Re: [users@httpd] HSTS verification

[@lbutlr]

On 03 Jul 2021, at 03:20, apache-httpd-us...@thomas.freit.ag wrote:
> On 02.07.21 09:27, @lbutlr wrote:
>> When checking for https HSTS compliance on htstpreload.org I get a warning 
>> 
>>> We cannot connect to https://example.net using TLS ("Get 
>>> https://example.net: http: server gave HTTP response to HTTPS client").

> What is in your access logs, can you identify the request and check which 
> virtual hosts served it? You can enable logging of the
> virtual host in the access log or log to dedicated files (see 
> https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats for
> a list of what is available).

The virtaulhost blocks I posted are for the virtual host that responds to the 
query, but I din't check the apache logs specifically.

The site works, and going to it on http redirects to https as expected, it is 
just this check tool that is complaining.

> 
>> And I do not understand how this can be. The page in questions loads as 
>> https with a valid cert and the http query is set to redirect to https
>> 
>> 
>>   ServerName www.example.net
>>   ServerAlias foo.example.net
>>   ServerAlias example.net
>>   DocumentRoot /usr/local/www/example/
>>   DirectoryIndex index.html
>>   ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/usr/local/www/example/$1
>>   SSLEngine on
>>   SSLCertificateFile /usr/local/etc/dehydrated/certs/example.net/cert.pem
>>   SSLCertificateKeyFile 
>> /usr/local/etc/dehydrated/certs/example.net/privkey.pem
>>   SSLCertificateChainFile 
>> /usr/local/etc/dehydrated/certs/example.net/chain.pem
>>   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
>>   SSLHonorCipherOrder on
>>   SSLCipherSuite 
>> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>>   #SSLUseStapling On
>>   Header always set Strict-Transport-Security "max-age=15638400; 
>> includeSubdomains;"
>>   Header always set X-Frame-Options DENY
>>   Alias /.well-known/ /usr/local/www/.well-known/
>> 
>> 
>> 
>>   ServerName www.example.net
>>   ServerAlias foo,example.net
>>   ServerAlias example.net
>>   ServerAlias webmail.example.net
>>   Redirect / https://www.example.net/
>>   Alias /.well-known/ /usr/local/www/.well-known/
>> 
>> 
>> 
> 
> I do not see anything onbviously wrong here (there is a typo on "ServerAlias 
> foo,example.net" though, assume this is just an example issue).

Oops, yes.

> However, your TLS virtualhost is bound to a fixed IP, your plain HTTP virtual 
> host is bound to all available IPs on the machine.

Yes, that is intentional. Is this wrong?

> My guess would be virtual host mismatch or a DNS specific issue (does 
> example.net resolve to different IPs for different resolvers?)

Nope. It resolves to the IP used in the main VitualHost block.

> access logs may reveal some more information on that.

I will check, but since everything goes to where it should, I don't think that 
is the issue.


-- 
'It is always useful to face an enemy who is prepared to die for his
country,' he read. 'This means that both you and he have exactly
the same aim in mind.'


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] HSTS verification

[@lbutlr]

When checking for https HSTS compliance on htstpreload.org I get a warning 

> We cannot connect to https://example.net using TLS ("Get https://example.net: 
> http: server gave HTTP response to HTTPS client").

And I do not understand how this can be. The page in questions loads as https 
with a valid cert and the http query is set to redirect to https


   ServerName www.example.net
   ServerAlias foo.example.net
   ServerAlias example.net
   DocumentRoot /usr/local/www/example/
   DirectoryIndex index.html
   ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/usr/local/www/example/$1
   SSLEngine on
   SSLCertificateFile /usr/local/etc/dehydrated/certs/example.net/cert.pem
   SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/example.net/privkey.pem
   SSLCertificateChainFile /usr/local/etc/dehydrated/certs/example.net/chain.pem
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
   SSLHonorCipherOrder on
   SSLCipherSuite 
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
   #SSLUseStapling On
   Header always set Strict-Transport-Security "max-age=15638400; 
includeSubdomains;"
   Header always set X-Frame-Options DENY
   Alias /.well-known/ /usr/local/www/.well-known/



   ServerName www.example.net
   ServerAlias foo,example.net
   ServerAlias example.net
   ServerAlias webmail.example.net
   Redirect / https://www.example.net/
   Alias /.well-known/ /usr/local/www/.well-known/



-- 
Last night I stayed up late playing poker with Tarot cards. I got a
full house and four people died.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] School Project cancelled

[@lbutlr]

On 30 Apr 2021, at 18:48, Ruben Safir  wrote:
> On 4/30/21 6:36 PM, emily.bun...@aol.com.INVALID wrote:
>> 
>> My Daddy will help me to pursue legal action for obstructing me from
>> doing my school project.
> 
> lovely

Well, that sock puppet was the dumbest thing I've read today, and I just read 
up on the whole Basecamp implosion, so the bar is rather high. Or is it low?


-- 
When a distinguished but elderly scientist states that something is
possible, he is almost certainly right. When he states that
something is impossible, he is probably wrong.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SSLCipherSuite DEFAULT

[@lbutlr]

On 20 Apr 2021, at 13:20, Jim Albert  wrote:
> On 4/20/2021 2:56 PM, @lbutlr wrote:
>> Right, and I am running the current version of OpenSSL which, for example, 
>> doesn't support SSLv3 or TLSv1.1.
> 
> I'd be surprised if that were true.
> If you run 'openssl ciphers -v ALL' you see no SSLv3 ciphers?

TLSv1 is not a cipher, the cipher suites are different than the protocols, 
right?

I'm pretty sure you cannot make a TLSv1 or TLSv1.1 connection to a openSSL 
1.1.1k versions of OpenSSL.


-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but what if the hippopotamus won't wear the beach
thong?"


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SSLCipherSuite DEFAULT

[@lbutlr]

On 20 Apr 2021, at 09:45, Jim Albert  wrote:
> On 4/20/2021 9:48 AM, @lbutlr wrote:
>> If I define SSLCipherSuite DEFAULT will apache show the ciphers that are 
>> defined by openSSL and will be used?
>> 
>> Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?
>> 
>> The complete list of ciphers that openssl supports numbers 60 and still 
> includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
>> 
>> Trying to search on recommendations comes up with a lot of "use these 
>> settings to allow IE 6.0" which is of literally no. interest to me at all.
>> 
>> This is what I am looking at using:
>> 
>> Protocols h2 h2c http/1.1
>> SSLCipherSuite DEFAULT
>> SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
>> 
>> But I may relent on TLSv1/1.1 after checking logs.
>> 
>> I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow 
>> the older TLS and SSL that will provide ciphers and security that are 
>> supported by current browsers and if I allow TLSv1 it should support old 
>> browsers going back more than a decade, yes?
>> 
> 
> Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
> Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.

Right, and I am running the current version of OpenSSL which, for example, 
doesn't support SSLv3 or TLSv1.1.

> I believe running 'openssl ciphers'

Ad that shows ciphers for TLSv1.1 and SSLv3, which is why I am a tad confused.

> will list your openssl installation's default cipher list which I am assuming 
> is what SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have 
> to confirm that.
> 
> I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS as a 
> decent starting point. Intermediate is usually a pretty good starting point 
> for a public web server. Then watching for any cipher-based vulnerabilities 
> that are announced or reported by any vulnerability testing you might have 
> performed.

Thanks, I did not find that, I was diving in apache 2.4 examples that were 3+ 
years old.

It's impressive how much faster h2 is than http/1.1.

-- 
Bart, don't use the Touch of Death on your sister.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] SSLCipherSuite DEFAULT

[@lbutlr]

If I define SSLCipherSuite DEFAULT will apache show the ciphers that are 
defined by openSSL and will be used?

Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?

The complete list of ciphers that openssl supports numbers 60 and still 
includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.

Trying to search on recommendations comes up with a lot of "use these settings 
to allow IE 6.0" which is of literally no. interest to me at all.

This is what I am looking at using:

Protocols h2 h2c http/1.1
SSLCipherSuite DEFAULT
SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3

But I may relent on TLSv1/1.1 after checking logs.

I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the 
older TLS and SSL that will provide ciphers and security that are supported by 
current browsers and if I allow TLSv1 it should support old browsers going back 
more than a decade, yes?

-- 
You know what they say about paradigms:  Shift happens.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] config is silently ignored

[@lbutlr]

On 20 Apr 2021, at 06:59, Adrian  wrote:
> Daniel Ferradal  wrote:
>> 
>> ServerName whatever.example.com
>> Redirect / https://whatever.example.com/
>> CustomLog logs/whatevever.example.com.log common
>> 

This is one more line that my port 80 configs have, I do not log connections to 
port 80.

> So if I redirect to the https version I can out all my per-directory
> config into the *:443 vhost entry?

Everything goes in the 443 VH, only the redirect and server name (and aliases, 
if any) need to be in the 80 VH.

> My worry is where that leaves some primitive browsers that don't
> support SSL.

It's 2021, not 2005.

> Can they not access the page at all?

Nope.

> Do they use the
> *:80 vhost entry and bypass any config that's in the *:443 one?

If you have a config in the 80 VH then it will use that, but the examples given 
and the right way to do this is to redirect ALL HTTP traffic to HTTPS.

> Or should I copy all config into both?

I would say no, you should not. There is no reason at all to use HTTP at this 
point, but that is my opinion. HTTPS is trivial to setup, can be used for free, 
and it simply makes everything better. Start by assuming security is the one 
lesson everyone should take from the last 40 years of the Internet.

If for some reason you want to support very old browsers on very old computers 
running very old OSes, then you would need to have a working config, complete, 
in your port 80 VH and NOT have a redirect.

-- 
'I really should talk to him, sir. He's had a near-death experience!'
'We all do. It's called living.'


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How can I configure “apache2” correctly using multiple sites through VirtualHost?

[@lbutlr]

20 Apr 2021, at 06:25, Marcel Roșca  wrote:
> I configured two sites using the "VirtualHost" method in apache2, but if 
> there is an error in the first configuration file when I call my site, it 
> enters the second site. my configuration files are:

This is very confusing. Using white space to set off the two files and you 
comments would be helpful. Bonus points for a clear indents and structure.

> 1: audio-castle.live:
> 
>   Protocols h2
>   Redirect / https://audio-castle.live
> 

> 
> 

For what it's worth, my configurations all list the web server IP in the 443 
VirtualHost. I seem to recall having issues if I used *. YMMV.

>   Protocols h2
>   ServerName audio-castle.live
>   ServerAlias www.audio-castle.live
>   ServerAdmin
>   DocumentRoot /var/www/audiocastle/web

Document root requires a final / (I think this was a bad decision in the 
parsing of the config file and causes far more trouble than allowing document 
roors without a final / could ever solve, but I did not get a vote).

>   ErrorLog ${APACHE_LOG_DIR}/error.log

Where is APACHE_LOG_DIR defined? If it's defined outside this file, pretty sure 
that doesn't work.

