NEW_HTTP_SERVER_2.4


New features in Apache HTTP Server 2.4

 

  • Core Enhancements

     

    • Run-time Loadable MPMs
    • Event MPM
    • Asynchronous support
    • Per-module and per-directory LogLevel configuration
    • Per-request configuration sections
    • General-purpose expression parser
    • KeepAliveTimeout in milliseconds
    • NameVirtualHost directive
    • Override Configuration
    • Config file variables
    • Reduced memory usage

 

  • Module Enhancements

     

    • mod_ssl
    • mod_proxy
    • mod_proxy_balancer
    • mod_cache
    • mod_include
    • mod_cgi, mod_include, mod_isapi
    • mod_authz_core
    • mod_rewrite
    • mod_ldap, mod_authnz_ldap
    • mod_info
    • mod_auth_basic

 

  • Documentation

     

    • mod_rewrite
    • mod_ssl
    • Caching Guide

 

  • New Modules

     

    • mod_proxy_fcgi
    • mod_proxy_scgi
    • mod_proxy_express
    • mod_remoteip
    • mod_heartmonitor, mod_lbmethod_heartbeat
    • mod_proxy_html
    • mod_sed
    • mod_auth_form
    • mod_session
    • mod_allowmethods
    • mod_lua
    • mod_log_debug
    • mod_buffer
    • mod_data
    • mod_ratelimit
    • mod_request
    • mod_reflector
    • mod_slotmem_shm
    • mod_xml2enc
    • mod_macro
    • mod_proxy_wstunnel
    • mod_authnz_fcgi
    • mod_http2
    • mod_proxy_hcheck

 

 

  • Program Enhancements

     

    • fcgistarter
    • htcacheclean
    • rotatelogs
    • htpasswd, htdbm

 

 

Core Enhancements

Run-time Loadable MPMs
Multiple MPMs can now be built as loadable modules at compile time, and the MPM of choice is selected at run time with a LoadModule directive instead of being fixed when httpd is built.
./configure --enable-mpms-shared=all
 
Event MPM
The Event MPM is no longer experimental but is now fully supported.
The original goal of this MPM was to fix the 'keep alive problem' in HTTP. After a client completes the first request, it can keep the connection open and send further requests over the same socket, saving the significant overhead of creating new TCP connections. With the prefork and worker MPMs every idle keep-alive connection nonetheless ties up a whole process or thread; the event MPM hands idle connections to a dedicated listener thread and releases the worker, so far more keep-alive clients can be held for the same MaxRequestWorkers.
 
Asynchronous support
Better support for asynchronous read/write for supporting MPMs and platforms.
 
Per-module and per-directory LogLevel configuration
The LogLevel can now be configured per module and per directory. New levels trace1 to trace8 have been added above the debug log level.
Syntax:    LogLevel [module:]level [module:level] …
Default:    LogLevel warn
 
Per-request configuration sections
<If>, <ElseIf>, and <Else> sections can be used to set the configuration based on per-request criteria.
Example: the <If> section matches when the remote address of the request belongs to 10.1.0.0/16, the <ElseIf> matches when it belongs to 10.0.0.0/8 but not to 10.1.0.0/16, and <Else> covers everything else.
<If "-R '10.1.0.0/16'">
  #…
</If>
<ElseIf "-R '10.0.0.0/8'">
  #…
</ElseIf>
<Else>
  #…
</Else>
A related 2.4 addition is the Error directive, which aborts configuration parsing with a custom message. Combined with <IfModule> it turns a missing dependency into a clear startup failure instead of a silently misconfigured server:
# ensure that mod_include is loaded
<IfModule !include_module>
  Error "mod_include is required by mod_foo.  Load it with LoadModule."
</IfModule>
General-purpose expression parser
A new expression parser allows complex conditions to be specified with a common syntax in directives such as SetEnvIfExpr, RewriteCond, Header, <If>, and others.
 
KeepAliveTimeout in milliseconds
It is now possible to specify KeepAliveTimeout in milliseconds.
The number of seconds Apache httpd will wait for a subsequent request before closing the connection. By adding a postfix of ms the timeout can also be set in milliseconds. Once a request has been received, the timeout value specified by the Timeout directive applies.
Setting KeepAliveTimeout to a high value may cause performance problems on heavily loaded servers: with prefork or worker each idle keep-alive connection occupies a worker, so a few clients holding many idle connections open can exhaust MaxRequestWorkers. The event MPM reduces that cost but does not remove the need for a sane timeout.
Syntax: KeepAliveTimeout num[ms]
Default: KeepAliveTimeout 5
Example: KeepAliveTimeout 5
 
NameVirtualHost directive
The NameVirtualHost directive is no longer needed and is now deprecated: name-based virtual hosting is enabled automatically for any address that has more than one <VirtualHost>.
Override Configuration
The new AllowOverrideList directive allows individual directives to be permitted in .htaccess files. When AllowOverrideList is None and AllowOverride is also None, .htaccess files are completely ignored; the server does not even attempt to read them from the filesystem, which also removes the per-request lookup cost.
Example:
AllowOverride None
AllowOverrideList Redirect RedirectMatch
In the example above, only the Redirect and RedirectMatch directives are allowed in .htaccess files. All others will cause an Internal Server Error. Keeping the list to the few directives an application genuinely needs limits what an attacker who can write into the document root is able to change.
Config file variables
It is now possible to Define variables in the configuration, which gives a clearer representation when the same value is used in many places.
Reduced memory usage
Despite many new features, 2.4.x tends to use less memory than 2.2.x.

New Modules

mod_proxy_fcgi
FastCGI protocol backend for mod_proxy.
Example:
ProxyPass "/myapp/" "fcgi://localhost:4000/"
You have to enable mod_proxy and mod_proxy_fcgi.
mod_proxy_scgi
SCGI protocol backend for mod_proxy.
Example:
ProxyPass "/scgi-bin/" "scgi://localhost:4000/"
You have to enable mod_proxy and mod_proxy_scgi.
mod_proxy_express
Provides dynamically configured mass reverse proxies for mod_proxy
 
mod_remoteip
Replaces the apparent client remote IP address and hostname for the request with the address presented by a proxy or load balancer in a request header such as X-Forwarded-For. The rewritten address is what Require ip, the access log and mod_authz_host then see, so the header must only be honoured when it arrives from a known proxy: declare those proxies with RemoteIPInternalProxy or RemoteIPTrustedProxy (the latter additionally discards private and loopback addresses presented as the client). Without such a list every hop in the header is trusted, and any client can claim an arbitrary source address simply by sending the header itself.
Syntax:            RemoteIPHeader header-field
Context:          server config, virtual host
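How the trusted-proxy walk decides on the client address is easiest to see in code. The function below is an added illustration written for this page, not mod_remoteip's own source: it re-implements the module's right-to-left header walk in POSIX shell, assuming IPv4 addresses, a comma-separated header value and a space-separated list of trusted proxy CIDRs (standing in for RemoteIPInternalProxy/RemoteIPTrustedProxy). It shows why the list matters: with no trusted list, every hop is trusted and the leftmost, client-supplied value wins.

```shell
#!/bin/sh
# Added illustration of the mod_remoteip trust walk (not the module's code).
# IPv4 only. Trusted proxies are a space-separated list of CIDRs, e.g.
# "10.0.0.0/8 192.168.1.5/32"; an empty list means "trust every hop".

# ip2int 10.0.0.9 -> 167772169
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP CIDR -> exit 0 when IP lies inside CIDR ("/32" assumed if no prefix)
cidr_match() {
  net=${2%/*}
  bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  if [ "$bits" -eq 0 ]; then mask=0; else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_trusted IP "CIDR CIDR ..." -> exit 0 when IP is a trusted proxy.
# An empty list trusts everything, which is what mod_remoteip does when
# neither RemoteIPInternalProxy nor RemoteIPTrustedProxy is configured.
is_trusted() {
  [ -z "$2" ] && return 0
  for c in $2; do
    cidr_match "$1" "$c" && return 0
  done
  return 1
}

# resolve_client_ip PEER "header value" "trusted CIDRs"
# Walk the header from the right (nearest proxy) to the left: a value is
# accepted only while the hop that reported it is trusted; the first untrusted
# hop is the client, and anything left of it is an unverified claim.
resolve_client_ip() {
  client=$1
  trusted=$3
  hops=$(printf '%s\n' "$2" | tr ',' '\n' | tr -d ' ' | sed '1!G;h;$!d')   # rightmost first
  for hop in $hops; do
    is_trusted "$client" "$trusted" || break
    client=$hop
  done
  printf '%s\n' "$client"
}
```

With the peer 10.0.0.9 and trusted list 10.0.0.0/8, the header "1.2.3.4, 203.0.113.7, 10.0.0.5" resolves to 203.0.113.7; with an empty trusted list the same header resolves to the forged 1.2.3.4.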
mod_heartmonitor, mod_lbmethod_heartbeat
Allow mod_proxy_balancer to base load balancing decisions on the number of active connections on the backend servers.
Syntax:            HeartbeatListen addr:port
Default:           disabled
Context:          server config
Example:-
HeartbeatListen 239.0.0.1:27999
mod_proxy_html
Formerly a third-party module, this supports fixing of HTML links in a reverse proxy situation, where the backend generates URLs that are not valid for the proxy's clients.
mod_sed
An advanced replacement of mod_substitute, allows editing the response body with the full power of sed.
Adding an output filter
# In the following example, the sed filter will change the string
# "monday" to "MON" and the string "sunday" to SUN in html documents
# before sending to the client.
<Directory "/var/www/docs/sed">
    AddOutputFilter Sed html
    OutputSed "s/monday/MON/g"
    OutputSed "s/sunday/SUN/g"
</Directory>
Adding an input filter
# In the following example, the sed filter will change the string
# "monday" to "MON" and the string "sunday" to SUN in the POST data
# sent to PHP.
<Directory "/var/www/docs/sed">
    AddInputFilter Sed php
    InputSed "s/monday/MON/g"
    InputSed "s/sunday/SUN/g"
</Directory>
mod_auth_form
Enables form-based authentication.
 
mod_session
Enables the use of session state for clients, using cookie or database storage.
 
mod_allowmethods
New module to restrict certain HTTP methods without interfering with authentication or authorization; methods not listed receive a 405 response. It only governs the methods httpd routes to a handler: TRACE is answered by the core and controlled separately by TraceEnable (default On), so set TraceEnable Off as well if TRACE is to be refused.
Example:
<Location />
AllowMethods GET HEAD
</Location>

mod_lua

Embeds the Lua language into httpd, for configuration and small business logic functions. (Experimental)

mod_log_debug

Allows the addition of customizable debug logging at different phases of the request processing.

mod_buffer

Provides for buffering the input and output filter stacks

mod_data

Convert response body into an RFC2397 data URL

mod_ratelimit

Provides Bandwidth Rate Limiting for Clients

Example:
<Location /downloads>
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 400
</Location>
Note: rate-limit is in KiB/s

mod_request

Provides Filters to handle and make available HTTP request bodies

mod_reflector

Provides Reflection of a request body as a response via the output filter stack.

mod_slotmem_shm

Provides a Slot-based shared memory provider (ala the scoreboard).

mod_xml2enc

Formerly a third-party module, this supports internationalization in libxml2-based (markup-aware) filter modules.

mod_macro (available since 2.4.5)

Provide macros within configuration files.

mod_proxy_wstunnel (available since 2.4.5)

Support web-socket tunnels.

mod_authnz_fcgi (available since 2.4.10)

Enable FastCGI authorizer applications to authenticate and/or authorize clients.

mod_http2 (available since 2.4.17)

Support for the HTTP/2 transport layer.

mod_proxy_hcheck (available since 2.4.21)

Support independent dynamic health checks for remote proxy backend servers.

 

Module Enhancements

mod_ssl

mod_ssl can now be configured to use an OCSP responder to check the revocation status of a client certificate. The default responder is configurable, along with the decision on whether to prefer the responder designated in the client certificate itself.

mod_ssl now also supports OCSP stapling, where the server pro-actively obtains an OCSP verification of its certificate and transmits that to the client during the handshake.

mod_ssl can now be configured to share SSL Session data between servers through memcached

EC keys are now supported in addition to RSA and DSA.

Support for TLS-SRP (available in 2.4.4 and later).

mod_proxy

The ProxyPass directive is now best configured within a Location or LocationMatch block, which offers a significant performance advantage over the traditional two-parameter syntax when present in large numbers.

The source address used for proxy requests is now configurable.

Support for Unix domain sockets to the backend (available in 2.4.7 and later).

mod_proxy_balancer

More runtime configuration changes for BalancerMembers via balancer-manager

Additional BalancerMembers can be added at runtime via balancer-manager

Runtime configuration of a subset of Balancer parameters

BalancerMembers can be set to 'Drain' so that they only respond to existing sticky sessions, allowing them to be taken gracefully offline.

Balancer settings can be persistent after restarts.

mod_cache

The mod_cache CACHE filter can be optionally inserted at a given point in the filter chain to provide fine control over caching.

mod_cache can now cache HEAD requests.

Where possible, mod_cache directives can now be set per directory, instead of per server.

The base URL of cached URLs can be customized, so that a cluster of caches can share the same endpoint URL prefix.

mod_cache is now capable of serving stale cached data when a backend is unavailable (error 5xx).

mod_cache can now insert HIT/MISS/REVALIDATE into an X-Cache header.

mod_include

Support for the 'onerror' attributes within an 'include' element, allowing an error document to be served on error instead of the default error string.

mod_cgi, mod_include, mod_isapi, …

Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped. Environment Variables in Apache has some pointers on how to work around broken legacy clients which require such headers. (This affects all modules which use these environment variables.)

mod_authz_core Authorization Logic Containers

Advanced authorization logic may now be specified using the Require directive and the related container directives, such as <RequireAll>.

mod_rewrite

mod_rewrite adds the [QSD] (Query String Discard) and [END] flags for RewriteRule to simplify common rewriting scenarios.

Adds the possibility to use complex boolean expressions in RewriteCond.

Allows the use of SQL queries as RewriteMap functions.

mod_ldap, mod_authnz_ldap

mod_authnz_ldap adds support for nested groups.

mod_ldap adds LDAPConnectionPoolTTL, LDAPTimeout, and other improvements in the handling of timeouts. This is especially useful for setups where a stateful firewall drops idle connections to the LDAP server.

mod_ldap adds LDAPLibraryDebug to log debug information provided by the used LDAP toolkit.

mod_info

mod_info can now dump the pre-parsed configuration to stdout during server startup.

mod_auth_basic

New generic mechanism to fake basic authentication (available in 2.4.5 and later).

 

Program Enhancements

fcgistarter

New FastCGI daemon starter utility

htcacheclean

Current cached URLs can now be listed, with optional metadata included.

Allow explicit deletion of individual cached URLs from the cache.

File sizes can now be rounded up to the given block size, making the size limits map more closely to the real size on disk.

Cache size can now be limited by the number of inodes, instead of or in addition to being limited by the size of the files on disk.

rotatelogs

May now create a link to the current log file.

May now invoke a custom post-rotate script.

htpasswd, htdbm

Support for the bcrypt algorithm (available in 2.4.4 and later).

 

Documentation

mod_rewrite

The mod_rewrite documentation has been rearranged and almost completely rewritten, with a focus on examples and common usage, as well as on showing you when other solutions are more appropriate. The Rewrite Guide is now a top-level section with much more detail and better organization.

mod_ssl

The mod_ssl documentation has been greatly enhanced, with more examples at the getting started level, in addition to the previous focus on technical details.

Caching Guide

The Caching Guide has been rewritten to properly distinguish between the RFC2616 HTTP/1.1 caching features provided by mod_cache, and the generic key/value caching provided by the socache interface, as well as to cover specialized caching provided by mechanisms such as mod_file_cache.

 

Source: the "New features in Apache HTTP Server 2.4" page at httpd.apache.org.

 

Network Teaming RHEL/CentOS 7

How to Configure Network Teaming in RHEL/CentOS 7

When a system administrator wants to increase the available bandwidth, provide redundancy and load-balance data transfers, aggregating several NICs into one logical interface does the job cost-effectively. RHEL/CentOS 7 offers two implementations: the older kernel bonding driver and network teaming (a small team kernel driver plus the teamd daemon), which is what nmtui and the nmcli "team" connection type used below configure.

 

 

Teaming needs at least two NICs.

Check the interface names first (ifconfig, ip addr or /proc/net/dev all show them):

[root@feenixdv ~]# cat /proc/net/dev
Inter-|   Receive
 face |bytes   
enp0s3:   24307
enp0s8:    4089
enp0s9:    3310
 
In this example enp0s3, enp0s8 and enp0s9 are the network interfaces. enp0s3 is the primary (management) interface, so the team "team0" is created from enp0s8 and enp0s9.
The nmtui text interface is the simplest way to create the team.

[root@feenixdv ~]# nmtui

 

Step 1: Edit a connection.
Step 2: Add a new connection.
Step 3: Select "Team" from the list and choose Create.
Step 4: Choose Add to add a NIC interface.
Step 5: Select the interface type.
Step 6: Enter the NIC details (the device name as shown by ifconfig).
Step 7: Add the interfaces one by one.
Step 8: Confirm; the team connection is now defined.

Assign IP to interface (Team0).

[root@feenixdv ~]# nmcli connection modify Team0 ipv4.method manual ipv4.addresses 192.168.1.100/24 connection.autoconnect yes

Activate interface.

[root@feenixdv ~]# nmcli connection up Team0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9)

Check IP details.

[root@feenixdv ~]# ifconfig
.
.
team0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.100  netmask 255.255.255.0  broadcast 192.168.1.255
.
.

Check connectivity. Pinging the team's own address only proves the local stack is up; ping a neighbour on the subnet (or the gateway) as well, then unplug one member NIC to confirm the team keeps passing traffic.

[root@feenixdv ~]# 
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.029 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.078 ms
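The nmtui walk-through above, as a scripted nmcli equivalent. This is an added example written for this page, not the page's own commands: it assumes NetworkManager and teamd as shipped with RHEL 7, takes the team name, runner, address and member NICs as arguments, and refuses interface names the kernel does not know (the typo check the nmtui form does not give you). Only team_config and nic_exists run without a real system.

```shell
#!/bin/sh
# Added example for this page: build the same team nmtui creates, with nmcli.
# Assumes RHEL 7 with NetworkManager and teamd. Not the page's own commands.

# team_config RUNNER -> JSON for the team.config property (teamd runner + ethtool link watch)
team_config() {
  case $1 in
    activebackup|roundrobin|loadbalance|broadcast|lacp)
      printf '{"runner":{"name":"%s"},"link_watch":{"name":"ethtool"}}' "$1" ;;
    *) echo "unknown runner: $1" >&2; return 1 ;;
  esac
}

# nic_exists NAME -> exit 0 when the kernel knows the interface
nic_exists() { [ -d "/sys/class/net/$1" ]; }

# team_create NAME RUNNER CIDR NIC...
# e.g. team_create team0 activebackup 192.168.1.100/24 enp0s8 enp0s9
team_create() {
  name=$1; runner=$2; addr=$3; shift 3
  cfg=$(team_config "$runner") || return 1
  for nic in "$@"; do
    nic_exists "$nic" || { echo "no such interface: $nic" >&2; return 1; }
  done
  # the team (master) connection, with its address and autoconnect
  nmcli connection add type team con-name "$name" ifname "$name" team.config "$cfg"
  nmcli connection modify "$name" ipv4.method manual ipv4.addresses "$addr" connection.autoconnect yes
  # one slave connection per member NIC
  for nic in "$@"; do
    nmcli connection add type team-slave con-name "$name-$nic" ifname "$nic" master "$name"
  done
  nmcli connection up "$name"
  teamdctl "$name" state      # shows the runner and which port is currently active
}
```

activebackup is the safe default for two NICs on different switches; roundrobin and loadbalance spread traffic but need matching switch configuration, and lacp needs an LACP-capable switch port channel.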

RHEL 7 Article

ACCESS CONTROL LIST (ACL)

The standard permission bits cover only the owner, one group and everyone else. If a file must be executable for one extra user, the only option with plain bits is something like 777, which opens it to every user on the system. POSIX ACLs solve this by attaching permissions for additional named users and groups to the file.

Setting an ACL on file.txt:

First create "file.txt" in "/tmp", then set the ACL with the setfacl command, where -m means modify, u: names the user, then the permission, then the file: setfacl -m u:ram:rw /tmp/file.txt

To list the ACL use getfacl /tmp/file.txt. A file that carries ACL entries also shows a "+" after its mode in ls -l, which is easy to overlook when reviewing permissions, so check with getfacl when a file seems more accessible than its mode suggests.

Through the ACL the user ram can now modify the file, which can be confirmed by editing it as that user.

To remove the ACL entry again: setfacl -x u:ram /tmp/file.txt removes that user's entry, and setfacl -b /tmp/file.txt strips all extended entries from the file.
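The setfacl/getfacl steps above, wrapped as shell functions. This is an added example for this page, not the page's own commands. It uses a numeric UID (1001, constructed) so it also works where no user named ram exists, and it adds the two checks worth knowing about ACLs that the text does not show: the mask can silently cut an entry down to nothing (a plain chmod rewrites the mask), and only getfacl, not ls -l, tells you which files carry entries.

```shell
#!/bin/sh
# Added example for this page: POSIX ACL helpers around setfacl/getfacl
# (acl package). The file and UID used in the demo are constructed.

# acl_grant FILE UID PERMS     e.g. acl_grant /tmp/file.txt 1001 rw
acl_grant() { setfacl -m "u:$2:$3" "$1"; }

# acl_revoke FILE UID -> remove that user's entry (setfacl -b would drop all entries)
acl_revoke() { setfacl -x "u:$2" "$1"; }

# acl_effective FILE UID -> the rights the user really gets once the mask is
# applied ("rw-", "r--", "---"); prints nothing when there is no entry for UID.
# getfacl -e appends "#effective:..." when the mask restricts an entry.
acl_effective() {
  getfacl -e --omit-header "$1" 2>/dev/null | awk -v u="user:$2:" '
    index($0, u) == 1 {
      if ($0 ~ /#effective:/) { sub(/.*#effective:/, ""); print }
      else { split($0, f, ":"); print f[3] }
    }'
}

# acl_audit DIR -> paths under DIR that carry extended ACL entries, i.e. the
# files whose real permissions "ls -l" only hints at with a trailing "+".
acl_audit() {
  getfacl -R -p --skip-base "$1" 2>/dev/null | sed -n 's/^# file: //p'
}
```

After acl_grant on a mode-600 file, acl_effective reports rw- for the UID; a subsequent chmod 600 leaves the entry in place but sets the mask to ---, and acl_effective reports --- while getfacl still lists user:1001:rw-. That is the trap: the entry looks granted but is inert.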

 

Analyzing past System performance

Analyzing past system performance of a Linux server (sysstat)
Case
Today's date is 17th Dec 2012.
You are asked to check the system performance of a Linux server on 7th Dec 2012 between 1 AM and 5 AM.

sysstat keeps one binary file per day of the month under /var/log/sa (saDD), so the 7th is sa07; with the default HISTORY=28 in /etc/sysconfig/sysstat that file is still present ten days later. -s and -e bound the time window.

# To check CPU utilization
# sar -u -f /var/log/sa/sa07 -s 01:00:01 -e 05:00:01

# To check memory status
# sar -r -f /var/log/sa/sa07 -s 01:00:01 -e 05:00:01

# To check load average
# sar -q -f /var/log/sa/sa07 -s 01:00:01 -e 05:00:01

# To check network status
# sar -n DEV -f /var/log/sa/sa07 -s 01:00:01 -e 05:00:01

Apache Monitoring

mod_status

 

The Status module allows a server administrator to find out how well their server is performing. An HTML page is presented that gives the current server statistics in an easily readable form. If required this page can be made to automatically refresh (given a compatible browser). Another page gives a simple machine-readable list of the current server state.

The details given are:

  • The number of workers serving requests
  • The number of idle workers
  • The status of each worker, the number of requests that the worker has performed and the total number of bytes served by the worker
  • A total number of accesses and byte count served
  • The time the server was started/restarted and the time it has been running for
  • Averages giving the number of requests per second, the number of bytes served per second and the average number of bytes per request
  • The current percentage CPU used by each worker and in total by Apache
  • The current hosts and requests being processed

How do I configure mod_status to display the Apache web server status?

Enable (uncomment) the status module in httpd.conf:

# vi httpd.conf

The line to look for is LoadModule status_module modules/mod_status.so (on RHEL 7 it usually lives in conf.modules.d/00-base.conf).

Turn on ExtendedStatus On so the per-worker request details are collected. ServerSignature, which the screenshot-based steps mention, only appends the server version to error pages and directory listings and has nothing to do with mod_status; it is better left Off.

Create a <Location "/server-status"> section with SetHandler server-status and restrict who may read it, for example Require local or Require ip 192.168.1.0/24. The status page lists client addresses and request URIs for every active worker, so it must never be reachable from the internet.

Restart the apache service (systemctl restart httpd on RHEL 7, service httpd restart on RHEL 6).

Access the status page in a web browser at http://<server>/server-status (append ?refresh=5 for auto-refresh, ?auto for the machine-readable form).
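A small audit of the settings discussed in the AllowOverride/AllowOverrideList, mod_allowmethods and mod_status sections above. This is an added example written for this page, not code from apache.org: it scans an httpd configuration file with awk and reports the weak settings, and it ships two constructed sample configurations (weak and hardened) to run it against. It assumes one directive per line and does not follow Include directives.

```shell
#!/bin/sh
# Added example for this page (not from apache.org): audit an httpd config for
# the settings discussed above. Reads only the file given; the two sample
# configurations written by write_sample_confs are constructed for the demo.

# httpd_conf_audit FILE -> one finding per line, nothing when clean
httpd_conf_audit() {
  awk '
    function strip(s) { sub(/#.*/, "", s); sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    { line = tolower(strip($0)); if (line == "") next }
    line ~ /^serversignature[ \t]+on/  { print "ServerSignature On: httpd version shown on error pages (line " NR ")" }
    line ~ /^servertokens/             { seen_tokens = 1; if (line !~ /prod/) print "ServerTokens not Prod: banner leaks module versions (line " NR ")" }
    line ~ /^traceenable/              { seen_trace = 1; if (line !~ /off/) print "TraceEnable not Off: AllowMethods does not cover TRACE (line " NR ")" }
    line ~ /^allowoverride[ \t]+all/   { print "AllowOverride All: any file written into the docroot can redefine config via .htaccess (line " NR ")" }
    line ~ /^<location/                { inloc = 1; is_status = 0; has_req = 0; loc_line = NR }
    inloc && line ~ /sethandler[ \t]+server-status/ { is_status = 1 }
    inloc && line ~ /^require[ \t]+(ip|local|host)/ { has_req = 1 }
    line ~ /^<\/location>/             { if (is_status && !has_req) print "server-status reachable from any client: add Require ip/local (line " loc_line ")"; inloc = 0 }
    END {
      if (!seen_tokens) print "ServerTokens unset: default is Full"
      if (!seen_trace)  print "TraceEnable unset: default is On"
    }' "$1"
}

# write_sample_confs DIR -> DIR/weak.conf and DIR/hardened.conf (constructed samples)
write_sample_confs() {
  cat > "$1/weak.conf" <<'EOF'
ServerSignature On
ServerTokens Full
TraceEnable On
<Directory "/var/www/html">
    AllowOverride All
</Directory>
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>
EOF
  cat > "$1/hardened.conf" <<'EOF'
ServerSignature Off
ServerTokens Prod
TraceEnable Off
<Directory "/var/www/html">
    AllowOverride None
    AllowOverrideList Redirect RedirectMatch
</Directory>
<Location "/server-status">
    SetHandler server-status
    Require local
    Require ip 192.168.1.0/24
</Location>
EOF
}
```

Run it as httpd_conf_audit /etc/httpd/conf/httpd.conf (and over each file in conf.d); the weak sample produces five findings, the hardened one none.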

Autofs

autofs mounts removable media (USB mass storage, DVD, CD-ROM) and extra drives on demand: the volume is mounted the moment a path under an autofs-managed directory is accessed. With a CD inserted, cd /mnt/auto/autofs/cdrom mounts it and ls shows its contents.

autofs is driven by /etc/auto.master (which directories it manages and which map describes each) and map files such as /etc/auto.misc.

Example:

We want the CD-ROM to be mounted automatically when /mnt/cd is accessed.

Put the line "/mnt    /etc/auto.misc" in /etc/auto.master.

Then edit /etc/auto.misc; the stock file already carries an entry of the form "cd  -fstype=iso9660,ro,nosuid,nodev  :/dev/cdrom". Keep nosuid and nodev for removable media so that a setuid binary or device node planted on a disc is harmless.

Restart the service: systemctl restart autofs.

Check the directory: ls /mnt/cd lists the CD contents, and mount shows the automounted volume.

Create Partition

How to create a partition

[six screenshots of the partitioning walkthrough; not preserved]

CRON JOB

 

Put a small script in place for cron and make it executable. Because cron runs it with the privileges of the crontab's owner, keep the script (and its directory) owned by that user and not group- or world-writable; a root crontab pointing at a world-writable script is a ready-made privilege escalation.

Now edit the crontab with "crontab -e".

A line whose five time fields are all "*" runs the script every minute.

As the script writes on each run, its output is updated every minute.

Some examples:

00 09-18 * * 1-5

  • 00 – 0th minute (top of the hour)
  • 09-18 – 9 am, 10 am, 11 am, 12 pm (noon), 1 pm, 2 pm, 3 pm, 4 pm, 5 pm, 6 pm
  • * – every day of the month
  • * – every month
  • 1-5 – Mon, Tue, Wed, Thu and Fri (every weekday)

00 09-18 * * *

  • 00 – 0th minute (top of the hour)
  • 09-18 – 9 am, 10 am, 11 am, 12 pm (noon), 1 pm, 2 pm, 3 pm, 4 pm, 5 pm, 6 pm
  • * – every day of the month
  • * – every month
  • * – every day of the week
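To check a crontab schedule like the ones above without waiting for cron, here is a matcher for the five time fields. It is an added example for this page, not part of the original. It supports the forms shown (*, ranges, lists) plus /step, strips the leading zeros that would otherwise be read as octal, and ANDs day-of-month with day-of-week, which is a deliberate simplification (cron ORs those two when both are restricted).

```shell
#!/bin/sh
# Added example for this page: does a crontab time spec cover a given moment?
# Supports "*", "a", "a-b", "a,b,c" and "/step". Simplification: day-of-month
# and day-of-week are ANDed, whereas cron ORs them when both are restricted.

# num 09 -> 9  (strip leading zeros so "09" is not treated as an octal literal)
num() {
  n=$1
  while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
  printf '%s' "$n"
}

# cron_field_matches SPEC VALUE -> exit 0 when VALUE is covered by SPEC
cron_field_matches() {
  val=$(num "$2")
  rest="$1,"
  while [ -n "$rest" ]; do
    part=${rest%%,*}; rest=${rest#*,}        # next comma-separated element
    step=1
    case $part in */*) step=$(num "${part#*/}"); part=${part%/*} ;; esac
    case $part in
      '*') lo=0; hi=99 ;;
      *-*) lo=$(num "${part%-*}"); hi=$(num "${part#*-}") ;;
      *)   lo=$(num "$part"); hi=$lo ;;
    esac
    if [ "$val" -ge "$lo" ] && [ "$val" -le "$hi" ] && [ $(( (val - lo) % step )) -eq 0 ]; then
      return 0
    fi
  done
  return 1
}

# cron_matches "MIN HOUR DOM MON DOW" MIN HOUR DOM MON DOW  (single spaces between fields)
cron_matches() {
  spec=$1
  m=${spec%% *};  spec=${spec#* }
  h=${spec%% *};  spec=${spec#* }
  dm=${spec%% *}; spec=${spec#* }
  mo=${spec%% *}; dw=${spec#* }
  cron_field_matches "$m" "$2" && cron_field_matches "$h" "$3" &&
  cron_field_matches "$dm" "$4" && cron_field_matches "$mo" "$5" &&
  cron_field_matches "$dw" "$6"
}
```

cron_matches '00 09-18 * * 1-5' 0 9 7 12 5 succeeds (Friday 7 Dec, 09:00) and the same spec fails for weekday 6; the second schedule on the page, with * in the last field, matches the Saturday as well.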

Unable to change the password for any user

If the password of any user cannot be changed, or every login asks for the password and then forces a password change that ends in an automatic logout, check the points below. The usual cause is that /etc/shadow cannot be written, most often because the root filesystem came up read-only after a bad /etc/fstab entry.

  • Boot the server in rescue mode, chroot into the installed system and try to change the password; also inspect /etc/fstab.
  • If the chroot fails because the root filesystem is on LVM, activate the volume groups first:

    # lvm vgchange -a y

  • Then mount the root partition ( / ) on any directory and check /etc/fstab there; the root entry may be commented out. Uncomment it.
  • Reboot. The password can now be changed and logins work again.

Record Terminal Session in Linux

ttyrec is a tty (terminal) recorder for Unix-like operating systems; the recorded data can be played back with the ttyplay command. ttyrec is a derivative of the script command that also records timing information with microsecond accuracy. It can record emacs -nw, vi, lynx, or any other program running on a tty.

Systemctl command Use in RHEL7

systemctl command

In Red Hat Enterprise Linux 7, process ID 1 is systemd, the new init system. A few features provided by systemd include:

• Parallelization capabilities, which increase the boot speed of a system.

• On-demand starting of daemons without requiring a separate service.

• Automatic service dependency management, which can prevent long timeouts such as starting a network service before the network is available.

• A method of tracking related processes together by using Linux control groups (cgroups).

 

Service states using systemctl command

The status of a service can be viewed with systemctl status name (for example systemctl status sshd.service).

Investigate any units which are in a failed or maintenance state. Optionally, add the -l option to show the full, untruncated output: systemctl status -l name.

Enable or disable a service at boot with systemctl enable name and systemctl disable name (chkconfig did this in earlier RHEL releases). Enabling only creates the symlinks for the next boot; it does not start the service now.

View only failed units: systemctl --failed.

View the enabled and disabled settings for all units with systemctl list-unit-files. Optionally, limit the type of unit, e.g. systemctl list-unit-files --type=service.

Start/stop/restart services

Status: systemctl status name

Stop: systemctl stop name

Start: systemctl start name

Restart/reload: systemctl restart name (full restart) or systemctl reload name (re-read the configuration without dropping connections, for services that support it)

List all dependencies of a service: systemctl list-dependencies name

Masking services

At times, a system may have conflicting services installed. For example, there are multiple methods to manage networks (network and NetworkManager) and firewalls (iptables and firewalld). To prevent an administrator from accidentally starting one of them, that service may be masked. Masking creates a link from the unit name to /dev/null in /etc/systemd/system, so that if the service is started, by hand or as a dependency of something else, nothing will happen: systemctl mask name

Un-masking services

systemctl unmask name removes the link again.
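The masking rationale above, turned into a check. This is an added example for this page, not the page's own commands: it reads the output of systemctl list-unit-files (a constructed sample is embedded so it runs without systemd), reports the pairs of conflicting services that are both enabled, and offers a helper that stops and masks the one you decide to retire.

```shell
#!/bin/sh
# Added example for this page: find mutually exclusive services that are both
# enabled, from "systemctl list-unit-files" output. The sample is constructed.

# sample_unit_files -> constructed "systemctl list-unit-files --type=service" output
sample_unit_files() {
  cat <<'EOF'
UNIT FILE                    STATE
NetworkManager.service       enabled
network.service              enabled
iptables.service             disabled
firewalld.service            enabled
sshd.service                 enabled
EOF
}

# units_in_state STATE  < list-unit-files output -> unit names in that state
units_in_state() { awk -v s="$1" 'NR > 1 && $2 == s { print $1 }'; }

# find_enabled_conflicts  < list-unit-files output -> "unitA unitB" per pair that
# is both enabled. The pairs are the ones named in the text above.
find_enabled_conflicts() {
  enabled=$(units_in_state enabled)
  for pair in "network.service NetworkManager.service" "iptables.service firewalld.service"; do
    a=${pair%% *}; b=${pair#* }
    if printf '%s\n' "$enabled" | grep -qx "$a" && printf '%s\n' "$enabled" | grep -qx "$b"; then
      echo "$a $b"
    fi
  done
}

# mask_loser UNIT -> stop, disable and mask UNIT so nothing can start it until unmasked.
# This one really calls systemctl; run it only after choosing which of a pair to keep.
mask_loser() {
  systemctl stop "$1" && systemctl disable "$1" && systemctl mask "$1"
}
```

On a live system: systemctl list-unit-files --type=service | find_enabled_conflicts, then mask_loser network.service (or NetworkManager.service) for each reported pair.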

 

How to change interface name in RHEL-7 (enp…. To eth0)

The main difference between RHEL 7 and earlier versions here is the naming of Ethernet cards: RHEL 7 uses predictable names such as enp0s3. Some applications still depend on the "eth0" name, so this is the procedure for getting the old names back.

In this case the network interface name looks like enp0s3.

To apply the change, first add the kernel parameters that disable the new naming scheme to the GRUB_CMDLINE_LINUX line in /etc/default/grub, on the same line as the existing values, so they are passed to the kernel at boot time.

Then regenerate the GRUB boot menu from this configuration with grub2-mkconfig -o /boot/grub2/grub.cfg.

Rename the interface's configuration file under /etc/sysconfig/network-scripts (ifcfg-enp0s3 becomes ifcfg-eth0) and change the DEVICE and NAME values in it to eth0.

Then reboot the server and, at the GRUB menu, select the new entry. After the boot the interface name has changed.
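The procedure above as a script. This is an added example for this page, not the page's own commands. The page's screenshot of the GRUB parameters is missing; the example assumes they are net.ifnames=0 and biosdevname=0, the values RHEL 7 documents for disabling predictable interface names. The functions edit /etc/default/grub and the ifcfg file idempotently (running twice adds nothing twice); the sample files are constructed, and the final grub2-mkconfig and reboot are left to the operator.

```shell
#!/bin/sh
# Added example for this page. Assumption (screenshot missing): the kernel
# parameters that turn off predictable names are "net.ifnames=0 biosdevname=0".
# The sample grub and ifcfg files written by write_samples are constructed.

# grub_add_params FILE "param param" -> append each missing param to GRUB_CMDLINE_LINUX
grub_add_params() {
  f=$1
  for p in $2; do
    if ! grep -q "^GRUB_CMDLINE_LINUX=.*[\" ]$p[\" ]" "$f"; then
      sed "s|^\(GRUB_CMDLINE_LINUX=\".*\)\"\$|\1 $p\"|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
  done
}

# grub_cmdline FILE -> the current GRUB_CMDLINE_LINUX value
grub_cmdline() { sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"; }

# ifcfg_rename OLD NEW [DIR] -> rename ifcfg-OLD to ifcfg-NEW and fix DEVICE= and NAME=
ifcfg_rename() {
  dir=${3:-/etc/sysconfig/network-scripts}
  sed -e "s/^DEVICE=.*/DEVICE=$2/" -e "s/^NAME=.*/NAME=$2/" "$dir/ifcfg-$1" > "$dir/ifcfg-$2" &&
  rm -f "$dir/ifcfg-$1"
}

# write_samples DIR -> constructed copies of /etc/default/grub and ifcfg-enp0s3
write_samples() {
  printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\nGRUB_DISABLE_RECOVERY="true"\n' > "$1/grub"
  printf 'TYPE=Ethernet\nBOOTPROTO=dhcp\nDEVICE=enp0s3\nNAME=enp0s3\nONBOOT=yes\n' > "$1/ifcfg-enp0s3"
}

# On a real system, after editing the real files:
#   grub2-mkconfig -o /boot/grub2/grub.cfg && reboot
```

On the constructed grub file the result is GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet net.ifnames=0 biosdevname=0", unchanged by a second run.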

Network setting(NIC)

How to set the IP address and hostname and enable or disable a NIC in RHEL 7.

To set an IP address in RHEL 7 there is the "nmtui" text interface. Follow these steps:

[root@feenixdv7 ~]# nmtui

Choose "Edit a connection", pick the interface, then enter or change the IP address and related information such as the gateway and DNS servers.

For the hostname choose "Set system hostname" in the same menu (hostnamectl set-hostname name does the same from the command line).

Then restart the network service (systemctl restart network) or re-activate the connection so the change takes effect.

Set the IP address manually or from DHCP (auto) with the command line.

Set the IP address manually. nmcli addresses the connection profile by its name (eth0 here), which need not equal the device name (enp0s3 in the ifconfig output); nmcli connection show lists both.


[root@ansible ~]# nmcli connection modify eth0 ipv4.method manual ipv4.addresses 192.168.1.100/24 connection.autoconnect yes
[root@ansible ~]# nmcli connection up eth0
[root@ansible ~]# ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.100  netmask 255.255.255.0

Set the IP address from DHCP (auto). When switching back to DHCP, also clear any static address and gateway left in the profile (ipv4.addresses "" and ipv4.gateway ""), otherwise NetworkManager keeps applying them alongside the lease.


[root@ansible ~]# nmcli connection modify eth0 ipv4.method auto connection.autoconnect yes
[root@ansible ~]# nmcli connection up eth0
[root@ansible ~]# ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.224.24.246  netmask 255.255.252.0

 

Run Level in RHEL 7

How to set the default target (default runlevel)

The conventional way of changing the runlevel through /etc/inittab became obsolete with Red Hat Enterprise Linux 7. Any Linux system using the systemd system management daemon now relies on the systemctl command to change the runlevel, or more precisely the target, so edits of /etc/inittab have no effect on RHEL 7. The term runlevel still exists on RHEL 7, and the current one can be checked with the runlevel command.

To list the predefined systemd runlevel target units, i.e. all currently loaded targets:

# systemctl list-units --type=target

 

Comparison of SysV Run Levels and Target Units

The system-state targets equivalent to the SysV runlevels are:

  • 0 – poweroff.target
  • 1 – rescue.target
  • 2, 3, 4 – multi-user.target
  • 5 – graphical.target
  • 6 – reboot.target

The default target unit is represented by the /etc/systemd/system/default.target file. This file is a symbolic link to the target unit file currently set as the default.

# ls -l /etc/systemd/system/default.target
lrwxrwxrwx. 1 root root 40 Oct 11 02:02 /etc/systemd/system/default.target -> /usr/lib/systemd/system/graphical.target

Use the runlevel command to view the SysV runlevel (the first field is the previous runlevel, N meaning none):

# runlevel
N 5

How to change or set the run level. The main targets are:

·         poweroff.target
·         rescue.target
·         multi-user.target
·         graphical.target
·         reboot.target

In RHEL 7 a "default" pointer decides which target the OS boots into, so first check its current value:

# systemctl get-default

Then set the target. In this example the default is set to "multi-user.target":

# systemctl set-default multi-user.target

Note that changing the default target unit removes the existing default.target symbolic link and re-creates it pointing at the new default target unit file.

Switch to a particular run level.

This command quickly brings the system to the "default" target if it is not there already:
# systemctl default

To switch to a particular target from the current command prompt (like the old init 5 command):
# systemctl isolate graphical.target
Booting process of RHEL 7

Booting process in RHEL 7

 

Process step by step

  1. BIOS/UEFI

The machine is powered on. The system firmware (either modern UEFI or older BIOS) runs a Power-On Self-Test (POST) and starts to initialize some of the hardware.

  2. GRUB2

The system firmware reads a boot loader from disk and then passes control of the system to the boot loader. On a Red Hat Enterprise Linux 7 system this will typically be grub2.

Installed using: grub2-install

The boot loader loads its configuration from disk and presents the user with a menu of possible configurations to boot.

Configured using:

  • /etc/grub.d/,
  • /etc/default/grub, and (not manually)
  • /boot/grub2/grub.cfg.

  3. Kernel and initramfs loading

After the user has made a choice (or an automatic timeout has happened), the boot loader loads the configured kernel and initramfs from disk and places them in memory. An initramfs is a gzip-compressed cpio archive containing kernel modules for all hardware necessary at boot, init scripts, and more. On Red Hat Enterprise Linux 7 the initramfs contains an entire usable system by itself.

  • Configured using: /etc/dracut.conf

  4. Kernel

The kernel initializes the hardware it has drivers for, mounts the initramfs as its root and starts the systemd process from it with a process ID of 1 (PID 1).

  5. systemd

systemd is the ancestor of all processes on the system.
systemd reads the file linked by /etc/systemd/system/default.target (for example /usr/lib/systemd/system/multi-user.target) to determine the default system target (the equivalent of a run level). The target file defines the services that systemd starts. systemd brings the system to the state defined by the target, performing system initialization tasks such as:

1. Setting the host name
2. Initializing the network
3. Initializing SELinux based on its configuration
4. Printing a welcome banner
5. Initializing the system hardware based on kernel boot arguments
6. Mounting the file systems, including virtual file systems such as the /proc file system
7. Cleaning up directories in /var
8. Starting swapping

SELINUX: Use Boolean Settings

SELinux: use boolean settings to modify system SELinux settings.

 

 

SELinux uses booleans to makes its policy more flexible. The basic policy is pretty strict but suits most requirements. But if you’ve got special needs, you can easily adjust it thanks to the SELinux booleans.

 

For a list of booleans, an explanation of what each one does and whether each is on or off, run semanage boolean -l as the root user (getsebool -a gives the shorter on/off list without descriptions).

To see a particular boolean, filter the list with grep, e.g. semanage boolean -l | grep ftp_home_dir, or query it directly with getsebool ftp_home_dir.

In this example we try to access a user's FTP account while SELinux is enforcing.

The aim is to modify a file in the "feenix" user's home directory over an FTP connection, but it fails: the user cannot modify his own file from the home directory over FTP because the SELinux policy does not allow it. The boolean that governs this, ftp_home_dir, is set to "off".

Now set ftp_home_dir from off to on: setsebool -P ftp_home_dir on

After that the user can modify his own file. Remember that this boolean opens every user's home directory to the FTP daemon, so turn it on only where FTP access to home directories is actually required, and prefer SFTP/SCP where possible.

Note 1: You can use on or 1, off or 0 with the setsebool command.
Note 2: The -P option means permanent. Without it the boolean reverts to its stored (default) value at the next reboot.

SELinux in RHEL7

SELinux

Permissive mode is often used to troubleshoot issues. In permissive mode SELinux allows all interactions, even if there is no explicit rule, and it logs those interactions it would have denied in enforcing mode. This mode can be used to temporarily allow access to content that SELinux is restricting. No reboot is required to go from enforcing to permissive or back again.

A third mode, disabled, completely disables SELinux. A system reboot is required to disable SELinux entirely, or to get from disabled mode to enforcing or permissive mode, and coming back from disabled forces a full relabel because files created while it was off carry no labels.

Important

Setting the default SELinux mode

The configuration file that determines what the SELinux mode is at boot time is

/etc/selinux/config

Its SELINUX= line takes enforcing, permissive or disabled; SELINUXTYPE=targeted selects the policy.

In older releases of Red Hat Enterprise Linux, the default SELinux mode was set in a file called /etc/sysconfig/selinux. In RHEL 7, this file is a symbolic link that points to /etc/selinux/config.

Changing the current SELinux mode

The setenforce command modifies the current SELinux mode: setenforce 0 switches to permissive, setenforce 1 back to enforcing, and getenforce shows the current mode. It cannot switch to or from disabled.

Changing the SELinux context of a file

There are two commands that are used to change the SELinux context of files: chcon and restorecon. The chcon command changes the context of the file to the context specified as an argument to the command. Often the -t option is used to specify only the type component of the context.

chcon should not be used to change the SELinux context of files. Mistakes can be made when specifying the context explicitly, and file contexts will be changed back to their default context if the system's file systems are relabeled at boot time.

Note: a chcon change is written to the file's inode, so it does survive a reboot; what it does not survive is a relabel, because it is not recorded in the policy. Running restorecon on the file, a full relabel (touch /.autorelabel) or the relabel triggered by re-enabling SELinux all reset it to the policy default.

Here in this example I created a directory and performed the actions below:

  • Check the context with ls -lZ
  • Change the context with the chcon command
  • Then run restorecon on it

  • Here we can see the context reset by the restorecon command.

Defining SELinux default file context rules

The semanage fcontext command can be used to display or modify the rules that the restorecon command uses to set default file contexts. The restorecon command is part of the policycoreutils package, and semanage is part of the policycoreutils-python package.

In this example we can see that on a copy (cp) the new file inherits the default context of the destination directory: the source context is not carried over.

When a file is moved (mv) its context stays the same and is not replaced by the destination directory's default. This is the classic reason a web server returns 403 for a file that was moved into the document root from a home directory: it still carries user_home_t. Run restorecon on it after moving.

In this example we change the context of a whole directory hierarchy (including its files) permanently and afterwards check with restorecon whether it changes back.

First check the context of the directory, which is "default_t".

Then change it with semanage, i.e. add a file-context rule for the directory and everything below it (semanage fcontext -a -t <type> "/dir(/.*)?") and apply it with restorecon -Rv /dir.

Then try restorecon again: it no longer changes anything, because the new context is now the directory's permanent default recorded in the policy.
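The permanent-relabel procedure above as shell functions. This is an added example for this page, not the page's own commands; label_dir needs a real SELinux system, the other helpers run anywhere, and the restorecon output used in the demo is constructed. The dot-escaping in fcontext_pattern covers a detail the text does not mention: semanage patterns are regular expressions, so an unescaped dot in a path matches any character.

```shell
#!/bin/sh
# Added example for this page: make a file-context change permanent the way
# the text describes (policy rule first, then restorecon), plus small helpers
# that can be checked without SELinux. Sample restorecon output is constructed.

# fcontext_pattern DIR -> the regex semanage expects for DIR and everything below.
# Dots are escaped: "/srv/app.v2" would otherwise also match "/srv/appXv2".
fcontext_pattern() {
  printf '%s(/.*)?\n' "$(printf '%s' "$1" | sed 's/[.]/\\./g')"
}

# context_type CONTEXT -> the type field of "user:role:type:level" (as ls -Z prints it)
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# pending_relabels  < "restorecon -nv PATH" output -> how many files restorecon would change
pending_relabels() { grep -c '^Would relabel' || true; }

# label_dir DIR TYPE -> record the rule in the policy, then apply it to the files.
# Order matters: chcon alone is undone by the next relabel; this survives it.
label_dir() {
  semanage fcontext -a -t "$2" "$(fcontext_pattern "$1")" &&
  restorecon -Rv "$1"
}

# sample_restorecon_output -> constructed "restorecon -nv /srv/www" output
sample_restorecon_output() {
  cat <<'EOF'
Would relabel /srv/www from unconfined_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /srv/www/index.html from unconfined_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
EOF
}
```

A dry run (restorecon -nv /dir | pending_relabels) before and after label_dir shows the effect: pending changes first, zero once the rule is in the policy and applied, and zero again after any future relabel.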