Updating Apache and Apache Solr on exacqVision Enterprise Manager – Windows

To mitigate currently known vulnerabilities, the following updates are recommended: Apache to 2.4.51, Apache Solr to 7.5.0 and exacqVision Enterprise Manager (EM) to 21.12.1 or higher.

Note: Updates for both Apache and Apache Solr are available as part of the EM install package for version 21.09 and higher.  However, updating to EM versions 21.12 or higher is recommended as this will also address the Log4j vulnerability.

WARNING: You must update EM manually, i.e. download the installer from our site and then launch it directly. The optional updates will not be prompted for if any other update method is used. Once the updates are in place, future updates can be launched from the dashboard.

ALERT: If previous modifications have been made to the default configuration settings, such as adding a certificate and key for SSL, they will need to be reapplied. See the Recover custom settings section below.

Determine the current version of Apache

  • Open an administrative Command Prompt
  • Navigate to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\bin
  • Run the command httpd.exe -v
  • Make note of the Server Version

Determine the current version of Apache Solr

Determine the current version of exacqVision Enterprise Manager

  • From the EM dashboard
  • Click the Information icon in the upper right-hand corner
  • Select About
  • Make note of the Version

Install exacqVision Enterprise Manager

  • Download the 64-bit Enterprise Manager installer for Windows from our site at https://exacq.com/support/downloads.php
    Note: 32-bit updates are not supported.
  • Launch the installer
  • During the install you will be prompted to update Apache Solr 7.5.0 and/or Apache 2.4.51. It is recommended that you check both.
  • A backup folder is created for folders being replaced by each update.
  • By default, the newly created backup folders will be located at:
    C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old
    C:\Program Files\exacqVision\EnterpriseManager\apache2.old
  • Using the instructions provided earlier, verify that the versions of Apache, Apache Solr and Enterprise Manager have changed to confirm the updates.

Note:  Resource utilization may be high for a period of time after the update as reindexing is performed.

Recover custom settings (Optional)

As previously mentioned, the updates will overwrite any previous configuration changes. However, those settings were backed up as part of the update. By default, they are located at C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old

  • Copy the file httpd-ssl.conf
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\extra\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\extra
  • Copy httpd.conf
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
  • Copy server.crt
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
  • Copy server.key
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
  • Restart the solrApache Service

RESTORE (SPECIAL CASE)

When restoring EM to a previous version that used Apache Solr 6.6.0 or earlier, it is necessary to manually restore an Apache Solr backup containing the targeted version of Apache Solr for that install. Note: If a backup does not exist, a restore cannot be performed.

  • To perform a restore first determine the version of the apache_solr backup which is appropriate.
  • Stop all exacqVision Enterprise Manager services, including solrApache and solrJetty.
  • Copy the existing C:\Program Files\exacqVision\EnterpriseManager\apache_solr folder to a safe location, renaming it as appropriate.
  • Replace it with the apache_solr backup folder.
  • Start all exacqVision Enterprise Manager services, including solrApache and solrJetty.

Notes

The presence of Log4j files in C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache-solr\server\resources does not mean there is a vulnerability. Ensure the version of Apache is either 2.4.51 or 7.5.0.

Update web service for Apache httpoxy vulnerabilities

Description

The version of Apache embedded in the web service has been found to expose a security vulnerability, known as “httpoxy” (technical details: CVE-2016-5387). This vulnerability can be avoided by changing the configuration of Apache.

Version Introduced

2.3.9

Platform

Web Service / All

Work Around

  1. Open the evApache httpd.conf file for editing

    Windows: C:\Program Files\exacqVision\WebService\evApache\conf\httpd.conf
    Linux: /etc/evapache/httpd.conf
  2. Find and change the line #LoadModule headers_module modules/mod_headers.so to LoadModule headers_module modules/mod_headers.so. (Remove the ‘#’)
  3. Add the following line to the end of the file: RequestHeader unset Proxy early
  4. Save the file.
  5. Restart the web service.
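
To confirm the workaround took effect, the following added example (not part of the original article or exacq's tooling) audits the text of an httpd.conf for the two lines from steps 2 and 3. The function name audit_httpoxy and the sample fragments are constructed for illustration.

```python
import re

# Apache directive and header names are case-insensitive.
LOAD_RE = re.compile(r"LoadModule\s+headers_module\s+\S+", re.I)
UNSET_RE = re.compile(r'RequestHeader\s+unset\s+"?Proxy"?(?:\s+(\S+))?\s*$', re.I)

def audit_httpoxy(conf_text):
    """Return findings for the httpoxy workaround; an empty list means it is in place."""
    module_line = unset_early_line = unset_other_line = None
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        if LOAD_RE.match(line):
            module_line = module_line or number
        found = UNSET_RE.match(line)
        if found and (found.group(1) or "").lower() == "early":
            unset_early_line = unset_early_line or number
        elif found:
            unset_other_line = number
    findings = []
    if module_line is None:
        findings.append("headers_module is not loaded: LoadModule line missing or still commented")
    if unset_early_line is None and unset_other_line is not None:
        findings.append(f"line {unset_other_line}: 'RequestHeader unset Proxy' lacks 'early'")
    elif unset_early_line is None:
        findings.append("'RequestHeader unset Proxy early' is missing")
    elif module_line is not None and unset_early_line < module_line:
        findings.append(f"line {unset_early_line}: RequestHeader appears before mod_headers is loaded")
    return findings

# Constructed httpd.conf fragments: before and after the workaround.
BEFORE = """\
ServerRoot "C:/example/evApache"
#LoadModule headers_module modules/mod_headers.so
# RequestHeader unset Proxy early
"""
AFTER = """\
ServerRoot "C:/example/evApache"
LoadModule headers_module modules/mod_headers.so
requestheader unset proxy EARLY
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_httpoxy(text) or "workaround in place")
```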

Can not log into EM after updating to 21.03

Customers report that on Windows 10 units updated to 21.03, browsing to localhost to log into EM fails with the error: This site can’t be reached.

A Microsoft article details other similar issues.

If you check the services, the Apache service will be in a stopped state.
Also check the System Logs for the following error:
The Apache service reported the following error:
httpd.exe: Could not open configuration file C:/Program Files/exacqVision/EnterpriseManager/apache_solr/apache2/conf/httpd.confN: The system cannot find the file specified.

To resolve this, on the EM server go to
Windows: C:/Program Files/exacqVision/EnterpriseManager/apache_solr/apache2/conf/
There is a file called httpd.conf.
Copy this file, paste it back into the same folder, and rename the copy to httpd.confN.

Once this is done go to the services and start the solr apache service.
Now log into the localhost.

Configuring Nginx or Apache as a Web Service Gateway

Description

The 9.0 release of the web service has replaced Apache with an in-house developed web frontend (WFE) for handling API requests. Certain users may wish to configure a gateway web server to enforce custom policies.

The following provides users with a reference for configuring either Nginx or Apache as a gateway. Additionally, it describes various undocumented settings in the new frontend configuration should the user need to modify them.

Gateway Configuration

The following sections explain how to set up Nginx or Apache to proxy requests to the web service. For the purposes of this guide, it is assumed the gateway server will be installed on the same machine as the web service and the service is listening on port 8080. The gateway must use a different listening port number than the ExacqVision Web Service.

Note: You may wish to back up the existing host files if they exist.

Nginx

Edit the virtual hosts file, located in:

Windows:
C:\nginx\conf\sites-available\default

Linux:
/etc/nginx/sites-available/default

with the following configuration:

server {
    listen 80 default_server;
    server_name localhost;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

Apache

NOTE: The installation directory for Apache on Windows will vary based on how it was installed.

  1. Run the OS-specific command to enable the necessary modules for Apache.

Windows:
Ensure the following lines in <apache install directory>\conf\httpd.conf are uncommented, that is, they do NOT begin with a ‘#’.

  • LoadModule proxy_module modules/mod_proxy.so
  • LoadModule proxy_http_module modules/mod_proxy_http.so
  • LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
  • LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

Linux:
Open a terminal by pressing CTRL+ALT+T and run the following commands:

  • sudo a2enmod proxy
  • sudo a2enmod proxy_http
  • sudo a2enmod proxy_balancer
  • sudo a2enmod lbmethod_byrequests

  2. Edit the virtual hosts file with the following configuration:

    <VirtualHost *:80>
        ProxyPreserveHost On

        ProxyPass / http://127.0.0.1:8080/
        ProxyPassReverse / http://127.0.0.1:8080/
    </VirtualHost>

NOTE: You MUST have the ‘/’ at the end of each address, unlike Nginx.

  3. Apache and Nginx will require a restart before they can accommodate proxy requests.

Modifying the Web Frontend (WFE) configuration

The configuration for WFE contains several options that are omitted by default. These options can be used to place additional constraints on the web service if necessary.

The configuration file, which is stored as JSON, is located at:

Windows:
C:\ProgramData\Webservice\conf\wfe.json

Linux:
/etc/webservice/wfe.json

If you wish to restrict the service to listen for HTTP requests on a particular NIC, you can do so by specifying the NIC’s address using the webserver.address key:

{
    "webserver": {
        "listen": 8080,
        "address": "192.168.1.115",
        [...]
    }
}

NOTE: If the target is an IPv6 address, you MUST enclose the address in square brackets [ ].

The same can be done for HTTPS requests with the webserver.tls.address key:

{
    "webserver": {
        "listen": 8080,
        "tls": {
            "listen": 443,
            "address": "[fe80::...]",
            [...]
        }
    }
}

The way the web service handles HTTP requests when HTTPS is configured can be controlled with the webserver.tls.httpPolicy key:

{
    "webserver": {
        "listen": 8080,
        "tls": {
            "listen": 443,
            "httpPolicy": (redirect|disable),
            [...]
        }
    }
}

The key can be one of the following values:

  • “redirect” will cause HTTP traffic to be redirected to HTTPS
  • “disable” will reject any requests not sent over HTTPS

NOTE: This key will only take effect if SSL is configured.
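
A lint for the wfe.json keys described in this section, as an added example (not exacq's code): it checks that the file parses as JSON, that each address is an IP address with IPv6 in square brackets, and that httpPolicy is one of the two listed values. The names lint_wfe and check_address are hypothetical, the sample configurations are constructed, and it assumes the address and httpPolicy values are JSON strings.

```python
import ipaddress
import json

def check_address(value, key):
    """Apply the article's address rules to one key; return a list of findings."""
    if not isinstance(value, str):
        return [f"{key}: expected a JSON string"]
    bracketed = value.startswith("[") and value.endswith("]")
    try:
        ip = ipaddress.ip_address(value[1:-1] if bracketed else value)
    except ValueError:
        return [f"{key}: {value!r} is not an IP address"]
    if ip.version == 6 and not bracketed:
        return [f"{key}: IPv6 address must be enclosed in [ ]"]
    return []

def lint_wfe(text):
    """Return findings for the webserver keys described above; empty means none."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # An unquoted address such as 192.0.2.15 fails here: it is not a JSON number.
        return [f"not valid JSON (line {exc.lineno}): {exc.msg}"]
    web = cfg.get("webserver", {})
    findings = []
    if "address" in web:
        findings += check_address(web["address"], "webserver.address")
    tls = web.get("tls", {})
    if "address" in tls:
        findings += check_address(tls["address"], "webserver.tls.address")
    policy = tls.get("httpPolicy")
    if policy is not None and policy not in ("redirect", "disable"):
        findings.append(f"webserver.tls.httpPolicy: {policy!r} is not 'redirect' or 'disable'")
    return findings

# Constructed configurations (addresses are documentation-range values).
GOOD = ('{"webserver": {"listen": 8080, "address": "192.0.2.15", "tls": '
        '{"listen": 443, "address": "[2001:db8::15]", "httpPolicy": "disable"}}}')
BAD = ('{"webserver": {"listen": 8080, "tls": '
       '{"listen": 443, "address": "2001:db8::15", "httpPolicy": "off"}}}')
UNQUOTED = '{"webserver": {"listen": 8080, "address": 192.0.2.15}}'

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD), ("unquoted", UNQUOTED)):
        print(name, lint_wfe(text) or "no findings")
```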

Hiding a Web Server from Internet Searches (Legacy)

NOTE: This document only applies to exacqVision Web Service 2.4.0 to 8.8. Web Service 9.0.0 replaced Apache with the proprietary WFE service.


If your exacqVision Web Service is connected to the Internet, the server could be located using certain search parameters in a search engine. To hide the server from an Internet search engine, complete the following procedure:

Note: Depending on the operating system, you might need to log in as an administrator to complete this process.

  1. Browse to C:\Program Files\exacqVision\WebService\Apache2.2\htdocs.
  2. Use Notepad to create a text file named robots.txt.
  3. Add the following lines to disallow all indexing on the entire Web Service:
  4. Restart the Web Service to ensure all changes are published.

For more information on configuring robots.txt, visit http://www.robotstxt.org/.
