I've got phpMyAdmin running on Nginx. I also enabled reCaptcha $cfg['CaptchaLoginPublicKey'] = 'secretkey' and $cfg['CaptchaLoginPrivateKey'] = secretkey'.

I added the above to config.inc.php. As you can see below, I have reCaptcha enabled. The secretkeys are entered correctly also. But when I login I get the following errors:

Entered captcha is wrong, try again!

Warning in ./libraries/plugins/auth/recaptcha/ReCaptcha/RequestMethod/Post.php#68 file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0

I'm sure I entered the corret captcha.

According to this Bug Report the issue was going to be solved in the next release. I'm using the latest phpMyAdmin version 4.6.2 with PHP7.0.

In my php.ini, allow_url_fopen = off.

Any body knows are workaround for this one?

Thank you.

UPDATE: Problem is fixed if allow_url_fopen = On. But is there a solution to the error stated above since I want to set this to OFF for security reasons.

Today our server was not reachable. It was returning a 502.

We are running Nginx 1.10 on Ubuntu 14.04. We also use PHP7 (only, no PHP5).

In the logs, we got the same error from the same client (2 different, but similar IP).

connect() to unix:/run/php/php7.0-fpm.sock failed (11:Resource temporarily unavailable) while connecting to upstream, client 191.xx.xx.53, server: example.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi:/unix:/run/php/php7.0-fpm.sock:", host: "xx.xx.xx.xx"

This was in the logs in a per second to 5 second intervals. From 191.xx.xx.53 and 191.xx.xx.54. "Similar" IPs.

We run wordpress sites here. And we got hammered!

1. What do you make of this? Using the XML-RPC is a bruteforce attack? Or is this a DDOS attack or both? (both meaning bruteforce but failed but resulted to ddos).

2. Our logs say Resource temporarily unavailable. Does this mean that the resource could no longer be served or is the resource that's being called not supported in PHP7?

3. The attack went on for around 6 hours before we noticed the site was down. We immediately blocked the IP and site was immediately back up. Why was it immediately back online? Because resources were already available?

Words of wisdom needed...

I'm trying to mount a samba network share on an Ubuntu 14.04 using cifs.

On the server, I've got the share running. I can already map it as a drive in Windows. The share has a username and password.

On the ubuntu machine, i've got /etc/samba/user where the credentials are saved. I also have the directory where I would mount the share /mounthere.

I have this on /etc/fstab

//192.168.1.1/sharename /mounthere cifs credentials=/etc/samba/user 0 0

When I do sudo mount -a I get this error:

mount error(112): Host is down

The host is not down. I've got it running on Windows. I've double checked the credentials and possible firewall issues.

I also have cifs-utils installed.

Can anyboby point me to the right direction.

Thank you!

I need to install Wordpress on an Ubuntu 14.04 Server. From what I've googled, I can install it via apt-get install or download the package from wordpress.org.

What option should I use for better administration? Specially when updating the Wordpress package.

Also, how to update downloaded packages? (installations that did not use apt-get)

PS. We plan to run more than 1 wordpress site here. (I don't know if this matters in the setup)

Sometimes after installing updates, the server machine would say

*** System restart required ***.

And we of course we comply.

Is this really how this works? I can't imagine that this is already the best practice. Because you would not want to restart your Server. You have live traffic running on your Server.

Running Ubuntu 14.04. We install updates with sudo apt-get upgrade and sudo apt-get dist-upgrade.

Guidance needed.

Thanks!

I'm trying to implement a Secure flag for all cookies. I'm doing this via Headers.

Here's how I did it:

Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"    

It successfully does its job on the first load. But on the second load, either when I refresh the browser or hit enter from the address bar, the header is no longer there and the cookies are no longer being served with the secure flag.

Is this a normal browser behaviour? What's wrong with my settings?

Thanks.

UPDATE (Still not working as expected)

1. My problem is that HttpOnly and Secure flags don't stick after reloading the page. And apparently this is not normal browser behaviour. I've tested other sides and their flags are still there after reload. So this one is all me...
2. Where do I put the Header edit Set-Cookie? I've tried it in the Main Config (apache.conf), I've tried it in an Include file and inside the VirtualHost. None of them seems to work.
3. I also tried other variations/syntax, like Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure but the same issue.

UPDATE (FireBug) Tried to run it with FireBug. Checking the cookies from NET would show that the Secure and HttpOnly flags have been removed on the second load. At first load they're there. But checking from the COOKIES tab (beside Net), it shows that the Secure and HttpOnly flags are PERSISTENT. Why is that like that?

I'm running SSL Certificates from Let's Encrypt. I've got them installed on my Ubuntu machine running Apache. The setup works fine and I can launch the website, see the green padlock and even got an A+ on SSL Labs.

The problem is that when I do apachectl configtest the server would return a file not found error:

SSLCertificateFile: file '/etc/letsencrypt/live/www.example.com/fullchain.pem' not exist or is empty.

