Apache or NGINX?

Bagheera

I'm a newbie to this Linux.org forum and still in my first year on Linux.

I need to be able to write some Perl CGI programs to support web forms on a website. I used XAMPP on my old WindoZe laptop. On my new laptop operating Linux Mint I'm seriously considering installing either Apache or NGINX. Which would you guys recommend, bearing in mind I'm barely a year into Linux and would appreciate something fairly easy to install & configure? I'd like to get started testing some webform submissions asap.
 


I find Apache a bit easier. It has been the more or less default for many years. It's well documented and easy to maintain and configure. There's also a lot of people who use it which means you can usually find someone to answer your questions.
 
Apache has more features, plugins, and more integrations.

nginx is more lightweight, but is slightly faster.
 
I find Apache a bit easier. It has been the more or less default for many years. It's well documented and easy to maintain and configure. There's also a lot of people who use it which means you can usually find someone to answer your questions.
Thank you Kgill. I seem to remember seeing Apache 2 ... is that correct there's a version 2? As you say if I get stuck installing or using there's more people to ask until I get up to speed. I'm much more of an applications level guy rather than the kind of tech attached to networking.
 
Most modern distros have httpd2 (Apache 2.0)

Name : httpd
Version : 2.4.62
Release : 2.fc40
Architecture : x86_64
Size : 47 k
Source : httpd-2.4.62-2.fc40.src.rpm
Repository : updates
Summary : Apache HTTP Server
URL : https://httpd.apache.org/
License : Apache-2.0 AND (BSD-3-Clause AND metamail AND HPND-sell-variant AND Spencer-94)
Description : The Apache HTTP Server is a powerful, efficient, and extensible
: web server.
 
Thank you too dos2unix and for the link. When I searched for Apache on my Linux Mint Software manager, loads and loads of different Apache downloads came up which I find confusing as I didn't (still don't) know which one to choose.
 
Thank you Kgill. I seem to remember seeing Apache 2 ... is that correct there's a version 2? As you say if I get stuck installing or using there's more people to ask until I get up to speed. I'm much more of an applications level guy rather than the kind of tech attached to networking.
The current version is 2.4.something.
 
A CGI program can be written in practically anything. I have written some of my own in C. They are normally stored in /cgi-bin, but can be anywhere the web server can serve up. I use Apache2 myself, but beware: Apache2 has a critical security bug that allows a remote attacker to gain a web shell. From there they may be able to get privilege escalation to root and take over your system. You can use a non-privileged user to run the web server and then use ACLs to block access to all setuid and setgid programs on your system for that user. If the attacker gets a web shell they will be able to access your web server's private key thus allowing them to decrypt all of your web server's traffic if they can listen for it.

Signed,

Matthew Campbell
 
Thanks for the tips Matthew. Yes I knew that CGI pgms can be written in many languages apart from Perl. I suppose PHP and Python are also amongst the most popular.

ACLs ... Access Control Lists? If so they're very flexible but can be quite involved to set up I think.

When I was a WindoZe user I always had a standard privileges user id I logged into rather than the Admin user. I think you're advising it'd be good practice for me to do same on my Linux Mint?
 
I think you're advising it'd be good practice for me to do same on my Linux Mint?

Unless you've taken the time and effort to change Mint's settings and are now logging in as root, you're already using an account with limited permissions. You need sudo to use files owned by the system/root.

There's no real need to limit your account further.
 
Thanks for the tips Matthew. Yes I knew that CGI pgms can be written in many languages apart from Perl. I suppose PHP and Python are also amongst the most popular.

ACLs ... Access Control Lists? If so they're very flexible but can be quite involved to set up I think.

When I was a WindoZe user I always had a standard privileges user id I logged into rather than the Admin user. I think you're advising it'd be good practice for me to do same on my Linux Mint?
An ACL is easy to install. Look at the man pages for setfacl and getfacl. You can create a list of files and then use a loop in a bash script to assign an ACL to each of the files in the list.

Signed,

Matthew Campbell
 
An ACL is easy to install. Look at the man pages for setfacl and getfacl. You can create a list of files and then use a loop in a bash script to assign an ACL to each of the files in the list.

Signed,

Matthew Campbell
Shouldn't a normal chmod be enough?
 
Shouldn't a normal chmod be enough?
It depends on what you want. Using an ACL allows you to restrict access for a particular user any way you want without having to limit other users on the system. I set ACLs for the two users that run servers on my Linux system to make sure they had no access to any setuid or setgid program without having to affect other users. ACLs work on directories too.

Signed,

Matthew Campbell
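
The approach described in the posts above (build a list of the setuid/setgid programs, then loop over it with setfacl), written out as an added example that is not code from any poster in this thread. The `www-data` account name and the `DRY_RUN` preview switch are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: deny one service account access to every setuid/setgid
# program under a directory tree using POSIX ACLs (setfacl/getfacl).
# Assumptions: the account name (www-data is the usual Apache account on
# Debian/Mint) and the DRY_RUN switch are illustrative, not from the thread.

# Print every regular file under $1 that has the setuid or setgid bit set.
# -xdev keeps find on one filesystem, so /proc, /sys and other mounts are skipped.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Add a "no permissions" ACL entry for user $1 on each file found under $2.
# A named-user ACL entry is evaluated before the group and other bits, so the
# account is refused even when the file mode is world-executable.
# With DRY_RUN=1 the setfacl commands are printed instead of executed.
# Limitation: file names containing a newline are not handled by the loop.
deny_setid_for_user() {
    user=$1
    root=${2:-/}
    list_setid_files "$root" | while IFS= read -r f; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'setfacl -m u:%s:--- %s\n' "$user" "$f"
        else
            # Stop at the first failure (unknown user, no ACL support, ...).
            setfacl -m "u:$user:---" -- "$f" || exit 1
        fi
    done
}

# Stand-alone use, as root:  sh deny-setid.sh www-data /
# Preview only:              DRY_RUN=1 sh deny-setid.sh www-data /
if [ "$#" -ge 1 ]; then
    deny_setid_for_user "$@"
fi
```

An ACL entry is stored on the file itself, so a package upgrade that replaces one of these binaries drops the entry and the script has to be run again. `getfacl` on any listed file shows whether the `user:www-data:---` entry is present.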
 
I use Apache2 myself, but beware: Apache2 has a critical security bug that allows a remote attacker to gain a web shell. From there they may be able to get privilege escalation to root and take over your system. You can use a non-privileged user to run the web server and then use ACLs to block access to all setuid and setgid programs on your system for that user. If the attacker gets a web shell they will be able to access your web server's private key thus allowing them to decrypt all of your web server's traffic if they can listen for it.
Would you be so kind as to share the CVE for that? That sounds like a critical one and I haven't seen any CVEs listed by Red Hat describing that, and if it is still a thing it sounds like a thing they would patch within a day. Also AFAIK on every distribution where you install Apache a separate user account will be created to run Apache, and with SELinux it limits what Apache can do if it were to try something out of its own SELinux context.
 
Would you be so kind as to share the CVE for that? That sounds like a critical one and I haven't seen any CVEs listed by Red Hat describing that, and if it is still a thing it sounds like a thing they would patch within a day. Also AFAIK on every distribution where you install Apache a separate user account will be created to run Apache, and with SELinux it limits what Apache can do if it were to try something out of its own SELinux context.
To the best of my knowledge there isn't one. It is still being exploited in the wild. The exploit does not appear in the activity log or the error log and provides an unauthenticated remote attacker with a web shell. From there they will try to use another exploit against one or more setuid to root programs to gain privilege escalation to root to fully take over the target system. This has been ongoing for years. I haven't seen anything resembling this in Apache2's list of bug fixes. I can't bring this to them without being able to prove it. I would need the working exploit and a proof of concept video or something. Otherwise they aren't likely to give me the time of day.

Signed,

Matthew Campbell
 
To the best of my knowledge there isn't one. It is still being exploited in the wild. The exploit does not appear in the activity log or the error log and provides an unauthenticated remote attacker with a web shell. From there they will try to use another exploit against one or more setuid to root programs to gain privilege escalation to root to fully take over the target system. This has been ongoing for years. I haven't seen anything resembling this in Apache2's list of bug fixes. I can't bring this to them without being able to prove it. I would need the working exploit and a proof of concept video or something. Otherwise they aren't likely to give me the time of day.
I have a hard time believing this because security researchers would already have published papers on this if this was the case, and then it would be a high or critical CVE on every distribution list because of it being an RCE. Red Hat and other companies would be on top of this, as we have seen with the xz back door. So you are going to have to come up with proof for this, that it's actually a thing, because everyone on the internet would be screaming bloody murder if something like this is actually still exploitable.
 
I have a hard time believing this because security researchers would already have published papers on this if this was the case, and then it would be a high or critical CVE on every distribution list because of it being an RCE. Red Hat and other companies would be on top of this, as we have seen with the xz back door. So you are going to have to come up with proof for this, that it's actually a thing, because everyone on the internet would be screaming bloody murder if something like this is actually still exploitable.
This vulnerability has been used numerous times to break into my Linux system. It doesn't work for them anymore because I no longer allow outside access to my web server. I was even getting entries in the activity log from my router's IP address at first, which shouldn't happen because it isn't a normal host. The router isn't supposed to be used by a person. It was turned into a "cherry blossom." (See project cherry blossom). The developers can't fix the problem with the web server if they aren't aware of it. The people hacking into my web server went to great lengths to get to the server. The exploit didn't work if they got a 403. I was using IP whitelisting to keep them from coming in from the wifi router. They would use raw sockets to simulate another user. They even went so far as to change their MAC address to match. I was watching with netdiscover. They even listened to my phone calls and reacted to what I said on the phone. They appear to be using tools written by others and they appear to be at an intermediate skill level. I found their "backdoor" to my computer that allowed them to access the web server and welded it shut. You are certainly welcome to believe whatever you wish. I saw the results that they intentionally left behind for me to see. I have not lied to you. This vulnerability allows an unauthenticated remote attacker to gain a web shell that can lead to a total system takeover. Not everyone is like James Bond. They don't just blow the place when they leave. A good spook is a ghost. They don't always want you to know that they were there. They'd rather you believe that they don't even exist and were never there at all. I can only wonder what else they accessed. They ran their tests to see if I could detect them. They demonstrated knowledge of my crontab file. They even created virtual devices inside of the wifi router. I was able to detect their devices by the inconsistencies in their firewall rules when they were trying to hide from me.
Those virtual devices would disappear very quickly when I tried to port scan them. At other times those virtual devices were not so closely monitored. They even used the wifi router that I rent from my ISP to run a denial of service attack against my computer that was connecting to an external wifi router on another wifi channel thus demonstrating the ability to change the wifi channel inside the wifi router built into the modem. As far as I know they have never succeeded in taking over my external wifi router, but they did take over the router inside the modem. I could have stopped the DoS attack sooner, but I was tired and simply didn't care. I tried resetting everything else first. It wasn't until I unplugged the modem that the attack stopped and then I was easily able to reconnect to my external wifi router again. This world isn't as peachy and wonderful as so many people seem to think it is. What was, and is still being done to me, is illegal.

Signed,

Matthew Campbell
 
This vulnerability has been used numerous times to break into my Linux system. It doesn't work for them anymore because I no longer allow outside access to my web server. I was even getting entries in the activity log from my router's IP address at first, which shouldn't happen because it isn't a normal host. The router isn't supposed to be used by a person. It was turned into a "cherry blossom." (See project cherry blossom). The developers can't fix the problem with the web server if they aren't aware of it.
I guess there is probably truth to what you are saying, but still hard to believe. Good thing that RHEL uses SELinux, which confines what the webserver process is allowed to execute and where, blocking anything that it's not allowed to do. Did you do a bug report to the Apache developers making them aware of this, like that Microsoft developer who made a bug report when he noticed ssh was reacting slower than normal for the xz backdoor? Also this sounds very targeted, could your job be the reason why they would specially target you? Out of curiosity, how long ago was it that this happened to you?
 
I guess there is probably truth to what you are saying, but still hard to believe. Good thing that RHEL uses SELinux, which confines what the webserver process is allowed to execute and where, blocking anything that it's not allowed to do. Did you do a bug report to the Apache developers making them aware of this, like that Microsoft developer who made a bug report when he noticed ssh was reacting slower than normal for the xz backdoor? Also this sounds very targeted, could your job be the reason why they would specially target you? Out of curiosity, how long ago was it that this happened to you?
Debian has SELinux as well. I'll have to look into that to see if I can use that to tighten things up a bit more. This issue has been occurring ever since I started running the web server, until I made it unavailable. I'm really not sure why I've been targeted like this. I'm stuck at Debian 11 so I can't update to the newest version of the web server software, which is something the developers will require if they are going to accept a bug report. I tried to update to Debian 12, but the process crashed and left my system in an unusable state. I had to restore everything from a backup. I've been using ACLs to limit what the web user can run or access.

Signed,

Matthew Campbell
 

