Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Antony Stone]

On Tuesday 16 April 2024 at 18:57:13, Marc wrote:

> 15 years ago people were not writing about gays.
>
> Maybe it takes another 15 years to be allowed to write about idiots.

Don't be silly.

Gay people identify themselves as gay, and talking about them as such is not a 
pejorative term.

If you can find someone who identifies themselves as an idiot, then perhaps 
you're allowed to refer to them as such, but if it's just your own opinion 
that they're an idiot, you're being anti-social and unpleasant.

I think all Frank was trying to say was "please let's keep to the technical 
support of people who are trying to use Apache, and stop throwing insults at 
them, because it's not constructive to the conversation".


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Antony Stone]

On Tuesday 16 April 2024 at 18:42:09, Marc wrote:

> This is more about the ability to host an application regardless if it is
> on http or https. How https is enforced/applied is up to the manager of
> the server, why would you even care as a developer of an application?

I often develop applications on servers which I manage.

Please stop trying to enforce your opinion of the demarcation between 
disciplines on other people.

Not every developer is only a developer.


Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."


   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Antony Stone]

On Tuesday 16 April 2024 at 16:07:09, Marc wrote:

> A developer should just do developing.

Some people, especially in smaller organisations, have to be multi-skilled.

> A dentist is also not telling an ophthalmologist what to do.

No, but a dentist might have some valuable advice on diet.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] unsubscribe

[Antony Stone]

On Monday 04 March 2024 at 14:43:16, Serge Krawczenko wrote:

> unsubscribe

Quoting from headers:

list-help: 
list-unsubscribe: 
List-Post: 
List-Id: 

Quoting from footers:

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


Antony.

-- 
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.

In poetry, it is the exact opposite.

 - Paul Dirac

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Rewrite query string?

[Antony Stone]

On Thursday 04 January 2024 at 23:18:52, Frank Gingras wrote:

> On Thu, Jan 4, 2024 at 5:03 PM Will Fatherley  wrote:
> > 
> > RewriteCond to know. Also, isn’t that the “starts with” operator, ^? What
> > if the parameter comes second? A bit verbose, but:
> >  ^.*searchword=(\w{1})[&]{0,1}.*$
> 
> You don't want to use ^.* - just use the substring match behaviour by
> removing ^.* if you want to match searchword anywhere in the value.

Same thing applies for .*$ - leave it out.


Antony.

-- 
The GPL-Violations project was formed on this day in 2004.
https://gpl-violations.org/

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: users Digest 11 Dec 2023 01:09:34 -0000 Issue 6525

[Antony Stone]

On Tuesday 12 December 2023 at 21:10:37, Michael B. Harris wrote:

> I use Apache2 version 2.4.52 on Ubuntu server
> 
> Apache2 is not running due to error encountered after last upgrade:
> 
> AH00534: Apache2: Configuration error: No MPM loaded
> 
> Does anyone have a fix for this?  I am stumped.

One (short-term, but immediately effective) fix would be to downgrade Apache to 
its previous version.

Another idea is to check whether you have the apache2-mpm package 
https://packages.ubuntu.com/search?suite=default=all=any=apache2-
mpm=names installed / upgraded.

If not, try installing / upgrading that and see whether it resolves your 
problem.


Antony.

-- 
"There is no reason for any individual to have a computer in their home."

 - Ken Olsen, President of Digital Equipment Corporation (DEC, later consumed 
by Compaq, later merged with HP)

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Unsubscribe

[Antony Stone]

On Monday 13 November 2023 at 21:54:49, Michela wrote:

> Empty Message

Please see the headers of every mail on this list:

list-help: 
list-unsubscribe: 
list-post: 

Or the footers:

To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


Thanks,

Antony.

-- 
Under UK law, no VAT is charged on biscuits and cakes - they are "zero rated".  
Chocolate covered biscuits, however, are classed as "luxury items" and are 
subject to VAT.  McVitie's classed its Jaffa Cakes as cakes, but in 1991 this 
was challenged by Her Majesty's Customs and Excise in court.

The question which had to be answered was what criteria should be used to 
class something as a cake or a biscuit.  McVitie's defended the classification 
of Jaffa Cakes as a cake by arguing that cakes go hard when stale, whereas 
biscuits go soft.  It was demonstrated that Jaffa Cakes become hard when stale 
and McVitie's won the case.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Is it true that Nginx is faster, more secure and better than Apache?

[Antony Stone]

On Wednesday 04 October 2023 at 20:48:19, Jason Long wrote:

> Hello,Thanks again.Why has Apache Foundation never tested Apache
> performance with Nginx?

I am not affiliated with the Apache Foundation in any way, but I would guess 
that the primary reason is that one can make statistics say almost whatever 
one wants them to, simply by selecting the data or analysis which supports the 
desired outcome.  Therefore nobody is going to trust numbers put out either by 
the Apache Foundation, or by Nginx, showing how they compare against the 
competition.  I'm not saying that either of these organisations would be 
lying, but they'd be expected to choose the tests and scenarios which show 
them up in the most favourable comparative light possible.

A secondary reason is that one person's use of a web server is not the same as 
another's, so any benchmarks showing Apache vs. Nginx would be idealistic and 
almost certainly not what any specific real-world implementation would achieve.

Suppose you wanted to compare two makes of cars to find out which is "faster, 
more secure and better" (to quote from the subject line of your email).  Would 
you want such a comparison to be done by manufacturer A, manufacturer B, or an 
independent third party?  No matter who it's done by, does their definition of 
"better" match with yours (assuming you're a potential purchaser of one of the 
cars)?


Antony.

-- 
The Free Software Foundation was formed on this day in 1985
https://www.fsf.org

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Need help with correlating HTTP request with a database call

[Antony Stone]

On Tuesday 04 July 2023 at 18:52:10, Sudesh Gowda J wrote:

> I'm currently working on a project where Apache server is being used with a
> database. I need to find out which HTTP request maps to which database call
> without modifying the server code(eg., Logs). I read the documentation
> regarding logging and the parameters don't seem to be of any help in this
> case. So is there any other way in which we can do this

I would have thought the simplest way is to look at the code running on the 
server (no need to modify it, just read it) and work out what it does in the 
database for any given type of request.

What language is the server code written in?


Antony.

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache VirtualHost Config Tool management

[Antony Stone]

On Thursday 27 April 2023 at 12:53:29, Carlos García Gómez wrote:

> I am looking for a tool that makes it easier for me to manage the all
> virtual hosts that I have configured.

How about http://doxfer.webmin.com/Webmin/Apache_Webserver ?


Antony.

-- 
I just got a new mobile phone, and I called it Titanic.  It's already syncing.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache HTTP Server 2.4.57: file SHA256 correct?

[Antony Stone]

On Saturday 22 April 2023 at 15:48:23, Mittel, Alexander wrote:

> Hi,
> is the checksum SHA256 for httpd-2.4.57.tar.bz2 correct?

It matches for me:

$ wget https://downloads.apache.org/httpd/httpd-2.4.57.tar.bz2
--2023-04-22 16:14:06--  
https://downloads.apache.org/httpd/httpd-2.4.57.tar.bz2
Resolving downloads.apache.org (downloads.apache.org)... 88.99.95.219, 
135.181.214.104, 2a01:4f8:10a:201a::2, ...
Connecting to downloads.apache.org (downloads.apache.org)|88.99.95.219|:443... 
connected.
HTTP request sent, awaiting response... 200 OK
Length: 7457022 (7.1M) [application/x-bzip2]
Saving to: `httpd-2.4.57.tar.bz2'

100%[===>]
 
7,457,022   2.64M/s   in 2.7s

2023-04-22 16:14:09 (2.64 MB/s) - `httpd-2.4.57.tar.bz2' saved 
[7457022/7457022]

$ sha256sum httpd-2.4.57.tar.bz2 
dbccb84aee95e095edfbb81e5eb926ccd24e6ada55dcd83caecb262e5cf94d2a  
httpd-2.4.57.tar.bz2


Antony.

-- 
Is it venison for dinner again?  Oh deer.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Render custom status to both browser and REST API Client

[Antony Stone]

On Saturday 25 February 2023 at 11:43:17, Kaushal Shriyan wrote:

> Hi,
> 
> Is there a way to configure apache httpd 2.4.55 as per the below flow when
> the below conditions occurs
> 
> User -> Apache Web Server -> PHP-FPM Upstream server -> MySQL DB
> 
> *Condition 1 when MySQL DB is down*
> When MySQL DB is down, httpd to render JSON output when invoking
> http://mydomain.com/apis by the user using postman rest api client.
> JSON Output
> {"status_code": 500, "status" : "MySQL DB Server is down"}
> 
> HTML Output
> HTML output when invoking http://mydomain.com/apis using client browser.

I just realised that you might be saying here "I want JSON output if the 
client sends a request from postman, and I want HTML output if it's from a 
browser, but in both cases the URL is the same".

To achieve that your CGI script simply needs to look at the User-Agent in the 
incoming request, and send back the appropriate format depending on whether 
it's postman or a browser.

I do not know offhand what the User-Agent string is for postman, but it can't 
be hard to find out.


Antony.

-- 
The GNU General Public Licence was first published on this day in 1989
https://www.gnu.org/licences/gpl.html

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Render custom status to both browser and REST API Client

[Antony Stone]

On Saturday 25 February 2023 at 11:43:17, Kaushal Shriyan wrote:

> Hi,
> 
> Is there a way to configure apache httpd 2.4.55 as per the below flow when
> the below conditions occurs
> 
> User -> Apache Web Server -> PHP-FPM Upstream server -> MySQL DB
> 
> *Condition 1 when MySQL DB is down*
> When MySQL DB is down, httpd to render JSON output when invoking
> http://mydomain.com/apis by the user using postman rest api client.
> JSON Output
> {"status_code": 500, "status" : "MySQL DB Server is down"}
> 
> HTML Output
> HTML output when invoking http://mydomain.com/apis using client browser.
> 
> *Condition 2 when PHP-FPM is down*
> When PHP-FPM Upstream server is down, httpd to render JSON output when
> invoking http://mydomain.com/apis by the user using postman rest api
> client. JSON Output
> {"status_code": 502, "status": "php-fpm server is down"}}';
> 
> HTML Output
> HTML output when invoking http://mydomain.com/apis using client browser.

I would say that this depends primarily on what API (CGI script?) you are 
running on the Apache server.  Yes, such a script can generate the JSON you 
specified, provided:

a) it has some way of detecting when the PHP-FPM upstream server is "down"

b) it has some way of asking the PHP-FPM upstream server whether the MySQL DB 
server is "down"

You also don't say what you want to happen when neither of those servers is 
down, however I suspect that in this case you simply want Apache to act as a 
reverse proxy and feed back to the client whatever it got from the PHP-FPM 
server.  That should be a simple case for any CGI script which can do the 
exceptions outlined above.

