Introduction

OpenNTPD is a Unix system daemon implementing the Network Time Protocol to synchronize the local clock of a computer system with remote NTP servers.

OpenNTPD is primarily developed by Henning Brauer as part of the OpenBSD project. Its design goals include being secure (non-exploitable), easy to configure, accurate enough for most purposes and with source code that can be distributed under a BSD license.

This tool helped me a lot. Using openntpd we can set the same time on multiple system.

Installation

$ sudo apt-get install openntpd

Openntp configuration file /etc/openntpd/ntpd.conf

To set the time use the command ntpdate-debian

$ sudo ntpdate-debian
[sudo] password for shahid:
 7 Aug 00:20:33 ntpdate[26597]: adjust time server 59.165.131.82 offset -0.089443 sec

Introduction

httperf is a tool to measure web server  performance.

Example

$ httperf --server haproxy.com --port=80 --uri /frontend_dev.php --num-conns=25
httperf --client=0/1 --server=haproxy.com --port=80 --uri=/frontend_dev.php --send-buffer=4096 --recv-buffer=16384 --num-conns=25 --num-calls=1
Maximum connect burst length: 1

Total: connections 25 requests 25 replies 25 test-duration 0.528 s

Connection rate: 47.4 conn/s (21.1 ms/conn, <=1 concurrent connections)
Connection time [ms]: min 4.9 avg 21.1 max 408.2 median 4.5 stddev 80.6
Connection time [ms]: connect 0.3
Connection length [replies/conn]: 1.000

Request rate: 250 req/s (3.1 ms/req)
Request size [B]: 78.0

Reply rate [replies/s]: min 250 avg 319.6 max 250 stddev 0.0 (1 samples)
Reply time [ms]: response 0.7 transfer 5.1
Reply size [B]: header 487.0 content 34774.0 footer 0.0 (total 35261.0)
Reply status: 1xx=0 2xx=25 3xx=0 4xx=0 5xx=0

CPU time [s]: user 0.07 system 0.42 (user 12.9% system 80.4% total 93.2%)
Net I/O: 2124.7 KB/s (17.4*10^6 bps)

Errors: total 0 client-timo 0 socket-timo 0 connrefused 0 connreset 0
Errors: fd-unavail 0 addrunavail 0 ftab-full 0 other 0

In the above output you can see the line ”

Total: connections 25 requests 25 replies 25 test-duration 0.528 s

This line means httperf gave request  for 25 connection (means 25 connections) and it get replies for all the 25 request. And time took to 25 request and 25 replies is the test-duration and in the above example it took 0.528 seconds.

The bellow line means

Reply rate [replies/s]: min 250 avg 250 max 250 stddev 0.0 (1 samples)

Replay rate gives various statistics for the  reply  rate.   In  the  example  above,  the minimum  (‘‘min’’)  reply  rate was 250 replies per second, the verage (‘‘avg’’) was 250 replies per second,  and  the  maximum (‘‘max’’) rate was 250 replies per second.  The standard deviation was 0.3 replies per second.  The number enclosed in parentheses  shows  that  60  reply  rate  samples were acquired.

You can test whether the Replay rates where correct by using the argument –rate with the httperf command.

$ httperf --server haproxy.com --port=80 --uri /frontend_dev.php --num-conns=25 --rate 250

The the line Replay Time means

Reply time [ms]: response 0.7 transfer 5.1

The line labeled ‘‘Reply Time’’ gives information on how long it took for the server to respond and how long it took  to  receive the  reply. In the above example, it took on average 0.7 milliseconds between sending the first byte of the request and receiving  the first byte of the reply.  The time  to ‘‘transfer’’, or read, the reply was 5.1 milliseconds.

For more help

$ man  httperf

httperf

What is Port Forwarding?

