Category: Ubuntu 12.04

How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server

http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server

Submitted by The Fan Club on Sun, 2012-04-29 23:33

Last Update : August 2013

This guide is based on various community forum posts, and hours of frustration.

This guide is intended as a relatively easy step by step guide to:

  • Install and configure Apache2 ModSecurity and mod_evasive modules on Ubuntu 12.04 LTS server.
  • Things have become much easier than before installing both these two excellent security modules for Apache2 in Ubuntu 12.04 LTS, as both modules are available in the standard Ubuntu 12.04 repositories.
  • This is only a starting point for getting mod_security and mod_evasive working. Refer to both projects documentation for the various configuration option available and configure your security settings as required.

Requirements:

  • Ubuntu 12.04 LTS server, or later installed on your machine.
  • Apache2 webserver setup and configured.

1. Install ModSecurity on your server.

  • Install the dependencies. Open the Terminal Window and enter :
sudo apt-get install libxml2 libxml2-dev libxml2-utils

sudo apt-get install libaprutil1 libaprutil1-dev
  • 64bit users please note – Because of this bug you need to create a symbolic link to libxml2.so.2 or the installation will report the file missing and fail.
ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
  • Now install ModSecurity
sudo apt-get install libapache-mod-security

2. Configure ModSecurity rules.

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
  • The default folder for ModSecurity rules is /etc/modsecurity/ . All .conf files will be included and need to be configured as required.
  • We need to activate all the base rules and make sure they also get loaded.
  • You might want to edit the SecRequestBodyLimit option in the modsecurity.conf file.
  • SecRequestBodyLimit limits the page request size and limits file uploads to 128 KB by default. Change this to the size of files you would accept uploaded to the server.
  • This settings is very important as it limits the size of all files that can be uploaded to the server. For CMS sites using Drupal or WordPress this setting is the source of much pain.
  • Open the Terminal Window and enter :
sudo vi /etc/modsecurity/modsecurity.conf
  • First activate the rules by editing the SecRuleEngine option and set to On.
SecRuleEngine On
  • Edit the following to option to increase the request limit to 16 MB and save the file :
SecRequestBodyLimit 16384000SecRequestBodyInMemoryLimit 16384000

3. Download and install the latest OWASP Core Rule Set.

  • We need to download and install the latest OWASP ModSecurity Core Rule Set from the project website. Click here for more information.
  • We will also activate the default CRS config file modsecurity_crs_10_setup.conf.example
  • If you prefer not to use the latest rules, replace master below with the a specific version you would like to use e.g : v2.2.5
  • Open the Terminal Window and enter :
cd /tmp

sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz http://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz

sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/

sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz

sudo rm -R SpiderLabs-owasp-modsecurity-crs-*

sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
  • Now we create symbolic links to all activated base rules. Open a terminal window and enter :
cd /etc/modsecurity/base_rulesfor f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; donecd /etc/modsecurity/optional_rulesfor f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done
  • Now add these rules to Apache2. Open a terminal window and enter:
sudo vi /etc/apache2/mods-available/mod-security.conf
  • Add the following to towards the end of the file with other includes and save the file :
Include "/etc/modsecurity/activated_rules/*.conf"

4. Check if ModSecurity is enabled and restart Apache.

  • Before restarting Apache2 check if the modules has been loaded.
  • Open the Terminal Window and enter :
sudo a2enmod headerssudo a2enmod mod-security
  • Then restart the Apache2 webserver :
sudo /etc/init.d apache2 restart
  • OR
service apache2 restart

5. Install ModEvasive.

  • Open the Terminal Window and enter :
sudo apt-get install libapache2-mod-evasive

6. Create log file directory for mod_evasive.

  • Open the Terminal Window and enter :
sudo mkdir /var/log/mod_evasive
  • Change the log folder permissions :
sudo chown www-data:www-data /var/log/mod_evasive/

