apache 2.2 – How to configure nginx better to reduce redundant system calls when APIs are called?

I have a Laravel application running in production, and there are a few APIs that are used a lot. Something was creating a bottleneck and it used to stall our servers (3 with Load Balancer). After optimising the basics in Laravel, caching config, routes, data and so on, even resolving all n+1 issues, we were still having issues in peak times. Someone suggested we run strace on one of the nginx workers to see what is happening on the system level, so we did, and interestingly enough, there are lots of redundant system calls where nginx tries to find files when APIs are called:

Part of trace:

240498 stat("/var/www/html/myProject/current/public/APIRequest/3d4f7518e04e9", 0x7ffc7ee6ff70) = -1 ENOENT (No such file or directory)
240498 stat("/var/www/html/myProject/current/public/APIRequest/3d4f7518e04e9", 0x7ffc7ee6ff70) = -1 ENOENT (No such file or directory)
240498 lstat("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
240498 lstat("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
240498 lstat("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
240498 lstat("/var/www/html/myProject", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
240498 lstat("/var/www/html/myProject/current", {st_mode=S_IFLNK|0777, st_size=48, ...}) = 0
240498 readlink("/var/www/html/myProject/current", "/var/www/html/myProject/release"..., 4095) = 48
240498 lstat("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
240498 lstat("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
240498 lstat("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
240498 lstat("/var/www/html/myProject", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
240498 lstat("/var/www/html/myProject/releases", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
240498 lstat("/var/www/html/myProject/releases/20201202085755", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
240498 lstat("/var/www/html/myProject/releases/20201202085755/public", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0

Now the API is called with the ID 3d4f7518e04e9 in this case, and it tries to loop through the directories to find that file instead. But it is not a file, it is an API. We ran strace for less than 30 secs, and we have 5k such calls which don’t make sense to me.

So, are these calls necessary? I don’t think so, but tell me if I am wrong. And if I am right, how can I configure my nginx better so that these calls can be “caught in time” and resolved appropriately. Any ideas are welcome. 🙂

PS: We have tried apache with similar config also, same problem in strace appears.

Apache Web Server Aliasing for multiple url giving 404

I am trying to redirect all the URLs starting from /search-engine/* to /var/www/search-engine/dist, but the result says not found. I have tried AliasMatch as shown below:

AliasMatch ^/search-engine(.*) /var/www/search-engine/dist

The front-end technology I am using is Angular. Can anyone suggest what I am missing? I also tried going through a lot of the Apache 2.4 documentation but was not able to understand the things that would help me reach the result.

mod rewrite – Unable to redirect https://www.example.com to https://example.com on Apache 2.4.10

I’ve tried numerous methods to get https://www.example.com (the url with www) to redirect to https://example.com (the url without www) but I keep getting a certificate warning. I have http:// redirecting to https:// just fine in the non-ssl vhost config.

The current version of the ssl vhost config looks like this (I’ve tried many variations but none work):

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerAdmin webmaster@localhost

                ServerName example.com
                DocumentRoot /var/www/html/website
                <Directory /var/www/html/website/>
                        AllowOverride All
                </Directory>

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/apache2/ssl/fullchain.pem
                SSLCertificateKeyFile /etc/apache2/ssl/key.pem


                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                # MSIE 7 and newer should be able to use keepalive
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
        </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

security – Can I use rate-limiting with HTTP basic authentication in Apache?

So I’m running a few popular web applications on my server. I want these to be reachable from any computer without creating too many vulnerabilities.

I am using Apache 2.4.29 as my HTTP server. My current idea for hiding potential security vulnerabilities in my applications from attackers is to enable HTTP basic authentication (AuthType Basic) for the relevant virtual hosts as an additional security layer. Of course, I’m only allowing SSL connections.

Now this is all quite easy to accomplish. But my question is this: how can I best avoid brute force style attacks with HTTP basic authentication? I.e., how can I enable rate limiting?

My current plan is something like this:

Since I’m using ufw (Uncomplicated Firewall) to limit SSH connections, I thought I could do the same on a specific port I use for HTTPS. However, I see two problems with this:

  1. Can’t an attacker just use Connection: Keep-Alive and keep trying different passwords without even reconnecting? So limiting incoming connections wouldn’t be of any use here.
  2. If I disabled Connection: Keep-Alive somehow, I guess I would run into trouble with the underlying web applications, since they would require a lot of individual connections so the browser can retrieve additional files.

It would be perfect if I could instruct Apache to only keep the connection going for authenticated users and drop it for failed attempts. Is there a way to do this? I am actually not sure what is the default behavior and don’t understand enough about HTTP to easily test this.
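The Keep-Alive concern in the question above can be sidestepped by counting failures per request rather than per connection: the access log gets one line per request even when the connection is reused. The following is an added example, not part of the original post; it assumes the `combined` log format, and the sample lines, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)

def find_bruteforce(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: time the threshold was first crossed} for clients with
    more than max_failures 401 responses inside any sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 401s
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "401":
            continue  # unparsable line, or not an authentication failure
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

# Constructed sample: one client fails 8 times in 8 seconds (this could all be
# on a single keep-alive connection); another gets the usual first 401
# challenge from its browser and then logs in successfully.
SAMPLE = [
    f'203.0.113.7 - admin [02/Dec/2020:09:00:{s:02d} +0000] '
    '"GET /app/ HTTP/1.1" 401 381 "-" "-"'
    for s in range(8)
] + [
    '198.51.100.20 - - [02/Dec/2020:09:00:03 +0000] '
    '"GET /app/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.20 - alice [02/Dec/2020:09:00:09 +0000] '
    '"GET /app/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE).items():
        print(f"{ip} exceeded the 401 threshold at {when.isoformat()}")
```

The threshold has to tolerate the single 401 every legitimate browser receives before it sends credentials, which is why the second client in the sample is not flagged.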

proxy – Apache – multiple domains and ports

Currently, I have two domain names pointing to the same cloud server:

domain-a.com
domain-b.com

The setting in my Apache for domain-a.com

# 000-default.conf
<VirtualHost *:80>
        Redirect permanent / https://domain-a.com/
</VirtualHost>

But how can I have the domain-b.com “redirect” to a port, for example, 3000, in the same cloud server but not having the port number appeared on the browsers?

Is it the proxy module that I should be looking into? I am thinking something like this:

# 000-default.conf
<VirtualHost *:80>
    ProxyPreserveHost On

    ProxyPass / http://xxx.xxx.xxx.xxx:3000/
    ProxyPassReverse / http://xxx.xxx.xxx.xxx:3000/
</VirtualHost>

But this doesn’t seem right because that will become a proxy for domain-a.com too. I just want the domain-a.com to be directed to 443 but using the proxy for domain-b.com. Is this possible?

apache – How to make wordpress page site.com/content as location for main site.com that is worked on nuxt.js+node?

There are 2 containers with sites:

  • on nuxt.js
  • on wordpress

They work in the same environment, that is, they are visible to each other.
It is necessary in the 3rd container with Nginx to display the wordpress page as location /content when passing from nuxt.js.
That is, site.com works under node + nuxt, and when you go to the site.com/content link, we go to the wordpress page with posts. You also need the site.com/wp-admin link to work as a regular wordpress route and open a full-fledged wordpress admin panel. But wordpress itself can work on any other subdomain example.site.com, if there are difficulties with the wp-admin output. How to implement this using nginx + wordpress or suggest other options?

apache 2.4 – Header always edit Set-Cookie not working

I am using Apache 2.4.6 on an up-to-date installation of CentOS 7.9. I have tried all variations of setting a header like below (adding/removing quotes, changing the regular expression, etc.) but the Set-Cookie header is never modified when sent to the user. Every article I find trying to accomplish this says it works but it just does not work for me.

Header always set TestBefore 1
Header always edit Set-Cookie ^(.*)$ "$1; SameSite=Strict; Secure"
Header always set TestAfter 1

Both the before and after headers are sent but the Set-Cookie header is never modified. Any idea what the issue could be?

installing – “Process ‘Apache web server’ failed to start. Port 8083 didn’t open”

I’m trying to install Acquia Dev Desktop 2 on my Windows 10 PC. When it’s finished installing and I run the program, an error pop-up message shows up saying Process ‘Apache web server’ failed to start. Port 8083 didn’t open.

I should point out that I do have XAMPP installed on my PC, but I also read in the documentation that even if you have XAMPP installed, it won’t interfere.

What am I doing wrong here?

I just want my Drupal websites to load faster because on XAMPP they’re pretty slow.

Apache virtualhost is redirecting to the wrong virtualhost

I am trying to implement a second domain within an existing digitalocean droplet.

Because I’m on DO, I followed the answer by ryanpq on this thread: https://www.digitalocean.com/community/questions/is-it-possible-to-install-another-wordpress-on-droplet

Similar to the commenters on that thread, my newer site redirects to my existing site (even after changing the DocumentRoot and Directory appropriately).

Here are my configs:

Within /etc/apache2/sites-enabled, I have 4 files: 000-default-le-ssl.conf, 000-default.conf, example1.conf, example2.conf

000-default.conf and example1.conf are copies.

example1.conf looks like so:

# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        ServerName example1.io
        ServerAlias www.example1.io

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride None
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example1.io [OR]
RewriteCond %{SERVER_NAME} =example1.io
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

example2.conf looks like so:

<VirtualHost *:80>
        ServerAdmin webmaster@example2.com

        ServerName example2.com
        ServerAlias www.example2.com

        DocumentRoot /var/www/example2

        <Directory /var/www/example2/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

My directory structure looks like /var/www/html and /var/www/example2

Within the DNS control panel, I created new A and CNAME records. The A record points to the IP address of the older, existing, site (so, example2.com directs to 128….)

Going to example2.com redirects me to example1.io.

What am I missing?

apache http server – Throttled speed to specific IP address from within home WiFi only

I am experiencing a weird problem where:

  • Accessing my own dedicated server at a hosting provider in France is slow between the hours of 6pm and 10pm.
  • Just accessing this particular IP is slow, not everything else
  • Accessing the IP from my phone for example is fine

I called my ISP and they say they don’t block or throttle anything. I also reset my router completely but the problem persists.

I can download TO my server with no problem and also contacted my server provider. They ran some tests and they get full speed.

What can I do? How can I find out what is causing this issue?