Port forwarding is a feature of the IPTables system. It allows one computer to forward connections made to it so that another computer can actually process the request. If you want a very simple metaphor you can think of it as mail forwarding. Each computer has a number of addresses called ports, and IPTables allows connections to these ports to be sent to another computer. With port forwarders, you can redirect data connections from the Internet to an internal, privately addressed machine behind your IP MASQ server. This forwarding ability includes network protocols such as TELNET, WWW, and SMTP. Protocols such as FTP, legacy ICQ, and others require special handling via kernel modules.

Setup

On Ubuntu you need to enable port forwarding. For doing this you have to be the root user.

root@shahid-laptop:~# echo 1 > /proc/sys/net/ipv4/ip_forward

After this you need to write iptable rule.

root@shahid-laptop:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@shahid-laptop:~# iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.10 --dport 555 -j DNAT --to 192.168.0.12:22
root@shahid-laptop:~# iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.12 --dport 22 -j ACCEPT

In this rule, when we tries to connect to the IP 192.168.0.10 through the port 555 this system redirects the connection to the IP and 192.168.0.12 and port 22.

To see the iptables rule use the command ‘iptables -L’

root@shahid-laptop:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.0.12        tcp dpt:ssh 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Saving Data

When you reboot the system the iptables rules will be removed from the kernel module , so either you need to use iptables-save and iptables-restorefor saving and restoring iptable rules or you need to write a script which will execut on every boot for enabling and create the iptable rule.

In Linux there has a number of useful bandwidth monitoring tools such as nload, netwatch, iftop, trafshow, bandwidthd, vnstat. If all you need is a basic overview of your total bandwidth usage, iptables is all you really need. Usually we use iptables for setting firewall and port forwardings, but iptables also provides packet and byte counters.

Writting iptables rules

The IP addresses in this article are modified from the real addresses. We’ll use the private IP space 192.168.0.0/16, subnetted into smaller blocks.

In this example, the FORWARD chain will only provide the global counters.

$ sudo iptables -N system-1

The rule will match any source and any destination. Everything that is being passed through this router matches this rule and will provide the total of combined downloaded and uploaded data.

# System-1 Downloads
  iptables -A FORWARD -d 192.168.1.0/26 -j system-1
# System-1 Uploads
  iptables -A FORWARD -s 192.168.1.0/26 -j system-1

The rules created above give us separate totals for all downloads to and uploads for system-1. This is accomplished by matching the source and destination of all traffic through the router for target-1’s specific subnet. After a rule is matched, the -j option invokes a jump to one of the custom chains. These custom chains can then be used to add additional rules pertaining to the subnet. For instance, rules can be created for each individual IP address in that subnet to track bandwidth on a per-host basis:

# Town A, Host 192.168.1.10 Download
  iptables -A town-a -d 192.168.1.10
# Town A, Host 192.168.1.10 Upload
  iptables -A town-a -s 192.168.1.10

You could repeat this process for every IP address for all systems within the subnet.

Bandwidth statistics

Viewing the current bandwidth usage is a matter of running iptables with the -L and -v options. The -L outputs the statistics for a chain (or all chains if none is provided). The -v option provides verbose output, including the packet and byte counters that we are interested in. I recommend using the -n option as well to prevent DNS lookups, meaning iptables will show the IP addresses without attempting to resolve the hostnames for the IP addresses, which would put additional and unnecessary load on the router.

$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 311K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 system-1   all  --  *      *       0.0.0.0/0            192.168.1.0/26
    0     0 system-1   all  --  *      *       192.168.1.0/26       0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 325K packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain system-1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            192.168.1.10
    0     0            all  --  *      *       192.168.1.10         0.0.0.0/0

Saving data across reboots

If you reboot the machine or remove the iptables kernel modules, you’ll lose all of your packet and byte counters. So you want to make backups of the running counters, and in the event of a reboot, restore the counters rather than starting from zero.

The iptables package comes with two programs that aid in this: iptables-save and iptables-restore. Both programs need to be told to explicitly use the packet and byte counters during backup and restore using the -c command line option.

The backup and restore process is fairly straightforward. To back up your iptables data, use

$ sudo iptables-save -c > iptables-backup.txt.