7. Create mod-evasive.conf file and configure ModEvasive.

  • Open the Terminal Window and enter :
sudo vi /etc/apache2/mods-available/mod-evasive.conf
  • and add the following, changing the email value, and other options below as required :
<ifmodule mod_evasive20.c>   DOSHashTableSize 3097   DOSPageCount  2   DOSSiteCount  50   DOSPageInterval 1   DOSSiteInterval  1   DOSBlockingPeriod  10   DOSLogDir   /var/log/mod_evasive   DOSEmailNotify  EMAIL@DOMAIN.com   DOSWhitelist   127.0.0.1</ifmodule>

8. Fix mod-evasive email bug

  • Because of this bug mod-evasive does not send emails on Ubuntu 12.04.
  • A temporary workaround is to create symlink to the mail program.
  • Open the Terminal Window and enter :
sudo ln -s /etc/alternatives/mail /bin/mail/

9. Check if ModEvasive is enabled and restart Apache.

  • Before restarting Apache2 check if the module has been loaded.
  • Open the Terminal Window and enter :
sudo a2enmod mod-evasive
  • Then restart the Apache2 webserver :
sudo /etc/init.d/apache2 restart
  • OR
service apache2 restart

How to secure an Ubuntu 12.04 LTS server – Part 1 The Basics

http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
Submitted by The Fan Club on Thu, 2012-05-17 13:06

This guide is based on various community forum posts and webpages. Special thanks to all. All comments and improvements are very welcome as this is purely a personal experimental project at this point and must be considered a work in progress.

This guide is intended as a relatively easy step by step guide to:

Harden the security on an Ubuntu 12.04 LTS server by installing and configuring the following:

  1. Install and configure Firewall – ufw
  2. Secure shared memory – fstab
  3. SSH – Disable root login and change port
  4. Protect su by limiting access only to admin group
  5. Harden network with sysctl settings
  6. Disable Open DNS Recursion and Remove Version Info – Bind9 DNS
  7. Prevent IP Spoofing
  8. Harden PHP for security
  9. Restrict Apache Information Leakage
  10. Install and configure Apache application firewall – ModSecurity
  11. Protect from DDOS (Denial of Service) attacks with ModEvasive
  12. Scan logs and ban suspicious hosts – DenyHosts and Fail2Ban
  13. Intrusion Detection – PSAD
  14. Check for RootKits – RKHunter and CHKRootKit
  15. Scan open Ports – Nmap
  16. Analyse system LOG files – LogWatch
  17. SELinux – Apparmor
  18. Audit your system security – Tiger

If you are looking for a GUI script to install and configure all the steps explained here automatically,
visit How to secure an Ubuntu 12.04 LTS server – Part 2 The GUI Installer script

Requirements:

  • Ubuntu 12.04 LTS server with a standard LAMP stack installed.

1. Firewall – UFW

  • A good place to start is to install a Firewall.
  • UFW – Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool – gufw, or use Shorewall, fwbuilder, or Firestarter.
  • Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide, UFW manual pages or the Ubuntu UFW community documentation.
  • Install UFW and enable, open a terminal window and enter :
sudo apt-get install ufwsudo ufw enable
  • Check the status of the firewall.
sudo ufw status verbose
  • Allow SSH and Http services.
sudo ufw allow sshsudo ufw allow http

2. Secure shared memory.

  • /dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.
  • Open a Terminal Window and enter the following :
sudo vi /etc/fstab
  • Add the following line and save. You will need to reboot for this setting to take effect :
tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0

3. SSH Hardening – disable root login and change port.

  • The easiest way to secure SSH is to disable root login and change the SSH port to something different than the standard port 22.
  • Before disabling the root login create a new SSH user and make sure the user belongs to the admin group (see step 4. below regarding the admin group).
  • If you change the SSH port also open the new port you have chosen on the firewall and close port 22.
  • Open a Terminal Window and enter :
sudo vi /etc/ssh/sshd_config
  • Change or add the following and save.
Port <ENTER YOUR PORT>Protocol 2PermitRootLogin noDebianBanner no
  • Restart SSH server, open a Terminal Window and enter :
sudo /etc/init.d/ssh restart