Without a CGI script, Apache can only be a reverse proxy in the above 
configuration, and pass back to the client whatever it got from the PHP-FPM 
server, so if this is genuinely "down", there won't be anything to create the 
JSON you want.


Antony.

-- 
The GNU General Public Licence was first published on this day in 1989
https://www.gnu.org/licences/gpl.html

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache is unable to access /tmp in any way

[Antony Stone]

On Wednesday 15 February 2023 at 15:21:58, accelerator0099 wrote:

> Apache is unable to access /tmp in any way.

> I always get 403 Forbidden for that.

> Why is /tmp different from others?

My guess (and it is one) is that since /tmp can be written to by any user, 
this is a security feature which stops someone running Apache in such a way 
that an attacker could get some process to write either a file or a symlink 
into /tmp and then be able to retrieve the content remotely over HTTP.

However, given that many systems routinely delete the contents of /tmp on 
startup and/or shutdown, why would you ever want to point Apache at files which 
exist there?

What is the use case for having servable content under /tmp?


Antony.

-- 
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] cannot run test program while cross compiling

[Antony Stone]

On Tuesday 14 February 2023 at 13:35:14, 유원석 wrote:

> Png file would be helpful

Copy and paste (text) of the command you run and the *error* output you get 
would be helpful.

> As i was configurating, it shows the same message as the title.

Is "cannot run test program while cross compiling" an error message, or simply 
a notification telling you that this bit won't be run?

> Namely, building issues

Does the source code compile?


Antony.

> -Original Message-
> From: "Antony Stone"
> To: ;
> Cc:
> Sent: 2023-02-14 (화) 21:28:29 (GMT+09:00)
> Subject: Re: [users@httpd] cannot run test program while cross compiling
> 
> On Tuesday 14 February 2023 at 13:12:19, 유원석 wrote:
> > Hello
> > I was trying to cross-compile apache to no avail
> > How can I fix this error below?
> 
> What error are you trying to fix?
> 
> > apache2 branch trunk
> > install pcre-config from pcre.org
> > 
> > ./configure --prefix=$PWD/final --host=aarch64-linux
> > --with-pcre=/usr/local/pcre/bin/pcre2-config CC = aarch64-gnu-linux-gcc
> > -march=armv8-a+crc+sha2+sha3 -fstack-protector-strong -D_FORTIFY_SOURCE=2
> > -Wformat -Wformat-security
> > --sysroot=/opt/drive5-linux/5.0.40.0-29154167/sysroots/aarch64-gnu-linux
> > -lcrypt -lm

-- 
BASIC is to computer languages what Roman numerals are to arithmetic.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] cannot run test program while cross compiling

[Antony Stone]

On Tuesday 14 February 2023 at 13:12:19, 유원석 wrote:

> Hello
> I was trying to cross-compile apache to no avail
> How can I fix this error below?

What error are you trying to fix?

> apache2 branch trunk
> install pcre-config from pcre.org
> 
> ./configure --prefix=$PWD/final --host=aarch64-linux
> --with-pcre=/usr/local/pcre/bin/pcre2-config CC = aarch64-gnu-linux-gcc
> -march=armv8-a+crc+sha2+sha3 -fstack-protector-strong -D_FORTIFY_SOURCE=2
> -Wformat -Wformat-security
> --sysroot=/opt/drive5-linux/5.0.40.0-29154167/sysroots/aarch64-gnu-linux
> -lcrypt -lm


Regards,


Antony.

-- 
Schrödinger's rule of data integrity: the condition of any backup is unknown 
until a restore is attempted.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Product Bug h5bp/tls/certificate_files.conf

[Antony Stone]

On Friday 10 February 2023 at 14:38:13, Zahid Rahman wrote:

> *my apache2 installation directory is /etc/apache2 not /usr/local *

Do you really meant that Apache is *installed* under /etc/apache2!?

I think you mean that its configuration files are there.

It should be *installed* in /usr/sbin/apache2 with some libraries in 
/usr/lib/apache2


Antony.

-- 
"In fact I wanted to be John Cleese and it took me some time to realise that 
the job was already taken."

 - Douglas Adams

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] cannot use cache in forward proxy configuration

[Antony Stone]

On Thursday 09 February 2023 at 12:24:44, bc BC wrote:

> Thanks for your suggestion
> 
> 1) yes, but same issue
> 
> 2) i just tried now, and cache remains empty, and no log about caching on
> debug mode

I would recommend testing with http:// only to start with - don't complicate 
things by using https:// until the unencrypted version work.

Can you confirm that the website address you put in the configuration file is 
one 
for which your machine is acting as a forward proxy?


Antony.

-- 
Neurotics build castles in the sky;
Psychotics live in them;
Psychiatrists collect the rent.


   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] cannot use cache in forward proxy configuration

[Antony Stone]

On Tuesday 24 January 2023 at 16:47:17, bc BC wrote:

> i tried in a location
> 
> 
> CacheEnable disk
> 
> this too:
> CacheEnable disk "https://*;
> 
> CacheEnable disk "http://*;
> 
> CacheEnable disk "http://The_PROXY_IP;
> 
> apache is running, proxy is working but my cache is remains empty
> 
> any suggestion appreciated

1. Did you try http:// without the asterisk?

2. Did you try http://some.web.site and then visit that website?


Antony.

-- 
"Hi, I've found a fault with the English language and I need an entomologist."
"I think you mean an etymologist."
"No.  It's a bug, not a feature."

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache dropping Content-Length header for HEAD responses where Content-Length is 0

[Antony Stone]

On Thursday 02 February 2023 at 11:02:26, Piotr Dobrogost wrote:

> Hi,
> 
> On freshly installed Apache 2.4.52 on Fedora with default
> configuration I'm observing that for HEAD response the Content-Length
> header is not being sent for empty files

Content-length is not a required field for Head responses.

https://www.rfc-editor.org/rfc/rfc9110#section-8.6

Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Server won't direct to Internal IP address

[Antony Stone]

On Friday 06 January 2023 at 11:05:42, jason kerr wrote:

> The full message is.
> 
> This site can’t be reached
> 192.168.1.194 took too long to respond.

So, that tells you that the *Raspberry Pi* is not trying to connect to the 
boiler on behalf of the browser, but is simply telling the browser to connect 
to the boiler itself.  In other words, the Pi is not doing anything useful in 
this setup.

As others have already suggested, you should look up how to configure Apache as 
a reverse proxy, so that http://192.168.1.168/somepath ends up connecting 
*from the Pi* to http://192.168.1.194 and then returning the response to the 
browser.


Antony.

-- 
"Hi, I've found a fault with the English language and I need an entomologist."
"I think you mean an etymologist."
"No.  It's a bug, not a feature."

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Server won't direct to Internal IP address

[Antony Stone]

On Friday 06 January 2023 at 01:51:13, jason kerr wrote:

> I can access the Apache web server when internally on the LAN and use the
> boiler control page, however I can't get the boiler control page to display
> when accessing the webssever from an external IP. I can access the
> webssever externally but when I click on the boiler link it tells me that
> it cannot be found.

1. What *is* that boiler link - when you hover on it, what URL is shown?

2. What, exactly, does the browser say after clicking on it?

> I can also successfully ping the boiler IP address from the raspberry pi.
>
> Is there something I am missing ?

Probaby a reverse proxy.


Antony.

-- 
Ich habe gerade ein Bier getrunken.
Jetzt habe ich kein Bock mehr :(

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Can't display an index.html on our public IP

[Antony Stone]

On Monday 21 November 2022 at 18:16:45, Frank Gingras wrote:

> Do not remove nginx without checking if anything depends on it first. As
> counter-intuitive as this may look, many hosters use nginx as a front-end
> proxy.

Hm.  I had assumed that whatever this system was. the OP had set it up for 
their own use, rather than that someone else may have pre-configured it, and 
for me the concept of using nginx as a front-end proxy to Apache is just 
bizarre.

They can both be proxies and they can both be web servers, so why not just 
pick one and use it for whatever you need?

Oh well, I agree that if the OP did not set this system up themselves, such 
things are worth checking.


Antony.

> On Mon, 21 Nov 2022 at 12:12, Antony Stone wrote:
> > On Monday 21 November 2022 at 17:59:58, Ju lien wrote:
> > > Hello,
> > > 
> > > We are developers and supposed to create a website. The website is
> > > created but we are also supposed to put it on line through Apache.
> > 
> > The first thing I recommend that you do, then, is to remove nginx from
> > the machine.
> > 
> > In case you are not aware, Apache and nginx are both web servers, and you
> > will run into all sorts of trouble if you try to run both on the same
> > machine.
> > 
> > I also recommend that you do no configuration of apache whatsoever, and
> > make sure you can get to the example web page which is supplied with every
> > installation of Apache I have come across.
> > 
> > Here is a random example I just found from a Google search:
> > http://www.lukminer.net/
> > 
> > Once you can get your web server to show *that*  then you are ready to
> > start configuring it for your own content.

-- 
I know I always wanted to be somebody, but I guess I should have been more 
specific.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Can't display an index.html on our public IP

[Antony Stone]

On Monday 21 November 2022 at 17:59:58, Ju lien wrote:

> Hello,
> 
> We are developers and supposed to create a website. The website is created
> but we are also supposed to put it on line through Apache.

The first thing I recommend that you do, then, is to remove nginx from the 
machine.

In case you are not aware, Apache and nginx are both web servers, and you will 
run into all sorts of trouble if you try to run both on the same machine.

I also recommend that you do no configuration of apache whatsoever, and make 
sure you can get to the example web page which is supplied with every 
installation of Apache I have come across.

Here is a random example I just found from a Google search:
http://www.lukminer.net/

Once you can get your web server to show *that*  then you are ready to start 
configuring it for your own content.


Antony.

-- 
“If code doesn’t receive constant love, it turns to shit.”

 - Brad Fitzpatrick, Google engineer

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache 2.4.54 x64 securing the SSL private key with Apache httpd on Windows beyond BitLocker

[Antony Stone]

On Friday 29 July 2022 at 21:37:02, Curtis Maurand wrote:

> the private will generate errors and some browsers will not talk to a
> server with a private key.

I think you are talking about self-signed certificates.

> I thought bitlocker simply encrypted disk volumes

I think so too.


Antony.

> > On Jul 29, 2022, at 12:25 PM, Antony Stone wrote:
> > 
> > On Friday 29 July 2022 at 17:38:20, Curtis Maurand wrote:
> >> letsencrypt
> > 
> > What difference does the choice of CA make to the method for securing the
> > private key?

> >>>> On Jul 29, 2022, at 10:07 AM, Orendt, John wrote:
> >>> Hi All
> >>> 
> >>> What is the current best practice for securing the SSL private key with
> >>> Apache httpd on Windows beyond BitLocker?

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache 2.4.54 x64 securing the SSL private key with Apache httpd on Windows beyond BitLocker

[Antony Stone]

On Friday 29 July 2022 at 17:38:20, Curtis Maurand wrote:

> letsencrypt

What difference does the choice of CA make to the method for securing the 
private key?