To restore the data, after reboot, use

$ sudo iptables-restore -c < iptables-backup.txt.

Conclution

The flexibility and power of iptables allows for more complex onitoring scenarios. You can create rules to not only track different subnets, but also to track specific ports and protocols, which lets you rack exactly how much of each customer’s traffic is Web, email, file
sharing, etc.

In addition, these bandwidth monitoring rules can also become blocking rules. If a host has used too much bandwidth, its rule in a town’s specific chain can be modified by adding -j DROP to both the download and upload rules. This effectively stops traffic being routed to and from that host.

Logrotate

Log files are important for Linux system security and trouble shooting.  Log files tend to grow, and if a log grows too much you compress it and takes the backup. Logrotate enables you to do this in a much better way. The process that is in charge of compressing and rotating these logfiles is called logrotate and it is executed once per day upon Debian installations.

Here you will find the logrotate driver script. Every day this script runs and examines two things:

• The configuration file /etc/logrotate.conf
• The configuration directory /etc/logrotate.d/

A typical logrotate configuration file looks like this:

/var/log/apache/*.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        postrotate
                if [ -f /var/run/apache.pid ]; then
                        /etc/init.d/apache restart > /dev/null
                fi
        endscript
}

If you want to add new log rotate for any other file you can new logrotate configuration file to /etc/logrotate.d 

Assuming we have a new service “mon” which produces its output in /var/log/mon/mon.log we can cause this to be rotated every day with a script like this:

/var/log/mon/*.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  create 640 mon mon
  sharedscripts
     /etc/init.d/mon restart
  endscript
}

For more help man logrotate

Haproxy

HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing. Supporting tens of thousands of connections is clearly realistic with todays hardware. Its mode of operation makes its integration into existing architectures very easy and riskless, while still offering the possibility not to expose fragile web servers to the Net.

1. Preperation

For configuring haproxy you need the following setups. Here I used ACL.

1.1. Using ACL

The use of Access Control Lists (ACL) provides a flexible solution to perform content switching and generally to take decisions based on content extracted from the request, the response or any environmental status. The principle is simple

1.2. Load Balancer

Hostname: lb.example.com

IP: 192.168.0.110

1.3 Web Server 1

Hostname: http1.example.com

IP: 192.168.0.111

1.4. Web Server 2

Hostname: http2.example.com

IP: 192.168.0.112

1.5. First download and install haproxy

To get latest version click here

$ wget  http://haproxy.1wt.eu/download/1.2/src/haproxy-1.2.18.tar.gz
$ tar -xzvf haproxy-1.2.18.tar.gz
$ cd  haproxy-1.2.18
$ sudo make  TARGET=linux24

 1.6. Configuring Load Balancer System IP : 192.168.0.110

set ENABLED to 1 in /etc/default/haproxy

 $ sudo vim /etc/default/haproxy

# Set ENABLED to 1 if you want the init script to start haproxy.

ENABLED=1

# Add extra flags here.
#EXTRAOPTS="-de -m 16"

We back up the original /etc/haproxy.cfg and create a new one like this

cp /etc/haproxy.cfg /etc/haproxy.cfg_orig
cat /dev/null > /etc/haproxy.cfg
vi /etc/haproxy.cfg

Sample haproxy configuration file /etc/haproxy.cfg which uses ACL. In the below example if you use the domain example.com haproxy always uses web server 1,if you use loadbalancer.com

global
global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 notice
        #log loghost    local0 info
        pidfile /var/run/haproxy.pid
        daemon
#       debug           # If you want to start haproxy in debugging mode uncomment this line and comment the above line.
        nbproc      4   # Number of processing cores. Dual Dual-core Opteron i    s 4 cores for example.
defaults
        log     global
        mode    http
        option  httplog
        option  httpchk
        option  dontlognull
        retries 3
        option          redispatch
        maxconn 2000
        contimeout      50000
        clitimeout      500000
        srvtimeout      500000