But sudo service apache2 restart works just fine.

I got this question running at Let's Encrypt Community but the issue hasn't been resolved yet.

sudo cat /etc/letsencrypt/live/www.example.com/fullchain.pem works, returns valid certificate details.

sudo x509 -text -noout -in /etc/letsencrypt/live/www.example.com/fullchain.pem

does not work and returns the error below:

Error opening Certificate /etc/letsencrypt/live/www.example.com/fullchain.pem
139774254929568:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/letsencrypt/live/www.example.com/fullchain.pem.','r')
139774254929568:error:2007402:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
ubable to load certificate

Any ideas on why I'm getting errors on apachectl configtest and openssl?

Thanks guys!

We have DBF files running in our local network. It's on an Ubuntu Server running Samba shares. The DBF files are used by our in-house system running on xBase.

Now we're moving everything to Amazon Web Services. I was wondering if AWS has an infrastructure available to run DBF files? Where we can store data and still access it from our xBase system. I was looking into DynamoDB but I don't know if it will work as needed. Or does it have a special infrastructure to run Samba-like shares?

My last option would probably to run a Samba Server in an EC2 instance.

Any advise please.

Thanks.

I'm running Apache 2.4.20 on Ubuntu and I have SSL configured. I have a SAN SSL Certificate and www.example.com and www2.example.com are sharing the same certificate.

I'm getting a 421 Misdirected Request error when I include the following:

Protocols h2 h2c http/1.1
H2Upgrade on
H2Direct
H2WindowSize 128000

Websites run normally if I remove them.

I'm getting the error if ON THE SAME BROWSER, www.example.com and www2.example.com are opened. If I go to www.example.com first then it will load properly. I get the error when I load a second site from that SAN SSL Certificate, like www2.example.com. It does not matter what site I go to first. It always responds with the 421 Misdirected Request on the second site.

What is wrong with my use of the HTTP/2 directives? (They are in the VirtualHost by the way)

Or is there an issue with HTTP/2 and SAN SSL implementations?

And if it matters, both www.example.com and www2.example.com are on the same server hosted in AWS.

Thanks.

EDIT:

I also tried the settings below with the same results.

Protocols h2 http/1.1
H2Direct
H2WindowSize 128000

In the SSL Config

<IfModule mod_ssl.c>

    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

    SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300

    SSLOpenSSLConfCmd DHParameters "/path/dhparams.pem"

    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

    SSLHonorCipherOrder on

    SSLCompression Off
    SSLSessionTickets Off

    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)

    SSLProtocol all -SSLv3

    SSLInsecureRenegotiation Off
    SSLStrictSNIVHostCheck Off

</IfModule>

In the VirtualHost

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName www.example.com
    DocumentRoot /path/path

    Protocols h2 http/1.1
    H2Direct on
    H2WindowSize 128000

    SSLEngine on
    SSLCACertificateFile /path/cert.crt
    SSLCertificateFile /path/cert.crt
    SSLCertificateKeyFile /path/key.key

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

    <Directory /path/path>
        AllowOverride None
        Require all granted
    </Directory>

 </VirtualHost>
</IfModule>

I have the latest Apache installed and currently support HTTP/2. Can I setup SPDY and run it together with HTTP/2?

The goal is to also take advantage of the SPDY for browsers that do not support HTTP/2.

Thanks.

I'm currently working on running our own Owncloud (version 9). I've done this several times with Apache but I'm having trouble configuring it with Nginx in the front as a Proxy.

Nginx config

server {
        listen 443 ssl http2;
        server_name example.com;

    index index.php index.html;

    ssl_certificate /path/ssl.crt;
    ssl_certificate_key /path/ssl.key;
    ssl_dhparam /path/dh.pem;
    ssl_buffer_size 8k;
    ssl_session_timeout 1d;
    ssl_session_cache builtin:1000 shared:SSL:50m;
    ssl_session_tickets off;
    ssl_trusted_certificate /path/ssl.crt;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header Host $host;
        }
}

Apache Config

<VirtualHost *:8080>
    ServerAdmin [email protected]
    ServerName example.com
    DocumentRoot /var/www/owncloud

    <Directory /var/www/owncloud>
        Options +FollowSymLinks
        Options -Indexes
        AllowOverride All
        SetEnv HOME /var/www/owncloud
        SetEnv HTTP_HOME /var/www/owncloud
        SetEnv MOD_X_SENDFILE_ENABLED 1
    </Directory>
</VirtualHost>

Owncloud config - /var/www/owncloud/config/config.php

<?php
$CONFIG = array (
  'updatechecker' => false,
  'instanceid' => 'xxxxxxxx',
  'passwordsalt' => 'xxxxxxxx',
  'secret' => 'xxxxxxxx',
'overwritehost' => 'example.com:8080',
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
'proxy' => 'localhost',
'trusted_proxies' => array('192.168.0.2', '127.0.0.1'),
'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),
  'trusted_domains' => 
  array (
    0 => 'example.com',
  ),
  'datadirectory' => '/not/in/default/data',
  'overwrite.cli.url' => 'https://example.com',
  'dbtype' => 'mysql',
  'version' => '9.0.1.3',
  'dbname' => 'dbname',
  'dbhost' => 'dbhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_administrator',
  'dbpassword' => 'xxxxxx',
  'logtimezone' => 'UTC',
  'installed' => true,
);

I am able to access the site properly if I don't use Nginx. But if I do, the page will load with no styles. All of the request are getting 404 responses.

