Showing posts with label Apache. Show all posts

Friday, 28 June 2013

How to find the least busy or busiest time on an Apache web server

# cut -d: -f 2 /var/log/httpd/*access_log* | sort | uniq -c

290873 00
184948 01
115479 02
84129 03
71059 04
67632 05
88071 06
149285 07
275537 08
431069 09
529708 10
586744 11
599993 12
591466 13
565942 14
585796 15
611814 16
639781 17
625244 18
622163 19
574962 20
558504 21
503386 22
412359 23


The first column is the number of hits on the webserver, the second column is the time of the day. In this example the 5th hour (05:00 - 05:59) is the least busy hour, the 18th hour (18:00 - 18:59) is the busiest hour.
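The `cut -d: -f 2` one-liner takes whatever sits between the first and second colon on each line, so a line whose client address is IPv6 contributes a fragment of the address instead of the hour. The following is an added example, not part of the original post: it takes the hour from the bracketed timestamp and reports the quietest and busiest hour. The log lines are constructed sample data.

```shell
#!/bin/sh
# hits_per_hour: read access-log lines (common/combined format) on stdin and
# print "HH count" per hour, taking HH from the bracketed timestamp
# [dd/Mon/yyyy:HH:MM:SS zone] instead of from the second ':'-separated field.
hits_per_hour() {
    awk '
        match($0, /\[[0-9]+\/[A-Za-z]+\/[0-9]+:[0-9][0-9]:/) {
            hour = substr($0, RSTART + RLENGTH - 3, 2)
            count[hour]++
        }
        END { for (h in count) print h, count[h] }
    ' | sort
}

# quietest_and_busiest: reduce "HH count" lines to "quietest=HH busiest=HH".
# On a tie the earliest hour wins, because the input is sorted by hour.
quietest_and_busiest() {
    awk '
        NR == 1 || $2 < min { min = $2; lo = $1 }
        NR == 1 || $2 > max { max = $2; hi = $1 }
        END { if (NR) print "quietest=" lo " busiest=" hi }
    '
}

# Constructed sample log; the second line has an IPv6 client address.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [28/Jun/2013:05:12:01 +0000] "GET / HTTP/1.1" 200 512
2001:db8::1 - - [28/Jun/2013:17:03:44 +0000] "GET /a HTTP/1.1" 200 128
192.0.2.11 - - [28/Jun/2013:17:40:09 +0000] "GET /b HTTP/1.1" 404 0
198.51.100.7 - - [28/Jun/2013:17:59:59 +0000] "POST /c HTTP/1.1" 200 64
192.0.2.10 - - [28/Jun/2013:09:00:00 +0000] "GET / HTTP/1.1" 200 512
192.0.2.12 - - [28/Jun/2013:09:30:00 +0000] "GET / HTTP/1.1" 200 512
EOF
}

sample_log | hits_per_hour
sample_log | hits_per_hour | quietest_and_busiest
```

On a real server, replace `sample_log` with `cat /var/log/httpd/*access_log*`.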

Thursday, 22 March 2012

How to setup SSL on Apache

SSL certificates verify your identity with an end user and make it possible to encrypt the communication between two hosts.

The browser would check the web server's certificate to see if it's valid or not. If the certificate is valid the browser and web server negotiate on an encryption algorithm they both can understand.

Once a negotiation has been reached they use unique keys or codes (public key and private key) for encrypting and decrypting the data on both sides. Finally the browser and web server communicate securely so no one can eavesdrop on their conversation. Secure Sockets Layer (SSL) is used in e-commerce and other applications where the information being transmitted must be secure and not visible to anyone watching the network traffic.

SSL certificates must be signed by a trusted authority, more commonly known as a Certificate Authority (CA). CAs confirm your identity by adding their signature to your SSL certificate. On the web browser side, browsers like Firefox and Internet Explorer have a list of CA fingerprints to match against the SSL certificates they come across. If all goes well your browser accepts the certificate and gives no complaints; however, if the certificate doesn't carry the fingerprint of a CA on file, the browser complains and typically throws up a window saying the certificate is bad or shouldn't be trusted.

OpenSSL helps in creating self signed certificates for free. Self-signed certs are the same as signed versions except for the fact that a CA doesn't stamp it with their approval, instead you stamp it with yours.

Self-signed certs offer the same amount of protection but at the cost of dealing with the annoying popup alert the browser displays and someone being able to forge your identity.

SSL is a layered protocol and consists of four sub-protocols:
  !  SSL Handshake Protocol
  !  SSL Change Cipher Spec Protocol
  !  SSL Alert Protocol
  !  SSL Record Layer

@ Get the apache package first  

# cd /ctechz/

# wget http://apache.mirrors.hoobly.com//httpd/httpd-2.2.22.tar.gz

# gunzip httpd-2.2.22.tar.gz

# tar -xvf httpd-2.2.22.tar

# cd httpd-2.2.22

# ./configure --prefix=/opt/apachessl/ --enable-ssl --enable-so

# make

# make install

# cd /opt/apachessl

# /opt/apachessl/bin/apachectl start

Open http://192.168.1.240 in a browser. It will show the default Apache page if everything is working. If you need a custom HTML page, follow the steps below.

# mkdir /opt/apachessl/htdocs/ctechz.com/   ## this is its default document root

Create an index.html page there.

# vim /opt/apachessl/conf/httpd.conf

<VirtualHost 192.168.1.240:80>
    DocumentRoot /opt/apachessl/htdocs/ctechz.com/
    ServerName ctechz.com
</VirtualHost>

Listen 192.168.1.240:80

@ Now generate a self signed ssl certificate key

# cd /opt/apachessl/conf/

# mkdir ssl

# cd ssl

Generate the private key file (server.key), the certificate signing request file (server.csr) and the web server certificate file (server.crt) that can be used on an Apache server with mod_ssl.

Generate Private Key on the Server Running Apache + mod_ssl

First, generate a private key on the Linux server that runs Apache webserver using openssl command as shown below.

Generating RSA private key, 1024 bit long modulus.

# openssl genrsa -des3 -out www.ctechz.com.key 1024

Generate a Certificate Signing Request (CSR)

Using the key generated above, you should generate a certificate request file (CSR) using openssl as shown below.

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

# openssl req -new -key www.ctechz.com.key -out www.ctechz.com.csr

@ Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

Do this only if you entered a passphrase while creating the key file.

# cp www.ctechz.com.key www.ctechz.com.key.org

# openssl rsa -in www.ctechz.com.key.org -out www.ctechz.com.key

Generate a Self-Signed SSL Certificate

For testing purposes, you can generate a self-signed SSL certificate that is valid for 1 year using the openssl command as shown below.

# openssl x509 -req -days 365 -in www.ctechz.com.csr -signkey www.ctechz.com.key -out www.ctechz.com.crt

After generating the certificate, if your setup has a default location for each certificate file, copy the files to that location. Here I created a directory called ssl under /opt/apachessl (/opt/apachessl/ssl) and copied all the files there.

Then edit httpd.conf and point it at the certificate. For Apache on Red Hat using the default location, the config file is /etc/httpd/conf/apache.conf. Note that your apache.conf file may make use of separate config files and you may have an /etc/httpd/conf.d/ssl.conf file. Check for this first before you place the following in your apache.conf file.

# cd /opt/apachessl/conf

# vim httpd.conf

Listen *:80
Listen *:443

<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /opt/apachessl/htdocs/ctechz.com/
    ServerName ctechz.com
#  ErrorLog logs/dummy-host.example.com-error_log
#  CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

<VirtualHost *:443>
#    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /opt/apachessl/htdocs/ctechz.com/
    ServerName ctechz.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
SSLEngine on

SSLCertificateFile /opt/apachessl/ssl/www.ctechz.com.crt
SSLCertificateKeyFile /opt/apachessl/ssl/www.ctechz.com.key
</VirtualHost>

Then open the following link in a browser:
https://192.168.1.240
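Two things in this setup fail quietly until Apache is restarted or the host is compromised: a certificate or key path in httpd.conf that points at a directory where the file does not exist, and an unencrypted private key that users other than its owner can read. The following is an added example, not part of the original post: a small check for both. The function names and the sample tree built under a temporary directory are assumptions made for the illustration, and paths are assumed to be unquoted.

```shell
#!/bin/sh
# ssl_paths CONF: print "Directive path" for each active (uncommented)
# SSLCertificateFile / SSLCertificateKeyFile line. Directive names are
# matched case-insensitively, as Apache does.
ssl_paths() {
    awk 'tolower($1) == "sslcertificatefile" || tolower($1) == "sslcertificatekeyfile" { print $1, $2 }' "$1"
}

# key_is_private FILE: succeed only if group and other have no access bits,
# judged from the mode string printed by ls -l (for example -rw-------).
key_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# check_ssl_conf CONF: print one finding per problem and return 1,
# or print OK and return 0.
check_ssl_conf() {
    findings=$(
        ssl_paths "$1" | while read -r directive path; do
            if [ ! -f "$path" ]; then
                echo "MISSING $directive $path"
            elif [ "$directive" = "SSLCertificateKeyFile" ] && ! key_is_private "$path"; then
                echo "LOOSE-PERMS $path"
            fi
        done
    )
    if [ -n "$findings" ]; then echo "$findings"; return 1; fi
    echo "OK"
}

# demo: constructed tree with placeholder files (not real keys). The key path
# first points at the wrong directory, then at a key that is mode 0644.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/apachessl/ssl"
    echo "constructed placeholder" > "$root/apachessl/ssl/www.ctechz.com.crt"
    echo "constructed placeholder" > "$root/apachessl/ssl/www.ctechz.com.key"
    chmod 644 "$root/apachessl/ssl/www.ctechz.com.key"
    cat > "$root/httpd.conf" <<EOF
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile $root/apachessl/ssl/www.ctechz.com.crt
SSLCertificateKeyFile $root/apache/ssl/www.ctechz.com.key
</VirtualHost>
EOF
    check_ssl_conf "$root/httpd.conf" || true    # MISSING: wrong directory
    sed "s#/apache/ssl/#/apachessl/ssl/#" "$root/httpd.conf" > "$root/fixed.conf"
    check_ssl_conf "$root/fixed.conf" || true    # LOOSE-PERMS: key is 0644
    chmod 600 "$root/apachessl/ssl/www.ctechz.com.key"
    check_ssl_conf "$root/fixed.conf"            # OK
    rm -rf "$root"
}
demo
```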

Thursday, 26 January 2012

Useful Apache commands



# apachectl -k graceful
In a server environment, use the apachectl command instead of /etc/init.d/httpd. The apachectl command is used to control the Apache httpd daemon.

# apachectl -k restart
The difference between apachectl -k graceful and apachectl -k restart is that with the former current requests are not aborted, while with the latter current requests are aborted.


# ps -ef | grep httpd
This command lists the httpd processes. The -f option lists in full format and the -e option lists all system processes. Using this command we can find the processes that are causing trouble, and those processes can be killed using the kill command.

# kill -TERM 'pid'
Normally there are no more than 50-60 child Apache processes at a time. If there are more, it could probably be an attack. If we notice an Apache attack, stop the Apache service at once using the following command.

# apachectl -k stop
If we notice that it is a server attack, i.e. attacks like denial of service or flooding, then disconnect the network cable at once.

# locate httpd.pid
# cat /var/run/httpd.pid
This command prints the running Apache process ID, i.e. the ID of the parent Apache process.

# ps -auxf | grep httpd
This command lists all httpd processes in full format.

# vi /etc/init.d/httpd
This file is the script used to run the Apache service.


# ps -ef --forest | grep httpd
This command lists the httpd processes, i.e. the parent Apache process and its children, in full format (-f option). Each child can have its own children and so on.


# netstat -tn
Prints the foreign connections to the server and the ports through which they are connected.


# netstat | grep 35296
Lists the details about this particular port.


# lsof -i tcp:80
This command lists the open files (lsof) that use TCP port 80.


# lsof -i tcp:80 | wc -l
Lists the number of files that are open on TCP port 80.
 


# cat /etc/httpd/conf/httpd.conf | grep User
Lists the user/group who run httpd. 


# top -u apache
Lists all processes run by the user apache.


# httpd -l
Lists compiled-in modules.


# httpd -M
Shows all loaded modules.


# httpd -L
Lists available configuration directives.


# httpd -v
Shows the Apache version.
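When the number of httpd children climbs, the `netstat -tn` listing described above shows who is holding the connections, but on a busy server it is too long to read by eye. The following is an added example, not part of the original post: it tallies connections to one local port per foreign address and filters by a limit. The function names, the limit and the netstat output are constructed for the illustration.

```shell
#!/bin/sh
# conns_per_client PORT: read `netstat -tn` output on stdin and print
# "count address" for every foreign address connected to local PORT,
# busiest first. IPv4-mapped addresses (::ffff:a.b.c.d) are folded into
# their IPv4 form so one client is not counted under two names.
conns_per_client() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && NF >= 6 {
            lport = $4; sub(/.*:/, "", lport)       # text after the last ":"
            raddr = $5; sub(/:[0-9]+$/, "", raddr)  # drop the remote port
            sub(/^::ffff:/, "", raddr)
            if (lport == port) n[raddr]++
        }
        END { for (a in n) print n[a], a }
    ' | sort -k1,1nr -k2,2
}

# over_threshold LIMIT: keep only clients holding more than LIMIT connections.
over_threshold() {
    awk -v limit="$1" '$1 > limit'
}

# Constructed netstat -tn output (documentation address ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.240:80        203.0.113.9:51514       ESTABLISHED
tcp        0      0 192.168.1.240:80        203.0.113.9:51515       ESTABLISHED
tcp        0      0 192.168.1.240:80        203.0.113.9:51516       SYN_RECV
tcp        0      0 192.168.1.240:80        198.51.100.20:40112     ESTABLISHED
tcp        0      0 192.168.1.240:22        198.51.100.20:40200     ESTABLISHED
tcp6       0      0 ::ffff:192.168.1.240:80 ::ffff:203.0.113.9:51517 TIME_WAIT
EOF
}

sample_netstat | conns_per_client 80
sample_netstat | conns_per_client 80 | over_threshold 3
```

On a live server the input is `netstat -tn | conns_per_client 80`; a sensible limit depends on the site's normal traffic.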



Saturday, 21 January 2012

High Availability Cluster On CentOS for apache

Configuring A High Availability Cluster with Heartbeat On CentOS for apache

This guide shows how you can set up a two node, high-availability / failover HTTP cluster with heartbeat on CentOS. Both nodes use the Apache web server to serve the same content.

Pre-Configuration Requirements:

1. Assign hostname node01 to the primary node, with IP address 172.16.4.80 on eth0.

2. Assign hostname node02 to the slave node, with IP address 172.16.4.81.

Note: uname -n must return node01 on node01 and node02 on node02.

172.16.4.82 is the virtual IP address that will be used for our Apache webserver (i.e., Apache will listen on that address)

Configuration:

1. Download and install the heartbeat package. Here I use CentOS, so we will install heartbeat with yum:

# yum install heartbeat
  
or download these packages:

heartbeat-2.08
heartbeat-pils-2.08
heartbeat-stonith-2.08

 2. Now we have to configure heartbeat on our two node cluster. We will deal with three files. These are:

authkeys
ha.cf 
haresources

3. Now moving to our configuration. But there is one more thing to do, that is to copy these files to the /etc/ha.d directory. In our case we copy these files as given below: 

 # cp /usr/share/doc/heartbeat-2.1.2/authkeys /etc/ha.d/
 # cp /usr/share/doc/heartbeat-2.1.2/ha.cf /etc/ha.d/
 # cp /usr/share/doc/heartbeat-2.1.2/haresources /etc/ha.d/

4. Now let's start configuring heartbeat. First we will deal with the authkeys file, we will use authentication method 2 (sha1). For this we will make changes in the authkeys file as below. 

vi /etc/ha.d/authkeys

Then add the following lines: 

auth 2
2 sha1 test-ha

Change the permission of the authkeys file:

# chmod 600 /etc/ha.d/authkeys

5. Moving to our second file (ha.cf) which is the most important. So edit the ha.cf file with vi:

# vi /etc/ha.d/ha.cf

Add the following lines in the ha.cf file:

logfile /var/log/ha-log
logfacility local0
keepalive 2
deadtime 30
initdead 120
bcast eth0
udpport 694
auto_failback on
node node01
node node02

Note: node01 and node02 are the names returned by uname -n.

6. The final piece of work in our configuration is to edit the haresources file. This file contains the information about the resources which we want to make highly available. In our case we want the web server (httpd) highly available:

vi /etc/ha.d/haresources

Add the following line:

node01 172.16.4.82 httpd

7. Copy the /etc/ha.d/ directory from node01 to node02:

scp -r /etc/ha.d/ root@node02:/etc/

8. As we want httpd highly available, let's start configuring httpd:

vi /etc/httpd/conf/httpd.conf

Add this line in httpd.conf:

Listen 172.16.4.82:80

9. Copy the /etc/httpd/conf/httpd.conf file to node02:

scp /etc/httpd/conf/httpd.conf root@node02:/etc/httpd/conf/


10. Create the file index.html on both nodes (node01 & node02):
On node01:

echo "node01 apache test server" > /var/www/html/index.html

On node02:

echo "node02 apache test server" > /var/www/html/index.html

11. Now start heartbeat on the primary node01 and slave node02: 

/etc/init.d/heartbeat start

12. Open web-browser and type in the URL:

http://172.16.4.82

It will show node01 apache test server. 

13. Now stop the heartbeat daemon on node01:

/etc/init.d/heartbeat stop

In your browser type in the URL http://172.16.4.82 and press enter.

It will show node02 apache test server.

14. We don't need to create a virtual network interface and assign an IP address (172.16.4.82) to it. Heartbeat will do this for you, and start the service (httpd) itself. So don't worry about this.

Don't use the IP addresses 172.16.4.80 and 172.16.4.81 for services. These addresses are used by heartbeat for communication between node01 and node02. If either of them is used for services/resources, it will disturb heartbeat and the cluster will not work.
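The three files in /etc/ha.d have to agree with each other and with `uname -n`, and authkeys holds the secret that authenticates cluster traffic, so it must stay owner-only. The following is an added example, not part of the original guide: a lint for a heartbeat configuration directory that checks those points before the daemon is started. The function name and finding messages are assumptions, and the demo directory is constructed from the values used in this guide.

```shell
#!/bin/sh
# check_ha_dir DIR HOSTNAME: lint DIR/authkeys, DIR/ha.cf and DIR/haresources.
# HOSTNAME is the name this node reports with `uname -n`.
# Prints one finding per line and returns 1, or prints OK and returns 0.
check_ha_dir() {
    dir=$1; host=$2
    findings=$(
        # authkeys holds the shared secret: no group/other access bits.
        [ "$(ls -ld "$dir/authkeys" | cut -c5-10)" = "------" ] ||
            echo "authkeys: group/other can access the file"
        # "auth N" must select a key line "N method secret" that exists.
        awk '$1 == "auth" { want = $2 } $1 ~ /^[0-9]+$/ { have[$1] = 1 }
             END { if (!(want in have)) print "authkeys: auth " want " has no matching key line" }' "$dir/authkeys"
        # This node and every haresources owner must be declared in ha.cf.
        nodes=$(awk '$1 == "node" { for (i = 2; i <= NF; i++) print $i }' "$dir/ha.cf")
        echo "$nodes" | grep -qxF "$host" || echo "ha.cf: no node line for $host"
        awk '!/^#/ && NF { print $1 }' "$dir/haresources" | while read -r owner; do
            echo "$nodes" | grep -qxF "$owner" ||
                echo "haresources: $owner is not a node in ha.cf"
        done
    )
    if [ -n "$findings" ]; then echo "$findings"; return 1; fi
    echo "OK"
}

# demo: constructed directory using the values from this guide.
demo() {
    d=$(mktemp -d)
    printf 'auth 2\n2 sha1 test-ha\n' > "$d/authkeys"; chmod 600 "$d/authkeys"
    printf 'keepalive 2\ndeadtime 30\nbcast eth0\nnode node01\nnode node02\n' > "$d/ha.cf"
    printf 'node01 172.16.4.82 httpd\n' > "$d/haresources"
    check_ha_dir "$d" node01                 # OK
    chmod 644 "$d/authkeys"
    check_ha_dir "$d" node03 || true         # loose authkeys, unknown host
    rm -rf "$d"
}
demo
```

On a cluster node, run it as `check_ha_dir /etc/ha.d "$(uname -n)"`.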


Friday, 20 January 2012

How to Recompile Apache

We can add a new Apache module either by recompiling Apache or by using the apxs tool.

Check which options are available under configure for what you need to compile:
./configure --help

Install Apache to a particular location using "--prefix":
# ./configure --prefix=/home/apache/ 
# make
# make install

If you only need Apache to serve HTML pages, just start the service:
# /home/apache/bin/apachectl start

Make the needed changes in the Apache configuration file. Change the Listen directive (80 or 8080) if you need to listen on another port, for example:
Listen 192.168.1.197:8080
The server is then reachable at http://192.168.1.197:8080

Then, if you want to compile PHP with Apache, download the PHP source:

# Download php-5.3.8.tar.gz
# /home/apache/bin/apachectl stop
# cd php-5.3.8
# ./configure --prefix=/home/php --with-apxs2=/home/apache/bin/apxs --with-config-file-path=/home/php --prefix=/home/apache/php
# make 
# make test
# make install
# cp /usr/local/src/php-5.3.8/php.ini-development  /home/php/lib/php.ini  

Now load the PHP module. Check that the module (libphp5.so) is present in /home/apache/modules/, then add the PHP module to httpd.conf if it is not already there:
    LoadModule php5_module modules/libphp5.so

 # Tell Apache to parse certain extensions as PHP. In httpd.conf add
    AddType application/x-httpd-php .php
 This tells Apache which file types (php, jsp, etc.) it has to handle.

For new PHP versions add the tag "php", and put index.html and info.php in /home/apache/htdocs/:

<?php
 phpinfo();
 ?>

Adding new module using apache apxs tool

Here we add a gsoap module to Apache.
/bin/httpd -l ------ shows the static modules installed when we configured Apache.

# cd gsoap-2.8/ -------- Download this package

# cd /usr/local/src/gsoap-2.8/gsoap/mod_gsoap/mod_gsoap-0.6/apache_20
  Now add the gsoap module.
Before compiling the module make sure that Apache is running.
Then add the module using the apxs tool:
# /home/apache/bin/apxs -a -i -c mod_gsoap.c

This compiles the .c file and creates a .o file (mod_gsoap.o); if Apache is running it creates/copies a .so file into the apache/modules folder. Modules added this way are called dynamic modules.

Check that the module has reached the Apache modules folder:

# ls /home/apache/modules/ (mod_gsoap.so)

Then add the LoadModule line to httpd.conf (check whether the line below is already there; in Apache 2.x it may be added automatically):

LoadModule gsoap_module modules/mod_gsoap.so 

# Restart Apache

Enable another module by re-compiling apache

If we want to enable another option/module in Apache, either recompile Apache or add its module. To recompile Apache, go to its source. (On production servers do not recompile, because errors may occur; only add modules using apxs.) Here we are going to install the ldap module.

Take the Apache source package that you already installed, same version:
# cd /usr/local/src/httpd-2.2.21
# make clean
# make distclean
# ./configure --prefix=/home/apache/ --enable-ldap
# make
# make install
# /home/apache/bin/httpd -l
     util_ldap.c

It is always better to use the apxs tool than to recompile Apache.



How to Compile Apache & Php in linux

  Compiling PHP and Apache from source

Assuming Apache source and Php source are in /usr/src directory.

To compile Apache
$ cd /usr/src 
$ tar -zxvf httpd-2.0.44.tar.gz
$ cd /usr/src/httpd-2.0.44 
$ ./configure --prefix=/wwwroot --enable-so
(--enable-so enables Dynamic Shared Object (DSO) support.)
$ make 
$ make install
$ /wwwroot/bin/apachectl start 

Now test apache installation by going to http://localhost.
Stop apache for php installation.

$ /wwwroot/bin/apachectl stop

To compile PHP
$ cd /usr/src
$ tar -zxvf php-4.3.0.tar.gz
$ cd /usr/src/php-4.3.0
$ ./configure --prefix=/wwwroot/php --with-apxs2=/wwwroot/bin/apxs --with-config-file-path=/wwwroot/php --with-mysql
$ make 
$ make install

Now you have to edit Apache configuration file /wwwroot/conf/httpd.conf.

If LoadModule php4_module modules/libphp4.so line hasn't been added by php install to /wwwroot/conf/httpd.conf, then you have to add it yourself. Add it somewhere below section named "Dynamic Shared Object (DSO) Support" 

LoadModule php4_module modules/libphp4.so 

Now add this line to /wwwroot/conf/httpd.conf file: 

AddType application/x-httpd-php .php

Start Apache now:
$ /wwwroot/bin/apachectl start
Now create a test PHP file using any text editor and add these lines to it:
<?php
phpinfo();
?>

Save it under /wwwroot/htdocs as info.php
Now test your PHP installation by accessing file info.php:

http://localhost/info.php

DSO
The modules can be statically compiled into the httpd binary when the server is built. Alternatively, modules can be compiled as Dynamic Shared Objects (DSOs) that exist separately from the main httpd binary file. DSO modules may be compiled at the time the server is built, or they may be compiled and added at a later time using the Apache Extension Tool (apxs). 

apxs is a tool for building and installing extension modules for the Apache HyperText Transfer Protocol (HTTP) server. This is achieved by building a dynamic shared object (DSO) from one or more source or object files, which can then be loaded into the Apache server at runtime via the LoadModule directive from mod_so.

So to use this extension mechanism your platform has to support the DSO feature and your Apache httpd binary has to be built with the mod_so module. The apxs tool automatically complains if this is not the case. You can check this yourself by manually running the command.

$ httpd -l

The module mod_so should be part of the displayed list. If these requirements are fulfilled you can easily extend your Apache server's functionality by installing your own modules with the DSO mechanism by the help of this apxs tool:

$ apxs -i -a -c mod_foo.c

The file arguments can be any C source file (.c), an object file (.o) or even a library archive (.a). The apxs tool automatically recognizes these extensions and uses the C source files for compilation while using the object and archive files only for the linking phase.

DSO helps to add dynamic modules after we install apache.