>   CustomLog ${APACHE_LOG_DIR}/access.log combined
>   SSLEngine on
>   Include /etc/letsencrypt/options-ssl-apache.conf
>   SSLCertificateFile /etc/letsencrypt/live/audio-castle.live/fullchain.pem
>   SSLCertificateKeyFile /etc/letsencrypt/live/audio-castle.live/privkey.pem
>   
> AllowOverride All
>   
> 
> 

This virtualhost only exists inside your ifmodule, so if it is not loading the 
virtaulost, it is probably because of this. I have no idea why you have an if 
module at all, since your virtual host is defined as listening to port 443. 
What are you expecting that if module to do? If it is loading, I would expect 
alt you would get a 404 error on "https://audio-castle.liveindex.html;.

> the second file is: gtdvm.com:

And when you say it is the second file, are you sure that it is SECOND as far 
as apache is concerned? `apachectl -S` will list your virtual configurations in 
the order apache loads them.

> the problem is when an error occurs in one of these two files, when I access 
> for example audio-castle.live, I reach the site gtdvm.com, if the error is in 
> the audio-castle.live file. my question is: how to avoid this redirect from 
> one site to another when one of them encounters errors? . I use Ubuntu 20.04, 
> apache2.4.46.

The way to avoid errors is to check your configuration for errors with 
`apachectl -t`, `apachectl -S`  and maybe `apachectl -X` if you are still 
having troubles.

I suspect that what you think is your "second file" is the only one being 
loaded.


-- 
"We take off our Republican hats and put on our American hats" --
Many Republicans in Sep 2008


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] prompting for user+passwd for a websocket proxied url

[@lbutlr]

On 09 Apr 2021, at 03:08, karrageorgiou giannis 
 wrote:
>  have a ws:// url proxied 

That's a new one for me, what is ws:// ??

-- 
"Some cause happiness wherever they go; others, whenever they go.." -
Oscar Wilde


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Wordpress | user:group setting

[@lbutlr]

On 04 Apr 2021, at 17:05, Daniel Ferradal  wrote:
> Set it to root:root, change them when you need to update and set them
> back to root:root when finished.

That is not the norm as far as the servers I see.

Www:staff or www:wheel or www:www are the usual permission.

Directories are 755, files are 444 or 644 if the files are managed by a local 
user account. Of course, depending on how the files are managed, they may need 
to be writable by a process (for example, WordPress need to be able to write 
its files as well as to a database in order to update, something it needs to do 
frequently).

-- 
I WILL NOT YELL "FIRE" IN A CROWDED CLASSROOM Bart chalkboard Ep. 7G01


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache in under attack.

[@lbutlr]

On 14 Jan 2021, at 04:48, Jason Long  wrote:
> Server have 4 CPU cores and 6GB of RAM.
> I pasted Apache configuration. In your opinion, which parts of servers must 
> be examine?

Throwing more resources at the problem is not likely to fix the problem. You 
need to figure out what is going on with your server and WHY it is taking so 
much time it is bogging down and WEHRE the slowdown is happening.

This is not something that someone can just say "Oh, it's this" because the 
problem is unique to your machine, your content, and your users.

I would start with those very suspicious (to me) looking URL requests 
containing dozens of digits of hex. Do those look like they are legitimate 
links to your server's web content?

Also, please stop top-posting and quoting the entire message thread below.

-- 
We are born naked, wet and hungry; then it's all downhill.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache in under attack.

[@lbutlr]

> On 12 Jan 2021, at 01:52, Jason Long  wrote:
> 
> It show me:
> 
> 13180 X.X.X.X
>1127 X.X.X.X 
> 346 X.X.X.X 
> 294 X.X.X.X 
> 241 X.X.X.X 
> 169 X.X.X.X 
> 168 X.X.X.X
> 157 X.X.X.X
> 155 X.X.X.X
> 153 X.X.X.X

Your server would not be getting bogged down by that few connections unless 
your hardware is very weak or you are hosting something insane.

I have a very lightly used web server that gets more than 40K hits a day 
running on a Celeron machine with a whole 4GB of RAM and my load average is in 
the 1.2 range consistently.

I wonder if there is not some configuration error.

Also, the URLs shown in your logs starting with /tag/ followed by a long series 
of hex digits, do those look like valid URLs for your server?

Do a dig -x on the IP that is hitting you 13,000 times and see where it is. You 
can try firewalling it, but if it's not some misconfigured server, the DOS will 
simply move to another IP.

> https://paste.ubuntu.com/p/PsxM8yPXPQ/

I haven't run F2B in quite a while, but is that a list of IPs that you are 
whitelisiing or does [Protect] mean "Protect FROM"?

But if 13,000 queries are crippling your web server, I think your real problem 
lies elsewhere than the 13,000 hits.

(You are loading almost double the modules that I am, by the way. It seems like 
an lot. Do you know why each of those modules is enabled?)

-- 
They say whisky'll kill you, but I don't think it will I'm ridin'
with you to the top of the hill


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to config Authz form ?

[@lbutlr]

On 03 Jan 2021, at 16:23, Jens Kallup  wrote:
> I would inform you, that all is done, and working well.
> Now, I have a simple two-factor authz.

How did you fix it?


-- 
I desire the things that will destroy me in the end.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] failure using wss proxy

[@lbutlr]

On 16 Dec 2020, at 08:03, Guennadi Liakhovetski  wrote:
> that the server was only accepting TLSv1.3 

I would consider that to be a misconfiguration at this point. TLSv1.2 is fully 
supported and current and a server that requires TLSv1.3 is doing something 
wrong.


-- 
I get the feeling that some people's idea of heaven is an "I told you
so" T-shirt - mmalc


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] To Gzip or not?

[@lbutlr]

On 12 Dec 2020, at 06:59, @lbutlr  wrote:
>  TLS 1.4

1.3

-- 
"Are you pondering what I'm pondering?"
"Well, I think so, Brain, but snort no, no, it's too stupid!"


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] To Gzip or not?

[@lbutlr]

On 10 Dec 2020, at 07:38, Tom Browder  wrote:
> When I last serious upgrades to my servers last July one problem with using 
> TLS 1.3 was that the Firefox browser couldn't use it as because of 
> post-handshake problems. So I'm currently running TLSv1.2.

Firefox in general? Or some specific (or old) version? It has no issues 
connecting to TLS 1.4 for me. All you have to do for TLS 1.2 to be secure 
agains BREACH/CRIME is to disable the header compression, if you are unlucky 
enough to have an implementation that enabeld it by default. If you have 
recent-ish versions of openSSL I don't think you can enable compression without 
patching and rebuilding.

(I don't run Firefox myself, but I launch it every few months to make sure my 
stuff at least loads on it)

-- 
Say, give it up, give it up, television's taking its toll That's
enough, that's enough, gimme the remote control I've been nice,
I've been good, please don't do this to me Turn it off, turn it
off, I don't want to have to see


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Questions to SSLciphersuite

[@lbutlr]

On 27 Nov 2020, at 08:34, Lentes, Bernd  
wrote:
> I have an elder software (ServersAlive) 

,,,

> What can i do ?

You need software that works with modern current security. Seems to me like 
your old software is using SSL which is insecure and not supported and should 
NOT be used. Trying to find a work-around that breaks security is not the 
direction you should be looking.

Any Internet facing machine (and I would say that ANY machine, regardless of if 
you THINK it can be accessed from the Internet or not) should be on TLSv1.2 and 
1.3 only at this point, no old deprecated security need apply.

-- 
"You get a wonderful view from the point of no return."


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Bad Gateway with large file upload

[@lbutlr]

On 28 Oct 2020, at 18:05, eric tse  wrote:
> We’re are getting a Bad Gateway error returned when trying to upload large 
> files through an IE browser to our webserver.  

Have you tried with a currently supported browser?

IE is on death watch.

-- 
If I were you boys, I wouldn't talk or even think about women.
'T'ain't good for your health.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Recommended best practices or guides

[@lbutlr]

On 29 Sep 2020, at 08:33, Niranjan Rao  wrote:
> We have a need to allow certain group of people to perform operations such as 
> start/stop/reload etc. Traditionally these operations are performed using 
> sudo command e.g. sudo service apache2 start. These people don't need full 
> sudo permissions. All they need is apache related permissions. We can tinker 
> with an entry in sudoers.d and grant required permissions - but permissions 
> need to be granted to "service" command

Write a command (a simple shell script) that executes the command you want to 
allow, for example, /usr/local/bin/starta2 => "sudo apache2 start" and grant 
the user access to that script in the shudders file.

Repeat with other commands.

Make sure the script(s) is owned by root and has permissions 0700.

> Are there any recommended best practices or guides to allow these kinds of 
> granular permissions? My searches so far has revealed commands using sudo.

Sudo is the way to do this, but to restrict specific commands to specific 
options, you have to to a little two-step.

I do something like this to allow an unprivilegeduser to start rsnapshot.



-- 
"He uses statistics as a drunken man uses lamp-posts... for support
rather than illumination." - Andrew Lang (1844-1912)


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Base server versus virtual servers

[@lbutlr]

On 02 Sep 2020, at 04:52, Tom Browder  wrote:
> My question is: what is a "base server" in this context. For many years I 
> have always listed my main virtual host as the base server but that was 
> pre-OCSP. Do I now have to run a non-https server?

The name I define in https.conf as ServerName is the rDNS for the machine. This 
domain has no pages associated with it, though it does have an info page under 
a sub directory, and is only there for the base config.

I don't know if this is the 'right' way to do this, but I prefer having all the 
domains in cost for consistency.



-- 
Of course, there were various groups seeking his overthrow, and this
was right and proper and the sign of a vigorous and healthy
society. No-one could call him unreasonable about the matter.
Why, hadn't he founded most of them himself? And what was so
beautiful was the way they spent nearly all their time bickering
with one another. Human nature, the Patrician always said, was a
marvelous thing. Once you understood where its levers were.
--Guards! Guards!


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache 2.4 access control (.htaccess)

[@lbutlr]

On 29 Jul 2020, at 17:57, Jim Albert  wrote:
> If I have say 100 separate  sections I have to repeat that same 
> Require ip line for each . Adding or removing IP addresses becomes a 
> maintenance issue.

In regular conf files you can do something like

Define DOMAIN example.com
Define ROOT /usr/local/www/${DOMAIN}/
Define WEBROOT /usr/local/www/${DOMAIN}/html/


   ServerName ${DOMAIN}
   Serveralias www.${DOMAIN}
   Redirect / https://www.${DOMAIN}/


Perhaps something along those lines is possible in htaccess files as well?

I normally do the  blocks in the chest conf file and not in htaccess 
though, but it looks like you can use a rewrite rule to create a variable that 
you then use later in the file.



Or you can use SetEnvIf



Hope that helps?



-- 
I WILL NOT FAKE RABIES Bart chalkboard Ep. 8F07


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] client removal of .htaccess file

[@lbutlr]

On 19 Jul 2020, at 05:48, Joel  wrote:
> Does the .htaccess file physically remain in the directory where it was 
> initially loaded?  Or, does the server remove, transfer, or otherwise dispose 
> of the file?

Impossible for anyone else to answer this who is not in charge of the server.

Just as an example, one on server I had to deal with, the user could overwrite 
or delete .htaccess, but the system replaced it with the system-defined one any 
time the user did this.

In short, the host can do anything they want.




-- 
Forgive your enemies, but remember their names.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Test an SSL certificate before installation

[@lbutlr]

On 02 Jul 2020, at 14:08, Yves Goergen  wrote:
> I'd like to let my users install their own SSL certificates through a web 
> interface for self-management services.

