Disable SSL ver 2 in Apache for PCI compliance

You need to disable SSL ver 2 and enable SSL ver 3 in Apache for PCI compliance. It's very easy to do. The following settings will set SSL ver 3 and also disable older/insecure cipher suites on a Red Hat/CentOS/Fedora Linux server:
1. Open /etc/httpd/conf.d/ssl.conf and add these lines, or, if they are already there, edit them as follows:

## Disable SSLv2 and enable SSLv3
SSLProtocol -All +SSLv3 +TLSv1
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

2. Reload httpd service to apply the new settings:

# /etc/init.d/httpd reload

3. Verify the settings by connecting with the SSL ver 3 protocol:

# openssl s_client -connect localhost:443 -ssl3

It should connect. You can also try connecting with SSL ver 2, which should result in an error. Request the PCI test again and it should not complain about Apache SSL-related issues.
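The edit in step 1 can also be checked offline before the reload. The script below is an added example, not part of the original post: it works out which protocols the last SSLProtocol line in a config file leaves enabled and fails if SSLv2 is among them. The function names and sample configs are constructed here, and it assumes httpd 2.2 semantics, where "all" means SSLv2 + SSLv3 + TLSv1, and a single configuration scope.

```shell
#!/bin/sh
# Added example: offline check of the SSLProtocol directive in an Apache ssl.conf.
# Assumptions: httpd 2.2 semantics ("all" = SSLv2 + SSLv3 + TLSv1) and a single
# scope, so the last SSLProtocol line in the file is the one that applies.

# Print the protocols left enabled by the last SSLProtocol line.
effective_protocols() {
    awk '
    tolower($1) == "sslprotocol" {
        v2 = 0; v3 = 0; t1 = 0; seen = 1          # each directive starts empty
        for (i = 2; i <= NF; i++) {
            tok = tolower($i); act = ""
            if (tok ~ /^[+-]/) { act = substr(tok, 1, 1); tok = substr(tok, 2) }
            if (act == "") { v2 = 0; v3 = 0; t1 = 0 }   # bare token replaces the set
            on = (act == "-") ? 0 : 1
            if (tok == "all")        { v2 = on; v3 = on; t1 = on }
            else if (tok == "sslv2") { v2 = on }
            else if (tok == "sslv3") { v3 = on }
            else if (tok == "tlsv1") { t1 = on }
        }
    }
    END {
        if (!seen) { v2 = 1; v3 = 1; t1 = 1 }     # no directive: default is "all"
        out = ""
        if (v2) out = out " SSLv2"
        if (v3) out = out " SSLv3"
        if (t1) out = out " TLSv1"
        print substr(out, 2)
    }' "$1"
}

# Return 0 only when SSLv2 is absent from the effective protocol set.
sslv2_disabled() {
    case " $(effective_protocols "$1") " in
        *" SSLv2 "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample configs (not taken from a real server).
demo_dir=$(mktemp -d)
printf '%s\n' '## old default' 'SSLProtocol all' > "$demo_dir/weak.conf"
printf '%s\n' 'SSLProtocol all' 'SSLProtocol -All +SSLv3 +TLSv1' > "$demo_dir/fixed.conf"
for f in "$demo_dir/weak.conf" "$demo_dir/fixed.conf"; do
    if sslv2_disabled "$f"; then verdict=PASS; else verdict=FAIL; fi
    echo "$verdict ${f##*/}: $(effective_protocols "$f")"
done
rm -rf "$demo_dir"
```

To check the real file, call sslv2_disabled /etc/httpd/conf.d/ssl.conf and look at the exit status.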

Apache URL rewriting with masking

I got an assignment where I have to move some apps from one server (due to immense load) to a different server without changing URLs. The main software app should remain on the first server and all the other smaller apps should be moved to another server, but because all the apps are integrated with each other (for seamless login etc.), the URL in the browser should not change when browsing the main app or any of its subordinate apps residing on a different server.

The quick solution is to update httpd.conf on your main server to redirect traffic for certain apps to a different server (or domain). Apache will work like a proxy when accessing the other apps. For example, here are sample URLs:

Fix subversion/svn child exit signal segmentation fault error in Apache

When running Subversion with Apache, however good your config is, you may still find that your svn repos are not accessible through http:// or https://, and most probably you'll find this error in your Apache error logs:

child pid 6485 exit signal Segmentation fault (11)

In my CentOS 5.2 box with httpd 2.2.3 and subversion 1.6.1, this error caused me enough headache and took a long time before I was able to find the root cause. The problem is caused by a collision of the apr and apu utilities, which are installed by both Subversion and Apache. These packages are required to access svn via Apache. The subversion-deps package contains apr and apr-util version 0.9.x, but Apache 2.2.x uses apr and apr-util 1.2.x, and Subversion and Apache must be using the same version of apr and apr-util; otherwise the result can be the above error.

Download, install and configure Perlbal to load balance web servers

Perlbal is a fast and efficient web server and reverse proxy (load balancer). Here are quick steps to get started with it. I have tested perlbal-1.60 on my CentOS 5 box. There are many other possible ways to do the same, and the way which worked for me may not work for you.

Step 1. Download Perlbal OR install it via the Perl CPAN shell, like this:
# perl -MCPAN -e shell
cpan> install Perlbal

Step 2. Locate its sample config (/root/.cpan/build/Perlbal-1.60/doc/config-guide.txt); if you downloaded and compiled it yourself, the file will be in the source tree. Put this file in /etc/perlbal as perlbal.conf.
# mkdir /etc/perlbal
# cp /root/.cpan/build/Perlbal-1.60/doc/config-guide.txt /etc/perlbal/perlbal.conf
