The problem with multiple SSL on the same IP

If several sites with SSL share the same IP address, old browsers that do not support SNI cannot indicate which site they are requesting, so they will most likely receive the first certificate defined at the beginning of the web server configuration.


WordPress. Solution “cURL error 60: SSL certificate problem: unable to get local issuer certificate”

Once, on one of the sites, I noticed the following errors in the WordPress menu “Tools” – “Site Health”:


Upgrading PHP Version on Ubuntu 14.04

Once it was necessary to upgrade PHP from version 5.5.9 to 5.6 on Ubuntu Server 14.04 LTS. The usual update of the system components did not help:

sudo apt-get update
sudo apt-get upgrade

You can try to upgrade the system to 16.04 or higher, as I described in the article Updating Ubuntu 14.04 to 16.04. PHP will be updated together with the system.

If the system update fails, you can add a third-party source with PHP:

sudo add-apt-repository ppa:ondrej/php
sudo apt-get update

And install the correct version from it, for example PHP 5.6:

sudo apt-get install php5.6 php5.6-mbstring php5.6-mcrypt php5.6-mysql php5.6-xml

Since there are several installed versions, disable the old version and activate the installed one:

sudo a2dismod php5
sudo a2enmod php5.6
sudo service apache2 restart

Similarly, you can install PHP 7.2:

sudo apt-get install php7.2
sudo a2dismod php5.6
sudo a2enmod php7.2
sudo service apache2 restart

Or PHP 7.0:

sudo apt-get install php7.0
sudo a2dismod php7.2
sudo a2enmod php7.0
sudo service apache2 restart

Install Apache JMeter in Ubuntu

Apache JMeter — load testing tool.

For Apache JMeter you need to install Java, see my article – Installing Java on Linux.

As an example, I’ll install Apache JMeter in Ubuntu Desktop 18.04.

After Java is installed, copy the link to the archive with the latest version of Apache JMeter from the official site http://jmeter.apache.org/download_jmeter.cgi and download it:

wget http://apache.volia.net//jmeter/binaries/apache-jmeter-4.0.tgz

Extract the archive:

tar -xf apache-jmeter-4.0.tgz

Run:

cd apache-jmeter-4.0/bin/
./jmeter

After startup, a message was displayed saying that tests can be created in the Apache JMeter graphical mode but should be executed only from the terminal, for example:

jmeter -n -t [jmx file] -l [results file] -e -o [Path to web report folder]

By the way, Apache JMeter in Windows is run through the jmeter.bat file.

Monitoring of Apache2 parameters in Zabbix

Install the necessary components:

sudo apt-get install curl

Activate the module that provides status information about apache2 (usually it is already enabled):

sudo a2enmod status

Open the configuration file of the module and specify the IP address of the zabbix server to allow it to view information about apache2 (if apache2 is on the local machine, then access is usually allowed by specifying local or 127.0.0.1):

sudo nano /etc/apache2/mods-enabled/status.conf

In the nano editor, CTRL+X is used to exit and y/n to save or discard changes. Example of specifying IP:

<Location /server-status>
    SetHandler server-status
    Require local
    Require ip 192.168.1.5
</Location>

Restart the web server to apply the changes:

sudo service apache2 restart

Now the information about apache2 is available in a browser at http://HOST/server-status

Let’s move on to Zabbix. Create a folder for scripts if it does not exist:

mkdir /etc/zabbix/scripts/
chown root:zabbix -R /etc/zabbix/scripts/
chmod 750 /etc/zabbix/scripts/

In the zabbix server configuration file, we specify the path to this folder:

sudo nano /etc/zabbix/zabbix_server.conf
ExternalScripts=PATH

Here is the content of the script (saved as /etc/zabbix/scripts/apache2-status.sh):

#!/bin/bash
if [[ -z "$1" || -z "$2" || -z "$3" ]]; then
  exit 1
fi
##### PARAMETERS #####
RESERVED="$1"
METRIC="$2"
URL="$3"
STATSURL="${URL}?auto"
#
CACHE_TTL="55"
CACHE_FILE="/tmp/zabbix.apache2.`echo ${URL} | md5sum | cut -d" " -f1`.cache"
EXEC_TIMEOUT="2"
NOW_TIME=`date '+%s'`
##### RUN #####
if [ -s "${CACHE_FILE}" ]; then
  CACHE_TIME=`stat -c"%Y" "${CACHE_FILE}"`
else
  CACHE_TIME=0
fi
DELTA_TIME=$((${NOW_TIME} - ${CACHE_TIME}))
#
if [ ${DELTA_TIME} -lt ${EXEC_TIMEOUT} ]; then
  sleep $((${EXEC_TIMEOUT} - ${DELTA_TIME}))
elif [ ${DELTA_TIME} -gt ${CACHE_TTL} ]; then
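  echo "" >> "${CACHE_FILE}" # update the cache mtime first so parallel runs wait instead of fetching too
  # --insecure skips TLS certificate verification; drop it if the status URL has a valid certificate
  DATACACHE=`curl -sS --insecure --max-time ${EXEC_TIMEOUT} "${STATSURL}" 2>&1`
  echo "${DATACACHE}" > "${CACHE_FILE}" # curl error text (2>&1) ends up in the cache as well
  echo "URL=${URL}"  >> "${CACHE_FILE}"
  chmod 640 "${CACHE_FILE}"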
fi
#
if [ "${METRIC}" = "accesses" ]; then
  cat "${CACHE_FILE}" | grep -i "accesses" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "kbytes" ]; then
  cat "${CACHE_FILE}" | grep -i "kbytes" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "cpuload" ]; then
  cat "${CACHE_FILE}" | grep -i "cpuload" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "uptime" ]; then
  cat "${CACHE_FILE}" | grep -i "uptime" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "avgreq" ]; then
  cat "${CACHE_FILE}" | grep -i "ReqPerSec" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "avgreqbytes" ]; then
  cat "${CACHE_FILE}" | grep -i "BytesPerReq" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "avgbytes" ]; then
  cat "${CACHE_FILE}" | grep -i "BytesPerSec" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "busyworkers" ]; then
  cat "${CACHE_FILE}" | grep -i "BusyWorkers" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "idleworkers" ]; then
  cat "${CACHE_FILE}" | grep -i "idleworkers" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "totalslots" ]; then
  cat "${CACHE_FILE}" | grep -i "Scoreboard" | cut -d':' -f2 | sed -e 's/ //g' | wc -c | awk '{print $1-1}'
fi
#
exit 0
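
The metric lookups in the script use case-insensitive substring matches (grep -i) on whatever is in the cache file, including curl error text. As an added example (not part of the original script), the function below maps each metric name to the exact "?auto" key through an allowlist and prints only numeric values; the names apache_metric and sample_status and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: strict lookup of one metric from mod_status "?auto" output.
# apache_metric and sample_status are hypothetical names, not from the page.

# Constructed sample of "?auto" output (all values are made up).
sample_status() {
    cat <<'EOF'
ServerUptimeSeconds: 86400
ServerUptime: 1 day
Total Accesses: 1520
Total kBytes: 20480
CPULoad: .0125
Uptime: 86400
ReqPerSec: .0175926
BytesPerSec: 242.726
BytesPerReq: 13797.1
BusyWorkers: 3
IdleWorkers: 7
Scoreboard: _W_K__W___.....
EOF
}

# Usage: apache_metric METRIC < status-output
# Exit codes: 0 value printed, 1 key missing or value not numeric, 2 unknown metric.
apache_metric() {
    case "$1" in
        accesses)    key='Total Accesses' ;;
        kbytes)      key='Total kBytes' ;;
        cpuload)     key='CPULoad' ;;
        uptime)      key='Uptime' ;;
        avgreq)      key='ReqPerSec' ;;
        avgreqbytes) key='BytesPerReq' ;;
        avgbytes)    key='BytesPerSec' ;;
        busyworkers) key='BusyWorkers' ;;
        idleworkers) key='IdleWorkers' ;;
        totalslots)  key='Scoreboard' ;;
        *) return 2 ;;   # reject anything outside the allowlist
    esac
    awk -F': ' -v key="$key" '
        $1 == key {      # exact key match, not a substring match
            if (key == "Scoreboard") { print length($2); ok = 1 }
            else if ($2 ~ /^[0-9.eE+-]+$/) { print $2; ok = 1 }
            exit
        }
        END { exit !ok } # non-zero when nothing valid was printed
    '
}
```

In the script above, the block of metric checks could then be replaced by a single call: apache_metric "${METRIC}" < "${CACHE_FILE}".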

Let’s make the script file executable:

chown root:zabbix /etc/zabbix/scripts/apache2-status.sh
chmod 550 /etc/zabbix/scripts/apache2-status.sh

Script validation example:

sudo -u zabbix /etc/zabbix/scripts/apache2-status.sh none accesses http://HOST/server-status

Open the zabbix agent configuration file in the editor:

sudo nano /etc/zabbix/zabbix_agentd.conf

And add the following parameter:

UserParameter=apache2[*],/etc/zabbix/scripts/apache2-status.sh "none" "$1" "$2"

Some values, such as the number of apache2 processes and the number of connections to port 80, can be obtained with plain commands and do not need a script. For example, you can specify:

UserParameter=apache2.count_processes,ps aux | grep '[a]pache' | wc -l
UserParameter=connections_on_80_port,netstat -na | grep ':80 ' | wc -l

Restart the zabbix agent to apply the changes:

sudo /etc/init.d/zabbix-agent restart

Let’s check:

zabbix_get -s 127.0.0.1 -k "apache2[accesses,http://HOST/server-status]"

Now create a template and add data items to it. An example of a data item key:

apache2[KEY,http://HOST/server-status]

Exported ready template – apache2-status

We also need to add a macro to the monitored host:

Macro: {$APACHE_STATS_URL}
Value: http://HOST/server-status

Done.

The number of apache2 processes can be obtained from the Zabbix agent by creating on the Zabbix server a data element with a key:

proc.num[apache2]

Installing and Configuring the Apache2 Web Server

Apache HTTP Server is a free web server. It is named after the Apache tribes of North American Indians; the name is also an abbreviation of “a patchy server”.

An example of an installation command in Ubuntu:

sudo apt-get install apache2

Example installation in CentOS:

yum install httpd

To check, open the address http://HOSTNAME in a browser.
Normally the standard message “It works!” should appear.

Web Storage Directory – /var/www/
Directory of configuration files – /etc/apache2/

A separate virtual host is created for each site. The standard virtual host file is located at /etc/apache2/sites-available/000-default.conf

Suppose we have the domain example.net. Create a new file /etc/apache2/sites-available/example.conf and put the following settings in it:

<VirtualHost *:80>
     ServerAdmin admin@example.net
     ServerName example.net
     ServerAlias www.example.net
     DocumentRoot /var/www/example.net/

     <Directory /var/www/example.net>
     Options -Indexes
     AllowOverride All
     Order allow,deny
     allow from all
     </Directory> 

     #You can restrict IP access to some directories, for example, the admin panel in this way:
     <Directory /var/www/example.net/admin>
     Order allow,deny
     allow from 127.0.0.1 192.168.0.47 172.16.30.5
     </Directory>

     ErrorLog /var/log/example.net.error.log
     CustomLog /var/log/example.net.access.log combined
</VirtualHost>

I’ll describe the options I mentioned above:
-Indexes – if there are no index files (index.php, index.html, etc.), the contents of directories will not be displayed.
FollowSymLinks – allows symbolic links to be followed.
-MultiViews – with MultiViews enabled, a request for a non-existent directory such as http://example.net/img/ can be redirected to the file http://example.net/img.php or http://example.net/img.jpg, etc., if one of them exists. Such behaviour can badly affect the indexing of links by search engines, so it is better to disable this option.
AllowOverride All – allows the use of additional .htaccess configuration files.

Next, make a link to this file in the directory /etc/apache2/sites-enabled/. You can do this with the following commands (the first creates the link, the second removes it; the .conf ending is not specified):

sudo a2ensite TEXT
sudo a2dissite TEXT

If you need to activate any modules, you can also do this with commands, for example (the first command enables, the second disables):

sudo a2enmod rewrite
sudo a2dismod rewrite

To activate additional configuration files:

sudo a2enconf TEXT
sudo a2disconf TEXT

Now create a directory for the site and copy the files into it:

sudo mkdir /var/www/example.net

Let’s edit some web server security settings:

sudo nano /etc/apache2/conf.d/security

Change:
ServerTokens OS
to:
ServerTokens Prod

And change:
ServerSignature On
to:
ServerSignature Off

Restart Apache2 for the changes to take effect (either command works):

sudo /etc/init.d/apache2 restart
sudo service apache2 restart

If the server has many IP addresses and apache2 should not listen on all of them, you can specify which ones it listens on in /etc/apache2/ports.conf. You can also change the port, for example:

Listen 192.0.3.1:80
Listen 192.0.3.2:80
Listen 192.0.1.10:8080

To listen on all addresses:

Listen 80

See also:
Access Control Apache2
Installing and Configuring Nginx

The solution of the error “Permission denied: .htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable”

I once noticed the following error:

[Mon Sep 05 10:24:38 2016] [crit] [client 192.168.1.1] (13)Permission denied: /home/user/public_html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

Before the error occurred, I had moved the files using sudo (as the root user), and to restore the ownership I ran the command:

sudo chown user:user -R /home/user/public_html

This changed the owner of all the subfolders and files to the one specified, but a different owner should have been set on the public_html directory itself (not its contents), which is why apache2 reported that access was denied. Therefore, if you set public_html to the user and group that apache2 runs as, the error disappears.
Setting permissions 777 on this folder can also help, since it gives full access to all users (but for security it is better not to use this option).

Solution of the error “Invalid command ‘AuthGroupFile'”

I once noticed the following error:

AH00526: Syntax error on line 26 of /etc/apache2/sites-enabled/000-default.conf:
Invalid command ‘AuthGroupFile’, perhaps misspelled or defined by a module not included in the server configuration
Action ‘configtest’ failed.
The Apache error log may have more information.

It is solved simply by activating the module:

sudo a2enmod authz_groupfile

Restart apache2 to apply the changes:

sudo service apache2 restart

Done.