Apache RewriteRule Mitigation for log4shell

Yes, you should update ASAP to a patched version of Log4j. You should also consider other ways you can be exploited – do you have Java processing emails? But layers of security never hurt, so you can also try this:

    RewriteCond %{THE_REQUEST} \${ [OR]
    RewriteCond %{REQUEST_URI} \${ [OR]
    RewriteCond %{QUERY_STRING} \${ [OR]
    RewriteCond %{HTTP_USER_AGENT} \${ …

Add tracking IDs to your web application

In a complex multi-tier stack where HTTP requests get proxied, it can be difficult to track a request as it goes around the system. One thing you can do is enable mod_unique_id in Apache – this creates a distinct environment variable, UNIQUE_ID, in the web server context for each incoming request. Simply loading the module …

Fix D-link webcam interface for Apache reverse proxy

This is for the DCS-932LB1 but should work on others. Add the below to your reverse proxy configuration:

    # fixes digest authentication
    ProxyPreserveHost On
    # Interface requires IE
    RequestHeader set User-Agent "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)"

By doing this you can allow different browsers (Chrome, Firefox, etc.) …

Improving Apache Clustered Performance

Use Apache 2.4 (so if you use CentOS / RHEL, use v7). This has lower memory requirements, a stable Event MPM (see below) and far more functionality. If you terminate SSL at Apache, use a clustered cache to keep track of SSL sessions. Otherwise the SSL session establishment will have to be renegotiated every time you …

Warn your clients before disabling SSLv3 on Apache for POODLE

With POODLE, everyone is hurrying to disable SSLv3 on their web servers. However, some sites still have clients that for whatever reason have not updated from XP / IE6 (it’s only been out 13 years, what’s the rush?). Instead of immediately locking them out, you might like to give them a few days' warning with some …

Fix “Internet Explorer cannot display the webpage” for Oracle Enterprise Manager

If you cannot view Oracle Enterprise Manager in IE, but can in other browsers, chances are you’ve hit the MS IE SSL key size patch. A patch does exist for this (the problem is due to OEM using a 512-bit cert), but if you like you can front-end EM with Apache. Put this inside the …