tomcat_httpsd.conf_virtual-hosting-Secure for Java + PHP
We can run Java and PHP based websites on the same server over SSL. Here are six websites, of which four are based on Java and two on PHP:
1. https://revenue.unixserveradmin.com – Java
2. https://mis.unixserveradmin.com – Java
3. https://sms.unixserveradmin.com – Java
4. https://sla.unixserveradmin.com – Java
5. https://noc.unixserveradmin.com – PHP
6. https://online.unixserveradmin.com – PHP
# vim /etc/httpd/conf/httpd.conf
Line No. 201 to 212
#############################################################
LoadModule jk_module modules/mod_jk.so
JkWorkersFile /etc/httpd/conf/worker.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"
JkEnvVar SSL_CLIENT_V_START
JkMount /revenue* tomcat1
JkMount /mis* tomcat2
JkMount /sms* tomcat3
JkMount /sla* tomcat4
#############################################################
For Java Hosting
#############################################################
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin info@unixserveradmin.com
ServerName revenue.unixserveradmin.com
ServerAlias www.revenue.unixserveradmin.com
RewriteEngine On
RewriteLog logs/apache-mod_rewrite
RewriteRule ^/(.*)$ /revenue/$1 [L,PT]
JkMount /* tomcat1
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
</VirtualHost>
<VirtualHost *:443>
ServerAdmin info@unixserveradmin.com
ServerName mis.unixserveradmin.com
ServerAlias www.mis.unixserveradmin.com
RewriteEngine On
RewriteLog logs/apache-mod_rewrite
RewriteRule ^/(.*)$ /mis/$1 [L,PT]
JkMount /* tomcat2
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
</VirtualHost>
<VirtualHost *:443>
ServerAdmin info@unixserveradmin.com
ServerName sms.unixserveradmin.com
ServerAlias www.sms.unixserveradmin.com
RewriteEngine On
RewriteLog logs/apache-mod_rewrite
RewriteRule ^/(.*)$ /sms/$1 [L,PT]
JkMount /* tomcat3
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
</VirtualHost>
<VirtualHost *:443>
ServerAdmin info@unixserveradmin.com
ServerName sla.unixserveradmin.com
ServerAlias www.sla.unixserveradmin.com
RewriteEngine On
RewriteLog logs/apache-mod_rewrite
RewriteRule ^/(.*)$ /sla/$1 [L,PT]
JkMount /* tomcat4
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
</VirtualHost>
#############################################################
For PHP Hosting
#############################################################
<VirtualHost *:443>
ServerAdmin info@unixserveradmin.com
DocumentRoot /var/www/html/noc/
ServerName noc.unixserveradmin.com
ServerAlias www.noc.unixserveradmin.com
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
</VirtualHost>
<VirtualHost *:443>
ServerAdmin info@unixserveradmin.com
DocumentRoot /var/www/html/online/
ServerName online.unixserveradmin.com
ServerAlias www.online.unixserveradmin.com
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
</VirtualHost>
#############################################################
tomcat_httpd.conf_virtual-hosting for Java + PHP
We can run Java and PHP based websites on the same server. Here are six websites, of which four are based on Java and two on PHP:
1. http://revenue.unixserveradmin.com – Java
2. http://mis.unixserveradmin.com – Java
3. http://sms.unixserveradmin.com – Java
4. http://sla.unixserveradmin.com – Java
5. http://noc.unixserveradmin.com – PHP
6. http://online.unixserveradmin.com – PHP
# vim /etc/httpd/conf/httpd.conf
Line No. 201 to 212
#############################################################
LoadModule jk_module modules/mod_jk.so
JkWorkersFile /etc/httpd/conf/worker.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"
JkEnvVar SSL_CLIENT_V_START
JkMount /revenue* tomcat1
JkMount /mis* tomcat2
JkMount /sms* tomcat3
JkMount /sla* tomcat4
#############################################################
For Java Hosting
#############################################################
Listen 80
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin info@unixserveradmin.com
ServerName revenue.unixserveradmin.com
ServerAlias www.revenue.unixserveradmin.com
RewriteEngine On
RewriteLog logs/apache-mod_rewrite
RewriteRule ^/(.*)$ /revenue/$1 [L,PT]
JkMount /* tomcat1
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin info@unixserveradmin.com
ServerName mis.unixserveradmin.com
ServerAlias www.mis.unixserveradmin.com
RewriteEngine On
RewriteLog logs/apache-mod_rewrite
RewriteRule ^/(.*)$ /mis/$1 [L,PT]
JkMount /* tomcat2
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin info@unixserveradmin.com
ServerName sms.unixserveradmin.com
ServerAlias www.sms.unixserveradmin.com
RewriteEngine On
RewriteLog logs/apache-mod_rewrite
RewriteRule ^/(.*)$ /sms/$1 [L,PT]
JkMount /* tomcat3
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin info@unixserveradmin.com
ServerName sla.unixserveradmin.com
ServerAlias www.sla.unixserveradmin.com
RewriteEngine On
RewriteLog logs/apache-mod_rewrite
RewriteRule ^/(.*)$ /sla/$1 [L,PT]
JkMount /* tomcat4
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
#############################################################
For PHP Hosting
#############################################################
<VirtualHost *:80>
ServerAdmin info@unixserveradmin.com
DocumentRoot /var/www/html/noc/
ServerName noc.unixserveradmin.com
ServerAlias www.noc.unixserveradmin.com
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin info@unixserveradmin.com
DocumentRoot /var/www/html/online/
ServerName online.unixserveradmin.com
ServerAlias www.online.unixserveradmin.com
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
#############################################################
worker.properties_virtual-hosting
##############################################################
# workers to contact, that's what you have in your httpd.conf
# here are four different Tomcat servers, running on different ports
# tomcat1 for revenue portal
# tomcat2 for mis portal
# tomcat3 for sms portal
# tomcat4 for sla portal
##############################################################
worker.list=tomcat1,tomcat2,tomcat3,tomcat4
# setup tomcat1
worker.tomcat1.port=8009
worker.tomcat1.host=localhost
worker.tomcat1.type=ajp13
# setup tomcat2
worker.tomcat2.port=8109
worker.tomcat2.host=localhost
worker.tomcat2.type=ajp13
# setup tomcat3
worker.tomcat3.port=8209
worker.tomcat3.host=localhost
worker.tomcat3.type=ajp13
# setup tomcat4
worker.tomcat4.port=8309
worker.tomcat4.host=localhost
worker.tomcat4.type=ajp13
##############################################################
# worker.list –> Describe the workers that are available to Apache via a list
# ajp13 –> This type of worker represents a running Tomcat instance
How to Enable Secure SSL Protocol
A man-in-the-middle attacker can force the communication down to a less secure protocol level and then attempt to break the weak encryption; the attacker can also truncate encrypted messages. This is possible because servers sometimes still accept the SSLv2 protocol with low-strength ciphers. There are known flaws in the SSLv2 protocol, which were fixed in SSLv3 (and TLSv1). SSLv2 should be disabled and MEDIUM or HIGH strength ciphers must be used. SSLv3 should be used instead of SSLv2.
# vim /etc/httpd/conf.d/ssl.conf
Remove or comment out the following lines:
Line No. 93 :- SSLProtocol all -SSLv2
Line No. 98 :- SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
Add the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
# /etc/init.d/httpd restart
# chkconfig httpd on
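As an added example (not from the original page), here is a small Python auditor for the two directives above. It evaluates SSLProtocol with mod_ssl's own +/- token semantics for the protocol names httpd 2.2 knows, and checks lexically that the SSLCipherSuite string negates the aliases the page lists; it also flags SSLv3, which has been deprecated since this note was written (RFC 7568). The three sample directive pairs are constructed from the page's lines.

```python
# Protocol names known to httpd 2.2.  In 2.2 the keyword "all" includes SSLv2;
# later builds add TLSv1.1 and TLSv1.2, which can simply be added to this set.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
CANON = {p.lower(): p for p in ALL_PROTOCOLS}
# SSLv2 is the page's concern; SSLv3 has since been deprecated (RFC 7568).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-string aliases a hardened suite should negate with '!'.
# EXP and EXPORT are two spellings of the same alias.
REQUIRED_EXCLUSIONS = {"aNULL": {"aNULL"}, "eNULL": {"eNULL"},
                       "LOW": {"LOW"}, "EXP": {"EXP", "EXPORT"}}


def enabled_protocols(args):
    """Evaluate the argument list of SSLProtocol as mod_ssl does: a token
    without a sign replaces the set, '+' adds to it, '-' removes from it."""
    enabled = set()
    for token in args.split():
        sign = ""
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        name = token.lower()
        if name == "all":
            protos = set(ALL_PROTOCOLS)
        elif name in CANON:
            protos = {CANON[name]}
        else:
            raise ValueError(f"unknown protocol token: {token}")
        if sign == "-":
            enabled -= protos
        elif sign == "+":
            enabled |= protos
        else:
            enabled = protos
    return enabled


def cipher_findings(spec):
    """Lexical check of an SSLCipherSuite string.  OpenSSL matches alias names
    exactly (strncmp, case-sensitive), so a misspelling such as !aNull is
    silently ignored; the check therefore compares the spelling as written."""
    excluded = {p[1:] for p in spec.split(":") if p.startswith("!")}
    return [f"cipher suite does not exclude {label} (add !{label})"
            for label, spellings in REQUIRED_EXCLUSIONS.items()
            if not (spellings & excluded)]


def audit(protocol_args, cipher_spec):
    """Combine both checks; an empty list means nothing to report."""
    weak = sorted(enabled_protocols(protocol_args) & WEAK_PROTOCOLS)
    return [f"{p} is enabled" for p in weak] + cipher_findings(cipher_spec)


# Constructed samples: the stock ssl.conf lines the page removes, the lines the
# page adds, and a TLS-only variant of the page's configuration.
STOCK = ("all -SSLv2", "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW")
PAGE = ("-ALL +SSLv3 +TLSv1", "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM")
TLS_ONLY = ("-ALL +TLSv1", PAGE[1])

if __name__ == "__main__":
    for label, (proto, ciphers) in (("stock", STOCK), ("page", PAGE), ("tls-only", TLS_ONLY)):
        print(label, audit(proto, ciphers) or "OK")
```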
Service httpd status: httpd dead but subsys locked, but pid exists
I have an Apache server acting as a reverse proxy for several websites (which you should see is up and running). However, when I check the status of the Apache service, I get this:
# service httpd status
httpd dead but subsys locked
================== Method-1 ==================
So I lookup the locked PIDs of apache and get:
# ipcs -s | grep apache
0x00000000 98306 apache 600 1
0x00000000 131075 apache 600 1
0x00000000 163844 apache 600 1
So I delete these resources:
# ipcs -s | grep apache | perl -e 'while (<STDIN>) { @a=split(/\s+/);print `ipcrm sem $a[1]`}'
resource(s) deleted
resource(s) deleted
resource(s) deleted
and I delete the lock from the subsys folder:
# cd /var/lock/subsys
# rm httpd
and start apache:
# service httpd restart
Starting httpd: [ OK ]
================== Method-2 ==================
If the above does not fix it, try the following:
comment out the following module in your httpd.conf and restart Apache
# vim /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
# /etc/init.d/httpd restart
How to rotate apache logs
# Put these entries in a file under /etc/logrotate.d/ and take the same files out of
# the stock /etc/logrotate.d/httpd entry, because logrotate rejects duplicate log entries.
# The live files carry no suffix, so the patterns must not end in ".*" (that would
# match only already-rotated files). With copytruncate the original file stays in
# place, so the "create" lines below have no effect.
/var/log/httpd/access_log {
    compress
    copytruncate
    create 644 root root
    rotate 30
    size 100K
}
/var/log/httpd/dummy-host.example.com-access_log {
    compress
    copytruncate
    create 644 root root
    rotate 30
    size 10M
}
/var/log/httpd/dummy-host.example.com-error_log {
    compress
    copytruncate
    create 644 root root
    rotate 30
    size 100K
}
/var/log/httpd/error_log {
    compress
    copytruncate
    create 644 root root
    rotate 30
    size 5K
}
/var/log/httpd/mod_jk.log {
    compress
    copytruncate
    create 644 root root
    rotate 30
    size 5M
}
/var/log/httpd/ssl_access_log {
    compress
    copytruncate
    create 644 root root
    rotate 30
    size 10K
}
/var/log/httpd/ssl_error_log {
    compress
    copytruncate
    create 644 root root
    rotate 30
    size 10K
}
/var/log/httpd/ssl_request_log {
    compress
    copytruncate
    create 644 root root
    rotate 30
    size 10K
}
daily :- rotates the log daily (the entries above rotate on size instead)
rotate 7 :- keeps at most 7 rotated log files
compress :- compresses the rotated files
size 10M :- rotates when the log grows bigger than 10M
copytruncate :- Truncate the original log file in place after creating a copy, instead of moving the old log file and optionally creating a new one. It can be used when a program cannot be told to close its log file and would otherwise continue writing (appending) to the previous log file forever. Note that there is a very small time slice between copying the file and truncating it, so some logging data might be lost. When this option is used, the create option has no effect, as the old log file stays in place.
How to enable gzip (web Page) compression in Apache
First, make sure your server supports compression; for that it needs the mod_deflate module:
# cat httpd.conf | grep deflate
You should see this:
LoadModule deflate_module modules/mod_deflate.so
If it is commented out, uncomment it and add the following lines:
# vim /etc/httpd/conf/httpd.conf
#################################################
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
# You can't compress what is already compressed
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
# Make proxies work as they should.
<IfModule mod_headers.c>
Header append Vary User-Agent
</IfModule>
</IfModule>
#BrowserMatch ^Mozilla/4 gzip-only-text/html
#BrowserMatch ^Mozilla/4\.0[678] no-gzip
#BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
#################################################
How to run PHP 4 and PHP 5 on the same cPanel server
Here is the process to install and run PHP 4 and PHP 5 on the same server. Users will be allowed to choose which version to use for their scripts.
Although I personally don't recommend this, as it has many performance implications, it's something that small web hosts use so that they don't have to have different servers for different PHP versions.
1. Compiler check
# /scripts/checkccompiler
# rm -rvf /home/cpphpbuild
# mkdir /home/cpphpbuild
# cd /home/cpphpbuild
2. Download and extract php
# wget http://us2.php.net/downloads.php
# tar -xzf php-5.2.4.tar.gz
# cd php-5.2.4
3. Configure and build the php installation (credits go to elix for an excellent work)
# echo "#define HAVE_SENDMAIL 1" >> /home/cpphpbuild/php-5.2.4/main/php_config.h
# wget http://www.elix.us/tutorials/php5.gen.cpanel
# chmod 700 php5.gen.cpanel
# ./php5.gen.cpanel
# make
# make install
4. Moving the files and finishing the configuration
# cp -f /usr/local/php5/bin/php5 /usr/local/cpanel/cgi-sys/php5
# chown root:wheel /usr/local/cpanel/cgi-sys/php5
# cp -p /home/cpphpbuild/php-5.2.4/php.ini-recommended /usr/local/php5/lib/php.ini
# chown root.root /usr/local/php5/lib/php.ini
# chmod 644 /usr/local/php5/lib/php.ini
# echo "cgi.fix_pathinfo = 1 ; needed for CGI/FastCGI mode" >> /usr/local/php5/lib/php.ini
5. Now we have to add a few lines to the httpd.conf file
# vim /usr/local/apache/conf/httpd.conf
6. In the DirectoryIndex section, add "index.php5" before index.php4, and add the following after "AddType application/x-httpd-php .phtml":
—————————————————————————
Action application/x-httpd-php5 "/cgi-sys/php5"
AddHandler application/x-httpd-php5 .php5
—————————————————————————
7. Test the installation
# service httpd configtest
8. If you get any errors, check that you have done all the steps properly. If everything is OK, you can now restart Apache.
# service httpd restart
How to monitor specific process (ie apache) using Top Command
# top -p `pidof httpd | awk '{gsub(/[ ]/,",");print}'`
index.jsp for tomcat cluster with HA
<%@ page language="java" %>
<HTML>
<HEAD>
<TITLE>Login using jsp</TITLE>
</HEAD>
<BODY>
<h1><font color="red">Index Page by Tomcat-2 Node-2</font></h1>
<h2><font color="blue">This is test page of Tomcat-2 of NODE-2</font></h2>
<table align="center" border="1">
<tr>
<td>Session ID –> </td>
<td><%= session.getId() %></td>
</tr>
<tr>
<td>Created on –> </td>
<td><%= session.getCreationTime() %></td>
</tr>
</table>
</BODY>
</HTML>
worker.properties_cluster
##############################################################
# workers to contact, that’s what you have in your httpd.conf
worker.list=loadbalancer
# setup tomcat1
worker.tomcat1.port=8109
worker.tomcat1.host=localhost
worker.tomcat1.type=ajp13
worker.tomcat1.lbfactor=1
# setup tomcat2
worker.tomcat2.port=8209
worker.tomcat2.host=localhost
worker.tomcat2.type=ajp13
worker.tomcat2.lbfactor=1
# setup tomcat3
worker.tomcat3.port=8309
worker.tomcat3.host=localhost
worker.tomcat3.type=ajp13
worker.tomcat3.lbfactor=1
# setup the load-balancer
worker.loadbalancer.type=lb
# method is one of R (Request), S (Session), T (Traffic) or B (Busyness); see below
worker.loadbalancer.method=R
worker.loadbalancer.balance_workers=tomcat1,tomcat2,tomcat3
worker.loadbalancer.sticky_session=True
#worker.loadbalancer.sticky_session_force=True
# Status worker for managing load balancer
worker.status.type=status
##################################################################
worker.list –> Describe the workers that are available to Apache via a list
ajp13 –> This type of worker represents a running Tomcat instance
lb –> used for load balancing
status –> display useful information about how the load among the various Tomcat workers is distributed
Sticky sessions are an important feature if you rely on JSESSIONIDs and are not using any session-replication layer. If sticky_session is True, a request is always routed back to the node which assigned its JSESSIONID.
If that host gets disconnected, crashes or otherwise becomes unreachable, the request is forwarded to another host in the cluster.
R :- Request –> If method is set to Request, the balancer uses the number of requests to find the best worker. Accesses are distributed according to the lbfactor in a sliding time window. This is the default value and should work well for most applications.
S :- Session –> If method is set to Session, the balancer uses the number of sessions to find the best worker. Accesses are distributed according to the lbfactor in a sliding time window. Because the balancer does not keep any state, it does not actually know the number of sessions; instead it counts each request without a session cookie or URL encoding as a new session. This method neither knows when a session is being invalidated, nor corrects its load numbers according to session timeouts or worker failover. It should be used if sessions are your limiting resource, e.g. when you only have limited memory and your sessions need a lot of memory.
T :- Traffic –> If set to Traffic, the balancer uses the network traffic between JK and Tomcat to find the best worker. Accesses are distributed according to the lbfactor in a sliding time window. This method should be used if the network to and from the backends is your limiting resource.
B :- Busyness –> If set to Busyness, the balancer picks the worker with the lowest current load, based on how many requests the worker is currently serving. This number is divided by the worker's lbfactor, and the lowest value (least busy) worker is picked. This method is especially interesting if your requests take a long time to process, as for a download application.
##############################################################
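As an added example serving both this cluster worker.properties and the virtual-hosting one earlier on the page (the code is not part of the original page or of mod_jk), the following Python checker parses worker.properties together with the JkMount directives from httpd.conf and reports workers that are listed but undefined, lb members that are not ajp13 workers, unrecognised lb methods, and mounts that point at workers missing from worker.list. The samples are constructed from the page's snippets.

```python
import re

# Valid values for worker.<lb>.method: the full names or their first letter.
# mod_jk itself looks only at the first letter, so the page's placeholder
# "R/S/T/B" is silently read as Request; this checker is stricter.
LB_METHODS = {"request", "session", "traffic", "busyness", "r", "s", "t", "b"}


def parse_workers(text):
    """Parse worker.properties into {"list": [names], "workers": {name: {prop: value}}}."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        props[key] = val
    workers = {}
    for key, val in props.items():
        m = re.match(r"^worker\.([^.]+)\.(.+)$", key)
        if m:
            workers.setdefault(m.group(1), {})[m.group(2)] = val
    names = [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]
    return {"list": names, "workers": workers}


def parse_jkmounts(text):
    """Return (uri_pattern, worker) for every active JkMount line; httpd
    directive names are case-insensitive, so 'Jkmount' counts too."""
    mounts = []
    for raw in text.splitlines():
        m = re.match(r"^\s*jkmount\s+(\S+)\s+(\S+)", raw, re.IGNORECASE)
        if m:
            mounts.append((m.group(1), m.group(2)))
    return mounts


def check(workers_text, httpd_text):
    """Return a list of problems; an empty list means the two files agree."""
    cfg = parse_workers(workers_text)
    defined = cfg["workers"]
    problems = []
    for name in cfg["list"]:
        w = defined.get(name, {})
        if "type" not in w:
            problems.append(f"worker.list names '{name}' but worker.{name}.type is not defined")
            continue
        if w["type"] == "ajp13":
            for prop in ("host", "port"):
                if prop not in w:
                    problems.append(f"ajp13 worker '{name}' lacks worker.{name}.{prop}")
        elif w["type"] == "lb":
            members = [b.strip() for b in w.get("balance_workers", "").split(",") if b.strip()]
            if not members:
                problems.append(f"lb worker '{name}' has no balance_workers")
            for member in members:
                if defined.get(member, {}).get("type") != "ajp13":
                    problems.append(f"lb worker '{name}' balances over '{member}', "
                                    f"which is not a defined ajp13 worker")
            method = w.get("method", "Request")
            if method.lower() not in LB_METHODS:
                problems.append(f"lb worker '{name}' has unrecognised method '{method}'")
    for uri, target in parse_jkmounts(httpd_text):
        if target not in cfg["list"]:
            problems.append(f"JkMount {uri} targets '{target}', which is not in worker.list")
    return problems


# Constructed samples based on the page's snippets.  The cluster sample keeps the
# page's "R/S/T/B" placeholder and leaves tomcat3 undefined to exercise the checks.
CLUSTER_WORKERS = """
worker.list=loadbalancer
worker.tomcat1.port=8109
worker.tomcat1.host=localhost
worker.tomcat1.type=ajp13
worker.tomcat2.port=8209
worker.tomcat2.host=localhost
worker.tomcat2.type=ajp13
worker.loadbalancer.type=lb
worker.loadbalancer.method=R/S/T/B
worker.loadbalancer.balance_workers=tomcat1,tomcat2,tomcat3
worker.loadbalancer.sticky_session=True
"""
CLUSTER_HTTPD = "Jkmount /* loadbalancer\n# JkMount /examples/*.jsp worker1\n"

VHOST_WORKERS = """
worker.list=tomcat1, tomcat2
worker.tomcat1.port=8009
worker.tomcat1.host=localhost
worker.tomcat1.type=ajp13
worker.tomcat2.port=8109
worker.tomcat2.host=localhost
worker.tomcat2.type=ajp13
"""
VHOST_HTTPD = "JkMount /revenue* tomcat1\nJkMount /mis* tomcat2\nJkMount /* tomcat3\n"

if __name__ == "__main__":
    for label, w, h in (("cluster", CLUSTER_WORKERS, CLUSTER_HTTPD),
                        ("vhost", VHOST_WORKERS, VHOST_HTTPD)):
        print(label, check(w, h) or "OK")
```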
tomcat_ssl.conf_cluster
# vim /etc/httpd/conf.d/ssl.conf
Line No. 83 to 93
##################################################################
# LoadModule jk_module modules/mod_jk.so
# JkWorkersFile /etc/httpd/conf/worker.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"
JkEnvVar SSL_CLIENT_V_START
JkMount /* loadbalancer
# JkMount /examples/*.jsp worker1
##################################################################
tomcat_httpd.conf_cluster
# vim /etc/httpd/conf/httpd.conf
Line No. 201 to 212
##################################################################
LoadModule jk_module modules/mod_jk.so
JkWorkersFile /etc/httpd/conf/worker.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"
JkEnvVar SSL_CLIENT_V_START
JkMount /* loadbalancer
# JkMount /examples/*.jsp worker1
##################################################################
How to install and configure LVS to allow Load Balancing between Clusters/Nodes
The Linux Virtual Server Project (LVS) allows load balancing of networked services such as web and mail servers using Layer 4 switching. It is extremely fast and allows such services to be scaled to tens or hundreds of thousands of simultaneous connections. Now configure ipvsadm on both nodes:
node-1 :- 192.168.3.201 :- node-1.unixserveradmin.com
node-2 :- 192.168.3.202 :- node-2.unixserveradmin.com
Virtual IP (VIP) :- 192.168.3.135
on node-1
# yum install ipvsadm
# ipvsadm-save
# ipvsadm-restore
# ipvsadm -C (Flush)
# ipvsadm-save > ipvsadm_rules.txt
# ipvsadm-restore < ipvsadm_rules.txt
# ipvsadm -A -t 192.168.3.135:80 -s rr (-s rr selects the round-robin scheduler; without -s, ipvsadm uses its default, wlc)
# ipvsadm -a -t 192.168.3.135:80 -r 192.168.3.201:80 -m
# ipvsadm -a -t 192.168.3.135:80 -r 192.168.3.202:80 -m
# /etc/init.d/ipvsadm start
# service ipvsadm save
# chkconfig ipvsadm on
# tcpdump -n -i any port 80 (for testing)
# ipvsadm -L -n (To show the number of active connections)
-A, --add-service
-L, -l, --list
-t, --tcp-service service-address
-s, --scheduler scheduling-method
-w, --weight weight
--stats
Output of statistics information. The list command with this option will display the statistics information of services and their servers.
--rate
Output of rate information. The list command with this option will display the rate information (such as connections/second, bytes/second and packets/second) of services and their servers.
Scheduling Method :-
1. RR :- Round-Robin, distributes jobs equally (rr)
2. WRR :- Weighted Round Robin
3. LC :- Least Connection
4. WLC :- Weighted Least Connection
5. LBLC :- Locality-Based Least Connection
6. LBLCR :- Locality-Based Least Connection with Replication
7. DH :- Destination Hashing, uses a statically assigned hash table
8. SH :- Source Hashing, uses a statically assigned hash table
9. SED :- Shortest Expected Delay
10. NQ :- Never Queue
Heartbeat Configuration File Options
——————————————————————————————————————————-
logfacility local0 –> Facility to use for syslog()/logger
——————————————————————————————————————————-
keepalive 2 –> how long between heartbeats
A note on specifying "how long" times below: the default time unit is seconds, so 10 means ten seconds. You can also specify them in milliseconds; 1500ms means 1.5 seconds.
——————————————————————————————————————————-
deadtime 30 –> how long-to-declare-host-dead?
If you set this too low you will get the problematic split-brain (or cluster partition) problem.
——————————————————————————————————————————-
warntime 10 –> how long before issuing “late heartbeat” warning?
——————————————————————————————————————————-
initdead 120 –> Very first dead time (initdead)
On some machines/OSes, etc. the network takes a while to come up and start working right after you’ve been rebooted. As a result we have a separate dead time for when things first come up. It should be at least twice the normal dead time.
——————————————————————————————————————————-
udpport 694 –> What UDP port to use for bcast/ucast communication?
——————————————————————————————————————————-
bcast eth0 –> What interfaces to broadcast heartbeats over?
——————————————————————————————————————————-
auto_failback on
on –> enable automatic failbacks
off –> disable automatic failbacks
legacy –> enable automatic failbacks in systems where all nodes do not yet support the auto_failback option.
——————————————————————————————————————————-
node –> Tell what machines are in the cluster
——————————————————————————————————————————-
How to install and configure a Failover "OR" High Availability (HA) cluster with Heartbeat for Apache
Heartbeat is high-availability cluster software for the Linux platform. Here are the steps to install and configure Heartbeat on RHEL/CentOS and configure a web server using Apache.
Heartbeat version: heartbeat-3.0
===========================================
Requirements :-
2 linux nodes, RHEL 5.x/CentOS 5.x
LAN & Internet connection.
A yum server.
Node-1: 192.168.3.201
Node-2: 192.168.3.202
Virtual IP Address (VIP) :- 192.168.3.135
===========================================
1. Set the fully qualified hostnames and give corresponding entries in /etc/hosts and /etc/sysconfig/network
node-1 :- 192.168.3.201 :- node-1.unixserveradmin.com
node-2 :- 192.168.3.202 :- node-2.unixserveradmin.com
2. Configuring Apache on both node
# yum install httpd mod_ssl
On node1
# vim /var/www/html/index.html
This is test page of node 1 of Heartbeat HA cluster
On node2
# vim /var/www/html/index.html
This is test page of node 2 of Heartbeat HA cluster
On both nodes:
# vim /etc/httpd/conf/httpd.conf
Listen 192.168.3.135:80
3. Now start the service in both nodes.
# /etc/init.d/httpd restart
# chkconfig httpd on
Note:- It won’t work until heartbeat is started. So don’t worry
4. Confirm them from a browser.
5. Install the following packages on both nodes:
(These packages are not strictly necessary, but you can install them.)
# yum install glibc*
# yum install gcc*
# yum install lib*
# yum install flex*
# yum install net-snmp*
# yum install OpenIPMI*
# yum install python-devel
# yum install perl*
# yum install openhpi*
6. Save the repo file for the clusterlabs online repository on both nodes. It is available at http://www.clusterlabs.org/rpm/epel-5/clusterlabs.repo
# cd /etc/yum.repos.d/
# wget http://www.clusterlabs.org/rpm/epel-5/clusterlabs.repo
It is as follows:
————————————————————–
[clusterlabs]
name=High Availability/Clustering server technologies (epel-5)
baseurl=http://www.clusterlabs.org/rpm/epel-5
type=rpm-md
gpgcheck=0
enabled=1
————————————————————–
7. After that install heartbeat packages on both nodes:
# yum install cluster-glue* heartbeat* resource-agents*
8. Setting Configuration files:
We can do all the configuration on one system and copy /etc/ha.d to both nodes.
# cd /etc/ha.d
# cat README.config
9. The details about the configuration files are explained in this file. We have to copy three configuration files to this directory from the samples in the documentation.
# cp /usr/share/doc/heartbeat-3.0.3/authkeys /etc/ha.d/
# cp /usr/share/doc/heartbeat-3.0.3/ha.cf /etc/ha.d/
# cp /usr/share/doc/heartbeat-3.0.3/haresources /etc/ha.d/
10. We have to edit the authkeys file on both nodes:
We are using the sha1 algorithm:
# vim /etc/ha.d/authkeys
—————
auth 2
#1 crc
2 sha1 test-ha
#3 md5 Hello!
—————
11. Change the permissions of authkeys to 600 on both nodes:
# chmod 600 authkeys
12. We have to edit the ha.cf file on both nodes:
# vim /etc/ha.d/ha.cf
Uncomment the following lines and edit them as shown:
—————————————–
logfile /var/log/ha-log
logfacility local0
keepalive 1
deadtime 15
warntime 10
initdead 120
udpport 694
bcast eth0
auto_failback on
node node-1.unixserveradmin.com # on both nodes the command "uname -n" should give these hostnames
node node-2.unixserveradmin.com
—————————————–
13. We have to edit the haresources file on both nodes separately:
on node-1 :-
# vim /etc/ha.d/haresources
node-1.unixserveradmin.com 192.168.3.135 httpd
on node-2 :-
# vim /etc/ha.d/haresources
node-2.unixserveradmin.com 192.168.3.135 httpd
Note:- You don't have to create an interface with this IP or make an IP alias. Heartbeat will take care of it automatically.
14. Now exchange and save authorized keys between node-1 and node-2:
node-1# ssh-keygen -t rsa
node-1# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.3.202
node-2# ssh-keygen -t rsa
node-2# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.3.201
15. Start Heartbeat service on both nodes:
# /etc/init.d/heartbeat start
# chkconfig heartbeat on
How to configure Apache to listen on multiple ports
By default Apache listens on TCP port 80, but I'd like an Apache web server to listen on both port 80 and port 8080. The following article explains how to configure Apache to listen on multiple ports under CentOS Linux.
To configure Apache to listen on multiple ports, log in as root, open the configuration file /etc/httpd/conf/httpd.conf and modify the Listen directive, which tells the server to accept incoming requests on the specified port.
# vi /etc/httpd/conf/httpd.conf
Find line that read as follows:
Listen 80
Force Apache server to listen on both port 80 and 8080:
Listen 80
Listen 8080
And find the VirtualHost portion for your website config and add *:8080 as shown below:
<VirtualHost *:80 *:8080>
…
</VirtualHost>
Save and close the file. Restart apache server:
# service httpd restart
How to block or allow IPs using .htaccess
Suppose you have a site example.com, and in the document root directory of example.com you have a directory "admin" to which you want to restrict access, while still allowing clients from some IPs.
You can do this by creating a .htaccess file under the "admin" directory.
# vim .htaccess (the file can look like this)
===================
Order Deny,Allow
Deny from all
Allow from IP_address1
Allow from IP_address2
Allow from IP_address3
Allow from IP_address4
Allow from IP_address5
===================
example.com/admin/ will only be accessible to IP_address1-5
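As an added example (not part of the original page), the following Python code evaluates the Order/Deny/Allow logic the way mod_authz_host in httpd 2.2 does, with documentation addresses standing in for IP_address1-5; it also shows why the same rules under Order Allow,Deny lock everyone out.

```python
import ipaddress


def _matches(rule, client_ip):
    """Does one 'Allow from'/'Deny from' argument match the client address?
    Supports: all, a full IPv4 address, a partial dotted prefix such as
    192.168.3, CIDR (a.b.c.d/n) and address/netmask forms."""
    ip = ipaddress.ip_address(client_ip)
    rule = rule.strip()
    if rule.lower() == "all":
        return True
    if "/" in rule:
        return ip in ipaddress.ip_network(rule, strict=False)
    if rule.replace(".", "").isdigit():
        octets = rule.strip(".").split(".")
        if len(octets) == 4:
            return ip == ipaddress.ip_address(".".join(octets))
        return str(ip).startswith(".".join(octets) + ".")
    raise ValueError(f"hostname rule '{rule}' would need reverse DNS; not handled here")


def parse_rules(htaccess_text):
    """Extract Order plus the Allow/Deny host lists from .htaccess text."""
    order, allows, denies = "deny,allow", [], []
    for raw in htaccess_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    return order, allows, denies


def access_allowed(htaccess_text, client_ip):
    """Evaluate the request the way mod_authz_host (httpd 2.2) does."""
    order, allows, denies = parse_rules(htaccess_text)
    allowed = any(_matches(r, client_ip) for r in allows)
    denied = any(_matches(r, client_ip) for r in denies)
    if order == "deny,allow":        # default allow; a matching Allow overrides Deny
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):  # default deny; Deny overrides Allow
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")


# Constructed sample in the shape of the page's .htaccess, with documentation
# addresses standing in for IP_address1-5 (one host, one /24, one partial prefix).
ADMIN_HTACCESS = """
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.0/24
Allow from 192.168.3
"""
# Common mistake: the same rules with the order reversed.  Deny is then evaluated
# last and "all" matches everyone, so every client, listed or not, is refused.
REVERSED_HTACCESS = ADMIN_HTACCESS.replace("Order Deny,Allow", "Order Allow,Deny")

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.77", "192.168.3.201", "10.0.0.1"):
        print(ip, access_allowed(ADMIN_HTACCESS, ip), access_allowed(REVERSED_HTACCESS, ip))
```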
How to configure Webalizer
The Webalizer is a GPL application that generates web pages of analysis from access and usage logs, i.e. it is web log analysis software. It is one of the most commonly used web server administration tools. It was initiated by Bradford L. Barrett in 1997. Statistics commonly reported by Webalizer include hits, visits, referrers, the visitors' countries and the amount of data downloaded. These statistics can be viewed graphically and presented by different time frames, such as per day, hour or month.
Hit
Each HTTP request submitted by the browser is counted as one hit. Note that HTTP requests may be submitted for non-existent content, in which case they are still counted. For example, if one of the five image files referred to by the example page mentioned above is missing, the web server will still count six HTTP requests, but in this case five will be marked as successful (one HTML file and four images) and one as a failed request (the missing image).
Here are the steps to configure Webalizer:
1. Install Webalizer with yum
# yum install webalizer
2. Edit the Webalizer Apache configuration
# vim /etc/httpd/conf.d/webalizer.conf
=====================================
Alias /usage /var/www/usage
#<Location /usage>
# AllowOverride AuthConfig
# Order allow,deny
# Allow from all
#</Location>
<Directory "/var/www/usage">
AllowOverride AuthConfig
Options Indexes FollowSymLinks Includes
Order allow,deny
Allow from all
</Directory>
=====================================
3. Create the .htaccess file
# vim /var/www/usage/.htaccess
=====================================
AuthUserFile /etc/httpd/htpasswd
AuthName "Please provide Login Credentials"
AuthType Basic
require valid-user
=====================================
4. Restart the httpd service.
# /etc/init.d/httpd restart
How to generate a CSR for SSL Certificate without using Password
Here are the steps for generating a Certificate Signing Request (CSR) on an Apache 2.x web server. When you have finished generating your CSR, copy and paste it into the CSR field on the SSL certificate-request page.
1. Log in to your server’s terminal (SSH).
2. At the prompt, type the following command:
# openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Replace yourdomain with the domain name you're securing. For example, if your domain name is example.com, you would type example.key and example.csr.
Enter the requested information:
Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
State or Province Name: Name of the state or province where your organization is located. Do not abbreviate.
City or Locality Name: Name of the city where your organization is registered/located. Do not abbreviate.
Organization Name: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor’s name.
Organization Unit Name: If applicable, enter the DBA (doing business as) name.
Common Name: The fully-qualified domain name, or URL, you’re securing. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
If you do not want to enter a password for this SSL key, you can leave the passphrase field blank (the -nodes option above already leaves the private key unencrypted). However, please understand that there may be additional risks. Open the CSR in a text editor and copy all of the text. Paste the full CSR into the SSL enrollment form in your account.