Category Archives: Web

Web related topics-server-cdn-sessions

How to update certificate to use the SHA-2 hashing algorithm

Followed by National Institute of Standards and Technology (NIST) recommendations certificates encrypted with the Secure Hash Algorithm-1 (SHA-1) algorithm will stop supporting after 2017.Accourding to experts, using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.SHA-1(more than 98%) is currently the most widely used digest algorithm.
Microsoft is announcing a policy change to the Microsoft Root Certificate Program and Windows will stop accepting SHA-1 end-entity certificates by January 1, 2017, and will stop accepting SHA-1 code signing certificates without timestamps after January 1, 2016.

Google Chrome has started warning end users when they connect to a secure website using SSL certificates encrypted with the SHA-1 algorithm (read google blog

Read more how to do

How to update certificate to use the SHA

Google Authenticator

Google Authenticator is an application that implements Time-based One-time Password Algorithm (TOTP) security tokens in mobile apps made by Google.The Authenticator can also generate codes for third-party applications or file hosting services.Previous versions of the software were open source but subsequent releases are proprietary.
The service provider generates an 80-bit secret key for each user (in contravention of RFC 4226 §4[33]). This is provided as a 16, 24 or 32 character base32 string or as a QR code. The client creates an HMAC-SHA1 using this secret key.
users will install the Authenticator app on their smartphone to log into a site or service that uses two-factor authentication, they provide user name and password to the site and run the Authenticator app which produces an additional six-digit one-time password. The user provides this to the site, the site checks it for correctness and authenticates the user.
how works fig2
How to two-step authentication is enabled for your Google account

1.Make sure that two-step authentication is enabled and configured for your account.
2.Download and install the app on your Android device or on your iPhone, iPad or iPod Touch
3.Login to your Google account at Choose “Security” from the left-side menu, then look for “2-step verification” and click “Edit”. You may need to login again.
Connect your Google Authenticator app to your Google account by following the prompts after “How to Connect” a Mobile Application.

Setting up for google applications.
fig1 fig5 fig4 fig3
Setting up OTP for  WordPress









Install Google Authenticator

How to Browser Default Language changing

Below documents shows how to change default language in Internet Explorer,Mozilla and Chrome.

Browser Default Language changing

Nginx using as load balancer

Basic HTTP server features

Serving static and index files, autoindexing; open file descriptor cache;
Accelerated reverse proxying with caching; simple load balancing and fault tolerance;
Accelerated support with caching of FastCGI, uwsgi, SCGI, and memcached servers; simple load balancing and fault tolerance;
Modular architecture. Filters include gzipping, byte ranges, chunked responses, XSLT, SSI, and image transformation filter. Multiple SSI inclusions within a single page can be processed in parallel if they are handled by proxied or FastCGI/uwsgi/SCGI servers;
SSL and TLS SNI support.
Other HTTP server features

Name-based and IP-based virtual servers;
Keep-alive and pipelined connections support;
Flexible configuration;
Reconfiguration and upgrade of an executable without interruption of the client servicing;
Access log formats, buffered log writing, fast log rotation, and syslog logging;
3xx-5xx error codes redirection;
The rewrite module: URI changing using regular expressions;
Executing different functions depending on the client address;
Access control based on client IP address, by password (HTTP Basic authentication) and by the result of subrequest;
Validation of HTTP referer;
The PUT, DELETE, MKCOL, COPY, and MOVE methods;
FLV and MP4 streaming;
Response rate limiting;
Limiting the number of simultaneous connections or requests coming from one address;
Embedded Perl.

Load balancing methods

The following load balancing mechanisms (or methods) are supported in nginx:

round-robin — requests to the application servers are distributed in a round-robin fashion,
least-connected — next request is assigned to the server with the least number of active connections,
ip-hash — a hash-function is used to determine what server should be selected for the next request (based on the client’s IP address).
Default load balancing configuration

The simplest configuration for load balancing with nginx may look like the following:

http {
upstream myapp1 {

server {
listen 80;

location / {
proxy_pass http://myapp1;
In the example above, there are 3 instances of the same application running on srv1-srv3. When the load balancing method is not specifically configured, it defaults to round-robin. All requests are proxied to the server group myapp1, and nginx applies HTTP load balancing to distribute the requests.

Reverse proxy implementation in nginx includes load balancing for HTTP, HTTPS, FastCGI, uwsgi, SCGI, and memcached.

To configure load balancing for HTTPS instead of HTTP, just use “https” as the protocol.

When setting up load balancing for FastCGI, uwsgi, SCGI, or memcached, use fastcgi_pass, uwsgi_pass, scgi_pass, and memcached_pass directives respectively.