WOuldn't it be simpler to just get a LE cert for those domains? What is the 
advantage to having them upload their own certs?

-- 
"Are you pondering what I'm pondering?"
"I think so, Brain. But will anyone other than Eskimos buy
blubber-flavored chewing gum?"
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Let's Encrypt (LE) and port 80

[@lbutlr]

On 17 Jun 2020, at 16:37, Tom Browder  wrote:
> Thanks for the info--but all I'm only running a dozen or so hosts on a single 
> server

Same.

> and trying to minimize maintenance.

Zero maintenance. Set it up once and forget it. It is all automated.




-- 
'They're the cream!' Rincewind sighed. 'Cohen, they're the cheese.'



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Let's Encrypt (LE) and port 80

[@lbutlr]

On 17 Jun 2020, at 07:05, Tom Browder  wrote:
> 
> Now with my new Apache 2.4.43 I'm ready to automate the process. Is there any 
> way to allow port 80 access but only from an LE server?

In addition to the other replies, you can use the DNS-01 method for 
establishing and rewriting a cert. That doesn't involved your Webserver at all 
(the methodology for doing this depends on your named server so is out of spec 
for this group).



Most of the automation scripts for LE pretty much walk your through setting 
this up.

One other reason you might want to consider doing this is that DNS-01 allows 
for a wildcard certificate for the domain so instead of listing www.example.com 
and smtp.example.com and 47 others, you can just list *.example.com example.com 
and have a set for all possibilities.

In addition, DNS-01 gives you a lot more flexibility in what servers handle the 
renewals, allowing you to easily have a non-web servers run the renewal tasks 
and get the certs then distribute them to you web, mail, and other servers. 
This makes your certificate chain more secure because your public facing 
machine (www) is not the one that is configured to do renewal. Which means that 
getting into your authentication chain is much much harder.

Not making a suggestion, as this is harder to setup, but it is something to 
think about.

HTH



-- 
Train Station: where the train stops. Work Station: …



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Authentication plugins/front end

[@lbutlr]

I'm not sure exactly what I am looking for, so not sure exactly what to search 
for.

Basically, I would like to add authentication to web applications or sites that 
have no support for authentication, and I wonder if there is some sort of 
plugin for apache that I can use that sits between the outside and the web 
pages that handles authentication better than the simple httpauth? Perhaps even 
with support for such "advanced" features as password reset or OAuth?

In most cases I do not want to touch the code for the actual webapp/site beyond 
maybe changes to .htaccess that would not interfere with the settings already 
in htaccess.

This must be something people have already done.



-- 
Did they get you to trade your heroes for ghosts? Hot ashes for
trees? Hot air for a cool breeze? Cold comfort for change?



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] ErrorDocument directory hierarchy

[@lbutlr]

On 20 May 2020, at 13:57, Paul  wrote:
> On 2020-05-20 1:23 p.m., Eric Covener wrote:
>> On Wed, May 20, 2020 at 1:10 PM Paul  wrote:
>>> 
>>> VirtualHost on 2.4.29-1ubuntu4.13. .conf includes :
>>>  DocumentRoot "/www/mysite"
>>>  /.../
>>>  ErrorDocument 404 /error/404.html
>>> 
>>> The 404.html has :
>>>  
>>> 
>>> Works perfectly for 404s at DocumentRoot level, but fails for
>>> subdirectories eg DocumentRoot/foo/bar/mypages. Error logs show:
>>> 
>>> "GET /bar/css/general.css HTTP/1.1" 404 5245 "-" etc...
>>> 
>>> Apache finds the text of the custom 404 at the DocRoot reference, but
>>> apparently interprets the >> page, so does not format the text. The client "page source" shows the
>>> correct relative path.
> 
> Thanks Eric, problem solved. Wrote the styles into the html. I just wanted to 
> keep the client's browser showing the file [s]he had tried to find, rather 
> than /error/404.html.

You could also put the absolute path to the css file in the href.


-- 
I WILL NOT YELL "FIRE" IN A CROWDED CLASSROOM Bart chalkboard Ep.
7G01



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Debugging apache configs

[@lbutlr]

On 01 May 2020, at 16:19, Rich Bowen  wrote:

(Tried to fix the quote levels, apologies if I missed something)

>> The login in apache is… well, terrible? Appalling? Almost entirely a waste 
>> of disk space?
> 
> You can configure it to whatever level suits you. That's your choice.  

Changing the level doesn’t actually improve the logging though, just changes 
how much or little is logged.

>> I mean, 86%% of my error log (yes, I checked and did the calculation) is  
>> ever so helpful lines like this:
>> 
>> [Fri May 01 15:53:14.704934 2020] [ssl:info] [pid 17522] [client 
>> 65.121.55.45:46411] AH01964: Connection to child 1 established (server 
>> www.covisp.net:443)
>> 
>> Really? That’s an ERROR? In what universe is that an error? And how they 
>> hell is it even HELPFUL since it is entirely a stand-alone line devoid of 
>> any context whatsoever?

> No. It's an info. Says right there in the message. 

It is logged to httpd-error.log

>> [Fri May 01 15:26:31.491833 2020] [ssl:info] [pid 17508] AH01914: 
>> Configuring server www.covisp.net:443 for SSL protocol
>> 
>> Yep, that is an error I need to be aware of. Sure.

> Also an info 

Also logged to httpd-error.log

> I'm completely unclear what the purpose of this comment is. If you're asking 
> what the error message means I can probably help you with that, but it kind 
> of sounds like you're picking a fight here. Did you have an actual question?

Not picking a fight, just frustrated by the very bad user-hostile logging. I 
suppose it’s great for log analysis tools, but not so great for humans. 


-- 
I WILL NOT PLEDGE ALLEGIANCE TO BART Bart chalkboard Ep. 7F09



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Odd 302s in the logs

[@lbutlr]

On 01 May 2020, at 15:41, Rich Bowen  wrote:
> That's what we call referrer spam. I've never really understood what the 
> point was, but they make requests with bogus information in the referral 
> field, which then ends up in your log files. Somehow this makes them feel 
> good about themselves. 
> 
> https://en.m.wikipedia.org/wiki/Referrer_spam

OK. Weird, but OK.


-- 
In other news, Gandalf died. -- Secret Diary of Boromir



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Debugging apache configs

[@lbutlr]

On 01 May 2020, at 15:38, Rich Bowen  wrote:
> On the other hand, adding a bunch of additional debug level prints in the URL 
> mapping modules would serve the same purpose. But, again, that doesn't exist 
> at this time, as far as I'm aware.

The login in apache is… well, terrible? Appalling? Almost entirely a waste of 
disk space?

I mean, 86%% of my error log (yes, I checked and did the calculation) is  ever 
so helpful lines like this:

[Fri May 01 15:53:14.704934 2020] [ssl:info] [pid 17522] [client 
65.121.55.45:46411] AH01964: Connection to child 1 established (server 
www.covisp.net:443)

Really? That’s an ERROR? In what universe is that an error? And how they hell 
is it even HELPFUL since it is entirely a stand-alone line devoid of any 
context whatsoever?

[Fri May 01 15:26:31.491833 2020] [ssl:info] [pid 17508] AH01914: Configuring 
server www.covisp.net:443 for SSL protocol

Yep, that is an error I need to be aware of. Sure.

And the access logs are no better.

[Fri May 01 05:43:27.032221 2020] [cgid:error] [pid 95842] [client 
150.136.214.147:54436] AH01264: script not found or unable to stat: 
/usr/local/www/apache24/cgi-bin/luci

Is that a configuration error, or some idiot trying to hack something that’s 
not there?

grmbl.

Sorry for my rant, but it’s your own fault for mentioning logs, even if 
obliquely!  


-- 
And there were all the stars, looking remarkably like powered
diamonds spilled on black velvet, the stars that lured and
ultimately called the boldest towards them…



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Odd 302s in the logs

[@lbutlr]

Seeing a Loy of lines like this in the logs (mixed in with all the attemepts to 
accesses wordprex/admin-login types of URLS, of course)

46.118.227.27 - - [01/May/2020:15:10:37 -0600] "GET / HTTP/1.1" 302 213 
"https://french-poetry.com/; "Mozilla/4.7 (compatible; OffByOne; Windows 2000) 
Webster Pro V3.4" 162 397
46.118.227.27 - - [01/May/2020:15:10:37 -0600] "GET / HTTP/1.1" 302 213 
"https://studentguide.ru/; "Mozilla/4.7 (compatible; OffByOne; Windows 2000) 
Webster Pro V3.4" 160 397
46.118.227.27 - - [01/May/2020:15:10:37 -0600] "GET / HTTP/1.1" 302 213 
"https://french-poetry.com/; "Mozilla/4.7 (compatible; OffByOne; Windows 2000) 
Webster Pro V3.4" 162 397
46.118.227.27 - - [01/May/2020:15:10:38 -0600] "GET / HTTP/1.1" 302 213 
"https://studentguide.ru/; "Mozilla/4.7 (compatible; OffByOne; Windows 2000) 
Webster Pro V3.4" 160 397
46.118.227.27 - - [01/May/2020:15:10:38 -0600] "GET / HTTP/1.1" 302 213 
"https://french-poetry.com/; "Mozilla/4.7 (compatible; OffByOne; Windows 2000) 
Webster Pro V3.4" 162 397

Don’t think my server is redirecting to studentguide.ru, but what is happening 
here?



-- 
'You know the worst of it?' said Rincewind. 'Oook?' 'I don't even
remember walking under a mirror.' —Mort



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Problem new virtual host

[@lbutlr]

On 01 May 2020, at 08:55, Rich Bowen  wrote:
> The fact that you can "ping" it seems to point to options 2 or 3 in that list.

Maybe. Ping doesn’t require DNS.


-- 
I WILL STOP TALKING ABOUT THE TWELVE INCH PIANIST Bart chalkboard Ep.
3F07



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Debugging apache configs

[@lbutlr]

On 01 May 2020, at 08:52, Rich Bowen  wrote:
> On 4/30/20 6:08 PM, @lbutlr wrote:
>> I'm trying to troubleshoot a Domain that is loading the wrong content (Well, 
>> I am sure it is loading the RIGHT content, but not the INTENED content) and 
>> was wondering if there is a flag for apachectl that will show me what apache 
>> thinks the document root is for each vhost? And possibly a way of piping in 
>> a URL and having apache spit back where that URL points to locally and the 
>> steps taken to get there (redirect, proxy, lookup, whatever).
>> A trace, essentially.
> 
> 
> Not directly, but
> 
> httpd -t -D DUMP_VHOSTS
> 
> is a good start. It at least tells you what names are handled by what bits of 
> the configuration file(s).

Yeah, but it dodoesn’t show the path that apache takes to load a page, which is 
what I am looking for.

For example, the issue that I had turned out to be that since DirectoryIndex 
globally contains index.php, the fcgi was triggering even when there was no 
index.php file present instead of loading the index.html. Either setting 
DirectoryIndex locally or disabling the fcgi resulted in the expected page 
loading.

That wasn’t discoverable by looking at the configuration until I thought, “Huh, 
I wonder…”

Seems there would be some tool out there that would do this as it must be 
someone else has thought of for troubleshooting,


-- 
I gotta straighten my face This mellow-thighed chick just put my
spine out of place



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Debugging apache configs

[@lbutlr]

On 30 Apr 2020, at 16:08, @lbutlr  wrote:
> A trace, essentially.