Antony.

> > On Jul 29, 2022, at 10:07 AM, Orendt, John wrote:
> > 
> > Hi All
> > 
> > What is the current best practice for securing the SSL private key with
> > Apache httpd on Windows beyond BitLocker?

-- 
This sentence contains exacly three erors.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] unable to read code in Apache httpd

[Antony Stone]

On Tuesday 19 July 2022 at 11:42:52, Pasupuleti, Sri Sai RamKumar wrote:

> We require a help from as apache is unable to read code which is placed in
> /var/www/html folder. Suddenly our working application stopped working. WE
> have verified all the configurations everything look good.

Show exactly what commands you are running and what the results are, and show 
us the exact error messages you are seeing in any log files.

Also please give us some basic information such as:

 - which Linux distribution and version is this running on?
 - which version of Apache are you running?
 - what do the following three commands (as root) show:

ps aux | grep apache
ps aux | grep http
ls -l /var/www/html

Antony.

-- 
I think, therefore I am.
I'm pink, therefore I'm Spam.
I drink, therefore I think I am.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: Apache threads getting killed

[Antony Stone]

On Tuesday 17 May 2022 at 19:01:55, Rajkumar Adsule wrote:

> Hi,
> I am using apache / httpd as a web server i.e. lamp configured on CentOS
> system. Apache version 2.4.34 was working fine, it started killing threads
> when I upgrade apache to 2.4.53.
> 
> Please help with the possible reasons and solutions.

I would start with "what appears in the log files when this happens?"


Antony.

-- 
"It would appear we have reached the limits of what it is possible to achieve 
with computer technology, although one should be careful with such statements; 
they tend to sound pretty silly in five years."

 - John von Neumann (1949)

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Log to syslog?

[Antony Stone]

On Tuesday 12 April 2022 at 13:32:40, Paul Claridge wrote:

> Did you find the info on loggly.com?

I found https://www.loggly.com/ultimate-guide/centralizing-apache-logs/ and it 
was essentially a summary of the two mechanisms I had already found elsewhere 
and posted in my original question - telling rsyslog to track file contents 
written by Apache, or using logger in a CustomLog definition.

> Not sure if it covers precisely your requirements.

They look like they would work for me, however I regard them as "workarounds" 
and wanted to see whether anyone knew of a way to do it natively in Apache.

I'm surprised that it appears not to be possible, but thanks to everyone for 
their responses so far.


Antony.

> On 12 Apr 2022, at 11:59, Marc  wrote:
> >>> i went through this issue the hard way
> >> 
> >> Urgh - thanks for the comprehensive reply.
> >> 
> >>> there does not seem to be anything at all as apache seems to be all
> >>> file related
> >> 
> >> I wonder why mod_syslog has not been made more generic?
> >> 
> >>> redirecting to logger just does not work.
> >>> 
> >>> i wrote a python script that uses sockets (assuming linux, freebsd etc)
> >> 
> >> Yes, I'm on Linux - thanks for the script, and for the comments re
> >> logger etc.
> >> 
> >> *If anyone else has a suggestion for how Apache can log to syslog, I'm
> >> still interested in other possible ways to achieve it!*
> > 
> > I have been asking something similar a while ago, logggin to something
> > like influx. I know how to redirect syslog to influx. So if I can
> > redirect eg ip's and 2XX/4XX to syslog, that would be very interesting.

-- 
Please apologise my errors, since I have a very small device.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Log to syslog?

[Antony Stone]

On Tuesday 12 April 2022 at 12:33:01, Paul Kudla (SCOM.CA Internet) wrote:

> i went through this issue the hard way

Urgh - thanks for the comprehensive reply.

> there does not seem to be anything at all as apache seems to be all file
> related

I wonder why mod_syslog has not been made more generic?

> redirecting to logger just does not work.
> 
> i wrote a python script that uses sockets (assuming linux, freebsd etc)

Yes, I'm on Linux - thanks for the script, and for the comments re logger etc.

*If anyone else has a suggestion for how Apache can log to syslog, I'm still 
interested in other possible ways to achieve it!*


Thanks,


Antony.

-- 
Why is "dyslexia" so difficult to spell, and why can I never remember "aphasia" 
when I want to?

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Log to syslog?

[Antony Stone]

Hi.

I'd like to have Apache send all log entries to syslog instead of files 
(because I run a central syslog aggregator and want to have many servers all 
send their log files to this system).

I have found:
https://httpd.apache.org/docs/trunk/mod/mod_syslog.html

However this appears only to be for Error Logs, whereas I would want _all_ 
logs to be sent to syslog.


Can Apache do this?


I have found some workarounds such as:

https://serverfault.com/questions/1025281

https://kifarunix.com/forward-apache-logs-to-central-log-server-with-rsyslog/

however I would be more comfortable if there were a way to tell Apache I want 
it to talk directly to syslog, if this can be done.


Thanks in advance,


Antony.

-- 
If you were ploughing a field, which would you rather use - two strong oxen or 
1024 chickens?

 - Seymour Cray, pioneer of supercomputing

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Unable to unsubscribe

[Antony Stone]

On Friday 03 September 2021 at 19:48:38, Scott A. Wozny wrote:

> Hi Antony,
> 
> No reply to either of my unsubscribe messages was received.  And yes, I did
> check my spam folder.  Not sure if the issue is on the Apache side or the
> Hotmail side, but I appreciate your letting me know there's supposed to be
> a reply and confirmation.  At least now I know where the process is
> breaking down.

Well, I can confirm that the problem is not on the Apache side of things, 
because I just (19:51:11) sent an email from my subscribed address to
users-unsubscr...@httpd.apache.org and I got the response back timed at 
19:51:27.

Of course, I haven't replied to that, because I don't actually want to 
unsubscribe myself, but it certainly shows that the process at the Apache end 
is working as expected.

If you aren't getting this auto-reponse back again then I'd say either you're 
not sending from the subscribed address, or the response is being filtered out 
by your email provider for some reason.


Antony.

-- 
René Descartes walks in to a bar.
The barman asks him "Do you want a drink?"
Descartes says "I think not," and disappears.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Unable to unsubscribe

[Antony Stone]

On Wednesday 01 September 2021 at 18:46:23, Scott A. Wozny wrote:

> Per the instructions in list emails, I've sent a couple emails to
> users-unsubscr...@httpd.apache.org this week, but I'm still getting emails
> from the list.  Any idea what gives?

Have you received a reply asking you to confirm the unsubscription, and you 
then confirmed?

It's a two-step process - you have to confirm from the same email address - to 
prevent someone else from simply unsubscribing you by sending an email with 
your address in the From header.


Antony.

-- 
I own three Windows books, published by O'Reilly.   They are "Windows 
Annoyances", "Office 97 Annoyances" and "Windows 98 Annoyances".   That pretty 
much sums it up for me.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache CGI - How to get ALSA functions to work properly.

[Antony Stone]

On Monday 23 August 2021 at 18:35:20, Dominik Wrona wrote:

> Thank you! It is possible the CGI program is not in the 'audio' group.
> Would you know how to add it to the audio group?

As root, or the current owner of the script:

chown :audio /the/cgi/script
or
chgrp audio /the/cgi/script

Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Sending mail from Apache Module

[Antony Stone]

On Saturday 31 July 2021 at 12:11:16, Harald Schlangmann wrote:

> The error log is rather odd and is coming with a debugging output I add
> myself only:
> 
> [Sat Jul 31 10:13:29.824371 2021] [:debug] [pid 30273:tid 3027227680]
> src/mod_mini_booking.c(73): [client 81.169.144.135:34004] handleBooking():

Hehe - I have servers hosted at Strato too :)

> smtp failed with Failed to authenticate with the given credentials,

So, that clearly tells us it's the authentication part that's not working.

> referer: 

> The smtp library sends debugging output to stderr. This would be
> interesting to see. Any idea where stderr is forwarded to by apache?

I would *expect* it to go into /var/log/apache2/error.log but I've not tried 
building a module in to Apache, so that's not definite.

> > On 31. Jul 2021, at 11:55, Antony Stone wrote:
> > 
> > Try starting simple and eliminate the TLS - just send SMTP to some mail
> > server on port 25.  If that works, we know it's not the module per se,
> > and we can focus on the SSL library.

Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Sending mail from Apache Module

[Antony Stone]

On Saturday 31 July 2021 at 11:46:50, Harald Schlangmann wrote:

> First post to this group, so please forgive anything I'm doing wrong.

Welcome.

> Problem: everything is going fine except for sending a confirmation mail to
> users once a booking has been successful. I use
> https://github.com/somnisoft/smtp-client as a simple C based SMTP client
> embedded into the module. While the function to send a mail is working
> fine when compiling it as a separate C program and running it from the
> command line, it fails when embedding  the function into my Apache module.

Show us details of what "fails" means.

Minimum: what shows up in Apache's log files when the email is supposed to be 
sent.

Maybe helpful: a packet capture (using something like tcpdump or tshark) of 
any communication with the remote mail server.

Also "For SMTP, port 465 and TLS security (openssl) is used."

Try starting simple and eliminate the TLS - just send SMTP to some mail server 
on port 25.  If that works, we know it's not the module per se, and we can 
focus on the SSL library.


Antony.

-- 
People say that nothing is impossible, so I try to do the impossible every 
day.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: users Digest 30 Jun 2021 16:18:56 -0000 Issue 6154

[Antony Stone]

On Thursday 22 July 2021 at 16:57:58, Gabriel Edmundo wrote:

> unsubscribe

Not the way any mailing list I've ever seen works.

As placed at the bottom of every posting on the list:

To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


Antony.

-- 
"640 kilobytes (of RAM) should be enough for anybody."

 - Bill Gates

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Misbehaving CustomLog logger causing local denial-of-service, intended behaviour?

[Antony Stone]

On Friday 04 June 2021 at 11:09:33, Olli Pasanen wrote:

> Hello,
> 
> I’ve encountered an interesting local DOS issue on Apache 2.4.48, and I am
> not sure whether this is intended behavior.
> 
> Symptom:
> - Apache2 hangs indefinitely (stops processing incoming requests)
> 
> Setup:
> - Apache 2.4.48 built from source, running on Debian 10
> - A dummy CustomLog program that does not consume stdin

Do you believe the first step to be a requirement, or can this situation be 
reproduced using standard packaged versions of Apache (it sounds like this 
would be true)?

> An example of a directive causing the issue:
> CustomLog “|/tmp/logger.py” combined OR
> CustomLog “|$/tmp/logger.py” combined
> 
> To reproduce the issue, simply configure CustomLog as above where the
> target logger is a dummy executable that does not consume stdin. After
> this, generate enough requests to hang the server (in my case around
> 700-800, but this depends on what the log format is and probably other
> directives too). Apache then stops processing any incoming requests.

