Disable Trace method – PCI
For PCI compliance it’s often required that you disable the HTTP TRACE method. This can be done by adding the following to your apache config (httpd.conf):
TraceEnable off
In cpanel we typically add this entry in the following file:
/usr/local/apache/conf/includes/pre_main_global.conf
Then restart apache:
/etc/init.d/httpd restart
Then you can test it:
telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
testing… <- ENTER twice
You should receive an error – i.e.
HTTP/1.1 403 Forbidden
Date: Sat, 20 Oct 2007 20:38:31 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1
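As an added example (not from the original post), the following shell check does what the telnet test above does by eye: it reads the status line and Content-Type of a TRACE response and reports whether TRACE is disabled. The live check uses curl; the sample responses are constructed so it can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post: decide from a raw HTTP response
# whether TRACE is disabled. With TraceEnable off, Apache answers TRACE with
# 403 (2.2-era builds, as in the session above) or 405 (newer builds). When
# TRACE is still enabled it echoes the request back with 200 and a
# Content-Type of message/http.
# Prints disabled/enabled/unknown and returns 0/1/2 respectively.
classify_trace_response() {
    resp=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$resp" | head -n 1 | awk '{print $2}')
    ctype=$(printf '%s\n' "$resp" | grep -i '^Content-Type:' | head -n 1 \
            | awk '{print tolower($2)}')
    case "$status" in
        403|405) printf 'disabled\n'; return 0 ;;
        200)
            case "$ctype" in
                message/http*) printf 'enabled\n'; return 1 ;;
                *) printf 'unknown\n'; return 2 ;;
            esac ;;
        *) printf 'unknown\n'; return 2 ;;
    esac
}

# Live check of one host (needs network; the samples below are for offline
# runs): curl -i returns the status line and headers of the TRACE response.
check_trace() {
    classify_trace_response "$(curl -s -i -X TRACE --max-time 5 "http://$1/")"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_DISABLED='HTTP/1.1 403 Forbidden
Date: Sat, 20 Oct 2007 20:38:31 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close'

SAMPLE_ENABLED='HTTP/1.1 200 OK
Content-Type: message/http
Connection: close

TRACE / HTTP/1.0
Host: foo'

# Usage: check_trace www.example.com
```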
httpd fullstatus
Here’s a quick apache command that will help you with tracking down apache processes and usage:
httpd fullstatus
Mod Security Whitelist IP
Sometimes it’s necessary to whitelist an IP address so it can get past the mod_security filters. This is a great feature in case you want to open the filters for one visitor while leaving the security features in place.
Open the mod_security whitelist file:
vi /usr/local/apache/conf/modsec2/whitelist.conf
Code:
SecRule REMOTE_ADDR "^111\.222\.333\.444$" phase:1,nolog,allow,ctl:ruleEngine=off
Where 111.222.333.444 would be replaced with the IP address you wish to whitelist. The dots are escaped and the pattern is anchored with ^ and $ so the rule matches only that exact address, not any other address that happens to share the same leading digits.
Disable mod security
It’s easy to disable mod security, however the fix varies depending upon the version of mod_security and the way that it has been installed. For mod_security 1.X try the following in a .htaccess within the user’s home folder:
SecFilterEngine Off
If that causes a site error or doesn’t work, you’re most likely using mod_security 2.X. To disable mod_security on version 2.X:
First you have to find the path to your whitelist file. To find this cd into your apache configuration folder. On cpanel you would run:
cd /usr/local/apache/conf
Then run:
grep whitelist *|grep modsec
This should show you the exact location of your whitelist file. If the file doesn’t exist create it using touch or vi. Once the file has been created add the following:
SecRule SERVER_NAME "yourdomain\.com" phase:1,nolog,allow,ctl:ruleEngine=off
Be sure to replace yourdomain.com with the domain that you want to disable mod_security on (use straight double quotes and keep the backslash before the dot, so the dot matches literally). Then save the file and restart apache.
critical_create No space left on device
Recently we attempted to restart apache on a client’s server and we received the following error:
critical_create(): semget() failed: No space left on device
Although the error hints at a disk space issue, it actually has nothing to do with the available disk space: semget() fails with "No space left on device" when the kernel’s limit on System V semaphore sets has been reached because the semaphores of earlier apache processes were never released. To resolve this you have two options:
1.) You could reboot the server which will clear the apache semaphores
2.) Or you can run the following:
killall -9 httpd
for i in $(ipcs -s | grep httpd | awk '{print $2}'); do ipcrm -s "$i"; done
This lists the semaphore sets (ipcs -s) owned by httpd, pulls out each semid and passes it to ipcrm -s, which marks that System V IPC kernel object for removal. In short it frees the semaphore slots the kernel was still holding for the dead processes so there is room to restart the service. The grep matches the owner column, so if ipcs shows the semaphores under the user apache runs as (for example nobody on cpanel), grep for that name instead. Once you run this command simply restart apache!
/etc/init.d/httpd restart
Disable directory indexing
The easiest way to disable directory indexing is to update/create a .htaccess. Add the following to a .htaccess file within your primary web folder:
Options -Indexes
Apache Basics
Secure config file:
vi /usr/local/apache-ssl/conf/httpd.conf
Normal config file:
vi /etc/httpd/conf/httpd.conf
Use this command when Apache is already running and you have just made a change to a configuration file:
# /usr/local/bin/httpd.reload
Use this command if Apache is down and needs to be started:
# /usr/local/bin/httpd.reload --restart
The Apache Error Log:
tail -35 /var/log/httpd/error_log
No listening sockets
httpd not running, trying to start
no listening sockets available, shutting down
Unable to open logs
Look for log files greater than 2GB in size. This usually occurs when a log file grows too large for the server to open (older builds without large-file support cannot open files over 2GB), or when the file system has been remounted read-only due to drive errors.