Old 08-29-2011, 04:01 PM
Always Learning
 
Default (c 5.6) Running 2 versions of Apache ?

Just wondering how to run 2 versions of Apache on the same server,
listening on different IPs and both on port 80.

Does one give them, the httpd, different names and effectively duplicate
most of the Apache set-up ?

I use Apache's virtual hosts facility for normal purposes but this is
for a different project.

Thank you.

Paul.




_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-29-2011, 04:13 PM
Ray Van Dolson
 
Default (c 5.6) Running 2 versions of Apache ?

On Mon, Aug 29, 2011 at 05:01:13PM +0100, Always Learning wrote:
>
> Just wondering how to run 2 versions of Apache on the same server,
> listening on different IPs and both on port 80.
>
> Does one give them, the httpd, different names and effectively duplicate
> most of the Apache set-up ?
>
> I use Apache's virtual hosts facility for normal purposes but this is
> for a different project.
>
> Thank you.
>
> Paul.

First, this sounds like a messy way to do it... spinning up another
OS instance with the appropriate version of Apache you are after sounds
cleaner...

However...

As long as you keep your various Apache installs from stepping on each
other (where the binaries, logs, configs live, etc), you just need to
make sure they're binding to mutually exclusive IP/port pairs. The
"Listen" directive is likely what you're after here.

Ray
 
Old 08-29-2011, 04:23 PM
Always Learning
 
Default (c 5.6) Running 2 versions of Apache ?

On Mon, 2011-08-29 at 09:13 -0700, Ray Van Dolson wrote:

> First, this sounds like a messy way to do it... spinning up another
> OS instance with the appropriate version of Apache you are after sounds
> cleaner...

I have a spare server but I want to use an under-utilised one.

> As long as you keep your various Apache installs from stepping on each
> other (where the binaries, logs, configs live, etc), you just need to
> make sure they're binding to mutually exclusive IP/port pairs. The
> "Listen" directive is likely what you're after here.

That's what I am currently browsing Google for.

Can the 'Listen 1.2.3.4:80' statement be inside a Virtual Host section ?

Does the 'NameVirtualHost' statement affect every Virtual Host until the
next encounter of it, IP that is ?

If I don't get an answer I'll probably experiment.


Paul.


 
Old 08-29-2011, 04:26 PM
Ray Van Dolson
 
Default (c 5.6) Running 2 versions of Apache ?

On Mon, Aug 29, 2011 at 05:23:24PM +0100, Always Learning wrote:
>
> On Mon, 2011-08-29 at 09:13 -0700, Ray Van Dolson wrote:
>
> > First, this sounds like a messy way to do it... spinning up another
> > OS instance with the appropriate version of Apache you are after sounds
> > cleaner...
>
> I have a spare server but I want to use an under-utilised one.

I was thinking virtualization (Xen or an OpenVZ style might be
appropriate).

>
> > As long as you keep your various Apache installs from stepping on each
> > other (where the binaries, logs, configs live, etc), you just need to
> > make sure they're binding to mutually exclusive IP/port pairs. The
> > "Listen" directive is likely what you're after here.
>
> That's what I am currently browsing Google for.
>
> Can the 'Listen 1.2.3.4:80' statement be inside a Virtual Host section ?
>
> Does the 'NameVirtualHost' statement affect every Virtual Host until the
> next encounter of it, IP that is ?
>
> If I don't get an answer I'll probably experiment.

Listen should be used in the global configuration. So, for example
your 2.2 configuration file listens on 1.2.3.4:80:

Listen 1.2.3.4:80
NameVirtualhost 1.2.3.4:80

And you have an Apache 2.3.x instance with a separate config file
listening on either a different IP or a different port on the initial
IP:

Listen 1.2.3.5:80
NameVirtualHost 1.2.3.5:80

<VirtualHost 1.2.3.5:80>
...
</VirtualHost>

or

Listen 1.2.3.4:8080
NameVirtualHost 1.2.3.4:8080

<VirtualHost 1.2.3.4:8080>
...
</VirtualHost>

Ray
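
Added example (not part of the original thread): a small Python check for the "mutually exclusive IP/port pairs" condition, run over the config text of both instances before the second one is started. The sample configs and function names are constructed for illustration; a bare `Listen 80` is treated as binding every address, so it clashes with any per-address listener on port 80.

```python
import re
from ipaddress import ip_address

# Constructed sample configs (assumptions, not from the thread): instance A
# still carries a bare "Listen 80"; instance B uses the per-address style.
CONF_A = """\
Listen 80
NameVirtualHost 1.2.3.4:80
"""
CONF_B = """\
Listen 1.2.3.5:80
Listen 1.2.3.4:8080
"""

LISTEN_RE = re.compile(r"^[ \t]*Listen[ \t]+(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_listen(conf_text):
    """Return {(address, port)} for each Listen line; address None = all addresses."""
    sockets = set()
    for arg in LISTEN_RE.findall(conf_text):
        host, _, port = arg.rpartition(":")
        host = host.strip("[]")          # IPv6 literals are written [addr]:port
        # Simplification: IPv4 and IPv6 wildcards are both treated as "all".
        wildcard = host in ("", "*", "0.0.0.0", "::")
        sockets.add((None if wildcard else ip_address(host), int(port)))
    return sockets

def conflicts(conf_a, conf_b):
    """Socket pairs the two instances cannot both bind (same port, overlapping address)."""
    clashes = []
    for addr_a, port_a in parse_listen(conf_a):
        for addr_b, port_b in parse_listen(conf_b):
            overlap = addr_a is None or addr_b is None or addr_a == addr_b
            if port_a == port_b and overlap:
                clashes.append(((addr_a, port_a), (addr_b, port_b)))
    return sorted(clashes, key=str)

if __name__ == "__main__":
    for a, b in conflicts(CONF_A, CONF_B):
        print("conflict:", a, "vs", b)
```

Changing instance A to `Listen 1.2.3.4:80`, as in the post above, leaves no conflicting pair.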
 
Old 08-29-2011, 06:19 PM
Always Learning
 
Default (c 5.6) Running 2 versions of Apache ?

On Mon, 2011-08-29 at 09:26 -0700, Ray Van Dolson wrote:

> I was thinking virtualization (Xen or an OpenVZ style might be
> appropriate).

Perhaps when I start using Centos 6.1. KVM or XEN ?

> Listen should be used in the global configuration. So, for example
> your 2.2 configuration file listens on 1.2.3.4:80:

The standard Listen statement is used globally for the benefit of
non-virtual hosts, if any.

> And you have an Apache 2.3.x instance with a separate config file
> listening on either a different IP or a different port on the initial
> IP:

Even sub-version numbers of Apache are stable, odd ones are less stable.
That is why I use only 2.2.

> <VirtualHost 1.2.3.5:80>

I never ever give a virtual host declaration an IP address. If moving
the virtual host to another server, I don't have to change anything
except the DNS. Also virtual hosts are web sites with different domain
names, so I use

<virtualhost anydomain.com:80 www.anydomain.com:80>

<virtualhost domain2.com:80 www.domain2.com:80>

instead.

I found some information on

http://httpd.apache.org/docs/2.2/vhosts/examples.html

http://httpd.apache.org/docs/2.2/mod/core.html#namevirtualhost

I think the solution for me is two NameVirtualHost statements:-

NameVirtualHost 11.22.33.44:80

NameVirtualHost 11.22.33.55:80

with normal virtual hosts on IP 11.22.33.44 and the special virtual host
on 11.22.33.55

This will give me a separate IP address, for the special virtual host,
which I can utilise in iptables.

Thank you for your suggestions.

Best regards,

Paul.



 
Old 08-29-2011, 06:35 PM
Les Mikesell
 
Default (c 5.6) Running 2 versions of Apache ?

On Mon, Aug 29, 2011 at 1:19 PM, Always Learning <centos@u61.u22.net> wrote:
>
>> I was thinking virtualization (Xen or an OpenVZ style might be
>> appropriate).
>
> Perhaps when I start using Centos 6.1. KVM or XEN ?

For light use you could drop in VMware server or player or virtualbox
without much effect on the current system. It shouldn't be necessary,
though, unless you'd like to install otherwise conflicting rpm
packages or give root access to someone on the virtual server only.

>> Listen should be used in the global configuration. So, for example
>> your 2.2 configuration file listens on 1.2.3.4:80:
>
> The standard Listen statement is used globally for the benefit of
> non-virtual hosts, if any.
>
>> And you have an Apache 2.3.x instance with a separate config file
>> listening on either a different IP or a different port on the initial
>> IP:
>
> Even sub-version numbers of Apache are stable, odd ones are less stable.
> That is why I use only 2.2.
>
>>   <VirtualHost 1.2.3.5:80>
>
> I never ever give a virtual host declaration an IP address. If moving
> the virtual host to another server, I don't have to change anything
> except the DNS. Also virtual hosts are web sites with different domain
> names, so I use
>
>     <virtualhost anydomain.com:80 www.anydomain.com:80>
>
>     <virtualhost domain2.com:80 www.domain2.com:80>
>
> instead.

So why can't you do that for your new virtualhost instead of running
on a different IP?


> I found some information on
>
>     http://httpd.apache.org/docs/2.2/vhosts/examples.html
>
>     http://httpd.apache.org/docs/2.2/mod/core.html#namevirtualhost
>
> I think the solution for me is two NameVirtualHost statements:-
>
>     NameVirtualHost 11.22.33.44:80
>
>     NameVirtualHost 11.22.33.55:80
>
> with normal virtual hosts on IP 11.22.33.44 and the special virtual host
> on 11.22.33.55
>
> This will give me a separate IP address, for the special virtual host,
> which I can utilise in iptables.

If you are just firewalling there, apache can permit/deny ip ranges on
its own for a location or virtualhost.

--
Les Mikesell
lesmikesell@gmail.com
 
Old 08-29-2011, 07:25 PM
Always Learning
 
Default (c 5.6) Running 2 versions of Apache ?

On Mon, 2011-08-29 at 13:35 -0500, Les Mikesell wrote:

> For light use you could drop in VMware server or player or virtualbox
> without much effect on the current system. It shouldn't be necessary,
> though, unless you'd like to install otherwise conflicting rpm
> packages or give root access to someone on the virtual server only.

I've used Virtual Box successfully for Windoze 98 to run Ami Pro 3.1.

> So why can't you do that for your new virtualhost instead of running
> on a different IP?

A mentally deranged lunatic has sent 30,000+ wrong URLs to a tiny web
site. It started about 5 August but significantly escalated on 22
August.

My Apache routine can add the IPs to iptables and block them. Since 22
August the lunatic has used over 100 different IPs from around the world
to send those wrong URLs which always seem to include one of these:-

forgotten_password.php

login.php

contact.php

Assigning a spare IP address to this small web site should make it
easier for me to experiment with IP tables and examine TCP packets
without disturbing the server's normal workings. For example no valid
HTTP request sent to that IP address should contain 'pas' or 'log' or
'con' so if I detect these the packets can be dropped - that is the
theory. With dropped packets I lose the ability to easily record IP
address and host name. However my web page has over 100 entries of
machines compromised in the current abuse, so losing new details is
worth the satisfaction of blocking the loony.

> If you are just firewalling there, apache can permit/deny ip ranges on
> its own for a location or virtualhost.

I don't know which IP address to block until at least one 'hit'. For low
level abuse, I use a routine to add 'Deny from' to the site's .htaccess
file. An IP blocked with this method can still access HTTPD where it
will receive a 403 rejection. Thus successful blocks still involve the
web server.

By filtering in IP tables by IP and then port, I can try to identify
those keywords: con, pas, log and, if successful, drop the packets.
Packet length, used by this lunatic, with a very few exceptions, is 60
bytes, so I could potentially identify the required 3-byte fragments.

It is amazing so many machines can be broken-into or misused by one
deranged lunatic. I wonder if those machines run on Windoze.

Paul.
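
Added example (not part of the original thread): a Python model of a case-sensitive substring match over the packet payload, comparing the 3-byte fragments with a check on the full script name in the parsed request line. The request payloads, host name and function names are constructed for illustration; the second matcher models what a web-server rule or log filter sees, not an iptables capability.

```python
# Constructed HTTP request payloads (sample data, not captured traffic).
HOST = b"\r\nHost: example.test\r\n\r\n"
REQUESTS = {
    "probe_login":   b"GET /login.php HTTP/1.1" + HOST,
    "probe_forgot":  b"GET /shop/forgotten_password.php HTTP/1.1" + HOST,
    "probe_contact": b"POST /contact.php HTTP/1.1" + HOST,
    "favicon":       b"GET /favicon.ico HTTP/1.1" + HOST,
    "logo":          b"GET /images/logo.png HTTP/1.1" + HOST,
    "plain":         b"GET /index.html HTTP/1.1" + HOST,
}

FRAGMENTS = (b"pas", b"log", b"con")
SCRIPTS = (b"forgotten_password.php", b"login.php", b"contact.php")

def fragment_match(payload):
    """Substring match anywhere in the payload, as a packet filter would see it."""
    return any(f in payload for f in FRAGMENTS)

def request_line_match(payload):
    """Match only when the requested path ends in one of the probed scripts."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:                      # not "METHOD target VERSION"
        return False
    path = parts[1].split(b"?", 1)[0]        # ignore any query string
    return path.rsplit(b"/", 1)[-1] in SCRIPTS

def compare(requests):
    """Return {name: (fragment_hit, request_line_hit)} for each payload."""
    return {n: (fragment_match(p), request_line_match(p)) for n, p in requests.items()}

def false_positives(requests):
    """Requests the fragment rule would drop although no probed script is requested."""
    return sorted(n for n, (frag, full) in compare(requests).items() if frag and not full)

if __name__ == "__main__":
    for name, (frag, full) in compare(REQUESTS).items():
        print(f"{name:14} fragment={frag!s:5} request_line={full}")
    print("dropped by fragments only:", false_positives(REQUESTS))
```

A payload rule can only fire on the segment that carries the request, which arrives after the TCP handshake has completed, so Apache has already accepted the connection by then.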


 
Old 08-29-2011, 07:31 PM
 
Default (c 5.6) Running 2 versions of Apache ?

Always Learning wrote:
>
> On Mon, 2011-08-29 at 13:35 -0500, Les Mikesell wrote:
<snip>
>> So why can't you do that for your new virtualhost instead of running
>> on a different IP?
>
> A mentally deranged lunatic has sent 30,000+ wrong URLs to a tiny web
> site. It started about 5 August but significantly escalated on 22
> August.

Sorry, not a lunatic. Your website's name has been harvested, and added to
some black-market commercial or script kiddie toolkit, and it's on
infected servers around the world. Take it from me... (I'm a contractor
for a US Federal Gov't agency*, and we get *tons*.)
>
> My Apache routine can add the IPs to iptables and block them. Since 22
> August the lunatic has used over 100 different IPs from around the world
> to send those wrong URLs which always seem to include one of these:-
>
Check out fail2ban. It works very nicely.
<snip>
mark

 
Old 08-29-2011, 07:49 PM
Les Mikesell
 
Default (c 5.6) Running 2 versions of Apache ?

On Mon, Aug 29, 2011 at 2:25 PM, Always Learning <centos@u61.u22.net> wrote:
>
>> For light use you could drop in VMware server or player or virtualbox
>> without much effect on the current system. It shouldn't be necessary,
>> though, unless you'd like to install otherwise conflicting rpm
>> packages or give root access to someone on the virtual server only.
>
> I've used Virtual Box successfully for Windoze 98 to run Ami Pro 3.1.
>
>> So why can't you do that for your new virtualhost instead of running
>> on a different IP?
>
> A mentally deranged lunatic has sent 30,000+ wrong URLs to a tiny web
> site. It started about 5 August but significantly escalated on 22
> August.

Ummm, 30,000 isn't a particularly big number of hits to an apache
server, especially if all it has to do is respond with a 'file not
found'. But you are probably wise to be defensive.

> My Apache routine can add the IPs to iptables and block them. Since 22
> August the lunatic has used over 100 different IPs from around the world
> to send those wrong URLs which always seem to include one of these:-
>
>     forgotten_password.php
>
>     login.php
>
>     contact.php

That probably means the intrusion is self-propagating. That is, if
the target is running some vulnerable php version or application, it
is able to install a copy of itself and start over.

> Assigning a spare IP address to this small web site should make it
> easier for me to experiment with IP tables and examine TCP packets
> without disturbing the server's normal workings. For example no valid
> HTTP request sent to that IP address should contain 'pas' or 'log' or
> 'con' so if I detect these the packets can be dropped - that is the
> theory. With dropped packets I lose the ability to easily record IP
> address and host name. However my web page has over 100 entries of
> machines compromised in the current abuse, so losing new details is
> worth the satisfaction of blocking the loony.

As long as you aren't vulnerable yourself, I don't see the point of
wasting human hours to save machine microseconds. And this is a tiny
bit of the viruses and automated intrusion attempts happening in the
wild so unless you can generalize it into a fail2ban type of process
your time would be better spent making sure your systems are up to
date and inherently secure.

>> If you are just firewalling there, apache can permit/deny ip ranges on
>> its own for a location or virtualhost.

> It is amazing so many machines can be broken-into or misused by one
> deranged lunatic. I wonder if those machines run on Windoze.

If that is the first instance you've seen, you must have a low-profile
site. And no, web applications have their own bugs and
vulnerabilities on Linux too. And if you aren't fairly close to
up-to-date on the base distribution, those exploits can get root
access. The last one I bothered tracking down used a java/spring
vulnerability to run something to trigger a local root exploit in
glibc (that I think was fixed in the 5.4 or 5.5 update) but there are
probably newer ones - and more we don't know about.
--
Les Mikesell
lesmikesell@gmail.com
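
Added example, not code from the thread or from fail2ban: a minimal "fail2ban type of process" in Python that reads access-log lines, counts 404 responses for the three probed script names per client, and returns the per-source iptables rules as strings instead of running them. The log lines and client addresses are constructed samples; the destination 11.22.33.55 is the dedicated address proposed earlier in the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed access-log lines in Apache common log format (sample data;
# client addresses come from the documentation ranges).
LOG = """\
192.0.2.10 - - [29/Aug/2011:18:01:02 +0100] "GET /login.php HTTP/1.1" 404 210
192.0.2.10 - - [29/Aug/2011:18:01:03 +0100] "GET /admin/forgotten_password.php HTTP/1.1" 404 210
198.51.100.7 - - [29/Aug/2011:18:02:10 +0100] "GET /contact.php?x=1 HTTP/1.0" 404 210
203.0.113.5 - - [29/Aug/2011:18:03:00 +0100] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [29/Aug/2011:18:03:01 +0100] "GET /images/logo.png HTTP/1.1" 200 900
bogus line that does not parse
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
PROBED = {"forgotten_password.php", "login.php", "contact.php"}
SITE_IP = "11.22.33.55"   # dedicated address proposed in the thread

def probe_hits(log_text):
    """Count, per client, requests whose path ends in a probed script and got 404."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip malformed or truncated lines
        client, _method, target, status = m.groups()
        name = target.split("?", 1)[0].rsplit("/", 1)[-1]
        if name in PROBED and status == "404":
            hits[client] += 1
    return hits

def ban_commands(log_text, threshold=1):
    """iptables commands (strings, not executed) for clients at or over threshold."""
    cmds = []
    for client, count in sorted(probe_hits(log_text).items()):
        if count < threshold:
            continue
        try:
            ip_address(client)             # logged hostnames or junk never reach a command
        except ValueError:
            continue
        cmds.append(f"iptables -I INPUT -s {client} -d {SITE_IP} -p tcp --dport 80 -j DROP")
    return cmds

if __name__ == "__main__":
    print("\n".join(ban_commands(LOG)))
```

Validating the client field as a literal IP address matters because the log is attacker-influenced input that ends up in a command line.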
 
Old 08-29-2011, 07:50 PM
Always Learning
 
Default (c 5.6) Running 2 versions of Apache ?

On Mon, 2011-08-29 at 15:31 -0400, m.roth@5-cent.us wrote:

> Sorry, not a lunatic. Your website's name has been harvested, and added to
> some black-market commercial or script kiddie toolkit, and it's on
> infected servers around the world. Take it from me... (I'm a contractor
> for a US Federal Gov't agency*, and we get *tons*.)

It would be nice if Uncle Sam went after the pests.

The attacks are not automatic. The loony is currently having difficulty
finding vulnerable IPs and concentrating his efforts on a Japanese
company with very lax security (7 IPs at the same place so far).

> Check out fail2ban. It works very nicely.

Mark,

From http://www.fail2ban.org/wiki/index.php/Main_Page
it states:

Fail2ban scans log files like /var/log/pwdfail
or /var/log/apache/error_log and bans IP that
makes too many password failures. It updates
firewall rules to reject the IP address.

I would like, if possible, to identify the fragments in IP tables and
instantly block the packets thus preventing them entering the remainder
of the server. Fail2ban does not do this. My current blocking
requirement is specialised.


Paul.


 

All times are GMT.