I don't think I would call this a DoS problem - it's not as though there is 
anything an external agent can do to a correctly configured Apache to cause 
this behaviour.  I'd say it is an error in configuration (admin needs to ensure 
that anything told to accept log entries from Apache does actually do so), 
although I agree it might be good if Apache's logging could be decoupled from 
request processing, so that a blockage in one does not affect the other.

> I am not entirely sure about the root cause of the issue, but I believe it
> apache wants to write to the stdin buffer of the target logger, and since
> it is full, it will try to wait until there is space. Since the logger is
> not consuming the stdin, this causes apache to hang indefinitely.
> 
> Is this intended behaviour? If so, are there any ways to mitigate the issue
> by changing the Apache / OS configuration? The logger that is actually
> used is not a dummy program, but unfortunately has similar behaviour (full
> buffers) under heavy load.

I would guess that it's not exactly "intended", but it's a consequence of 
request processing being dependent on log processing.  Maybe a feature request 
to the developers to have these decoupled would be worthwhile?


Antony.

-- 
Just when you think you're done, a cat floats by with buttered toast strapped 
to its back.

 - Steve Krug, "Don't make me think"

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] PreShared Key (PSK) possible? Configuration?

[Antony Stone]

On Monday 31 May 2021 at 07:17:52, Garry Adkins wrote:

> > If these things don't have access to the Internet, what security concerns
> > are you trying to address by using encryption at all?
> 
> > Maybe you could explain where the IoT devices are and where Apache is, in
> > networking terms, so we can understand what communications you are trying
> > to secure, and against what threats.
> 
> The devices are very simple embedded controllers, and they're monitoring
> environmental factors, the exact things they monitor depends on how they're
> configured.

> Apache is installed on a dedicated computer with a private wifi network
> that houses the control scripts, update files, and database.  This machine
> is also not internet connected.  The machine can be queried to create
> reports on the data, and can reach out to a third machine (via wired lan)
> to send alerts if something goes out of range. It currently runs a version
> of Debian.

> The security concerns are two fold, one technical, one political.

> The technical issue is fairly straightforward. Using PSK, only devices that
> have the PSK can talk to Apache, giving a degree of validation that only
> verified devices can send data.  This is for data integrity purposes.
> Others cannot connect. In a large (physical size) organization, they can be
> configured to connect over the location's internal WiFi so WiFi encryption
> alone is not sufficient.
> 
> The political issue is (imho) kind of pointless but very real.  Many
> organizations have little checklists that will eliminate you from competing
> for business.  Very often there will be a requirement like "All
> communication is encrypted using a minimum of TLS 1.2 or higher". If you
> can't pass that checkbox, you are disqualified.
> 
> So the question is:
> Can I configure Apache to use PSK (preferably TLS1.3 version of PSK) by
> sharing a key between the server and the client?

I can find no indication that Apache supports TLS / PSK.

Provided your IoT devices can manage the client end, I would suggest you look 
into using https://www.stunnel.org/ on the Apache server, to provide TLS over 
the network, and plain HTTP internally on the server (localhost only) between 
stunnel and Apache.


Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] PreShared Key (PSK) possible? Configuration?

[Antony Stone]

On Sunday 30 May 2021 at 08:43:59, Garry Adkins wrote:

> Hi,
> 
> I'm new to the maling list, and was wondering if anyone used pre-shared
> keys with Apache for encrypted connections?

I don't know about PSK with Apache, but...

> I'm working with some processor constrained IOT devices, and doing a full
> TLS 1.3 setup is quite heavy.  These devices don't have access to the
> internet, so updating certs becomes a problem too.

If these things don't have access to the Internet, what security concerns are 
you trying to address by using encryption at all?

Maybe you could explain where the IoT devices are and where Apache is, in 
networking terms, so we can understand what communications you are trying to 
secure, and against what threats.


Antony.

-- 
"If I've told you once, I've told you a million times - stop exaggerating!"

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Reverse proxy to local container suddenly & randomly 503

[Antony Stone]

On Sunday 23 May 2021 at 13:15:13, lejeczek wrote:

> Hi guys.
> 
> I have a regular & pretty vanilla reverse proxy

Can you show us the configuration for this?

> to a Linux container (also Apache) which is on the same host.

Out of interest, why?  Why use Apache as a reverse proxy to another Apache 
instance on the same machine?

> Sometimes and randomly - if there is only pattern if behavior then I'd say
> proxy does 503 299 after "some" period of inactivity - would not proxy.

Show us more detail from the access log.  You say this happens after some 
period of inactivity - can you show us all the log file lines you get after 
that inactivity, when the problem occurs?

> Suffices I do, I'm on CentOS,:
> -> $ systemctl reload httpd.service
> and all comes back up and site is available again.

Does that restart both Apache instances or just the reverse proxy?

> I'll be grateful for any ideas and suggestion on how to
> troubleshoot and fix it.

I'd start by:

 - examining the log files of the proxy server
 - examining the log files of the web server
 - checking that the web service is running when the proxy complains
 - accessing the web service directly (bypass the proxy) to see whether the 
response is as expected


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] which bit ?

[Antony Stone]

On Tuesday 18 May 2021 at 14:35:56, back button wrote:

> I do not need any help setting up and installing any software.

So, what is your purpose on this mailing list?

> The internet was not invented by Americans

I suggest you try reading the second paragraph of 
https://en.wikipedia.org/wiki/Internet

Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] which bit ?

[Antony Stone]

On Tuesday 18 May 2021 at 14:07:03, back button wrote:

> That it is a long standing problem that apache httpd and ubuntu httpd are
> two different products  therefore case for widespread  confusion ?

I've only been on this mailing list for 2 years, but I'm pretty sure this is 
the first time I've seen such a long-running discussion about the difference, 
instead of someone quite innocently asking here about Ubuntu httpd, being told 
"sorry, that's not the same as Apache httpd" and then going off to talk to the 
Ubuntu people about it instead.

> Obviously ubuntu feel the apache docs and setup do not meet their
> standard so they have made their point by redesigning  their  own product.
> In my opinion Apache should ask themselves what they are doing wrong that
> others are redesigning the product making the point Apache do not meet
> their standard.

Let's assume that the Apache Software Foundation believes the product is good, 
and sufficiently well-documented.

It's then a question for the Ubuntu community as to why they decided to change 
things.

So, both for the technical support you are seeking, and an answer to the 
philosophical question about why Ubuntu changed the project without 
sufficiently 
changing the name, please go and ask Ubuntu people who know.


Antony.

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Is proxy to proxy improving the security?

[Antony Stone]

On Saturday 15 May 2021 at 16:21:56, Jason Long wrote:

> Hello,
> Is proxy to proxy improving the security? For example:
> 
> The Internet --> Reverse Proxy Server --> Reverse Proxy Server --> Web Site

I would say that if the two reverse proxies, and the web server, are all 
running different software, then this arrangement makes you less susceptible to 
any vulnerabilities in any of them which otherwise might be exploited.

The weakest part of the system, of course, is the proxy exposed to the 
Internet.  If that can be compromised then it might be persuaded to send a 
perfectly legitimate (but undesirable) request through to the second proxy, 
etc.

If the two proxies are running the same software, though (for example Apache), 
then you might as well just put all your effort into securing the first one.

After all, suppose you know how to secure a reverse proxy to level X (whatever 
that means).  You would be mad then to place another identical proxy behind it 
secured to a lower level than X, and if you can secure that second proxy to a 
higher level than X (call it X+), then you should just implement level X+ on 
the first one to begin with.


Regards,


Antony.

-- 
In the Beginning there was nothing, which exploded.

 - Terry Pratchett

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Intermittent "'www-browser --dump http://localhost:80/server-status' failed" errors generated by "apachectl status"

[Antony Stone]

On Thursday 06 May 2021 at 16:38:47, Steve Dondley wrote:

> Maybe I'd be better off using the right tool for the job which appears
> to be this perl script:
> http://httpd.apache.org/docs/2.4/programs/log_server_status.html
> 
> However, I can't find this script anywhere on my Debian Buster install.
> How do I get and install this script?

https://packages.debian.org/search?mode=filename=contents=log_server_status

Looks like you need to install apache2-doc


Antony.

-- 
 yes, but this is #lbw, we don't do normal

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: LAN to WAN access: SOLVED -> how-to

[Antony Stone]

On Wednesday 28 April 2021 at 19:09:29, back Button wrote:

> Yes I have sky broadband package with their max broad band offering.

I look forward to this list getting back to discussing the Apache web server 
rather than home network routing configurations.


Antony.

-- 
What do you get when you cross a joke with a rhetorical question?

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: LAN to WAN access

[Antony Stone]

On Tuesday 27 April 2021 at 22:53:07,  Good Guy  wrote:

> On 27/04/2021 21:01, back Button wrote:
> > 
> > Please get me to the stage when I can have the index.html page
> > display from the internet

> Load your index.html file to the root of the htdocs folders.

> To test it, just type:
> 
> localhost

And, how does this get "the index.html page to display from the Internet"?

I really think the fundamental problem here is that the public IP address is 
not routed through to the private address, so requests from the Internet never 
reach the laptop which is running the webserver.


Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] LAN to WAN access

[Antony Stone]

On Tuesday 27 April 2021 at 22:35:35, back Button wrote:

> I tired http://backbtn.ddns.net/  from my laptop.
> after setting up the no-ip.com  client application and following these
> instructionshttps://www.noip.com/download?page=linux

> This ip http://176.253.2.116/shows  the sky, broadband supplier page, 
> with a list of my  home devices connected.

> I have only followed the instructions as per no-ip.com  so far.

I'm sorry, but I can only repeat that this is not an Apache / HTTP problem.

This is a matter of IP routing, and needs to be configured correctly on your 
modem (cable / DSL / UMTS / whatever), which is a device we know nothing 
about.

I'm not trying to put you off (or fob you off); I'm just saying that this is 
something we cannot help you with - it needs to be set up on your Internet 
router, and we do not know what that is or how it works.


Antony.

-- 
I bought a book about anti-gravity.  The reviews say you can't put it down.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] LAN to WAN access

[Antony Stone]

On Tuesday 27 April 2021 at 22:02:40, back Button wrote:

> > PS; Why do you always append ".invalid" to whatever email address you
> > happen  to be using at the time?

> That just happens 

I would complain at my email client if it did that sort of thing without me 
wanting it to.

On Tuesday 27 April 2021 at 22:01:18, back Button wrote:

> if I type  http://backbtn.ddns.net/
> then I get   
> 
> 400 Bad Request
> Invalid Header.

I get "connection timed out".

So, two questions:

1. Did you try accessing http://backbtn.ddns.net/ from inside your netwrk (the 
one where the laptop running the website is) or outside?

You said you wanted to access it from the Internet - that's not necessarily 
the same as being able to access it from inside your own network.

2. Did you set up inward routing rules on whatever device connects you to the 
Internet (ie: connects the Internet to you) so that 176.253.2.116:80 gets 
forwarded to your laptop's internal network address?


