Re: [users@httpd] Issues with files accessed over NFS

2022-06-30 Thread Bender, Charles 
check the mount options for the NFS mount on apache server as well as the 
underlying file system on the NFS server. unless needed, set to noatime and 
nodiratime

From: Chris Woelkers - NOAA Federal 
Sent: Thursday, June 30, 2022 3:07:01 PM
To: users@httpd.apache.org 
Subject: [users@httpd] Issues with files accessed over NFS

Although I realize that this question is more about NFS than Apache it still 
concerns my web server so here goes. This is at work so a bit of history first, 
sorry for the novel length email in advance.

The set up I have was already in existence when I started my current position. 
The web server, running Apache on top of Debian 8, was directly connected to a 
storage server, also on Debian 8, via a dedicated 10Gbps network link. The 
storage was accessed via NFS mounts, different mounts for different areas in 
order to section them off within the website with aliases. Not all of the 
website  was stored on the server, just the ones that used the most disk space.
Of course this was three years ago and Debian 8 went EOL. Before that occurred 
it was my job to upgrade the servers to a later version of Debian. In order to 
keep the distribution upgrades as far apart as possible I went with Debian 11, 
upgrading on a path from 9 to 10 to 11. During the upgrade all services were 
checked out for basic functionality and no problems were seen.
Not long after the upgrade an interesting problem was apparent. Files accessed 
over NFS were not downloading properly. The download would start but then stop 
anywhere from 30% to 60%. These files were not large with the smallest ones 
being just over 1MB. Any file stored on the web server itself downloaded just 
fine, no matter the size. I checked just about everything on that connection 
from the cable, which was only 1 foot in length so I got a longer one, to the 
NFS mount options. Changes were made but they did not seem to make a difference 
and all file transfer tests done within the OS itself worked fine with files up 
to 100MB tested.
The only thing I did not check until recently was the NFS version. The mounts 
were automatically using NFSv4 which I considered, at this point in its 
development, to be stable. However when I switched to NFSv3 the problem went 
away. So after all that I seemed to have "solved" it by dropping back to an 
older version of NFS.

So the questions I have for the community are: Has anyone seen a similar issue 
and solved it? If so did you find another solution other than reverting to 
NFSv3?

Thanks,

Chris Woelkers

Re: [users@httpd] Re: Multi-domain with SSL - Virtualhost all need IPs?

2022-05-20 Thread Bender, Charles 
Your virtual host is defined wrong. Use the names not IP addresses

http://1.1.1.13:443/>>
Servername 
example2.com
SSLEngine on
SSLCertificateFile /etc/http/certs/example2.crt
...


From: frank picabia 
Sent: Friday, May 20, 2022 12:55 PM
To: users@httpd.apache.org 
Subject: Re: [users@httpd] Re: Multi-domain with SSL - Virtualhost all need IPs?

I'm trying hard to get the lay of the land logic here, and it isn't happening.  
I'm bouncing between what I read here,
and what apache actually does, and it doesn't add up.

In my case we tried to introduce a new domain, let's call it 
example2.com
It will have a different set of cert files.  I let it have an IP which nothing 
else shares.
I'm keenly aware of this IP as I've set it up in DNS as well.

http://1.1.1.13:443>>
Servername 
example2.com
SSLEngine on
SSLCertificateFile /etc/http/certs/example2.crt
...


Every other vhost had a different servername, and they used the
cert for 
example1.com
 .  They also had *:443
Only for 
example1.com
 do we have multiple aliases on the same IP.

When visiting the 
example2.com
 site, the web site shows apache has served a certificate for 
example1.com

I had believed this was because we had used *:443 rather than explicitly show 
the IP
for all our vhosts.  It seemed the early conversation on SSL/TLS was matching a 
random
vhost via this use of *:443 and that's how it got the cert for 
example1.com
Since before this point all vhosts were on 
example1.com
 the wildcard cert it
found was always working while we had *:443 in use.

What can we say about how multi-domain SSL works that we can rely on?
I can find a dozen pages on google search from people who get the wrong
certificate and they never get an answer.  Some good hard rules on what
is required would probably help a lot of people over the years.



On Fri, May 20, 2022 at 11:59 AM Frank Gingras 
mailto:thu...@apache.org>> wrote:
As mentioned, name-based vhosts will work with SNI and *:443 provided that you 
have the correct certificate assigned to each vhost.

In rare cases, you can use IP:443 vhosts if you want specific handling based on 
the IP used to handle the request, such as https://IP1/ or https://IP2/. 
However, it is rarely needed by most servers.

For now, you can use *:443, and run apachectl -S to make sure there is no 
overlap before restarting httpd.

On Fri, 20 May 2022 at 07:04, frank picabia 
mailto:fpica...@gmail.com>> wrote:

Sorry, that should not have said "top level domains".  I meant domains.  Like 
example.com, 
example.net.


On Fri, May 20, 2022 at 7:05 AM frank picabia 
mailto:fpica...@gmail.com>> wrote:

It looks like there are two requirements for multiple top level domains with SSL
on the same apache.

1. IP values must be used inside VirtualHost, not *:443
2. All IP values must be unique, even on the same top level domain

Is the above conjecture true?

We have many setup like this example...


   ServerName

RE: [users@httpd] Re: Graceful shutoff of Apache without it being a service.

2021-05-06 Thread Bender, Charles 
httpd.exe -k graceful

will reload config without stopping Apache or dropping connections

From: Talin Sharma 
Sent: Thursday, May 06, 2021 6:10 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Re: Graceful shutoff of Apache without it being a 
service.

These commands only work if apache is running as a service. I don't want this 
because apache would be running on my personal computer and I won't always be 
using it. Is this possible?

What I want to do is make a c# script that turns apache on and off. I was able 
to turn it on but I cannot figure out how to turn it off.

Thanks!

On Thu, May 6, 2021 at 5:22 PM  Good Guy  
mailto:xfs...@hotmail.com>> wrote:
On 06/05/2021 19:50, Talin Sharma wrote:
> Look at the subject. How do I do this?
>
> I am on windows 10.
>
> Thanks!


httpd -k stop

or

httpd -k shutdown

If you need general help about httpd then just type:

httpd -h

This will give you all the essential commands to control apache.

Good luck.


--

With over 1.3 billion devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.



-
To unsubscribe, e-mail: 
users-unsubscr...@httpd.apache.org
For additional commands, e-mail: 
users-h...@httpd.apache.org

Re: [users@httpd] Running php 7.0 and 7.2 for different websites with apache

2021-04-08 Thread Bender, Charles 
You're making this very difficult for yourself by having 2 different versions 
of PHP installed on 1 server box. Even if you get working maintaining will be 
challenging.

Suggestion- run PHP and PHP-FPM in separate Docker containers on same server, 
each with specific version of PHP you need. Then have Apache proxy to these 
containers as required

From: H 
Sent: Thursday, April 8, 2021 9:26 PM
To: users@httpd.apache.org 
Subject: Re: [users@httpd] Running php 7.0 and 7.2 for different websites with 
apache

On 04/08/2021 08:57 PM, Daniel Ferradal wrote:
> There is no such thing as default php version for a site.
>
> You have to make sure you have really two different instances of
> php-fpm running for the different php versions you want to use.
>
> Chances are you have the same php-fpm service with two pools, so both
> may be with the same version.
>
> Apache doesn't care what you do from now on, since it is just reverse
> proxying requests to the selected servers. So it is up to you and your
> php-fpm config and how you start them now.
>
> El vie, 9 abr 2021 a las 1:55, H () escribió:
>> On 04/08/2021 07:34 PM, H wrote:
>>> On 04/08/2021 06:05 PM, Daniel Ferradal wrote:
 Hello,

 What you must remove is all scriptalias, addhandler/action directives.
 So I'd say with a directive for each virtualhost you mentioned you
 have you just would need (and of course disable mod_php module):

 In one for one version pointing to 9002 port:
 
 SetHandler  "proxy:fcgi://localhost:9002"
 

 In the other virtualhost you  want to have pointing to 9003:
 
 SetHandler  "proxy:fcgi://localhost:9003"
 

 Apache is really much more simple and easier than many examples out
 there try to show.