backend back_std
        balance roundrobin
        option redispatch
        cookie JSESSIONID prefix
        option httpclose
        option forwardfor
        option httpchk HEAD /check.txt HTTP/1.0
        server ws4 192.168.0.111:82 weight 1 check
#      stats uri /status   # Custom status URI
        stats auth username:password
        stats enable
        stats refresh 10

backend back_lb
        balance roundrobin
        option redispatch
        cookie JSESSIONID prefix nocache indirect
        option httpchk HEAD /check.txt HTTP/1.0
        server ws1 192.168.0.111:81 cookie ws1 weight 1 check
        server ws2 192.168.0.112:81 cookie ws2 weight 1 check
        option httpclose
        option forwardfor
        stats enable
        stats refresh 10

frontend http-in
        bind :80
        acl hosts_std hdr_end(host) -i example1..com          # Which is not load balanced
        acl hosts_std hdr_end(host) -i example1.com:80

        acl hosts_lb hdr_end(host) -i loadbalancer.com      # Which is load balanced
        acl hosts_lb hdr_end(host) -i loadbalancer.com:80

        use_backend back_std if hosts_std       # If requests comes to the domain which is in host_std then that URL will use back_std
        use_backend back_lb if hosts_lb          # If requests comes to the domain which is in host_lb then that URL will use back_lb

To allow HAProxy to bind to the shared IP address, we add the following line to /etc/sysctl.conf:

$ sudo vim /etc/sysctl.conf

[...]
net.ipv4.ip_nonlocal_bind=1
[...]

and run

$ sudo sysctl -p

1.7 Start haproxy

$ sudo /etc/init.d/haproxy start

1.8. Configuring Web Server 1 & Web Server2

We will configure HAProxy as a transparent proxy, i.e., it will pass on the original user’s IP address in a field called X-Forwarded-For to the backend web servers. Of course, the backend web servers should log the original user’s IP address in their access logs instead of the IP addresses of our load balancers. Therefore we must modify the LogFormat line in /etc/apache2/apache2.conf and replace %h with %{X-Forwarded-For}i:

 $ sudo vim /etc/apache2/apache2.conf

#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
#LogFormat "%h %l %u %t \"%r\" %>s %b" common
#LogFormat "%{Referer}i -> %U" referer
#LogFormat "%{User-agent}i" agentLogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

Also, we will configure HAProxy to check the backend servers health by continuously requesting the file check.txt (translates to /var/www/check.txt if /var/www is your document root) from the backend servers. Of course, these requests would totally bloat the access logs and mess up your page view statistics (if you use a tool like Webalizer or AWstats that generates statistics based on the access logs).

Therefore we open our virtualhost configuration (in this example it’s in /etc/apache2/sites-available/default) and put these two lines into it (comment out all other CustomLog directives in your vhost configuration):

$ sudo touch /var/www/check.txt
$ sudo vi /etc/apache2/sites-available/default

[...]
SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog /var/log/apache2/access.log combined env=!dontlog
[...]

Adds the ports to /etc/apache2/ports.conf file.

Listen 81
Listen 82
<IfModule mod_ssl.c>
    Listen 443
</IfModule>

Afterwards we restart Apache:

$ sudo /etc/init.d/apache2 restart

Now to check the status of haproxy use the custom URI or use http://example1.com/haproxy?stats

I hope it helped, a comment with your questions are welcome 

Monitoring services using Mon

mon is a general-purpose scheduler and alert management tool used for monitoring service availability and
triggering alerts upon failure detection.

Mon uses some Linux command and services such as ping command to check host connectivity and mail servers for sending mail, so you must install postfix and other packages so that mon should work smoothly.

Installing and configuring Mon in Ubuntu

Now we will see how we can install and configure mon in Ubuntu.

