The Apache Haus Forum

 71 
 on: March 06, 2018, 05:39:13 AM 
Started by ozzy13 - Last post by Gregg
After reading a few things about CSRF, it's not really Apache's job to protect. The reason mod_security can protect against C/XSRF is because it actually inspects the request for a great many things. It's more the browser's and web app's job to make sure these things are coming from the right origin. Nothing should ever depend on the Referrer for granting anything because the headers can be forged.

That said, I suggest you read OWASP's CSRF Prevention Cheat Sheet.

Also, there are Headers you can set to tell browsers how to behave when it comes to your server/site.
See https://securityheaders.io/. Run a scan on your site and, when you get your score, the bottom section of the page has links explaining the various headers. In the case of CSRF, XSS is not always required but quite often helps pull off the attack. There's a header for it: "X-XSS-Protection: 1; mode=block".

Another would be Referrer-Policy. It has a few options and the link for the explanation is also in that bottom section.


This is what I use on my server (which isn't this one).
Code: [Select]
# CSP: scripts/styles only from this site and its subdomains; images may also be data: URIs;
# frame-ancestors 'self' stops other origins from framing the site
Header set Content-Security-Policy "default-src 'self' mydomain.net *.mydomain.net; img-src 'self' data:; style-src 'self' mydomain.net *.mydomain.net; frame-ancestors 'self'"
# "always" applies the header to every response, error and redirect responses included
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Expect-CT "max-age=30; report-uri=\"https://www.mydomain.net/ct/report\""
Header always set X-Frame-Options SAMEORIGIN
# HSTS for 63072000 seconds (two years)
Header always set Strict-Transport-Security "max-age=63072000;"

I get an A+ grade at securityheaders.io.
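Apache can only add response headers; the token check that the OWASP cheat sheet describes has to live in the application. As an added illustration (not Gregg's code and not code from the OWASP page), this is the synchronizer-token pattern with an Origin/Referer check layered on purely as defense in depth, written in Python rather than the PHP this thread is about. A plain dict stands in for the request, and `Session`, `SITE_ORIGIN` (reusing the thread's placeholder domain) and the `X-CSRF-Token` header name are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.mydomain.net"     # assumed site origin (the thread's placeholder domain)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must never change state, so they need no token


class Session:
    """Stand-in for a server-side session (an assumption, not a real framework API)."""

    def __init__(self):
        self.csrf_token = None


def issue_token(session):
    """Synchronizer token pattern: an unguessable per-session token stored server-side,
    embedded in forms and echoed back on every state-changing request."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def token_is_valid(session, presented):
    """Constant-time comparison so response timing cannot leak the token byte by byte."""
    if not session.csrf_token or not presented:
        return False
    return hmac.compare_digest(session.csrf_token.encode(), presented.encode())


def source_is_same_site(headers):
    """Defense in depth, never the only gate: a browser sets Origin (or Referer) on a
    cross-site POST and the attacker's page cannot change it, but any non-browser
    client can send whatever value it likes. A request with neither header is
    rejected here (blocking is what the OWASP cheat sheet recommends)."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return "%s://%s" % (p.scheme, p.netloc) == SITE_ORIGIN


def csrf_protected(session, request):
    """request is a plain dict {"method": ..., "headers": {...}, "form": {...}};
    returns (allowed, reason). The token check is the real protection; the
    origin check only cuts off the obvious cross-site cases first."""
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"
    headers = request.get("headers", {})
    if not source_is_same_site(headers):
        return False, "origin/referer missing or cross-site"
    presented = headers.get("X-CSRF-Token") or request.get("form", {}).get("csrf_token")
    if not token_is_valid(session, presented):
        return False, "missing or wrong csrf token"
    return True, "ok"


def demo():
    """Constructed requests: a legitimate form post, a cross-site post that somehow
    carries the right token, and a post with a forged same-site Referer but a
    guessed token (the case the thread worries about)."""
    s = Session()
    tok = issue_token(s)
    cases = {
        "legit": {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
                  "form": {"csrf_token": tok}},
        "cross_site": {"method": "POST", "headers": {"Origin": "https://evil.example"},
                       "form": {"csrf_token": tok}},
        "forged_referer": {"method": "POST", "headers": {"Referer": SITE_ORIGIN + "/account"},
                           "form": {"csrf_token": "guess"}},
    }
    return {name: csrf_protected(s, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-15s %s (%s)" % (name, "ALLOW" if ok else "DENY", why))
```

The forged-Referer case is the point of the thread: the header check passes, and it is the token the attacker cannot obtain that denies the request. Per-request tokens are a stricter variant of the same pattern; the per-session token used here is the form OWASP accepts as the baseline.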

 72 
 on: March 05, 2018, 09:51:06 AM 
Started by ozzy13 - Last post by ozzy13
Hello Peeps!!

I have a query regarding a Referer header validation (CSRF) vulnerability. I want to know if this can be fixed in the Apache config without mod_security? I'm not keen on using mod_security due to its complexity.

TIA.

 73 
 on: February 28, 2018, 11:54:23 AM 
Started by AyrA - Last post by AyrA
This issue has been resolved by updating PHP to v7.2.


I've been stumped by this for some time now.

Responses sent with PHP occasionally stop working after approximately 5 MB has been sent. The exact amount is different each time you load a page. This only happens with content served by PHP and not static files. After being stuck for a while, the connection simply closes. I assume PHP hits the 30-second timeout and then exits.

The problem is inconsistent, though.

This 10 MB page works fine (mostly text, uses php output buffer): https://cable.ayra.ch/emoji/plain.php
The exact same page with gzip encoding fails with the symptoms stated above (php output buffer with gzip handler): https://cable.ayra.ch/emoji/index.php

I am using Apache 2.4.27 with PHP 7 via FastCGI on Windows 7 x64.

Is there some configuration I am missing? I am not sure if this is a problem with the interface between server and PHP or if it is a PHP issue. I found surprisingly little online about this.

 74 
 on: February 19, 2018, 04:18:24 PM 
Started by sychn - Last post by long76
I recommend checking the VHOST config for the SSL domains.

 75 
 on: February 15, 2018, 07:55:16 PM 
Started by sychn - Last post by Gregg
Well, with no log entries for this error from Apache's error log and no config or any info at all, I can't really help you much.

 76 
 on: February 15, 2018, 05:09:20 PM 
Started by sychn - Last post by sychn
Hi m8s,

I got a 500 Internal Server Error over https after enabling SSL, while there is no problem via http access.

The platform is Windows 2k8 r2 + Apache 2.4.29 + php 7.2.0.

Thanks in advance.

 77 
 on: February 08, 2018, 04:42:05 PM 
Started by casinobet77 - Last post by mario
Did you add the cert to php.ini?

openssl.cafile="c:\wamp\openssl\cacert.pem"

and

curl.cainfo="c:\wamp\openssl\cacert.pem"

Also make sure the curl extension is enabled in your php.ini.


If you still have a question, please ask again.

 78 
 on: February 08, 2018, 03:18:40 PM 
Started by casinobet77 - Last post by casinobet77
I'm working on Windows 10 with WAMP 3.0.6 (Apache 2.4.23, PHP 5.6.25) and when I try to run composer update it displays this error with OpenSSL:

Loading composer repositories with package information
The "https://packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
https://packagist.org could not be fully loaded, package information was loaded from the local cache and may be out of date
Updating dependencies (including require-dev)

I have already set the openssl.cafile variable in c:\wamp\bin\php\php5.6.25\php.ini and confirmed that this php.ini file is used by the CLI.
Output of php -r "var_dump(openssl_get_cert_locations());"

array(8) {
  ["default_cert_file"]=>
  string(25) "c:/usr/local/ssl/cert.pem"
  ["default_cert_file_env"]=>
  string(13) "SSL_CERT_FILE"
  ["default_cert_dir"]=>
  string(22) "c:/usr/local/ssl/certs"
  ["default_cert_dir_env"]=>
  string(12) "SSL_CERT_DIR"
  ["default_private_dir"]=>
  string(24) "c:/usr/local/ssl/private"
  ["default_default_cert_area"]=>
  string(16) "c:/usr/local/ssl"
  ["ini_cafile"]=>
  string(29) "c:/wamp/openssl/cacert.pem"
  ["ini_capath"]=>
  string(16) "c:/wamp/openssl/"
}
I downloaded the certificate file from http://curl.haxx.se/ca/cacert.pem and tried to place it in different locations:

c:/wamp/openssl/
c:/usr/local/ssl/certs
c:/usr/local/ssl/cert.pem


I tried even reinstalling composer, using composer-setup.exe from getcomposer.org but it ends with the same error.

I searched stackoverflow and googled for hours but none of the possible solutions has worked. What am I doing wrong?

 79 
 on: January 30, 2018, 03:23:52 PM 
Started by hyaa - Last post by mario
You can use any PHP Version as long as you use mod_fcgid ;)

 80 
 on: January 26, 2018, 01:54:27 PM 
Started by hyaa - Last post by long76
Hi,

I am using httpd-2.4.18-x64-vc11 and php-5.6.19-nts-Win32-VC11-x64 on 64-bit Windows. Upon adding a PHP handler it says "couldn't load php5apache2_4.dll : x1 is not a valid win32 application".

However, when I comment out those handlers, Apache starts perfectly fine. Can someone help me identify the correct dll file for the PHP/Apache integration in my case?

PHP versions < 7.0 work only on x86 Apache. If you want to use PHP 5.6 you need Apache x86 VC11 and PHP 5.6 VC11 TS (thread safe) for Windows. If you need x64 you must upgrade Apache to the latest x64 version and PHP to any 7.x version x64 TS (thread safe).
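"%1 is not a valid Win32 application" is what Windows reports when a module's architecture does not match the process loading it, and the thread's answer comes down to matching architecture, VC toolchain and thread safety between httpd and the PHP build. The script below is an added example (not from the thread, not an Apache Haus or PHP tool) that reads the PE/COFF header of two binaries and reports the mismatches the header can reveal. Architecture and linker version are readable; thread safety (TS vs NTS) is not, so that still has to be checked against the build name. Mapping the linker major to the VC label (VC11 builds link with 11.x, VC14 and VC15 both report 14.x) is an assumption about toolchains, not something the thread states. The sample images are constructed inline, just enough header to parse, so the demo runs without any Windows files.

```python
import struct

# IMAGE_FILE_MACHINE_* values from the PE/COFF spec
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
PE_FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_info(data):
    """Read architecture, PE format and linker version from a PE image's headers.
    data is the beginning of the file (the first 64 KB is plenty for real binaries)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                        # 20-byte COFF file header
    machine = struct.unpack_from("<H", data, coff)[0]
    opt = coff + 20                                            # optional header follows
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe_format": PE_FORMATS.get(magic, hex(magic)),
        "linker": "%d.%d" % (linker_major, linker_minor),
    }


def pe_info_from_file(path):
    """Real use: pass httpd.exe and the php*apache2_4.dll you are trying to load."""
    with open(path, "rb") as fh:
        return pe_info(fh.read(65536))


def compatible(httpd, module):
    """Return (ok, reason). Architecture must match exactly; the MSVC linker major
    is compared as a coarse stand-in for the VC11/VC14 build label (assumption:
    VC11 = 11.x, VC14 and VC15 both 14.x). Thread safety (TS vs NTS) is not in
    the header and must be checked against the build name."""
    if httpd["machine"] != module["machine"]:
        return False, "architecture mismatch: httpd is %s, module is %s" % (httpd["machine"], module["machine"])
    if httpd["linker"].split(".")[0] != module["linker"].split(".")[0]:
        return False, "linker major differs (%s vs %s): likely different VC runtimes" % (httpd["linker"], module["linker"])
    return True, "architecture and linker major match"


def make_pe(machine, magic, linker_major):
    """Constructed minimal PE header (not a runnable executable) for the demo:
    DOS header with e_lfanew, PE signature, COFF header, start of optional header."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB", magic, linker_major, 0) + b"\0" * 0x1C
    return dos + b"PE\0\0" + coff + opt


def demo():
    """The mismatch behind the loader error (x64 httpd, x86 module), a toolchain
    mismatch (VC11 httpd, VC14 PHP 7) and a matching pair, all on constructed headers."""
    httpd_x64_vc11 = pe_info(make_pe(0x8664, 0x20B, 11))
    php56_x86_vc11 = pe_info(make_pe(0x014C, 0x10B, 11))
    php7_x64_vc14 = pe_info(make_pe(0x8664, 0x20B, 14))
    httpd_x64_vc14 = pe_info(make_pe(0x8664, 0x20B, 14))
    return {
        "x64 httpd + x86 php5": compatible(httpd_x64_vc11, php56_x86_vc11),
        "vc11 httpd + vc14 php7": compatible(httpd_x64_vc11, php7_x64_vc14),
        "vc14 httpd + vc14 php7": compatible(httpd_x64_vc14, php7_x64_vc14),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # e.g. check_pe.py httpd.exe php7apache2_4.dll
        print(compatible(pe_info_from_file(sys.argv[1]), pe_info_from_file(sys.argv[2])))
    else:
        for label, (ok, why) in demo().items():
            print("%-24s %s: %s" % (label, "OK" if ok else "FAIL", why))
```

Run it with the two real paths to get a verdict before editing httpd.conf; with no arguments it prints the three constructed cases.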
