fuss:apache [2017/02/22 18:30] – external edit 127.0.0.1 | fuss:apache [2025/05/22 15:11] (current) – [Creating Ban Lists for Apache] office
Line 360: | Line 360: | ||
& | & | ||
\end{eqnarray*} | \end{eqnarray*} | ||
+ | |||
+ | ====== Implementing a Global and Consistent Directory Index Style ====== | ||
+ | |||
+ | The following setup implements a global and consistent directory index style that can be used for multiple virtual hosts just by adding an include to any '' | ||
+ | |||
+ | < | ||
+ | + / | ||
+ | | | ||
+ | +---+ / | ||
+ | | + | ||
+ | | | | ||
+ | | +---+ conf-available/ | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | +---+ includes/ | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | | ||
+ | | +---+ sites-available/ | ||
+ | | + | ||
+ | | | | ||
+ | | +---+ vhost.conf | ||
+ | | | ||
+ | +---+ /var/www/ | ||
+ | + | ||
+ | | | ||
+ | +---+ .fancyindex.css | ||
+ | </ | ||
+ | |||
+ | where: | ||
+ | * ''/ | ||
+ | < | ||
+ | Alias "/ | ||
+ | </ | ||
+ | * ''/ | ||
+ | < | ||
+ | IndexOptions +Charset=UTF-8 | ||
+ | IndexOptions +TrackModified | ||
+ | IndexOptions +Charset=UTF-8 | ||
+ | IndexOptions +FoldersFirst | ||
+ | IndexOptions +NameWidth=* | ||
+ | IndexOptions +FancyIndexing | ||
+ | IndexOptions +HTMLTable | ||
+ | IndexOptions +SuppressDescription | ||
+ | IndexIgnore favicon.ico | ||
+ | IndexIgnore auth* | ||
+ | IndexIgnore include* | ||
+ | IndexIgnore css* | ||
+ | IndexIgnore share* | ||
+ | IndexIgnore upload* | ||
+ | IndexIgnore incoming* | ||
+ | IndexStyleSheet "/ | ||
+ | Options +Indexes | ||
+ | </ | ||
+ | * ''/ | ||
+ | < | ||
+ | < | ||
+ | include " | ||
+ | </ | ||
+ | </ | ||
+ | * ''/ | ||
+ | < | ||
+ | * { | ||
+ | font-family: | ||
+ | } | ||
+ | </ | ||
+ | and is responsible for setting the CSS for the rendered index page. | ||
+ | |||
+ | <WRAP info> | ||
+ | '' | ||
+ | </ | ||
+ | |||
+ | Perhaps a good reason for preferring this setup to using '' | ||
+ | |||
+ | ====== Globally Enable brotli Compression ====== | ||
+ | |||
+ | On Debian, to enable brotli compression, | ||
+ | <code bash> | ||
+ | apt-get install brotli | ||
+ | </ | ||
+ | |||
+ | and then the Apache module must be enabled by issuing the command: | ||
+ | <code bash> | ||
+ | a2enmod brotli | ||
+ | </ | ||
+ | |||
+ | Lastly, create the file ''/ | ||
+ | < | ||
+ | < | ||
+ | AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | The purpose of this file is to instruct the brotli Apache module to compress certain resources, namely textual content as well as javascript with the brotli compressor. | ||
+ | |||
+ | Finally, enable the configuration file by issuing the command: | ||
+ | <code bash> | ||
+ | a2enconf brotli | ||
+ | </ | ||
+ | |||
+ | and reload the Apache configuration: | ||
+ | <code bash> | ||
+ | systemctl apache2 reload | ||
+ | </ | ||
+ | |||
+ | The brotli compressor should now be enabled and will globally compress content as it is transferred from the Apache server. | ||
+ | |||
+ | Note that an alternative configuration is to add the contents of the file ''/ | ||
+ | |||
+ | ====== Rate Limiting an IP Network with mod_QoS ====== | ||
+ | |||
+ | The process of rate-limiting an IP network with Apache mod_qos involves matching an IP address block using the Apache2 '' | ||
+ | < | ||
+ | SetEnvIfExpr "-R ' | ||
+ | </ | ||
+ | where: | ||
+ | * ''" | ||
+ | * '' | ||
+ | |||
+ | followed by using mod_qos to rate-limit: | ||
+ | < | ||
+ | QS_EventLimitCount Amazon 10 60 | ||
+ | </ | ||
+ | where: | ||
+ | * '' | ||
+ | |||
+ | ====== Creating Ban Lists for Apache ====== | ||
+ | |||
+ | People conventionally block IP addresses on the networking layer instead of the application layer with Apache and for good reasons due to IP being a property of networking and not something that would be specific to Apache. However, given cloud services Apache might end up downstream with a real IP address passed via an HTTP header such that the banning is only possible after the HTTP session is decapsulated by a reverse proxy or an HTTP server like Apache. | ||
+ | |||
+ | In any case, it makes somewhat sense to block IP addresses at he application layer in that context. Previously we have written scripts that would pull databases, such as [[/ | ||
+ | |||
+ | <code bash> | ||
+ | # | ||
+ | ########################################################################### | ||
+ | ## Copyright (C) Wizardry and Steamworks 2025 - License: GNU GPLv3 ## | ||
+ | ########################################################################### | ||
+ | # This script is used to generate an universal blocklsit for Apache in # | ||
+ | # order to block various IP addresses or networks in CIDR notation by # | ||
+ | # pulling lists from various sources on the Internet. | ||
+ | ########################################################################### | ||
+ | |||
+ | APACHE_CONFIGURATION_FILE=/ | ||
+ | |||
+ | PEERBLOCK=$(curl -s -L " | ||
+ | gunzip | \ | ||
+ | cut -d: -f2 | \ | ||
+ | grep -E " | ||
+ | awk ' | ||
+ | xargs ipcalc -rn | grep -v deaggregate) | ||
+ | |||
+ | AWS=$(curl -s https:// | ||
+ | jq ' | ||
+ | grep -P -o ' | ||
+ | |||
+ | # preamble | ||
+ | cat >" | ||
+ | < | ||
+ | # Amazon AWS Blocking | ||
+ | < | ||
+ | Require all granted | ||
+ | EOF | ||
+ | |||
+ | # body | ||
+ | printf " | ||
+ | while IFS=$' | ||
+ | printf " | ||
+ | done <<< | ||
+ | printf " | ||
+ | while IFS=$' | ||
+ | printf " | ||
+ | done <<< | ||
+ | |||
+ | # postamble | ||
+ | cat >>" | ||
+ | </ | ||
+ | </ | ||
+ | EOF | ||
+ | |||
+ | </ | ||
+ | |||
+ | The script above is a variant of the ipset-generating scripts that is meant to create a single file that is placed within the '' | ||
+ | |||
+ | On the other hand, the script itself is placed within the daily crontab in order to regenerate the lists on a daily basis. | ||
+ | |||
+ | For the curious, the script above blocks Amazon AWS, because it has become very cheap hosting for harvesters and various other indexers (more than likely feeding " | ||
+ | |||
+ | ====== Max Open Files ====== | ||
+ | |||
+ | One error that might appear out of the blue when dealing with Apache is the "max open files" error, perhaps followed by an Apache error '' | ||
+ | |||
+ | Furthermore, | ||
+ | |||
+ | The issue stems from ''/ | ||
+ | <code bash> | ||
+ | ULIMIT_MAX_FILES=" | ||
+ | if [ " | ||
+ | if ! $ULIMIT_MAX_FILES ; then | ||
+ | |||
+ | </ | ||
+ | |||
+ | These lines make it such that the command defined by the variable '' | ||
+ | |||
+ | The issue is mostly encountered under containerization, | ||
+ | <code bash> | ||
+ | APACHE_ULIMIT_MAX_FILES=' | ||
+ | </ | ||
+ | or set a limit, as in: | ||
+ | <code bash> | ||
+ | APACHE_ULIMIT_MAX_FILES=' | ||
+ | </ | ||
+ | |||
+ | Note that the variable '' | ||
+ | |||
+ |
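Review bot: in the brotli section, `systemctl apache2 reload` has the verb and the unit reversed and will not reload anything; it should read `systemctl reload apache2`. Two smaller points in the same hunk: the directory-index snippet lists `IndexOptions +Charset=UTF-8` twice, so the second occurrence can be dropped, and the header comment of the ban-list script misspells "blocklist" as "blocklsit". On the ban list itself, the surrounding text states that behind a reverse proxy the real client address arrives in an HTTP header; the generated `Require` directives only match that address if Apache has been configured (mod_remoteip) to take the client address from that header, otherwise they are evaluated against the proxy's own address, so that prerequisite is worth stating next to the script.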