Install process

$ sudo apt-get install mon

Start mon 

$ sudo /etc/init.d/mon start

Configuring Mon 

For configuring mon edit the configuration file /etc/mon/mon.cf

hostgroup servers 192.168.1.6  #There must be a one line gape after hostgroup line.

watch servers
    service ping
        interval 1m
        monitor fping.monitor
        period wd {Mon-Fri} hr {7am-10pm}
            alert mail.alert user@example.com
            alertevery 3m
        period wd {Sat-Sun}
            alert mail.alert user@example.com

First we define the hosts that we want to monitor. Then we create the a “watch” section for this hosts with only one service to monitor, the “ping” service. The service will be monitored using the monitor “fping.monitor” that you can find in “/usr/lib/mon/mon.d/fping.monitor”. Then we define the periods in which we want to monitor the hosts and the alert we will use if the monitor detects a fail. In this case we use the “mail.alert” agent that you can find in “/usr/lib/mon/alert.d/mail.alert”. An email to “user@example.com” will be sent if a fail is detected in the monitor.

Sample example for configuring mon for monitoring a host connectivity, mysql, apache and a web page.

hostgroup ping_services 192.168.1.6

hostgroup webservers itswork.com

hostgroup mysql_server localhost

hostgroup apache_service 192.168.1.6

watch ping_services
service ping
    interval 1m
    monitor fping.monitor
    period wday {Mon-Sun} hour {0-23}
        alert mail.alert user@example.com
        alertevery 1m

watch webservers example.com
service site
        interval 1m
        monitor http.monitor -p 80 -u /index.php
        period wday{Mon-Sun} hr {0am-24pm}
            alert mail.alert user@example.com

watch apache_service 192.168.1.6
service apache
        interval 1m
        monitor http.monitor
        period wday{Mon-Sun} hr {0am-24pm}
            alert mail.alert user@example.com

watch mysql_server
    service mysql
        interval 1m
        monitor mysql.monitor --username=mon --password=mon --database=mon localhost
        period wday {Mon-Sun}
            alert mail.alert -S "Host 1 Mysql Server is down!!" user@example.com
            upalert mail.alert -S "Host1 MYSQL server is back up" user@example.com
            alertevery 60s
            alertafter 3

For more help click here

Monit is a utility for managing and monitoring processes, files, directories and devices on a Unix system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations. E.g. monit can start a process if it does not run, restart a process if it does not respond and stop a process if it uses to much resources. You may use monit to monitor files, directories and devices for changes, such as timestamps changes, checksum changes or size changes.  Monit will monitor a service and in case of any problems monit will will raise an email alert.

Install the package monit using apt on Ubuntu.

$ sudo apt-get install monit

First edit the file  /etc/default/monit and change startup=0 to  startup=1. The file should look like below text.

# Defaults for monit initscript
# sourced by /etc/init.d/monit
# installed at /etc/default/monit by maintainer scripts
# Fredrik Steen <stone@debian.org>
# You must set this variable to for monit to start

startup=1

# To change the intervals which monit should run uncomment# and change this variable.
# CHECK_INTERVALS=180

Edit the monit configuration file /etc/monit/monitrc and uncomment the following lines

$ sudo vim /etc/monit/monitrc

Start monit in background (run as daemon) and check the services at 2-minute intervals.

set daemon  120

You can set the alert recipients here, which will receive the alert for each service. The event alerts may be restricted using the list.

set alert abc@xyz.com                                   # receive all alerts
set alert hij@xyz.com only on { timeout }       # receive just service-

Monit has an embedded webserver, which can be used to view the configuration, actual services parameters or manage the services using the web interface.

set httpd port 2812 and
     use address localhost  # only accept connection from localhost
     allow localhost        # allow localhost to connect to the server and
     allow admin:monit      # require user 'admin' with password 'monit'

Next session in the configuration file is where the monit monitors the services,  for that we need to specify the service which needs to be monitored. A sample example for monitoring apache is as follows.

check process apache with pidfile /var/run/apache2.pid
    start program = "/etc/init.d/apache2 start"
    stop program  = "/etc/init.d/apache2 stop"
    if cpu > 60% for 2 cycles then alert
    if cpu > 80% for 5 cycles then restart
    if totalmem > 200.0 MB for 5 cycles then restart
    if children > 250 then restart
    if loadavg(5min) greater than 10 for 8 cycles then stop
    if 3 restarts within 5 cycles then timeout
    group server

For more examples click here
Next we will see some monit commonds.

