install Apache Mod? CentOS 1

Hondy

Technical User
Mar 3, 2003
864
GB
Hi

(noob)- I think I need to install mod_rewrite.so into my Apache installation.

The Apache install was part of a LAMP install and is installed already. In the httpd.conf file there is a mod_rewrite and there is no # in front of it, does this mean it's likely to be installed?

From a command line what do I need to run, and where do I run it from?

The problem is that I have been given a website and it contains a .htaccess file with "rewrite" config in but when I browse it I get a 500 internal server error. If I # out the rewrite config it works but the website isn't as expected.

Thanks

 
From the command line type "httpd -M". This will show you both the modules compiled into apache and the shared (.so) modules which are loaded dynamically. To see if you actually have the module, look in /usr/lib/httpd/modules. If it is there then add this line to httpd.conf:
Code:
LoadModule rewrite_module modules/mod_rewrite.so

It's hard for me to imagine a distro that doesn't already have this but ya never know.

 
Ah yes, that's what I needed. I also found that it tells me in phpinfo but your command is better.

The LoadModule was ok, the problem turned out to be
AllowOverride AuthConfig on my directory
I changed it to

AllowOverride All and it started working

What have I done there? I still get asked for a password which is what I want but I don't know what it means :S

Thanks


 
Basically what you've done is go from the specific to the general. In short, you told apache you want to allow the use of an .htaccess file in that directory. Almost anything you can put into an httpd.conf file can go into an .htaccess file. (I don't pronounce the dot so I use an instead of a) ;-) Actually in linux the dot indicates a hidden file so if you don't specify to show All files, you may not see it when you list the files in a directory. There is a line in the file that is telling apache to request a password and user name. These are kept in files in another directory for security reasons. Root or the owner of that directory are the only ones who can say where they get stored. Rather than reinvent the wheel, here is a link to where you can find out more about this. If you have questions later, feel free to come back and ask away.
 
Thanks rhythm, I'd say that was essential reading for a linux web noob. I'm going to have to re-read it a few times - seems like I should be using AuthConfig but it seems to break mod_rewrite when I do this so it's the "all" option or I don't use it for now. A password is better than nothing in this case.

Any other good basic apache security advice?

Cheers
 
Yes. What you did is fine. The AllowOverride directive indicates to apache that the .htaccess file will be used. You can set it to either "All", "None" or a directive type. In your case it was set to AuthConfig. This told apache that .htaccess will be used for authentication and will contain auth directives. When you switched it to "All", you told apache that .htaccess can contain anything that is allowed in httpd.conf. Many people don't know this but anything that can go in .htaccess can also go into httpd.conf. Sounds kind of dumb but they think you have to put authentication stuff in .htaccess. This is not the case. You can put that all in httpd.conf as well. But you say "that would mean root would have to make these entries and reboot the server every time." BIMBO!!! That is the whole idea behind .htaccess. It allows the admin/webmaster of each site to, in essence, have access to httpd.conf. Hence the name (ht access). The great thing about it is that the server doesn't have to be restarted every time it is changed. The file gets read every time that directory is accessed.
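An added example, not part of the original thread: a small checker that works out which AllowOverride classes a given .htaccess needs, and which of its lines a narrower setting would reject. It shows why `AllowOverride AuthConfig` produced a 500 once rewrite rules were present (mod_rewrite directives need the FileInfo class) and that `AuthConfig FileInfo` is enough without going to `All`. The directive table is limited to directives relevant here, and the sample file and its paths are constructed.

```python
# Added example (not from the thread): which AllowOverride classes an .htaccess needs.
# The table covers only the directives discussed here and their usual neighbours.
OVERRIDE_CLASS = {
    "rewriteengine": "FileInfo", "rewritebase": "FileInfo",
    "rewritecond": "FileInfo", "rewriterule": "FileInfo",
    "errordocument": "FileInfo",
    "authtype": "AuthConfig", "authname": "AuthConfig",
    "authuserfile": "AuthConfig", "authgroupfile": "AuthConfig",
    "require": "AuthConfig",
    "order": "Limit", "allow": "Limit", "deny": "Limit",
    "options": "Options",
}

# Constructed sample: password protection plus rewrite rules, as described in the thread.
SAMPLE_HTACCESS = """\
AuthType Basic
AuthName "Admin area"
AuthUserFile /path/to/.htpasswd
Require valid-user
RewriteEngine On
RewriteRule ^page/(.*)$ index.php?p=$1 [L]
"""

def parse(htaccess_text):
    """Yield (line_number, directive, override_class or None) for each directive line."""
    for number, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):  # comments and <Container> lines
            continue
        directive = line.split()[0]
        yield number, directive, OVERRIDE_CLASS.get(directive.lower())

def minimal_allowoverride(htaccess_text):
    """Smallest AllowOverride value that permits every known directive in the file."""
    classes = sorted({cls for _, _, cls in parse(htaccess_text) if cls})
    return " ".join(classes) if classes else "None"

def rejected(htaccess_text, allow_override):
    """Known directives that Apache would refuse ('not allowed here') under this setting."""
    allowed = set(allow_override.split())
    if "All" in allowed:
        return []
    return [(n, d, c) for n, d, c in parse(htaccess_text) if c and c not in allowed]

if __name__ == "__main__":
    print("needs: AllowOverride", minimal_allowoverride(SAMPLE_HTACCESS))
    for number, directive, cls in rejected(SAMPLE_HTACCESS, "AuthConfig"):
        print(f"line {number}: {directive} needs {cls}")
```

Directives missing from the table are skipped rather than guessed at, so check the "Override" line in the Apache documentation for anything else your file uses.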
 
Oops! I forgot to answer your question about security. One of the first things you should do is add the mod_security module. Here is a link where you can find out more about it.
 
ahhhh I see, bimbo indeed :) next you will be telling me that the "ht" in htaccess actually stands for HyperText too...

modsecurity looks very useful - combined with my recent htaccess questions...

I'm a bit concerned that .htaccess can be easily brute-forced unless there is some kind of IP blocking or account lockout that you can do... is this covered by modsecurity or do I have to look elsewhere for this?

Thanks
 
and sorry, one other simple thing...

When I do "allow from x.x.x.x" it works from those addresses, I understand that, but why do people outside those addresses just get the default CentOS Apache page saying it's installed? Should it give a "Forbidden IP" message or something? How do I change this page?
 
There are a couple of ways you can handle this. The easiest way is to use the ErrorDocument directive. This is what is happening when your visitors from a forbidden ip access the directory. When an ip is denied, apache returns a 403 error code. If you look in /etc/httpd/conf.d, you will see a file called welcome.conf. In there, you will see a Location container with the ErrorDocument directive. The ErrorDocument directive basically says that on error 403 go to /error/noindex.html. The Location directive can give you that deer in the headlights look if you don't speak apache but it simply says do this if no index page is found. It is defined here globally so that any time a vhost can't be resolved it will show the welcome page. By placing the ErrorDocument directive inside a directory or using a condition such as apache has, you limit its scope. Here is a little more info on the ErrorDocument directive. Another way to display a particular message is to use redirection based on whatever condition you want and have it point to a page of your own creation.
 
I totally appreciate the help RhythmAce - I will sort the errordoc out from your instruction.

Have you any comment on the brute force question I made?

Also, I managed to get VNC working graphically, if you log out then you just end up with a CentOS background with a cursor but no way back in?? How do you log back in without going to the server and doing it again??

(I appreciate you may not use VNC but there may be a common theme)

Good fun this but I almost broke it a few times already :)
 
Usually you need to kill the VNC session and start a new one. I include the kill in my logoff script so I don't have to do it manually. But the thing is you don't actually have to log off, which is one of the advantages of VNC. You can just disconnect your VNC session, and reconnect to it at a later time and it will be exactly as you left it.

Annihilannic.
 
yeh but what I wanted to do was to log off and then log on as root but I guess I need to open another firewall port and bind a new session for root. Or as you say do some log off script and rebind the port for root via an SSH console. Still it would be nice to have a generic port that anyone could bind to...


Anyone have any comment on brute forcing an .htaccess password out and enabling a user lockout on the users defined in it? You must be able to or that's a big problem.

Cheers


 
If you were to get a brute force attack, I doubt it will be through a web browser against the .htaccess file. It will more than likely be through ftp, telnet or pop3 mail server. The .htaccess file is specific to apache and has nothing to do with the security of your linux server in general. Apache is the only service that reads the file and also prevents browsers from accessing it. Just as you can control access to a directory with the Order allow, deny directive, you can also use it to control access to files. This forum is for the linux server. There is a forum here at tek-tips specifically for apache here: As I said earlier a brute force attack is more than likely going to come through a port that is more efficient for harvesting user names and passwords. For example a system user's account info is far more valuable than that of a user on a website. That is why they will try to access your server through those other ports. You can limit access attempts through most of them very easily. For example you can set sshd for three attempts. You can also set a time they will have to wait before trying again. The linux server is actually a bunch of servers/ports that are open to the outside world. As an administrator, you need to read up on every one of those that you have open and find the vulnerabilities that are being exploited.
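An added example, not part of the original thread: a detection sketch for the lockout question, which scans Apache access log lines for repeated failed Basic-auth logins from one client inside a short window. It assumes the common/combined log format; the threshold, window and sample log lines (documentation IP ranges) are constructed for illustration.

```python
# Added example (not from the thread): flag clients with bursts of failed Basic-auth logins.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# host ident user [time] "request" status ...   (common/combined log format assumed)
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

# Constructed sample: one normal login with a single typo, then a rapid burst from another host.
SAMPLE_LOG = [
    '198.51.100.20 - - [03/Mar/2010:10:14:58 +0000] "GET /admin/ HTTP/1.1" 401 480',
    '198.51.100.20 - alice [03/Mar/2010:10:15:03 +0000] "GET /admin/ HTTP/1.1" 401 480',
    '198.51.100.20 - alice [03/Mar/2010:10:15:09 +0000] "GET /admin/ HTTP/1.1" 200 5120',
] + [
    f'203.0.113.7 - admin [03/Mar/2010:10:16:{s:02d} +0000] "GET /admin/ HTTP/1.1" 401 480'
    for s in range(0, 12, 2)
]

def failed_auth_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak failures in window} for clients reaching the threshold."""
    recent = defaultdict(deque)   # per-client timestamps of recent failures
    flagged = {}
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, user, stamp, status = match.groups()
        # A 401 with user "-" is just the initial challenge; a 401 with a
        # username means credentials were sent and rejected.
        if status != "401" or user == "-":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:   # drop failures older than the window
            attempts.popleft()
        if len(attempts) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(attempts))
    return flagged

if __name__ == "__main__":
    for ip, count in failed_auth_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s")
```

The output is a list of client addresses to review or feed into whatever blocking mechanism you use; the script itself changes nothing on the server.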
 
Ah ok, I will try the apache forum, thanks. From what you are saying then, .htaccess is no good for protecting "admin" pages such as content management system pages, and any admin pages should have the "banning of IPs" directly in the PHP or whatever.

I got modsecurity working, it's currently deflecting my test attacks :) good mod that, although quite tough for a noob like me to install.

Off to the Apache forum I go...! :)
 