Linux Admin Zone

This is second part of article to describe how to dynamically manage Apache Virtual host. You can read first article here.

In earlier article I mentioned using a php script to dynamically create/remove virtualhost entry in Apache (httpd) config file and then reload it using cron.

Here I would describe how to manage DNS to dynamically recognize newly created virtualhosts. Again, this might not be the best or efficient way to implement this but this is what worked for me. After creating virtualhosts in Apache, you need to update DNS so that new virtualhosts start working. To update DNS dynamically, your DNS provider should have some way (like API) which enable you to manipulate its records. There are few providers offering this facility. For this experiment, I selected DNSMadeEasy which provides APIs to add/remove/update records on fly using scripts.

There’s situation with my friend where his team wanted to dynamically create/remove virtual hosts or subdomains using php. This can be achieved in several ways. You can use a control panel which obviously use resources or develop your own script to do this. There’s security aspects attached with script because it needs to update file which is read by Apache and to apply settings, you need to reload Apache. Here I am describing how my friend achieved their goal, again I’m saying that this might not be the best way to do this thing and may be comparatively insecure or inefficient but this is what worked for them in Ubuntu host.

To tighten security or again to pass PCI test, you can disable weak SSL cipher. Let’s do it in a host running lighttpd web server in CentOS Linux.

Normally, you get message like this for this issue:

Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
 
Note: This is considerably easier to exploit if the attacker is on the same physical network. Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers. Risk Factor: Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C/I:N/A:N)

Let’s disable these weak cipher’s now:

Update config file to add or modify following lines. After addition/editing, lines should look like this:

$ vi /etc/lighttpd/lighttpd.conf
ssl.use-sslv2 = "disable"
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

make sure that you have to put these lines in any blocks/vhosts etc. also because these are global options and if you not put these in vhosts blocks, then they will not be effective.

This is again short post for people lazy enough to not compile and always looking for some quick way to upgrade/install software.

The machine is having CentOS 5.2 and httpd 2.2.8. We are looking to upgrade httpd to 2.2.17 to succeed in PCI compliance. While I assured that current Apache is having all security upgrades but still test guys saying we have to upgrade to latest stable. Ok, its not that difficult.

When I checked, almost all common repositories are having upgrades up to 2.2.8 which I did but I need it to latest stable which is 2.2.17 while writing this article. Then I noticed CentAlt repo which is having this upgrade.

In a CentOS 5.2 Server, there PHP 5.2.4 and due to which PCI complaince test failed. We were in requirement to upgrade PHP to latest stable version. While writing this article, we found 5.3.5 as latest stable release of PHP. Describing here the steps taken to download, install PHP 5.3.5.

Step 1. Check existing PHP modules and Install pre-requisites libraries/apps

As the first step, you should get list of installed PHP modules so that you can incude them with newer PHP as well otherwise functionality of your site/application can break.

Get list of all PHP module installed in Server: