== Apache ==

=== Note - serving of local files ===

'''Note''': Often the initial installation of Apache has the <tt><Directory /></tt> directive (the directive for the root of the filesystem) set to "Allow from All" in '''[Apache config dir]/sites-available/default'''! This means that the server can serve '''any''' file from the file system, not just the files in the ''htdocs'' document folder, which are typically the only ones you want served!

To avoid this, change the directive to "Deny from All".
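
As an added example (not from the original page), the shell function below reads an Apache configuration and reports whether the <tt><Directory /></tt> block grants access to the whole filesystem, matching both the 2.2-style "Allow from All" described above and its Apache 2.4 equivalent "Require all granted". The two sample configurations are constructed for the demonstration; on a real server you would point the function at '''[Apache config dir]/sites-available/default''' or the main httpd.conf.

```sh
#!/bin/sh
# Added example (not from the original page): report whether the <Directory />
# block of an Apache configuration opens the whole filesystem to the web server.
# Matches the 2.2 syntax "Allow from All" and the 2.4 syntax "Require all granted".

# root_dir_open [CONFIG_FILE]
# Prints every offending directive found inside <Directory /> ... </Directory>
# and returns 0 if at least one was found, 1 otherwise. Reads stdin without a file.
root_dir_open() {
    script='
        # opening tag of the filesystem-root block, with or without quotes
        tolower($0) ~ /^[[:space:]]*<directory[[:space:]]+["]?\/["]?>/ { inroot = 1; next }
        tolower($0) ~ /^[[:space:]]*<\/directory>/                     { inroot = 0; next }
        inroot && tolower($0) ~ /^[[:space:]]*(allow[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+granted)/ {
            print "open root directory: " $0
            found = 1
        }
        END { exit !found }
    '
    awk "$script" "$@"
}

# Constructed sample: the risky default described above.
sample_open_config() {
    cat <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order Allow,Deny
    Allow from All
</Directory>
<Directory /var/www/>
    Allow from All
</Directory>
EOF
}

# Constructed sample: filesystem root denied, only the document root allowed.
sample_closed_config() {
    cat <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order Deny,Allow
    Deny from All
</Directory>
<Directory /var/www/>
    Order Allow,Deny
    Allow from All
</Directory>
EOF
}

# Stand-alone demonstration: check both samples.
for sample in sample_open_config sample_closed_config; do
    if $sample | root_dir_open; then
        echo "$sample: filesystem root is served, change it to Deny from All"
    else
        echo "$sample: OK, filesystem root is not served"
    fi
done
```

The check deliberately ignores other <tt><Directory></tt> blocks, so a correctly opened document root (as in the second sample) is not reported.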

=== Self-Signed SSL Certificate ===

Self-signed certificates are not customer-friendly; if you need https/ssl for customer communication, always use signed certificates, since only those establish trust. But you often have private sections, domains or sites where a self-signed certificate is just fine, or you may just want to test ssl while waiting for the signed certificate.

Only the steps to obtain your certificate are listed here; for details and explanations, see e.g. [http://www.akadia.com/services/ssh_test_certificate.html akadia.com].

<pre># openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# cp server.crt /etc/apache2/cert/ssl.crt
# cp server.key /etc/apache2/cert/ssl.key
# chmod 400 /etc/apache2/cert/ssl.crt /etc/apache2/cert/ssl.key</pre>
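
The steps above are interactive (a passphrase is set and stripped again, and the CSR questions are answered by hand). The script below is an added example, not the page's or akadia.com's procedure: it produces key and certificate in one non-interactive <tt>openssl req -x509</tt> call, uses a 2048-bit key with SHA-256 instead of the 1024-bit key above, adds a subjectAltName (browsers no longer accept a certificate on the CN alone) and checks that the certificate really belongs to the key before the files are copied into place. The scratch directory, the name <tt>ssl-name</tt> and the requirement of OpenSSL 1.1.1 or newer for <tt>-addext</tt> are assumptions of the demonstration.

```sh
#!/bin/sh
# Added example (not from the original page): non-interactive self-signed
# certificate generation with the sanity checks an administrator wants before
# copying the files into /etc/apache2/cert/. Requires OpenSSL 1.1.1+ for -addext.

# make_selfsigned OUTDIR NAME
# Writes OUTDIR/ssl.key (unencrypted, mode 400) and OUTDIR/ssl.crt valid for 365 days.
make_selfsigned() {
    outdir=$1
    name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$name" \
        -addext "subjectAltName=DNS:$name" \
        -keyout "$outdir/ssl.key" -out "$outdir/ssl.crt" 2>/dev/null || return 1
    # same permissions as the manual steps above: readable by the owner only
    chmod 400 "$outdir/ssl.key" "$outdir/ssl.crt"
}

# cert_matches_key OUTDIR -> 0 if the certificate carries the public half of ssl.key
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/ssl.crt")
    key_pub=$(openssl pkey -pubout -in "$1/ssl.key" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_cn OUTDIR -> the CN of the certificate subject; handles both the
# "subject=CN = name" and the "subject= /CN=name" output formats
cert_cn() {
    openssl x509 -noout -subject -in "$1/ssl.crt" | sed 's/.*CN *= *//'
}

# cert_valid_for OUTDIR DAYS -> 0 if the certificate is still valid DAYS days from now
cert_valid_for() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1/ssl.crt" >/dev/null
}

# Stand-alone demonstration in a scratch directory (constructed name: ssl-name)
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    if make_selfsigned "$demo" ssl-name && cert_matches_key "$demo"; then
        echo "generated certificate for CN=$(cert_cn "$demo") in $demo"
        cert_valid_for "$demo" 30 && echo "still valid in 30 days"
    else
        echo "certificate generation or key check failed" >&2
    fi
    rm -rf "$demo"
fi
```

Run <tt>make_selfsigned /etc/apache2/cert ssl-name</tt> as root to write the files to the paths used above; <tt>cert_valid_for</tt> is the check to put into monitoring so the 365-day expiry does not surprise you.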

=== Enable SSL/HTTPS in Apache ===

'''HowTo''': Use the following virtual host definition:

<pre><VirtualHost *:443>
    ServerName ssl-name
    DocumentRoot /var/www/ssl/root
    SSLEngine on
    SSLCertificateFile /etc/apache2/cert/ssl.crt
    SSLCertificateKeyFile /etc/apache2/cert/ssl.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost></pre>

where the ''certificate file'' and the ''certificate key file'' are either authority-signed or self-signed certificate files (the paths used here are the ones from the section above), and add

<pre>NameVirtualHost *:443
Listen 443</pre>

to '''/etc/apache2/ports.conf''' and restart Apache.

=== .htaccess and mod_rewrite Tricks ===

Mostly based on [http://www.queness.com/post/5421/17-useful-htaccess-tricks-and-tips 17 Useful .htaccess Tricks and Tips].

==== General ====

'''1. Set Timezone'''
-----

<pre>SetEnv TZ Australia/Melbourne</pre>
[http://www.php.net/manual/en/timezones.php List of timezones].

'''2. SEO Friendly 301 Permanent Redirects'''
-----

Modern search engines detect 301 Permanent Redirects and update their existing records. The first argument of <tt>Redirect</tt> is the local URL path, the second the full target URL:

<pre>Redirect 301 /home http://www.domain.com/</pre>

'''3. Skip the Download Dialogue'''
-----

The following declares the given types as octet-stream, which makes them download-only: clicking a link to such a resource skips the "open / save" dialog and starts the download immediately.

<pre>AddType application/octet-stream .pdf
AddType application/octet-stream .zip
AddType application/octet-stream .mov</pre>

'''4. Skip or Force www.'''
-----

One of the SEO guidelines is to make sure that only one URL points to your website.

To force URLs without www.:

<pre>RewriteEngine On
RewriteCond %{HTTPS} =off
RewriteCond %{HTTP_HOST} ^www\..+$ [NC]
RewriteRule ^(.*)$ http://domain.com/$1 [L,R=301]</pre>

To force www. in the URL, with the exception of subdom.domain.com:

<pre>RewriteEngine On
RewriteCond %{HTTPS} =off
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{HTTP_HOST} !^subdom\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]</pre>

'''5. Custom Error Pages'''
-----

<pre>ErrorDocument 401 /error/401.php
ErrorDocument 403 /error/403.php
ErrorDocument 404 /error/404.php
ErrorDocument 500 /error/500.php</pre>

'''6. Compress Files'''
-----

You need to have the <tt>deflate</tt> module installed and enabled.

<pre>AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript</pre>

'''7. Cache Files'''
-----

The following example sets caching of multimedia files to 30 days (2592000 seconds):

<pre><FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|swf|js|css|pdf)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch></pre>

'''8. Disable Caching for Certain File Types'''
-----

The following example disables caching of scripts:

<pre><FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch></pre>

'''9. Redirect (Sections) to https://'''
-----

The following forces the /login and /signup sections of your site to use https.

Of course, you should have a signed SSL certificate for this.

<pre>RewriteEngine on
RewriteCond %{HTTPS} =off
RewriteCond %{REQUEST_URI} /login [NC,OR]
RewriteCond %{REQUEST_URI} /signup [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]</pre>

'''10. Simple MVC using .htaccess'''
-----

You can redirect all requests to a single script file and serve content based on REQUEST_URI:

<pre>RewriteEngine On
RewriteRule !robots\.txt|\.(js|ico|gif|jpg|png|css|flv|swf)$ index.php</pre>

'''11. Provide Different Page Versions based on User Agent'''
-----

You can provide different versions of your site for different browsers (e.g. for text-based browsers such as ''links'' or ''Lynx'', and for mobile devices):

<pre>RewriteEngine On

# MSIE
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4(.*)MSIE
RewriteRule ^index\.html$ /index.ie.html [L]

# Netscape / Mozilla
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5(.*)Gecko
RewriteRule ^index\.html$ /index.full.html [L]

# Lynx, text based
RewriteCond %{HTTP_USER_AGENT} ^Lynx/
RewriteRule ^index\.html$ /index.light.html [L]

# Mobile version of your site
RewriteCond %{HTTP_USER_AGENT} ^.*(iPad|iPhone).*$
RewriteRule ^(.*)$ http://ipad.domain.com [R=301]

# All other
RewriteRule ^index\.html$ /index.medium.html [L]</pre>

==== Security ====

'''1. Hotlinking Protection with .htaccess'''
-----

Block all multimedia file requests that do not come from a direct link (empty referer) or from your site:

<pre>RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/.*$ [NC]
RewriteRule \.(gif|jpg|swf|flv|png)$ /no-hotlink.html [R=302,L]</pre>

'''2. Prevent Hacks'''
-----

Block some common malicious URL hacks:

<pre>RewriteEngine On

# proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc/self/environ [OR]

# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]

# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# Send all blocked requests to a page with a 403 Forbidden error!
RewriteRule ^(.*)$ no-way.html [F,L]</pre>
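
To see what these patterns actually catch, here is an added example (not from the original page or the article it is based on) that replays the query-string conditions above against constructed query strings with <tt>grep -E</tt>. Apache evaluates them with PCRE; only the patterns that are also valid POSIX ERE are used, so the <tt>GLOBALS</tt> and <tt>_REQUEST</tt> lines with their PCRE-only escapes are left out. The last sample shows the cost of such blocklists: an ordinary HTML snippet in a query string trips the script-tag condition and gets the same 403 as a real probe.

```sh
#!/bin/sh
# Added example (not from the original page): replay the "Prevent Hacks"
# RewriteCond patterns against constructed query strings with grep -E.
# Apache uses PCRE; only the patterns that are also valid POSIX ERE are listed.

# First column mirrors the .htaccess flag: NC = case-insensitive, - = case-sensitive.
QS_RULES='-  proc/self/environ
-  mosConfig_[a-zA-Z_]{1,21}(=|%3D)
-  base64_encode.*(.*)
NC (<|%3C).*script.*(>|%3E)'

# qs_blocked QUERY_STRING -> prints the matching pattern(s) and returns 0 if the
# request would be answered with 403 Forbidden, 1 if it would pass through.
qs_blocked() {
    qs=$1
    printf '%s\n' "$QS_RULES" | while read -r flags pat; do
        case $flags in NC) ci=-i ;; *) ci= ;; esac
        if printf '%s\n' "$qs" | grep -Eq $ci -e "$pat"; then
            printf 'blocked by %s\n' "$pat"
        fi
    done | grep .
}

# Constructed sample query strings: benign, probe-like, and a benign false positive.
SAMPLES='id=42&sort=asc
page=../../proc/self/environ
option=com_content&mosConfig_absolute_path=http://example.invalid/
text=base64_encode(payload)
q=%3CSCRIPT%3Etest%3C/SCRIPT%3E
q=<b>subscript</b>'

# Stand-alone demonstration: show the verdict for every sample.
printf '%s\n' "$SAMPLES" | while IFS= read -r qs; do
    if qs_blocked "$qs" >/dev/null; then
        echo "403  $qs"
    else
        echo "pass $qs"
    fi
done
```

Note that <tt>q=&lt;b&gt;subscript&lt;/b&gt;</tt> is refused only because "script" occurs between a <tt>&lt;</tt> and a <tt>&gt;</tt>; the patterns are a coarse first line and no replacement for validating input in the application.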

'''3. Block Access to Your .htaccess File'''
-----

<pre># secure .htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from All
</Files>

# prevent viewing of a specific file
<Files secretfile.jpg>
Order Allow,Deny
Deny from All
</Files>

# multiple files / file types
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from All
</FilesMatch></pre>

'''4. Rename .htaccess Files'''
-----

<pre>AccessFileName htacc.ess</pre>

'''5. Disable Directory Browsing'''
-----

<pre># disable directory browsing
Options All -Indexes

# enable directory browsing
Options All +Indexes</pre>

'''6. Change Default Index Page'''
-----

<pre>DirectoryIndex my-home.html</pre>

'''7. Block Unwanted Visitors based on Referring Domain'''
-----

The last condition must not carry the [OR] flag: a trailing [OR] makes the rule apply to every request.

<pre># block visitors referred from indicated domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} scumbag.com [NC,OR]
RewriteCond %{HTTP_REFERER} wormhole.com [NC]
RewriteRule .* - [F]</pre>
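
The two referer-based blocks above (hotlink protection in item 1 and the referring-domain block in item 7) depend on how mod_rewrite chains its conditions: conditions are ANDed, a condition flagged <tt>[OR]</tt> is ORed with the next one, and <tt>!</tt> negates a pattern. The script below is an added example and not code from the original page: it emulates that evaluation in POSIX shell with <tt>grep -E</tt> (every condition is treated as <tt>[NC]</tt>, as in the blocks above) and runs it over constructed Referer values. It shows two things worth knowing about such blocks: a trailing <tt>[OR]</tt> on the last condition makes the rule fire for every request, and the unescaped form <tt>^http://(www.)?domain.com/.*$</tt> of the hotlink pattern accepts a look-alike referer such as <tt>http://wwwxdomain.com/</tt>, while the escaped <tt>^http://(www\.)?domain\.com/.*$</tt> does not.

```sh
#!/bin/sh
# Added example (not from the original page): emulate how mod_rewrite chains
# RewriteCond lines, using grep -E for the pattern match. All conditions are
# treated as case-insensitive ([NC]), as in the .htaccess blocks above.

# conds_match VALUE COND...
# Each COND is "PATTERN" or "PATTERN,OR"; a leading "!" negates the pattern.
# Returns 0 if the RewriteRule following the conditions would be applied.
conds_match() {
    value=$1
    shift
    skipping=0
    for cond in "$@"; do
        case $cond in
            *,OR) pat=${cond%,OR}; ornext=1 ;;
            *)    pat=$cond;       ornext=0 ;;
        esac
        neg=0
        case $pat in
            '!'*) neg=1; pat=${pat#!} ;;
        esac
        if [ "$skipping" = 1 ]; then
            # an earlier [OR] condition matched: skip the rest of its group,
            # including the group's final condition without [OR]
            [ "$ornext" = 0 ] && skipping=0
            continue
        fi
        if printf '%s\n' "$value" | grep -Eiq -e "$pat"; then
            rc=1
        else
            rc=0
        fi
        [ "$neg" = 1 ] && rc=$((1 - rc))
        if [ "$rc" = 1 ]; then
            # matched: with [OR] the whole group is satisfied
            [ "$ornext" = 1 ] && skipping=1
        elif [ "$ornext" = 0 ]; then
            # a plain (ANDed) condition failed: the rule is not applied
            return 1
        fi
        # a failed [OR] condition simply hands over to the next one
    done
    # No ANDed condition failed, so the rule applies. This point is also reached
    # when the last condition carried [OR] and failed: a trailing [OR] makes the
    # rule fire unconditionally.
    return 0
}

# The blocks above expressed as condition lists (domain.com is the page's placeholder).
# Hotlink protection (item 1) with escaped dots: empty referer and own site pass.
hotlink_blocked() {
    conds_match "$1" '!^$' '!^http://(www\.)?domain\.com/.*$'
}
# The same rule with unescaped dots.
hotlink_blocked_unescaped() {
    conds_match "$1" '!^$' '!^http://(www.)?domain.com/.*$'
}
# Referring-domain block (item 7), last condition without [OR].
referer_blocked() {
    conds_match "$1" 'scumbag.com,OR' 'wormhole.com'
}
# Referring-domain block with a trailing [OR] on the last condition.
referer_blocked_trailing_or() {
    conds_match "$1" 'scumbag.com,OR' 'wormhole.com,OR'
}

# Stand-alone demonstration over constructed Referer values.
for ref in '' 'http://www.domain.com/gallery' 'http://wwwxdomain.com/' 'http://example.org/'; do
    hotlink_blocked "$ref" && hl=blocked || hl=allowed
    hotlink_blocked_unescaped "$ref" && hl_raw=blocked || hl_raw=allowed
    referer_blocked "$ref" && dom=blocked || dom=allowed
    referer_blocked_trailing_or "$ref" && dom_or=blocked || dom_or=allowed
    printf 'referer=%-32s hotlink: %s (unescaped: %s)  domain block: %s (trailing OR: %s)\n' \
        "'$ref'" "$hl" "$hl_raw" "$dom" "$dom_or"
done
```

The emulation follows the rule that a matched <tt>[OR]</tt> condition skips the remaining conditions of its group and that a failed plain condition ends evaluation; it is enough to reason about referer blocks, but it does not implement mod_rewrite's other flags or variables.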
− | | + | |
− | '''8. Blocking Request based on User-Agent Header'''
| + | |
− | -----
| + | |
− | | + | |
− | <pre># block certain bots and spiders
| + | |
− | SetEnvIfNoCase ^User-Agent$ .*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures) HTTP_SAFE_BADBOT
| + | |
− | SetEnvIfNoCase ^User-Agent$ .*(libwww-perl|aesop_com_spiderman) HTTP_SAFE_BADBOT
| + | |
− | Deny from env=HTTP_SAFE_BADBOT</pre>
| + | |
− | | + | |
− | '''9. Secure Directories by Disabling Execution of Scripts'''
| + | |
− | -----
| + | |
− | | + | |
− | <pre>AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
| + | |
− | Options -ExecCGI</pre>
| + | |
− | | + | |
− | == Other ==
| + | |
− | | + | |
− | ==== Password Generators ====
| + | |
| | | |
| * '''PHP''' - replace the '16' with length of the generated password (28 is most you can get): | | * '''PHP''' - replace the '16' with length of the generated password (28 is most you can get): |
Line 296: |
Line 12: |
| | | |
| == External Links == | | == External Links == |
− |
| |
− | === Apache ===
| |
− |
| |
− | * [http://httpd.apache.org/docs/2.0/howto/htaccess.html .htaccess files in Apache2]
| |
− | * [http://httpd.apache.org/docs/2.0/programs/htpasswd.html htpasswd utility in Apache2]
| |
− | * [http://httpd.apache.org/docs/2.0/howto/auth.html Authentication, Authorization and Access Control in Apache2]
| |
− |
| |
− | === Other ===
| |
| | | |
| * [http://blogs.sun.com/jkini/entry/how_to_scp_scp_and How To scp, ssh and rsync without prompting for password] | | * [http://blogs.sun.com/jkini/entry/how_to_scp_scp_and How To scp, ssh and rsync without prompting for password] |