What I am thinking is something along the lines of:

Apache received http://w.example.com/
  Redirected https://w.example.com/
DocumentRoot /usr/local/www/example/web/
  Loading DocumentIndex index.php
fcgi redirect /usr/local/www/example/otherweb/index.php

-- 
You are twisted and sick; I like that in a person.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Debugging apache configs

[@lbutlr]

I'm trying to troubleshoot a Domain that is loading the wrong content (Well, I 
am sure it is loading the RIGHT content, but not the INTENED content) and was 
wondering if there is a flag for apachectl that will show me what apache thinks 
the document root is for each vhost? And possibly a way of piping in a URL and 
having apache spit back where that URL points to locally and the steps taken to 
get there (redirect, proxy, lookup, whatever).

A trace, essentially.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Why does httpd consume more memory over a period of time ?

[@lbutlr]

On 20 Mar 2020, at 03:42, Satish Chhatpar 02  wrote:
> Why does httpd consume more memory over a period of time ?

It doesn’t.

> Any know issues with this version of Apache ?
> 
> 
> We are using below version of OS and HTTPD in our production.
> 
> Red Hat Enterprise Linux Server release 7.5 (Maipo)
> 
> Server version: Apache/2.4.39 (codeit)
> Server built:   May 31 2019 14:14:30
> 
> PHP 7.2.24 (cli) (built: Oct 22 2019 11:15:01) ( NTS )
> Copyright (c) 1997-2018 The PHP Group
> Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
> with Zend OPcache v7.2.24, Copyright (c) 1999-2018, by Zend Technologies

What else do you have installed and running?

> ::DISCLAIMER:: 
> 
> Confidentiality Notice from Dixons Carphone plc (registered in England & 
> Wales No.07105905) of 1 Portal Way, London, W3 6RS ("Dixons Carphone"). The 
> information contained in this e-mail and any attachments may be legally 
> privileged, proprietary and/or confidential. If you received this e-mail in 
> error, please notify the sender by return, permanently delete the e-mail and 
> destroy all hard copies immediately. No warranty is made as to the 
> completeness or accuracy of the information contained in this e-mail. 
> Opinions, conclusions and statements of intent in this e-mail are those of 
> the sender and will not bind any Dixons Carphone group company (Dixons 
> Carphone Group) unless confirmed by an authorised representative 
> independently of this e-mail. We do not accept responsibility for viruses; 
> you must scan for these. E-mails sent to and from Dixons Carphone Group are 
> routinely monitored for record keeping, quality control, training purposes, 
> to ensure regulatory compliance and to prevent viruses and unauthorised use 
> of our computer systems. The Carphone Warehouse Limited (registered in 
> England & Wales No.02142673) is a member of the Dixons Carphone Group and is 
> authorised and regulated by the Financial Conduct Authority. 
> 

I do not agree to your terms,





-- 
he'd moved like music, like someone dancing to a rhythm inside his
head. And his face for a moment in the moonlight was the skull of
an angel…



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache on windows

[@lbutlr]

On 27 Feb 2020, at 17:10, Paul  wrote:
> On 2020-02-27 3:56 p.m., @lbutlr wrote:
>> On 26 Feb 2020, at 18:58, wtf  wrote:
>>> -- 
>>>   
>>> With over 1.2 billion
>>>   devices now running Windows 10, customer satisfaction is
>>>   higher than any previous version of windows.
>>>   
>>> 
>> Seriously? Please don’t post garbage formatting like this to public lists.
> 
> Totally agree, but "seriously?" do not use MicroS**t "From:" with coloured 
> smileys into your responses (for ref they're something along the lines of "ð 
> Ÿ ˜ ‰ " white space hopefully added) ;=}

Those smileys have nothing at all to do with Microsoft, they are standard UTF 
characters. While they can be annoying, they are nowhere near as annoying as 
giant badly-colored text blocks. (And to be clear, I am not suggestiogn that 
better colors would make this better).

I wish all mailing lists rejected HTML formatted mail.


-- 
They all have husbands and wives and children and houses and dogs,
and you know, they've all made themselves a part of something and
they can talk about what they do. What am I gonna say? "I killed
the president of Paraguay with a fork. How've you been?”



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache on windows

[@lbutlr]

On 26 Feb 2020, at 18:58,  Good Guy   wrote:

> -- 
>   
> With over 1.2 billion
>   devices now running Windows 10, customer satisfaction is
>   higher than any previous version of windows.
>   
> 


Seriously? Please don’t post garbage formatting like this to public lists.


-- 
AUDITORS OF REALITY. THEY THINK OF LIFE AS A STAIN ON THE UNIVERSE. A
PESTILENCE. MESSY. GETTING IN THE WAY. 'In the way of what?' THE
EFFICIENT RUNNING OF THE UNIVERSE.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Configuration question

[@lbutlr]

On 27 Jan 2020, at 19:27, Richard  wrote:
> If you're trying to serve your content via http, which appears to be
> your goal, then to serve it out on different ports - without using
> the apache virtual host configuration - you'd need to have multiple
> instances of apache running. That's possible, but very ugly. 

Is this a change in recent versions? I recall using apache in the past to 
server pages on port 80 and 8080 and 8081 all from the same conf file.

I mean, I am reasonably sure it was apache, though it was quite a long time ago 
(1.3 days, probably)


-- 
When a distinguished but elderly scientist states that something is
possible, he is almost certainly right. When he states that
something is impossible, he is probably wrong.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SSL certificate update failed - httpd-2.4.6-90.el7

[@lbutlr]

On 07 Jan 2020, at 21:20, Sac Isilia  wrote:
> "apache and IIS are communicating is where your problem appears to be" - How 
> to trace that IIS and apache are communicating.

No Idea, I do not use IIS.

> Because the existing certificate works fine. The problem arises only when new 
> certificate is updated. The server on which website is hosted runs on Linux 
> and was recently migrated to Azure.

IIS is not Linux, it runs on Microsoft's Windows.



(I am going from this message:


On 07 Jan 2020, at 03:14, Daniel Ferradal  wrote:
> I'm confused now. The server responding says it is a IIS server, not Apache.
> 
> "Server: Microsoft-IIS/10.0”=

)


-- 
you cannot code around infinite implementations of OCD -John C Welch


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SSL certificate update failed - httpd-2.4.6-90.el7

[@lbutlr]

On 07 Jan 2020, at 06:53, Sac Isilia  wrote:
> apachectl -S

This isn’t going to help as long as the server facing the outside is an IIS 
server and not apache.

However apache and IIS are communicating is where your problem appears to be.

I bet if you can access the apache server directly without AWS/IIS, it will 
work as expected.


-- 
I'm completely in favor of the separation of Church and State. My
idea is that these two institutions screw us up enough on their
own, so both of them together is certain death.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Access control, VirtualHost & Apache 2.4

[@lbutlr]

On 06 Jan 2020, at 11:21, Adrian Gschwend  wrote:
> If I add
> 
> --
>  
>Require all granted
>  
> --
> 
> This seems to work.

FSVO of “work” that include potentialy allowing access to every single file in 
every singe directory on your system, sure.

You should never ever change the  block.

DocumentRoot "/usr/local/"

Options +Indexes +FollowSymLinks +Includes -SymLinksIfOwnerMatch
AllowOverride All
Require all granted


This will allow access to only your www directories. Of course, change [ath to 
match your install, and you can add other blocks for other directory trees.


AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS


To allow local users to put web stuff in $HOME/html/ for example.



-- 
Lister: What d'ya think of Betty? Cat: Betty Rubble? Well, I would go
with Betty... but I'd be thinking of Wilma. Lister: This is
crazy. Why are we talking about going to bed with Wilma
Flintstone? Cat: You're right. We're nuts. This is an insane
conversation. Lister: She'll never leave Fred, and we know it.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SSL certificate update failed - httpd-2.4.6-90.el7

[@lbutlr]

On 04 Jan 2020, at 10:02, Sac Isilia  wrote:
> ah01909: rsa certificate configured for xxx:443 does not include an 
> id which matches the server name  
> 
>   Please help me in resolving this issue.

That seems clear to me.

What is the server name and what are the servers listed in the certificate? Is 
there a match?

Are you sure?

Are you looking at the right certificate? Is the server looking at the right 
certificate? Has apache been restarted?



-- 
NOTHING IS FINAL. NOTHING IS ABSOLUTE. EXCEPT ME, OF COURSE. SUCH
TINKERING WITH DESTINY COULD MEAN THE DOWNFALL OF THE WORLD.
THERE MUST BE A CHANCE, HOWEVER SMALL. THE LAWYERS OF FATE DEMAND
A LOOPHOLE IN EVERY PROPHECY. —Sourcery


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Enabling SHA1 for client certificates

[@lbutlr]

On 23 Oct 2019, at 09:38, Stefan Eissing  wrote:
> "WARNING at this time setting the security level higher than 1 for general 
> internet use is likely to cause considerable interoperability issues and is 
> not recommended. This is because the SHA1 algorithm is very widely used in 
> certificates and will be rejected at levels higher than 1 because it only 
> offers 80 bits of security.”

When was that written, because it is absolutely not true in October 2019.



-- 
Looking into Granny's eyes was like looking into a mirror. What you saw
looking back at you was yourself, and there was no hiding place.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Enabling SHA1 for client certificates

[@lbutlr]

On 23 Oct 2019, at 03:49, Wouter Verhelst  wrote:
> I know that SHA1 is insecure these days, but I have no control over the 
> algorithms used in this particular CA, and I need to be able to use it.

This is a case of pushing back to get the incompetent CA to update. Even if you 
manage to get Apache to do this, the browsers will balk at it.

> Anyone have any idea if it's possible to relax the requirements for client 
> CAs somehow?

I don’t think so, it’s been deprecated for several years and breakable for 
several more.

Chrome dropped support in 2016, possibly early 2017 (Chrome 54 comes to mind)?

Safari dropped any support for SHA1 this year.


-- 
99 percent of lawyers give the rest a bad name.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AuthzSendUnauthorizeOnFailure?

[@lbutlr]

On Oct 2, 2019, at 5:53 PM, Jack Simmons  wrote:
> Is it possible to force apache to return HTTP 401 instead of HTTP [403] if 
> any condition inside RequireAll fails?

The two codes mean different things.

401 basically means “hey, you need to login or login again” (Unauthorized) 
while 403 means “Hey, I know you logged in, but you aren’t allowed to access 
this” (Forbidden).

> Yet if I will put "Require env SMTH" additionally, apache will check "Require 
> valid user" but then, after it will fail with "denied (no authentocated user 
> yet)", it will also check my second "Require" and will fail just with 
> "denied" and throw HTTP 403. I think this is a bug. Why apache checks for a 
> second Require in RequireAll if the first one failed already?

Digging far into the recesses of my memory, RequireAll always checks every 
clause because, for example, you can do something like this:


Require all granted
Require not ip 10.252.46.165


Which allows all users UNLESS they are from 10.252.46.165



The purpose of  is to group things into one logical block. If you 
want things to fail in order without checking other conditions, don’t use 
requireAll?



