Send Apache Logs to Papertrail With Rsyslog

Over the last few days, I’ve been looking at Apache web server logs, a lot, mostly quick checks for Shellshock probes and exploit attempts. All on client servers, thankfully. All of the servers I operate through DigitalOcean are patched up. It just so happens that all the sites I host have their DNS hosted by Cloudflare, which has been blocking all Shellshock attempts.

A majority of my sites send their Apache logs to Papertrail. Having all my apache logs easily accessible and searchable is extremely nice. It’d make sniffing out Shellshock attempts quite simple. You can check for Shellshock attempts relatively easily from the command line, as well, something like the command below would work:

grep '() {' /var/log/apache2/access.log

1. Setup Rsyslog to Send to Papertrail

Anyway, sending Apache logs to Papertrail is pretty easy. I’m going to assume you’ve already setup rsyslog to send logs to Papertrail. If not, this post should help.

2. Add CustomLog Directive To Your VirtualHost

You just need to modify your virtualhost configuration and add a CustomLog directive. Here’s what I do to send longren.io logs to Papertrail:

CustomLog "| /usr/bin/logger -t httpd -p local1.info" "%{%b %d %X}t longren.io apache %h %l %u %t "%r"%>s %b "%{Referer}i" "%{User-agent}i""

The -t httpd piece sets the service name for Papertrail. The -p local1.info flag sets the priority. You’ll want to change the longren.io piece in the above code to whatever site you’re capturing logs for. You can also change or remove apache that immediately follows longren.io.

3. Reload Apache

After you’ve added the CustomLog directive to your virtualhost, you’ll want to reload Apache:

sudo service apache reload

That’s all there is to it. You should start seeing your Apache logs in Papertrail shortly after reloading Apache.

HackerNews Front Page: I Stayed Up

Load (cpu and memory) was significantly lower than I expected

Didn’t expect anything specific for load, but more load than what I did see, for sure.

A post I made hit the front page of HackerNews the other day. Here’s the discussion at HackerNews. Traffic was steady, For about five hours, there were between 50 and 250 users on the site at any given time.

I use two DigitalOcean droplets, one running Apache 2, the other for MySQL (mostly). The Apache 2 droplet is a 2GB droplet in the NYC2 datacenter and the MySQL droplet is a 1GB droplet in the same datacenter. They talk to each other over a private network.

I’ve really liked the setup so far, and without any tweaks to Apache or MySQL, both servers have performed quite well. I use a WordPress caching plugin and CloudFlare, but that’s all there is for caching.

CPU Usage

CPU usage remained quite low, you can clearly see the HackerNews traffic.

Eventually, one could expect thousands of users on a site at any given time. That greatly depends on the type of site, though.

At that point, you’d probably need the power of Nginx, using it as a front-end (reverse) proxy to Apache.

I’m going to setup a DigitalOcean droplet to serve as a reverse proxy in the event I need to serve massive amounts of traffic. It’s sole job will be to run Nginx.

I simply don’t need it right now, though. Unless this hits the front page of HackerNews and makes it further up the page. ;). Then I’ll be scrambling to get that Nginx box up. So, put me to work later.

Bandwidth Usage

Highest bandwidth usage was 2.33Mbps. DigitalOcean can do a LOT more than that.

I didn’t receive any alerts from New Relic, Mist.io, or Uptime Robot, so all was good. I am, however, still going to prep some kind of solution with Nginx sitting in front of Apache, to at least serve static files.

Nginx, Apache, or Nginx + Apache?

View Results

Loading ... Loading ...

Basic Routing in PHP with AltoRouter

Routing in PHP using AltoRouter

I’ve been using AltoRouter for help with building simple API’s. A full framework (even a micro-framework), like Slim, is usually overkill for my needs, and often, any kind of routing class is overkill. A .htaccess file with the proper rewrite rules will usually suffice.

When I do need a bit more control than a .htaccess file provides, I usually go with AltoRouter. AltoRouter is really easy to use.

First thing to do when using AltoRouter, or pretty much any PHP routing class/script, is to direct all requests to index.php. We do this with a .htaccess file. Here’s the .htaccess file I usually use with a project using AltoRouter:

That will direct all requests to your site to index.php. Inside index.php is where we setup AltoRouter, define our routing rules, and specify any parameters that we want to capture. A basic example of an index.php file using AltoRouter can be seen below.

Lines 10-15 are just standard routes being setup, we could easily do this with a .htaccess file. The next block, with the “Special” comment title, is a little more involved. But only because we’re passing a parameter or two to our PHP controller.

When I say PHP controller, I’m referencing the third parameter in the AltoRouter map() method. The first parameter is the HTTP request method, usually either GET or POST. The second parameter is the route we want to watch for. The third parameter is the controller, or the PHP file that we want when the route from parameter two is matched. And the fourth parameter is just a unique name for that route.