Least connected load balancing

Another load balancing discipline is least-connected. Least-connected allows controlling the load on application instances more fairly in a situation when some of the requests take longer to complete.

With the least-connected load balancing, nginx will try not to overload a busy application server with excessive requests, distributing the new requests to a less busy server instead.

Least-connected load balancing in nginx is activated when the least_conn directive is used as part of the server group configuration:

upstream myapp1 {
Session persistence

Please note that with round-robin or least-connected load balancing, each subsequent client’s request can be potentially distributed to a different server. There is no guarantee that the same client will be always directed to the same server.

If there is the need to tie a client to a particular application server — in other words, make the client’s session “sticky” or “persistent” in terms of always trying to select a particular server — the ip-hash load balancing mechanism can be used.

With ip-hash, the client’s IP address is used as a hashing key to determine what server in a server group should be selected for the client’s requests. This method ensures that the requests from the same client will always be directed to the same server except when this server is unavailable.

To configure ip-hash load balancing, just add the ip_hash directive to the server (upstream) group configuration:

upstream myapp1 {

Weighted load balancing

It is also possible to influence nginx load balancing algorithms even further by using server weights.

In the examples above, the server weights are not configured which means that all specified servers are treated as equally qualified for a particular load balancing method.

With the round-robin in particular it also means a more or less equal distribution of requests across the servers — provided there are enough requests, and when the requests are processed in a uniform manner and completed fast enough.

When the weight parameter is specified for a server, the weight is accounted as part of the load balancing decision.

upstream myapp1 {
server weight=3;

With this configuration, every 5 new requests will be distributed across the application instances as the following: 3 requests will be directed to srv1, one request will go to srv2, and another one — to srv3.

It is similarly possible to use weights with the least-connected and ip-hash load balancing in the recent versions of nginx.

Health checks

Reverse proxy implementation in nginx includes in-band (or passive) server health checks. If the response from a particular server fails with an error, nginx will mark this server as failed, and will try to avoid selecting this server for subsequent inbound requests for a while.

The max_fails directive sets the number of consecutive unsuccessful attempts to communicate with the server that should happen during fail_timeout. By default, max_fails is set to 1. When it is set to 0, health checks are disabled for this server. The fail_timeout parameter also defines how long the server will be marked as failed. After fail_timeout interval following the server failure, nginx will start to gracefully probe the server with the live client’s requests. If the probes have been successful, the server is marked as a live one.

Other posts


nginx [engine x] is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. According to Netcraft, nginx served or proxied 21.21% busiest sites in February 2015.Netflix,, FastMailare used by ngix for eg.

Apache powers more websites,because it has been available for so many years and Microsoft IIS is in next place.Using apache slows down under heavy load, because of the need to spawn new processes,it also creates new threads that must compete with others for access to memory and CPU.

Installation and configurations


TMG2010-End Of Life

Microsoft discontinued(EOL-End Of Life)Forefront TMG 2010 product.Thismeans

there will not be another new version of TMG in the future, and there will be

no more feature enhancements made to TMG (only security updates and bug

fixes),But announced will continue to provide mainstream support for TMG until

April 14, 2015, and extended support until April 14, 2020. The Forefront TMG

2010 Web Protection Services (WPS) will be discontinued on December 31, 2015.

Beginning on January 1, 2016, Web Protection Services (URL filtering,

virus/malicious software scanning, and Network Inspection System) will

continue to function but will no longer receive updates.

This is the time to think to considering a replacement for your Forefront TMG

2010 firewall deployed your network.

AS per Richard Hicks from Celestix networks,Microsoft OEM partner They also

stated that they would discontinue selling TMG later that year.


There is no reason reported from Microsoft,but seems to be Forefront TMG 2010

cannot be installed on the latest release of the Windows Server operating

system(windows 2012).Supported OS is(recommended os by Microsoft is Windows

Server 2008 R2 which is not as secure as Windows Server 2012 R2.Also, not

possible to install Forfront on Windows Server core


Medium to large enterprise want more than the basic protection capabilities

and not likely to rely on Windows Defender (or Microsoft Security Essentials).
Read Microsoft official annoncement of product lifecycle.


So,what is the replacement for TMG used places

Replacing TMG with UTM
Celestix MSA



Web cache/accelerator/filter/proxy:Sqiud/varnish/Nginx

Microsoft Forefront Threat Management Gateway (TMG) 2010

Forefront TMG is a comprehensive secure web gateway solution that helps to

protect users from web-based threats(a proxy server, a firewall, a web content

filtering, a VPN Server,intrusion prevention,malware inspection etc).This is

revised version of Microsoft Internet Security and Acceleration Server (ISA

Server)of windows 2008(

What’s new in Forefront TMG 2010 SP2

For making your system as TMG, you required 2 Network card ,one is LAN

(internal networks)and a WAN(Internet)

System requirements for Forefront TMG

Installations are usual by clicking next and finish.