-- 
I'm just going to go home, lie down, and listen to country
music. The music of pain.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] protect apache to stop work if logdir is missing

[@lbutlr]

On Sep 10, 2019, at 3:39 AM, Anton Gorlov  wrote:
> 10.09.2019 5:09, @lbutlr пишет:
>> On Sep 9, 2019, at 11:21 AM, Anton Gorlov  wrote:
>>> I need to provide users with the ability to archive logs on their own
>> Yes? And? You’ve been told two ways to do this that do not require modifying 
>> the source code.
> 
> pipe logs to some  script/program and???

Nope. That was not one of the suggestions at all.



-- 
There are 10 types of people in the world: Those who understand binary
and those who don’t.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] protect apache to stop work if logdir is missing

[@lbutlr]

On Sep 9, 2019, at 11:21 AM, Anton Gorlov  wrote:
> I need to provide users with the ability to archive logs on their own

Yes? And? You’ve been told two ways to do this that do not require modifying 
the source code.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] protect apache to stop work if logdir is missing

[@lbutlr]

On 9 Sep 2019, at 10:13, Anton Gorlov  wrote:
> 09.09.2019 19:07, @lbutlr пишет:
>> On 9 Sep 2019, at 09:57, Anton Gorlov 
>>  wrote:
>> 
>>> I need the web server to continue working if the user has deleted the log 
>>> directory.
>>> 
>> I would solve this by preventing the user from deleting the directory or 
>> recreating it on deletion, not by patching the source code.
> 
> unfortunately I can’t prevent users from deleting directories

Why not? If that is the case, do not put the log folders in the user’s space 
and instead replicate logs for the users who do want them.

Either way, patching the source code doesn’t seem like the solution.



-- 
"He has no enemies, but is intensely disliked by his friends.." Oscar
Wilde


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] protect apache to stop work if logdir is missing

[@lbutlr]

On 9 Sep 2019, at 09:57, Anton Gorlov  wrote:
> I need the web server to continue working if the user has deleted the log 
> directory.

I would solve this by preventing the user from deleting the directory or 
recreating it on deletion, not by patching the source code.


-- 
'There's a kind of magic in masks. Masks conceal one face, but reveal
another. The one that only comes out in darkness. I bet you could do
just what you liked, behind a mask...?' —Maskerade


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Has anybody used a SQL database to store static pages without using PHP?

[@lbutlr]

On 1 Sep 2019, at 01:39, timothylegg .  wrote:
> Can you store an entire static page in an SQL database such as MariaDB
> or MySQL and have httpd initiate the database query by parsing the
> search parameter from the URL?  i.e.
> https://www.example.org/benny/index.html would search a table for
> "/benny/index.html" and return back a corresponding VARCHAR, or maybe
> BLOB, that contains the entire HTML document.

Sure.

> Searching for this idea on a modern search engine was maddening.


Just because you can do it, doesn’t mean it’s a good idea. The way to do this 
is to use a CDN that load the contents for pages dynamically into a template 
document.

WordPress, for example. There are, of course, many other choices.


-- 
The King of Marigold was in the kitchen cooking breakfast for the Queen
The Queen was in the parlor playing piano for the children of the King


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Issue while generating large documents

[@lbutlr]

On 22 Aug 2019, at 11:03, Santosh Kondapuram 
 wrote:
> This e-mail message and any files transmitted with it may contain 
> confidential and proprietary information and are intended solely for the use 
> of the individual or entity to which they are addressed. Any unauthorized 
> review, use, disclosure or distribution is strictly prohibited. If you have 
> received this e-mail in error please notify the sender by reply email and 
> destroy all copies of the original message. Thank you for your cooperation.






-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apache 2.4.29 ubuntu 18.04 VirtualHost ssl redirect not working?

[@lbutlr]

On 13 Aug 19, at 10:48 , gene me  wrote:
> Solution: My mistake was leaving "DocumentRoot" commented out. I thought the 
> root specification in "80" section might suffice, but no. Once I fixed that - 
> everything works. All correct pages are shown.
> 
> I think at least a warning from Apache should be visible for "apachectl -t" 
> or "apachectl -S" options, but ...
> 

I think the DocumentRoot defaults to that specified for the primary domain 
(that is, in http.conf outside Andy VirtualHost) if otherwise unset, so there 
is no syntax error for Apache to detect.



-- 
if you ever get that chimp off your back, if you ever find the thing
you lack, ah but you know you're only having a laugh. Oh, oh here we
go again -- until the end.

Re: [users@httpd] Blocking particular URL/file patterns

[@lbutlr]

On 2 Jul 2019, at 14:16, James Moe  wrote:
> /condalia1398.xml.gz
> /heling348628-h1819-746-be2dochmiacal-97a2-/6a465d7hll78i1/

… 

> Is there a way to write a filter that blocks the above URL patterns
> without generating a 404 response?

Have you looked into robots.txt? And a sitemap?




-- 
"Patience has its limits. Take it too far, and it's cowardice." - George Jackson



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Adding perl-cgi in apache 2.4

[@lbutlr]

On 18 Jun 2019, at 22:03, @lbutlr  wrote:
> I need to enable perl-cgi for a specific directory local to a single site. 

I just punted and rewrote the the script in php.

-- 
You only had to look into Teatime's mismatched eyes to know one thing,
which was this: if Teatime wanted to find you he would not look
everywhere. He'd look in only one place, which would be the place where
you were hiding. --Hogfather



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Adding perl-cgi in apache 2.4

[@lbutlr]

On 19 Jun 2019, at 09:00, Bret Stern  wrote:
> Your original post log error indicated:
> 
> No such file or directory: AH01241: exec of '/usr/local/www/bi/cgi-
> local/b4.pl' failed
> 
> Perhaps the path for cgi scripts has been changed/redifined from the
> default in the apache config file

 # ls -ls /usr/local/www/bi/cgi-local/b4.pl 

   16 -rwxrwxrwx  1 www  wheel  4852 Jun 18  2004 
/usr/local/www/bi/cgi-local/b4.pl

And I have that same path set in the  in the site’s conf file

  

I mean, I don’t think there’s a tyop there, but I’ve been known to miss them.

-- 
Lead me not into temptation, I can find the way.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Adding perl-cgi in apache 2.4

[@lbutlr]

On 19 Jun 2019, at 00:25, bret_st...@machinemanagement.com wrote:
> Permissions on the executable/.pl
> script correct to run when called?

Permissions are the same they’ve been since 2004, 777.


On 19 Jun 2019, at 05:07, Eric Covener  wrote:
> bad shebang in the file itself?  Suspicious that you added "perl" in
> front explicitly.

It is a perl cgi, there is no shebang at all.

> If you don't want to run it via its defined interpreter, which is what
> mod_cgi does

No, I very much do want to run it just as it has been run in the past.



-- 
You and me Sunday driving Not arriving



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Adding perl-cgi in apache 2.4

[@lbutlr]

I need to enable perl-cgi for a specific directory local to a single site. 

I uncommented cgi in http.conf

LoadModule cgid_module libexec/apache24/mod_cgid.so

In the conf for the site in question I have the following:

   
 AllowOverride All
 Require all granted
   
   
  AllowOverride None
  Options +ExecCGI 
  AddHandler cgi-script .pl .cgi
  Order allow,deny
  allow from all
   

When I try to go to the file at /usr/local/www/bi/cgi-local/b4.pl I get 

> Internal Server Error
> 
> The server encountered an internal error or misconfiguration and was unable 
> to complete your request.
> 
> Please contact the server administrator at ad...@covisp.net to inform them of 
> the time this error occurred, and the actions you performed just before this 
> error.
> 
> More information about this error may be available in the server error log.

in the http-error.log there is only:

[cgid:error] [pid 25120] (2)No such file or directory: AH01241: exec of 
'/usr/local/www/bi/cgi-local/b4.pl' failed
[Tue Jun 18 21:54:59.858842 2019] [cgid:error] [pid 24551] [client 
x.x.x.x:58890] End of script output before headers: b4.pl, referer: 

However, the script itself hasn’t been modified in 15 years, so I don’t think 
the script itself is the problem and if I run it from the command line it 
outputs a regular html file (without the content since the flags that are 
normally passed on the URL are not present.

# perl cgi-local/b4.pl  

Content-type: text/html

http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd;>





…




-- 
Lead me not into temptation, I can find the way.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Control / Modify the HTTP Status Line

[@lbutlr]

On 22 May 2019, at 14:29, Shmuel Krakower  wrote:
> I guess I should add few pieces of information.
> The client is one SaaS and the backend is another SaaS. The backend returns 
> 302 which is right but the client consider anything which is not 2xx as error 
> which cause it to retry.

So, that simply moves the incorrect behavior from eh backend to the server you 
do control.

302 is not a "retry" request, and treating it as such would be considered 
abusive.

> Therefore I must "hack" or stitch it with a proxy. I am using mod_proxy.
> My other alternative is to use other software than httpd to stitch those two 
> services and show 200 instead of the 302.

Or fix the software that doesn't understand what a 302 code is.

> The solution mentioned in stackoverflow will not work for 302 response as I 
> cannot set error page for such non-error response codes.

Of course not, it's not an error code, it's a success code.

-- 
I used to work in a fire hydrant factory. You couldn't park anywhere near the 
place.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Control / Modify the HTTP Status Line

[@lbutlr]

On 22 May 2019, at 12:00, Shmuel Krakower  wrote:
> I am using Apache for proxying a backend server.
> The backend server may return, in some occaisons, a 302 response code for 
> successful requests.

This is incorrect behavior and you should fix that, not try to hack the reply 
codes.

-- 
"Humor is a rubber sword - it allows you to make a point without drawing
blood." - Mary Hirsch



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: CVE-2019-0211/0215/0217

[@lbutlr]

On 6 Apr 2019, at 08:59, Sunhux G  wrote:
> Are above CVEs affecting Apache httpd (ie web servers) 2.4.x  only 
> & other lower versions (eg: our Solaris 10's  Apache/2.0.63) are not
> affected?

The CVE lists, explicitly, what versions are affected.

"The flaw was discovered by Charles Fol and impacts all Apache HTTP Server 
releases from 2.4.17 to 2.4.38. The issue has been addressed with the release 
of Apache httpd 2.4.39"

Also, as you should be aware, Apache 2.0 and Apache 2.2 are both End-of-life 
and not supported any longer.


-- 
Love is like oxygen / You get too much / you get too high / Not enough
and you're gonna die


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: apache service unavailable

[@lbutlr]

On 13 Mar 2019, at 23:26, @lbutlr  wrote:
> "The service is not available. Please try again later."

Never mind. The issue was not apache related at all, it was a 
misconfiguration/corruption of pound that came to light after the reboot.



-- 
"We're philosophers. We think, therefore we am."



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: apache service unavailable

[@lbutlr]

forgot to include the version info.

On 13 Mar 2019, at 23:26, @lbutlr  wrote:
> apachectl -S reports no errors.

