Securing Website through .htaccess behind CloudFlare or CDN


By default, when you want to block or allow some IP addresses on your website, you can simply add rules like the following to .htaccess (this is the Apache 2.2 syntax; Apache 2.4 still accepts it through mod_access_compat, but its native form is Require ip):

order deny,allow
deny from all
allow from 1.1.1.1
allow from 2.2.2.2

However, if you are using a service like CloudFlare or another CDN, rules like this do not work: every request reaches Apache from the CDN's proxy address, so the address Apache compares against (REMOTE_ADDR) is the proxy, not your visitor.

To work around this, match on the X-Forwarded-For header that the CDN adds instead. The third argument of SetEnvIf is a regular expression, so it must be anchored and the dots escaped; otherwise 1.1.1.1 also matches 11.1.1.1 or any header that merely contains that string somewhere. The CDN appends the address it accepted the connection from to whatever X-Forwarded-For the visitor already sent, so the visitor's real address is the last entry, and the pattern must match only that last entry:

SetEnvIf X-FORWARDED-FOR "(^|,\s*)1\.1\.1\.1$" allow
SetEnvIf X-FORWARDED-FOR "(^|,\s*)2\.2\.2\.2$" allow
order deny,allow
deny from all
allow from env=allow

Two caveats before relying on this. First, X-Forwarded-For is only trustworthy if the origin can be reached through the CDN alone: if the server is also reachable directly, anyone can connect to it and send X-Forwarded-For: 1.1.1.1 themselves, so firewall the origin down to the CDN's published address ranges. Second, on Apache 2.4 the cleaner approach is mod_remoteip (RemoteIPHeader together with RemoteIPTrustedProxy listing the CDN ranges), after which REMOTE_ADDR is the visitor again and the plain allow/deny or Require ip rules from the top of this article work as they do without a CDN. CloudFlare also sends the visitor address on its own, without any appended chain, in the CF-Connecting-IP header, which is the simpler header to use with RemoteIPHeader.

If you need an IP range or network block such as 1.1.1.0/24, the same idea applies, but a pattern such as "^1\.1\.1\.*" does not do what it looks like: \.* means "zero or more dots", so it also matches 1.1.12.7 and 1.1.100.1. Match the last octet explicitly, and again only as the last entry in the header:

SetEnvIf X-FORWARDED-FOR "(^|,\s*)1\.1\.1\.[0-9]{1,3}$" allow
order deny,allow
deny from all
allow from env=allow

Ranges that do not fall on an octet boundary are awkward to express as a regular expression; that is one more reason to prefer mod_remoteip with Require ip 1.1.1.0/24 where the Apache version allows it.
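As an added illustration (not code from the original article), the Python below models what the SetEnvIf rules above really compare against, and what a trusted-proxy-aware check does instead. The CDN range 198.51.100.0/24, the visitor addresses and the allowlist are constructed for the example; substitute the CDN's published ranges in practice. It assumes the CDN appends the address it accepted the connection from to any X-Forwarded-For the visitor already sent, which is the behaviour CloudFlare describes for that header.

```python
"""Which address do the SetEnvIf rules really test?  Added example, not from the article.

Constructed assumptions:
  - TRUSTED_PROXIES stands in for the CDN's published egress ranges (hypothetical 198.51.100.0/24).
  - The CDN appends the address it accepted the connection from to any X-Forwarded-For the
    visitor already sent, so the visitor is the rightmost entry that is not a trusted proxy.
"""
import ipaddress
import re

TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]        # hypothetical CDN range
ALLOWED = [ipaddress.ip_network(n) for n in ("1.1.1.1/32", "2.2.2.2/32", "1.1.1.0/24")]


def naive_allowed(xff):
    """Equivalent of `SetEnvIf X-FORWARDED-FOR 1.1.1.1 allow`: an unanchored regex with
    unescaped dots, so it fires on 11.1.1.1, 1x1x1x1, or 1.1.1.1 anywhere in the header."""
    return re.search("1.1.1.1", xff) is not None


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(xff, peer):
    """Return the visitor's address, or None if it cannot be established.

    peer is the TCP peer (Apache's REMOTE_ADDR). If it is not one of the trusted proxies, the
    request bypassed the CDN and X-Forwarded-For is whatever the sender chose to put there,
    so only the peer itself is believed.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not _is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):                 # rightmost entry was added by the CDN
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None                        # malformed header: fail closed
        if not _is_trusted(ip):
            return ip
    return None                                # only proxies in the chain: nobody to allow


def is_allowed(xff, peer):
    """Allowlist check on the resolved visitor address; unknown addresses are denied."""
    ip = client_ip(xff, peer)
    return ip is not None and any(ip in net for net in ALLOWED)


if __name__ == "__main__":
    CDN = "198.51.100.7"
    # Spoof attempt: visitor 203.0.113.9 sends its own "X-Forwarded-For: 1.1.1.1"; CDN appends.
    spoofed = "1.1.1.1, 203.0.113.9"
    print("naive:", naive_allowed(spoofed), " proxy-aware:", is_allowed(spoofed, CDN))   # True False
    # Direct connection that bypasses the CDN entirely, header forged outright.
    print("bypass:", is_allowed("1.1.1.1", "203.0.113.9"))                             # False
```

The two failure modes the script exercises are exactly the ones the .htaccess rules have to survive: a visitor who prepends an allowed address to the header before it reaches the CDN, and a visitor who skips the CDN and talks to the origin directly. The first is defeated by reading the header from the right; the second only by refusing to trust the header at all when the TCP peer is not the CDN, which at the Apache level means a firewall on the origin.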

cPanel: How to block visitor by country through GeoIP

To block a whole country you do not need to know which IP ranges it uses; the GeoIP module (mod_geoip) looks the country up for you.

To install GeoIP, refer to the following URL,
http://www.mickgenie.com/cpanel-how-to-install-mod_geoip

Next, add the following rules to the .htaccess file. mod_geoip must be loaded and enabled (GeoIPEnable On) for the GEOIP_COUNTRY_CODE variable to exist at all; if it is missing, the condition simply never matches and nothing is blocked, so test the rule after deploying it.

RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^CN$
RewriteRule ^(.*)$ http://www.google.com [L]

These rules redirect visitors whose address geolocates to China (country code CN) to google.com***. Two points are worth knowing. Redirecting to a third-party site hands them your traffic; answering with a plain 403 by using the [F] flag instead of the redirect target is usually the better choice. And if the site sits behind CloudFlare or another CDN, mod_geoip sees the CDN's address rather than the visitor's, so the country check is meaningless unless the real visitor address is restored first (mod_remoteip, as in the first article above), or unless you check the CF-IPCountry header that CloudFlare sends when its IP geolocation feature is enabled.

***This is an example only; it is not meant to discriminate against any user or visitor residing in China.

cPanel: How to install mod_geoip

There are many ways to install mod_geoip, but the easiest on a cPanel server running EasyApache 3 is to compile it through easyapache using the custom opt mod that cPanel provides.

To get it done, run the following command as root,

cd /var/cpanel/easy/apache/custom_opt_mods/
wget http://docs.cpanel.net/twiki/pub/EasyApache3/CustomMods/custom_opt_mod-mod_geoip.tar.gz
tar -zxf custom_opt_mod-mod_geoip.tar.gz

Next compile it with easyapache,

/scripts/easyapache

Then select Mod_GeoIP in the Short Options List.

cPanel: How to disable mod_security2 for account or path

To disable mod_security2 on a cPanel server for one account or one path, follow the steps below. Keep in mind that this removes WAF protection for whatever the include covers, so scope it as narrowly as you can; if a single rule is producing false positives, removing that rule with SecRuleRemoveById is preferable to switching the engine off.

1. Create the following folder. This is the include directory for the account's non-SSL vhost; if the site is also served over HTTPS, repeat the same steps under /usr/local/apache/conf/userdata/ssl/2/username/domain.com, otherwise the HTTPS vhost keeps mod_security2 enabled.

/usr/local/apache/conf/userdata/std/2/username/domain.com

2. Create a file named disabled_modsec2.conf in that path.
3. Put the following in it to disable mod_security2 for the whole domain:

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

For a specific path only (the argument to LocationMatch is a regular expression, so anchor it, for example ^/upload/; an unanchored /app also matches /apples):

<LocationMatch your_path>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>

4. Run the following script as root so that the new include is picked up:

/scripts/ensure_vhost_includes --user=username

Alternatively,
Edit the following file,

/usr/local/apache/conf/modsec2.conf

and add the rule below. SERVER_NAME is compared with a regular expression, so anchor it (an unanchored "domain.com" also matches notdomain.com and domain.com.attacker.example), and give the rule an id, which ModSecurity 2.7 and later require:

SecRule SERVER_NAME "^domain\.com$" "id:1001,phase:1,nolog,allow,ctl:ruleEngine=off"

Replace domain.com with the domain concerned (use ^(www\.)?domain\.com$ to cover the www host name as well). The id only has to be unique among your own rules; 1 to 99999 are reserved for local use.

Howto: Configure CloudLinux kernel on pv xen

In order to switch a hosted server running under PV Xen to the CloudLinux kernel, follow the steps below.

1. Make sure /etc/sysconfig/kernel contains the lines below; if the file does not exist, create it:

UPDATEDEFAULT=yes
DEFAULTKERNEL=kernel-xen

2. Install grub if it is not already installed:

yum install grub

3. Check that /etc/modprobe.conf exists and contains the following lines; add them if it does not:

alias eth0 xennet
alias scsi_hostadapter xenblk

4. If you have already installed the newer kernel, rebuild its initrd:

mkinitrd -f /boot/initrd-2.6.xxx.img 2.6.xxx

'xxx' should match the version of the newly installed kernel-xen.

5. Otherwise, install the kernel:

yum install kernel-xen

6. Check that /boot/grub/grub.conf exists; if the menu.lst and /etc/grub.conf links are missing, create them:

ln -s /boot/grub/grub.conf /boot/grub/menu.lst
ln -s /boot/grub/grub.conf /etc/grub.conf

7. Make sure /etc/grub.conf looks like this:

default=0
timeout=10
title CentOS (2.6.18-308.11.1.el5xen)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-308.11.1.el5xen console=xvc0 root=/dev/sda1 ro
initrd /boot/initrd-2.6.18-308.11.1.el5xen.img

The vmlinuz and initrd versions must match each other and the installed kernel.

8. Ask your hosting provider to change the kernel type to pygrub and reboot it.

Apache: service httpd does not support chkconfig

As you know, when you have installed Apache manually on your CentOS/Red Hat server (make && make install rather than yum) and would like the service to start automatically, you copy apachectl from the Apache bin folder to /etc/init.d/ under the name httpd.

Then, when you try to register it with chkconfig, you get the error below:

service httpd does not support chkconfig

To fix this, add the following header lines near the top of /etc/init.d/httpd, right after the #!/bin/sh line; chkconfig reads the chkconfig: and description: comments from the first comment block of the script.

#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve
# HTML files and CGI.
# processname: httpd
# pidfile: /usr/local/apache/logs/httpd.pid
# config: /usr/local/apache/conf/httpd.conf

Then run chkconfig again (the - in the chkconfig: line means no run levels are enabled by default, so they are given here explicitly):

chkconfig --level 235 httpd on

And now restart your httpd service.

Howto: Password protect a folder with Apache .htaccess

To protect a folder on your website, you can use the htpasswd tool available on the server.

To password protect /home/user/public_html/important with a user named admin, run the following command. The -c flag creates the file and overwrites it if it already exists, so leave -c out when adding a second user. With Apache 2.4.4 or later, -B stores a bcrypt hash instead of the default MD5-based one and is the better choice.

# htpasswd -c /home/user/public_html/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin
#

Then, add the following to the .htaccess file in the folder you want to protect, /home/user/public_html/important (putting it in the .htaccess at the top of public_html would protect the whole site). Keep the .htpasswd file itself outside the web root where possible: Apache's default configuration refuses to serve files whose names start with .ht, but a file outside public_html cannot be downloaded even if that protection is lost. Note also that Basic authentication sends the password with every request, only Base64-encoded, so use it over HTTPS only.

AuthUserFile /home/user/public_html/.htpasswd
AuthName "important"
AuthType Basic
Require valid-user

Now, access to your folder with the credential created.
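As an added example (not from the original article, and not Apache's own code), the Python below audits a .htpasswd file for weak hash formats and verifies a password against an $apr1$ entry offline, by reimplementing the MD5-crypt variant that htpasswd -m writes. The SAMPLE lines are constructed for the demonstration; the salt Zq9Tx1yA, the user names and the rule that only apr1 and bcrypt count as acceptable are assumptions of this example.

```python
"""Audit a .htpasswd file: flag weak hash formats and verify a password offline.

Added example, not code from the article. SAMPLE below is a constructed file; the
APR1 routine is the htpasswd -m algorithm (MD5-crypt with the $apr1$ magic) rewritten
on top of hashlib so it runs without Apache installed.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: low 6 bits first, `count` characters."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password, salt):
    """htpasswd -m: MD5-crypt with magic $apr1$; the salt is truncated to 8 characters."""
    magic = b"$apr1$"
    salt = salt[:8].encode()
    pw = password.encode()
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # mix in the alternate digest, 16 bytes at a time
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit > 0:                             # one byte per bit of the password length
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                      # stretching loop with a fixed salt/password pattern
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$apr1$" + salt.decode() + "$" + encoded


def classify(hashed):
    """Return (scheme, weak?) for the hash field of one .htpasswd line."""
    if hashed.startswith("$apr1$"):
        return "apr1-md5", False
    if hashed.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt", False
    if hashed.startswith("{SHA}"):
        return "sha1-unsalted", True           # htpasswd -s: unsalted, rainbow-table friendly
    if len(hashed) == 13:
        return "des-crypt", True               # htpasswd -d: 8-character password limit
    return "plaintext", True                   # htpasswd -p, or someone edited the file by hand


def verify_apr1(password, hashed):
    """Constant-time check of a password against a $apr1$ entry."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]), hashed)


def audit(htpasswd_text):
    """Parse user:hash lines; return {user: (scheme, weak?)} for the whole file."""
    report = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        report[user] = classify(hashed)
    return report


# Constructed sample: the {SHA} and plaintext entries are the kind a legacy file accumulates.
SAMPLE = "\n".join([
    "admin:" + apr1_hash("correct horse", "Zq9Tx1yA"),
    "legacy:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=",
    "ops:changeme",
])

if __name__ == "__main__":
    for user, (scheme, weak) in audit(SAMPLE).items():
        print(f"{user:8} {scheme:14} {'WEAK' if weak else 'ok'}")
```

Running the audit over a real file is how you find the plaintext or DES entries that an old htpasswd -p or -d left behind; re-set those users with -B. The verify function is useful when a user reports that a known-good password is rejected: it tells you whether the stored hash or the Apache configuration is at fault, without touching the live server.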

Linux: Generate an SSL key and CSR on Apache

It has been a while since MGe disappeared, and here I am back again after a long holiday to blog. 🙂

This article guides you through creating a CSR (Certificate Signing Request) on your Apache machine.

Web Server: Linux
Web Service: Apache

1. First of all, you need to create a key pair.

openssl genrsa -out www.mickgenie.com.key 2048

– Replace mickgenie.com with your domain name.
– The number 2048 is the bit length of the RSA key; use 2048 or more.

2. The command above writes the key unencrypted and does not ask for a pass phrase, which is what Apache needs in order to restart without manual input. If you do want the key encrypted, add -aes256 and you will be prompted for a pass phrase, which then has to be typed at every Apache start. Either way the key file must be readable by root only (mode 600), because anyone who can read it can impersonate the site.

3. Next, generate the CSR.

openssl req -new -key www.mickgenie.com.key -out www.mickgenie.com.csr

You will be asked for Country Name, State or Province, Locality or City, Company, Organizational Unit, Common Name and Email Address. The Common Name must be the exact host name the certificate is for (www.mickgenie.com here); leave the optional challenge password empty.

4. Review the CSR (openssl req with -noout -text prints its contents) and submit it to your SSL provider to purchase the certificate. Only the .csr file is sent; the .key file never leaves the server.

Apache: Premature End of Script Headers

In Apache, "Premature end of script headers" is a common error, and the message itself does not tell you the actual cause.

The error looks like this,

Premature end of script headers: /home/mickgenie/public_html/index.php

It means that Apache expected a complete set of HTTP headers from the script (terminated by a blank line) but did not get them, usually because the script died or was killed before it printed them.

From my experience, it is caused by at least one of the following four problems.
1. On a 32-bit server, the suPHP log file has reached 2 GB. Since 2 GB is the largest file a 32-bit server can write, check the size of the suPHP log at the path below and rotate it if it has hit the limit:
/usr/local/apache/logs/suphp_log

2. PHP version: if you recently upgraded PHP, the upgrade is one of the likely causes.

3. The RLimitCPU and RLimitMEM directives in httpd.conf: when the script exceeds the limit, the process is killed before it finishes its headers.

4. File permissions: suPHP and suexec require the script and its directory to be owned by the account user and not group- or world-writable, and they refuse to run it otherwise, which surfaces as this error.

Show Detailed Error when Moodle show blank page

One of our customers was getting a blank page from their Moodle installation and could not find any error in the Apache error_log.

After searching the Internet, it turned out that Moodle sets PHP values itself with ini_set, overriding what php.ini and the Apache configuration say.

To see the detailed error Moodle is hiding, add the following lines to the config.php file.

ini_set ('display_errors', 'on');
ini_set ('log_errors', 'on');
ini_set ('display_startup_errors', 'on');
ini_set ('error_reporting', E_ALL);

Now browse to the page again and you should see the detailed error. Remember that display_errors shows file paths, and sometimes configuration values, to every visitor, so remove these lines once the problem is found. For ongoing troubleshooting keep log_errors on and display_errors off, or use Moodle's own $CFG->debug and $CFG->debugdisplay settings in config.php, which are meant to be switched on briefly and off again.