Installation design guide for Forefront TMG

There is a step by step guide from

HTTP and HTTPS rule

By default all access rules are denied. You need to Create web access rules

for internal networks allowing HTTP and HTTPs traffic pass through from

internal network to external and perimeter. Also allow HTTP and HTTPs traffic

pass through from perimeter to external and internal.

Click Firewall Policy>Click Create Access Rule on Task Pan.

Installing Forefront TMG on a domain controller

Configuring networks and routing

Configuring roles and permissions

Configuring client computers

Configuring client authentication servers

Configuring Network Access Protection


Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered

this SSL(Secure Socket Layer) vulnerability in September 2014.The POODLE

(Padding Oracle On Downgraded Legacy Encryption) attack are not serious as the

Heartbleed and Shellshock attacks.On December 8, 2014 a variation of the

POODLE vulnerability that impacted TLS was announced.
The CVE ID’s(CVE-2014-3566 and CVE-2014-8730) associated with the original

POODLE attack and F5 Networks’ faulty implementation of TLS that allows


There is currently no fix for the vulnerability SSL 3.0.To mitigate the POODLE

attack,completely disable SSL 3.0 on the Server and client side.But, some old

clients and servers do not support TLS 1.0 and above. Thus,for such clients

browser and server better to implement TLS_FALLBACK_SCSV.

Browser enabled
Opera 25 has implemented this mitigation in addition to TLS_FALLBACK_SCSV.
Chrome 39,already support TLS_FALLBACK_SCSV.
Mozilla has disabled SSL 3.0 in Firefox 34 and ESR 31.3, which were released

in December 2014, and will add support of TLS_FALLBACK_SCSV in Firefox 35.
Microsoft announced the plan to disable SSL 3.0 by default in their products

and services and a fix for to disable SSL 3.0 in Internet Explorer and Windows

Apple’s Safari (on OS X 10.8, iOS 8.1 and later) has been mitigated against

POODLE by removing support for all CBC protocols in SSL 3.0.

Service providers status
OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and

recommend the following upgrades
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.OpenSSL 0.9.8 users should

upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent

downgrade attacks

Akamai, a popular CDN, has accelerated its deprecation of SSL 3.0.
CloudFlare has disabled SSL 3.0 support by default for all customers.
Twitter and Wikimedia have dropped support of SSL 3.0 to prevent the POODLE



How to check your server&client
Web site test

Client test

Resolutions for Server and Clients

Disable in Microsoft Server
Microsoft OS registry disable for SSL

\SCHANNEL\Protocols\SSL 3.0\Server
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.
Type 00000000 in Binary Editor to set the value of the new key equal to “0”

and restart.

CVE-2014-3566 – KB3009008

How to disable SSLv3 in Apache?
Include “SSLProtocol all -SSLv2 -SSLv3 ” within every VirtualHost in

httpd.conf of version 2.2.23

DocumentRoot /var/www/directory

SSLEngine on

SSLProtocol all -SSLv2 -SSLv3


Note : if there is separeate ssl configuration like Ubuntu 10.04
/etc/apache2/mods-available/ssl.conf :
SSLProtocol all -SSLv2 -SSLv3

For httpd version 2.2.22 and older, only specify TLSv1. This is treated as a

wildcard for all TLS versions.

SSLProtocol TLSv1

For Apache + mod_nss, edit /etc/httpd/conf.d/nss.conf to allow only TLS 1.0+.

NSSProtocol TLSv1.0,TLSv1.1

Apache Tomcat Web server
Tomcat 5

Configured via $TOMCAT_HOME/conf/server.xml

port=”8443″ maxThreads=”200″
SSLEnabled=”true” scheme=”https” secure=”true”
clientAuth=”false” sslProtocols = “TLSv1,TLSv1.1,TLSv1.2″ />

Tomcat 6,7

port=”8443″ maxThreads=”200″
SSLEnabled=”true” scheme=”https” secure=”true”
clientAuth=”false” sslEnabledProtocols = “TLSv1,TLSv1.1,TLSv1.2” />

For Lighttpd 1.4.28+, edit /etc/lighttpd/lighttpd.conf

ssl.use-sslv2 = “disable”

ssl.use-sslv3 = “disable”

Postfix SMTP
Modify the smtpd_tls_mandatory_protocols configuration line.


Modify the LOCAL_CONFIG section of the file.


ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3


ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

For Dovecot 2.1+, edit /etc/dovecot/local.conf to add the below lines and then

restart Dovecot.

ssl_protocols = !SSLv2 !SSLv3

For Dovecot 2, edit /etc/dovecot/conf.d/10-ssl.conf to add the below lines and

then restart Dovecot.

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL

For Ubuntu 12.04, edit /etc/courier/imapd-ssl.






HAProxy Server
Edit the bind line in your /etc/haproxy.cfb file.

bind :443 ssl crt  ciphers  no-sslv3

Modify the ssl_protocols directive to only use TLSv1, TLSv1.1, and TLSv1.2. If

you do not have a ssl_protocols directive, add it to the top of your

configuration file.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

389 Directory Server
Modify cn=encryption,cn=configA and restart the server.

ldapmodify -x -D “cn=Directory Manager” -W <<EOF

dn: cn=encryption,cn=config

changetype: modify

replace: nsSSL3

nsSSL3: off

Enabling on Browser Settings
right click on shortcu and go to properties,and go to end “C:\Program Files

\Google\Chrome\Application\chrome.exe” add type ––ssl-version-min=tls1

Click on the Settings and then Internet options,advanced tab then security

section,un check SSL and check TLS

download and install the SSL Version Control 0.2 add-on from
Alternatively, you can set the value security.tls.version.min = 1 in the

about:config dialog.

Apple has released Security Update 2014-005, which disables CBC-mode ciphers

in coordination with SSLv3.

Mac OS Mavericks:
MAC OS Mountain Lion:
MAC OS Yosemite:

Hardware providers
F5 Networks

A10 Networks


Cisco Networks



Juniper Networks

Note:POODLE attack against TLS
A new variant of the original POODLE attack was announced on December 8, 2014.

This attack exploits implementation flaws of CBC mode ciphers in the TLS 1.0 –

1.2 protocols. Even though TLS specifications require servers to check the

padding, some implementations fail to validate it properly, which makes some

servers vulnerable to POODLE even if they disable SSL 3.0. SSL Pulse showed

“about 10% of the servers are vulnerable to the POODLE attack against TLS”

before this vulnerability is announced. The CVE ID for F5 Networks’

implementation bug is CVE-2014-8730. The entry in NIST’s NVD states that this

CVE ID is to be used only for F5 Networks’ implementation of TLS, and that

other vendors whose products have the same failure to validate the padding

mistake in their implementations like A10 Networks and Cisco Systems need to

issue their own CVE ID’s for their implementation errors because this is not a

flaw in the protocol itself and is a flaw in the protocol’s implementation.

The POODLE attack against TLS was found to be easier to initiate than the

initial POODLE attack against SSL. There is no need to downgrade clients to

SSL 3.0, requiring less real-world scenarios to appear active.

Openssl cert generation

Generate a Private Key
This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

openssl genrsa -des3 -out server.key 1024

Generate a CSR (Certificate Signing Request)
These are the X.509 attributes of the certificate.

openssl req -new -key server.key -out server.csr

Remove Passphrase from Key
One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started.

cp server.key
openssl rsa -in -out server.key

Generating a Self-Signed Certificate
To generate a temporary certificate which is good for 365 days

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Installing the Private Key and Certificate
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key

If using certificates in Apache then

Configuring SSL Enabled Virtual Hosts

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent “.*MSIE.*” nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”

Restart Apache and Test

/etc/init.d/httpd stop
/etc/init.d/httpd stop

SVN installation under linux

yum install httpd
yum -y install subversion mod_dav_svn
mkdir -p /var/www/svn/repository
cd /var/www/svn/repository
svnadmin create test_svn
chown -R apache.apache svn
vim subversion.conf
vi /etc/httpd/conf/httpd.conf
/etc/init.d/httpd restart
cd /var/www/svn/repository/
vi activities.
vi activities.dir
vi svnserve.conf
lsof | grep svn
strings activities.pag |less
svnadmin help
svnadmin list-dblogs
svnadmin list-dblogs /var/www/svn/repository/
svn co /var/www/svn/repository/test_svn/
svn status
#command to type svn as a service
svnserve -d
ps -ef|egrep -ir svn
rpm -ql subversion
rpm -ql subversion|egrep -ir init
rpm -ql subversion|egrep -ir init|less
rpm -ql subversion|egrep -ir scri
ps -ef|egrep -ir svn
netstat -anp|less
svn co  http://svnadmin:svnadmin@localhost:3690/test_svn
svn co file://var/www/svn/repository/test_svn/
svn co file:///var/www/svn/repository/test_svn/
svn update

client(tortoise svn)
svncheckout(add url-
repobrowser open create dir-create files
then svn commit
svn update after changing

%d bloggers like this: