When you enter a discussion about Cloud Computing with legacy IT people, you often (always) tell the story of handling IT infrastructure as "Cattle vs Kittens". The story highlights the d...
I recently had a problem where a Magento store would infinitely redirect, from TLD to sub-domain (i.e. non-www to www). The server was configured behind a reverse proxy, which was handled by Pound (acting as a load balancer and SSL wrapper). Pound is great for handling hand-overs between a caching proxy and application servers, in addition to load balancing multiple servers and wrapping SSL connections to the client.
When developing web applications that use APIs, it is usually necessary to have the development site accessible for API callback URLs. A good example is working with payment gateway systems, which typically post back the success or failure of transactions. In this case it is convenient to use HTTP authentication to prevent outside access (users, crawlers, etc.). The issue is that API systems don't always work with the http://[user]:[password]@[url] method of passing through these credentials manually.
I was working on a project which was randomly failing to load certain views outside the development environment. It turns out that the system was running out of memory. After searching some of the error messages output by the script, I stumbled upon the xhprof PHP module. It was originally created by Facebook, and released under an open source license.
I have been trying to disable the server signature for a while, but I found that turning off the ServerSignature directive alone didn't work for all servers. The signature might read something like:
Apache/2.2.X (Ubuntu) mod_ssl/2.X.X OpenSSL/0.X.X
If your server exposes this information, it is easier for an attacker to compromise the system based on flaws in a particular server software version (especially if your server software is allowed to become outdated, or your distribution is slow to release security updates). By default, Apache displays this on error pages in plain text, and also presents it as a Server header on every request.
To disable it completely, you should set both of the following directives in your Apache configuration:
ServerSignature Off
ServerTokens Prod