## Disbale SSLv2 and enable SSLv3
SSLProtocol -All +SSLv3 +TLSv1
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

2. Reload httpd service to apply the new settings:

# /etc/init.d/httpd reload

3. Verify the settings by connecting to SSL ver 3 protocol:

# openssl s_client -connect localhost:443 -ssl3

It should connect. you can also try connecting to SSL ver 2 which should result in error. Request the PCI test again and it should not complain about Apache SSL related issues.

The quick solution is to update httpd.conf in your main server to redirect traffic for certain apps to different server (or domain). Apache will work like a proxy when accessing other apps. for example, here are sample URLs:

Main Application: http://www.maindomain.com/
Pages of main application: http://www.maindomain.com/something.html
Other application 1: http://www.maindomain.com/wiki/
Other application 2: http://www.maindomain.com/forums/

Here’s what I’ve used, open httpd.conf and add following lines in it:

RewriteEngine on
RewriteRule ^/wiki/(.*) http://otherdomain.com/wiki/$1 [P,L]
RewriteRule ^/forums/(.*) http://otherdomain.com/forums/$1 [P,L]

ProxyPassReverse / http://otherdomain.com/

Details:
Pls make sure that mod_proxy and mod_rewrite are loaded in apache. In above lines:

line 1: Turns on rewrite engine provided by mod_rewrite
line 2 and 3: A rewrite rule to parse the url and detect the word (wiki) in begining of it. if word is there, then rewrite url using different domains (or IP address). The last parameter [P] indicates that its a proxy request.

line 4: URL that needs to be masked while browsing.

Save file, restart/reload httpd service and check. It worked in my case but your requirement may be different, I recommend having of a look of official documentation for url rewriting.

child pid 6485 exit signal Segmentation fault (11)

In my CentOS 5.2 box with httpd 2.2.3 and subversion 1.6.1, this error caused enough headache for me and claimed long time before I was able to find out the root cause. The problem is caused by collision of apr and apu utilities which are installed by both subversion and Apache. These packages are required to access svn via apache. The subversion-deps package contains apr and apr-util version 0.9.x, but apache 2.2.x uses apr and apr-util 1.2.x, and subversion and apache must be using the same version of apr and apr-util, else things can result in above error.

To get a fix, you need to re-compile subversion and inform that it should use Apache’s apr and apr-util packs instead of it’s own. You should search for apr-1-config and apu-1-config files in your server and then supply their path while running configure. I found both in my /usr/bin/ directory.

# cd subversion-1.6.1
# ./configure –with-apr=/usr/bin/apr-1-config –with-apr-util=/usr/bin/apu-1-config
# make
# make install

Now config your apache to access your repositories, you can find a quick howto here. It should run fine. Please post a comment in case you still not able to access your repos using Apache.

Step 1. Download perlbal OR install it via perl cpan, like this:

$ perl -MCPAN -e shell
cpan-> install perlbal

Step 2. Find out its sample config (/root/.cpan/build/Perlbal-1.60/doc/config-guide.txt) or if you downloaded and compiled it, file will be there. Put this file in /etc/perlbal as perlbal.conf.

$ mkdir /etc/perlbal
$ cp /root/.cpan/build/Perlbal-1.60/doc/config-guide.txt /etc/perlbal/perlbal.conf

Step 3. Update the perlbal.conf file as per your requirements.
for example, we are using it as load balancer, here is sample config

$ vi /etc/perlbal/perlbal.conf
CREATE POOL my_apaches
SET nodefile = conf/nodelist.dat  # IP of backend Apache servers.
 
CREATE SERVICE balancer
SET listen          = 0.0.0.0:80
SET role            = reverse_proxy
SET pool            = my_apaches
SET persist_client  = on
SET persist_backend = on
SET verify_backend  = on
ENABLE balancer
 
# Keep an internal management port open to reconfigure pool automatically via telnet
CREATE SERVICE mgmt
SET role   = management
SET listen = 127.0.0.1:60000
ENABLE mgmt

Step 4. Start perlbal module as daemon.

$ perlbal -d

Step 5. Test by connecting through management port

$ telnel 127.0.0.1 60000

Step 6. One major concern is that the backend servers will log entries with IP address of load balancer instead of actual user’s IP. To overcome this issue, install and configure mod_rpaf for apache at backend servers. Login in backend server and install the module:

$ cd /usr/src/
$ wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
$ tar xzf mod_rpaf-0.6.tar.gz
$ cd mod_rpaf-0.6
$ apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
$ vi /etc/httpd/conf/httpd.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 192.168.0.1  ## replace your IP of load balancer
RPAFheader X-Forwarded-For
 
$ service httpd restart

Testing

Step 1. Create a simple perl file and put it in cgi-bin directory of all backend servers.

$ vi /var/www/cgi-bin/test.pl
#!/usr/bin/perl
print "Content-Type: text/html\n\n";
print " Web server load balance testing ";
print "Web Server running fine.";
 
# Fetch IP of server
my $ifout =`ifconfig eth0 | grep inet`;
$ifout =~ m/\s+inet\saddr:([\d\.]+)\s.+/g;
 
print "This page is fetched from: $1 Server.";

Step 2. Start testing from browser and try to access the perl script from your load balancer server. Add more backends (by updating perlbal.conf) and test again. As per the load you will notice that perl script will be fetched from different back ends.

Adding / removing backends on the fly

Step 1. To maximum utilize the load balanced environment, there should be some technique by which backend servers can be added or removed on fly in the pool of perlbal as per the load. The topic of measuring load of backend servers and then making right decision is beyond the scope of this post. I developed some perl scripts to achieve the same in Amazon EC2[aws.amazon.com/ec2] environment, where we can create/remove servers on fly. If you are also on EC2, just post a comment or send mail to me and I will happily give scripts to you. Updating perlbal using a perl script with the help of Net::Telnet module is very easy. Here’s sample code:

use Net::Telnet;
$telnet=new Net::Telnet(Host=>$loadbalancerIP,Port=>60000,Timeout=>20, Errmode=>'Die');
$telnet->print("pool my_apaches add $newserverIP");
$telnet->waitfor('/OK/i');
$telnet->close;

Its Done. Play with it. One of the noticed minus point (as of ver 1.60), perlbal is not so efficient/capable while handling https connections. In case you have website which doesnt require https connections, perlbal should be given preferrence.

An alternate to perlbal is haproxy load balancer, I’ve covered it here, here and here as well.

You may also like to read:

* Install and configure haproxy load balancer, lightweight and fast alternative of perlbal/apache proxy.
* Enable or fix logging for Haproxy or perlbal load balancer.
* Install and setup haproxy load balancer for content switching.
* 5 steps to secure your Linux Server
* Ensuring secure access to production Linux Servers
* Bash script to backup essential log files in Linux