Categories
everyday life

Smoke signals.

Japanese version of this article

   I got an e-mail from Delonix on March 1st. Its subject was ‘Smoke signals’, he-he. He wrote “every time I try to go to your blog it shows this message: Forbidden You don’t have permission to access / on this server. Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.”. That is Apache’s default 403 Forbidden message.

   I asked him to create a topic on o6asan’s BBS, and then I checked my access-denied.conf file. I control access with this conf file; of course you can do it with .htaccess files, and I think that is the more common method. Anyway, I found his current IP address in it and removed it. Now he can access my site.

403 Forbidden (image)
   Delonix and I sometimes exchange e-mails, so we know each other’s email addresses. But for visitors who are not that close, I think I need to customize the 403 Forbidden message. So I made a 403.html file. You can see its text in the image on the right.

   For the 403 ErrorDocument I need to add the following lines (the <Files "403.html"> block) to the access-denied.conf file and restart my Apache httpd. The <Files> block grants everyone access to 403.html itself; without it, a denied client cannot fetch the error page either, which is exactly why Delonix saw the nested “Additionally, a 403 Forbidden error was encountered ...” message.

    # G:/WEB is my document root.
    <Directory "G:/WEB">
        <RequireAll>
            Require all granted
            Require not ip xxx.xxx.xxx.xxx/xx
            Require not ip yyy.yyy.yyy.yyy/yy
        </RequireAll>
        <Files "403.html">
            Require all granted
        </Files>
    </Directory>
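   Finding which rule blocks a visitor is easier with a small script than by reading the conf by eye. The following Python is an added example, not from the original post; it parses the Require not ip lines of a constructed access-denied.conf (documentation address ranges, not real visitors) and reports the matching network for a client IP, including Apache’s partial-address form such as 10.1.

```python
import ipaddress
import re

# Constructed access-denied.conf (documentation address ranges, not real visitors).
ACCESS_DENIED_CONF = """\
<Directory "G:/WEB">
    <RequireAll>
        Require all granted
        Require not ip 192.0.2.0/24
        Require not ip 198.51.100.7
        Require not ip 10.1
        Require not ip 2001:db8::/32
    </RequireAll>
    <Files "403.html">
        Require all granted
    </Files>
</Directory>
"""

REQUIRE_NOT_IP = re.compile(r"^\s*Require\s+not\s+ip\s+(.+?)\s*$", re.IGNORECASE)


def to_network(spec):
    """Turn one 'Require ip' argument into an ip_network.

    mod_authz_host accepts full addresses, CIDR ranges and partial IPv4
    addresses such as '10.1', which stands for the whole 10.1.0.0/16.
    """
    if "/" in spec or ":" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4:                       # partial IPv4 prefix
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)
    return ipaddress.ip_network(spec)          # single host -> /32


def denied_networks(conf_text):
    """Collect every network blocked by a 'Require not ip' line."""
    nets = []
    for line in conf_text.splitlines():
        m = REQUIRE_NOT_IP.match(line)
        if m:                                  # one line may list several addresses
            nets.extend(to_network(tok) for tok in m.group(1).split())
    return nets


def blocked_by(client_ip, conf_text=ACCESS_DENIED_CONF):
    """Return the blocking network as a string, or None if the client is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for net in denied_networks(conf_text):
        if addr.version == net.version and addr in net:
            return str(net)
    return None
```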

   That’s it!!

Categories
Uncategorized

Updating to Apache 2.4.12.

Japanese version of this article

   Apache HTTP Server 2.4.12 was released. It includes four security fixes, for CVE-2014-3583, CVE-2014-3581, CVE-2014-8109 and CVE-2013-5704. The following lines were added to httpd-ssl.conf. (There was no release of 2.4.11.)

    # OCSP Stapling (requires OpenSSL 0.9.8h or later)
    #
    # This feature is disabled by default and requires at least
    # the two directives SSLUseStapling and SSLStaplingCache.
    # Refer to the documentation on OCSP Stapling in the SSL/TLS
    # How-To for more information.
    #
    # Enable stapling for all SSL-enabled servers:
    #SSLUseStapling On

    # Define a relatively small cache for OCSP Stapling using
    # the same mechanism that is used for the SSL session cache
    # above. If stapling is used with more than a few certificates,
    # the size may need to be increased. (AH01929 will be logged.)
    #SSLStaplingCache "shmcb:c:/Apache24/logs/ssl_stapling(32768)"

    # Seconds before valid OCSP responses are expired from the cache
    #SSLStaplingStandardCacheTimeout 3600

    # Seconds before invalid OCSP responses are expired from the cache
    #SSLStaplingErrorCacheTimeout 600

   This version was built with openssl-1.0.1l, so the issues described in the OpenSSL Security Advisory [08 Jan 2015] are fixed.

   I downloaded httpd-2.4.12-win32-VC11.zip from Apache Lounge for my Windows 7 server. If you need information about Apache 2.4.x configuration on Windows, see my post ‘To create a Wamp-like Web Server in Windows7-#1.’.

Categories
Windows

Updating to PHP5.6.5.

Japanese version of this article

   They released the PHP 5.6.5 Windows version on Jan-22 03:24:41 UTC. It fixes several bugs as well as CVE-2015-0231 (bug #68710), CVE-2014-9427 (bug #68618) and CVE-2015-0232 (bug #68799).
   I couldn’t find “Fixed bug #68799” in the PHP 5.6.5 ChangeLog, though it is in 5.5.21’s. Did they forget to write it? Anyway, I updated PHP from 5.6.4 to 5.6.5 on my Web server (Windows7 HP + SP1 (x86)).

   If you need more information about the configuration, see the post “Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows”.

Categories
Uncategorized

Memorandum #9.

Japanese version of this article

A flock of sparrows (image)
   Yesterday, I saw a pretty flock of sparrows. Nowadays this is very rare in my town, though I often saw flocks of sparrows in the rice fields when I was a child. I think the opportunities to see sparrows have decreased, even though they were very familiar birds and we have a lot of folktales about them. I took a picture of them.
Shirohara??? (image)

   Today I saw the bird in the left image. I think this is a Shirohara. Am I correct?

   By the way, I updated some server software on my Web server yesterday (the server OS is Win7 HP SP1 x86).

Categories
Uncategorized

phpMyAdmin 4.3.0 is released.

Japanese version of this article

   They released phpMyAdmin 4.3.0 on December 5 and 4.3.1 on December 8, so I updated from 4.2.13.1 to 4.3.1 yesterday. Here are the ChangeLogs. 4.3.0 has tons of improvements from RFEs (Requests for enhancement). 4.3.1 is a bugfix release.

   I downloaded phpMyAdmin-4.3.1-english.zip, extracted it, copied my old config.inc.php into the phpmyadmin folder created by the extraction, and uploaded all of it to the server (see “To create a Wamp-like Web Server in Windows7-#3.”).

   By the way, when I compared the new config.sample.inc.php with my old one (Ver.4.2.x), I found that one line had been removed and one line added.

In the /* Storage database and tables */ area:
   The removed line.
     // $cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';

   The added line.
     // $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';

4.3.1 alerts (image)
   So, when I logged on to the new phpMyAdmin as root for the first time, I got “The phpMyAdmin configuration storage is not completely configured, some extended features have been deactivated. Find out why. Or alternately go to ‘Operations’ tab of any database to set up it there”.

   By clicking ‘Find out why’, I got the alerts shown in the right image.

   There were instructions, too.

     Quick steps to setup advanced features:

     Create the needed tables with the ./examples/create_tables.sql.
     Create a pma user and give access to these tables.
     Enable advanced features in configuration file (config.inc.php), for example by starting
     from config.sample.inc.php.
     Re-login to phpMyAdmin to load the updated configuration file.

   I did the following.

  1. Log on to the new version with the old config.inc.php as root.
  2. Add the ALTER privilege to the controluser (default: pma) on the database phpmyadmin.
  3. Import the new create_tables.sql. If you changed the database name (default: phpmyadmin) or the controluser name (default: pma), you need to customize the SQL file before importing. See “Configuration storage”.
  4. Log out.
  5. Edit the old config.inc.php.
    • Delete the line.
           $cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
    • Add the line.
           $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
  6. Log on as root again.
  7. Drop the table pma__designer_coords.

   That’s it.

   About pma__central_columns, see central_columns.
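   A way to spot the removed and added storage settings automatically rather than by comparing the two files by eye. This is an added Python example, not part of the post or of phpMyAdmin; it works on constructed excerpts of an old config.inc.php and the new config.sample.inc.php, and also names the table that step 7 leaves to drop.

```python
import re

# Constructed excerpts (not the real files) of the "Storage database and
# tables" area in an old 4.2.x config.inc.php and the 4.3.x config.sample.inc.php.
OLD_CONFIG = """\
/* Storage database and tables */
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
"""

NEW_SAMPLE = """\
/* Storage database and tables */
// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
// $cfg['Servers'][$i]['recent'] = 'pma__recent';
// $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
"""

# Matches active lines and the '//'-commented ones in the sample file.
STORAGE_LINE = re.compile(
    r"^\s*(?://\s*)?\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*'([^']*)';")


def storage_settings(php_text):
    """Map setting name -> value for every $cfg['Servers'][$i][...] line."""
    found = {}
    for line in php_text.splitlines():
        m = STORAGE_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def diff_storage_settings(old_text, new_text):
    """Return (removed, added) setting names between the two versions."""
    old_keys = set(storage_settings(old_text))
    new_keys = set(storage_settings(new_text))
    return sorted(old_keys - new_keys), sorted(new_keys - old_keys)


def obsolete_tables(old_text, new_text):
    """Tables named only by removed settings: the ones left to drop after the upgrade."""
    old = storage_settings(old_text)
    removed, _ = diff_storage_settings(old_text, new_text)
    return [old[k] for k in removed if old[k] and k != "pmadb"]
```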

Categories
Uncategorized

Remote Desktop Service

Japanese version of this article

   I think someone else has the same trouble. Since the Black Tuesday (Patch Tuesday) of October, I cannot use Remote Desktop to my server, whose OS is Windows 7 Home Premium (x86). Actually, I had not suspected Black Tuesday before I found this fact (-_-;). Remote Desktop to Windows 7 Home Premium, you understand what I mean, don’t you? I found this and this (http://stascorp.com/load/1-1-0-63: くりくりさん told me in a comment on the Japanese post that the site might have some malicious links, so I removed the link tag. It’s probably O.K. as long as you don’t click anything on the linked site when you visit, but prevention is better than cure. So, if you want the information, go to the site AT YOUR OWN RISK.) and tried their suggestion for enabling the feature again. But it failed, and I gave up. Oops!

   Honestly, it is very inconvenient not to be able to use Remote Desktop to the server. So I decided to use Chrome Remote Desktop instead. I don’t like installing software that is not needed for the server itself, but I have no choice this time (sigh).

Categories
Windows

A self-sighed certificate with SANs and SHA256 by OpenSSL.

Japanese version of this article
Update information: Edit (Oct.28)

   When I tested my SSL server for this post with “Qualys SSL Labs – Projects / SSL Server Test”, the test gave me the following Reds and Oranges (^_^;).
 
||Reds||

  1. Trusted : No NOT TRUSTED <<---- Because I use a self-signed certificate that the Labs doesn't know. So I ignore this message with confidence, ha-ha.
  2. IE 6 / XP No FS 1 No SNI 2 : Protocol or cipher suite mismatch : Fail3 <<---- My SSL server's only user is me, and I don't use IE 6 / XP. So I ignore this message.
  3. Fail3: They say “Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.” My SSL server doesn’t accept lower protocols, but that is no problem for me.

   As above, there is nothing for me to do about the Reds.

||Oranges||

  1. Prefix handling : Not valid for “www.o6asan.com” :CONFUSING
  2. Signature algorithm : SHA1withRSA : WEAK
  3. Chain issues : Contains anchor <<---- Ivan Ristić replied about “Chain issues Contains anchor”. So I ignore this message.
  4. Not in trust store <<---- Because I use a self-signed certificate. So I ignore this message.
  5. Downgrade attack prevention : No, TLS_FALLBACK_SCSV not supported
  6. Forward Secrecy : With some browsers

   As above, I have something to do about 1, 2, 5 and 6. I handle 5 and 6 first, because I need to create a new certificate for 1 and 2.

  1. I updated Apache 2.4.10 (httpd-2.4.10-win32-VC11.zip) to the October 20 build, because it was built with openssl-1.0.1j, which supports TLS_FALLBACK_SCSV.
  2. I uncommented SSLHonorCipherOrder on and changed the SSLCipherSuite directive value in httpd-ssl.conf from
     HIGH:MEDIUM:!aNULL:!MD5
     to
     EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
     EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
     EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP
     !PSK !SRP !DSS

       Ref : Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
     ↓ I changed it on Dec. 23 because of RC4.
     EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
     EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH
     EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS

       Ref : RC4 in TLS is Broken: Now What?

     If your server has to support some mobile OS/browsers or legacy ones, you need additional configuration. But the above is enough for my server.
  3. After these changes the test gives me “Downgrade attack prevention : Yes, TLS_FALLBACK_SCSV supported” and “Forward Secrecy : Yes (with most browsers) ROBUST”.

   Second, I handle 1 and 2.
   1 is caused by my self-signed certificate having only o6asan.com as its Common Name. So I have to create a new certificate that covers both o6asan.com and www.o6asan.com. But there is a problem: I want to use only one IP address for my SSL server. Nowadays we have a solution for this, called SNI (Server Name Indication), though not every OS/browser supports it yet. I can use a wildcard certificate or SANs with SNI. I use SANs because I don’t want my SSL server to accept all subdomains, even though I could restrict them by Apache configuration.
   2 is caused by my having created the certificate with the OpenSSL default, which is SHA1. So I’ll use default_md = sha256 for the new certificate.
   On the 28th, I re-read Server Name Indication. Is SNI a different story from wildcard certificates / SANs? I still don’t understand them. Difficult.

   I copied the file openssl.cnf (← this is the default name) from the Apache24\conf folder to c:\openssl-1.0.1x-winxx\ssl (← this is the default location) and customized it as follows.

    Change values and uncomment a line.

  1. dir = ./demoCA —->> dir = X:/demoCA <<---- Needs an exact path
  2. default_crl_days = 30 —->> default_crl_days = 365
  3. default_md = default —->> default_md = sha256
  4. default_bits = 1024 —->> default_bits = 2048
  5. # req_extensions = v3_req —->> req_extensions = v3_req

    Add lines.

  1. subjectAltName = @alt_names in the [ v3_req ] area.
  2. [ alt_names ]
     DNS.1 = example.com
     DNS.2 = www.example.com
     just before the [ v3_ca ] area.

     You can add your own domains as DNS.1, DNS.2, DNS.3, ….
  3. If you make a client certificate, add the following to the end of openssl.cnf.
     [ ssl_client ]
     basicConstraints = CA:FALSE
     nsCertType = client
     keyUsage = digitalSignature, keyEncipherment
     extendedKeyUsage = clientAuth
     nsComment = "OpenSSL Certificate for SSL Client"
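
   The openssl.cnf edits above only fix the two Orange findings (SHA1 signature, missing www name) if every one of them is applied. The Python below is an added example, not from the post: it parses a constructed stock openssl.cnf and the edited version, and lists the settings that would still produce a SHA-1, 1024-bit or single-name certificate. It assumes the section and key names of the OpenSSL 1.0.x sample openssl.cnf.

```python
import re

# Constructed excerpt of a stock OpenSSL 1.0.x openssl.cnf before the edits above.
STOCK_CNF = """\
[ CA_default ]
default_md = default       # use public key default MD
[ req ]
default_bits = 1024
# req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
"""

# The same keys after the edits above (the example.com names are placeholders).
EDITED_CNF = """\
[ CA_default ]
default_md = sha256
[ req ]
default_bits = 2048
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
"""


def parse_cnf(text):
    """Parse openssl.cnf into {section: {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def lint_cnf(text):
    """List settings that would still yield a SHA-1, 1024-bit or single-name cert."""
    cfg = parse_cnf(text)
    ca, req, v3 = cfg.get("CA_default", {}), cfg.get("req", {}), cfg.get("v3_req", {})
    problems = []
    if ca.get("default_md", "default").lower() in {"default", "md5", "sha1"}:
        problems.append("CA_default.default_md")      # 'default' was SHA-1 for RSA in 1.0.x
    if int(req.get("default_bits", "1024")) < 2048:
        problems.append("req.default_bits")
    if req.get("req_extensions") != "v3_req":
        problems.append("req.req_extensions")         # SANs never reach the CSR
    if v3.get("subjectAltName") != "@alt_names":
        problems.append("v3_req.subjectAltName")
    elif not any(k.startswith("DNS.") for k in cfg.get("alt_names", {})):
        problems.append("alt_names")
    return problems
```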

   Now I’ll create the new certificates. (Ref : WordPress: Administration Over SSL #1)

    ||Create myCA||

  1. Make a myCA folder at X:\
  2. In myCA, make two folders named private and newcerts and an empty file named index.txt.
  3. Run cmd.exe as Administrator:
     pushd X:\myCA
     echo 01 > serial
     openssl req -new -keyout private\cakey.pem -out careq.pem
     openssl ca -selfsign -in careq.pem -extensions v3_ca -out cacert.pem
     copy cacert.pem (Drive_SV):\Apache24\conf\ssl.crt
     copy cacert.pem my_ca.crt

       Note) (Drive_SV) is a partition for server components on my home server PC.

    ||Create Server Cert||

  1. pushd X:\myCA
     openssl genrsa -out server.key 2048
     openssl req -new -out server.csr -key server.key
  2. Check the multiple SANs in the CSR (can you see a ‘Subject Alternative Name’ area in it?):
     openssl req -text -noout -in server.csr
  3. openssl ca -in server.csr -out server.crt -extensions v3_req
     copy server.key cp_server.key
     openssl rsa < cp_server.key > server.key
     copy server.key (Drive_SV):\Apache24\conf
     copy server.crt (Drive_SV):\Apache24\conf

    ||Create Client Cert||

  1. pushd X:\myCA
     openssl req -new -keyout client.key -out client.csr
     openssl ca -policy policy_anything -extensions ssl_client -in client.csr -out client.crt
     openssl pkcs12 -export -in client.crt -inkey client.key -out clientcert.p12

References about SANs: FAQ/subjectAltName (SAN), Multiple Names on One Certificate.

   I have a self-signed certificate with SANs and SHA256 now. Mission complete!!

Categories
Windows

Memorandum #7.

Japanese version of this article
Update information: Edit (Oct.18)

   Have you already handled the “POODLE” issue, i.e. CVE-2014-3566? OpenSSL Security Advisory [15 Oct 2014] is also related to this.

   First, as a web site operator:
   I haven’t got the new build with 1.0.1j from Apache Lounge yet, so I applied the workaround I read in “SSL v3 goes to the dogs – POODLE kills off protocol”.

   I added SSLProtocol All -SSLv3 to my httpd-ssl.conf and restarted httpd.exe. Before this, SSL Server Test gave me “This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C”. After this, it gave me “This server is not vulnerable to the POODLE attack because it doesn’t support SSL 3”. Actually, I use Apache 2.4 and OpenSSL 1.0.1, so in my mod_ssl ‘SSLProtocol all’ means ‘SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2’ according to the SSLProtocol directive documentation.

   Second, as a user:
   I did the following workaround. See “How to protect your browser”.

Edit (Oct.18):
PHP 5.6.1 —>> PHP 5.6.2 ChangeLog.
phpMyAdmin 4.2.9.1 —>> phpMyAdmin 4.2.10 ChangeLog.

Categories
Windows

Updating to PHP5.6.1.

Japanese version of this article

   They released the PHP 5.6.1 Windows version on Sep-25 06:28:30 UTC. Recently, the Windows versions are released earlier than the other versions. So I updated PHP from 5.6.0 to 5.6.1 on my Web server (Windows7 HP + SP1 (x86)).

   There is no difference between the two php.ini-production files except a spelling correction. So I replaced all the files, copied my php.ini into the folder and restarted httpd.exe.

   The OPcache bug still remains. But the above is my ordinary procedure, so I thought “That’s it.”

   Buuuuuuuuuuuuuuuuuut I had real trouble this time. First I found the warning “PHP Startup: in Unknown on line 0” in the Apache error log. Only this; it had no module name or anything else. But it was just a warning, i.e. a very small problem. Then, when I checked the PHP information for PHP Version 5.6.1, I found that php_curl.dll was not loaded. Boo-hoo-hoo!

   Finally I found the solution after a whole day of hard work.
   I added “x:\PHP install directory” to the PATH environment variable. I think most PHP users usually add it when they first install PHP. But I hadn’t, and I had no problem until today. At first I guessed this was a new requirement of PHP 5.6.1. However, after reading “the curl extension doesn’t load using apache” and seeing its date, I bet this trouble depends on Windows security updates.

   Anyway, PHP5.6.1 is working well on the server.

   If you need more information about the configuration, see the post “Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows”.

Categories
Windows

Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows.

Japanese version of this article

   They released PHP 5.6.0 on Aug-27 21:52:22. Actually, that was about half a day earlier than the release on php.net; I have sometimes experienced this time lag between the two recently. So, this afternoon, I migrated from PHP 5.5.16 to PHP 5.6.0 on my Web server (Windows7 HP + SP1 (x86)). Here is its ChangeLog.

   They say “Most improvements in PHP 5.6.x have no impact on existing code. There are a few incompatibilities and new features that should be considered, and code should be tested before switching PHP versions in production environments.” and it is true. I didn’t need any changes to existing code. However, that is for migrating from PHP 5.5.16 to PHP 5.6.0 in my case; if you migrate from an older version, you might need some changes.

   I did not change my old php.ini except for mbstring. PHP 5.6.0 has UTF-8 as its default charset, so I thought I no longer needed the mbstring customization. If you run production sites, you should use a php.ini based on the php.ini-production file that the official package includes. The php.ini-development file is for development environments.

   The following table shows my new configuration for version 5.6.0. Drive_SV is my server software partition.

 #  | Default                                | Custom
----+----------------------------------------+----------------------------------------------------------
  1 | output_buffering = 4096                | output_buffering = Off
  2 | disable_functions =                    | disable_functions = "shell_exec, suexec, passthru, phpinfo"
  3 | expose_php = On                        | expose_php = Off
  4 | ; extension_dir = "ext"                | extension_dir = "Drive_SV:\PHP\ext"
  5 | allow_url_fopen = On                   | allow_url_fopen = Off
  6 | ;extension=php_curl.dll                | extension=php_curl.dll
  7 | ;extension=php_gd2.dll                 | extension=php_gd2.dll
  8 | ;extension=php_mbstring.dll            | extension=php_mbstring.dll
  9 | ;extension=php_mysqli.dll              | extension=php_mysqli.dll
 10 | ;extension=php_openssl.dll             | extension=php_openssl.dll
 11 |                                        | zend_extension = "Drive_SV:\PHP\ext\php_opcache.dll"
 12 | ;date.timezone =                       | date.timezone = "Asia/Tokyo"
 13 | ;sendmail_from = me@example.com        | sendmail_from = My email address
 14 | mysql.allow_persistent = On            | mysql.allow_persistent = Off
 15 | ;opcache.enable=0                      | opcache.enable=1
 16 | ;opcache.memory_consumption=64         | opcache.memory_consumption=128
 17 | ;opcache.interned_strings_buffer=4     | opcache.interned_strings_buffer=8
 18 | ;opcache.max_accelerated_files=2000    | opcache.max_accelerated_files=4000
 19 | ;opcache.revalidate_freq=2             | opcache.revalidate_freq=60
 20 | ;opcache.fast_shutdown=0               | opcache.fast_shutdown=1

   Settings 1 and 14 might give you some trouble on your server; it depends on your server environment. 11 and 15–20 are values for OPcache, so if you don’t use OPcache, leave them at the default.

   Now, 1 day after the migration: php_opcache.dll was giving a lot of errors, so I have stopped using OPcache until I find a solution. Changing the mbstring settings might have some bad effects on server performance; I am taking a wait-and-see attitude.
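   To confirm that a php.ini really carries the hardening rows of this table (expose_php, allow_url_fopen, disable_functions, mysql.allow_persistent), here is an added Python check, not part of the post. It parses a constructed php.ini excerpt with the Custom values and one with the production defaults; the Drive_SV paths are hypothetical.

```python
import configparser

# Constructed php.ini excerpt mirroring the Custom column (hypothetical paths).
PHP_INI_CUSTOM = """\
[PHP]
output_buffering = Off
disable_functions = "shell_exec, suexec, passthru, phpinfo"
expose_php = Off
extension_dir = "Drive_SV:\\PHP\\ext"
allow_url_fopen = Off
extension=php_mysqli.dll
zend_extension = "Drive_SV:\\PHP\\ext\\php_opcache.dll"
[Date]
date.timezone = "Asia/Tokyo"
[MySQL]
mysql.allow_persistent = Off
[opcache]
opcache.enable=1
"""

# The same keys at their php.ini-production defaults (the Default column).
PHP_INI_DEFAULT = """\
[PHP]
output_buffering = 4096
disable_functions =
expose_php = On
allow_url_fopen = On
[MySQL]
mysql.allow_persistent = On
"""

EXPECTED = {
    "expose_php": "Off",              # do not advertise the PHP version in headers
    "allow_url_fopen": "Off",         # no remote URLs in include/fopen
    "mysql.allow_persistent": "Off",
}
MUST_DISABLE = {"shell_exec", "passthru", "phpinfo"}


def load_ini(text):
    """Parse php.ini into a flat {key: value}; keys keep their case, quotes are stripped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=(";", "#"), allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    flat = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            flat[key] = (value or "").strip().strip('"')
    return flat


def audit_php_ini(text):
    """Return the setting names that differ from the hardened values above."""
    ini = load_ini(text)
    findings = [k for k, want in EXPECTED.items() if ini.get(k, "").lower() != want.lower()]
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    if not MUST_DISABLE <= disabled:
        findings.append("disable_functions")
    return sorted(findings)
```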

   As you can see, I no longer use the MySQL extension on my server. I use the MySQLi extension only.

   I’ll show you my server software versions.

   I almost forgot to write this. This time I had a problem that gave me the error ‘Bad Host request’. I thought it was BulletProof Security’s fault, ha-ha-ha, so I disabled the plugin before the PHP upgrade and enabled it again after the migration. But I gave it a bum rap: it was php_opcache.dll’s fault. Hey BulletProof Security, sorry!