1. How you handle apache in the existing environment?
# What versions are you using: We are currently using Apache 2.4
#Is it a dedicated service or installed on same application server?
In our current organization we are providing Both Dedicated and Shared Hosting services
# How many servers you handle in existing environment?
We have more than 2000 physical servers and 6 virtual host nodes
# How you manage it and how you handle automations?
There, I'm currently assigned to complete migration tasks. We have made different bash scripts to automate the migration process and testing.
# Recent automation done with Apache systems?
# How to make sure Apache servers get started after reboot?
We were using the chkservd service to monitor all services and automatically bring services online quickly if they fail
There are many options to ensure Apache uptime
1. We can check it with "service apache status"
2. We can check apache process using ps aux command
3. We can check service listening port using netstat command
#how to modify configuration without affecting the existing connection?
>> systemctl reload apache2
2. How do you install Apache on the Linux Machine?
Static vs Dynamic Compiling
- In static Apache compiling, modules are loaded along with httpd
- but in dynamic compiling we can enable or load modules in future
3. How do you check Apache is listening or not?
netstat -plan | grep apache
# How we can change Apache port for a specific URL?
If multiple websites are running, the specific URL that needs the custom port requires a dedicated IP address. We Listen on the custom port for this IP address by editing the httpd.conf file, and mention the custom port number along with the IP address in the Apache virtual host.
4. What is virtual hosting?
Apache Virtual Hosts are used to run more than one web site(domain) using a single IP address. In other words you can have multiple web sites(domains) but a single server.
Different sites will be shown depending on the user's requested URL
#Did you have any experience in hosting multiple websites in a single servers?
> Yes, I have. In our current organization most of our servers contain more than 500 websites
#What are the different options?
> We use name-based virtual hosting to host multiple websites
> Alternatively, if it is okay to run different websites with different port numbers, we can install multiple Apache instances on the same server and host websites in each
#Is it possible to run two Apache process in a single server?
Yes, of course it is possible.
#How to host different URL's using same IP?
Using name-based virtual hosting we can host multiple websites using the same IP
#How is the SSL configured for different URL's while using same IP
After the Transport Layer Security (TLS) upgrade this feature got enabled with Apache. I think it has been enabled after Apache version 2.2.12.
5. What are the different log files available?
Apache generates two kinds of logs: access logs and error logs
Apache commonly writes logs to the /var/log/apache2 or /var/log/httpd
#Is customization possible and how to do it?
> We can customize the Apache log location and formats using the "LogFormat" and "CustomLog" directives
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
CustomLog /var/log/apache2/vhost.log vhost_combined
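An added example (not part of the original notes) that counts 4xx/5xx responses per virtual host from a log written in the vhost_combined format above. The host names and log lines are constructed; the status is read from the text after the quoted request, because a request line can itself contain spaces, digits and escaped quotes.

```shell
#!/bin/sh
# Constructed sample lines in the vhost_combined format defined above.
sample_log() {
cat <<'EOF'
shop.example.test:443 203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /cart HTTP/1.1" 502 341 "-" "curl/8.0"
shop.example.test:443 203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /cart HTTP/1.1" 504 341 "-" "curl/8.0"
blog.example.test:80 198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
blog.example.test:80 198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "GET /a\"b 500 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
blog.example.test:80 198.51.100.23 - - [10/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 403 199 "-" "Mozilla/5.0"
EOF
}

# Read a vhost_combined log on stdin and print "<vhost:port> <status> <count>"
# for every 4xx/5xx response, sorted.
error_summary() {
  awk '{
    line = $0
    gsub(/\\"/, "", line)            # Apache escapes a quote inside %r as \" ; drop it
    n = split(line, q, "\"")         # q[1] = prefix, q[2] = %r, q[3] = " status bytes "
    if (n < 6) next                  # not a vhost_combined line
    split(q[1], head, " ")           # head[1] = %v:%p
    split(q[3], tail, " ")           # tail[1] = %>s, tail[2] = %O
    if (tail[1] ~ /^[45][0-9][0-9]$/) count[head[1] " " tail[1]]++
  }
  END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

sample_log | error_summary
```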
# What kind of loglevels are available? How can it be set.
There are multiple log levels in Apache:
emerg, alert, crit, error, warn, notice, info, debug
6. What’s the difference between <Location> and <Directory>?
<Location> is used to set elements related to the URL / address bar of the web server.
<Directory> refers to the location of a file system object on the server.
7. What is the difference between Worker and Prefork MPM?
The basic difference between the Worker and Prefork MPM is in how they spawn child processes.
In the Prefork MPM, a master httpd process is started and this master process starts and manages all other child processes to serve client requests.
Whereas in the Worker MPM one httpd process is active, and it uses different threads to serve client requests.
Prefork MPM uses multiple child processes with one thread each, whereas Worker MPM uses multiple child processes with many threads each.
Connection handling: in the Prefork MPM each process handles one connection at a time, whereas in the Worker MPM each thread handles one connection at a time.
Memory footprint: Prefork MPM has a large memory footprint, whereas Worker has a smaller memory footprint.
8. Is it possible to deploy war or JAVA applications in Apache?
WAR files can be deployed to application servers such as Apache Tomcat,
9. Modules
# What are the requirements to setup rewrite rules in Apache?
The Apache module mod_rewrite is required to set up rewrite rules in Apache.
# How are modules installed in Apache configurations?
We can install Apache modules using different methods like Yum, RPM
# What is the module for SSL?
mod_ssl
To enable a module add "LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so" in the Apache conf
# Which modules are used in Apache to enhance security against attacks?
Mod_evasive & Mod_Security
# What module is needed to connect to WebSphere?
mod_was_ap22_http.so
TLS
=====
TLS is an improved version of SSL.
10. How SSL works with Apache?
The client sends a request to the server for a secure session.
The server responds by sending its X.509 digital certificate to the client.
The client receives the server's X.509 digital certificate.
The client authenticates the server, using a list of known certificate authorities.
The client generates a random symmetric key and encrypts it using server's public key.
The client and server now both know the symmetric key and can use the SSL encryption process to encrypt and decrypt the information contained in the client request and the server response.
# How you create SSL certificate?
Ensure you have the correct website information.
Decide the type of SSL certificate you need.
Choose a Certificate Authority (CA)
Generate a Certificate Signing Request (CSR)
Submit the CSR to a Certificate Authority (CA)
Await validation by the CA.
Install your SSL certificate.
Cipher suites are sets of instructions on how to secure a network through SSL (Secure Sockets Layer) or TLS (Transport Layer Security). As such, cipher suites provide essential information on how to communicate secure data when using HTTPS, FTPS, SMTP and other network protocols.
Decode CSR:
openssl req -in mycsr.csr -noout -text
Certificate Decoder
openssl x509 -in certificate.crt -text -noout
Certificate Match check:
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
11. Do you have any experience in reverse proxy configuration with Apache?
How do you set up an Apache reverse proxy?
- Install the Apache Web Server
- Install and configure the backend origin servers
- Enable the mod_proxy and mod_proxy_http modules in Apache’s httpd.conf file
- Configure Apache ProxyPass and ProxyPassReverse settings
- Restart the Apache Web Server
How to load Apache proxy modules?
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
How to connect Apache with application servers?
ProxyPass /sample http://localhost:8080/sample
ProxyPassReverse /sample http://localhost:8080/sample
12. What kind of requests apache can handle? Did you ever try to handle TCP packets with Apache?
>> The Apache server works by handling URL requests to the server through specific communication protocols in a multithreading fashion,
# What different ReverseProxy solutions you have experience with?
Nginx
Haproxy
Apache
Scenarios
=========
URL don't work?
There are a lot of possibilities that cause errors in domains/URLs, some of them are
- DNS issue:
> If the domain is not registered, the website/URL request shows an error something like "This site can’t be reached"
> If the domain doesn't have any nameservers configured it gives an error like "DNS server Not responding"
We can track various issues using the types of errors that we are getting
- Webserver/Apache issue:
> If the website or URL doesn't work because of any webserver issue, it returns error codes like 402, 404, 500, 503; all of them have different meanings. Also we can monitor the Apache error logs to identify the exact issue.
400 Bad Request - Because of browser cache, cookies, and wrong curl
401 Unauthorized - Maybe the IP is restricted to access the website and
403 Forbidden - wrong file permissions
404 Not Found - Because of missing files or
500 Internal Server Error - Misconfiguration in the htaccess file or missing PHP packages
502 Bad Gateway - Mostly a firewall causing issues establishing the connection between the client and server
503 Service Unavailable - Server is overloaded or service down
504 Gateway Timeout - not receiving a response from the backend servers within the allowed time period
Kerberos configurations?
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key
Single sign on configurations and how you troubleshoot it?
if you log in to a Google service such as Gmail, you are automatically authenticated to YouTube, AdSense, Google Analytics, and other Google apps.
Apache Optimization
===================
Performance validation tools - Apache benchmark (httpd-tools)
Remove unused modules
Configure mod_disk_cache with a flat hierarchy
Utilize mod_gzip/mod_deflate
Persistent Connections
Set KeepAlive On and then set KeepAliveTimeout and MaxKeepAliveRequests.
KeepAliveTimeout is how long Apache will wait for the next request, and MaxKeepAliveRequests is the max number of requests for a client prior to resetting the connection.
Apache Security
================
#Did you handle patching in the existing environment? How are patches handled?
Yes, I did
- Since I worked for a web hosting company, we wanted to apply patches and update Apache and its modules
- In my last organization we used rpm/yum to apply patches and updates
yum -y upgrade httpd
#what kind of settings you use to enhance security with Apache service.
- Disable the server-info and server-status Directive
- Disable the ServerSignature Directive
- Disable directory listing
- Use the ModSecurity
- Keep Apache and its modules up to date
- RequestReadTimeout, TimeOut and KeepAliveTimeout should be set to the lowest possible values
- Tune the MaxRequestWorkers directive
- Prevent htaccess overrides if possible using "AllowOverride"
<Directory "/">
AllowOverride None
</Directory>
#Disable Weak Protocols and Ciphers?
Yes, it is possible.
# How to hide apache directory listing ?
<Directory /www/apachedft/htdocs>
Options -Indexes
</Directory>
# How to hide Apache Version and OS Identity from Errors? -
> ServerSignature Off & ServerTokens Prod
# How to Disable Unnecessary Modules?
commenting out the LoadModule directive in apache configuration file
httpd -t #check apache configuration file is
#How to change the default user and group of Apache?
By modifying the User and Group directives in the Apache configuration file
User http-web
Group http-web
How to Disable Apache’s following of Symbolic Links
<Directory />
# A leading "-" turns an option off; without it the option is enabled
Options -FollowSymLinks -Indexes
AllowOverride None
</Directory>
Turn off Server Side Includes and CGI Execution
Options -Includes
Options -ExecCGI
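An added example (not part of the original notes) that scans a configuration for the hardening items listed above: ServerTokens, ServerSignature, AllowOverride and the Options that enable indexes, symlinks, SSI or CGI. Both sample configs are constructed, and the check is a static text scan that does not follow Include files or merge sections.

```shell
#!/bin/sh
# Constructed sample configs: one weak, one following the checklist above.
weak_conf() {
cat <<'EOF'
ServerTokens OS
ServerSignature On
<Directory />
    Options FollowSymLinks Indexes
    AllowOverride All
</Directory>
EOF
}
hardened_conf() {
cat <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory />
    Options -FollowSymLinks -Indexes -Includes -ExecCGI
    AllowOverride None
</Directory>
EOF
}

# Read a config on stdin, print one finding per line, exit 1 if any were found.
# Static text scan only: it does not follow Include files or merge sections.
audit_conf() {
  awk '
    function flag(msg) { print msg " (line " NR ")"; bad = 1 }
    BEGIN { tokens = "full" }                 # Apache default when ServerTokens is unset
    /^[ \t]*#/ { next }                       # skip comment lines
    { key = tolower($1) }                     # directive names are case-insensitive
    key == "servertokens"    { tokens = tolower($2) }
    key == "serversignature" && tolower($2) != "off"  { flag("ServerSignature " $2) }
    key == "allowoverride"   && tolower($2) != "none" { flag("AllowOverride " $2) }
    key == "options" {
      for (i = 2; i <= NF; i++)
        if (tolower($i) ~ /^[+]?(indexes|followsymlinks|includes|execcgi|all)$/)
          flag("Options enables " $i)
    }
    END {
      if (tokens !~ /^prod(uctonly)?$/) { print "ServerTokens " tokens " (want Prod)"; bad = 1 }
      exit bad
    }'
}

weak_conf | audit_conf || echo "weak config: findings above"
hardened_conf | audit_conf && echo "hardened config: clean"
```

The non-zero exit status lets the check gate a deployment script alongside "httpd -t".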
Errors
======
#What do you understand by “connection reset by peer” in error logs?
> When the server is serving any ongoing Apache request and end user terminates the connection in between, we see “connection reset by peer” in the Apache error logs.
200 – content found and served OK
301- moved permanently
302 - Temporarily Moved to different URL
400 - bad request, server is confused with the request. generally bad syntax in the request or handler issue
403 – tried to access restricted file/folder
404 - not found
500 - Internal Server error
502 - Bad gateway error
503 – the server is too busy to serve the request and in another word – service unavailable.
DNS
===
Do you have experience with managing DNS servers?
Yes, I'm well experienced in installing, setting up and managing DNS servers
Forward lookup and reverse lookup?
> Forward DNS lookup is using an Internet domain name to find an IP address. Reverse DNS lookup is using an Internet IP address to find a domain name.
How DNS resolution works?
- Whenever we type a domain name in the browser, it first checks whether any browser cache is available; if available, it loads the website from it. If not,
- It will check for an IP locally, especially in the hosts file, whether there is any direct entry available in this file for the website. If it is available, the website request goes directly to Apache on the server which is mentioned in the hosts file, bypassing any DNS checks,
- If there are no hosts file entries, it contacts the ISP and its recursive DNS server to resolve the domain name
- ISP DNS resolvers are configured to ask other DNS servers for correct IP address mapping until they can provide data back to the requester
- Once the ISP’s recursive DNS server obtains the IP address by sending multiple iterative DNS queries, it finally returns it to your computer.
IP Subnetting
=============
Do you have experience with IP subnetting?
I learned IP subnetting in my CCNA classroom but I didn't get a chance to subnet for a production environment. But I'm very confident that I can catch it quickly if it is required in this position.
Routing and gateways?
Yes, I have basic knowledge and experience in routing and gateway setup.
MySQL Replication
================
server-id = 1
log_bin = /var/log/mysql/mysql-bin.log
bind-address = source_server_ip
binlog_do_db = db
binlog_ignore_db = db_to_ignore
mysql> CREATE USER 'replica_user'@'replica_server_ip' IDENTIFIED WITH mysql_native_password BY 'password';
Apache Load balancer conf
========================
<VirtualHost *:80>
ServerName ldproxy.org
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ProxyRequests Off
ProxyPreserveHost On
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://mycluster>
BalancerMember "http://eva00:9080" route=1
BalancerMember "http://192.168.2.15:8082" route=2
ProxySet lbmethod=byrequests
ProxySet stickysession=ROUTEID
</Proxy>
ProxyPass / balancer://mycluster/
ProxyPassReverse / balancer://mycluster/
ErrorLog ${APACHE_LOG_DIR}/proxy-error.log
CustomLog ${APACHE_LOG_DIR}/proxy-access.log combined
</VirtualHost>