4. Protect su by limiting access only to admin group.

  • To limit the use of su by admin users only we need to create an admin group, then add users and limit the use of su to the admin group.
  • Add a admin group to the system and add your own admin username to the group by replacing <YOUR ADMIN USERNAME> below with your admin username.
  • Open a terminal window and enter:
sudo groupadd adminsudo usermod -a -G admin <YOUR ADMIN USERNAME>sudo dpkg-statoverride --update --add root admin 4750 /bin/su

5. Harden network with sysctl settings.

  • The /etc/sysctl.conf file contain all the sysctl settings.
  • Prevent source routing of incoming packets and log malformed IP's enter the following in a terminal window:
sudo vi /etc/sysctl.conf
  • Edit the /etc/sysctl.conf file and un-comment or add the following lines :
# IP Spoofing protectionnet.ipv4.conf.all.rp_filter = 1net.ipv4.conf.default.rp_filter = 1# Ignore ICMP broadcast requestsnet.ipv4.icmp_echo_ignore_broadcasts = 1# Disable source packet routingnet.ipv4.conf.all.accept_source_route = 0net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0net.ipv6.conf.default.accept_source_route = 0# Ignore send redirectsnet.ipv4.conf.all.send_redirects = 0net.ipv4.conf.default.send_redirects = 0# Block SYN attacksnet.ipv4.tcp_syncookies = 1net.ipv4.tcp_max_syn_backlog = 2048net.ipv4.tcp_synack_retries = 2net.ipv4.tcp_syn_retries = 5# Log Martiansnet.ipv4.conf.all.log_martians = 1net.ipv4.icmp_ignore_bogus_error_responses = 1# Ignore ICMP redirectsnet.ipv4.conf.all.accept_redirects = 0net.ipv6.conf.all.accept_redirects = 0net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0# Ignore Directed pingsnet.ipv4.icmp_echo_ignore_all = 1
  • To reload sysctl with the latest changes, enter:
sudo sysctl -p

6. Disable Open DNS Recursion and Remove Version Info – BIND DNS Server.

  • Open a Terminal and enter the following :
sudo vi /etc/bind/named.conf.options
  • Add the following to the Options section :
recursion no;version "Not Disclosed";
  • Restart BIND DNS server. Open a Terminal and enter the following :
sudo /etc/init.d/bind9 restart

7. Prevent IP Spoofing.

  • Open a Terminal and enter the following :
sudo vi /etc/host.conf
  • Add or edit the following lines :
order bind,hostsnospoof on

8. Harden PHP for security.

  • Edit the php.ini file :
sudo vi /etc/php5/apache2/php.ini
  • Add or edit the following lines an save :
disable_functions = exec,system,shell_exec,passthruregister_globals = Offexpose_php = Offdisplay_errors = Offtrack_errors = Offhtml_errors = Offmagic_quotes_gpc = Off
  • Restart Apache server. Open a Terminal and enter the following :
sudo /etc/init.d/apache2 restart

9. Restrict Apache Information Leakage.

  • Edit the Apache2 configuration security file :
sudo vi /etc/apache2/conf.d/security
  • Add or edit the following lines and save :
ServerTokens ProdServerSignature OffTraceEnable OffHeader unset ETagFileETag None
  • Restart Apache server. Open a Terminal and enter the following :
sudo /etc/init.d/apache2 restart