Antony
 
-- 
Never automate fully anything that does not have a manual override capability. 
Never design anything that cannot work under degraded conditions in emergency.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] LAN to WAN access

[Antony Stone]

On Tuesday 27 April 2021 at 21:11:38, back Button wrote:

> I want to know how to setup  a website on my home laptopand access it from
> anywhere in the world .

1. Set up a website on your home laptop.

2. Set up inbound routing on your Internet connection so that requests to your 
public IP address are forwarded to the private address of your laptop.

This really isn't an Apache question - this is just IP routing.


PS; Why do you always append ".invalid" to whatever email address you happen 
to be using at the time?


Antony.

-- 
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Logging issue

[Antony Stone]

On Friday 23 April 2021 at 18:01:58, paul@stgconsulting.com wrote:

> Quick question re: DNS.  Can CNAMEs be used, or can they only be A records?
> (Assuming each sub-domain is on same IP address as domain.

You can use CNAMEs.

Just bear in mind that if you do use a CNAME for a hostname, you cannot have 
anything else (including another CNAME) for that hostname.

So, if you want a hostname to resolve to one IP address and not have any MX 
records etc, a CNAME is fine.

If the hostname needs to resolve to more than one IP address, or resolve to an 
address and also have an MX record, or similar, then you cannot use a CNAME.

Antony.

> -Original Message-
> From: Richard 
> Sent: Thursday, April 22, 2021 6:51 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Logging issue
> 
> > Date: Thursday, April 22, 2021 20:24:02 -0400
> > From: H 
> > 
> > On 04/22/2021 06:02 PM, Richard wrote:
> >>> Date: Thursday, April 22, 2021 16:53:56 -0400
> >>> From: H 
> >>> 
> >>> I read on one webpage that the locations (ie app1, app2 etc) have to
> >>> have their own A records. Does that mean that I need to have
> >>> app1.mydomain.com, app2.mydomain.com etc. registered individually
> >>> with my domain registrar for each of them to get its own A record?
> >> 
> >> Yes, the sub-domains need A-records, that is done through the DNS
> >> records you set up for the domain. Only the *domain* (e.g.,
> >> example.com) is registered with the registrar.
> > 
> > Great, thank you. I just did that and another piece of knowledge fell
> > into place... :-) I will let it propagate overnight and look at it
> > again tomorrow.
> 
> DNS is a query and cache system, records don't "propagate". If done
> properly, once you have entered a record and the zone has been loaded a
> query should result in an accurate answer. "Properly" includes bringing
> down the TTL if you are changing details on an existing record, and of
> course updating the serial so that secondaries know to update.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennett

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Planning on setting up Postfix + Dovecot + Webmail + Apache + MariaDB + PHP using Webmin Control Panel in the Cloud

[Antony Stone]

On Wednesday 21 April 2021 at 17:00:45, Turritopsis Dohrnii Teo En Ming wrote:

> I am planning to setup Postfix Email Server + Dovecot IMAP/POP3
> Incoming Mail Server + Webmail (Roundcube or Squirrelmail) + Apache
> Web Server + MariaDB Database Server + PHP using Webmin Control Panel
> specifically, in the cloud, preferably Amazon EC2.
> 
> Are there any very good and well written guides on doing this type of
> setup?

You could try:

https://speedkills.io/email-server-aws/

https://www.vultr.com/docs/how-to-install-postfix-dovecot-and-roundcube-on-
ubuntu-20-04

https://www.ionos.com/digitalguide/e-mail/technical-matters/postfix-mail-
server-with-dovecot-and-roundcube-on-centos-7/

https://wiki.archlinux.org/index.php/Virtual_user_mail_system_with_Postfix,_Dovecot_and_Roundcube

https://ubuntu.tutorials24x7.com/blog/install-mail-server-on-ubuntu-20-04-lts-
using-postfix-dovecot-and-roundcube

On the other hand, if you already did your own Google search and found these 
articles, but they weren't suitable for your needs, by all means let us know 
what was missing or confusing and maybe someone can help.

> Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 21 April 2021

Please don't post such long sigs to mailing lists.


Antony.

-- 
The best time to plant a tree is 20 years ago.
The second best time is now.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] unsubscribe

[Antony Stone]

On Friday 16 April 2021 at 02:06:56, H. E. wrote:

> unsubscribe

Quoting from the footers on the list:

To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

I know of no mailing list ever where the unsubscribe facility is to send any 
sort of message to the list address.


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] RewriteRule Time settings for sub folders

[Antony Stone]

On Wednesday 17 March 2021 at 22:35:36, Jens Kallup wrote:

> Hello,
> 
> I use Apache 2.4.  is it possible to add time based openings in vhost's
> sub/multiple directories?

I do not believe apache can use time specifications in its configuration files.

Out of interest, what would you do with them if this were possible?

Maybe I'm wrong, maybe there's another solution to your requirement, or maybe 
this is a feature request for apache...


Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 17:53:03, Jason Long wrote:

> Thank you Antony.
> No, Google and Yahoo are exmaple.

So, please use more meaningful names when asking your questions.  I've already 
said that using existing domains which are not yours misleads the person 
answering into thinking you really are trying to use these services.

> > however you manage that using DNS
> 
> You meant was my DNS server that when a client write "google.com" in
> his\her browser and it forward to my Reverse Proxy server with that name
> and my Reverse Proxy server forward that request to properly server.
> Right?

I think the answer to that is "yes".

More specifically, I mean that when someone enters "google.com" into their 
browser, the DNS server which that machine is using will return the IP address 
of your proxy server so that the request goes to it.

Now, if you do not mean "google.com" but instead something like 
"wiki.example.com" then the DNS result for wiki.example.com simply needs to 
point at your reverse proxy, and assuming that you own example.com this is 
easy to do.


Antony.

-- 
What makes you think I know what I'm talking about?
I just have more O'Reilly books than most people.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 17:44:07, Jason Long wrote:

> No, it is not home work.

What Eric means is that you should start trying to solve some of these 
problems on your own, and not ask so many questions here on the list which are 
either explained in the documentation, or already answered elsewhere on the 
Internet.

People are willing to share their time and expertise, but this is in exchange 
for seeing that the person asking for help has done as much as they can to 
solve their problem for themselves.

Everyone here is a volunteer, and goodwill can be over-used.


It is also important to know how to ask questions to get the best possible 
answer.

In short:

 - explain fully what you are trying to achieve

 - explain your setup in sufficient detail that someone else could reproduce it 
for themselves

 - explain how you are testing things (again, in sufficient detail that someone 
else knows how to do precisely the same thing)

 - explain what happens and how this differs from what you expected.


In longer format:

http://www.catb.org/~esr/faqs/smart-questions.html

Please pay particular attention to the "Before you ask" section.


Regards,


Antony.

-- 
Never automate fully anything that does not have a manual override capability. 
Never design anything that cannot work under degraded conditions in emergency.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 17:49:17, Antony Stone wrote:

> On Wednesday 17 March 2021 at 17:45:13, Jason Long wrote:
> > > In a real scenarios the 100 backend servers run the same
> > > application/website, not different ones. This makes them
> > > interchangeable. That's why when one goes down, the reverse proxy can
> > > route to another transparently.
> > 
> > Thus, for 100 different websites, we need 100 reverse proxy servers.
> 
> No.
> 
> One reverse proxy points to all 100 backend servers and shares the requests
> amongst them.

Oh, sorry, I just realised you said "100 *different* websites".  In that case 
the answer is yes.

> Antony.

-- 
I bought a book about anti-gravity.  The reviews say you can't put it down.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 17:45:13, Jason Long wrote:

> > In a real scenarios the 100 backend servers run the same
> > application/website, not different ones. This makes them interchangeable. 
> > That's why when one goes down, the reverse proxy can route to another
> > transparently.
> 
> Thus, for 100 different websites, we need 100 reverse proxy servers.

No.

One reverse proxy points to all 100 backend servers and shares the requests 
amongst them.


Antony.

-- 
These clients are often infected by viruses or other malware and need to be 
fixed.  If not, the user at that client needs to be fixed...

 - Henrik Nordstrom, on Squid users' mailing list

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 17:33:46, Jason Long wrote:

> The load balancing is different. It is kind of HA.

Yes.

> When my real server is down then Apache forward requests to my backup server

That is HA.

> and my website never down.

Right.

> Excuse me, according to below diagram, is my configuration work in a real
> scenario?
> 
> The Internet ---> Apache Reverse Proxy ---> Apache Web Server 1 (IP:
> 1.2.3.4, Name: Yahoo.com) ---> Apache Web Server 2 (IP: 1.2.3.5, Name:
> Google.com)

Now, do you *really* mean yahoo.com and google.com?

If you do, then no, this can never work.

> My Virtual Host configuration is:
> 
> 
>  ServerName yahoo.com
>  ErrorLog /var/log/httpd/Yahoo_error_log
>  TransferLog /var/log/httpd/Yahoo_access_log
>  
>  ProxyPass  http://1.2.3.4/
>  ProxyPassReverse   http://1.2.3.4/
>  
>
> 
> 
>  ServerName google.com
>  ErrorLog /var/log/httpd/Google_error_log
>  TransferLog /var/log/httpd/Google_access_log
>  
>  ProxyPass  http://1.2.3.5/
>  ProxyPassReverse   http://1.2.3.5/
>  
>

So, that defines two VirtualHosts.  One requires requests to come in for 
"yahoo.com" (however you manage that using DNS) and it forwards those on to 
1.2.3.4

The other VirtualHost requires requests to come in for "google.com" and it 
forwards these to 1.2.3.5

There is no failover, no high availablility, no load balancing, no interaction 
between the two.


Antony.

-- 
I lay awake all night wondering where the sun went, and then it dawned on me.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 17:21:24, Jason Long wrote:

> Why this is a matter to the Apache? In a real scenario, consider that an
> Apache Reverse Proxy servicing to 100 web servers, one of these servers is
> turned off or...Apache must service to other servers!! I turned off a
> server to solve this conflict. Why Apache never read another Virtual Host
> configuration?

Because you have not put all the potential servers into the same definition.

Apache regards one VirtualHost as being different from another.

I mean, suppose you have two VirtualHosts:

music.example.com --> 198.51.100.36

images.example.com --> 203.0.113.78

If you send a request into Apache for images.example.com and 203.0.113.78 is 
not available, you're not going to want the other machine which contains music 
to try to answer the request, are you?


If you want more than one back-end server to be able to answer a request which 
comes in, they must be put into a single VirtualHost definition using

https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html


Antony.

-- 
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 17:05:37, Jason Long wrote:

> Thank you.
> My VM uses port forwarding. When I browse 127.0.0.1:2080 on my host then it
> forwarded to my guest port 80.

That's neither here nor there for what we're discussing.

> > Are you suggesting that a request which *would* go to 192.168.1.4 if it
> > were turned on, should in fact go to 192.168.1.20 if 192.168.1.4 is turned
> > off?
> 
> Yes.

In that case you *are* talking about load balancing.