# apachectl -V
Server version: Apache/2.4.37 (FreeBSD)
Server built:   unknown
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   32-bit
Server MPM: prefork
  threaded: no
forked: yes (variable process count)
Server compiled with
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
 -D APR_USE_FLOCK_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/usr/local"
 -D SUEXEC_BIN="/usr/local/bin/suexec"
 -D DEFAULT_PIDLOG="/var/run/httpd.pid"
 -D DEFAULT_SCOREBOARD="/var/run/apache_runtime_status"
 -D DEFAULT_ERRORLOG="/var/log/httpd-error.log"
 -D AP_TYPES_CONFIG_FILE="etc/apache24/mime.types"
 -D SERVER_CONFIG_FILE="etc/apache24/httpd.conf"



-- 
It was where the city kept all those things it occasionally needed but
was uneasy about, like the Watch-house, the theatres, the prison and the
publishers. It was the place for all those things which might go off
bang in unexpected ways.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] apache service unavailable

[@lbutlr]

Due to a large blizzard, we lost power for some period of time today, and the 
server's UPS didn't hold out. After the power was back, https responds to all 
attempts to connect with

"The service is not available. Please try again later."

displayed in the browser.

Nothing shows up in the httpd-error.log, but httpd-access.log looks odd. This 
is what happened when I just tried to load a specific page.

x.x.x.x - - [13/Mar/2019:23:14:25 -0600] "\x16\x03\x01\x02" 400 226 "-" "-" 50 0
x.x.x.x - - [13/Mar/2019:23:14:25 -0600] "\x16\x03\x01\x02" 400 226 "-" "-" 56 0
x.x.x.x - - [13/Mar/2019:23:14:25 -0600] "\x16\x03\x01" 400 226 "-" "-" 48 0

apachectl -S reports no errors. I've restarted apache and even restarted the 
server.

When I start apache, I get this in the error log

[Wed Mar 13 22:39:38.847868 2019] [ssl:info] [pid 75453] AH02568: Certificate 
and private key www.example.com:443:0 configured from 
/usr/local/etc/dehydrated/certs/example.com/cert.pem and 
/usr/local/etc/dehydrated/certs/example.com/privkey.pem
[Wed Mar 13 22:39:38.847945 2019] [ssl:info] [pid 75453] AH01876: 
mod_ssl/2.4.37 compiled against Server: Apache/2.4.37, Library: 
OpenSSL/1.0.2o-freebsd
[Wed Mar 13 22:39:38.849271 2019] [mpm_prefork:notice] [pid 75453] AH00163: 
Apache/2.4.37 (FreeBSD) OpenSSL/1.0.2o-freebsd configured -- resuming normal 
operations
[Wed Mar 13 22:39:38.849278 2019] [mpm_prefork:info] [pid 75453] AH00164: 
Server built: unknown
[Wed Mar 13 22:39:38.849293 2019] [core:notice] [pid 75453] AH00094: Command 
line: '/usr/local/sbin/httpd'

Not sure what to do at this point.

-- 
Far away, across the fields, the tolling of the iron bell calls the
faithful to their knees to hear the softly spoken magic spells.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: How to block Apache2 from showing dir lists on Ubuntu 16.04 server...

[@lbutlr]

Bo Berglund  wrote:
> equire valid-user
> Options -Indexes
> DirectoryIndex dirlist.php

Does you main configuration have AllowOverride?

> I even went as far as editing the
> /etc/apache2/sites-available/000-default.conf file and adding this to
> the end of the directory block:

I didn't know that file, nor do I have the directory structure on my apache 
install (for me, sites-available is an nginx directory), but what does 
apachectl -S show as the path to the configuration files?

for example:

default server www.example.com 
(/usr/local/etc/apache24/extra/httpd-vhosts.conf:1)

-- 
all your snowflakes are urine and you can't even find the cat


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Graceful shutdown of apache

[@lbutlr]

On 10 Dec 2018, at 10:11, Hemant Chaudhary  
wrote:
> I have updated apache-2.4.29 to apache-2.4.37 but still I am not able to 
> graceful shutdown in debug mode.

What do you mean by a graceful shutdown? The graceful command doesn’t shutdown 
apache. If you are using graceful-stop then that will either stop apache or 
report an error.

Please provide some logs.

-- 
This above all, to thine own self be true And it must follow, as the
night the day, Thou canst not then be false to any man.





-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Configuring redirects from http to https

[@lbutlr]

On Mon Dec 03 2018 12:17:01 Jack M. Nilles   said:
> 
> 
> 
> 





Should be just fine.


-- 
And I was grounded while you filled the skies I was dumbfounded by
truth; you cut through lies


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: SSL Handshake Exception in call from Android

[@lbutlr]

On 02 Nov 2018, at 14:58, Jerry Malcolm  wrote:
> The same Android app calls Google Maps https with no problem and also calls 
> another server with https that I do not own with no problem.  So I'm assuming 
> I have something wrong in my httpd config.  But I need some help figuring it 
> out.


Have you checked your server against an ssl reporter like SSL Labs?



If you domain is malcolms.com there are some minor issues:



I suspect the source of your issues are the SNI mismatch, though it could be 
allowing the deprecated/weak TLS_RSA_* cipher suites.

The lack of SNI leads to “Not trusted by Android trust store"

-- 
'It's a lovely morning, lads,' he said. 'I feel like a million dollars.
Don't you?' There was a murmur of reluctant agreement. 'Good,' said
Cohen. 'Let's go and get some.' --Interesting Times


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Warning from users@httpd.apache.org

[@lbutlr]

On 03 Nov 2018, at 07:26, Leland  wrote:
> Return-Path: <>
> Received: (qmail 11330 invoked for bounce); 23 Oct 2018 17:04:55 -
> Date: 23 Oct 2018 17:04:55 -
> From: mailer-dae...@apache.org
> To: users-digest-return-1181...@httpd.apache.org
> Subject: failure notice

Your mail server rejected a message from the mailing list. The time stamp 
should allow you to find the event in your logs and figure out why the message 
was rejected.

You can also follow the instructions in the mail to have the message resent to 
you, or click the following link. If the message failure was because of some 
filter on your server, it should trigger again, possibly making it easier to 
find in the logs.

  

-- 
If you could do a sort of relief map of sinfulness, wickedness and
all-round immorality, rather like those representations of the
gravitational field around a Black Hole, then even in Ankh-Morpork the
Shades would be represented by a shaft. In fact the Shades was
remarkably like the aforesaid well-known astrological phenomenon: it had
a certain strong attraction, no light escaped from it, and it could
indeed become a gateway to another world. The next one.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Failed to acquire SSL session cache lock

[@lbutlr]

On 22 Oct 2018, at 08:02, Muhammad Hernawan  wrote:
> please create new thread for your issue

Says the person who posted 4 times for one issue…

-- 
Up the airy mountains, down the rushy glen... From ghosties and bogles
and long-leggity beasties... My mother said I never should... We dare
not go a-hunting for fear... And things that go bump... Play with the
fairies in the wood... --Lords and Ladies


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Failed to acquire SSL session cache lock apache2.4 on Ubuntu 18.04

[@lbutlr]

On 21 Oct 2018, at 01:13, Muhammad Hernawan  wrote:
> I use Apache/2.4.29 (Ubuntu 18.04). I use http2 and ssl-stapling. Here is the 
> info:

https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1565744

perhaps? (first google hit)


-- 
"But you read a lot of books, I'm thinking. Hard to have faith, ain't
it, when you've read too many books?"


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: 0 length robot.txt

[@lbutlr]

On 06 Oct 2018, at 17:59, Filipe Cifali  wrote:
> It's described on the CustomLog docs: 
> https://httpd.apache.org/docs/current/mod/mod_log_config.html#customlog
> 
> "The second argument specifies what will be written to the log file. It can 
> specify either a ***nickname*** defined by a previous LogFormat directive, or 
> it can be an explicit ***format*** string as described in the log formats 
> section. “

Yes, I know this. The oddity is simply that changing it to, essentially, a 
nonsense setting has prevented the site from crashing exactly like disabling 
the Proxy prevented the site from crashing.

-- 
Just give us a kiss to celebrate here, today.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: 0 length robot.txt

[@lbutlr]

On 03 Oct 2018, at 17:11, @lbutlr  wrote:
> It’ been over 4 hours now (almost 5) and the site is still responding 
> perfectly. 

Well, I am more confused. I changed the log from common to debug and the site 
has been fine for days now.

-  CustomLog /home/user/logs/XXX.access_log combined
+  CustomLog /home/user/logs/XXX.access_log debug

This was a mistake, as it simply logs “debug” now, so the logs are useless, but 
the site is up. 

In https.conf:
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" 
combined

¯\_(ツ)_/¯ 

-- 
ALL WORK AND NO PLAY MAKES BART A DULL BOY ALL WORK AND NO PLAY MAKES
BART A DULL BOY ALL WORK AND NO PLAY MAKES BART A DULL BOY Bart
chalkboard Ep. 1F07er}i\" \"%{User-Age
nt}i\"” combined



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: 0 length robot.txt

[@lbutlr]

On 04 Oct 2018, at 13:20, Filipe Cifali  wrote:
> And the docs, this project is open source, we can change (or rather, propose 
> changes) to documentation anytime we want.

Sure, but first you have to figure out the multiple layers of complexity in the 
current docs.


-- 
Boy, it sure would be nice if we had some grenades, don'tcha think?


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: 0 length robot.txt

[@lbutlr]

On 04 Oct 2018, at 11:50, Filipe Cifali  wrote:
> You want to use a CustomLog for virtualhost config to gather the most info 
> you can from the request:
> 
> https://httpd.apache.org/docs/current/mod/mod_log_config.html#customlog

Ugh. That is a terrible bit of documentation written by and for people who 
don’t need documentation.

It would be nice if there was something that clearly explained all of this, 
especially considering how it’s changed since 2.2.

I’ve enabled the proxy and set CustomLog /path/log debug

Everything has been working for a bit now; this is annoying. :/

-- 
FRIDAYS ARE NOT "PANTS OPTIONAL" Bart chalkboard Ep. AABF23



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: 0 length robot.txt

[@lbutlr]

On 03 Oct 2018, at 18:27, Filipe Cifali  wrote:
> you can for example turn log level to debug and access the site, tailing the 
> logs should provide some information about what is breaking.

Is it possible to set the log level just for a virtual host? I thought that was 
a server-wide setting. I tried adding 

LogLevel warn rewrite:trace8

to the virtual host and didn’t get an error on starting apache, but the 
http-error log for the site didn’t appear any different.

> Also, why you have a ProxyPass on a virtualhost that doesn't run anything 
> PHP? Create a template without the config and use it. 

All the sites are setup for php so that I don’t have to get an email, go edit a 
file, and restart apache just because someone wants to put some php code in 
their page.

At least today it is failing immediately, so debugging should be easier.

-- 
@mdhughes: One of the few regrets I have about lawn-less apartments:
Shallow graves are so much harder to come by.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: 0 length robot.txt

[@lbutlr]

On 03 Oct 2018, at 12:27, @lbutlr  wrote:
> There is exactly one line in the site configuration that, when commented, 
> makes the site work again. Though, possibly only for a little while. I’ll 
> have to check more in 3-4 hours. There is no other proxy logic at all.

It’ been over 4 hours now (almost 5) and the site is still responding 
perfectly. I still have no idea what is causing it to break if I uncomment the 
ProxyPass line considering there is no php anywhere on the site other than a 
couple of href to external sites.

-- 
"What's a Velvet Underground?" "You wouldn't like it." "Oh, Be-bop.”