10. Web Application Firewall – ModSecurity.

11. Protect from DDOS (Denial of Service) attacks – ModEvasive

12. Scan logs and ban suspicious hosts – DenyHosts and Fail2Ban.

  • DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
  • Open a Terminal and enter the following :
sudo apt-get install denyhosts
  • After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.
  • To edit the admin email settings open a terminal window and enter:
sudo vi /etc/denyhosts.conf
  • Change the following values as required on your server :
ADMIN_EMAIL = root@localhostSMTP_HOST = localhostSMTP_PORT = 25#SMTP_USERNAME=foo#SMTP_PASSWORD=barSMTP_FROM = DenyHosts nobody@localhost#SYSLOG_REPORT=YES
  • Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.
  • Fail2ban scans log files and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.
  • Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.
  • Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).
  • Open a Terminal and enter the following :
sudo apt-get install fail2ban
  • After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.
  • To edit the settings open a terminal window and enter:
sudo vi /etc/fail2ban/jail.conf
  • Activate all the services you would like fail2ban to monitor by changing enabled = false to enabled = true
  • For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.
[ssh]enabled  = trueport     = sshfilter   = sshdlogpath  = /var/log/auth.logmaxretry = 3
  • If you have selected a non-standard SSH port in step 3 then you need to change the port setting in fail2ban from ssh which by default is port 22, to your new port number, for example if you have chosen 1234 then port = 1234
[ssh]enabled  = trueport     = <ENTER YOUR SSH PORT NUMBER HERE>filter   = sshdlogpath  = /var/log/auth.logmaxretry = 3
  • If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.
destemail = root@localhost
  • and change the following line from :
action = %(action_)s
  • to:
action = %(action_mwl)s
  • You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.
sudo vi /etc/fail2ban/jail.local
  • Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForgeclick here for an example
  • When done with the configuration of Fail2Ban restart the service with :
sudo /etc/init.d/fail2ban restart
  • You can also check the status with.
sudo fail2ban-client status

13. Intrusion Detection – PSAD.

  • Cipherdyne PSAD is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
  • Currently version 2.1 causes errors during install on Ubuntu 12.04, but apparently does work. Version 2.2 resolves these issues but is not yet available on the Ubuntu software repositories. It is recommended to manually compile and install version 2.2 from the source files available on the Ciperdyne website.
  • To install the latest version from the source files follow these instruction : How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server
  • OR install the older version from the Ubuntu software repositories, open a Terminal and enter the following :
sudo apt-get install psad

14. Check for rootkits – RKHunter and CHKRootKit.

  • Both RKHunter and CHKRootkit basically do the same thing – check your system for rootkits. No harm in using both.
  • Open a Terminal and enter the following :
sudo apt-get install rkhunter chkrootkit
  • To run chkrootkit open a terminal window and enter :
sudo chkrootkit
  • To update and run RKHunter. Open a Terminal and enter the following :
sudo rkhunter --updatesudo rkhunter --propupdsudo rkhunter --check

15. Scan open ports – Nmap.

  • Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
  • Open a Terminal and enter the following :
sudo apt-get install nmap
  • Scan your system for open ports with :
nmap -v -sT localhost
  • SYN scanning with the following :
sudo nmap -v -sS localhost

16. Analyse system LOG files – LogWatch.

  • Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.
  • Open a Terminal and enter the following :
sudo apt-get install logwatch libdate-manip-perl
  • To view logwatch output use less :
sudo logwatch | less
  • To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :
sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today'

17. SELinux – Apparmor.

  • National Security Agency (NSA) has taken Linux to the next level with the introduction of Security-Enhanced Linux (SELinux). SELinux takes the existing GNU/Linux operating system and extends it with kernel and user-space modifications to make it bullet-proof.
  • More information can be found here. Ubuntu Server Guide – Apparmor
  • It is installed by default since Ubuntu 7.04.
  • Open a Terminal and enter the following :
sudo apt-get install apparmor apparmor-profiles
  • Check to see if things are running :
sudo apparmor_status

18. Audit your system security – Tiger.

  • Tiger is a security tool that can be use both as a security audit and intrusion detection system.
  • Open a Terminal and enter the following :
sudo apt-get install tiger
  • To run tiger enter :
sudo tiger
  • All Tiger output can be found in the /var/log/tiger
  • To view the tiger security reports, open a Terminal and enter the following :
sudo less /var/log/tiger/security.report.*

Startup/Shutdown script

1) Create the startup script file

in /etc/init.d – sudo nano /etc/init.d/StartVM.

