Re: [users@httpd] Avoiding host header exploit in apache

2021-08-27 Thread Daniel Ferradal
Define ServerName with the IP if necessary and do not use RewriteRules
which use the %{HTTP_HOST} variable; specify your IP/host manually in the
rewrite.

On Fri, 27 Aug 2021 at 10:42, alchemist vk wrote:
>
> Hi All,
>  I am running Apache 2.4.46 and below is the problem statement.
>  system IP: 10.10.10.10
>  Client IP: 10.10.10.20
>
> When I make a request like curl -vk 'https://10.10.10.10' -H "Host: badsite.com",
> it's redirecting to "https://badsite.com/start.html", instead of
> redirecting to "https://10.101.10.10/start.html".
> Server is not configured with any domain names, so I can't use ServerName and
> UseCanonicalName directives to address the issue properly.
>
> Pls help me, how to check the Host header to listening address and take 
> corrective action.
>
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
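
A lint for the two points in the reply above, as an added example that is not part of the original thread or of httpd: it flags RewriteRule targets built from %{HTTP_HOST} and <VirtualHost> blocks that set no ServerName of their own. The function names, finding labels and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Names and sample config are constructed.

# lint_host_header [FILE...]   (reads stdin when no file is given)
# Findings, one per line:
#   REWRITE_HTTP_HOST:<line>  RewriteRule substitution contains %{HTTP_HOST}
#   NO_SERVERNAME:<line>      <VirtualHost> opened on <line> sets no ServerName
# Limitation: fields are split on whitespace, so quoted patterns that
# contain spaces are not handled.
lint_host_header() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^#/ { next }
        low ~ /^<virtualhost[ \t>]/ { in_vh = 1; vh_line = NR; named = 0; next }
        low ~ /^servername[ \t]/    { named = 1; next }
        low ~ /^<\/virtualhost>/ {
            if (in_vh && !named) { print "NO_SERVERNAME:" vh_line }
            in_vh = 0; next
        }
        low ~ /^rewriterule[ \t]/ {
            n = split(line, f, /[ \t]+/)
            # f[1]=directive, f[2]=pattern, f[3]=substitution (redirect target)
            if (n >= 3 && index(f[3], "%{HTTP_HOST}") > 0) {
                print "REWRITE_HTTP_HOST:" NR
            }
        }
    ' "$@"
}

# Constructed sample: the first vhost echoes the client-supplied Host header
# into the redirect; the second pins ServerName and the redirect target.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:443>
    RewriteEngine On
    RewriteRule ^/$ https://%{HTTP_HOST}/start.html [R=302,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName 10.10.10.10
    RewriteEngine On
    RewriteRule ^/$ https://10.10.10.10/start.html [R=302,L]
</VirtualHost>
EOF
}

sample_conf | lint_host_header
```

Only the first vhost of the sample is reported; RewriteCond tests against %{HTTP_HOST} are deliberately not flagged, since they compare the header rather than copy it into a response.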



[users@httpd] Re: apache2 / httpd graceful/reload failures on Ubuntu 21.04

2021-08-27 Thread Spil Oss
Digging further, using LogLevel slotmem_shm:debug

[Fri Aug 27 11:10:25.724715 2021] [slotmem_shm:debug] [pid 176913:tid
139917097439872] mod_slotmem_shm.c(408): AH02611: create:
apr_shm_create(/var/run/apache2/slotmem-shm-pd38fd8d0_wdprd_ssn_example_org_2.shm)
succeeded
[Fri Aug 27 11:10:25.724768 2021] [slotmem_shm:debug] [pid 176913:tid
139917097439872] mod_slotmem_shm.c(378): AH02602: create didn't find
/var/run/apache2/slotmem-shm-pd38fd8d0_www_config_example_org_8085_2.shm
in global list
[Fri Aug 27 11:10:25.724781 2021] [slotmem_shm:debug] [pid 176913:tid
139917097439872] mod_slotmem_shm.c(387): AH02300: create
/var/run/apache2/slotmem-shm-pd38fd8d0_www_config_example_org_8085_2.shm:
1064/2
[Fri Aug 27 11:10:25.724824 2021] [slotmem_shm:debug] [pid 176913:tid
139917097439872] mod_slotmem_shm.c(408): AH02611: create:
apr_shm_create(/var/run/apache2/slotmem-shm-pd38fd8d0_www_config_example_org_8085_2.shm)
succeeded
[Fri Aug 27 11:10:25.724905 2021] [slotmem_shm:debug] [pid 176913:tid
139917097439872] mod_slotmem_shm.c(378): AH02602: create didn't find
/var/run/apache2/slotmem-shm-pd38fd8d0_acc_ppm_signify_com_2.shm in
global list
[Fri Aug 27 11:10:25.724915 2021] [slotmem_shm:debug] [pid 176913:tid
139917097439872] mod_slotmem_shm.c(387): AH02300: create
/var/run/apache2/slotmem-shm-pd38fd8d0_acc_ppm_signify_com_2.shm:
1064/2
[Fri Aug 27 11:10:25.724959 2021] [slotmem_shm:error] [pid 176913:tid
139917097439872] (28)No space left on device: AH02611: create:
apr_shm_create(/var/run/apache2/slotmem-shm-pd38fd8d0_acc_ppm_signify_com_2.shm)
failed
[Fri Aug 27 11:10:25.725012 2021] [:emerg] [pid 176913:tid
139917097439872] AH00020: Configuration Failed, exiting


On Fri, Aug 27, 2021 at 11:26 AM Spil Oss wrote:
>
> Hi,
>
> I've been experiencing a failed apache2 service on Ubuntu 21.04 when
> performing a reload using the `systemctl reload apache2` command. The
> command does not always fail, but seems to be failing more often as
> the number of vhosts increases (currently ca 120). My
>
> The `systemctl reload apache2` command exits without error, but the
> service ends up in a failed state. Running `systemctl start apache2`
> after this failure starts the service without issues.
> I had taken to running `systemctl reload apache2; systemctl status
> apache2` to validate that I have a running service, but this would
> report "success" even when the service is "failed".
>
> Expecting some timing issue, I increased the "RestartSec" systemd
> parameter to 500ms using
> `/etc/systemd/system/apache2.service.d/override.conf`
> [Service]
> RestartSec=500ms
>
> This has not fixed the issue either.
>
> Testing the reload using `apachectl -k graceful` can also trigger the
> "failed" state of the process.
>
> The consistent error is with the persistence of shared memory
> segments. The indicated error is incorrect, there's plenty of space on
> the filesystem. The configuration has been kept as close as possible
> to the default Ubuntu config.
>
> My gut feeling is some weird interaction between graceful and systemd
> as seen in the logs. The RestartSec change not solving the problem
> kind of goes against that.
>
> Any help appreciated! Thanks, Bernard Spil.
>
> $ df -h /var/run/apache2/
> Filesystem  Size  Used Avail Use% Mounted on
> tmpfs   1.6G  6.6M  1.6G   1% /run
>
> $ ls mods-enabled/*.load | sed 's/mods-enabled\///;s/\.load//'
> access_compat
> alias
> auth_mellon
> authn_core
> authn_file
> authz_core
> authz_host
> authz_user
> brotli
> deflate
> dir
> env
> filter
> headers
> http2
> lbmethod_byrequests
> mime
> mpm_event
> negotiation
> proxy
> proxy_balancer
> proxy_http
> proxy_http2
> proxy_wstunnel
> remoteip
> reqtimeout
> rewrite
> setenvif
> slotmem_shm
> socache_shmcb
> ssl
> status
>
> /var/log/apache2/error.log:
> [Fri Aug 27 00:00:18.881934 2021] [mpm_event:notice] [pid 138928:tid
> 140168396681856] AH00493: SIGUSR1 received.  Doing graceful restart
> [Fri Aug 27 00:00:19.155640 2021] [slotmem_shm:error] [pid 138928:tid
> 140168396681856] (28)No space left on device: AH02611: create:
> apr_shm_create(/var/run/apache2/slotmem-shm-pd38fd8d0_acc_example_org_6.shm)
> failed
> [Fri Aug 27 00:00:19.155679 2021] [:emerg] [pid 138928:tid
> 140168396681856] AH00020: Configuration Failed, exiting
> [Fri Aug 27 00:05:01.645184 2021] [core:warn] [pid 166984:tid
> 140602886914688] AH00098: pid file /var/run/apache2/apache2.pid
> overwritten -- Unclean shutdown of previous Apache run?
> [Fri Aug 27 00:05:01.656692 2021] [mpm_event:notice] [pid 166984:tid
> 140602886914688] AH00489: Apache/2.4.46 (Ubuntu) OpenSSL/1.1.1j
> configured -- resuming normal operations
> [Fri Aug 27 00:05:01.656748 2021] [core:notice] [pid 166984:tid
> 140602886914688] AH00094: Command line: '/usr/sbin/apache2'
>
> journalctl:
> Aug 27 02:00:13 web01.example.org systemd[1]: Starting Rotate log files...
> Aug 27 02:00:18 web01.example.org systemd[1]: Reloading The Apache HTTP 
> Server.
> Aug 27 02:00:18 

Re: [users@httpd] SSL Cipher configuration issue

2021-08-27 Thread Paul Claridge

JFI

The important ssl.conf options I ended up with (ie no weak ciphers)... 
as of 27Aug21


SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA256


SSLHonorCipherOrder on

SSLProtocol +TLSv1.2 +TLSv1.3

Enjoy




Re: [users@httpd] SSL Cipher configuration issue

2021-08-27 Thread Paul Claridge

Apache fans,

Delighted to report I have got to the bottom of my problem.
So to share a few nuggets!

My confs-enabled/ssl.conf was being overridden by a LetsEncrypt 
ssl-options include in the VirtualHost.


Once I have commented out that, I made changes to ssl.conf which were 
reflected in the Qualys SSL Labs test.


In trying to build a list of 1.2 & 1.3 "safe" ciphers, using the [!-+] 
prefixes, you need to use names that are valid for openssl.


Documentation for openssl gives lists of common names (eg displayed in 
the ssl labs test) and the openssl equivalent.


Hopefully this will spare you many hours ...

Thanks for the help, Paul




Re: [users@httpd] Intermittently the TLS handshake results in plaintext 400 Bad Request response

2021-08-27 Thread Rob Emery

Hello,

I just wanted to provide a resolution to this problem for future 
searches etc. So the behaviour we were seeing is totally normal for 
httpd. If you do a HTTPS request to httpd on a socket that it is 
listening on, but doesn't have a VirtualHost configured, it will return 
a plaintext HTTP 400.


We ended up going round the houses on this issue, until we noticed that 
the problem was that our load balancer (relayd in this case) would 
'randomly' increment the IP address that it was directing the request to 
by 1 (i.e. instead of handshaking with .144 it would handshake with 
.145) which on some addresses, we didn't have a virtual host configured.


So, the long and short of it is: not a bug with httpd; as was predicted 
by everyone, it's a problem outside of its control and misbehaviour 
upstream.


The main thing I think that's useful information for other people 
experiencing something similar is that the logs for this are only 
available at debug, so we've changed our production httpd configuration 
to be:


LogLevel warn core:debug

That way we get in the error log:

AH00566: request failed: malformed request line

This provided us with the visibility of the problem that then let us 
track back exactly what was going on.



Thanks for the input everyone!

Rob

On 29/04/2021 14:36, Rob Emery wrote:

>> Assuming your site is public facing, give this evaluation a try and
>> see if anything interesting is mentioned.
>>
>> https://www.ssllabs.com/ssltest/
>
> It is indeed public and I've just run that. Nothing strikes me as
> weird or unusual about it at all unfortunately:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=services.codeweavers.net
>
> Thanks,
> Rob






Re: [users@httpd] Fwd: apache2 / httpd graceful/reload failures on Ubuntu 21.04

2021-08-27 Thread Dino Ciuffetti
Reading the source code:

From mod_slotmem_shm:
...
401 apr_shm_remove(fname, pool);
402 rv = apr_shm_create(&shm, size, fname, gpool);
...
408 ap_log_error(APLOG_MARK, rv == APR_SUCCESS ? APLOG_DEBUG : APLOG_ERR,
409              rv, ap_server_conf, APLOGNO(02611)
410              "create: apr_shm_%s(%s) %s",
411              fbased && is_child_process() ? "attach" : "create",
412              fname, rv == APR_SUCCESS ? "succeeded" : "failed");


Autoconf defines APR_USE_SHMEM_SHMGET for SHM namebased memory allocation
...
decision on anonymous shared memory allocation method... 4.4BSD-style mmap() via MAP_ANON
decision on namebased memory allocation method... SysV IPC shmget()


in APR, shm.c, apr_shm_create():
380 if ((new_m->shmid = shmget(new_m->shmkey, new_m->realsize,
381                            SHM_R | SHM_W | IPC_CREAT | IPC_EXCL)) < 0) {
382     apr_file_close(file);
383     return errno;
384 }


From shmget() manual page, possible errors in errno:
   ENOSPC: All possible shared memory IDs have been taken (SHMMNI), or
   allocating a segment of the requested size would cause the system to
   exceed the system-wide limit on shared memory (SHMALL).

So your "No space left on device" is not on your filesystem but on your shared
memory sysv.

Since SHMALL on a 64bit linux system is very big (please try this:
cat /proc/sys/kernel/shmall), I would bet on a low SHMMNI value on your system
(pls: cat /proc/sys/kernel/shmmni)

SHMMNI is the global maximum number of shared memory segments on your system.
Default on Ubuntu should be 4096. Please try to increase the value
(echo 8192 > /proc/sys/kernel/shmmni) or more.


HTH.
Ciao, Dino.



27 August 2021 11:43, "Spil Oss" wrote:

> Hi,
> 
> I've been experiencing a failed apache2 service on Ubuntu 21.04 when
> performing a reload using the `systemctl reload apache2` command. The
> command does not always fail, but seems to be failing more often as
> the number of vhosts increases (currently ca 120). My
> 
> The `systemctl reload apache2` command exits without error, but the
> service ends up in a failed state. Running `systemctl start apache2`
> after this failure starts the service without issues.
> I had taken to running `systemctl reload apache2; systemctl status
> apache2` to validate that I have a running service, but this would
> report "success" even when the service is "failed".
> 
> Expecting some timing issue, I increased the "RestartSec" systemd
> parameter to 500ms using
> `/etc/systemd/system/apache2.service.d/override.conf`
> [Service]
> RestartSec=500ms
> 
> This has not fixed the issue either.
> 
> Testing the reload using `apachectl -k graceful` can also trigger the
> "failed" state of the process.
> 
> The consistent error is with the persistence of shared memory
> segments. The indicated error is incorrect, there's plenty of space on
> the filesystem. The configuration has been kept as close as possible
> to the default Ubuntu config.
> 
> My gut feeling is some weird interaction between graceful and systemd
> as seen in the logs. The RestartSec change not solving the problem
> kind of goes against that.
> 
> Any help appreciated! Thanks, Bernard Spil.
> 
> $ df -h /var/run/apache2/
> Filesystem Size Used Avail Use% Mounted on
> tmpfs 1.6G 6.6M 1.6G 1% /run
> 
> $ ls mods-enabled/*.load | sed 's/mods-enabled\///;s/\.load//'
> access_compat
> alias
> auth_mellon
> authn_core
> authn_file
> authz_core
> authz_host
> authz_user
> brotli
> deflate
> dir
> env
> filter
> headers
> http2
> lbmethod_byrequests
> mime
> mpm_event
> negotiation
> proxy
> proxy_balancer
> proxy_http
> proxy_http2
> proxy_wstunnel
> remoteip
> reqtimeout
> rewrite
> setenvif
> slotmem_shm
> socache_shmcb
> ssl
> status
> 
> /var/log/apache2/error.log:
> [Fri Aug 27 00:00:18.881934 2021] [mpm_event:notice] [pid 138928:tid
> 140168396681856] AH00493: SIGUSR1 received. Doing graceful restart
> [Fri Aug 27 00:00:19.155640 2021] [slotmem_shm:error] [pid 138928:tid
> 140168396681856] (28)No space left on device: AH02611: create:
> apr_shm_create(/var/run/apache2/slotmem-shm-pd38fd8d0_acc_example_org_6.shm)
> failed
> [Fri Aug 27 00:00:19.155679 2021] [:emerg] [pid 138928:tid
> 140168396681856] AH00020: Configuration Failed, exiting
> [Fri Aug 27 00:05:01.645184 2021] [core:warn] [pid 166984:tid
> 140602886914688] AH00098: pid file /var/run/apache2/apache2.pid
> overwritten -- Unclean shutdown of previous Apache run?
> [Fri Aug 27 00:05:01.656692 2021] [mpm_event:notice] [pid 166984:tid
> 140602886914688] AH00489: Apache/2.4.46 (Ubuntu) OpenSSL/1.1.1j
> configured -- resuming normal operations
> [Fri Aug 27 00:05:01.656748 2021] [core:notice] [pid 166984:tid
> 140602886914688] AH00094: Command line: '/usr/sbin/apache2'
> 
> journalctl:
> Aug 27 02:00:13 web01.example.org systemd[1]: Starting Rotate log files...
> Aug 27 02:00:18 
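
A check for the diagnosis in the reply above, as an added example that is not part of the original thread: it counts SysV segments in the kernel's /proc/sysvipc/shm table against kernel.shmmni and also counts segments with no attached process. The function names and the sample table are constructed; the column layout assumed is the Linux /proc/sysvipc/shm one, where nattch is column 7.

```shell
#!/bin/sh
# Added example (not from the thread). Names and sample data are constructed.

# shm_usage [TABLE] [LIMIT_FILE]
# Prints "used=<n> limit=<n> unattached=<n>".
# Returns 1 when used >= limit, the state in which shmget(IPC_CREAT) fails
# with ENOSPC ("No space left on device"); returns 2 if the limit is unreadable.
shm_usage() {
    table=${1:-/proc/sysvipc/shm}
    limit_file=${2:-/proc/sys/kernel/shmmni}
    limit=$(cat "$limit_file") || return 2
    awk -v limit="$limit" '
        NR == 1 { next }                      # header row
        { used++; if ($7 == 0) idle++ }       # column 7 is nattch
        END {
            printf "used=%d limit=%d unattached=%d\n", used, limit, idle
            exit (used >= limit + 0) ? 1 : 0
        }
    ' "$table"
}

# Constructed sample in /proc/sysvipc/shm layout: three segments, one of
# which has nattch=0 (no process attached).
sample_shm_table() {
    cat <<'EOF'
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap
  16842753          0   600       1128  1001  1001      2    33    33     0     0 1630055425          0 1630055425       4096          0
  16842754          1   600       1128  1001  1001      2    33    33     0     0 1630055425          0 1630055425       4096          0
  16842755          2   600       1128   900   900      0    33    33     0     0 1630050000 1630050300 1630050000       4096          0
EOF
}

# Demo on the constructed data with an artificially low limit of 3.
demo_dir=$(mktemp -d)
sample_shm_table > "$demo_dir/shm"
echo 3 > "$demo_dir/shmmni"
shm_usage "$demo_dir/shm" "$demo_dir/shmmni" \
    || echo "segment IDs exhausted: raise kernel.shmmni or remove unattached segments"
rm -rf "$demo_dir"
```

Called with no arguments, shm_usage reads the live kernel files; running it before and after a graceful restart shows whether the segment count grows with each reload.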

[users@httpd] Fwd: apache2 / httpd graceful/reload failures on Ubuntu 21.04

2021-08-27 Thread Spil Oss
Hi,

I've been experiencing a failed apache2 service on Ubuntu 21.04 when
performing a reload using the `systemctl reload apache2` command. The
command does not always fail, but seems to be failing more often as
the number of vhosts increases (currently ca 120). My

The `systemctl reload apache2` command exits without error, but the
service ends up in a failed state. Running `systemctl start apache2`
after this failure starts the service without issues.
I had taken to running `systemctl reload apache2; systemctl status
apache2` to validate that I have a running service, but this would
report "success" even when the service is "failed".

Expecting some timing issue, I increased the "RestartSec" systemd
parameter to 500ms using
`/etc/systemd/system/apache2.service.d/override.conf`
[Service]
RestartSec=500ms

This has not fixed the issue either.

Testing the reload using `apachectl -k graceful` can also trigger the
"failed" state of the process.

The consistent error is with the persistence of shared memory
segments. The indicated error is incorrect, there's plenty of space on
the filesystem. The configuration has been kept as close as possible
to the default Ubuntu config.

My gut feeling is some weird interaction between graceful and systemd
as seen in the logs. The RestartSec change not solving the problem
kind of goes against that.

Any help appreciated! Thanks, Bernard Spil.

$ df -h /var/run/apache2/
Filesystem  Size  Used Avail Use% Mounted on
tmpfs   1.6G  6.6M  1.6G   1% /run

$ ls mods-enabled/*.load | sed 's/mods-enabled\///;s/\.load//'
access_compat
alias
auth_mellon
authn_core
authn_file
authz_core
authz_host
authz_user
brotli
deflate
dir
env
filter
headers
http2
lbmethod_byrequests
mime
mpm_event
negotiation
proxy
proxy_balancer
proxy_http
proxy_http2
proxy_wstunnel
remoteip
reqtimeout
rewrite
setenvif
slotmem_shm
socache_shmcb
ssl
status

/var/log/apache2/error.log:
[Fri Aug 27 00:00:18.881934 2021] [mpm_event:notice] [pid 138928:tid
140168396681856] AH00493: SIGUSR1 received.  Doing graceful restart
[Fri Aug 27 00:00:19.155640 2021] [slotmem_shm:error] [pid 138928:tid
140168396681856] (28)No space left on device: AH02611: create:
apr_shm_create(/var/run/apache2/slotmem-shm-pd38fd8d0_acc_example_org_6.shm)
failed
[Fri Aug 27 00:00:19.155679 2021] [:emerg] [pid 138928:tid
140168396681856] AH00020: Configuration Failed, exiting
[Fri Aug 27 00:05:01.645184 2021] [core:warn] [pid 166984:tid
140602886914688] AH00098: pid file /var/run/apache2/apache2.pid
overwritten -- Unclean shutdown of previous Apache run?
[Fri Aug 27 00:05:01.656692 2021] [mpm_event:notice] [pid 166984:tid
140602886914688] AH00489: Apache/2.4.46 (Ubuntu) OpenSSL/1.1.1j
configured -- resuming normal operations
[Fri Aug 27 00:05:01.656748 2021] [core:notice] [pid 166984:tid
140602886914688] AH00094: Command line: '/usr/sbin/apache2'

journalctl:
Aug 27 02:00:13 web01.example.org systemd[1]: Starting Rotate log files...
Aug 27 02:00:18 web01.example.org systemd[1]: Reloading The Apache HTTP Server.
Aug 27 02:00:18 web01.example.org systemd[1]: Reloaded The Apache HTTP Server.
Aug 27 02:00:18 web01.example.org systemd[1]: logrotate.service: Succeeded.
Aug 27 02:00:18 web01.example.org systemd[1]: Finished Rotate log files.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Main
process exited, code=exited, status=1/FAILURE
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 16 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 166489 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164446 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164448 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164450 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164452 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164454 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164456 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164458 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164459 (n/a) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164460 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164461 (n/a) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164462 (apache2) with signal SIGKILL.
Aug 27 02:00:19 web01.example.org systemd[1]: apache2.service: Killing
process 164463 (n/a) with 

[users@httpd] Avoiding host header exploit in apache

2021-08-27 Thread alchemist vk
Hi All,
 I am running Apache 2.4.46 and below is the problem statement.
 system IP: 10.10.10.10
 Client IP: 10.10.10.20

When I make a request like curl -vk 'https://10.10.10.10' -H "Host: badsite.com",
it's redirecting to "https://badsite.com/start.html", instead of redirecting to
"https://10.101.10.10/start.html".
Server is not configured with any domain names, so I can't use ServerName
and UseCanonicalName directives to address the issue properly.

Pls help me, how to check the Host header to listening address and take
corrective action.