 El jue, 8 abr 2021 a las 23:54, H () escribió:
> On 04/08/2021 05:06 PM, Daniel Ferradal wrote:
>> Hello,
>>
>> You mention PHP is set to listen to different tcp ports, yet the
>> config you show from apache points to a unix socket with
>> mod_proxy_fcgi
>>
>> Also worth mentioning you don't need php7_module at all when pointing
>> to FPM with mod_proxy_fcgi, so I would just unload that module asap in
>> case you have some other config lying around taking precedence and
>> causing the problems you mention.
>>
>> Cheers
>>
>> El jue, 8 abr 2021 a las 22:40, H () escribió:
>>> Using CentOS 7 and need to run two different versions of php for the 
>>> websites, php 7.0 and 7.2. The set up is x.x.x.x/site1 and 
>>> x.x.x.x/site2 and I am using php-fm for both php versions configuring 
>>> port 9002 for php 7.0 and 9003 for php 7.2.
>>>
>>> I have a conf file for each site (this is site 1 which is supposed to 
>>> run php 7.0) and called site1.conf, similar to:
>>>
>>> 
>>> ServerAdmin xxx
>>> ServerName x.x.x.x/site1
>>> DocumentRoot /var/www/html/
>>> DirectoryIndex info.php
>>> ErrorLog /var/log/httpd/site1-error.log
>>> CustomLog /var/log/httpd/site1-access.log combined
>>>
>>> 
>>> 
>>> SetHandler 
>>> "proxy:unix:/var/opt/rh/rh-php70/run/php-fpm/www.sock|fcgi://localhost"
>>> 
>>> 
>>> 
>>>
>>> The other site is identical and supposed to run php 7.2 so the file 
>>> obviously uses site2 instead of site1 and php72 instead of php70.
>>>
>>> I have installed both php versions and can successfully switch between 
>>> them on the commandline but have run into problem getting apache to use 
>>> both. I consulted 
>>> https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.digitalocean.com%2fcommunity%2ftutorials%2fhow-to-run-multiple-php-versions-on-one-server-using-apache-and-php-fpm-on-centos-7=E,1,nGU2QIv_y4smfnrUNnx9CDP8bkt1CgBCY00J7ykv7wIqnjBmryO1KuEik3Og-vkjZWpESUYdCo9JVJ3o77e7nOazFVuJCoH57Wvd5gM1XdQ,=1
>>>  but apachectl configtest complains that "module php7_module is already 
>>> loaded, skipping". I can successfully get the websites to use the same 
>>> php version, either 7.0 or 7.2.
>>>
>>> I must have missed some configuration step and would appreciate any 
>>> pointers.
>>>
>>> Thank you.
>>>
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>
> Thank you for your quick reply. I am sort of dabbling with apache and am 
> not 100% sure what I need to change but would the following change to the 
> above conf file be what you are telling me?
>
>  SetHandler "proxy:fcgi://localhost:9002
>  ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
>  AddHandler php70-fcgi .php
>  Action php70-fcgi

Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Bender, Charles 
Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

Can you help me? 






On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino 
 wrote: 





Concentrate on just one...

On Mon, Jan 11, 2021 at 7:02 PM Jason Long  
wrote:
> It is a lot of IP addresses !!!
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino 
 wrote: 
> 
> 
> 
> 
> 
> How to find pattern:
> Look at log.
> Find bad things that are similar.
> 
> Then:
> Block bad things from reaching web server.
> 
> On Mon, Jan 11, 2021 at 6:49 PM Jason Long  
wrote:
>> How to find pattern?
>> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
>> 
>> 
>> 
>> 
>> 
>> 
>> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali 
 wrote: 
>> 
>> 
>> 
>> 
>> 
>> Yeah it's probably not going to matter if you don't know what's 
attacking you before setting up the rules, you need to find the patterns, 
either the attack target or the attackers origins. 
>> 
>> On Mon, Jan 11, 2021 at 8:26 PM Jason Long  
wrote:
>>> I used a rule like:
>>> 
>>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port 
port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" 
level="warning" limit value="100/s"'
>>> 
>>> But not matter.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali 
 wrote: 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> You need to investigate your logs and find common patterns there, also 
there are different tools to handle small and big workloads like you could use 
iptables/nftables to block based on patterns and number of requests. 
>>> 
>>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long 
 wrote:
 Hello,
 On a CentOS web server with Apache, someone make a lot of request and 
it make slowing server. when I disable "httpd" service then problem solve. How 
can I find who made a lot of request?
 [url]https://imgur.com/O33g3ql[/url]
 Any idea to solve it?
 
 
 Thank you.
 
 -
 To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
 For additional commands, e-mail: users-h...@httpd.apache.org
 
 
>>> 
>>> 
>>> -- 
>>> [ ]'s
>>> 
>>> Filipe Cifali Stangler
>>> 
>>> 
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>> 
>>> 
>> 
>> 
>> -- 
>> [ ]'s
>> 
>> Filipe Cifali Stangler
>> 
>> 
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>> 
>> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
> 


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] 404 error - locationmatch and proxypassmatch with parentheses in URL

2019-12-09 Thread Bender, Charles 
Hi,


We have observed the following error. If a URL contains parentheses, and is 
matched by LocationMatch that sends to ProxyPassMatch, the backend doesn't 
receive request and Apache returns 404 error.



   ProxyPassMatch "https://1.2.3.4:443;



This URL should work, but doesn't- http://example.com/path/to/url(2)


If the parentheses are in the query string it works as expected.


Is there a different regex needed to match parentheses in URL?