Running Apache w/o nginx? Beware! - GoFuckYourself.com

just a punk · 08-25-2011, 05:14 AM

The killapache.pl launches in a few threads the following simple request:

Quote:

GET / HTTP/1.1
Host: example.com
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,<...>,5-1299,5-1300
Accept-Encoding: gzip
Connection: close

And if there is no nginx installed your Apache server will be easily laid down.

Here is a simple command to check if your server is vulnerable:

Quote:

curl -I -H "Range: bytes=0-1,0-2" -s yourserver.com/robots.txt | grep Partial

If you received 206 Partial Content, you are in big trouble.

just a punk · 08-25-2011, 05:18 AM

http://www.gossamer-threads.com/lists/apache/dev/401638

Babaganoosh · 08-25-2011, 06:02 AM

Looks like many of mine are vulnerable. On my dev server I get the message "Host does not seem vulnerable" after disabling mod_deflate.

Edit: nevermind...looks like a fluke. Still vulnerable.

Klen · 08-25-2011, 06:18 AM

What is this "apache" you speaking of

just a punk · 08-25-2011, 06:25 AM

Quote:

Originally Posted by KlenTelaris

What is this "apache" you speaking of

Babaganoosh · 08-25-2011, 06:37 AM

Haha just crashed my dev server with the tool.

Klen · 08-25-2011, 06:42 AM

Quote:

Originally Posted by Babaganoosh

Haha just crashed my dev server with the tool.

Huh,some of largest tube sites still running on apache....Makes me wonder....

Babaganoosh · 08-25-2011, 06:44 AM

Quote:

Originally Posted by KlenTelaris

Huh,some of largest tube sites still running on apache....Makes me wonder....

After checking a few of them I am 100% confident that I could drop them all within a couple of minutes.

Klen · 08-25-2011, 06:46 AM

Quote:

Originally Posted by Babaganoosh

After checking a few of them I am 100% confident that I could drop them all within a couple of minutes.

Can you do it just for fun

Babaganoosh · 08-25-2011, 06:47 AM

Quote:

Originally Posted by KlenTelaris

Can you do it just for fun

haha no way, I never mess with someone else's stuff.

If they had ever stolen content from me and if I couldn't be prosecuted where I live...maybe.

fuzebox · 08-25-2011, 07:28 AM

Workaround:

Code:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]

Babaganoosh · 08-25-2011, 07:32 AM

Quote:

Originally Posted by fuzebox

Workaround:

Code:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]

That will break streaming, won't it?

fuzebox · 08-25-2011, 07:48 AM

Quote:

Originally Posted by Babaganoosh

That will break streaming, won't it?

Yes I suppose it could. My streaming is done via lighttpd, so it doesn't bother me.

Babaganoosh · 08-25-2011, 08:16 AM

Quote:

Originally Posted by fuzebox

Yes I suppose it could. My streaming is done via lighttpd, so it doesn't bother me.

It works on the domains I don't stream on and that's what really matters to me. My low-traffic, high income sites aren't vulnerable anymore. I have some blogs that stream from media.domain.com but as long as nobody targets the server those subdomains are on I guess I am ok.

This hack freaks me out. This is the first one I have been vulnerable to EVER.

Klen · 08-25-2011, 08:22 AM

Quote:

Originally Posted by Babaganoosh

It works on the domains I don't stream on and that's what really matters to me. My low-traffic, high income sites aren't vulnerable anymore. I have some blogs that stream from media.domain.com but as long as nobody targets the server those subdomains are on I guess I am ok.

This hack freaks me out. This is the first one I have been vulnerable to EVER.

Feel free to send me your domains if you want me to test are they vulnerable or not

raymor · 08-25-2011, 09:22 AM

A working patch is already available, though it will be improved in the next few days.

raymor · 08-25-2011, 09:37 AM

I gotta chuckle at the nginx fanboy who's never heard of noatime using this to pitch nginx.
It's a little like suggesting that people avoid the latest Vista bug by running Windows 95, isn't it.

just a punk · 08-25-2011, 09:41 AM

Not at all. The wise ppl. using Apache as a main server. nginx should be used for static content only.

Klen · 08-25-2011, 12:53 PM

Quote:

Originally Posted by cyberxxx

Not at all. The wise ppl. using Apache as a main server. nginx should be used for static content only.

It is common recommendation,but there is simply no need for it since nginx can do almost anything what apache do,including CGI.Plus it do even some non-optimization related things better then apache.

Klen · 08-25-2011, 12:55 PM

Quote:

Originally Posted by raymor

I gotta chuckle at the nginx fanboy who's never heard of noatime using this to pitch nginx.
It's a little like suggesting that people avoid the latest Vista bug by running Windows 95, isn't it.

Just for the record,i using noatime along with nginx plus many other optimization methods for which you clueless noob probably never heard.

