Monday, March 31, 2014

Monitoring RDS free space using CloudWatch alarm

If you suspect your RDS instance is running out of disk space, most likely it is. To confirm this, create a CloudWatch alarm on the RDS instance metric "FreeStorageSpace". Before you can create the alarm, you have to create a "topic" in the Amazon SNS service. Once the topic is defined, click "create subscription", choose "email" as the notification method and specify the email address to be notified.

Now you can go back to the "Monitoring" page of your RDS instance and create an alarm. In the alarm you have to specify three things: the alarm metric and threshold (in this particular case the RDS instance metric called "FreeStorageSpace"), the alarm action, and then review the alarm preview, as shown below:-

Alarm metric:-



Alarm action:-


Alarm preview:-


Once you have created the alarm, you will get an email from no-reply@sns.amazonaws when the threshold is reached.

Saturday, March 29, 2014

MySQL backups and restore

The general syntax for MySQL backups using mysqldump tool is

Backup:

$mysqldump -h [RDS instance info] -u [rds_user_name] -p[rds_password] --socket=[if_different_from_default] --port=[port_if_different_from_3306] [database_name] > rdsdump.sql

Single DB Backup:

$mysqldump -h [RDS instance info] -u [rds_user_name] -p[rds_password] --socket=[if_different_from_default] --port=[port_if_different_from_3306] [database_name1] > db1dump.sql

Multiple DB Backups (without --databases, mysqldump treats the second name as a table of the first database):

$mysqldump -h [RDS instance info] -u [rds_user_name] -p[rds_password] --socket=[if_different_from_default] --port=[port_if_different_from_3306] --databases [database_name1] [database_name2] > db1db2dump.sql

All DB Backups:

$mysqldump -h [RDS instance info] -u [rds_user_name] -p[rds_password] --socket=[if_different_from_default] --port=[port_if_different_from_3306] --all-databases > alldbdump.sql

Dump of specific table:

$mysqldump -h [RDS instance info] -u [rds_user_name] -p[rds_password] --socket=[if_different_from_default] --port=[port_if_different_from_3306] [database_name] [table_name] > db_table_name_dump.sql

Restore from dump (the dump is fed to the mysql client, not to mysqldump):

$mysql -h [RDS instance info] -u [rds_user_name] -p[rds_password] --socket=[if_different_from_default] --port=[port_if_different_from_3306] [database_name] < rdsdump.sql
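The commands above put the RDS password in -p[rds_password], where every local user can read it through ps and it lands in shell history. As an added example (not from the original post), the script below moves the credentials into a 0600 options file read via --defaults-extra-file and builds the matching backup and restore commands; the endpoint, user and database names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: run mysqldump against an RDS
# endpoint without putting the password in argv. Credentials go into a
# temporary options file created 0600 and passed via --defaults-extra-file,
# which must be the first option on the mysqldump/mysql command line.
# Endpoint, user name and database names below are constructed placeholders.

# write_client_opts FILE HOST PORT USER PASSWORD
# Writes a [client] section readable only by the owner; mysqldump and mysql
# both honour it, so the same file serves backup and restore.
write_client_opts() {
    ( umask 077                 # subshell: file is created 0600, caller's umask untouched
      printf '[client]\nhost=%s\nport=%s\nuser=%s\npassword=%s\n' \
          "$2" "$3" "$4" "$5" > "$1" )
}

# dump_cmd OPTS_FILE OUTFILE DB...
# Prints the mysqldump command line. --single-transaction takes a consistent
# InnoDB snapshot without LOCK TABLES; --databases records CREATE DATABASE so
# several databases can be named and the dump restores cleanly.
dump_cmd() {
    opts=$1; out=$2; shift 2
    cmd="mysqldump --defaults-extra-file=$opts --single-transaction --databases"
    for db in "$@"; do cmd="$cmd $db"; done
    printf '%s > %s\n' "$cmd" "$out"
}

# restore_cmd OPTS_FILE DUMPFILE -> the matching restore (mysql, not mysqldump)
restore_cmd() {
    printf 'mysql --defaults-extra-file=%s < %s\n' "$1" "$2"
}

main() {
    opts=$(mktemp -d)/rds-client.cnf
    write_client_opts "$opts" mydb.example-rds-endpoint.amazonaws.com 3306 rds_user 'example-password'
    echo "backup:  $(dump_cmd "$opts" rdsdump.sql appdb)"
    echo "restore: $(restore_cmd "$opts" rdsdump.sql)"
    rm -rf "$(dirname "$opts")"          # remove the credentials file when done
}
main "$@"
```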

Configuring lampp for auto start in RHEL

If you want your lampp processes to start as a service when the EC2 instance boots, you can create a startup script in the /etc/init.d folder such as


  • $ cd /etc/init.d
  • $ vi lampprestart
  • add lines 
          *************
          #!/bin/bash
          # chkconfig: 2345 55 25
          /opt/lampp/lampp restartapache
          *************

  • save the file
  • $chmod +x lampprestart
  • $chkconfig --add lampprestart
  • $chkconfig --level 2345 lampprestart on
  • $service lampprestart start
  • confirm if it is running by $chkconfig --list |grep lampprestart

Friday, March 28, 2014

MySQL RDS reads slow?

If you are experiencing slow sql reads from your RDS instance such as the below count(*) query:

mysql> select count(*) from customers;
  
+----------+
| count(*) |
+----------+
|   500000 |
+----------+

1 row in set (14 min 53.62 sec)

Then check your RDS Cloudwatch metrics on "Read IOPS". If the chart looks like below:-

 

then most likely you are using standard EBS volumes for your RDS instance. Standard EBS volumes typically support only about 100 IOPS, and as the chart above shows, 2000 reads per second is well over that limit. Some of the larger instance types such as m1.xlarge support EBS-optimized I/O, which gives a dedicated channel between the instance and its storage. If you are using such an instance, you can improve read performance by modifying the RDS instance and enabling provisioned IOPS as shown below:


NOTE - as best practice demands, always take a DB snapshot before you modify the RDS instance. Also note that the "Provisioned IOPS" value is a multiple of "Allocated Storage": if your allocated storage is 100G then the IOPS limit is 1000.

Once you make the above change, you will see the count(*) query time go down as below:-

mysql> select count(*) from customers;
  
+----------+
| count(*) |
+----------+
|   500000 |
+----------+
1 row in set (1 min 22.5 sec)

Linux system analysis tools

Monday, March 17, 2014

Editing iptables to allow/drop ports

To allow particular ports through iptables you can run the commands

$sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
$sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
$sudo iptables -A INPUT -p tcp --dport smtp -j ACCEPT

If you need to listen on loopback interface, you will need to add that as the first rule below

$sudo iptables -I INPUT 1 -i lo -j ACCEPT

To confirm you can run "sudo iptables -v -L". To add a drop rule to the firewall you can add

$sudo iptables -A INPUT -j DROP

Refer to more detailed instructions at: Ubuntu IptablesHowTo

Enabling/disabling the Linux firewall?

To increase the security of the instance, you want to enable the Linux firewall (iptables). To check which ports are currently open in the firewall, you can run

$sudo iptables -v -L

Additionally, you can check if firewall is enabled at boot time

$ chkconfig --list |grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

To disable the firewall at boot time you can run the command below:

$ sudo chkconfig iptables off

To confirm the runlevels (2,3,4,5), you can again run the below command:

$ chkconfig --list | grep iptables
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off

To save the current firewall rules to a file, you can run

$sudo iptables-save > $HOME/firewall.rules

To restore the firewall rules, you can run

$sudo iptables-restore < $HOME/firewall.rules

To temporarily stop the firewall you can run the below command (NOTE:- before you stop iptables make sure to run iptables-save command to save the rules to a file)

$sudo /etc/init.d/iptables stop

Once the firewall has stopped, you can list the rules and it will show up like

$ sudo iptables -v -L

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

To restart the firewall, run

$sudo /etc/init.d/iptables start
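The two posts above add rules one at a time and save them with iptables-save. As an added example (not from the original posts), the script below generates the same INPUT rule set in iptables-save format and checks a saved file before it is handed to iptables-restore; the port list and file names are constructed for the example, and the state match module is assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the original posts: generate the INPUT rules in
# iptables-save format so they can be reviewed and loaded atomically with
# `iptables-restore`, then sanity-check a saved rule set before restoring it.
# Ordering is the whole point: loopback and established traffic first, the
# allowed ports next, the catch-all DROP last. Appending DROP before the
# ACCEPT rules, or restoring a file with no ssh rule, locks you out of the host.
# Port list and file names are constructed for the example.

# gen_input_rules PORT... -> prints a complete *filter table for iptables-restore
gen_input_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections this host opened (yum, DNS, RDS) must not hit the final DROP
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# check_rules FILE -> 0 if FILE keeps ssh reachable and has exactly one INPUT DROP,
# placed last; run this before `iptables-restore < FILE` on a remote machine
check_rules() {
    grep -q -e '--dport ssh -j ACCEPT' -e '--dport 22 -j ACCEPT' "$1" || return 1
    [ "$(grep -c -e '^-A INPUT .*-j DROP' "$1")" -eq 1 ] || return 1
    [ "$(grep -e '^-A INPUT' "$1" | tail -n 1)" = '-A INPUT -j DROP' ] || return 1
}

main() {
    rules=$(mktemp)
    gen_input_rules ssh 80 443 smtp > "$rules"
    if check_rules "$rules"; then
        echo "rule set ok; load with: iptables-restore < $rules"
    else
        echo "rule set would lock you out; not loading" >&2
    fi
    cat "$rules"
}
main "$@"
```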



Checking SELINUX status and enabling/disabling as needed

To check if selinux is enabled, run "sestatus" command

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

To check if SELinux is enforcing, you can run the "getenforce" command

$ getenforce
Enforcing

There may be times when you may want to temporarily disable selinux for testing purposes. To do so, you will have to modify /etc/selinux/config file such as

************
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
************

Once you make the above change, you will have to reboot the system for the changes to take effect. Once rebooted, you can run "getenforce" to check if selinux has been disabled. If you want to turn it back on set SELINUX=enforcing in /etc/selinux/config and reboot the machine. 

Saturday, March 15, 2014

Configuring DKIM (DomainKeys Identified Mail) signatures for the verified email addresses used by Amazon SES to send email to corporate domains

By default, after you verify an email address with Amazon SES, outbound emails from Amazon SES do NOT contain DKIM signatures. This causes some corporate mail servers to mark the inbound email as spam and quarantine it. A DKIM signature provides additional validation of the originating domain of the email. For more information, refer to DKIM: "DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication"

Mail servers enforcing DKIM signatures will throw a message similar to below when they do not find signatures in the incoming mail headers:


To configure DKIM signatures, you have to first enable DKIM settings for the verified email in Amazon SES. From AWS console, you click on "enable DKIM" for the particular verified email address:


The above CNAME entries have to be added to the DNS server. Once added, they can be verified using the below "dig" command:

$dig -t CNAME t2....sz._domainkey.mycompany.com @ns.mycompany.com

; <<>> DiG 9.7.1 <<>> -t CNAME t2...sz._domainkey.mycompany.com @ns.mycompany.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 858
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;t2...sz._domainkey.mycompany.com. IN CNAME

;; ANSWER SECTION:
t2...sz._domainkey.mycompany.com. 3600 IN CNAME t2...sz.dkim.amazonses.com.

;; AUTHORITY SECTION:
mycompany.com.              3600    IN      NS      ns1.mycompany.com.
mycompany.com.              3600    IN      NS      ns2.mycompany.com.
mycompany.com.              3600    IN      NS      ns3.mycompany.com.

;; ADDITIONAL SECTION:
ns1.mycompany.com.          86400   IN      A       x.x.x.x
ns2.mycompany.com.          86400   IN      A       x.x.x.x
ns3.mycompany.com.          86400   IN      A       x.x.x.x

;; Query time: 250 msec
;; SERVER: 63.100.100.153#53(63.100.100.153)
;; WHEN: Sat Mar 15 19:06:17 2014
;; MSG SIZE  rcvd: 235

The CNAME records on both DNS servers, mycompany.com's and amazonses.com's, should match. Once both DNS servers have been updated, you will see DKIM shown as verified in the Amazon console like below:


Now you can send a test email from AWS console to see if DKIM-signature headers are being populated. The mail headers will look like

*************
Received: from mx-server.mycompany.com (x.x.x.x) by
mx-server.mycompany.com (x.x.x.x) with Microsoft SMTP Server (TLS) id
14.3.158.1; Fri, 7 Mar 2014 12:22:57 -0800
Received: from mx-app.mycompany.com (x.x.x.x) by mx-server.mycompany.com
(x.x.x.x) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 7 Mar2014 12:22:57 -0800
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ar...WD0
X-IPAS-Result: Ar...WD0
X-IronPort-AV: E=Sophos;i="4.97,610,1389772800"; 
   d="scan'208";a="95665020"
Received: from a8-27.smtp-out.amazonses.com ([x.x.x.x])  by
mx-app.mycompany.com with ESMTP; 07 Mar 2014 12:22:57 -0800
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
            s=t2...sz; d=mycompany.com; t=1394223775;
            h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Date:Message-ID;
            bh=yu...IY=;
            b=Xp...Is=
Return-Path: 00000e1-7f74a-124-44-bf57-d80d3-000000@amazonses.com
From: <noreply@mycompany.com>
To: <test@gmail.com>
Subject: test DKIM header
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Date: Fri, 7 Mar 2014 20:22:55 +0000
Message-ID: <00000e1-7f74a-124-44-bf57-d80d3-000000@email.amazonses.com>
X-SES-Outgoing: 2014.03.07-54.240.8.27
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthSource: mx-server.mycompany.com
X-MS-Exchange-Organization-AuthAs: Anonymous
*************

Adding Amazon SES to SPF (Sender Policy Framework) DNS records to prevent emails sent from a verified email address from being marked as spam

If your DNS server maintains SPF records, you can determine the TXT records by making the below "dig" query:

$dig @ns.mycompany.com mycompany.com TXT
; <<>> DiG 9.7.1 <<>> @ns.mycompany.com mycompany.com txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30737
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mycompany.com.                     IN      TXT

;; ANSWER SECTION:
mycompany.com.              3600    IN      TXT     "google-site-verification=W....A"
mycompany.com.              3600    IN      TXT     "v=spf1 mx ip4:x.x.x.x ip4:
x.x.x.x ip4:x.x.x.x ip4:x.x.x.x.x ip4:x.x.x.x ip4:x.x.x.x ip4:x.x.x.x ip4:x.x.x.x include:mail.com include:yahoo.com include:_spf.google.com ~all"

;; AUTHORITY SECTION:
mycompany.com.              3600    IN      NS      ns1.mycompany.com.
mycompany.com.              3600    IN      NS      ns2.mycompany.com.
mycompany.com.              3600    IN      NS      ns3.mycompany.com.

;; ADDITIONAL SECTION:
ns1.mycompany.com.          86400   IN      A       x.x.x.x
ns2.mycompany.com.          86400   IN      A       x.x.x.x
ns3.mycompany.com.          86400   IN      A       x.x.x.x

;; Query time: 204 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Sat Mar 15 16:54:06 2014
;; MSG SIZE  rcvd: 474

Since Amazon SES is not part of the above SPF record maintained by mycompany's DNS server, emails sent through Amazon SES from a verified email address such as no-reply@mycompany.com may be marked as spam by receiving mail servers. The record tells receivers which servers are authorized to send messages for your domain, and the Amazon SES servers are not on that list. It also says what to do with a message received from a server outside the list: "~all" means "messages should be accepted but tagged".

The reasons to implement SPF are outlined in the Wikipedia article Reasons to implement SPF: "If a domain publishes an SPF record, spammers and phishers are less likely to forge e-mails pretending to be from that domain, because the forged e-mails are more likely to be caught in spam filters which check the SPF record. Therefore, an SPF-protected domain is less attractive to spammers and phishers. Because an SPF-protected domain is less attractive as a spoofed address, it is less likely to be blacklisted by spam filters and so ultimately the legitimate e-mail from the domain is more likely to get through."

Once you add Amazon SES to your DNS server's SPF records, the "dig" query return values will look like

$dig @ns.mycompany.com mycompany.com TXT
; <<>> DiG 9.7.1 <<>> @ns.mycompany.com mycompany.com txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30737
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mycompany.com.                     IN      TXT

;; ANSWER SECTION:
mycompany.com.              3600    IN      TXT     "google-site-verification=W....A"
mycompany.com.              3600    IN      TXT     "v=spf1 mx ip4:x.x.x.x ip4:
x.x.x.x ip4:x.x.x.x ip4:x.x.x.x.x ip4:x.x.x.x ip4:x.x.x.x ip4:x.x.x.x ip4:x.x.x.x include:mail.com include:yahoo.com include:_spf.google.com include:amazonses.com ~all"

;; AUTHORITY SECTION:
mycompany.com.              3600    IN      NS      ns1.mycompany.com.
mycompany.com.              3600    IN      NS      ns2.mycompany.com.
mycompany.com.              3600    IN      NS      ns3.mycompany.com.

;; ADDITIONAL SECTION:
ns1.mycompany.com.          86400   IN      A       x.x.x.x
ns2.mycompany.com.          86400   IN      A       x.x.x.x
ns3.mycompany.com.          86400   IN      A       x.x.x.x

;; Query time: 204 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Sat Mar 15 16:54:06 2014
;; MSG SIZE  rcvd: 474


Spam filters mark email received from Amazon SES as spam and quarantine them

When you are using Amazon SES to send emails to users of a site, some of the users may not receive them because spam filters check for common spoofing signatures. In the example below the "Reply-To:" header (johndoe@mycompany.com) is in a different domain from the sending mail server (Received: from a8-24.smtp-out.amazonses.com)

**************
Received: from .... by
 .... with Microsoft SMTP Server (TLS) id
 14.3.158.1; Fri, 7 Mar 2014 02:27:41 -0800
Received: from .... by ....
with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 7 Mar 2014 02:27:40 -0800
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A....Q
X-IPAS-Result: A....Q
X-IronPort-AV: E=Sophos;i="4.97,607,1389772800";
   d="scan'208";a="95624959"
Received: from a8-24.smtp-out.amazonses.com ([x.x.x.x])  by
 .... with ESMTP; 07 Mar 2014 02:27:40 -0800
Date: Fri, 7 Mar 2014 10:27:39 +0000
Return-Path: 00049c1581ee-0b0cfd-67d-48d-901-9bb1fc318-000000@amazonses.com
To: <abc@mycompany.com>
From: John Doe <johndoe@mycompany.com>
Reply-To: John Doe<johndoe@mycompany.com>
Subject: Test subject
Message-ID: <00049c1581ee-0b0cfd-67d-48d-901-9bb1fc318-000000@email.amazonses.com>
X-Mailer: PHPMailer 5.2.2 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"
X-SES-Outgoing: 2014.03.07-x.x.x.x
X-MS-Exchange-Organization-SCL: -1
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: mycompany.com
X-MS-Exchange-Organization-AuthAs: Anonymous
MIME-Version: 1.0
**************

In order for spam filters to allow the emails, you will have to do either or both of the following

  • add "include:amazonses.com" to your domain's DNS server's SPF (sender policy framework) records. Refer to Amazon docs on SPF: sender policy framework
  • add DKIM (domain keys identified mail) signature to your outbound email. Refer to Amazon docs on DKIM: easy dkim
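The DKIM, SPF and spam-filter posts above all come down to two questions a receiving server asks: which DNS record does the DKIM-Signature point at, and does the domain's SPF record authorize amazonses.com. As an added example (not from the original posts), the script below answers both offline from a captured header and TXT record; the selector, header values and SPF records are constructed samples modelled on the dig output and headers shown above.

```shell
#!/bin/sh
# Added example, not from the original posts: offline checks on a captured message.
# 1. From a DKIM-Signature header, derive the DNS name a verifier resolves
#    (<s>._domainkey.<d>, the name the dig command above queries) and confirm
#    d= aligns with the From: domain.
# 2. From the domain's SPF TXT record, confirm include:amazonses.com is present
#    and report what the trailing "all" mechanism does with unlisted senders.
# The header, selector and SPF records below are constructed sample data.

# dkim_tag HEADER TAG -> value of TAG in a (possibly folded) DKIM-Signature value
dkim_tag() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# dkim_dns_name HEADER -> the _domainkey name a verifier looks up for this signature
dkim_dns_name() {
    printf '%s._domainkey.%s\n' "$(dkim_tag "$1" s)" "$(dkim_tag "$1" d)"
}

# dkim_aligned HEADER FROM_ADDR -> 0 if d= equals the From: domain
dkim_aligned() {
    [ "$(dkim_tag "$1" d)" = "${2##*@}" ]
}

# spf_includes RECORD DOMAIN -> 0 if the SPF record carries include:DOMAIN
spf_includes() {
    case " $1 " in *" include:$2 "*) return 0 ;; esac
    return 1
}

# spf_all_policy RECORD -> how receivers treat senders not listed in the record
spf_all_policy() {
    case "$1" in
        *" -all") echo "fail: reject mail from unlisted servers" ;;
        *" ~all") echo "softfail: accept but tag mail from unlisted servers" ;;
        *" ?all") echo "neutral: no assertion" ;;
        *)        echo "no all mechanism: unlisted senders implicitly neutral" ;;
    esac
}

# Constructed sample inputs modelled on the headers and dig output in the posts.
SAMPLE_DKIM='v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
            s=exampleselector; d=mycompany.com; t=1394223775;
            h=From:To:Subject:Date:Message-ID; bh=AAAA=; b=BBBB='
SAMPLE_SPF_BEFORE='v=spf1 mx ip4:192.0.2.10 include:_spf.google.com ~all'
SAMPLE_SPF_AFTER='v=spf1 mx ip4:192.0.2.10 include:_spf.google.com include:amazonses.com ~all'

main() {
    echo "DKIM record to query: $(dkim_dns_name "$SAMPLE_DKIM")"
    if dkim_aligned "$SAMPLE_DKIM" noreply@mycompany.com; then echo "DKIM d= aligns with From"; fi
    for rec in "$SAMPLE_SPF_BEFORE" "$SAMPLE_SPF_AFTER"; do
        if spf_includes "$rec" amazonses.com; then echo "SPF: SES authorized"; else echo "SPF: SES missing"; fi
        echo "SPF all: $(spf_all_policy "$rec")"
    done
}
main "$@"
```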

Reporting EC2 instance abuse with Amazon

If your EC2 instance is compromised by an SSH attack or some other form of attack originating from another service hosted on Amazon infrastructure, you can report the incident to Amazon with details and logs proving the attack. The link for reporting abuse is:

Amazon EC2 instance abuse

Amazon takes immediate steps to inform the owner of the AWS account that hosts the EC2 instance from which the attack was launched. The AWS account owner will get an email such as the one below


Amazon AWS Service Limits

By default Amazon has service limits on each AWS account, in both EC2 and VPC. For example, you have to open a service limit ticket to increase the number of available Elastic IP addresses (EIPs) beyond 5 per region. Similarly, the number of EC2 instances that can be provisioned by default is 20. You can look at the tables of service limits on the AWS website: aws service limits

Browser warning when the depth of your wildcard server certificate does not match the depth of the site's domain and the SAN attribute does not explicitly contain the server's domain name

If your site is protected by a wildcard server certificate with a common name such as CN=*.mycompany.com, and the SAN (Subject Alternative Name) X.509 attribute contains the values *.mycompany.com and mycompany.com, then this certificate will cause a browser warning such as below


when protecting sites whose domain has a different depth, for example "site1.us-east-1.mycompany.com" or "site2.us-west-1.mycompany.com". A wildcard matches exactly one DNS label, so a certificate signed by a CA for *.mycompany.com covers site1.mycompany.com but not site1.us-east-1.mycompany.com; the depth of the site name has to match that of the certificate issued.

Two options are available to you:

  • Reissue the server certificate and ask the CA to add "site1.us-east-1.mycompany.com" and "site2.us-west-1.mycompany.com" explicitly to the SAN attribute of the server certificate.

(OR)

  • Modify your Route53 record set to match the depth of the certificate that was originally issued. For example, "site1.us-east-1.mycompany.com" will need to be changed to "site1-us-east-1.mycompany.com" and "site2.us-west-1.mycompany.com" to "site2-us-west-1.mycompany.com"
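Browsers match a wildcard against exactly one left-most label (RFC 6125), unlike a shell glob, where *.mycompany.com would match any depth. As an added example (not from the original post), the script below applies that rule to the certificate's SAN entries and the host names discussed above, so the warning can be predicted before a site is deployed.

```shell
#!/bin/sh
# Added example, not part of the original post: the host name matching a browser
# applies to certificate names, showing why *.mycompany.com covers
# site1-us-east-1.mycompany.com but not site1.us-east-1.mycompany.com.
# The SAN list and host names come from the post; nothing is fetched.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# name_matches PATTERN HOST -> 0 if a single certificate name covers HOST;
# "*" stands for exactly one DNS label (RFC 6125 section 6.4.3)
name_matches() {
    pat=$(lower "$1"); host=$(lower "$2")
    case "$pat" in
        '*.'*)
            suffix=${pat#\*.}            # labels after the wildcard
            first=${host%%.*}            # left-most label of the host
            rest=${host#*.}              # everything after the first dot
            [ -n "$first" ] && [ "$rest" = "$suffix" ] ;;
        *)  [ "$pat" = "$host" ] ;;
    esac
}

# cert_covers HOST NAME... -> 0 if any SAN entry (or the CN) covers HOST
cert_covers() {
    host=$1; shift
    for name in "$@"; do
        name_matches "$name" "$host" && return 0
    done
    return 1
}

SAN='*.mycompany.com mycompany.com'      # SAN values from the post's certificate

main() {
    for h in site1.us-east-1.mycompany.com site1-us-east-1.mycompany.com mycompany.com; do
        # $SAN is deliberately unquoted so it splits into the two SAN entries
        if cert_covers "$h" $SAN; then echo "$h: covered"; else echo "$h: browser warning"; fi
    done
}
main "$@"
```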


RHEL 6.4 bug causes SSH login issues into EC2 instance launched from an AMI created from an existing running RHEL 6.4 instance

When an instance is launched from an AMI that was created from an existing running RHEL 6.4 instance, we have to be aware of a bug in RHEL 6.4 where the UseDNS and PermitRootLogin settings end up present multiple times in the /etc/ssh/sshd_config file

bug ref:- RHEL 6.4 bug with EC2 AMI Copy

**********
$ tail -20 sshd_config
# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp  /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs serverUseDNS no
PermitRootLogin without-password
UseDNS no
PermitRootLogin without-password
UseDNS no
PermitRootLogin without-passwordUseDNS no
PermitRootLogin without-passwordUseDNS no
PermitRootLogin without-password
UseDNS no
PermitRootLogin without-password
*********

and in /etc/rc.local, which appends them on every boot

*******
$ cat rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
if [ ! -d /root/.ssh ] ; then
    mkdir -p /root/.ssh
    chmod 0700 /root/.ssh
    restorecon /root/.ssh
fi

# bz 707364
if [ ! -f /etc/blkid/blkid.tab ] ; then
        blkid /dev/xvda &>/dev/null
fi

cat <<EOL >> /etc/ssh/sshd_config
UseDNS no
PermitRootLogin without-password

******

To work around it, if the instance's root volume is an EBS volume: detach the volume, attach it as a new EBS volume to an existing instance, comment out the UseDNS and PermitRootLogin lines in sshd_config and in rc.local, then reattach the volume to the original EC2 instance.

Friday, March 14, 2014

Pingdom Uptime & downtime conversion cheat sheet

Determine the free space available in MySQL DB

To determine size of database:

mysql>SELECT table_schema "Data Base Name",
sum( data_length + index_length ) / 1024 /
1024 "Data Base Size in MB",
sum( data_free )/ 1024 / 1024 "Free Space in MB"
FROM information_schema.TABLES
GROUP BY table_schema ;

ref:- MySQL Forums



To determine size of tables within a particular database:

mysql> SELECT table_name AS "Tables",
round(((data_length + index_length) / 1024 / 1024), 2) "Size in MB"
FROM information_schema.TABLES
WHERE table_schema = "$DB_NAME"
ORDER BY (data_length + index_length) DESC;

Determine the size of databases in MySQL DB

mysql>SELECT table_schema                                        "DB Name",
   Round(Sum(data_length + index_length) / 1024 / 1024, 1) "DB Size in MB"
FROM   information_schema.tables
GROUP  BY table_schema;


 

Update DNS settings in VPC for instances to have hostnames using Amazon DNS service

If you would like your EC2 instances launched within a VPC to have DNS hostnames and also use Amazon's DNS service, make sure the boxes below are checked after creating the VPC:


Hostname resolution problems when you launch instances in non-default VPCs?

Typically when you create VPC (virtual private cloud) using VPC wizard, the VPC already has DHCP option sets created for you with "domain-name" attribute pointing to the region where the VPC was created and "domain-name-servers" pointing to Amazon DNS servers such as below:


Where a non-default VPC has been created, the "domain-name" attribute may need to point to "mycompany.com" and "domain-name-servers" to your company's DNS servers. Without this, the EC2 instances will not be publicly addressable.

A simple "ping" check can reveal problems with dhcp option set:
  • $ping ip-10-98-0-1.eu-west-1.compute.internal - will RESOLVE
  • $ping ip-10-98-0-1 - will FAIL
Also, you can check on the actual instance by running a $hostname command. The AWS console will also give you additional information about Public/Private DNS


You can refer to detailed documentation on Amazon site below:-

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html


Thursday, March 13, 2014

Configuring AWS ELB present complete certificate chain for SSL server verification

Some REST clients, as well as Salesforce applications, require servers to present the server certificate along with the chain of intermediate certificates all the way up to the root certificate. If only the server certificate is presented, the client may throw an exception like

System.VisualforceException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In order to overcome the above exception, you have to configure your web server to present the complete chain. Where the SSL connection is terminated at the Amazon load balancer, you will have to configure the chain in the section below of the ELB's "Listener" page:



  1. Give the certificate a name in the "Certificate Name" box.
  2. Paste the unencrypted RSA private key in PEM format in the "Private Key" box:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

  3. Paste the X.509 public certificate in PEM format in the "Public Key Certificate" box:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

  4. Paste the intermediate and root certificates in the "Certificate Chain" box:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Once the above has been configured, you can choose this for the https port on the ELB.


Disabling phpinfo() in a joomla site to prevent fingerprinting

If you are running a Joomla site, you can disable phpinfo() to prevent fingerprinting of the PHP installation

$cat phpinfo.php


Once disabled, users cannot view the below info from the site:-


Way to determine whether Apache httpd is using prefork MPM or worker MPM

1. To determine modules httpd is compiled with run

$ /opt/apache2/bin/httpd -l


2. To determine the MPM in use

$/opt/apache2/bin/httpd -V


Recursive find command in unix grepping for a string

$find . -type f -exec grep -i "hello" {} \; -print


Enabling 'x-forwarded-for' header in apache configuration to log actual client ip address

To log the actual client IP address from the X-Forwarded-For header of a request using an Apache server, make the following changes to the apache httpd.conf file


  1. Log into the EC2 instance running apache httpd process.
  2. Navigate to /etc/httpd/conf or /opt/products/apache2/conf path and open the file httpd.conf.
  3. Search for the string: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  4. Change the %h to %{X-Forwarded-For}i. The string now reads: LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  5. Save the httpd.conf file and restart httpd process (if running as service "sudo service httpd restart")
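X-Forwarded-For is a comma-separated list to which every proxy appends the peer address it saw, so only the entries added by proxies you run (the ELB here) are trustworthy; a client can put anything further left. As an added example (not from the original post), the script below keeps %h alongside the header in the LogFormat and picks the client address written by the trusted hop; the header values are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: X-Forwarded-For arrives as
# "client, proxy1, proxy2", each hop appending the address it saw. Logging
# %{X-Forwarded-For}i on its own records whatever the client sent first, so
# the log format below keeps %h (the direct peer, i.e. the ELB) as well, and
# xff_client_ip picks the entry written by the trusted proxy.
# Header values are constructed samples.

# Keeps the direct peer (%h) and the full X-Forwarded-For list side by side.
LOGFORMAT='LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined'

# xff_client_ip HEADER_VALUE TRUSTED_HOPS -> the client address as recorded by the
# first trusted proxy; entries left of it are client-supplied and ignored
xff_client_ip() {
    list=$(printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -v '^$')
    n=$(printf '%s\n' "$list" | grep -c .)
    idx=$((n - $2 + 1))
    [ "$idx" -ge 1 ] || idx=1            # fewer entries than hops: take the first
    printf '%s\n' "$list" | sed -n "${idx}p"
}

main() {
    echo "$LOGFORMAT"
    # genuine request through one ELB
    xff_client_ip '198.51.100.7' 1
    # client sent its own header; the ELB appended the real source last
    xff_client_ip '203.0.113.77, 198.51.100.7' 1
    # ELB then an internal reverse proxy, both trusted
    xff_client_ip '198.51.100.7, 10.0.0.5' 2
}
main "$@"
```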