> My browser can't distinguish my requests and when a server is off then it
> must forwarded to other servers automatically.

https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html

> I know in a real scenario, it solved by domain name.

I do not understand that.

A reverse proxy which forwards incoming requests to various back-end servers 
based on whether they are available or not doesn't care what the names or IP 
addresses of those back-end servers are (they need to be configured into the 
reverse proxy setup, of course, but they can be totally independent of each 
other without problem).

> If my configuration is OK, then Apache accepts a request from port 80, one of
> my servers is turned off and Apache must forward it to another server.

I can only repeat myself:

https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html


Antony.

-- 
A good conversation is like a miniskirt;
short enought to retain interest,
but long enough to cover the subject.

 - Celeste Headlee


   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 15:15:49, Jason Long wrote:

> One of my Apache server (192.168.1.4) is turned off and I tried to see my
> server.

Please specific exactly how you "tried to see my server".

> Reverse Proxy must show other Apache server(192.168.1.20)

Are you suggesting that a request which *would* go to 192.168.1.4 if it were 
turned on, should in fact go to 192.168.1.20 if 192.168.1.4 is turned off?

> # cat /var/log/httpd/node3_access_log 
> 10.0.3.2 - - [17/Mar/2021:17:38:55 +0330] "GET / HTTP/1.1" 503 299
> 10.0.3.2 - - [17/Mar/2021:17:38:58 +0330] "GET /favicon.ico HTTP/1.1" 503
> 299

How are you distinguishing between trying to access node3 and node4 in your 
browser requests?


Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 14:57:06, Jason Long wrote:

> My current configuration is:
> 
> 
>  ServerName node3
>  ErrorLog /var/log/httpd/error_log
>  TransferLog /var/log/httpd/access_log
>  

I don't like the look of the / in that tag.  It's closing the  tag 
before you've defined what it contains.  Try:



instead.

>  ProxyPass  http://192.168.1.4/ 
>  ProxyPassReverse   http://192.168.1.4/
>  
>
> 
>
>  ServerName node4
>  ErrorLog /var/log/httpd/error_log
>  TransferLog /var/log/httpd/access_log

I also suggest using separate log files for separate servers, just to keep 
things clear.

> And my Reverse Proxy can see both of Apache web servers:

Good.

> On Wednesday, March 17, 2021, 05:15:35 PM GMT+3:30, Antony Stone wrote:
> 
> Show us what your configuration looks like now, and also tell us how you
> are testing it, what you expect the results to be, and what results you
> actually get.

You've done the first part, thank you.  How about the next parts?


Antony.

-- 
3 logicians walk into a bar. The bartender asks "Do you all want a drink?"
The first logician says "I don't know."
The second logician says "I don't know."
The third logician says "Yes!"

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 14:40:32, Jason Long wrote:

> Thank you.
> Which part of my configuration is wrong?

I don't know.  I've lost track of what your configuration looks like now.

> My Reverse Proxy can see my Apache web servers and as I said, its worked
> with one host, but can't work with two hosts. it sounds like, my Reverse
> Proxy just see the first Virtual Host config!!!

Show us what your configuration looks like now, and also tell us how you are 
testing it, what you expect the results to be, and what results you actually 
get.


Antony.

-- 
"Measuring average network latency is about as useful as measuring the mean 
temperature of patients in a hospital."

 - Stéphane Bortzmeyer

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 14:28:29, Jason Long wrote:

> I want to have one Reverse Proxy server that service to some web servers
> that each of them has theirs domains and IPs. I want to know, for 10
> different websites that each of them has different IPs and domain names, I
> need 10 Reverse Proxy servers?

No, you can do this all on one server, but you do need 10  
definitions in your Apache configuration.  These can all be in the same file or 
in 10 different files, as you prefer.


Antony.

-- 
A user interface is like a joke.
If you have to explain it, it means it doesn't work.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 13:25:34, Jason Long wrote:

> No, I don't need a load balance.

Okay, so each request goes to one back-end server, and if that server is 
unavailable, the request fails.  You do not expect the request to be sent to 
another backend server instead.

> I want my Reverse Proxy service to these web servers. Each servers has a
> different domain name and IP address.

I find it highly confusing that you have called these servers yahoo.com and 
google.com.  Those servers already exist out on the Internet and they're not 
yours.

Please choose more meaningful names in what you tell us (by all means use 
example.com for your domain if you don't want to publish anything which really 
is yours, but similarly don't confuse the issue by using names which do exist 
but are not yours).

> My Yahoo.com server maybe turned off or...but I want my Apache Reverse Proxy
> service to Google.com server.
> 
> Is it clear?

Not quite.

Tell us what should happen in the following cases (I have modified the names 
used, I hope this is clear):

serviceA.example.com is being reverse proxied to machine1.example.com

serviceB.example.com is being reverse proxied to machine2.example.com

What happens when someone requests serviceA.example.com and both 
machine1.example.com and machine2.example.com are operational?

What happens when someone requests serviceA.example.com and 
machine1.example.com is unreachable, turned off, or refusing to reply?


Regards,


Antony.

-- 
"Remember: the S in IoT stands for Security."

 - Jan-Piet Mens

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Wednesday 17 March 2021 at 12:34:44, Jason Long wrote:

> I'm a newbie and as you said you are here from 2010. OK, tell me how can I
> configure an Apache Reverse Proxy to service to the multiple web servers?

I did a Google search for "Apache reverse proxy multiple web servers".

https://stackoverflow.com/questions/50611098 was the fourth result and gives 
you a pretty complete example.


Antony.

-- 
I thought I had type A blood, but it turned out to be a typo.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy for more than one website.

[Antony Stone]

On Tuesday 16 March 2021 at 19:16:56, Jason Long wrote:

> Hello,
> For a website, I created a reverse proxy config file under the
> "/etc/httpd/conf.d/" directory as below:
> 
> 
> ProxyPreserveHost On
> ProxyPass / http://192.168.1.4/
> ProxyPassReverse / http://192.168.1.4/
> 
> 
> If I have other servers, then I must create a config file for each of them
> or I just need to add my servers IP addresses to the above file?

You can put all your configurations into one file, that is not a problem.

You will need a completely separate  section for each machine you 
want to act as a reverse proxy for.

Finally, I trust you realise that you cannot use  with more 
than one back-end server - there needs to be a way to distinguish which 
incoming requests are to be passed to server A and which ones to server B etc 
(in other words, you have to change the * to something which identifies what 
you want to reverse proxy to where).


Antony.

-- 
In Heaven, the beer is Belgian, the chefs are Italian, the supermarkets are 
British, the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the beer is American, the chefs are British, the supermarkets are 
German, the mechanics are French, the lovers are Swiss, the entertainment is 
Belgian, and everything is organised by the Italians.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: httpd[803535]:

[Antony Stone]

On Tuesday 16 March 2021 at 09:13:54, Jason Long wrote:

> Hello,
> Instead of "ErrorDocument 403 "Unusual activity has been detected from
> this IP address."" message, how can I forward it to another page?

Try https://httpd.apache.org/docs/2.4/custom-error.html

Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: httpd[803535]:

[Antony Stone]

On Monday 15 March 2021 at 18:37:40, Jason Long wrote:

> Yes. I saw the same IP address.

What is the answer to Richard's question: "what was the response code? Was it 
(still) a 200 or was it a 401 or 403 or something else?"

> What is the problem?

The problem is that your block list is not getting used correctly.

For now we just don't know why.


Given that this discussion has been going on for quite some time and various 
things have been tried, suggested, tested and reported, I no longer have a 
clear idea of what your Apache configuration for this is, so please can you 
post here:

1. Your Apache configuration for the website in question

2. A clear indication of how you are implementing the block list

3. A small sample of how the IP addresses are specified in the block list

By all means obfuscate anything you think is necessary, but please make it 
obvious:

a) where you have done so, and

b) where two obfuscated things are actually the same

This might help anyone who may be able to help, to be sure they're starting 
from the correct understanding and assumptions.

> On Monday, March 15, 2021, 05:07:07 PM GMT+3:30, Antony Stone wrote:
> 
> So, just to be clear, you added 46.167.45.* to your file of blocked IPs,
> restarted Apache, re-visited your website, and found the same address again
> in Apache's access file with a timestamp after the restart?
> 
> 
> Antony.

-- 
If you ask a Yorkshireman whether he knows the German word for "egg",
don't be surprised if he just smiles and says "Aye".

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: httpd[803535]:

[Antony Stone]

On Monday 15 March 2021 at 14:51:36, Richard wrote:

> > Date: Monday, March 15, 2021 14:36:45 +0100
> > From: Antony Stone
> > 
> > On Monday 15 March 2021 at 14:23:18, Jason Long wrote:
> >> Thank you.
> >> As I said, I visted https://www.myip.com/ website without Tor
> >> Browser and it showed me my real IP address. OK, I added the IP
> >> address that Apache log file showed me and restart my Apache
> >> service, but I can visit my site!!! Apache log tell me my IP is :
> >> 46.167.45.*
> >> myip website tell me my IP is : 79.99.83.*
> > 
> > So, just to be clear, you added 46.167.45.* to your file of blocked
> > IPs,  restarted Apache, re-visited your website, and found the same
> > address again in  Apache's access file with a timestamp after the
> > restart?
> 
> The real question is, what was the response code? Was it (still) a
> 200 or was it a 401 or 403 or something else. An apache config block
> doesn't keep the client that is targeted from reaching the site, just
> from accessing content.

True, but I'm assuming that when JL says "I can visit my site", he means he's 
getting content in his browser.

This may be an unreasonable assumption on my part, though (and we haven't even 
discussed local caching yet).


Antony.

-- 
Why is "dyslexia" so difficult to spell, and why can I never remember "aphasia" 
when I want to?

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: httpd[803535]:

[Antony Stone]

On Monday 15 March 2021 at 14:23:18, Jason Long wrote:

> Thank you.
> As I said, I visted https://www.myip.com/ website without Tor Browser and
> it showed me my real IP address. OK, I added the IP address that Apache
> log file showed me and restart my Apache service, but I can visit my
> site!!! Apache log tell me my IP is :46.167.45.*
> myip website tell me my IP is : 79.99.83.*

So, just to be clear, you added 46.167.45.* to your file of blocked IPs, 
restarted Apache, re-visited your website, and found the same address again in 
Apache's access file with a timestamp after the restart?


Antony.

-- 
If you were ploughing a field, which would you rather use - two strong oxen or 
1024 chickens?

 - Seymour Cray, pioneer of supercomputing

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: httpd[803535]:

[Antony Stone]

On Monday 15 March 2021 at 13:48:27, Jason Long wrote:

> Thank you.
> I guess something is wrong!

I agree with you.

> I put my IP address

Please answer, in as much detail as you can, where you got that address from.  
My question is "how do you believe you know what your IP address is?"

> in "tor-ip.conf" file and restarted my Apache service, then visit my website
> and checked the log file, but the IP address in the log file Vs. my IP
> address!!!

So, the address shown in your log file is the actual address your request came 
from.