Copy Past the following in the file and replace "My VM Name" for your vm name: 

#! /bin/sh
# /etc/init.d/StartVM
#
#Edit these variables!
VMUSER=spode
VMNAME="My VM Name"
case "$1" in
start)
echo "Starting VirtualBox VM..."
sudo -H -b -u $VMUSER /usr/bin/VBoxVRDP -s "$VMNAME"
;;
stop)
echo "Saving state of Virtualbox VM..."
sudo -H -u  $VMUSER /usr/bin/VBoxManage controlvm "$VMNAME" savestate
;;
*)
echo "Usage: /etc/init.d/StartVM {start|stop}"
exit 1
;;
esac
exit 0

2) Give the script executable permission

with sudo chmod +x /etc/init.d/StartVM.

3) Tell script to run at startup.

tell the script be the first to shutdown and the last to startup.

sudo update-rc.d StartVM defaults 99 01

Restore mono apps

This is not perfected…..

rebuild server with the following…

  • update
  • all mount points
  • backup
  • java7
  • apache2 base
  • apache2 ssl
  • apache2 mono
  • rsync -raltWv –progress –exclude /root/logs/srv.rsync.log –log-file=/root/logs/srv.rsync.log /mnt/nfs/fs-01.sdb1/backup/apache-01/srv/ /srv/
  • rsync -raltWv –progress –exclude /root/logs/srv.rsync.log –log-file=/root/logs/srv.rsy nc.log /mnt/nfs/fs-01.sdb1/backup/apache-01/etc/apache2/sites-available/ /etc/apache2/sites-available/
  • enable sites
  • start apache

Dest Machine:

cd /tmp/

rm -rf ./www/

Source Machine:

backup —> scp -r /srv/www/Java.Qbytesworld.com/ davidq@apache-999:/tmp/www/

restore —> rsync -raltWv –progress –exclude=*.rsync.log –log-file=/root/logs/www.rsync.log /mnt/nfs/fs-01.sdb1/backup/apache-01/srv/www/ /tmp/www/

Dest Machine:

/etc/init.d/tomcat7 stop

mv /tmp/www/Java.Qbytesworld.com/ /srv/www/

chown -R apache:apache /srv/www/

/etc/init.d/tomcat7 start

May be needed?

chmod -R 775 /srv/www/

Dynamic mass virtual hosts with mod_rewrite

http://httpd.apache.org/docs/2.2/rewrite/vhosts.html

This document supplements the mod_rewrite reference documentation. It describes how you can use mod_rewrite to create dynamically configured virtual hosts.

mod_rewrite is not the best way to configure virtual hosts. You should first consider the alternatives before resorting to mod_rewrite. See also the "how to avoid mod_rewrite document.
top

Virtual Hosts For Arbitrary Hostnames

Description:

We want to automatically create a virtual host for every hostname which resolves in our domain, without having to create new VirtualHost sections.

In this recipe, we assume that we'll be using the hostname www.SITE.example.com for each user, and serve their content out of /home/SITE/www.

Solution:

RewriteEngine on

RewriteMap lowercase int:tolower

RewriteCond %{lowercase:%{HTTP_HOST}} ^www\.([^.]+)\.example\.com$
RewriteRule ^(.*) /home/%1/www$1

Discussion
You will need to take care of the DNS resolution – Apache does not handle name resolution. You'll need either to create CNAME records for each hostname, or a DNS wildcard record. Creating DNS records is beyond the scope of this document.

The internal tolower RewriteMap directive is used to ensure that the hostnames being used are all lowercase, so that there is no ambiguity in the directory structure which must be created.

Parentheses used in a RewriteCond are captured into the backreferences %1, %2, etc, while parentheses used in RewriteRule are captured into the backreferences $1, $2, etc.

