DeveloperSide.NET Forums

DeveloperSide.NET => Web.Developer Server Suite Community Edition,
Public Support Forum => Topic started by: admin on January 29, 2006, 11:09:54 AM



Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on January 29, 2006, 11:09:54 AM
DeveloperSide.NET v1.16 Web-Server Suite with...

Apache 2.0.55 with...
mod_security 1.9.2
mod_jk 1.2.15
mod_perl 2.02
mod_deflate

Tomcat 5.5.15

MySQL 5.0.18

PHP 5.1.2

OpenSSL 0.9.8a

Perl 5.8.7
   
phpMyAdmin 2.7.0-pl2

analog 6.0

...should be released within the next 24 hours (lacking a major disaster like a HD crash).  I have everything ready, working, and debugged, but still need some time to edit the docs and create all the packages (it's 6am here and I need to get some sleep). Maybe I'll also add filezilla and mod_dav functionality.

The biggest changes are the inclusion of Tomcat 5.5, mod_jk 1.2, and mod_security (with rulesets).

Soon, some of our competitors will see the Tomcat 5.5 w/mod_jk Guide and incorporate it into their packages.  Just like they did when we first released the win32 Tomcat 5.0 w/ mod_jk Guide about a year or two ago.  Back then and now, most, if not all, of the Windows Apache w/ Tomcat w/ mod_jk Guides did not work, were incomplete, or completely out of date.  It's a bit better right now, but still not enough to do it right.  First they took our minimized and modularized httpd.conf, then everything else they were missing.  Personally, I do not mind at all, but a little credit would do.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on January 30, 2006, 01:32:02 AM
I think I'm going to leave out mod_dav and filezilla.  For this one I just want a basic build.  The above two can be easily added via instructions.

WebDav Clients...

MS Web Folders
http://support.microsoft.com/?kbid=195851

DataFreeway
http://www.enginsite.com/ssh-webdav-ftp-sftp-client.htm

WebDrive -- $50.00
http://www.webdrive.com/


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on January 30, 2006, 07:03:00 AM
Here are the rar and exe files of the manual install packages (install via the included readme1st.txt)...
http://www.devside.net/download/std/www-1.16.exe
http://www.devside.net/download/std/www-1.16.rar

I still have to create the auto-install package and edit the online Manuals to reflect changes.

If anyone wants to give some feedback on the Tomcat5/mod_jk part...


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on January 30, 2006, 09:23:19 AM
January 30, 2006
The links are up on the official pages.  Now I just need to update the Manuals to reflect some changes.  Before that happens, I would strongly recommend reading the readme1st.txt file that comes with the download.

If you want to run Tomcat, you will need to download the Java JDK -- everything is explained.

Also, PHP4 is included if you want to downgrade -- which is also explained step-by-step.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on January 31, 2006, 12:10:53 AM
Also...

.htaccess and directory indexes have been turned on -- since lots of people have come here asking about this functionality.  The proper notes have been made under httpd.conf for anyone that wants to turn this off.

PHP extensions php_mysql, php_mysqli, gd2, mbstrings have been uncommented.

The Manual notes recommend copying libmysql.dll from PHP to the %SystemRoot%\system32 dir.  The auto-installer does this now.  This is not needed for most people, but will help some.

mod_security has been activated with a very comprehensive ruleset package...
You might now notice a 'server banner' displaying "NOYB" instead of the regular "Apache version, PHP version, modules, etc..."
I'm not exactly sure what "NOYB" stands for -- "none of your business" perhaps?


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: Jorge on January 31, 2006, 04:23:06 PM
Quote from: "admin"
Also...

.htaccess and directory indexes have been turned on -- since lots of people have come here asking about this functionality.  The proper notes have been made under httpd.conf for anyone that wants to turn this off.

PHP extensions php_mysql, php_mysqli, gd2, mbstrings have been uncommented.

The Manual notes recommend copying libmysql.dll from PHP to the %SystemRoot%\system32 dir.  The auto-installer does this now.  This is not needed for most people, but will help some.

mod_security has been activated with a very comprehensive ruleset package...
You might now notice a 'server banner' displaying "NOYB" instead of the regular "Apache version, PHP version, modules, etc..."
I'm not exactly sure what "NOYB" stands for -- "none of your business" perhaps?


Have you ever considered an install that allows simple changes like this to be changed on install?


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on January 31, 2006, 10:50:08 PM
Yes, and that is why I'm in the process of writing my own installer rather than using something like Inno or Nullsoft.  The things I want the installer to do -- all the things (I know a simple script would handle what you have quoted) -- would be too hard or impossible to do with something you have not paid $300-1000 for.  I'd rather just start with a C compiler and the win32 API.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: Jorge on February 01, 2006, 11:59:11 AM
Quote from: "admin"
Yes, and that is why I'm in the process of writing my own installer rather than using something like Inno or Nullsoft.  The things I want the installer to do -- all the things (I know a simple script would handle what you have quoted) -- would be too hard or impossible to do with something you have not paid $300-1000 for.  I'd rather just start with a C compiler and the win32 API.


Cool, good luck coding C, I never managed it :(
So I usually go with WinRAR SFX with a custom VBScript or a small Delphi exe


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: Demoric on February 01, 2006, 11:40:55 PM
Glad to see mod_security included.
Yes, NOYB means none of your business, however you can change it to other things, but they are limited to 5 characters (if I remember correctly) so you could use: Devsd, or whatever you'd like.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on February 02, 2006, 01:02:01 AM
Since I've had a few e-mails about this...

JDK: Java Development Kit
JRE: Java Runtime Environment

The Java 1.5/5.0 JDK installs at about 190MB max.  This includes two JREs, one private (for the JDK's use), and one public, which is installed under the same base dir as the JDK...

JDK
C:\Java\jdk1.5.0_06
118MB

JDK's private JRE
C:\Java\jdk1.5.0_06\jre
77MB

Public JRE
C:\Java\jre1.5.0_06
69MB

The JDK is needed to develop programs in Java, as it contains the development tools, classes, libraries, and the java compiler(s). The JDK cannot be redistributed in its entirety, only specific parts can -- and there is a question of "who" can do this.

The JRE has no ability to compile anything and has one primary function -- to run the compiled Java-based apps.  The JRE can be redistributed.

The installer has an option of not installing the public JRE, but you need to keep it. Tomcat only requires the JDK, but still, applications should not try to use the JDK's private JRE.  "The public JRE has entries in the Registry that allow browsers and applets to use the Java Plugin that's part of the JRE.  These entries do not exist for the JDK's JRE".

Note: You might be able to get rid of the JDK by copying the lib\tools.jar file from the JDK installation to the common\lib path of the Tomcat installation or the lib\ext dir of the JRE. (Question is, would there be a need for JAVA_HOME and would it be set to the public JRE?)

Note: You do not need to set the System PATH for the public JRE's bin dir -- the installation process copies java.exe (and other files) to your %SystemRoot%\system32 dir, and sets the Registry so this happens...
Quote

C:\>java -verbose -version | more
[Opened C:\Java\jre1.5.0_06\lib\rt.jar]
[Opened C:\Java\jre1.5.0_06\lib\jsse.jar]
[Opened C:\Java\jre1.5.0_06\lib\jce.jar]
[Opened C:\Java\jre1.5.0_06\lib\charsets.jar]

...the java.exe under the sys32 dir knows where to look...
Quote

HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment...
JavaHome : C:\Java\jre1.5.0_06
RuntimeLib : C:\Java\jre1.5.0_06\bin\client\jvm.dll


http://java.sun.com/j2se/1.5.0/install-windows.html#private
Quote

Private vs. public JRE - Installing the JDK installs a private J2SE Runtime Environment (JRE) and optionally a public copy. The private JRE is required to run the tools included with the JDK. It has no registry settings and is contained entirely in a jre directory (typically at C:\Program Files\jdk1.5.0\jre) whose location is known only to the JDK. On the other hand, the public JRE can be used by other Java applications, is contained outside the JDK (typically at C:\Program Files\Java\jre1.5.0), is registered with the Windows registry (at HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft), can be removed using Add/Remove Programs, might or might not be registered with browsers, and might or might not have java.exe copied to the Windows system directory (making it the default system Java platform or not).


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on February 02, 2006, 03:34:05 AM
After reading the below, and a few other sites -- I think I'm going to take out that 'NOYB' and leave the banner/signature as it is...
http://httpd.apache.org/docs/1.3/misc/FAQ.html#serverheader
http://www.onlamp.com/pub/a/apache/2004/09/23/apacheckbk.html

NMAP still shows it as Apache.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on February 02, 2006, 06:13:14 AM
http://java.sun.com/j2se/1.5.0/README.html#redistribution
Quote

The term "vendors" used here refers to licensees, developers, and independent software vendors (ISVs) who license and distribute the J2SE Development Kit with their programs.


Am I licensing the JDK by agreeing to the license before downloading it?  If this and the above were the same, it could take care of the extra d/l problem.  Though something tells me this vendor and license business more likely refers to companies like IBM and Microsoft and $$$. Also note all the 'and's and no 'or's in the text.  You would probably still need the other 'non-redistributable' parts of the JDK for a truly complete package. And if some of this were doable, Tomcat would have already done it.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: bozoka45 on February 03, 2006, 05:22:53 AM
For some reason apache won't install for me. I downloaded the auto installer, and that didn't work. I tried installing apache manually, that doesn't work. Any suggestions?


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on February 03, 2006, 05:28:38 AM
What are the error or output messages on the command line?  If you have an already installed Apache or IIS Service, Apache will not install.
Run 'netstat -an' to see if anything is listening on port 80. Run 'services.msc' to see if you have an old Apache2 Service installed or IIS.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: Demoric on February 04, 2006, 04:51:39 AM
Quote
After reading the below, and a few other sites -- I think I'm going to take out that 'NOYB' and leave the banner/signature as it is...


It is a small gain in security through obscurity.  I would never recommend changing the source to accomplish the change, but as for mod_security it is done through it, and does help on persons manually searching for weaknesses, and some scripts. Plus depending on the change it may have a smaller header size.

Although in the scheme of things it's a small deal.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on February 04, 2006, 05:49:11 AM
Ahh, yes...
Quote
security through obscurity

Also known as...
Quote
The Microsoft way.


Quote

...and does help on persons manually searching for weaknesses, and some scripts. Plus depending on the change it may have a smaller header size.


Default setup...
Quote

Server Version: Apache/2.0.55 (Win32) PHP/5.1.2 mod_perl/2.0.2 Perl/v5.8.7
Server Built: Jan 21 2006 04:16:10
...
Apache/2.0.55 (Win32) PHP/5.1.2 mod_perl/2.0.2 Perl/v5.8.7 Server at localhost Port 80


With these changes...
Code:

ServerTokens Prod
ServerSignature Off


Quote

Server Version: Apache
Server Built: Jan 21 2006 04:16:10


With mod_security 'SecServerSignature'...
Quote

Server Version: NOYB
Server Built: Jan 21 2006 04:16:10
...
NOYB Server at localhost Port 80


I do not think mod_security works with IIS?  Either way, from what I have seen, the scripts are just going to try the exploits on port 80, regardless of the server string -- and any real hacker/cracker (anyone doing this manually or targeting your site specifically) is not going to be deterred nor stopped by the 'NOYB'.

BTW, that 'NOYB' string might as well say "I'm running Apache with mod_security" -- another one for the Google Hacking DB (that is, when/if that specific combination and the specific versions open up a problem that could be exploited in some way)...
http://johnny.ihackstuff.com/index.php?module=prodreviews
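
The three banner states compared in the post above can be checked mechanically. This is an added example, not code from the thread or from the Suite: the response heads are constructed around the Server strings quoted above, and the function names (`server_header`, `audit_banner`, `audit_all`) are hypothetical.

```python
import re

# A Server value is a run of "name/version" product tokens plus "(comment)" parts.
TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def server_header(raw_head):
    """Return the Server header value from a raw HTTP response head, or None."""
    for line in raw_head.split("\r\n")[1:]:      # skip the status line
        if not line:                             # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def audit_banner(banner):
    """List what a Server banner tells a client about the software stack."""
    products, comments = [], []
    for comment, name, version in TOKEN.findall(banner or ""):
        if comment:
            comments.append(comment)
        elif name:
            products.append((name, version or None))
    findings = [f"version disclosed: {n} {v}" for n, v in products if v]
    findings += [f"platform comment disclosed: {c}" for c in comments]
    if len(products) > 1:
        findings.append("modules listed: " + ", ".join(n for n, _ in products[1:]))
    return {"product": products[0][0] if products else None, "findings": findings}

def _head(server_value):
    # Constructed response head; only the Server value comes from the thread.
    return ("HTTP/1.1 200 OK\r\nDate: Sat, 04 Feb 2006 05:49:11 GMT\r\n"
            f"Server: {server_value}\r\nContent-Type: text/html\r\n\r\n")

SAMPLES = {
    "default": _head("Apache/2.0.55 (Win32) PHP/5.1.2 mod_perl/2.0.2 Perl/v5.8.7"),
    "ServerTokens Prod": _head("Apache"),
    "SecServerSignature": _head("NOYB"),
}

def audit_all(samples=SAMPLES):
    """Audit every sample response head and return the results by label."""
    return {label: audit_banner(server_header(raw)) for label, raw in samples.items()}

if __name__ == "__main__":
    for label, result in audit_all().items():
        print(f"{label}: product={result['product']!r}")
        for finding in result["findings"]:
            print("   ", finding)
```

An empty findings list only covers the banner string itself; as noted earlier in the thread, NMAP still identified the server as Apache.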


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: bozoka45 on February 04, 2006, 08:09:18 AM
Quote from: "admin"
What are the error or output messages on the command line?  If you have an already installed Apache or IIS Service, Apache will not install.
Run 'netstat -an' to see if anything is listening on port 80. Run 'services.msc' to see if you have an old Apache2 Service installed or IIS.


The service isn't installing itself. Could windows be blocking it?


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on February 04, 2006, 08:44:03 AM
As the other post mentioned, it could be an already installed Apache or IIS Service, bound to port 80. If you would like to answer the questions in the other post -- I can take a look at it.  Also, read the thread at the top about 'common problems'.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: Demoric on February 04, 2006, 04:37:12 PM
You make valid points about any devoted hacker not being dissuaded by NOYB. Personally I use a " " or my site's name instead of NOYB depending on the server.

Quote
Also known as... The Microsoft way.

;) Glad you caught the reference since we all know that obscurity isn't valid security, and thanks for the links on the subject.  I just look at it as why not change it.

Anyways thanks again for the reference links and keep up the good work on devside!  It really is a superior product.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: bozoka45 on February 05, 2006, 09:05:53 AM
Quote from: "admin"
As the other post mentioned, it could be an already installed Apache or IIS Service, bound to port 80. If you would like to answer the questions in the other post -- I can take a look at it.  Also, read the thread at the top about 'common problems'.


I have no other server installed, and nothing is listening on Port 80. I'll check out 'common problems'


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: bozoka45 on February 05, 2006, 06:37:30 PM
It appears to be something wrong with this release. I found version 1.14 of the devside release and it worked fine. Apache was having troubles starting, but it installed OK.

UPDATE

I've got the service installed (the 1.16 release), however now it's giving me this error message when I try to start the server:

Quote

Can't load Perl file: /www/Apache2/conf/extra.pl for server localhost:80, exiting...


Running perl.exe on that file produces:

Quote

Perl lib version (v5.8.6) doesn't match executable version (v5.8.7) at G:/www/perl/lib/Config.pm line 32.
Compilation failed in require at G:/www/perl/lib/DynaLoader.pm line 25.
BEGIN failed--compilation aborted at G:/www/perl/lib/DynaLoader.pm line 25.
Compilation failed in require at G:/www/perl/site/lib/ModPerl/Const.pm line 17.
BEGIN failed--compilation aborted at G:/www/perl/site/lib/ModPerl/Const.pm line 17.
Compilation failed in require at G:/www/perl/site/lib/Apache2/Const.pm line 17.
BEGIN failed--compilation aborted at G:/www/perl/site/lib/Apache2/Const.pm line 17.
Compilation failed in require at G:\www\Apache2\conf\extra.pl line 9.
BEGIN failed--compilation aborted at G:\www\Apache2\conf\extra.pl line 9.


Let me know if you need more info.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: admin on February 05, 2006, 08:04:35 PM
There is nothing wrong with the release...
(I would be getting posts everywhere and all kinds of e-mails)

Did you completely uninstall the older Suite before installing v1.16?  Stopped all the Services, uninstalled the Services, removed all components from the System PATH, and deleted or renamed the 'www' directory?
The uninstall instructions are right at the end (just note that the path strings have changed a bit from version to version, so do notice all the '\www\' dirs)
http://www.devside.net/web/server/free/setup/instructions

It sounds _a lot_ like you overwrote the 'www' dir with the new Suite version (which would cause these perl version problems -- as some of those files are marked 'read-only'). Or have an older www dir on one drive and a newer www on another.  Regardless of an uninstall.

I suggest you uninstall everything, clean the PATH of all Suite related dirs (anything that starts with a '\www\'), reboot, and do the v1.16 installation.  Should not take more than 5 minutes.

If this does not solve anything...
The contents of error.log under \www\Apache2\log\ would help.
Also run cmd.exe and 'echo %PATH%' and 'netstat -an'.


Title: Released Web-Server v1.16 w/ Tomcat, mod_jk, mod_security...
Post by: bozoka45 on February 06, 2006, 04:29:56 AM
It's on a new install of windows, that's why I was confused. I uninstalled everything (I think I skipped the PATH step before) and it all seems to work now. Sorry to be a nuisance and thanks.