Put *that* address into your list of blocked addresses and try again.

Let us know whether you are then blocked from accessing the page.

> For example, the https://www.myip.com/ website shows me that my IP address
> is "1.2.3.4", but in Apache log, my IP address is "1.2.3.5".

Those fake addresses don't help us to understand what is happening.

Firstly it makes it look as though you are talking about two adjacent 
addresses in the same subnet (I doubt whether that is true).

Secondly it gives us no clues as to whether either of the addresses could be 
an RFC 1918 private address (ie: it starts with 10. or 172.16. to 172.31. or 
192.168.).

If you want to obfuscate your addresses on a public list (which is not a bad 
idea) but still make it clear to us what sort of addresses you are talking 
about, modify *just* the first byte of the addresses to be something higher 
than 300, and leave the rest the same.

If either of the addresses in question is an RFC 1918 address, though, leave 
it as it is - that is not sensitive information.


Regards,


Antony.

-- 
Neurotics build castles in the sky;
Psychotics live in them;
Psychiatrists collect the rent.


   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: httpd[803535]:

[Antony Stone]

On Monday 15 March 2021 at 12:22:07, Jason Long wrote:

> Thank you.
> I opened Tor Browser and visited "https://www.iplocation.net/; website and
> find my IP address, then checked my IP address with the list of IP
> addresses in "tor-ip.conf" file. My IP existed in the list, but I can
> visit my website!!!

I thought one of the aspects of the Tor network was that subsequent connection 
requests can enter the standard Internet from different egress points (ie: you 
appear to have a different IP address for different requests).

Therefore visiting one website and finding out what IP address you appear to 
have, and then visiting another website does not confirm that your visit to the 
second site comes from the same IP address as the first.

As I already suggested:

*Look in your website log files* to find out which address the connection came 
from.

Then compare this with the list of blocked addresses you used to prevent 
access.


Regards,


Antony.

-- 
"Hi, I've found a fault with the English language and I need an entomologist."
"I think you mean an etymologist."
"No.  It's a bug, not a feature."

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: httpd[803535]:

[Antony Stone]

On Sunday 14 March 2021 at 20:37:15, Jason Long wrote:

> I can visit my website with the Tor Browser!!!

Look in your website log files to find out which address the connection came 
from.

Then compare this with the list of blocked addresses you used to prevent 
access.


Antony.

-- 
This space intentionally has nothing but text explaining why this space has 
nothing but text explaining that this space would otherwise have been left 
blank, and would otherwise have been left blank.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] What should be considered about the reverse proxy server? [EXT]

[Antony Stone]

On Thursday 11 March 2021 at 15:35:17, Jason Long wrote:

> Thank you for all replies.
> How to handle back-end server down? Is it kind of load balancing or CDN?

No.

Whether you have one back-end server or a hundred, you have to allow for the 
fact that under certain circumstances the reverse proxy may not be able to 
contact any of them, and therefore has to return some response to the 
requesting client.


Antony.

-- 
I think broken pencils are pointless.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] What should be considered about the reverse proxy server? [EXT]

[Antony Stone]

On Thursday 11 March 2021 at 13:20:32, Jason Long wrote:

> Hello,
> Can anyone answer to my questions?
>
> 1- What does "handle backend server down" mean?

You have to decide what the proxy is supposed to do if the back-end server 
which it would normally pass requests on to is unable to handle those 
requests.

> 2- Can I launch a Reverse Proxy without Apache Web Server?

Yes.  You install what most people would call the "Apache web server" but you 
configure it in such as way that it is a reverse proxy and not an origin server 
(technical term for something that provides its own content in response to 
requests).

> 3- In general, an Apache Reverse Proxy Server is just some lines to forward
> the requests?

Yes, that and a few modules which need to be loaded.  It's all in the 
configuration files.


Antony.

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] result codes from Bash CGI

[Antony Stone]

On Monday 15 February 2021 at 17:36:46, Claude Warren wrote:

> Greetings,
> 
> I am playing with Bash based CGI.

Maybe if you give us an example of exactly how you are doing this, it would 
help us to answer your question:

> I can see how to generate any result code other than 200.

I assume a "not" is missing from that sentence :)

> Is there a way to set the result code to anything else?  If so how?  Is
> there documentation?

There are plenty of examples of CGI scripts return other status codes, 
although I've no idea how many might be written in bash.

My guess is that you might need to set the exit code of your script to 
something specific, but as I say, show us what you're doing so far and we might 
have a better idea.


Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used a 
third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] unsubscribe did not work

[Antony Stone]

On Tuesday 09 February 2021 at 16:17:12, Heather Lotz wrote:

> Yes.

Did you receive, and reply to, a confirmation email following your unsubscribe 
request?

If not, have you checked your spam folder to see if it got filtered out?

> 
> From: Antony Stone 
> Sent: Tuesday, February 9, 2021 9:15 AM
> To: users@httpd.apache.org 
> Subject: Re: [users@httpd] unsubscribe did not work
> 
> On Tuesday 09 February 2021 at 16:13:33, Heather Lotz wrote:
> > The unsubscribe request did not seem to work as e-mails from
> > users@httpd.apache.org are still coming through.
> 
> Are you certain you unsubscribed from the same address as the emails are
> coming through to?
> 
> > ____
> > From: Antony Stone 
> > Sent: Tuesday, February 9, 2021 6:48 AM
> > To: users@httpd.apache.org 
> > Subject: Re: [users@httpd] unsubscribe
> > 
> > On Tuesday 09 February 2021 at 13:39:06, Heather Lotz wrote nothing.
> > 
> > See the footers on messages to this list:
> > 
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] unsubscribe did not work

[Antony Stone]

On Tuesday 09 February 2021 at 16:13:33, Heather Lotz wrote:

> The unsubscribe request did not seem to work as e-mails from
> users@httpd.apache.org are still coming through.

Are you certain you unsubscribed from the same address as the emails are 
coming through to?

> 
> From: Antony Stone 
> Sent: Tuesday, February 9, 2021 6:48 AM
> To: users@httpd.apache.org 
> Subject: Re: [users@httpd] unsubscribe
> 
> On Tuesday 09 February 2021 at 13:39:06, Heather Lotz wrote nothing.
> 
> See the footers on messages to this list:
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] unsubscribe

[Antony Stone]

On Tuesday 09 February 2021 at 13:39:06, Heather Lotz wrote nothing.

See the footers on messages to this list:

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


regards,


Antony.

-- 
If you can smile when all about you things are going wrong, you must have 
someone in mind to take the blame.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Is it possible to exclude a directory from listing?

[Antony Stone]

On Thursday 21 January 2021 at 22:09:39, Jason Long wrote:

> I did:
> 
> Options -Indexes
> AllowOverride All
> Require all granted
> 
> 
> But when I browse "https://MyDomain.net/wp-content/plugins; then I can see
> the content of the plugins directory! Why?

Perhaps because "wp-content" is not the same as "wp"?

You've told us what your settings are for "/var/www/wp".

We have no idea how this relates to "https://MyDomain.net/wp-content/plugins;

Show us more of your configuration and someone might be able to help.

Oh, and by the way, why do you want "AllowOverride All"?


Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Replays from Internet

[Antony Stone]

On Tuesday 19 January 2021 at 18:00:11, Ruben Safir wrote:

> this has nothing to do with apache

I think that's a somewhat harsh way of putting it, but I do agree that since 
"that page does not show in the httpd log as having been served" you are 
correct, and the problem lies elsewhere.  I would suggest looking at any 
database logs for transactions made, to see whether that shows where the 
duplicate order updates came from.

> On Tue, Jan 19, 2021 at 11:55:41AM -0500, John wrote:
> > Since the beginning of 2021 we have encountered two online orders and
> > possibly a third, where the customer denies making the order and the
> > httpd log seems to confirm that.
> > 
> > In each case, the person made an order and a day or more later a
> > second order was placed for the same item and carrying the same credit
> > card information.  Since everything looked valid and the delay
> > bypassed our duplicate order check, the order was accepted.
> > 
> > Some background: a customer can connect to our catalogue and move
> > around untracked for as long as they want until they decide to place
> > an order.  At this point there is only one path to follow to enter
> > address info, credit card, etc. This ends with a summary of the order
> > and if they click to proceed, it POST's the server order processor
> > with the relevant info causing the credit card to be charged and the
> > order to be entered. In total 3 scripts must be processed in the
> > correct order.
> > 
> > I scanned for the customer's IP in the httpd access log in each case
> > and found that when they made the valid order they were on our
> > catalogue and followed the correct path to place the order, confirming
> > it as expected.
> > 
> > BUT, and here is what I am having trouble understanding, for the
> > invalid order ONLY the last request was logged as received by httpd.
> > It shows the correct source (ie the page that should have resulted in
> > an order) yet that page does not show in the httpd log as having been
> > served.  In one case, NO other page was served to that customer on
> > that day ahead of the received order, at least judging from IP
> > addresses in use.
> > 
> > So what I appear to be seeing is a replay from the Internet which I
> > find hard to accept as real.  Has anyone ever seen this before and if
> > so what did they do to resolve it?  The only other possibility that I
> > can think of is that their browser cached the page and re-transmitted
> > it. (a violation of the HTML standard I think for a form page).
> > 
> > The environment is Apache 2.4.25 on Fedora using php-fpm.
> > 
> > Thanks in advance and apologies for the length of this post.

Regards,


Antony.

-- 
"Black holes are where God divided by zero."

 - Steven Wright

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

[Antony Stone]

On Wednesday 13 January 2021 at 10:59:12, Andrea Croci wrote:

> Hi James,
> 
> what was the command you used to see that apache uses ~1GB of memory? I
> deleted the mail and that was a bad idea: there were some very useful
> commands you were giving us here.

You can view the entire thread archive at 
http://mail-archives.apache.org/mod_mbox/httpd-users/202101.mbox/browser

Regards,


Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Disable directory indexing for a specific directory.

[Antony Stone]

On Sunday 22 November 2020 at 16:06:59, Lucien Gentis wrote:

> Hello,
> 
> Could you please join your Virtual host complete configuration ?

Also, it puzzles me somewhat why you would want *any* directories underneath 
Wordpress to be indexed to viewers.

> > On Monday, November 16, 2020, 08:11:58 PM GMT+3:30, Jason Long wrote:
> > 
> > I have a WordPress website and my Virtual Host file include below lines:
> > 
> > 
> > Options Indexes FollowSymLinks
> > AllowOverride all
> > Require all granted
> > 

Antony.

-- 
I bought a book on memory techniques, but I've forgotten where I put it.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Forwarding IP to HTTPS.

[Antony Stone]

On Monday 12 October 2020 at 07:25:56, Jason Long wrote:

> Hello,
> Forwarding an IP address to HTTPS domain is the task of Apache or SSL?

What do you mean by "forwarding", and what protocol (presumably either HTTP or 
HTTPS) is being used by the client application which starts the connection 
(ie: a web browser or equivalent)?