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: 0 length robot.txt

[@lbutlr]

On 03 Oct 2018, at 12:07, Filipe Cifali  wrote:
> you can check what virtualhost is being served via apache2ctl like this: $ 
> apache2ctl -S
> $ apache2ctl -h provides this info:
>   -S : a synonym for -t -D DUMP_VHOSTS -D DUMP_RUN_CFG

Yes that is all fine, and the site was loading perfectly for almost three and a 
half hours.

 port 443 namevhost www.XXX.com 
(/usr/local/etc/apache24/users/XXX.conf:1)
 alias XXX.com
 port 80 namevhost www.XXX.com 
(/usr/local/etc/apache24/users/XXX,conf:26)
 alias XXX.com

I do not have an apache2ctl, just apachectl (apache 2.4 FreeBSD 11.2-REALEASE 
compiled from ports)

> After checking that the right vhost is being served, start removing proxy 
> logic and just make the txt work again, then slowly start adding the proxy 
> config to make the php work again. 

There is exactly one line in the site configuration that, when commented, makes 
the site work again. Though, possibly only for a little while. I’ll have to 
check more in 3-4 hours. There is no other proxy logic at all.

> If you can, post the full vhost here regarding the domain that misbehaves. 

Sure, but other than the host name, it is identical to all the other sites.


   ServerName www.XXX
   ServerAlias XXX
   DocumentRoot /www/XXX/
   #ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/www/XXX/$1
   
 Options +Indexes +FollowSymLinks +MultiViews -SymLinksIfOwnerMatch
 AllowOverride all
 Require all granted
   
   SSLEngine on
SSLCertificateFile /usr/local/etc/dehydrated/certs/XXX/cert.pem
SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/XXX/privkey.pem
SSLCertificateChainFile /usr/local/etc/dehydrated/certs/XXX/chain.pem
   SSLProtocol ALL -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite 
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
   # 15638400 seconds is 181 dayds
   # 63072000 seconds is 730 days
   Header always set Strict-Transport-Security "max-age=15638400; 
includeSubdomains;"
   Header always set X-Frame-Options DENY
   ErrorLog /home/user1/logs/XXX.error_log
   CustomLog /home/user1/logs/XXX.access_log combined



> The important part is: Having a zeroed robots.txt doesn't break httpd.

Yeah, it didn’t seem likely, but then again it seemed to work for q bit…

And, just for kicks:
# apachectl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 authn_file_module (shared)
 mpm_prefork_module (shared)
 authn_dbm_module (shared)
 authn_core_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_user_module (shared)
 authz_dbm_module (shared)
 authz_core_module (shared)
 access_compat_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 socache_shmcb_module (shared)
 socache_dbm_module (shared)
 reqtimeout_module (shared)
 include_module (shared)
 filter_module (shared)
 mime_module (shared)
 log_config_module (shared)
 env_module (shared)
 headers_module (shared)
 setenvif_module (shared)
 version_module (shared)
 proxy_module (shared)
 proxy_fcgi_module (shared)
 ssl_module (shared)
 unixd_module (shared)
 dav_module (shared)
 status_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dav_fs_module (shared)
 vhost_alias_module (shared)
 dir_module (shared)
 userdir_module (shared)
 alias_module (shared)
 rewrite_module (shared)

# cat /www/XXX/.htaccess
Options +Includes +FollowSymLinks +MultiViews

-- 
One tequila, two tequila, three tequila, floor.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: 0 length robot.txt

[@lbutlr]

On 03 Oct 2018, at 11:39, @lbutlr  wrote:
> Removing that file made the site load properly.

Well, it did for about 3h25 minutes, in fact.

Just after posting the message, the site went back to showing only “File Not 
Found”

I’m at a loss.

The only other issue I see is in the main http-error log there are repeated 
instance of:

[ssl:info] [pid 43234] (70014)End of file found: [client 106.45.1.92:48564] 
AH01991: SSL input filter read failed.

(From various client addresses)

The site in question gets a grade of A+ from SSL Labs, and this error message 
appears to be somewhat spurious in nature as apache tries to use the default 
cert for the site before getting the server name, then loads the correct cert, 
so I don’t think this is really an issue.

-- 
Han : This is not going to work.
Luke: Why didn't you say so before?
Han : I did say so before!


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] 0 length robot.txt

[@lbutlr]

This is probably a coincidence, but I had one of my hosted sites (with no php 
code anywhere, and certainly no .php files) returning a script error on load 
instead of showing the non-php webpage:

[proxy_fcgi:error] [pid 88148] [client xx.xx.xx.xx:63137] AH01071: Got error 
'Primary script unknown\n’

And it would display a blank page for a few seconds, then “File Not Found” 
would appear. There was no HTTP error code.

Other hosted sites, also not using php, didn’t have this problem, and sites 
that did use php were working fine.

All sites are configured to allow php, and have an fcgi in their configuration:

   DocumentRoot ${WEBROOT}
   ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/${WEBROOT}$1

On the problem site, if I commented out the ProxyPassMatch line and reloaded 
apache, the site would load.

Confusing.

Not being sure what was causing this one one specific site, I started comparing 
the directory structure, .htaccess, and anything I could look at to see what 
was different about this particular site and I noticed that it had a zero 
length robots.txt file in the webroot, which no other site had.

Removing that file made the site load properly.

I still get many script errors in the error log, but these mostly have a 
referer [sic] at the end and are obviously attempts to hack into the page:

[proxy_fcgi:error] [pid 42901] [client 178.137.92.187:61783] AH01071: Got error 
'Primary script unknown\n', referer: /www/XXX/license.php

[proxy_fcgi:error] [pid 18168] [client 74.71.9.14:59624] AH01071: Got error 
'Primary script unknown\n'
[core:info] [pid 43056] [client 74.71.9.14:59637] AH00128: File does not exist: 
/www/XXX/apple-touch-icon-120x120-precomposed.png

But I still get a few bare ones:

[Wed Oct 03 08:13:05.504129 2018] [proxy_fcgi:error] [pid 43364] [client 
74.71.9.14:57753] AH01071: Got error 'Primary script unknown\n'
[Wed Oct 03 09:17:36.194394 2018] [proxy_fcgi:error] [pid 42840] [client 
54.36.148.74:60192] AH01071: Got error 'Primary script unknown\n'
[Wed Oct 03 10:08:08.834583 2018] [proxy_fcgi:error] [pid 18168] [client 
74.71.9.14:59624] AH01071: Got error 'Primary script unknown\n'
[Wed Oct 03 10:17:17.791282 2018] [proxy_fcgi:error] [pid 43056] [client 
180.76.15.30:29494] AH01071: Got error 'Primary script unknown\n'
[Wed Oct 03 10:40:17.322634 2018] [proxy_fcgi:error] [pid 42840] [client 
74.71.9.14:64211] AH01071: Got error 'Primary script unknown\n'
[Wed Oct 03 11:27:58.098639 2018] [proxy_fcgi:error] [pid 18168] [client 
202.46.50.182:22728] AH01071: Got error 'Primary script unknown\n'
[Wed Oct 03 11:33:13.054967 2018] [proxy_fcgi:error] [pid 43056] [client 
123.125.71.77:21018] AH01071: Got error 'Primary script unknown\n'

(The 74.71.9.14 IP has made more than 50,000 requests for non-existent files on 
this hosted domain, sadly it is a residential IP from RoadRunner, and they are 
worthless to deal with, regardless of how often they change their company name)

Why would a blank robots.txt cause this issue? Or is there something else going 
on here and this is just a weird coincidence?

-- 
There's a race of men that don't fit in, A race that can't stay still So
they break the hearts of kith and kin, And they roam the world at will.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Updating to php 7.0 and having apache still work?

[@lbutlr]

On 01 Oct 2018, at 13:49, Filipe Cifali  wrote:
> This seems to be a problem inside mod_fcgi and not httpd, proxies in general 
> don't care about what's the language behind it, as long as the protocol is 
> being respected. 

Yes, that was my understanding as well, but even when I recompiled apache24 
(which includes PROXY_FCGI) it still failed.

> Are you sure you are not getting into trouble just because you are not using 
> mod_proxy_fcgi instead?

I am using

LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so

> Anyway, I would recommend you to check what you are installing, maybe the 
> binaries changed names or they are being installed with a suffix like 
> php7-fpm, php7-bin, etc and the httpd config needs to be changed to reflect 
> that accordingly.

Php-fpm doesn’t have any version identification in the file name, unlike many 
php modules.

-- 
The very existence of flame-throwers proves that some time, somewhere,
someone said to themselves, You know, I want to set those people over
there on fire, but I'm just not close enough to get the job done.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Updating to php 7.0 and having apache still work?

[@lbutlr]

On 30 Sep 2018, at 12:11, Jonathon Koyle  wrote:
> Simply to avoid assumptions, did you update php-fpm to 7 as well?

php-fpm is built as part of the core php, it is not a separate package.

# pkg info php56
php56-5.6.38
Name   : php56
Version: 5.6.38
Installed on   : Fri Sep 28 09:33:08 2018 MDT
Origin : lang/php56
Architecture   : FreeBSD:11:i386
Prefix : /usr/local
Categories : devel lang www
Licenses   : PHP301
Maintainer : a...@freebsd.org
WWW: http://www.php.net/
Comment: PHP Scripting Language
Options:
CGI: on
CLI: on
DEBUG  : off
DTRACE : off
EMBED  : on
FPM: on
IPV6   : on
LINKTHR: on
MAILHEAD   : on
PHPDBG : off
ZTS: off


-- 
The new Death raised his cowl. There was no face there. There was not
even a skull. Smoke curled formlessly between the robe and a golden
crown. Bill Door raised himself on his elbows. A CROWN? His voice
shook with rage. I NEVER WORE A CROWN!  You never wanted to rule.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Updating to php 7.0 and having apache still work?

[@lbutlr]

On 29 Sep 2018, at 21:02, Frank Gingras  wrote:
> As for the "filter_var" error, you're missing a php extension/module.

No, I'm not. filter is built in to php and is properly listed in php -m


On 30 Sep 2018, at 03:43, Carmel NY  wrote:
> Add the following to the "/etc/make.conf" file:
> 
>   DEFAULT_VERSIONS+=php=7.0

Ah, I did not do that.

> Seriously though, why not install 7.2 and be done with it.

I don't really know the status of 7.2 and don't know it anything else will 
break. I did test my php stuff against 7.0 and all is fine.

> Now install php 7.0 and "lang/php70-extensions". Be sure to configure it to
> install the extensions you need. Install any ones from your list that are not
> included in the package by hand. You will have to install the "mod_php70"
> manually also.
> 
> Now, restart apache24, or better yet, just do a reboot of your machine to
> insure it all works correctly.

I gave up on mod_php a couple of years ago when I went to apache 2.4. Apache 
2.4 really seems to prefer fcgi with php-fpm. the initial configuration changes 
were a pain, but now it is all fine and php apps (like roundcube) are 
noticeably faster and the load not eh machine is ... well, nonexistent.

I will give it another go and see where I get.

Thanks all for the comments and suggestions.

-- 
Experience is something you don't get until just after you need it.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Updating to php 7.0 and having apache still work?

[@lbutlr]

On 29 Sep 2018, at 05:59, Frank Gingras  wrote:
> "Everything breaks" isn't really a useful statement. Be more specific if you 
> want more precise feedback.

I mentioned a couple of the issues in the original post, which are either fcgi 
cannot find the scripts to run, or there is an error with filter.