I think there is something wrong with my Nginx proxy config or my Owncloud config. I've read this https://doc.owncloud.org/server/8.0/admin_manual/configuration_server/config_sample_php_parameters.html but I don't know if I'm doing the Owncloud config right.

Thanks guys!

EDIT

Definitely not caused by APACHE CONFIG or OWNCLOUD CONFIG. There is an issue with JavaScript (.js) or CSS (.css) files not served properly - link.

Follow-up to my original question: No Cache-Control Header for files from AWS CloudFront with S3 Origin

Im serving up static files using AWS CloudFront with AWS S3 as the origin. I tried to set the Cache-Control header for my objects using AWS web console as instructed in the answer in my original question (link above). And when I access the file using the AWS S3 link, I can already see the Header I added: Cache-Control: public, max-age=31536000.

The problem is that the browser does not respect the header. When I reload/refresh the same link, I get a 304 - Not Modified response instead of a 200 (Cached) response.

I also tried the value max-age=300 (no Public) and also tried the value inside " " but I always get the 304 response. I also tried to add the Expires header from S3 but the same results.

How do I make the browser respect the cache header? I want to leverage on browser caching and save cost in using AWS.

Additional note: My S3 Bucket is not set for Static Website Hosting. Just in case that has something to do with this.

EDIT: Below are live HTTP Headers

https://cdn.example.com/path/logo.png

GET /path/logo.png HTTP/1.1
Host: cdn.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.example.com/
Connection: keep-alive
If-Modified-Since: Tue, 12 Apr 2016 10:29:24 GMT
If-None-Match: "xxxxxxxxxxxxxxxxxxxxxxxxxxx"

HTTP/1.1 304 Not Modified
Connection: keep-alive
Date: Sat, 16 Apr 2016 09:33:08 GMT
Etag: "xxxxxxxxxxxxxxxxxxxxxxx"
Server: AmazonS3
Age: 67885
X-Cache: Hit from cloudfront
Via: 1.1 xxxxxxxxxxxxxxx.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxx==

EDIT: I get the 200 response if I reload and 304 Not Modified if I hit enter on address bar URL. Also, Google assets in the same page load are responded with 200 (from cache) and not with a 304.

UPDATE:

Online tests currently detecting that files are already cached. Did the test on http://www.webpagetest.org/ and http://tools.pingdom.com/. Also with Google Page Speed. I think it needed time to distribute the files to edge locations. Which is weird since I was changing the file names with every edit for changes to happen immediately. But as far as caching was concern, it might needed time to distribute the cache to edge locations. Still doing a few more tests.

We have Nginx in the front of our system and we Proxy to Apache at the back. We use SSL/TLS for our connection.

Question:

1. Is Nginx the best option to terminate SSL/TLS connections in terms of performance / SSL Handshake?
2. Am I doing all the needed performance tweaks? Can I still improve my code?

Here's my config:

ssl_certificate /path/ssl.crt; 
ssl_certificate_key /path/ssl.key;
ssl_dhparam /path/dh.pem;
ssl_buffer_size 4k;
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets on;
ssl_trusted_certificate /path/trust.crt;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

I use Mozilla SSL Configuration Generator to generate my ciphers below.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

The cipher was to accomodate most of the browsers. I also have Strict-Transport-Security set.

Our system runs on Amazon AWS with CloudFront. Currently it takes SSL Labs around 130 seconds to run a test. And Pingdom shows the SSL connection for one request takes at least 220ms.

Thanks!

We just migrated to Amazon AWS. We currently have an EC2 instance that's working well. It's running Nginx in front and Apache in the back-end. That's running well also. All sites are launched properly and includes the Cache-Control header for files that are served from the EC2.

The problem is with ALL static files we placed in Amazon S3 that's being accessed through CloudFront CDN. We can access the files fine (and no issue with CORS), but apparently CloudFront doesn't serve files with Cache-Control header. We want to leverage on browser caching.

The way I see it, the EC2 instance doesn't play a role here as the static files are being served directly by S3+CloudFront, the request does not go to the Web Server in EC2.

I'm at a complete lost.

Question: 1) How do I set the Cache-Control in this case? 2) Is it possible to set the Cache-Control? From S3 or CloudFront?

Note: I've hit a few pages in Google where you can set the Header in S3 for individual objects. That's really not a productive way to do it specially since in my case we are talking of several objects.

Thanks!