Author Topic: apache  (Read 1481 times)

Master of Reality

  • VIP
  • Member
  • ***
  • Posts: 4,249
  • Kudos: 177
    • http://www.bobhub.tk
apache
« on: 25 April 2002, 01:19 »
How do I set Apache to be on a certain interface?
When I just started it, it only listened/connected to my internal interface. I need it on my external interface.
Disorder | Rating
Paranoid: Moderate
Schizoid: Moderate
Linux User #283518
'It takes more than a self-inflicted gunshot wound to the head to stop Bob'

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
apache
« Reply #1 on: 25 April 2002, 03:11 »
It should have bound to both by default. Look at the "BindAddress" tag and the "Listen" tag in your httpd.conf file.
Someone please remove this account. Thanks...

Master of Reality

apache
« Reply #2 on: 26 April 2002, 02:15 »
Are there any special security issues I should know about when running a website on my server?

http://chatroom.fuckmicrosoft.com

voidmain

apache
« Reply #3 on: 26 April 2002, 05:59 »
Of course there are. People should have access to exactly what you want them to access and nothing more. Although a basic web site on a default Apache install is generally pretty safe, you might want to turn off things you aren't using and hide unnecessary information. For instance, by default information can be obtained from Apache headers: things like operating system and version, Apache version, PHP version (if installed), SSL version, etc. This information can be turned off, as knowing this information can be helpful to a hacker. PHP should be updated as there are vulnerabilities in the version you likely have (although they may not be easily exploited). You can also set directory permissions like not allowing directory listing (directory listing is turned off by default).

I don't want to make it sound like if you don't button up Apache on a default install that you will get hacked, because it's very likely that it won't, but you do need to be conscious of what security implications there are, especially if you are doing CGI programming or other server side generated content. I would suggest looking over Apache's web site and doing some Google searches on Apache+security etc.

Also, if you use MySQL or PostgreSQL on your web server you not only have to worry about security of the database with Apache but whether the database server itself is secure and is not listening on your outside interfaces for people to try to hack... Especially if you don't set an admin password, etc. The more services you associate with Apache the more complex your security becomes.

[ April 25, 2002: Message edited by: VoidMain ]

Someone please remove this account. Thanks...
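
Added example, not part of voidmain's post: a shell check for the header and directory-listing settings the reply above talks about. It assumes the Apache directives `ServerTokens`, `ServerSignature` and `Options Indexes` are the settings in question (the post names none of them); both sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag httpd.conf settings that leak
# version details or allow directory listings. Reads the config on stdin.

# Last value given for a single-valued directive, lowercased ($1 = name).
last_value() {
    printf '%s\n' "$conf" |
        awk -v d="$1" 'tolower($1) == d { v = tolower($2) } END { print v }'
}

audit_httpd_conf() {
    # Keep only active lines so commented-out directives are ignored.
    conf=$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d')

    case $(last_value servertokens) in
        prod|productonly) ;;
        '') echo "ServerTokens unset: default Full sends version, OS and modules" ;;
        *)  echo "ServerTokens is not Prod: Server header reveals version details" ;;
    esac
    case $(last_value serversignature) in
        on|email) echo "ServerSignature enabled: error pages show the version" ;;
    esac
    # Options lines that turn on Indexes, directly or through All.
    printf '%s\n' "$conf" | awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all") {
                    print "Directory listing allowed by: " $0
                    next
                }
            }
        }'
}

# Constructed sample configs: a loose one and a tightened one.
WEAK_CONF='ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>'

HARD_CONF='# ServerTokens Full
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options FollowSymLinks
</Directory>'

printf '%s\n' "$WEAK_CONF" | audit_httpd_conf   # three findings
printf '%s\n' "$HARD_CONF" | audit_httpd_conf   # no findings
```

Against a real server, feed it the live file, e.g. `audit_httpd_conf < /etc/httpd/conf/httpd.conf`; the PHP version header is controlled separately by `expose_php` in php.ini.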

Master of Reality

apache
« Reply #4 on: 8 May 2002, 00:51 »
Well.. I must have screwed something up somewhere (again). I set up Apache (a while ago), http://chatroom.fuckmicrosoft.com and now I can't get to the website from any computer other than the computers in my network. I get a 525 error, can't connect to remote host (I think that's what the 525 error is). Could it be that my local computers are just getting off the internal interface? I don't know how they would do that because they have to look up the DNS name to find out that chatroom.fuckmicrosoft.com is my IP address. Could squid be blocking people from getting to my webserver? I'm not running a transparent proxy. And squid and Apache are running on the same Red Hat 7.2 machine.

voidmain

apache
« Reply #5 on: 8 May 2002, 00:59 »
Do a "netstat -a | grep www" which if you have Apache running and bound to all interfaces should show a line like:

tcp 0 0 *:www *:* LISTEN

If it is just bound to one interface or the other the "*" in "*:www" will contain the interface address or hostname.

I can ping/traceroute to you but I get "no route to host" when I try to telnet to your port 80 which I'm guessing means your provider is dropping http traffic to you.  Maybe they don't want you putting up a web server.  It would explain why you can get to your outside interface from your inside machines as you would not be going through their routers to get there.

I have an idea. Why don't you try running your web server on a port other than 80.  Maybe they are only blocking 80. Try 8000 for instance, then restart your httpd service.  Test it with http://chatroom.fuckmicrosoft.com:8000

[ May 07, 2002: Message edited by: VoidMain ]


Master of Reality

apache
« Reply #6 on: 8 May 2002, 01:35 »

voidmain

apache
« Reply #7 on: 8 May 2002, 01:40 »
Nope, connection refused. Do you have anything in your ipchains rules that would be blocking 80 (or now 3000)? /sbin/ipchains -L

Master of Reality

apache
« Reply #8 on: 8 May 2002, 02:12 »
I looked at everything else and now I searched through the Apache error logs. I found out that Apache couldn't bind with port 80.
The error reads:
[date here is right after i restarted apache][crit] (98)Address already in use: make_sock: could not bind to port 80

What do you think would cause this?

voidmain

apache
« Reply #9 on: 8 May 2002, 03:03 »
Exactly what it says. You already have a process bound to port 80 so Apache can't start. When you stop Apache (/etc/rc.d/init.d/httpd stop) then do a "netstat -a | grep www" you should get nothing back. If you do, you have another process listening on port 80.

Master of Reality

apache
« Reply #10 on: 8 May 2002, 07:41 »
There is something listening on my "http" port, I don't know what it is though. I did "netstat -a | grep http", it didn't show anything either time I did "netstat -a | grep www", I also did just "netstat -a", I looked at all the connections and it shows something listening on my http port.

voidmain

apache
« Reply #11 on: 8 May 2002, 21:28 »
You should be able to do a "netstat -p" and get the PID of the process that has port 80 open. When you know the PID then do a "ps auxwww | grep <PID>" (replace <PID> with the actual PID number from the netstat output). This should answer that question.

[ May 08, 2002: Message edited by: VoidMain ]


Master of Reality

apache
« Reply #12 on: 9 May 2002, 03:31 »
netstat -p doesn't show the port numbers. It also doesn't show all the programs connected to the internet (it doesn't show squid).
I tried "netstat -p | grep www" and "netstat -p | grep http" (http and www are the same, aren't they?); neither of those showed any programs.
Apache still says that the port is already in use and I can't figure out why.
I definitely do not have any ipchains doing anything to that port.
I don't have any other programs running other than squid.

voidmain

apache
« Reply #13 on: 9 May 2002, 03:41 »
Yes, on the newer RedHat's it would show up as http and not www. If nothing shows up when you run that command (as root) then you definitely have a problem with httpd.conf. Did you change the config file at all? Comment out all the "Listen" and "Bind*" tags if you modified them and see if Apache will start. Understand that the logs are your friend. *error_log and /var/log/messages especially.
Someone please remove this account. Thanks...
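
Added example, not part of the thread: a shell version of the two checks from replies #11 and #13, finding which process holds the port and looking for `Listen` lines in httpd.conf that bind the same port twice. It assumes net-tools `netstat -tlnp` output (run as root so the PID column is filled in); the sample netstat output, the `exampled` program name and the config lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for
# "(98)Address already in use: make_sock: could not bind to port 80".

# listener_on PORT: reads `netstat -tlnp` output on stdin (-l listening
# sockets, -n numeric ports, -p owning process) and prints PID/Program.
listener_on() {
    awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { print $7 }'
}

# overlapping_listen: reads httpd.conf on stdin and prints each port that
# active Listen lines bind twice (same address again, or * plus an address).
overlapping_listen() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "listen" {
            n = split($2, part, ":")
            port = part[n]
            addr = (n == 1) ? "*" : substr($2, 1, length($2) - length(port) - 1)
            if (seen[port, addr]++ || (port in wild) || (addr == "*" && count[port]))
                bad[port] = 1
            if (addr == "*") wild[port] = 1
            count[port]++
        }
        END { for (p in bad) print p }'
}

# Constructed sample data, not output from the poster's machine.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:3128     0.0.0.0:*        LISTEN  812/squid
tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN  977/exampled
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  640/sshd'

CONF_SAMPLE='# Listen 3000
Listen 80
Listen 192.168.0.1:80
Listen 8000'

echo "port 80 held by: $(printf '%s\n' "$NETSTAT_SAMPLE" | listener_on 80)"
echo "overlapping Listen port: $(printf '%s\n' "$CONF_SAMPLE" | overlapping_listen)"
```

On a live box the same functions take real input: `netstat -tlnp | listener_on 80` and `overlapping_listen < /etc/httpd/conf/httpd.conf`.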

Master of Reality

apache
« Reply #14 on: 17 June 2002, 05:18 »