I might do a .htaccess redirect if I want to redirect

domain.com/index.php?id=606

to domain.com


Same domain (as I assume because domain.com and domain.com are the same).

First, you'll need to set up the rewrite basics.

RewriteEngine On
RewriteBase /

Then, the specific rule.

RewriteRule ^$ http://www.domain.com [R,L]

This is what you'd do if it's a different domain from any and all URLs 
at that website. Just for example.


RewriteCond %{QUERY_STRING} ^id=606$
RewriteRule ^index\.php$ /? [R,L]

Is going to look for index.php on that domain.

This may redirect the URL to where you're trying to get.

There's other folks here that do better with the regular expressions and 
.htaccess stuff than me. Maybe this will get the party started.


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] Internet Explorer 6

2010-05-11 Thread Jason Nunnelley

W3Schools publishes a data sheet. I assume it's based on good collection.

http://www.w3schools.com/browsers/browsers_stats.asp

On 5/11/10 7:31 AM, Malka Cymbalista wrote:
Does anyone have any statistics as to how many people still use 
Internet Explorer 6? We are trying to decide whether we can stop 
supporting it.

Thanks for any information


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]



Re: [us...@httpd] Internet Explorer 6

2010-05-11 Thread Jason Nunnelley

On 5/11/10 8:13 AM, Lester Caine wrote:

Malka Cymbalista wrote:

Does anyone have any statistics as to how many people still use Internet
Explorer 6? We are trying to decide whether we can stop supporting it.


The remaining problem is that W2k is still widely used, and so IE6 is 
the only browser available to those users. Perhaps it is time to 
convince those councils that can't afford to replace hardware that 
Firefox IS a more popular browser and more secure :)


Is Firefox compatible with a machine running Win2k? I'm not sure how 
practical that really is, if you're trying to get anything productive 
done online. Firefox is quite heavy on its own and you'd have to tweak 
your add-ons quite a bit to limit resource usage.


Maybe we just have to realize that the PDLC of internet applications is 
quite a bit smaller than 10 years.


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] Apache Sending Email?

2010-05-11 Thread Jason Nunnelley
 I know. Have any ideas why the email address is apa...@xxx.xxx? 
Apache exploit? Just trying to understand.


It's Apache. I'm guessing your web server runs as apache so that's why 
it's sending email as apache. It doesn't mean Apache is compromised, 
but it may mean you have a publicly writable directory that has a 
script. The best thing for you to do is look at the email header and see 
what script generated the email. It may tell you. osCommerce, Wordpress, 
Drupal, etc. all have built in email scripts that sometimes get 
hijacked. Or, someone can upload a file if you have a world writable 
directory that also executes scripts.


You may want to configure all directories that are writeable so folks 
can upload files as no-exec directories in your Apache config.


Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]
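
A check for the condition described in the message above, world-writable directories under a document root that also hold script files (an added example, not part of the original post). The extension list, function names and demo tree are assumptions for illustration.

```python
import os
import stat
import tempfile

# Assumption: extensions this server hands to an interpreter; adjust to your config.
SCRIPT_EXTS = {".php", ".phtml", ".cgi", ".pl", ".py", ".sh"}


def script_extensions(filename):
    """Return the script extensions found anywhere in the file name.

    mod_mime looks at every extension of a name, so with an AddHandler
    mapping a file such as 'report.php.txt' can still reach the PHP handler.
    """
    parts = filename.lower().split(".")[1:]
    return sorted({"." + p for p in parts} & SCRIPT_EXTS)


def audit_docroot(docroot):
    """List world-writable directories under docroot and the scripts in them."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        mode = os.stat(dirpath).st_mode
        if not mode & stat.S_IWOTH:
            continue  # not writable by "other": outside the case discussed
        findings.append({
            "dir": os.path.relpath(dirpath, docroot),
            "mode": stat.filemode(mode),
            "scripts": sorted(f for f in filenames if script_extensions(f)),
            # An .htaccess here could re-enable handlers unless overrides are off.
            "htaccess": ".htaccess" in filenames,
        })
    # Directories that already contain scripts come first.
    findings.sort(key=lambda f: (not f["scripts"], f["dir"]))
    return findings


def build_demo_tree():
    """Constructed sample tree: one world-writable upload dir, one normal dir."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.chmod(root, 0o755)
    for name, mode in (("uploads", 0o777), ("static", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for rel in ("uploads/mailer.php", "uploads/photo.jpg", "static/index.php"):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    for finding in audit_docroot(build_demo_tree()):
        print(finding)
```

Directories it reports are the candidates for serving without script handlers and with `AllowOverride None`, or for tightening permissions.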





Re: [us...@httpd] Reliable combined log sorting

2010-05-09 Thread Jason Nunnelley

On 5/9/10 10:36 AM, Eike Frost wrote:

Hi Jason,

On Sun, May 9, 2010 at 5:41 AM, Jason Nunnelley ja...@jasonn.com wrote:


In our configuration of Apache we push all logs to a single file
via syslog-ng. I need to create some basic log analysis (like
AWstats style) for a single domain out of several domains that
post to that file. Any suggestions on a simple solution?


What LogFormat are you using, precisely ? And what, precisely, is the 
problem you are having (you mention sorting in the subject, but 
nothing related to it in the body).


I decided to punt and just grep out the lines I needed. It does have the 
%v config in the Apache conf. Most of what I'm dealing with are old 
logs, so I'm not so much looking (yet) to create better logs in the 
future (which seems to me would be best to split out by virtual host).


This is the config I have for cranking out some AWstats. My lazy punt 
solution was to just grep out the lines that relate to my vhost of 
choice, perhaps I could set a simple perl script to split those into 
appropriate segregated logs.


My log config:
LogFormat = "%other %other %other %other %virtualname %host %other %logname %time1 %methodurl %code %bytesd"



This is an actual log example for one vhost in the combined file.

2010-05-09T16:18:44-0400 local3.info domID-XX-XX-XX-XX-XX-XX http: 
www.domain.com 10.10.10.XX - - [09/May/2010:16:18:43 -0400] GET 
/galleries/image.jpg HTTP/1.1 200 28553 
http://www.domain.com/swf/include/nav.swf; Mozilla/4.0 (compatible; 
MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 
3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)


I have two sets of log types to deal with: historical logs; future logs.

--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]
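
One way to do the per-vhost split described in this message, in Python rather than Perl (an added example, not code from the original post). It assumes the five-field syslog-ng prefix shown in the sample log line; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import Path

# Fields syslog-ng puts in front of the Apache line in the sample above:
# timestamp, facility.level, host id, program tag ("http:"), then the vhost.
PREFIX_FIELDS = 5

# Conservative host name check, applied before the vhost is used as a file name.
# %v comes from the server config, but %V or %{Host}i can carry a client-supplied name.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(?:\.{LABEL})*$")


def parse_line(line):
    """Return (vhost, apache_line), or None if the line does not fit the layout."""
    parts = line.rstrip("\r\n").split(None, PREFIX_FIELDS)
    if len(parts) != PREFIX_FIELDS + 1 or parts[3] != "http:":
        return None
    vhost = parts[4].lower().rstrip(".")
    if not HOSTNAME_RE.match(vhost):
        return None  # anything that is not a plain host name never becomes a path
    return vhost, parts[5]


def split_by_vhost(lines, only=None):
    """Group Apache lines by vhost; return (groups, rejected_line_numbers)."""
    groups, rejected = defaultdict(list), []
    for number, line in enumerate(lines, start=1):
        parsed = parse_line(line)
        if parsed is None:
            rejected.append(number)
            continue
        vhost, apache_line = parsed
        if only is None or vhost in only:
            groups[vhost].append(apache_line)
    return dict(groups), rejected


def write_vhost_logs(groups, outdir):
    """Append each group to <outdir>/<vhost>.log and return the paths written."""
    out = Path(outdir).resolve()
    out.mkdir(parents=True, exist_ok=True)
    written = {}
    for vhost, apache_lines in groups.items():
        target = (out / f"{vhost}.log").resolve()
        if target.parent != out:  # second check: a symlink must not redirect the write
            raise ValueError(f"refusing to write outside {out}: {target}")
        with open(target, "a", encoding="utf-8") as fh:
            fh.writelines(text + "\n" for text in apache_lines)
        written[vhost] = target
    return written


# Constructed sample lines in the layout of the log line quoted above
# (names and addresses are made up; the quoting of the request is an assumption).
SAMPLE = [
    '2010-05-09T16:18:44-0400 local3.info web01 http: www.domain.com 10.10.10.5 - - '
    '[09/May/2010:16:18:43 -0400] "GET /galleries/image.jpg HTTP/1.1" 200 28553 "-" "Mozilla/4.0"',
    '2010-05-09T16:18:45-0400 local3.info web01 http: WWW.Other.NET 10.10.10.6 - - '
    '[09/May/2010:16:18:45 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '2010-05-09T16:18:46-0400 local3.info web01 http: www.domain.com 10.10.10.7 - - '
    '[09/May/2010:16:18:46 -0400] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '2010-05-09T16:18:47-0400 local3.info web01 http: ../../tmp/x 10.10.10.8 - - '
    '[09/May/2010:16:18:47 -0400] "GET / HTTP/1.1" 400 226 "-" "-"',
    '2010-05-09T16:18:48-0400 local3.info web01 sshd: unrelated syslog noise',
]

if __name__ == "__main__":
    groups, rejected = split_by_vhost(SAMPLE)
    for vhost, apache_lines in sorted(groups.items()):
        print(vhost, len(apache_lines))
    print("rejected line numbers:", rejected)
```

The lines written per vhost no longer carry the syslog prefix, so a stock combined-format parser can read them.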



[us...@httpd] Reliable combined log sorting

2010-05-08 Thread Jason Nunnelley
In our configuration of Apache we push all logs to a single file via 
syslog-ng. I need to create some basic log analysis (like AWstats style) 
for a single domain out of several domains that post to that file. Any 
suggestions on a simple solution?


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] Two Name-Based Virtual Hosts : Two SSL Certificates?

2010-04-24 Thread Jason Nunnelley

On 4/24/10 4:42 PM, Wang, Mary Y wrote:

Crypto,

Thanks for the info on SNI.  I'm currently running on httpd-2.0.46, therefore, 
SNI support is not there. The browsers support listed on that wiki can't 
support the browser versions that are offered in the company currently. The 
application is running on Redhat 3.9.

Are you saying that I can request two IPs for the same server?  I'd need to 
contact our admin over here.  I am not sure if we can request a wildcard cert 
either.

If I just request another SSL cert for the second site (not doing any of the 
methods that you listed below), would Apache still use the default SSL 
cert for the main site? The user would still get that warning?  Is that what 
you are saying?

Please advise.


Mary, you've got a few options here.

1) Upgrade your server and run SNI even though most sys admins refuse to 
run it. Not likely going to be your pick.
2) Add an IP number to your server and run multiple IPs, allowing you to 
set up traditional IP based SSL hosting. You have to do 1 IP per SSL 
cert if you do this. This is an IP on the server. So, you'll configure 
the server to take an extra IP and then add the IP to the configuration 
for the SSL Apache config.
3) Run a unified multi-domain SSL certificate. You'll have to buy a new 
certificate from someone who sells a unified certificate. It means you 
can run multiple domains on the same IP, each with different domain 
names, but hosted on the same IP. Some call this a wildcard SSL cert. 
But, typical wildcard SSL certs are meant for X.domain.com and not X.com 
and Y.com. You'll want a cert where you can assign multiple domains to 
the single cert.


Most host providers will sell you an IP for this purpose, if it's an 
actual physical server. If it's ephemeral (cloud hosting), that's likely 
not an option.


You can not run multiple domain certificates without either IP based SSL 
configuration or SNI. IP based SSL certificates will apply the first 
certificate it finds in the configuration. The second is an error, or 
superfluous. It's actually a broken configuration and you should receive 
an apachectl configtest error message if you test the configuration.


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] Two Name-Based Virtual Hosts : Two SSL Certificates?

2010-04-24 Thread Jason Nunnelley

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

I tend to trust the Apache wiki. It says Safari 3.2.1 on Mac OS X 10.5.6 
is supported. No notes on iPhone.


IE7 on XP is not supported. There's an awful lot of XP boxes running IE7 
(some still running IE6).


http://www.w3schools.com/browsers/browsers_stats.asp

On 4/24/10 5:08 PM, Michael Ni wrote:

i think people have been saying SNI does not satisfy Safari browser.

the ssl warning still pops up.  can someone verify?


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]



[us...@httpd] Redirect all requests /BUT/ a given directory/URIs

2010-04-22 Thread Jason Nunnelley
Any of you Apache geniuses know how to .htaccess redirect everything BUT 
a given directory path?


And, I'll add another twist: it's another URL I need to write. So, I 
need local/page.html to rewrite remote/page.html in every case but 
local/specified_directory.


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] Alias, Virtual Host and 500 Internal Server Error

2010-04-22 Thread Jason Nunnelley

On 4/22/10 1:29 PM, Wang, Mary Y wrote:

...
Apache/1.3.27 
   


Apache doesn't typically misrepresent itself. I'd look into this first. 
Trace the IPs and the domain and make absolutely sure your domain is 
pointing to the right server.


You can also go to the machine (host) and do something like: ps -aux | 
grep apache or ps -aux | grep httpd to see what servers are running. You 
may be running separate instances of Apache and one of them is in fact 
Apache 1.x. This would explain both the error and the peculiar 
misrepresentation about the version of Apache. I'm betting you missed an 
IP directive in DNS or perhaps a config in Apache. But, I'd start with 
the erroneous Apache pronouncement. Find out why that's happening first.


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] multiple SSL on one computer - IP

2010-04-21 Thread Jason Nunnelley



does anyone else have a better solution? besides using SNI


The fastest, easiest way to do this is a shared SSL certificate. I've used 
Digicert's unified cert to solve this very problem.


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] multiple SSL on one computer - IP

2010-04-21 Thread Jason Nunnelley
There are probably competing, if not free, methods of achieving the same 
end. If you need a branded cert, this is a good company. I endorse them 
and I'm not a reseller :) Maybe I should be. But, they helped me out of 
a bind more than once and it's a great solution for cloud or ephemeral 
server SSL solutions.


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] multiple SSL on one computer - IP

2010-04-21 Thread Jason Nunnelley
Blah! I guess a link would be nice: 
http://www.digicert.com/unified-communications-ssl-tls.htm


On 4/21/10 8:55 PM, Jason Nunnelley wrote:
There are probably competing, if not free, methods of achieving the 
same end. If you need a branded cert, this is a good company. I 
endorse them and I'm not a reseller :) Maybe I should be. But, they 
helped me out of a bind more than once and it's a great solution for 
cloud or ephemeral server SSL solutions.




--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] Re: Apache module that enables ActiveX

2010-04-20 Thread Jason Nunnelley

On 4/20/10 8:06 AM, Eric Covener wrote:

On Tue, Apr 20, 2010 at 8:28 AM, Eli Mazinema...@verizon.net  wrote:
   

Html   experience  see under emaz   I am on the road   call me if you need
something  on my cel
 

Don't post this garbage on this mailing list.


Or, a slightly nicer way to say this - there's a Reply all feature in 
email. Use it. Delete the list email address from the recipients. We 
don't want to read your interpersonal back and forth. It's fine, just 
not public or useful to any of the rest of us. Since most of us read 
hundreds, if not thousands of messages each and every day, we tend to 
tire quickly of personal communications that don't include us.


If it's private, keep it private. If it's about Apache (and can help us 
all), post it here.


Cheers,

--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] ServerLimit and MaxClients

2010-04-17 Thread Jason Nunnelley
ServerLimit and MaxClients are relatively light weight (per instance). 
You need to do some math here, and it depends on your resources. The 
math isn't super simple. There's a static amount of cache memory you can 
calculate for each instance. Google and see what folks say about it.


When you max out this number, you get no more instances - no more 
connections until you have more available. When you hit this ceiling 
it's a hard ceiling, the end viewer gets a failure to connect error. So, 
whatever you do you'll want to make sure you have more resources than 
visitors. An inefficient application can waste instances and keep them 
tied up for longer periods of time. People serving simple website page 
views seldom have a problem.


Like I said, the math here is more complex than ServerLimit/MaxClients * 
X = Y.



On 4/17/10 1:40 AM, Brent Clark wrote:

Hiya

What are the consequences of an overly increased ServerLimit and 
MaxClients? And to add to this puzzle: what if the number of Apache 
processes reaches that limit?


Kind Regards
Brent Clark





--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] apache2.2 + ssl

2010-04-12 Thread Jason Nunnelley

mod_redirect if it's something you want to force.

On 4/12/10 3:35 PM, motty.cruz wrote:


Hello,

I have apache 2.2 running on FreeBSD. Apache is working fine but when 
I go to


Machinename.domain.com defaults to http://machine.domain.com/ instead 
of https://machine.domain.com/


I have looked around, I don't seem to get a solid answer to get apache to 
redirect users to https not http


Any suggestions?

Thanks in advance,

-Motty



--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]



Re: [us...@httpd] virtualhost not picking up for non port 80

2010-04-12 Thread Jason Nunnelley
The conf VirtualHost must include the hostname and the port. You could 
just add * to indicate it should listen to all ports.


I'm not sure what the 8886 port has to do with your problem - not sure 
it has anything to do with it. You need a Listen *:80 or 192.168.1.1:80 
for it to listen on port 80.


On 4/12/10 4:51 PM, Michael Ni wrote:

tried it, still doesn't work,

i dont think it needs to be that specific right?

Listen 192.168.0.10 should work.

On Mon, Apr 12, 2010 at 8:07 AM, alin vasile alinachegal...@yahoo.com wrote:


in httpd.conf it shouldn't be

Listen 192.168.0.10:8886?


*From:* Michael Ni michael...@gmail.com
*To:* users@httpd.apache.org
*Sent:* Mon, April 12, 2010 5:39:42 PM
*Subject:* Re: [us...@httpd] virtualhost not picking up for non port 80

yes i have

Listen 8886
in the httpd.conf file

i tried changing the private ip to localhost, it doesn't work as well



On Mon, Apr 12, 2010 at 7:33 AM, Frank Gingras francois.ging...@gmail.com wrote:

Michael,

Make sure you have a corresponding Listen directive before
your vhost as well for that port.

Frank.


On 04/12/2010 10:20 AM, Michael Ni wrote:

i added log in virtual host
   ErrorLog logs/asdf-error.log
   CustomLog logs/asdf-access.log common

when i tried again, nothing shows up on both

i also did a httpd -S and got the following

C:\Program Files\Apache Software Foundation\Apache2.2\bin>httpd -S
VirtualHost configuration:
192.168.0.10:8886 is a NameVirtualHost
 default server www.foobar.com (C:/Program Files/Apache Software Foundation/Apache2.2/conf/extra/httpd-vhosts.conf:52)
 port 8886 namevhost www.foobar.com (C:/Program Files/Apache Software Foundation/Apache2.2/conf/extra/httpd-vhosts.conf:52)
Syntax OK

but it just won't pick up for some reason


On Mon, Apr 12, 2010 at 7:12 AM, [triplepack] info i...@pack3.ch wrote:

   On 12.04.2010 16:00, Michael Ni wrote:

   I'm having difficulty on windows XP getting a virtualhost to work
   with non port 80.
   it works when i use port 80 in the virtualhost but doesn't work
   with other ports.
   i have turned off my firewall, although this is private ip,
   shouldn't matter
   i have tried ports 8080, , 8000, and now with 8886.
   when it doesn't match my virtualhost, it will redirect to the main
   configuration servername automatically
   if i turn off the all other listen and only keep listen 8886,
   i will just be unable to connect
   i have searched all over the internet but i can't find the solution.

   hope someone can help.

   the following is my config

   WINDOWS HOSTS FILE
   192.168.0.10 www.foobar.com

   HTTPD.CONF
   Listen 8886

   HTTPD-VHOSTS.CONF
   NameVirtualHost 192.168.0.10:8886

   <VirtualHost 192.168.0.10:8886>
     <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
       Options Indexes FollowSymLinks
       AllowOverride none
       Order allow,deny
       Allow from all
     </Directory>

     ServerName www.foobar.com
     DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
   </VirtualHost>


   Hi Michael,

 

Re: [us...@httpd] Centralized logging.

2010-04-10 Thread Jason Nunnelley

On 4/10/10 10:04 AM, Ray Van Dolson wrote:

Why not use splunk.


--

Way too expensive.  I think this space could use some competition. :)

(Splunk is pretty awesome however though it wouldn't help me in this
particular case really...).
   


I keep hearing about folks and Splunk, and would love to try it out. 
But, I'm pulling 5-50G a day in log files.


I'd love some conversation here about better log reading techniques and 
reporting packages.


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





Re: [us...@httpd] Centralized logging.

2010-04-08 Thread Jason Nunnelley

I'm using syslog-ng. It does the job.

A nice little rsync script is nice, but you're still storing log files 
on the individual servers until you run some rsync and delete script. 
This can be risky if resources are limited or machines are ephemeral.


NFS has its own issues as well. You've got to ask yourself "What's my 
plan B?" and write that into your logging config/scripts.


On 4/8/10 3:52 PM, Ray Van Dolson wrote:

So how are people out there in mailing list land handling centralized
logging?

I'd like to mirror my web farm's logfiles on a central server, but want
to be sure to preserve the W3C-ness so it's easy to run awstats, etc
against them from off this central box.

The options I see so far are:

 - Piping to syslog via external process (perl script, etc).
 * Downside being that we end up with syslog timestamps
 - Pipe to something like netcat
 * Custom-ish / hacky
 - Fire off some sort of synchronization process from central box to
   pull in logs (rsync) periodically.
 * Asynchronous -- there's a somewhat large window of time where
   logs will be missing on the internal server.
 - Log directly to shared, remote file server (via NFS)
 * Log server network issues or technical problems could affect
   Apache servers

How do you guys typically deal with this?

Ray



   


--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]





[us...@httpd] Apache regex config for mass redirects

2010-04-06 Thread Jason Nunnelley

The goal: to provide for three kinds of applications and application
structures (file structure driven here, so you don't have to understand
what the applications are or do to understand what I'm trying to
accomplish) in a single front end configuration.

All app servers share same front ends, so they need to share the same
Apache configuration.  So, this is just like one host, one Apache
config, one IP. It's complex, but it's actually quite simple once it
resolves. The file location is universal, so the apache config would
work on a single host as well as a HAProxy fronted application server.

1st, I have some specified domains which require me to add them to the
config and then perform an apache graceful (restart). The goal here is
to get away from the requirement to do a restart by using a redirect or
reroute file for each of the potential domain names.

# Single app shared space domains based on domain1
RewriteCond %{REQUEST_URI} !^/icons/
RewriteCond %{SERVER_NAME} ^(.*)?\.?(domain1|domain2|domain3)\.(com|net)$
RewriteCond /mnt/www/domain1_files/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !/mnt/www/domain1/maintenance.html
RewriteCond %{SCRIPT_FILENAME} !^(.+).(gif|png|jpg|css|js|swf)$
RewriteRule ^.*$ /mnt/www/domain1/maintenance.html [L]
RewriteCond %{REQUEST_URI} !^/icons/
RewriteCond %{SERVER_NAME} ^(.*)?\.?(domain1|domain2|domain3)\.(com|net)$
RewriteRule ^/(.*)$ /mnt/www/domain1/public_html/$1 [L]

So, notice that I'm testing for a particular set of domains, then
pushing any domain that matches the list to a file location. In this
case they all share domain1's file source, since it handles all the
sites that are of like kind. Our application parses the domain based on
how Apache receives the request - so domain2.com is handled by
domain1.com's file system and app but the database spits back its
discrete content.

All these domains are managed by the same software, so they use the same
file system location. Instead of pushing them to discrete file system
locations like those below (which go to file/named/after/domain/public_html)

Here's how I serve my directory based websites:

# Production Discrete Sites
RewriteCond %{REQUEST_URI} !^/icons/
RewriteCond /mnt/www/production/www.%{SERVER_NAME} -d
RewriteRule ^/(.*)$ http://www.%{SERVER_NAME}/$1 [L]
RewriteCond %{REQUEST_URI} !^/icons/
RewriteRule ^/(.*)$ /mnt/www/production/${lowercase:%{SERVER_NAME}}/public_html/$1 [L]

I have two or three of the situations above, where application servers
run different apps. What I'm trying to figure out is how to redirect
them based on a redirect file as they come in as an apache server request.

Here's an example of a rewrite rule that works for redirecting to an
URL. What I need to do is redirect to a file location to serve the
website's application/files.

# Setup redirect map
RewriteMap redirects txt:/mnt/www/.redirect_map
RewriteMap lowercase int:tolower
RewriteCond %{REQUEST_URI} !^/icons/
RewriteCond ${redirects:%{SERVER_NAME}|notfound} !^notfound$
RewriteCond %{REQUEST_URI} !^/$
RewriteRule ^(/.*)$ http://${redirects:%{SERVER_NAME}}$1 [L]
RewriteCond %{REQUEST_URI} !^/icons/
RewriteCond ${redirects:%{SERVER_NAME}|notfound} !^notfound$
RewriteRule ^/$ http://${redirects:%{SERVER_NAME}} [L]

What I'm trying to do is combine the best of three processes. I'd like
to add a redirect/cond to send URL requests to an app or file location
based on the redirect map.

So, instead of a redirect map that looks like this:

domain1  domain1.com
domain2 domain2.com/domain2content

I'd like to do something more like this:

domain1 /mnt/www/domain1.com
domain2 /mnt/www/domain1.com
domain3 /mnt/www/domain3.com

And so forth.

The goal here is to automate things and cut down on apache restarts.
Also, I intend to leave the redirect rule that sends all remaining
www.domain requests to the www.$DOMAIN file location for that website's
discrete application files.


Opinions, ideas, etc. are solicited.



--

Jason A. Nunnelley
http://www.google.com/profiles/imjasonn