Babaganoosh · 08-25-2011, 01:11 PM

Quote:

Originally Posted by KlenTelaris

Just for the record,i using noatime along with nginx plus many other optimization methods for which you clueless noob probably never heard.

Why do you think you need nginx?

Klen · 08-25-2011, 01:30 PM

Quote:

Originally Posted by Babaganoosh

Why do you think you need nginx?

It's simply my personal choice,and also way way easier to manage then apache.While you can by stripping apache modules and it's configuration reduce load,on nginx it's enough to install it and it already work better then optimized apache,not the mention you can optimize it further then too.I mean seriously,why i would bother with apache if on nginx i have everything what i need,everything works there and never having any problem unlike on apache which was constant issue till i went to nginx before 4 years.Also,currently nginx is not champion when it comes to load optimization there is one even better solution but for my traffic levels nginx do the job.

fris · 08-25-2011, 05:53 PM

if gzip is disabled it doesnt effect it

raymor · 08-25-2011, 06:37 PM

Digging through the nginx code and testing, I found the apparent advantage for nginx was simply that it basically forces noatime as one of it's bugs.
iIn our testing, Apache beats nginx + Apache as long as you use noatime. Just as you'd expect from profiling either, the time is spent on io, so Apache by itself is just as fast as nginx by itself. Neither can magically make the disks faster. Alternatively, if you don't want noatime, nginx is a non-starter because it skips atime updates whether you like it or not.

08-25-2011, 05:18 AM	#2
just a punk So fuckin' bored Industry Role: Join Date: Jun 2003 Posts: 32,386	http://www.gossamer-threads.com/lists/apache/dev/401638 __________________ Obey the Cowgod

08-25-2011, 06:02 AM	#3
Babaganoosh ♥♥♥ Likes Hugs ♥♥♥ Industry Role: Join Date: Nov 2001 Location: /home Posts: 15,841	Looks like many of mine are vulnerable. On my dev server I get the message "Host does not seem vulnerable" after disabling mod_deflate. Edit: nevermind...looks like a fluke. Still vulnerable. Last edited by Babaganoosh; 08-25-2011 at 06:11 AM..

08-25-2011, 07:28 AM	#11
fuzebox making it rain Industry Role: Join Date: Oct 2003 Location: seattle Posts: 22,130	Workaround: Code: RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(HEAD\|GET) [NC] RewriteCond %{HTTP:Range} ([0-9]-[0-9])(\s,\s[0-9]-[0-9])+ RewriteRule .* - [F]

08-25-2011, 09:22 AM	#16
raymor Confirmed User Join Date: Oct 2002 Posts: 3,745	A working patch is already available, though it will be improved in the next few days. __________________ For historical display only. This information is not current: support@bettercgi.com ICQ 7208627 Strongbox - The next generation in site security Throttlebox - The next generation in bandwidth control Clonebox - Backup and disaster recovery on steroids

08-25-2011, 09:37 AM	#17
raymor Confirmed User Join Date: Oct 2002 Posts: 3,745	I gotta chuckle at the nginx fanboy who's never heard of noatime using this to pitch nginx. It's a little like suggesting that people avoid the latest Vista bug by running Windows 95, isn't it. __________________ For historical display only. This information is not current: support@bettercgi.com ICQ 7208627 Strongbox - The next generation in site security Throttlebox - The next generation in bandwidth control Clonebox - Backup and disaster recovery on steroids

08-25-2011, 06:18 AM	#4
Klen Industry Role: Join Date: Aug 2006 Location: Little Vienna Posts: 32,235	What is this "apache" you speaking of

08-25-2011, 06:37 AM	#6
Babaganoosh ♥♥♥ Likes Hugs ♥♥♥ Industry Role: Join Date: Nov 2001 Location: /home Posts: 15,841	Haha just crashed my dev server with the tool.

08-25-2011, 09:41 AM	#18
just a punk So fuckin' bored Industry Role: Join Date: Jun 2003 Posts: 32,386	Not at all. The wise ppl. using Apache as a main server. nginx should be used for static content only. __________________ Obey the Cowgod

08-25-2011, 05:53 PM	#23
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,372	if gzip is disabled it doesnt effect it __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff

08-25-2011, 06:37 PM	#24
raymor Confirmed User Join Date: Oct 2002 Posts: 3,745	Digging through the nginx code and testing, I found the apparent advantage for nginx was simply that it basically forces noatime as one of it's bugs. iIn our testing, Apache beats nginx + Apache as long as you use noatime. Just as you'd expect from profiling either, the time is spent on io, so Apache by itself is just as fast as nginx by itself. Neither can magically make the disks faster. Alternatively, if you don't want noatime, nginx is a non-starter because it skips atime updates whether you like it or not. Last edited by raymor; 08-25-2011 at 06:40 PM..