apache

Our Zen Cart installation has incorrect time zone. On the orders page, the orders are placed +5 hours from current date/time. This is very annoying problem as the server is showing correct time, and PHP is configured with correct time zone in /etc/php.ini file. Also, the correct time zone is set in the includes/application_top.php file.

For smaller scale DDoS attacks, Web Application Firewall (WAF) like Mod Security and Mod Evasive will mitigate DDoS attacks. For larger scale DDoS attacks, you may need to turn to professional DDoS mitigation service provider.

1. Install Mod Security Apache Module.

Apache is the most popular web server being used today. Apache Killer exploit which was released in August 2011, exploits a vulnerability in the Apache software by sending a crafted "Range" HTTP header. Apache Killer attack abuses the HTTP protocol by requesting URL content to be returned in a huge number of small chunks, which leads to hundreds of large memory fetches causing a server to run out of memory and crash. This vulnerability identified as CVE-2011-3192 was fixed in httpd-2.2.21.

There are a couple of reasons why you may want to run php with html extension. You may have a static website with highly ranked web pages, and would like to retain search engine indexing and ranking while converting the site to use server-side technology. Or, you may not want to reveal server-side technology to your website visitors for security reasons. While others may just prefer plain old html extensions over php extensions on their URLs. Regardless of your reasoning, using a server-side technology such as PHP with html extension is easy to setup.

Mass virtual hosting using mod_vhost_alias or mod_rewrite module simplifies pattern-based virtual hosting. However, there is a major problem if your virtual host application makes use of the DOCUMENT_ROOT environment variable. According to the Apache documentation, the mod_vhost_alias does NOT correctly sets the DOCUMENT_ROOT variable and hence pontentially break PHP web applications that makes use of this environment variable.

Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network connection to authenticate the other's identity and by encrypting the data exchanged between the applications. A server identity is verified by three components: Private Key, Digital Certificate and Trusted Certificate Authority.

htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users. Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd. This program can only manage usernames and passwords stored in a flat-file.

To restrict access to certain HTTP resources, we need to create two files: .htaccess and .htpasswd (or equivalent per httpd.conf setting). The .htaccess file looks something like:

-- [.htaccess] file content begins --

Platform setup:
Fedora Core 3
Apache 2.0.52-3
SELinux enabled.

Apache configuration is setup correctly with right permissions, we the server throws a 403 error.

The log entry in the /etc/httpd/logs/error_log:
"[error] [client xx.xx.xxx.xxx] (13)Permission denied: access to / denied"

The issue is well known but the fixes only apply to Fedora 3, such as :
"Use : chcon -R -t httpd_sys_content_t "

or

"deactive SELinux at the command line or GUI".

or

As described on URL Canonicalization article we published in March, having a unique URL ("canonicalization") for each webpage is important in improving your "Pagerank". Canonicalization is accomplished by redirecting non-standard webpages to a preferred ("standard") webpage.