Apache Web Server
Summary #
- tags: Apache, Open Source
Upgrade on Debian #
Versions #
- Supported apache2 versions on Debian: https://packages.debian.org/search?searchon=names&keywords=apache2
- apps-4, current version on Debian 10 (apache2 -v output):
  Server version: Apache/2.4.38 (Debian)
- Debian 10 with backports: 2.4.52-1 https://packages.debian.org/buster-backports/apache2
- Debian 11: 2.4.53-1 https://packages.debian.org/bullseye/apache2
Issues #
- Linux OS and packages are not patched/updated regularly; the manage server is broken
Solutions #
- Apache HTTP Server mod_proxy SSRF (CVE-2021-40438): update apache2 to the latest supported package and rescan. https://www.acunetix.com/vulnerabilities/web/apache-http-server-mod_proxy-ssrf-cve-2021-40438/
  Note that Debian security updates carry the fix without changing the upstream version shown in the Server banner (e.g. 2.4.38-3+deb10uN on Debian 10 still reports Apache/2.4.38), so a scanner that only reads the banner may keep flagging a patched host; confirm with dpkg -l apache2 and the package changelog (apt-get changelog apache2), which lists the CVE ids fixed.
Things to do to start #
- update apache2 on Debian 11 to the latest package and rescan the app
- update apache2 from backports on Debian 10 and rescan
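The two steps above (and the Apache role task further down: check the OS version, install from buster-backports on Debian 10) as a POSIX shell script. This is an added example, not code from this page or from the Apache role; it assumes the os-release file and the apache2 -v banner are passed in as arguments so the functions can be exercised offline, while the package name (apache2) and suite name (buster-backports) are the real Debian ones.

```shell
#!/bin/sh
# Added example: decide how apache2 gets upgraded per Debian release and
# check the result. Not code from the page or from the Apache role.

# VERSION_ID from an os-release file: "10" for buster, "11" for bullseye.
# The path is an argument so a constructed file can be used for testing.
debian_version_id() {
  sed -n 's/^VERSION_ID="\{0,1\}\([0-9][0-9]*\).*/\1/p' "$1"
}

# The apt command that gets a current apache2 on that release. Debian 8/9
# hosts get no apt answer: the plan on this page for them is an OS upgrade.
apache_upgrade_cmd() {
  case "$1" in
    10) printf '%s\n' "apt-get install -y -t buster-backports apache2" ;;
    11) printf '%s\n' "apt-get install -y apache2" ;;
    *)  printf 'no in-place apache2 target for Debian %s; upgrade the OS\n' "$1" >&2
        return 1 ;;
  esac
}

# The sources.list entry buster-backports needs (run apt-get update after adding it).
buster_backports_source() {
  printf '%s\n' "deb http://deb.debian.org/debian buster-backports main"
}

# "Server version: Apache/2.4.38 (Debian)" -> "2.4.38"
apache_banner_version() {
  printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# Upstream part of a Debian package version: "2.4.52-1~bpo10+1" -> "2.4.52"
upstream_version() {
  printf '%s\n' "${1%%-*}"
}

# Succeeds when dotted version $1 >= $2, compared component by component
# (so 2.10 > 2.9, and a missing component counts as 0).
version_ge() {
  v1="$1."
  v2="$2."
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    c1="${v1%%.*}"
    v1="${v1#*.}"
    c2="${v2%%.*}"
    v2="${v2#*.}"
    [ "${c1:-0}" -gt "${c2:-0}" ] && return 0
    [ "${c1:-0}" -lt "${c2:-0}" ] && return 1
  done
  return 0
}

# Usage on a real host; skipped when apache2 is not installed so the file can
# be sourced elsewhere.
if command -v apache2 >/dev/null 2>&1; then
  rel="$(debian_version_id /etc/os-release)"
  have="$(apache_banner_version "$(apache2 -v 2>/dev/null | head -n 1)")"
  pkg="$(dpkg-query -W -f='${Version}' apache2 2>/dev/null || echo unknown)"
  echo "Debian $rel, apache2 banner $have, package $pkg"
  [ "$rel" = 10 ] && echo "backports line: $(buster_backports_source)"
  apache_upgrade_cmd "$rel" || true
  # The banner only moves when the upstream version moves; Debian's own
  # security builds (2.4.38-3+deb10uN) keep it at 2.4.38, so a banner-based
  # scanner keeps flagging. The CVE ids fixed are in the package changelog:
  #   apt-get changelog apache2 | grep -i cve
  if version_ge "$have" 2.4.52; then
    echo "banner is at or above the 2.4.52 backports target"
  fi
fi
```

The version comparison is done by hand rather than with sort -V or dpkg --compare-versions so the script also runs on hosts without GNU coreutils or dpkg (the scanner box, a laptop); on a Debian host dpkg --compare-versions is the authoritative choice.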
Apache, Debian 11, issues from vulnerability report #
- 150456 Apache HTTP Server NULL pointer dereference and Server Side Request Forgery (SSRF) Vulnerability (CVE-2021-44224)
- 150461 Apache HTTP Server mod_proxy Server Side Request Forgery (SSRF) Vulnerability (CVE-2021-40438)
- 150462 Apache HTTP Server Buffer Overflow Vulnerability (CVE-2021-44790)
- 150398 Apache HTTP Server Multiple Vulnerabilities (CVE-2021-26690, CVE-2021-26691)
- 150399 Apache HTTP Server Multiple Vulnerabilities (CVE-2021-34798, CVE-2021-39275)
- 150400 Apache HTTP Server HTTP/2 Method injection (CVE-2021-33193)
- 150401 Apache HTTP Server Out of bounds read - DoS (CVE-2021-36160)
Upgrading #
Current:
- apps-1.test, Debian 9: Apache 2.4.25
- apps-2, Debian 10: Apache 2.4.32 (https://readmission.test.kfupm.edu.sa/ar/)
- apps-3, Debian 9: Apache 2.4.25
- apps-4, Debian 10: Apache 2.4.52 (https://dsr-incentives.test.kfupm.edu.sa/)
Meetings #
Applying patches to Debian 10 and Setting deadlines to upgrade OS #
Renad #
- [DONE] Decommission:
  - [x] 1. trends: removed.
- [INPROGRESS] Upgrade Debian 8 files.kfupm
  - still running
  - internal service, still required.
- [INPROGRESS] Reconcile the inventory of Debian 8 and Debian 9
  - 113 machines need to be checked
  - 700 machines in total
    - 113 powered off
    - 687 running machines, Linux and Windows combined
      - 348 Windows
      - 339 Linux
        - 159 Red Hat machines
        - 120 others: Debian, Ubuntu, CentOS, FreeBSD and SUSE
- [INPROGRESS] provision apps-6.test, 32 RAM, 200 GB storage; deadline:
- confirm with the Windows team whether password.kfupm.edu.sa is still in use, and decommission it if not
Akber #
- Apache role: add a task that checks the OS version and, on Debian 10, installs apache2 from buster-backports
Jaaved #
Services (non-Django)
- tasks.kfupm.edu.sa
- muhtawa.kfupm.edu.sa [not upgraded]
- https://lemu.kfupm.edu.sa/reserve/ (confirm whether this is Django)
- code.kfupm.edu.sa
Applications
- apps-1 : Debian 9
- apps-3: Debian 9 to Debian 11 upgrade
Deadline:
Applications with site map information #
https://docs.kfupm.edu.sa/apps/alumni/generated-from-code.html
https://docs.kfupm.edu.sa/apps/dsr-incentives/generated-from-code.html
https://docs.kfupm.edu.sa/apps/graduate-assistantship/generated-from-code.html
https://docs.kfupm.edu.sa/apps/tahani/generated-from-code.html
Apache Modules #
Modules are service programs that can be dynamically linked and loaded to extend the functionality of the HTTP Server. In this way, Apache modules provide a way to extend the function of a web server. Functions commonly added by optional modules include:
- Authentication
- Encryption
- Application support
- Logging
- Support for different content types
- Diagnostic support
mod_auth_cas #
https://github.com/apereo/mod_auth_cas
mod_wsgi #
mod_wsgi is an Apache module implementing the WSGI specification. https://github.com/GrahamDumpleton/mod_wsgi
mod_python #
https://modpython.org/ mod_python is an Apache module that embeds the Python interpreter within the server. With mod_python you can write web-based applications in Python that run many times faster than traditional CGI and have access to advanced features such as the ability to retain database connections and other data between hits, and access to Apache internals.