If you’re using named parameters in your routes, like you see being done on lines 18 and 19 in the index.php gist, you’re going to want to access them within your controller. Notice the very end of the index.php gist, specifically, everything below the /* Match the current request */ comment. That’s where we’re doing the actual matching, if the current URL matches a defined route, then we require the controller.

Before that though, we’re actually setting the $match variable. Since we’re setting $match before including our controller, $match should be available for use within our controller, which is awesome!

Say we’re charging a customer, and this is done by hitting /charge/the_customer_id/, where the_customer_id is an actual customer ID. In our controller, charge.php, we can access the_customer_id named parameter as seen below. It’s available in $match[‘params’][‘customer_id’].

You can use all sorts of limits on your named parameters, like integer matching, alphanumeric matching, and even hexadecimal character matching. A useful list of named parameter limits and some examples can be seen in the AltoRouter readme. Comments are open, so please let me know if I’ve missed something or am just totally off base somewhere. Thanks!!

CSS Optimization Tools

Optimization can drastically change the way your websites load. Poorly optimized sites load slowly and aren’t very nice to look at for the users. Well optimized sites load quickly and provide the user with the content they need. There’s lots of different ways to optimize site performance. You can optimize apache, mysql, PHP, and even your HTML code.

One thing people often overlook when optimizing a site is the CSS. Blogging Pro takes a look at four different CSS optimization tools. I, for one, have never really thought of optimizing CSS. I just don’t think it’s really ever occurred to me, I need to work on learning CSS before I get into optimization. But, there’s tools to do the optimizing for you, go check out the article at Blogging Pro.

What’s Wrong With OpenDNS?

OpenDNS is surely going to prove to be a useful tool for those not intimately familiar with the internet. OpenDNS, provides some unique functionality compared with other DNS servers in that it detects typos and prevents phishing. For example, say you type http://www.longren.og into your browser. That URL obviously doesn’t exist, notice the .og at the end? OpenDNS will recognize the typo and will redirect the user to http://www.longren.org.

Smart huh? Yes, but it could have it’s drawbacks. This post highlights what could be a potential security risk in OpenDNS. It has to deal with intrusion detection systems (IDS) not realizing which URL is actually being requested. That post uses the mod_speling apache httpd module as an example.

If I send a request for indexh.tml, mod_speling detects the mistake and will serve back index.html. The problem is any security products like an IDS/IPS won’t have this intelligence to try and “fix” the request before they analyze it. The IDS/IPS simply sees and logs a request for indexh.tml Modspelling, like this feature in OpenDNS, allows an attacker to side step the attack signatures on a IDS/IPS to exploit a site because the web server will “fix” the attack once it reaches its target.


I disagree with the logic behind the authors claims. Why? Simply because I have a feeling OpenDNS was built with that taken into consideration. I’m betting there’s some sort of database internally that lets every piece of the network know exactly what is being served when a typo is detected. Everything from the IDS boxes to the DNS servers themselves. Maybe I totally missed the point of what that post was trying to get across.

Another thing OpenDNS should work on ASAP is transparency. I’d really like to know the false positive rate on phishing sites. How many legitimate sites get flagged as a phishing site? A publicly available reporting system would also be nice. Something to show DNS changes in particular would be nice for helping to maintain the integrity of the database.

But, I’m sure these questions will be answered in the near future, after all, today is the company’s first day with exposure to the “public”. There’s already mention of a new feature on the most recent post at the OpenDNS blog.

One important feature which is not yet available, but will be soon, is self-service control over the DNS settings. Ryan’s article, understandably, doesn’t mention this capability, since it’s not yet live.

The point? We’re going to put more control in your hands, so if you want to turn off features like typo correction or phishing prevention, you’ll be able to. Account management is the top priority now, to help demonstrate the power of control over your DNS. We think transparency and control will show you (not just tell) that we’re making the right choices.

Ryan’s article is of course the article that was in Wired this morning. See, they’re already taking steps to provide more transparency, hopefully it will continue.

Harper Reed is also a bit skiddish with OpenDNS still, like me. I think OpenDNS has great intentions though, so I’m not too worried. Founder of OpenDNS, David Ulevitch, already has a pretty outstanding reputation in the internet community, probably due mostly to the success of EveryDNS. OpenDNS is out to do good on the internet, just like EveryDNS. That doesn’t mean they can’t do harm, as we saw with Blue Security.

I’m pretty sold on OpenDNS overall. I put their DNS servers in my DHCP server config tonight after I got home from work. And the Nevada office as well as a couple servers in Ankeny are using OpenDNS now too.