Jun 042016
 

Starting from version 2.4 apache offers 3 MPM we can choose, it’s depend in what you needs.

  • prefork MPM uses multiple child processes without threading. Each process handles one connection at a time without creating separate threads for each.
  • worker MPM uses several threads per child processes, where each thread handles one connection at a time.
  • event MPM It is similar to the worker MPM in that it also creates multiple threads per child process but with an advantage: it causes KeepAlive or idle connections (while they remain in that state) to be handled by a single thread, thus freeing up memory that can be allocated to other threads. This MPM is not suitable for non-thread-safe modules like mod_php, to use event MPM, PHP-FPM must be used instead.

check the MPM used by your Apache:

# httpd -V
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 202.74.43.187. Set the 'ServerName' directive globally to suppress this message
Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 19 2015 21:43:13
Server's Module Magic Number: 20120211:24
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

To change this, edit /etc/httpd/conf.modules.d/00-mpm.conf
and uncomment the line that loads mpm_event_module

LoadModule mpm_event_module modules/mod_mpm_event.so

install php-fpm, fcgi,mod_fcgid

# yum -y install php-fpm mod_fcgid fcgi

change php handler in order to use php-fpm in /etc/httpd/conf.d/php.conf

<FilesMatch \.php$>
#   SetHandler application/x-httpd-php
    SetHandler "proxy:fcgi://127.0.0.1:9000" 
</FilesMatch>

restart/start all services

# systemctl start php-fpm.service 
# systemctl enable php-fpm.service
# systemctl restart httpd.service

recheck the MPM used by your Apache:

# httpd -V
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 202.74.43.187. Set the 'ServerName' directive globally to suppress this message
Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 19 2015 21:43:13
Server's Module Magic Number: 20120211:24
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

create phpinfo if php handler using fpm/fastCGI now

$ echo '<?php phpinfo(); ?>' > /var/www/html/info.php

have fun 🙂

May 252016
 

in order to make rbldnsd as rhsbl authoritative nameserver for unbound, the simple way is to create stub-zone like this:

stub-zone:
        name: "rhsbl.example.com."
        stub-addr: 172.18.1.1@530

if we configured unbound as iterator and validator, this minimal configuration will not work. when you query for example:

# dig blacklisted.domain.com.rhsbl.example.com

we will get “SERVFAIL” replied.
the simple way is by turned off validator function in unbound, but if we still want validator function in unbound, we can simply exclude our rhsbl zone in stub-zone as insecure domain.

domain-insecure: "rhsbl.example.com."

now, we wlll get reply as expected

# dig blacklisted.domain.com.rhsbl.example.com +short
127.0.0.2

and in rbldnsd start up config

RBLDNSD="dsbl -r/var/lib/rbldnsd -t 300 -b 172.18.1.1/530 rhsbl.example.com:dnset:hosts"

happy blacklisting 😀

edited:
combined with checkdbl.pl script here: http://www.kutukupret.com/2010/12/03/postfix-header_checks-using-tcp_table-and-checkdbl-pl-script/ we can use it as header_checks map. here’s the result:

May 25 19:11:31 mx1 postfix/cleanup[146988]: 68A203080DD: reject: header From: Dominic McXXX <McXXX@domainspammer.com> from sub.domainspammer.com[xxx.xxx.xxx.xx]; from=<McXXX@domainspammer.com> to=<myuser@example.org> proto=ESMTP helo=<spammer>: 5.7.1 domainspammer.com, which appears in the 'From' header, is listed on rhsbl.example.com