[proxy_fcgi:error] … AH01071: Got error 'Primary script unknown\n'
[proxy_fcgi:error] … AH01071: Got error 'PHP message: PHP Fatal error:  Call to 
undefined function filter_var()

Though these are the most common issues in trying to upgrade, they are by no 
means the only ones.

But my post wasn’t about the specific errors, but more a request to see if 
there was a “this is how you upgrade from php 5.6 to php 7.0” which seems like 
it should just be a simple upgrade, but doesn’t seem to be, at least interns of 
getting it to work with apache 2.4.

1. Upgrade php to 7.0
2. restart php-fpm
3. Stop and start apache

Seems simple enough, but after step 3 php works fine, but apache doesn’t.

Even if I go ahead and reinstall/upgreade apache 2.4, things are still broken.

Repeating the steps with php56 and everything is back to normal


-- 
Passion is the pill you can swallow forever Taking them one by one One
by One --Agents of Good Roots "Come On”


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Updating to php 7.0 and having apache still work?

[@lbutlr]

On 28 Sep 2018, at 16:15, Frank Gingras  wrote:
> Consider the wiki article:
> 
> http://wiki.apache.org/httpd/php

That's not helpful.

I already have proxy_fcgi working with php56. The issue is that everything 
breaks whenever I try to update to php70


-- 
The "H" in Jesus H Christ comes from "Harold be Thy name" in the Lord's
Prayer.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Updating to php 7.0 and having apache still work?

[@lbutlr]

Once again I have tried, and failed, to move from php 5.6 to php 7.0 (using 
postmaster under FreeBSD 11.3-RELEASE). The results are largely the same, php 
pages don’t load either "Primary script unknown” or complaints about filter(0 
(which is built in to both php56 and php70).

I’m sure this is all my doing.

So… is there a decent document or how-to or step-by-step on how to updated the 
php under apache without everything in apache breaking?

(php itself works fine, it’s the integration with apache 2.24 that I keep 
managing to FUBAR. Currently on apache 2.4.35)


-- 
Otto: Apes don't read philosophy.
Wanda: Yes, they do Otto, they just don't understand it.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Reverse proxy

[@lbutlr]

If I have a secondary web service service running on www.example.com:8000 and I 
want to create a reverse proxy on port 8001, how do I prevent users from 
connecting to :8000 anyway?



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: DocumentRoot in ProxyPass?

[@lbutlr]

On 19 Sep 2018, at 14:41, Eric Covener  wrote:
> On Wed, Sep 19, 2018 at 4:35 PM @lbutlr  wrote:
>> 
>> Is it possible to do something along these lines in the apache.conf files?
>> 
>> DocumentRoot /usr/local/www/roundcube/
>> ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000${DocumnetRoot}$1
>> 
>> (that is, not have to repeat the information that is already in the 
>> configuration)
> 
> Not automatically like that, but e.g.:
> 
> # Will also use native environment variable if not found as a 'Define'
> Define ROOT /var/www
> DocumentRoot ${ROOT}
> 
>  Require all granted
> 

Six of one, half a dozen of the other, I suppose. I just wrote a script to 
parse all the conf files, extract the document root, and add the fcgi line 
after it.

It is annoying to have to do this for every domain, but so it goes.

But thanks, that is good to know for future reference, it will make generating 
a ne domain conf file simpler.

cat domain_info > /path/to/confs/domain.conf
cat default_conf >> /path/to/confs/domain.conf

How about this:

Define DOMAIN example.com
Define ROOT /www/${DOMAIN}
Define ALIAS www.${DOMAIN}

Eh, I should just try it. How bad can it be? :)

-- 
No matter how fast light travels it finds the darkness has always got
there first, and is waiting for it.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] DocumentRoot in ProxyPass?

[@lbutlr]

Is it possible to do something along these lines in the apache.conf files?

DocumentRoot /usr/local/www/roundcube/
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000${DocumnetRoot}$1

(that is, not have to repeat the information that is already in the 
configuration)



-- 
I WAS NOT TOUCHED "THERE" BY AN ANGEL Bart chalkboard Ep. BABF14


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Testing for apache open relaying

[@lbutlr]

On 05 Sep 2018, at 09:58, Robert Moskowitz  wrote:
> 
> So I suspect my apache server as a proxy relay.
> 
> Is there a similar site to mxtoolbox that will test apache for improper 
> relaying?

Are you allowing php? You should be able to root out any badly behaved mail 
scripts.

You should check exactly what your server is being blocked for. For example, if 
you are on a dynamic IP there’s nothing necessarily wrong with your 
configuration, you *will* be blacklisted regardless.

https://mxtoolbox.com/blacklists.as

-- 
A man, in a word, who should never have been taught to write and whom if
unhappily gifted with that ability, should have been restrained by a Act
of Parliament from writing Reminiscences. - PG Wodehouse


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: How do I enable HTTP or HTTPS Redirection on my Apache HTTP servers to my Blogger and Wordpress blogs?

[@lbutlr]

On 13 Aug 2018, at 19:14, Turritopsis Dohrnii Teo En Ming 
 wrote:
> How do I enable HTTP or HTTPS Redirection on my Apache HTTP servers to my 
> Blogger and Wordpress blogs?

Do you mean to blogger.coma nd WordPress.com or are these local to your machine?

There are verious ways to redirect, but the usual way to redirect in apache is 
basically:


   ServerName www.mydomain
   Redirect / http://www.otherdomain/


(This is also how I redirect http requests to automatically fo to https)

Or did you have something else in mind?


-- 
'Sometimes there has to be a civil war, and sometimes, afterwards, it's
best to pretend something didn't happen. Sometimes people have to do a
job, and then they have to be forgotten.' --Men at Arms


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: [OT] bounced messages

[@lbutlr]

On 13 Aug 2018, at 13:43, James Moe  wrote:
> 
> I received a note from the list manager complaining that our server
> has rejected an unconscionable number of message.
>  Has there been some configuration change of the mailing list recently?
> 
>  There are reasons for the rejections: our SPAM filter.

It is not a good idea to spam filter list messages.

-- 
What would be the point of cyphering messages that very clever enemies
couldn't break? You'd end up not knowing what they thought you thought
they were thinking... --The Fifth Elephant


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Website Down - Help Really Needed

[@lbutlr]

On 18 Jun 2018, at 13:21, Macksymil Marketplace  wrote:
> sudo -i /etc/apache2/sites-available/000-default.conf-bash: 
> /etc/apache2/sites-available/000-default.conf: Permission denied

Not sure why you’re using sudo?


The error in the screenshot specifically points to line 31 in the conf file 
above, so…

Also, what version of apache?

-- 
Humans are always slightly lost. It's a basic characteristic. It
explains a lot about them.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Apache 2.4 and DirectoryIndex and htaccess

[@lbutlr]

On 13 Jun 2018, at 11:25, Frank Gingras  wrote:
> What does the error log say, exactly?

From the original message:
> The only thing in the http-error.log is:
> 
> [Mon Jun 11 12:26:28.390150 2018] [ssl:info] [pid 34433] [client 
> xx.xx.xx.xx:56493] AH01964: Connection to child 9 established …
> 
> Httpd-access.log shows:
> 
> xx.xx.xx.xx - - [11/Jun/2018:12:26:28 -0600] "GET /foo/ HTTP/1.1" 403 215 "-" 
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, 
> like Gecko) Chrome/67.0.3396.79 Safari/537.36"
> xx.xx.xx.xx - - [11/Jun/2018:12:26:28 -0600] "GET /favicon.ico HTTP/1.1" 200 
> 34494"https://www.example.com/foo/; "Mozilla/5.0 (Macintosh; Intel Mac OS X 
> 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 
> Safari/537.36”



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Apache 2.4 and DirectoryIndex and htaccess

[@lbutlr]

No ideas?

On 11 Jun 2018, at 12:34, @lbutlr  wrote:
> I can access the files directly, but if I access the folder, I get a 
> permission error.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Apache 2.4 and DirectoryIndex and htaccess

[@lbutlr]

I have a working webroot, and it has an index.php file. In httpd.conf I havre 
DirectoryIndex for /usr/local/www set to “index.php index.html"

I create a folder under the webroot named foo and I put an index.html file in 
the folder.

I can access the files directly, but if I access the folder, I get a permission 
error.

If I created foo/.htaccess with the content “foo goes here” and load the 
directory or the file, I get a server error (so .htaccess isn’t being ignored 
by an AllowOverrid none upstream).

If I change the .htaccess to read

DirectoryIndex index.html

I can access the file directly, but I still get a permission error if I access 
the directory 

“Forbidden You don't have permission to access /renna/ on this server.”

The only thing in the http-error.log is:

[Mon Jun 11 12:26:28.390150 2018] [ssl:info] [pid 34433] [client 
xx.xx.xx.xx:56493] AH01964: Connection to child 9 established …

Httpd-access.log shows:

xx.xx.xx.xx - - [11/Jun/2018:12:26:28 -0600] "GET /foo/ HTTP/1.1" 403 215 "-" 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/67.0.3396.79 Safari/537.36"
xx.xx.xx.xx - - [11/Jun/2018:12:26:28 -0600] "GET /favicon.ico HTTP/1.1" 200 
34494 "https://www.example.com/foo/; "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 
Safari/537.36”




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Distribution repository vs compiled.

[@lbutlr]

On 01 Jun 2018, at 00:09, Mimiko  wrote:
> Tell me, please, what's better to use in production:
> 1) Precompiled binaries of apache httpd from distribution
> 2) or Self compiled from sources
> 
> What are the risks for each options and pro and cons of each?

Which is better to use in our company cafeteria, a kitchen staff to make food 
or a food service company to bring in food?

There is no better, they are both solutions that will work well, Which one you 
want depends on you and your needs and not inherent properties of the food.

There is certainly more ease and convenience in using compiled binary installs, 
but there is more flexibility in compiling your own from source.


-- 
SOURCERERS MAKE THEIR OWN DESTINY. THEY TOUCH THE EARTH LIGHTLY.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: TLS 1.3

[@lbutlr]

On Mar 29, 2018, at 02:17, Michael A. Peters  wrote:
> TLS 1.3 *mandates* PFS so you don't accidentally enable a cipher that does 
> not have it, and that is a HUGE benefit.

Yes, sorry about that. 

-- 
This is my signature. There are many like it, but this one is mine.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: TLS 1.3

[@lbutlr]

On 2018-03-28 (09:02 MDT), David Mehler  wrote:
> 
> What are some advantages of 1.3?

Faster. Less kruft. Drops many near-EOL cryptos. But the main one is that is 
allows Perfect Forward Secrecy (PFS) which means that even is someone captures 
the traffic and stores it, and even if they interfere with the traffic actively 
at the time of communication, and then at some later time gets access to the 
private keys used by the client and the server, they STILL can't decrypt it.



This is kind of the holy grail in cryptography.

-- 
Wife: Who are you talking to?
Husb: [on phone] Jon
Wife: Aren't you going to talk to me?
Husb: I talked to you at dinner, do I need to talk to you again?


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] TLS 1.3

[@lbutlr]

Now that TLS 1.3 has been approved, what is the status of using it with Apache? 
Last I heard apache 2.4 couldn't build agains openssl 1.1, but that was a year 
ago.





-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org