As with many techniques discussed in this document, mod_rewrite really isn't the best way to accomplish this task. You should, instead, consider using mod_vhost_alias instead, as it will much more gracefully handle anything beyond serving static files, such as any dynamic content, and Alias resolution.

top

Dynamic Virtual Hosts Using mod_rewrite

This extract from httpd.conf does the same thing as the first example. The first half is very similar to the corresponding part above, except for some changes, required for backward compatibility and to make the mod_rewrite part work properly; the second half configures mod_rewrite to do the actual work.

Because mod_rewrite runs before other URI translation modules (e.g., mod_alias), mod_rewrite must be told to explicitly ignore any URLs that would have been handled by those modules. And, because these rules would otherwise bypass any ScriptAlias directives, we must have mod_rewrite explicitly enact those mappings.

# get the server name from the Host: header
UseCanonicalName Off

# splittable logs
LogFormat "%{Host}i %h %l %u %t \"%r\" %s %b" vcommon
CustomLog logs/access_log vcommon

<Directory /www/hosts>
# ExecCGI is needed here because we can't force
# CGI execution in the way that ScriptAlias does
Options FollowSymLinks ExecCGI
</Directory>

RewriteEngine On

# a ServerName derived from a Host: header may be any case at all
RewriteMap lowercase int:tolower

## deal with normal documents first:
# allow Alias /icons/ to work - repeat for other aliases
RewriteCond %{REQUEST_URI} !^/icons/
# allow CGIs to work
RewriteCond %{REQUEST_URI} !^/cgi-bin/
# do the magic
RewriteRule ^/(.*)$ /www/hosts/${lowercase:%{SERVER_NAME}}/docs/$1

## and now deal with CGIs - we have to force a handler
RewriteCond %{REQUEST_URI} ^/cgi-bin/
RewriteRule ^/(.*)$ /www/hosts/${lowercase:%{SERVER_NAME}}/cgi-bin/$1 [H=cgi-script]

top

Using a Separate Virtual Host Configuration File

This arrangement uses more advanced mod_rewrite features to work out the translation from virtual host to document root, from a separate configuration file. This provides more flexibility, but requires more complicated configuration.

The vhost.map file should look something like this:

customer-1.example.com /www/customers/1
customer-2.example.com /www/customers/2
# ...
customer-N.example.com /www/customers/N

The httpd.conf should contain the following:

RewriteEngine on

RewriteMap lowercase int:tolower

# define the map file
RewriteMap vhost txt:/www/conf/vhost.map

# deal with aliases as above
RewriteCond %{REQUEST_URI} !^/icons/
RewriteCond %{REQUEST_URI} !^/cgi-bin/
RewriteCond ${lowercase:%{SERVER_NAME}} ^(.+)$
# this does the file-based remap
RewriteCond ${vhost:%1} ^(/.*)$
RewriteRule ^/(.*)$ %1/docs/$1

RewriteCond %{REQUEST_URI} ^/cgi-bin/
RewriteCond ${lowercase:%{SERVER_NAME}} ^(.+)$
RewriteCond ${vhost:%1} ^(/.*)$
RewriteRule ^/(.*)$ %1/cgi-bin/$1 [H=cgi-script]

Available Languages: en

top

Comments

Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our mailing lists.

Tomcat with JMX

You will also need to add two files:

1) /etc/tomcat7inst/jmxremote.password

#monitorRole tomcat
#controlRole tomcat
user password

2) /etc/tomcat7inst/jmxremote.access

#monitorRole readonly
#controlRole readwrite
user readwrite

4)

chmod 600 /etc/tomcat7inst/jmxremote.*

chown tomcat7:tomcat7 /etc/tomcat7inst/jmxremote.*

5) Edit /etc/tomcat7inst/8xx/bin/startup.sh

Add to existing options:

export JAVA_OPTS="-Dcom.qbw.instance=811
-Xms1g -Xmx1g -XX:MaxPermSize=128m
-Djava.rmi.server.hostname=192.168.1.xx
-Dcom.sun.management.jmxremote.port=xxy9
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=/etc/tomcat7inst/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/etc/tomcat7inst/jmxremote.access
"