Please give more details about your question so that we have a better idea 
what the correct answer might be.


Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] To Gzip or not?

[Antony Stone]

On Saturday 10 October 2020 at 20:23:46, Tom Browder wrote:

> I've been looking at ways to speed up my web services using 
> https://webpagetest.org for analysis. One thing I've been reading about is
> using mod_deflate to compress certain files but keep seeing the warnings

Which warnings?  Where?

> about using compression with https due to certain known threats.

What threats?

> In my searches so far I've not found anything saying that threat has been
> mitigated. Does anyone here use compression with TLS or have any current
> advice about the issue?

Can you point us at any document about what this "issue" is, so that we know 
what "threat" you're concerned about?


Antony.

-- 
Was ist braun, liegt ins Gras, und raucht?
Ein Kaminchen...

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] I get each Mail to this list twice

[Antony Stone]

On Thursday 03 September 2020 at 14:58:44, Lentes, Bernd wrote:

> Hi,
> 
> i get each E-Mail to this list twice or even three times.
> Do you have the same problem ?

I personally do not.

> Does anyone know what to do ?
> Contact the list-admin ?

I would start by carefully checking the headers of the "identical" emails you 
receive and see whether:

a) they're actually being sent to different addresses (ie: you're subscribed 
more than once)

b) you can identify that the message sent from the list server was the same in 
both (or all three) cases, but then when passing through some onward relay, 
gets duplicated (or triplicated) into the multiple copies you receive.  That 
would then tell you which machine is reponsible and you can contact the 
appropriate admin.


Regards,


Antony.

-- 
Bill Gates has personally assured the Spanish Academy that he will never allow 
the upside-down question mark to disappear from Microsoft word-processing 
programs, which must be reassuring for millions of Spanish-speaking people, 
though just a piddling afterthought as far as he's concerned.

 - Lynne Truss, "Eats, Shoots and Leaves"

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] shared .htpasswd access across multiple servers?

[Antony Stone]

On Saturday 25 July 2020 at 00:07:23, Antony Stone wrote:

> On Friday 24 July 2020 at 23:08:02, Jason Pitt wrote:
> > We'd like to have a single .htpasswd file shared across multiple
> > machines/servers...is there a way to configure the htaccess file to a
> > shared remote .htpasswd file?
> 
> Apache doesn't install these files - it only reads them.
> 
> How about rsync?

Or NFS?

> Antony.

-- 
This is not a rehearsal.
This is Real Life.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] shared .htpasswd access across multiple servers?

[Antony Stone]

On Friday 24 July 2020 at 23:08:02, Jason Pitt wrote:

> We'd like to have a single .htpasswd file shared across multiple
> machines/servers...is there a way to configure the htaccess file to a shared
> remote .htpasswd file?

Apache doesn't install these files - it only reads them.

How about rsync?


Antony.

-- 
Just when you think you're done, a cat floats by with buttered toast strapped 
to its back.

 - Steve Krug, "Don't make me think"

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Disabling access for git to specific Directory with Apache Basic Authentication

[Antony Stone]

On Thursday 23 July 2020 at 22:13:38, qv...@gmx.de wrote:

> I have git setup with my Apache2 server and it serves git request just
> fine. Now I want to setup Basic Authentication for this, so not
> everybody can use every directory. My goal is that only the ADMIN group
> has access to the complete `/var/www/html/git` directory and my GITGROUP
> can access *only* `/var/www/html/git/subdir` directories. However, while
> Apache is asking for credentials, with the setup (below) GITGROUP is
> still allowed to access *all* git directories. What am I doing wrong?

Maybe you could post the following in a more readable format so we have a 
better idea of how to help?

> |SetEnv GIT_PROJECT_ROOT /var/www/html/git SetEnv GIT_HTTP_EXPORT_ALL 
> ScriptAlias /git/ /usr/lib/git-core/git-http-backend/  /usr/lib/git-core> Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
> AuthType Basic AuthName "Authentication Required" AuthUserFile
> "/etc/apache2/.htpasswd" AuthGroupFile "/etc/apache2/groups" Require
> group ADMIN GITGROUP Order allow,deny Allow from all 
>  AuthType Basic AuthName "Authentication
> Required" AuthUserFile "/etc/apache2/.htpasswd" AuthGroupFile
> "/etc/apache2/groups" Require group ADMIN Options -Indexes Order
> allow,deny Allow from all   /var/www/html/git/subdir> AuthType Basic AuthName "Authentication
> Required" AuthUserFile "/etc/apache2/.htpasswd" AuthGroupFile
> "/etc/apache2/groups" Require group ADMIN GITGROUP Options -Indexes
> Order allow,deny Allow from all |

Antony.

-- 
"640 kilobytes (of RAM) should be enough for anybody."

 - Bill Gates

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] client removal of .htaccess file

[Antony Stone]

On Sunday 19 July 2020 at 13:48:22, Joel wrote:

> Just to clarify, the remote "client" is the owner of the URL and has full
> access for purposes of uploading the html, css, etc. files to the server,
> as well as .htaccess files.  At least one website states this can be done
> from the command line, but I'm not certain that's correct.  See
> http://www.activewebhosting.com/faq/cgi-htaccess-change.html

a) Is Active Web Hosting the provider you are dealing with?

b) Have you tried following the instructions on that page to delete the file?

> Does the .htaccess file physically remain in the directory where it was
> initially loaded?  Or, does the server remove, transfer, or otherwise
> dispose of the file?

Apache does not, but I think your question is best directed at your hosting 
provider.


Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."


   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Failure to start apache2 after SSL cert update.

[Antony Stone]

On Friday 10 July 2020 at 23:54:05, Jack M. Nilles wrote:

> I recently updated two virtual servers with new SSL certificates, restarted
> apache and got a failure to load.
> 
> Here is a diagnostic:

Never mind what systemd tells you - what's in your apache log files?

Also, have you checked the ownership & permissions of the new certificates and 
keys are the same as the old ones?


Antony.

-- 
There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache virtual hosts listening on specific IPv6 addresses

[Antony Stone]

On Sunday 28 June 2020 at 17:44:48, David Mehler wrote:

> Hello,
> 
> Yes netstat does show that the sockets are listening on the correct
> addresses.
> 
> As for wireshark/tshark can you give me a quick howto to get you the
> answer to your question? I've never used it.

tshark -i eth0 -f "port 443 and host :bbb:cc:::"

Change "eth0" if that's not your external interface name, and just put in one 
of your IPv6 addresses as indicated.


Antony.

-- 
How many Prolog programmers does it take to change a lightbulb?
No.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache virtual hosts listening on specific IPv6 addresses

[Antony Stone]

On Sunday 28 June 2020 at 17:17:22, David Mehler wrote:

> Hello,
> 
> Thanks, I have done that. Everything looks good they're just not
> responding to an external IPv6 check.

Does netstat -lptn tell you the sockets are listening on those addresses?

What does wireshark/tshark tell you happens when a request comes in to one of 
the addresses?


Antony.

-- 
Don't procrastinate - put it off until tomorrow.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] testing..

[Antony Stone]

On Thursday 25 June 2020 at 23:31:17, bruce wrote:

> test -- hello!

Hello yourself.

Antony.

-- 
In Heaven, the beer is Belgian, the chefs are Italian, the supermarkets are 
British, the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the beer is American, the chefs are British, the supermarkets are 
German, the mechanics are French, the lovers are Swiss, the entertainment is 
Belgian, and everything is organised by the Italians.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] how to obtain all directives values command line

[Antony Stone]

On Wednesday 20 May 2020 at 14:48:24, Nacho . wrote:

> I would like to know if there is any way to obtain all directive values
> without reading config files, by linux command line.

Sorry, please can you express in more detail what you are trying to achieve?

Antony.

-- 
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list

[Antony Stone]

On Friday 08 May 2020 at 15:00:07, Marc Haber wrote:

> On Fri, May 08, 2020 at 02:01:03PM +0200, Antony Stone wrote:
> > On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> > > I have a vhost in a https-only IPv6-only setup and would like to make
> > > the web site hosted there reachable from the IPv4 Internet.
> > 
> > Is the vhost capable of dealing with IPv4 queries if you can only manage
> > to get them to the machine?
> 
> Yes, but I'd prefer having the setup IPv6 only. I only build IPv4 if
> absolutely necessary.

To be honest I would have thought that "talking to a very large part of the 
current Internet" is reasonably necessary :)

Dual-stack I can quite understand, but attempting IPv6-only seems a bit too 
far ahead of the game for my liking.

> I'd rather take the approach of having a dedicated apache listener for
> the proxied requests than building more IPv4.

Okay, I just thought I'd offer an alternative possible solution.


Regards,


Antony.

-- 
Ramdisk is not an installation procedure.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list

[Antony Stone]

On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:

> Hi,
> 
> I have a vhost in a https-only IPv6-only setup and would like to make
> the web site hosted there reachable from the IPv4 Internet.

Is the vhost capable of dealing with IPv4 queries if you can only manage to 
get them to the machine?

> On a dual-homed host, I have sniproxy that forwards requests coming in via
> IPv4 over IPv6 depending on the SNI header. The web server is directly
> reachable from the IPv6 Internet without proxy.

How about a completely different approach - set up a VPN connection between 
your dual-homed host and the IPv6-only web server, to tunnel IPv4 requests and 
responses over an IPv6 link?

Then you publish the real IPv6 address of the server as your DNS  address, 
and the IPv4 address of the dual-homed host as the A address.  The dual-homed 
host tunnels all requests (source and destination still both IPv4) to the 
vhost, and it routes all IPv4 traffic back across the VPN.

No need for HTTPS interception etc.; you're just tunneling all requests 
directly to the machine which has the certificate on it.


Antony.

-- 
How many Prolog programmers does it take to change a lightbulb?
No.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: Custom Error Pages

[Antony Stone]

On Saturday 18 April 2020 at 17:05:22, Praveen Kumar K S wrote:

> Hello,
> 
> Any help would be appreciated. If any of you had done this before or
> published on blogs or somewhere, please suggest your inputs.

Well, first of all, does your web server successfully serve CGI scripts when 
they are found at a standard URL, rather than being an ErrorDocument 
reference?

Antony.

> On Thu, 16 Apr, 2020, 14:29 Praveen Kumar K S wrote:
> > Hello,
> > 
> > Thanks for your response. I had gone through errordocument.
> > 
> > I would like to rephrase my question. I'm looking for help on how to
> > dynamically handle error pages. I wrote a small cgi script.
> > 
> > Below is error config.
> > ErrorDocument 404 "/cgi-bin/customerror.cgi"
> > 
> > But httpd is printing the content of /cgi-bin/customerror.cgi incase of
> > 404 and not executing it.

-- 
I conclude that there are two ways of constructing a software design: One way 
is to make it so simple that there are _obviously_ no deficiencies, and the 
other way is to make it so complicated that there are no _obvious_ 
deficiencies.

 - C A R Hoare

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org