To satrt monit

$ sudo /etc/init.d/monit start

To start the services which the monit is monitorin, sudo monit start all will start all the services in the monit configuration file, if specify a name insted of start all monit will start only the specified service.

$ sudo monit start all
$ sudo monit start apache

To get the status of monit services

$ sudo monit status

To get the summary of mont services

$ sudo monit summary

To stop all the services monitored my monit use stop all, or specify the name of the servive you need to stop

$ sudo monit  stop all
$ sudo monit stop apache

For more help click here

Introduction

When screen is called, it creates a single window with a  shell  in  it and then gets out of your way so that you can use the program as you normally would.  Then, at any time, you  can create new windows with other programs in them (including more shells), kill existing windows, view a list of windows, turn  output  logging  on and off, copy-and-paste text between windows, view the scroll back history, switch between windows in whatever manner you wish, etc.  All  windows  run  their  programs completely independent of each other.  Programs continue to run when their window is currently not visible and even when the whole screen session is detached from the user’s terminal.  When a program terminates, screen (per  default)  kills  the window  that  contained  it.  If this window was in the foreground, the display switches to the previous  window;  if  none  are  left,  screen exits.

 Usage

To start screen us the command screen.

$ screen

In the virtual terminal you can start any applications as you normaly done in normal terminals. Even if you close the virtual terminal the application will continue running in the back ground.

To list how many screens where on use the following command.

$ screen -ls
There are screens on:
        6475.pts-8.user-desktop        (Attached)
        6400.pts-6.user-desktop        (Attached)
2 Sockets in /var/run/screen/S-user.

To reattaches a screen session use the following command.

$ screen -d -r 6400.pts-6.user-desktop

To removed the distroyed sessions use the following command.

 $ screen -wipe

Install these packages with apt:

php5
php5-cli
php5-dev
php5-sqlite
php-pear

$ sudo apt-get install php5 php5-cli php5-dev php5-sqlite php-pear

Test if Apache and PHP are up and running typing in the browser:

http://localhost/

You should see something like:

Apache/2.0.55 (Ubuntu) PHP/5.1.2-1ubuntu1 Server at localhost Port 80

From the command line, as root:

$ sudo pear upgrade PEAR
$ sudo pear channel-discover pear.symfony-project.com

Edit /etc/php5/cli/php.ini and change the line:

memory_limit = 8M To memory_limit = 16M

Then

$ sudo pear install symfony/symfony
$ sudo pear install –alldeps http://phing.info/pear/phing-current.tgz

Using the command:

$ sudo pear config-show

we find the symfony libraries have been installed in:

$ php_dir/symfony/ /usr/share/php/symfony/ main libraries
$ data_dir/symfony/ /usr/share/php/data/symfony/ skeleton of symfony applications, default modules and configuration
$ doc_dir/symfony/ /usr/share/php/docs/symfony/ documentation

From the command line enter bellow command:

$ symfony -Vsymfony version 0.6.2

From the command line, as root:

$ mkdir /var/www/myproject$cd /var/www/myproject
$ symfony init-project myproject
$ symfony init-app myapp

Edit /Virtual Host configuration file , and append the following at the end:

<VirtualHost 192.168.1.2:81>
ServerAdmin webmaster@localhost
ServerName servername.com
ServerAlias www.servername.com
DocumentRoot /var/www/project/web
Alias /sf /usr/share/php/data/symfony/web/sf
<Directory /var/www/project/web>
     Options FollowSymLinks MultiViews
     AllowOverride all
     Order allow,deny
     allow from all
</Directory>
</VirtualHost>