6)

/etc/tomcat7inst/8xx/bin/shutdown.sh

/etc/tomcat7inst/8xx/bin/startup.sh

Tomcat7 multi instance

apt-get install tomcat7

apt-get install tomcat7 tomcat7-docs tomcat7-examples tomcat7-admin tomcat7-user

Created for you:
Creating config file /etc/default/tomcat7 with new version
Adding system user `tomcat7' (UID 107) …
Adding new user `tomcat7' (UID 107) with group `tomcat7' …

apt-get install tomcat7-docs tomcat7-examples tomcat7-admin tomcat7-user

# find / -name "tomcat-users.xml"
There will be 2 tomcat-users.xml
• /etc/tomcat7/tomcat-users.xml is for the site created on port 8080
• /usr/share/tomcat7/skel/conf/tomcat-users.xml is the default used for create instance.

vi /etc/tomcat7/tomcat-users.xml (be sure to change user and password)
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>

Restart tomcat:
/etc/init.d/tomcat7 restart

CD to the directory where you want to put the new instance.
mkdir /etc/tomcat7inst
cd /etc/tomcat7inst
tomcat7-instance-create -p 8100 -c 8105 810
You are about to create a Tomcat instance in directory '810'
* New Tomcat instance created in 810
* You might want to edit default configuration in 810/conf
* Run 810/bin/startup.sh to start your Tomcat instance

Modify/verify

/etc/tomcat7inst/810/conf/server.xml
<Server port="8105" shutdown="SHUTDOWN">
<Connector port="8100" protocol="HTTP/1.1"
<Connector port="8109" protocol="AJP/1.3" redirectPort="8443" />

Modify/verify

/etc/tomcat7inst/810/conf/ tomcat-users.xml (same as above).

To get ROOT app
cp -r /var/lib/tomcat7/webapps/ROOT/ /etc/tomcat7inst/810/webapps/
Restart tomcat:

./810/bin/shutdown.sh
./810/bin/startup.sh
/etc/init.d/tomcat7 restart

To get manager sites to work
cp /etc/tomcat7/Catalina/localhost/* /etc/tomcat7inst/810/conf/Catalina/localhost/
Restart tomcat:

./810/bin/shutdown.sh
./810/bin/startup.sh
/etc/init.d/tomcat7 restart


When doing a deploy, be sure to cleanup…
rm -rf /etc/tomcat7inst/810/work/Catalina/
rm –rf /etc/tomcat7inst/810/temp/

=======================================================

Make Tomcat auto-start on boot (optional)

Now you should create an INIT-File that makes it possible to start, stop and restart your Tomcat Server. This file must be located in your “/etc/init.d/” directory. You can use the following command to create a file called “tomcat” and open up that file in an editor (I used nano).

vi /etc/init.d/tomcat8x0 (example here tomcat8x0 (519.00 bytes)). For a better script look at http://wiki.debian.org/LSBInitScripts or and example /etc/init.d/skeleton

Make sure you set the right paths for the startup.sh and shutdown.sh scripts. They reside in the /bin directory of your tomcat path (use the path to which you moved the tomcat files

chmod 755 /etc/init.d/tomcat8x0

update-rc.d tomcat8x0 defaults (you must cd to /etc/init.d/ for this to work)

You can remove the autostart with the following command:

update-rc.d -f tomcat8x0 remove (you must cd to /etc/init.d/ for this to work)


Now the Tomcat Server starts automatically at system bootup.

If you wish to start/stop Tomcat Server manually like this:
sudo /etc/init.d/tomcat8x0 start

sudo /etc/init.d/tomcat8x0 stop

Tag Cloud