RE: [users@httpd] specification of .htaccess [EXT]

2022-10-26 Thread James Smith
If you have that many, look at RewriteMap
https://httpd.apache.org/docs/current/rewrite/rewritemap.html
From: Frank Gingras 
Sent: 26 October 2022 02:42
To: users@httpd.apache.org
Subject: Re: [users@httpd] specification of .htaccess [EXT]

This is an extremely bad idea. Do you have access to your config files / the 
root user? If so, edit your vhost, and place your redirects in there instead.

Such a large .htaccess file will perform very poorly.

Further, avoid using mod_rewrite to redirect unless you have no choice.

On Tue, 25 Oct 2022 at 20:07, Yuji_myst wrote:

hello



Please tell me the specification of .htaccess.

Place .htaccess in the root directory of the website and set the redirect.

We are considering setting more than 2000 redirects.

Is there a limit on the number of redirect settings or .htaccess file size?



I read the .htaccess documentation, but couldn't find any mention of 
restrictions.



Best Regards,

Yuji





-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.
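An added configuration example (not from the thread) of the RewriteMap approach James points to: the 2000 redirects live in one map file read by the vhost, not in .htaccess. Hostnames, the map path and the sample entries are placeholders.

```apache
# /etc/apache2/maps/legacy-redirects.txt (constructed sample):
# key = request path, value = target; one pair per line, '#' starts a comment.
#   /old/about.html        /about
#   /products/42           /catalogue/42
#   /promo/winter-2019     https://www.example.org/promo/archive

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /srv/www/example
    # ... SSL directives ...

    RewriteEngine On

    # RewriteMap is only allowed in server/vhost context, never in .htaccess,
    # which by itself forces the redirect list into the config where it belongs.
    # A txt: map is re-read when the file changes; for thousands of entries
    # convert it (httxt2dbm -i legacy-redirects.txt -o legacy-redirects.map)
    # and use "dbm:/etc/apache2/maps/legacy-redirects.map" for hashed lookups.
    RewriteMap legacy "txt:/etc/apache2/maps/legacy-redirects.txt"

    # Look the request path up; "|NOT_FOUND" is the value returned on a miss.
    # Keys are matched exactly (case-sensitive) and only paths present in the
    # map are ever redirected, so request data cannot steer the redirect target
    # the way a loosely written regex RewriteRule can (no open-redirect surface).
    RewriteCond "${legacy:%{REQUEST_URI}|NOT_FOUND}" "!=NOT_FOUND"
    RewriteRule "^" "${legacy:%{REQUEST_URI}}" [R=301,L]
</VirtualHost>
```

Run `apachectl configtest` after editing the vhost; a map file change alone needs no reload for the txt: form.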

RE: [users@httpd] site compromised and httpd log analysis [EXT]

2022-07-06 Thread James Smith
Never had these issues at all if you set up vhosts correctly.

But agree we tend to have 2 vhosts for the domain

 * vhost 1 is the real vhost and handles requests
 * vhost 2 contains all the redirects from other domain names to the canonical one

The only ServerAlias lines in vhost 1 are for development URLs which are run on 
different servers

But we also don't expose our wordpress - but use a mirroring script to serve 
the site as predominantly static {takes careful design to do this!}


-Original Message-
From: Paul Kudla (SCOM.CA Internet Services Inc.)  
Sent: 06 July 2022 11:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] site compromised and httpd log analysis [EXT]


ok may or may not be related but i found i had to lock php, wordpress etc down 
heavily in apache

especially if you are using vhosts

i found one authorized site could talk to another without making things more 
strict

yes it's a pain to have one vhost per site but it's the only way to fully isolate 
one from the other

if someone executes stuff it stays within their working directory

example (shows http alias etc - note the directory directives - i use a 
database --> script generator so it's not too inconvenient.) :

[the angle-bracket container directives (VirtualHost, Directory) were stripped by the list archive; only the directives inside them survive]

ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
Redirect permanent / https://bedrockconstruction.ca/

ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
DocumentRoot /www/bedrockconstruction.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain

SuexecUserGroup www www

Order Deny,Allow
Deny from All

php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp

AllowOverride All
php_value session.save_path "/www/bedrockconstruction.ca/"














Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 

004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 7/5/2022 9:52 PM, KK CHN wrote:
> https://pastebin.com/YspPiWif
>
> 
> One of the websites hosted by a customer on our Cloud infrastructure 
> was compromised, and the attackers were able to replace the home page 
> with their banner html page.
> 
> The log file output I have pasted above.
> 
> The site compromised was PHP 7 with MySQL.
> 
> From the above log, can someone point out what exactly happened and how 
> they were able to deface the home page?
> 
> How can these attacks be prevented? What is the root cause of this 
> vulnerability, and how did the attackers get access?
> 
> If any other logs or command line outputs are required to trace this back, 
> kindly let me know what other details I have to produce.
> 
> Kindly share your expertise in dealing with these kinds of attacks, 
> tracing the root cause, and prevention measures to block this.
> 
> Regards,
> Krish
> 
> 

RE: [users@httpd] NameVirtualHost fails [EXT]

2022-07-06 Thread James Smith
Let's Encrypt is reliable from our point of view - never had an issue with it - 
we occasionally have issues when renewing certs - we have about 90 of them - 
but that is mainly with the "fake-manual" process of updating DNS which is not 
100% reliable with the changes we make.

In use speed should be no different from any other cert - as long as you have 
the appropriate intermediates and your browser has the right root certs.

You can also create a cert with multiple SANs so you may only need one cert 
anyway.







RE: [users@httpd] Upgrade from non_ssl to ssl possible? [EXT]

2021-11-20 Thread James Smith
If touching the configuration of the system is proving difficult – there is 
always an option to run a further apache on another machine which handles the 
SSL, and passes the requests back over plain HTTP; in fact this is the way most 
of the Apache servers we have are set up – it may be Apache, nginx or another 
traffic manager sitting in front of the backend apaches.

From: Tobias Müller 
Sent: 17 November 2021 06:31
To: users@httpd.apache.org
Subject: [users@httpd] Upgrade from non_ssl to ssl possible? [EXT]

Hi all,

I took over an old Win-Server 2008R2 system with an httpd 2.2.25 win32 non_ssl.
I know it's outdated. But before we can switch to a new system we need to have 
https on the current machine.
Is there any way to upgrade the system without losing all its configuration?
A fresh installation is not possible because of other outdated dependencies I 
could not reinstall.

best regards

Tobias




RE: [users@httpd] SSL VHosts [EXT]

2021-09-01 Thread James Smith


> I'd suggest to keep the HTTP vhost for pure redirects and additionally set 
> the Strict-Transport-Security header on HTTPS requests. With the header, most 
> browsers will cache the information that HTTPS is enabled for your site and 
> even enforce it for the time you set in the header.

If all your domain and its subdomains are HTTPS - you could look at using 
preload on the HSTS header...

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

and then submit the domain to https://hstspreload.org/

Most of the mainstream browsers will know not to send HTTP requests - and 
instead send HTTPS requests. This works better than the redirect as with the 
redirect the payload has already been sent unencrypted before being resent, 
and also POST data is in the redirect.


James
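An added configuration example (not from the thread) that puts together the two-vhost layout James describes in the "site compromised" thread above (one real vhost, one vhost that only redirects other names to the canonical one) with the HSTS header from this thread, sent only on the HTTPS vhost. Hostnames and certificate paths are placeholders.

```apache
# vhost 1: the real site. HTTPS only; the only ServerAlias entries belong here
# would be development hostnames that resolve to other machines (none shown).
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /srv/www/example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/privkey.pem

    # HSTS only means something on an HTTPS response (browsers ignore it over
    # HTTP), so it is set here and nowhere else. "always" adds it to error
    # responses too. Two years + includeSubDomains + preload is the exact form
    # hstspreload.org requires; add "preload" only once every subdomain (mail,
    # dev, staging ...) really serves HTTPS, because the preload list is baked
    # into browsers and removal takes months.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>

# vhost 2: collects every other name and sends it to the canonical one.
# Plain HTTP for all names, plus HTTPS for the aliases, which one certificate
# with several SANs covers (James's point in the Let's Encrypt thread).
<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias example.org old-brand.example.net
    # mod_alias Redirect, not mod_rewrite, for a plain redirect (Frank's advice).
    # As James says above, a request reaching this vhost, POST body included,
    # has already crossed the wire unencrypted; HSTS on vhost 1 is what keeps
    # returning visitors off this path, and preload covers first visits.
    Redirect permanent "/" "https://www.example.org/"
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
    ServerAlias old-brand.example.net
    SSLEngine on
    # certificate SANs: example.org, old-brand.example.net
    SSLCertificateFile    /etc/ssl/example/aliases-fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/aliases-privkey.pem
    Redirect permanent "/" "https://www.example.org/"
</VirtualHost>
```

Check with `curl -sI https://www.example.org/ | grep -i strict-transport` (header present) and `curl -sI http://old-brand.example.net/` (a 301 to the canonical name and no HSTS header).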




RE: [users@httpd] query regarding httpd server [EXT]

2021-07-16 Thread James Smith
You can add:

Header always set X-XSS-Protection "1; mode=block"

which will help – but the rest you need to look at the way you code your pages.

Then you can look at
(1) defensive code
(2) Content-Security-Policy header
(3) Specific rules in Apache to mitigate attacks

Remembering that XSS is often a vector for other attacks.

From: Thejas Hl 
Sent: 16 July 2021 06:31
To: users@httpd.apache.org
Subject: [users@httpd] query regarding httpd server [EXT]

Hello team,
Are XSS attacks taken care of internally by the Apache httpd server? If yes, 
kindly share the steps to activate protection against such attacks.

Thanks and regards
tej
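An added configuration example (not from the thread) of the header-based part of James's answer, with the Content-Security-Policy first deployed in report-only mode: that is how to learn what a policy such as `default-src 'self'` would block before it breaks a site's styling, the problem raised in the CSP thread later in this digest. The hostname and report path are placeholders.

```apache
<VirtualHost *:443>
    ServerName www.example.org
    # ... SSL, DocumentRoot ...

    # The legacy XSS-auditor switch James mentions. Current Chrome, Edge and
    # Firefox ignore it; it is harmless for old clients, but CSP does the work.
    Header always set X-XSS-Protection "1; mode=block"

    # Cheap hardening headers that almost never break a site
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

    # Step 1: observe. Report-Only blocks nothing; every violation shows up in
    # the browser's developer console and is POSTed as JSON to report-uri.
    # "default-src 'self'" on its own forbids inline <style>/<script>, data:
    # images and anything from a CDN, which is why a bare policy "messes up"
    # a site's styling. Start from what the reports say the pages really load.
    Header always set Content-Security-Policy-Report-Only \
        "default-src 'self'; \
         img-src 'self' data:; \
         style-src 'self' 'unsafe-inline'; \
         font-src 'self' https://fonts.gstatic.com; \
         frame-ancestors 'self'; \
         report-uri /csp-report"

    # Step 2: once the reports are quiet, enforce the same policy by changing
    # the header name, then tighten 'unsafe-inline' to nonces or hashes where
    # the templates allow it.
    # Header always set Content-Security-Policy "default-src 'self'; ..."
</VirtualHost>
```

Whatever receives POSTs at /csp-report should rate-limit and size-limit them: the endpoint is reachable by anyone and the JSON is attacker-controllable.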





RE: [users@httpd] Improve memory use [EXT]

2021-06-14 Thread James Smith
Yes, the answer is almost certainly to do with the number of domains / size of 
code – even if all the sites are running the same code, they are likely to 
have different copies of it (unless they are all running the exact same copy of 
the code and using a name-based switch somewhere in it). There may be better 
ways of handling this – having 800 PHP children is not ideal – look at ways of 
using static servers if you can, e.g.

  *   you may be able to sit another apache in front of this one to handle the 
static requests {using the event mpm} and use this one to serve PHP code;
  *   or move this to the mpm event model and use one of the fcgi wrappers for PHP 
{mileage may vary on this if you have a large number of PHP code bases};

From: Marc Serra 
Sent: 14 June 2021 10:08
To: users@httpd.apache.org
Subject: [users@httpd] Improve memory use [EXT]

Hi again,

I got an old Ubuntu server 16.04 with apache 2.4.18 serving 140 different 
domains.

The server has 8 vCPUs and 16GB of memory. It's a virtual server hosted in 
Digital Ocean.

As you can see above, the average memory use per apache process is 93MB.

It's possible to improve that? If not, why is so much memory used? In other 
servers with similar configurations but with fewer hosted domains and low 
resources (see at the bottom of this email), the memory usage is much lower. Is 
it due precisely to the number of domains hosted? If not, what?

Sorry to insist on the memory used by each apache process, but I need to 
improve it (if it's possible).

# ls /etc/apache2/sites-enabled/|grep -v ssl |wc
140

# cat /etc/issue
Ubuntu 16.04.6 LTS

# apache2 -V
Server version: Apache/2.4.18 (Ubuntu)
Server built:   2019-10-08T13:31:25
Server's Module Magic Number: 20120211:52
Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture:   64-bit
Server MPM: prefork
  threaded: no
forked: yes (variable process count)
Server compiled with
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

# apache2 -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

Relevant part of /etc/apache2/apache2.conf ...

ServerLimit             800
StartServers            10
MinSpareServers         200
MaxSpareServers         400
MaxRequestWorkers       800
MaxConnectionsPerChild  1


# free -m
              total        used        free      shared  buff/cache   available
Mem:          16046        7198         496         232        8351        8187
Swap:          4095         243        3852

# ps aux | grep apache
root      1204  0.0  0.2 431016  47312 ?  Ss   May04   7:43 /usr/sbin/apache2 -k start
www-data  4778  0.0  0.4 531744  77132 ?  S    09:00   0:03 /usr/sbin/apache2 -k start
www-data 11661  0.1  0.3 518652  57868 ?  S    10:00   0:03 /usr/sbin/apache2 -k start
www-data 13839  0.0  0.2 443036  45928 ?  S    10:12   0:01 /usr/sbin/apache2 -k start
www-data 14763  0.1  0.2 443004  40676 ?  S    10:18   0:02 /usr/sbin/apache2 -k start
www-data 26848  0.0  0.4 533496  81960 ?  S    06:35   0:11 /usr/sbin/apache2 -k start
www-data 26849  0.0  0.5 537956  96632 ?  S    06:35   0:14 /usr/sbin/apache2 -k start
www-data 26850  0.0  0.5 528608  87912 ?  S    06:35   0:09 /usr/sbin/apache2 -k start
www-data 26851  0.0  0.4 519652  79560 ?  S    06:35   0:10 /usr/sbin/apache2 -k start
www-data 26852  0.1  0.6 545400 103880 ?  S    06:35   0:19 /usr/sbin/apache2 -k start
www-data 26853  0.0  0.5 541456  97776 ?  S    06:35   0:09 /usr/sbin/apache2 -k start
www-data 26854  0.0  0.8 578080 132944 ?  S    06:35   0:10 /usr/sbin/apache2 -k start
www-data 26855  0.0  

RE: [users@httpd] Is NGINX faster than Apache? [EXT]

2021-03-11 Thread James Smith
This is what we saw as well - simple things like disabling .htaccess files can 
make a huge difference in performance (I haven't set up a server with .htaccess 
files enabled for the best part of 20 years now because of the performance hit)

From: Rose, John B 
Sent: 11 March 2021 21:02
To: users@httpd.apache.org; Jason Long 
Subject: Re: [users@httpd] Is NGINX faster than Apache? [EXT]

We did some testing of Apache and nGinx head to head for something a few years 
ago.

We also did a bit of testing of Apache, nGinx, haproxy and lighthttpd a couple 
years ago for something else, and ended up picking Apache after whittling it 
down to Apache and HAProxy.

Apache was as fast as nGinx once we configured it properly. In both instances.



From: Rich Bowen
Sent: Thursday, March 11, 2021 2:57 PM
To: users@httpd.apache.org; Jason Long
Subject: Re: [users@httpd] Is NGINX faster than Apache?



On 3/11/21 12:33 PM, Jason Long wrote:
> Hello,
> Is it true that NGINX is faster than Apache?
>
> https://www.hostingadvice.com/how-to/nginx-vs-apache/
>
> In which environment, Apache must use?


No, it is not true.

However, it is also not false.

It depends on so many factors that it's disingenuous to answer your
question either way. To simplify, it depends on what your content is,
and how you've configured each server, but even that is too simplistic
an answer.

The real answer, as we say on the #httpd IRC channel, is TIAS - Try It
And See. Test them for your content and see which one is best.

It's also a good rule that any time you see an article that says X is
faster/better/stronger than Y, you can rest assured that the person
running it is an expert on X and not on Y, and that an expert on Y (and
not X) could probably configure things such that the reverse was true.

Use the one you're more comfortable with, more experienced with. If you
choose Apache httpd, we'll be here to help you configure it.

--
Rich Bowen - rbo...@rcbowen.com
@rbowen




RE: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread James Smith
Never used ATS to be honest - just use the standard apache web server - looking 
at the ATS I don't think it is as easy to configure {and tbh - I place static 
sites/content on the frontend Apache for faster serving - so it's dual purpose}

The answer was to Q3...

Q1 - we tried mod_security - but out of the box it is too restrictive (it breaks 
wordpress admin) so we don't actually use it

-Original Message-
From: Jason Long  
Sent: 11 March 2021 18:47
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

Thank you.
How about questions number 2 and 3?






On Thursday, March 11, 2021, 09:46:03 PM GMT+3:30, James Smith 
 wrote: 





A forward proxy is what you put between your web browser and the internet 
(often called a proxy by browsers; often this happens on corporate networks) - 
the reverse proxy is between the internet and the webserver

There are some issues with mod_security and e.g. wordpress sites - so you have 
to take care to tune it - we often just use a set of general rules to act as a 
first level of security


-Original Message-
From: Jason Long 
Sent: 11 March 2021 17:28
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

Thank you.
I have other questions:

1- When I have configured a Reverse Proxy and want to use "ModSecurity", do I 
just need to install ModSecurity on the Reverse Proxy server, or must I install 
ModSecurity on both the Front-End and Back-End servers?

2- With ATS (Apache Traffic Server), do I need to install Apache Web Server on 
the Front-End server?

3- Can anyone tell me what the main difference is between a Forward Proxy and a 
Reverse Proxy?







On Thursday, March 11, 2021, 07:14:29 PM GMT+3:30, Antony Stone 
 wrote: 





On Thursday 11 March 2021 at 15:35:17, Jason Long wrote:

> Thank you for all replies.
> How to handle back-end server down? Is it kind of load balancing or CDN?

No.

Whether you have one back-end server or a hundred, you have to allow for the 
fact that under certain circumstances the reverse proxy may not be able to 
contact any of them, and therefore has to return some response to the 
requesting client.


Antony.

--
I think broken pencils are pointless.

                                                  Please reply to the list;
                                                        please *don't* CC me.










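An added configuration example (not the poster's setup) of the tuning James says mod_security needs before it stops breaking WordPress admin: OWASP CRS loaded on the front-end Apache, run in detection mode until the audit log shows what it would block, then enforced with a narrow exclusion for the admin area. Paths, hostname and backend address are placeholders; 941100 and 942100 are the CRS libinjection XSS and SQLi rule ids, to be checked against the audit log for your CRS version.

```apache
<IfModule security2_module>
    # Phase 1: log only. Run like this through a few days of real editor use;
    # wp-admin posts raw HTML and JSON, which the CRS reads as XSS/SQLi.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # The "set of general rules" used as a first level of security
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf
</IfModule>

<VirtualHost *:443>
    ServerName www.example.org
    # ... SSL directives ...
    ProxyPreserveHost On
    ProxyPass        "/" "http://10.0.0.10/"
    ProxyPassReverse "/" "http://10.0.0.10/"

    <IfModule security2_module>
        # Phase 2: enforce on the public side of the site ...
        SecRuleEngine On

        # ... and for the editor UI, which only authenticated users reach,
        # remove just the rules the audit log showed firing on legitimate
        # rich-text saves. Everything else still blocks there; this is the
        # narrow fix, rather than switching the engine off for the whole site.
        <LocationMatch "^/(wp-admin/|wp-login\.php)">
            SecRuleRemoveById 941100 942100
        </LocationMatch>
    </IfModule>
</VirtualHost>
```

Each entry in modsec_audit.log names the rule id and the argument that matched, which is what decides whether an exclusion belongs here or the application input is really bad.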

RE: [users@httpd] Is NGINX faster than Apache? [EXT]

2021-03-11 Thread James Smith
mod_event is comparable to NGINX I believe speed wise - but from experience 
Apache is more stable!

-Original Message-
From: Jason Long  
Sent: 11 March 2021 17:34
To: Users Maillingsliste Apache 
Subject: [users@httpd] Is NGINX faster than Apache? [EXT]

Hello,
Is it true that NGINX is faster than Apache? 

https://www.hostingadvice.com/how-to/nginx-vs-apache/

In which environment, Apache must use?

Thank you.


RE: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread James Smith
A forward proxy is what you put between your web browser and the internet 
(often called a proxy by browsers; often this happens on corporate networks) - 
the reverse proxy is between the internet and the webserver

There are some issues with mod_security and e.g. wordpress sites - so you have 
to take care to tune it - we often just use a set of general rules to act as a 
first level of security


-Original Message-
From: Jason Long  
Sent: 11 March 2021 17:28
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

Thank you.
I have other questions:

1- When I have configured a Reverse Proxy and want to use "ModSecurity", do I 
just need to install ModSecurity on the Reverse Proxy server, or must I install 
ModSecurity on both the Front-End and Back-End servers?

2- With ATS (Apache Traffic Server), do I need to install Apache Web Server on 
the Front-End server?

3- Can anyone tell me what the main difference is between a Forward Proxy and a 
Reverse Proxy?







On Thursday, March 11, 2021, 07:14:29 PM GMT+3:30, Antony Stone 
 wrote: 





On Thursday 11 March 2021 at 15:35:17, Jason Long wrote:

> Thank you for all replies.
> How to handle back-end server down? Is it kind of load balancing or CDN?

No.

Whether you have one back-end server or a hundred, you have to allow for the 
fact that under certain circumstances the reverse proxy may not be able to 
contact any of them, and therefore has to return some response to the 
requesting client.


Antony.

--
I think broken pencils are pointless.

                                                  Please reply to the list;
                                                        please *don't* CC me.



RE: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread James Smith
1> If the server you are proxying to is unavailable - due to a server error or 
reconfiguration - the front end should display a custom error page - rather 
than display the error page generated by the backend server
2> There are other reverse proxies out there - there is the community version 
of the Pulse Secure vADC, and also nginx etc
3> Yes to do the proxying - but it is often easier to put a first level of 
security on the frontend (reduces risk/increases performance) especially if the 
backend server is a heavier dynamic server.
3> And another if you are proxying multiple backend servers then you can put 
the security settings on the frontend - no need to duplicate across all 
servers. You can also add/remove headers on the way in/out.



-Original Message-
From: Jason Long  
Sent: 11 March 2021 12:21
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

Hello,
Can anyone answer to my questions?
1- What does "handle backend server down" mean?
2- Can I launch a Reverse Proxy without Apache Web Server?
3- In general, an Apache Reverse Proxy Server is just some lines to forward the 
requests?







On Wednesday, March 10, 2021, 09:47:03 AM GMT+3:30, Jason Long 
 wrote: 





Thank you so much.
Thus, The Front end and Back end servers are same about the security.
What does "handle backend server down" mean?






On Tuesday, March 9, 2021, 04:30:01 PM GMT+3:30, James Smith 
 wrote: 





Yes - you should harden the front-end as this is what is likely to be 
compromised by general attacking.

Run SSL, run a static server & proxy server,  set security headers, handle 
backend server down, handle http -> https redirects, handle basic auth (you can 
have a general rule for wordpress admin URLs as a 2FA)

Drop certain requests by:
* connection types if you don't want them trace/track/options etc, 
* IP address if you can't get to firewall settings,
* suspicious/malfunctioning useragents,
* particular paths that are general attack vectors, hide URLs that are likely 
to be tmp files (.files,.bak,.swp etc)




-Original Message-
From: Dino Ciuffetti  
Sent: 08 March 2021 22:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

> 
> ProxyPreserveHost On
> ProxyPass / http://Server-IP
> ProxyPassReverse / http://Server-IP
> 
> I have some questions:
> 
> 1- the real work of a proxy server is just that lines?


It's OK if you only have one backend HTTP worker without load balancing and no 
HTTPS.
If you need load balancing (advised!) and HTTPS on the reverse proxy (much 
advised!) you'll need to configure your reverse proxy virtualhosts with mod_ssl 
and mod_proxy_balancer. I also recommend enabling some logging (error_log 
and access_log) on your virtualhost.


> 2- The real configuration of the web server must be done on the 
> another server? Consider below
> figure:
> 
> The Internet --> Reverse Proxy Server --> Apache Web Server
> 
> The SSL configuration and other Apache hardening and configuration 
> must be done on the Apache Web Server and not the Reverse Proxy Server?

Don't know what you mean by "the real configuration". You'll need to configure 
the apache reverse proxy node as a reverse proxy, and the backend HTTP worker 
as a backend HTTP worker.
Please remember that an apache httpd reverse proxy node works at Layer 7 
(Application -> HTTP/HTTPS) and not at Layer 4 (eg TCP). Your HTTP contents (eg 
wordpress, static pages, js, css, etc) must be implemented on your backend 
workers and the reverse proxy will publish those contents to your clients.

BTW HTTPS must be terminated on the reverse proxy. The security hardening must 
be enforced on both nodes. A reverse proxy is generally directly exposed on the 
outside, so it obviously needs more attention.


RE: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-09 Thread James Smith
Yes - you should harden the front-end as this is what is likely to be 
compromised by general attacking.

Run SSL, run a static server & proxy server,  set security headers, handle 
backend server down, handle http -> https redirects, handle basic auth (you can 
have a general rule for wordpress admin URLs as a 2FA)

Drop certain requests by:
 * connection types if you don't want them trace/track/options etc, 
 * IP address if you can't get to firewall settings,
 * suspicious/malfunctioning useragents,
 * particular paths that are general attack vectors, hide URLs that are likely 
to be tmp files (.files,.bak,.swp etc)




-Original Message-
From: Dino Ciuffetti  
Sent: 08 March 2021 22:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

> 
> ProxyPreserveHost On
> ProxyPass / http://Server-IP
> ProxyPassReverse / http://Server-IP
> 
> I have some questions:
> 
> 1- the real work of a proxy server is just that lines?


It's OK if you only have one backend HTTP worker without load balancing and no 
HTTPS.
If you need load balancing (advised!) and HTTPS on the reverse proxy (much 
advised!) you'll need to configure your reverse proxy virtualhosts with mod_ssl 
and mod_proxy_balancer. I also recommend enabling some logging (error_log 
and access_log) on your virtualhost.


> 2- The real configuration of the web server must be done on the 
> another server? Consider below
> figure:
> 
> The Internet --> Reverse Proxy Server --> Apache Web Server
> 
> The SSL configuration and other Apache hardening and configuration 
> must be done on the Apache Web Server and not the Reverse Proxy Server?

Don't know what you mean for "the real configuration". You'll need to configure 
the apache reverse proxy node as a reverse proxy, and the backend HTTP worker 
as a backend HTTP worker.
Please remember that a apache httpd reverse proxy node works at Layer 7 
(Application -> HTTP/HTTPS) and not a Layer 4 (eg TCP). Your HTTP contents (eg 
wordpress, static pages, js, css, etc) must be implemented on your backend 
workers and the reverse proxy will publish those contents to your clients.

BTW HTTPS must be terminated on the reverse proxy. The security hardening must 
be enforced on both nodes. The reverse proxy is generally directly exposed on the 
outside, so it obviously needs more attention.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.

RE: [users@httpd] Which parameters must be set to solve these Vulnerabilities? [EXT]

2021-02-08 Thread James Smith
Without knowing what your website is we can’t really see what is wrong. Have 
you used chrome (or whatever browser you are using) developer’s tools to see 
what is blocked by your content security policy (CSP)?

From: Nick Folino 
Sent: 08 February 2021 17:30
To: users@httpd.apache.org
Subject: Re: [users@httpd] Which parameters must be set to solve these 
Vulnerabilities? [EXT]

What a great site!  It consolidates weak servers for hackers to find easier.

On Mon, Feb 8, 2021 at 11:00 AM Jason Long 
mailto:hack3r...@yahoo.com.invalid>> wrote:
Thank you for your useful information.
I checked my server with "https://securityheaders.com/ 
[securityheaders.com]"
 and result is:
https://i.postimg.cc/SsBBtRsT/Header.png 
[i.postimg.cc]

To solve the Content Security Policy, I added below line to "httpd.conf":
Header set Content-Security-Policy "default-src 'self';"

But after that my web site style got messed up! Why?
How about "Permissions-Policy" ?






On Monday, February 8, 2021, 04:58:11 PM GMT+3:30, Dino Ciuffetti 
mailto:d...@tuxweb.it>> wrote:





> Hello,
> I scanned my Apache web server and below Vulnerabilities discovered:


There are many ways of solving those vulnerabilities. Most of them can be fixed 
by patching your applications.

As a rule of thumb, your application should:
- not use frames or iframes at all
- use only HTTPS everywhere, always redirect HTTP to HTTPS
- disable anything you don't need (eg mod_perl, mod_php, etc)
- enable Strict-Transport-Security to force all traffic to HTTPS with no 
fallback to HTTP
- don't use cookies if possible, or setup your cookies with those attributes: 
secure; HostOnly; HttpOnly;
SameSite=Lax
- CSP, Anti-CSRF Tokens and Cache-control headers and frameworks should be 
set directly by your application and not from apache, if possible

Please consider that enabling one or more countermeasures via configuration 
file in httpd could make your applications stop working properly if they are 
not designed accordingly! Please double check any of them and test them in your 
staging environment before setting them live for production.

Also you should be well confident in all of them before running live, or 
strange things will happen to your applications and your live debug will be 
difficult.





RE: [users@httpd] Which parameters must be set to solve these Vulnerabilities? [EXT]

2021-02-08 Thread James Smith

-Original Message-
From: Eric Covener  
Sent: 08 February 2021 13:13
To: users@httpd.apache.org
Subject: Re: [users@httpd] Which parameters must be set to solve these 
Vulnerabilities? [EXT]

On Mon, Feb 8, 2021 at 6:24 AM Jason Long  wrote:
>
> Hello,
> I scanned my Apache web server and below Vulnerabilities discovered:
>
> 1- Content Security Policy (CSP) Header Not Set
Read up about these and set an appropriate header
> 2- HTTP to HTTPS Insecure Transition in Form Post
Make sure you don't actively have an http:// request use HSTS headers
> 3- Reverse Tabnabbing
Set rel=noopener 
> 4- Source Code Disclosure - PHP
Make sure you make all PHP code be executed by php handler and make sure you 
have got full PHP tags (<?php ... ?>)
> 5- Source Code Disclosure - Perl
Don't put perl in your htdocs directory - keep it outside
Don't log errors to browser
> 6- Sub Resource Integrity Attribute Missing
See 10
> 7- Absence of Anti-CSRF Tokens
Look at form code - you need to set a cookie and a hidden field in the form
> 8- Cookie No HttpOnly Flag
Add this to your cookie creation statement (note there may be some cases where 
it is impossible to set this - if you want the client to see this!)
> 9- Cookie Without SameSite Attribute
Add this to your cookie creation statement (note there may be some cases where 
it is impossible to set this - if you want the client to see this!) and specify 
exactly which sub-domain gets the cookie not .mydomain.com but 
server.mydomain.com
> 10- Cross-Domain JavaScript Source File Inclusion
Don't if you do - look at CSP and set "integrity" or only allow from certain 
sites...
> 11- Incomplete or No Cache-control and Pragma HTTP Header Set
Again look this up - there may be reasons why this isn't set - e.g. 
> 12- Insufficient Site Isolation Against Spectre Vulnerability
Look at CORS
> 13- Strict-Transport-Security Header Not Set
Just set it again read docs...
>
> I'm thankful if anyone tell me which parameters and headers must be set and 
> enable in the Apache configuration.

I suggest searching the web for existing explanations/resources. You will also 
need to address most of these with an understanding of your content.





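An added example for the two "Which parameters must be set" replies above (not code from the thread or from httpd): a small Python checker that flags the same things the scanner did (CSP and HSTS missing, no framing protection, cookies without Secure/HttpOnly/SameSite) and, for the "my web site style got messed up" question, evaluates what a given Content-Security-Policy would let the browser load. The response headers, the site origin https://www.example.org and the resource URLs are constructed for illustration; nonce and hash sources, report-only policies and port matching are not modelled.

```python
"""Check a response the way the scanner in these two threads does (CSP,
HSTS, framing, cookie attributes) and work out what a given CSP blocks.

Added example, not code from the thread or from httpd. The response
headers and site origin below are constructed; nonce/hash sources and
report-only policies are not modelled.
"""
from urllib.parse import urlsplit

SITE = "https://www.example.org"          # assumed origin of the page

# Constructed sample: a PHP site with a session cookie and exactly the
# header added in the thread, "default-src 'self';", and nothing else.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Set-Cookie", "wp_lang=en; path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Security-Policy", "default-src 'self';"),
]


def parse_csp(policy):
    """"default-src 'self'; img-src *" -> {"default-src": ["'self'"], "img-src": ["*"]}"""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def _source_matches(source, url, page_origin):
    """Does one CSP source expression permit fetching url?"""
    u, src = urlsplit(url), source.lower()
    if src == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if src == "*":
        return u.scheme in ("http", "https")
    if src in ("http:", "https:"):
        return u.scheme == src[:-1]
    if src.startswith("'"):                  # 'none', 'unsafe-inline', nonces, hashes
        return False
    scheme, _, host = src.rpartition("://")  # host source, optional scheme, optional *.
    if scheme and scheme != u.scheme:
        return False
    host = host.rstrip("/")
    if host.startswith("*."):
        return u.netloc.endswith(host[1:])
    return u.netloc == host


def csp_allows(policy, directive, url=None, page_origin=SITE):
    """Would a browser enforcing policy load url for directive (e.g. "style-src")?
    url=None asks about an inline block of that kind. A missing fetch directive
    falls back to default-src; if that is absent too, nothing is restricted."""
    d = parse_csp(policy)
    sources = d.get(directive, d.get("default-src"))
    if sources is None:
        return True
    if url is None:
        return "'unsafe-inline'" in [s.lower() for s in sources]
    return any(_source_matches(s, url, page_origin) for s in sources)


def cookie_findings(set_cookie):
    """Return (cookie name, attributes the scanner wants but does not see)."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return name, [a for a in ("secure", "httponly", "samesite") if a not in attrs]


def audit(headers):
    """Human-readable findings for one response's headers (a list of pairs)."""
    by_name = {}
    for k, v in headers:
        by_name.setdefault(k.lower(), []).append(v)
    csps = by_name.get("content-security-policy", [])
    findings = []
    if not csps:
        findings.append("Content Security Policy header not set")
    if "strict-transport-security" not in by_name:
        findings.append("Strict-Transport-Security header not set")
    if "x-frame-options" not in by_name and not any("frame-ancestors" in parse_csp(p) for p in csps):
        findings.append("no framing protection (frame-ancestors / X-Frame-Options)")
    for sc in by_name.get("set-cookie", []):
        name, missing = cookie_findings(sc)
        if missing:
            findings.append("cookie %s without %s" % (name, ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS):
        print("finding:", f)
    policy = "default-src 'self';"
    print("inline <style> allowed:", csp_allows(policy, "style-src"))
    print("theme CSS allowed:", csp_allows(policy, "style-src", SITE + "/wp-content/themes/x/style.css"))
    print("Google Fonts allowed:", csp_allows(policy, "style-src", "https://fonts.googleapis.com/css"))
```

Run it and the last three lines show why `default-src 'self'` on its own wrecks a typical theme: inline <style> blocks and third-party stylesheets are refused while the site's own CSS still loads. The fix is to list the origins the pages really use in style-src (and move inline styles into files) rather than to drop the header, and to set the policy from the application where possible, as Dino says above.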


RE: [users@httpd] Replays from Internet [EXT]

2021-01-19 Thread James Smith
Trying to understand - was it just the last POST that you were seeing - not the 
series of posts leading up to that stage of the form process?

In this case it looks, as Yehuda is saying, as if the request is kept in 
the browser.

There are some ways to get around this:
(1) never POST and print - always do a full redirect for the user - this takes 
the "successful post" out of the users history
(2) Have a unique ID representing the cart (you probably have a cart ID 
somewhere for the order) and make sure that the same cart ID is not used twice 
for payment.
This should preferably be something like a UUID or similar.
Second time payment is attempted on cart with given UUID the attempt is 
rejected.

James

-Original Message-
From: John  
Sent: 19 January 2021 16:56
To: Apache 
Subject: [users@httpd] Replays from Internet [EXT]

Since the beginning of 2021 we have encountered two online orders and possibly 
a third, where the customer denies making the order and the httpd log seems to 
confirm that.

In each case, the person made an order and a day or more later a second order 
was placed for the same item and carrying the same credit card information.  
Since everything looked valid and the delay bypassed our duplicate order check, 
the order was accepted.  

Some background: a customer can connect to our catalogue and move around 
untracked for as long as they want until they decide to place an order.  At 
this point there is only one path to follow to enter address info, credit card, 
etc. This ends with a summary of the order and if they click to proceed, it 
POST's the server order processor with the relevant info causing the credit 
card to be charged and the order to be entered. In total 3 scripts must be 
processed in the correct order.

I scanned for the customer's IP in the httpd access log in each case and found 
that when they made the valid order they were on our catalogue and followed the 
correct path to place the order, confirming it as expected.

BUT, and here is what I am having trouble understanding, for the invalid order 
ONLY the last request was logged as received by httpd.
It shows the correct source (ie the page that should have resulted in an order) 
yet that page does not show in the httpd log as having been served.  In one 
case, NO other page was served to that customer on that day ahead of the 
received order, at least judging from IP addresses in use. 

So what I appear to be seeing is a replay from the Internet which I find hard 
to accept as real.  Has anyone ever seen this before and if so what did they do 
to resolve it?  The only other possibility that I can think of is that their 
browser cached the page and re-transmitted it. (a violation of the HTML 
standard I think for a form page).

The environment is Apache 2.4.25 on Fedora using php-fpm.

Thanks in advance and apologies for the length of this post.

John






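An added example of the two countermeasures James suggests above (not code from the thread or from John's shop): a cart ID that is accepted for payment exactly once, a confirm token that cannot be guessed from the cart ID, and a redirect after the final POST. The OrderProcessor class, its in-memory stores and the other names are assumptions; in production the consumed-cart record lives in the database under a unique constraint so that the check holds across restarts and replicas, and the "duplicate order" test no longer depends on how much time has passed between the two POSTs.

```python
"""Server-side defence against the replayed order POST described in this
thread: a cart ID that can be charged at most once, a single-use confirm
token bound to that cart, and a redirect after the POST (so the
"successful post" never sits in the browser history).

Added example, not code from the thread or from the poster's shop. The
class and its in-memory stores are assumptions; keep the consumed-cart
set in the database under a unique constraint in a real deployment.
"""
import hmac
import secrets
import uuid


class OrderProcessor:
    def __init__(self):
        self._tokens = {}       # cart_id -> one-time confirm token given to the browser
        self._consumed = set()  # cart IDs that have already been charged
        self.charges = []       # what the payment gateway was asked to do (for the demo)

    def new_cart(self):
        """Start of the checkout path: mint a cart ID and a confirm token.
        Both go into the summary form as hidden fields. The token is random,
        not derived from the cart ID, so a forged form cannot pass."""
        cart_id = str(uuid.uuid4())
        token = secrets.token_urlsafe(32)
        self._tokens[cart_id] = token
        return cart_id, token

    def confirm(self, cart_id, token):
        """The final POST. Returns (status, detail). Only the first valid
        confirm for a cart charges the card; a replay, however long after,
        is refused before the gateway is contacted."""
        if cart_id in self._consumed:
            return "rejected", "cart already paid"
        expected = self._tokens.get(cart_id)
        if expected is None or not hmac.compare_digest(expected, token):
            return "rejected", "unknown cart or bad token"
        # Mark the cart consumed *before* charging, so two concurrent copies
        # of the same POST cannot both reach the gateway.
        self._consumed.add(cart_id)
        del self._tokens[cart_id]
        self.charges.append(cart_id)
        # Post/Redirect/Get: the browser ends on a GET page, not on the POST.
        return "redirect", "/order/complete?cart=" + cart_id


def demo():
    """Walk the path once, then replay the same POST 'a day later'."""
    shop = OrderProcessor()
    cart, token = shop.new_cart()
    first = shop.confirm(cart, token)
    replay = shop.confirm(cart, token)                 # same bytes re-sent
    forged = shop.confirm(str(uuid.uuid4()), token)    # new cart, stolen token
    return first, replay, forged, len(shop.charges)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of the checks matters: the consumed-set test comes first so a replay is reported as a duplicate rather than as a token failure, and the cart is marked consumed before the gateway call rather than after, which is what closes the window for two copies of the POST arriving together.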

RE: [users@httpd] Apache in under attack. [EXT]

2021-01-14 Thread James Smith
The first place to look in this case is the size of the apache processes. Once 
the OP has got on top of this - then other issues can be investigated.

So process would be:
1) Reduce the number of modules in Apache (>100 at the moment); it should be 
in the 15-25 region;
2) Look at memory usage;
3) If high would also look to see which PHP packages have been 
installed;
4) Once past these I would start looking at the actual attack and the 
particular requests;



-Original Message-
From: @lbutlr  
Sent: 15 January 2021 06:37
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

On 14 Jan 2021, at 04:48, Jason Long  wrote:
> Server have 4 CPU cores and 6GB of RAM.
> I pasted Apache configuration. In your opinion, which parts of servers must 
> be examine?

Throwing more resources at the problem is not likely to fix the problem. You 
need to figure out what is going on with your server and WHY it is taking so 
much time it is bogging down and WHERE the slowdown is happening.

This is not something that someone can just say "Oh, it's this" because the 
problem is unique to your machine, your content, and your users.

I would start with those very suspicious (to me) looking URL requests 
containing dozens of digits of hex. Do those look like they are legitimate 
links to your server's web content?

Also, please stop top-posting and quoting the entire message thread below.

-- 
We are born naked, wet and hungry; then it's all downhill.





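An added example for the triage steps in this thread (not code from the thread): the same top-talker count as Charles' awk pipeline, plus what the one-liners cannot give, the peak requests-per-minute per IP (the number a connlimit or fail2ban threshold has to be compared with) and a filter for the request patterns @lbutlr points at, long hex runs in the URL and hammering of wp-login.php / xmlrpc.php. The access log lines, IP addresses and paths are constructed; the log is Common Log Format, and the generated firewall-cmd rules are the rich-rule form James posted, to be reviewed rather than run blind.

```python
"""Triage an httpd access log during a suspected attack: who is hammering
the server, at what rate, and which requests look like scanners rather
than visitors.

Added example, not code from the thread. The log lines below are
constructed (Common Log Format); addresses and paths are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2021:08:50:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [12/Jan/2021:08:50:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [12/Jan/2021:08:50:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [12/Jan/2021:08:50:03 +0000] "GET /?p=3a7f9c2e1b4d6a8f0e5c2b9d7a1f3e6c HTTP/1.1" 404 196
203.0.113.7 - - [12/Jan/2021:08:50:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.23 - - [12/Jan/2021:08:50:10 +0000] "GET / HTTP/1.1" 200 15233
198.51.100.23 - - [12/Jan/2021:08:50:11 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 8812
192.0.2.55 - - [12/Jan/2021:08:51:40 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
203.0.113.7 - - [12/Jan/2021:08:52:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
"""

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')
HEX_RUN = re.compile(r'[0-9a-f]{24,}', re.I)       # "dozens of digits of hex" in the URL
HOT_PATHS = ("/wp-login.php", "/xmlrpc.php")       # usual WordPress brute-force targets


def parse(log_text):
    """Yield one dict per well-formed line, with ts as an aware datetime."""
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def top_talkers(log_text, n=10):
    """Same answer as: awk '{print $1}' | sort | uniq -c | sort -nr | head."""
    return Counter(r["ip"] for r in parse(log_text)).most_common(n)


def peak_rate(log_text, window=timedelta(seconds=60)):
    """Per IP, the most requests seen inside any sliding window (default one
    minute). Unlike a whole-file count this says how bursty a client is,
    which is what a rate-limit threshold has to be compared against."""
    by_ip = defaultdict(list)
    for r in parse(log_text):
        by_ip[r["ip"]].append(r["ts"])
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def suspicious(log_text):
    """Requests matching the patterns discussed in the thread."""
    hits = []
    for r in parse(log_text):
        reasons = []
        if HEX_RUN.search(r["path"]):
            reasons.append("hex-run-in-url")
        if r["method"] == "POST" and r["path"] in HOT_PATHS:
            reasons.append("login-or-xmlrpc-post")
        if reasons:
            hits.append((r["ip"], r["path"], reasons))
    return hits


def block_rules(log_text, threshold=20):
    """firewalld rich rules (the form posted in the thread) for every IP whose
    peak rate exceeds threshold. Review before running: a shared NAT address
    or a monitoring probe can exceed a naive threshold too."""
    rule = "firewall-cmd --permanent --add-rich-rule=\"rule family='ipv4' source address='%s' reject\""
    return [rule % ip for ip, peak in sorted(peak_rate(log_text).items()) if peak > threshold]


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_LOG))
    print("peak req/min:", peak_rate(SAMPLE_LOG))
    for ip, path, why in suspicious(SAMPLE_LOG):
        print("suspicious:", ip, path, ",".join(why))
    for cmd in block_rules(SAMPLE_LOG, threshold=4):
        print(cmd)
```

Feed it the real file with `parse(open("access.log").read())` or pipe the last few thousand lines in; the peak-rate figure is the one to set `--connlimit-above` or a fail2ban `maxretry`/`findtime` pair against, since the whole-day totals from the awk pipeline say nothing about how fast the requests arrived.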



RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-13 Thread James Smith
You can get the information from top - but if you want it in the command line 
you run:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

rsz - is the resident size - this is the amount of memory the programme is 
actually reserving in memory

The output had the following type of lines:

> 1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND

So you can see the resident memory is approx. 1.25G

-Original Message-
From: Andrea Croci  
Sent: 13 January 2021 09:59
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Hi James,

what was the command you used to see that apache uses ~1GB of memory? I deleted 
the mail and that was a bad idea: there were some very useful commands you were 
giving us here.

On 12.01.21 12:17, James Smith wrote:
> That shows you only have 2 incoming requests. How many lines if you 
> remove the TIME_WAIT
>
> Try: netstat -n | grep ':80 ' | wc
>
> This may show lots of short requests happening over time
>
> But to be honest the most important thing you need to do is strip down 
> the list of modules you are using - that is what is causing you 
> problems - the apache processes are so large you are causing the 
> server to swap -
>
> If you are permanently using a lot of swap then that slows down your 
> processes and can cause your request to back up (a bit like a traffic 
> jam)
>
> You should only really have about 20-30 modules running.
>
> -Original Message-
> From: Jason Long 
> Sent: 12 January 2021 11:14
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under 
> attack. [EXT]
>
> It shows me:
>
> # netstat -n | grep ':80 ' | grep -v TIME_WAIT
> tcp6       0      0 X.X.X.X:80        X.X.X.X:16126      FIN_WAIT2
> tcp6       0      0 X.X.X.X:80        X.X.X.X:64595      FIN_WAIT2
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith 
>  wrote:
>
>
>
>
>
> If you want incoming traffic you can do:
>
> netstat -n | grep ':443 ' | grep -v TIME_WAIT
>
> The incoming IP should be the 2nd address
>
> (or ':80 ' if you aren't doing SSL)
>
> Remove the grep -v TIME_WAIT to see all connections {and recent 
> connections}
>
> -Original Message-
> From: Jason Long 
> Sent: 12 January 2021 10:33
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under 
> attack. [EXT]
>
> Output is:
>
> 1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
>   6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
> 1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
> 1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
> 1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
> 1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND
>
> How can I see the IP addresses and their incoming traffic?
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
>  wrote:
>
>
>
>
>
> Another thing to look at is to restart the apache process and see memory 
> usage. You can either use top. Or you can use a cron job which emails you the 
> output of:
>
> ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 
> -n
>
> to see if you start or if it grows gradually
>
> -Original Message-
> From: Jason Long 
> Sent: 12 January 2021 10:01
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under 
> attack. [EXT]
>
> I did below rule, but not worked:
> # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit 
> --connlimit-above 20 -j REJECT --reject-with tcp-reset
>
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
>  wrote:
>
>
>
>
>
>
> It can be done with iptables or take a look at fail2ban:
> https://security.stackexchange.com/q/35773/213194
>
> Am 12.01.21, 10:26 schrieb Jason Long :
>>    Thank you, but can't "Firewalld" or "iptables" do it automatically? When 
>> an IP sends many requests, is it then automatically blocked?
>>
>>
>>
>>
>>
>>
>> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>>  wrote:
>>
>>
>>
>>
>>
>> Jason,
>>
>> I would also query why your processes are ~ 1G resident; that seems quite large 
>> for apache.
>>
>> What modules do yo

RE: [users@httpd] How to clean Apache memory automatically? [EXT]

2021-01-12 Thread James Smith
Htcacheclean is I think only a disk based cache cleaner (something you 
shouldn't really be using anyway!)

The only way to clean up apache memory is either to kill your child processes 
or restart apache itself.

-Original Message-
From: Jason Long  
Sent: 12 January 2021 23:26
To: Users Maillingsliste Apache 
Subject: [users@httpd] How to clean Apache memory automatically? [EXT]

Hello,
Can I use "htcacheclean" for clean memory instead of reset Apache service?

Thank you.






RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
For that answer you will probably have to ask a RH expert - in ubuntu there are 
two folders mods_enabled & mods_available - the mods_available contains links 
to the files in mods_enabled - and you can just remove the symlinks.

Not sure for just a wordpress site whether this list would be sufficient - it's 
using mod_php - which is easy to setup - someone else may be able to point you 
in the direction of the fastcgi solution {which isn't necessarily faster! Or 
more performant}

 alias_module (shared)
 expires_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 php7_module (shared)
 rewrite_module (shared)
 status_module (shared)

You are almost certainly getting large numbers of requests because it is a 
wordpress site - and so there are standard attack patterns to try and 
compromise your admin interface (or PHP)

-Original Message-
From: Jason Long  
Sent: 12 January 2021 11:51
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

# netstat -n | grep ':80 ' | wc
     12      72     960

> How to disable modules? It's just a WordPress website.






On Tuesday, January 12, 2021, 02:55:14 PM GMT+3:30, James Smith 
 wrote: 





That shows you only have 2 incoming requests. How many lines if you remove the 
TIME_WAIT

Try: netstat -n | grep ':80 ' | wc

This may show lots of short requests happening over time

But to be honest the most important thing you need to do is strip down the list 
of modules you are using - that is what is causing you problems - the apache 
processes are so large you are causing the server to swap - 

If you are permanently using a lot of swap then that slows down your processes 
and can cause your request to back up (a bit like a traffic jam)

You should only really have about 20-30 modules running.

-Original Message-
From: Jason Long  
Sent: 12 January 2021 11:14
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

It shows me:

# netstat -n | grep ':80 ' | grep -v TIME_WAIT
tcp6       0      0 X.X.X.X:80        X.X.X.X:16126      FIN_WAIT2  
tcp6       0      0 X.X.X.X:80        X.X.X.X:64595      FIN_WAIT2 






On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith 
 wrote: 





If you want incoming traffic you can do:

netstat -n | grep ':443 ' | grep -v TIME_WAIT

The incoming IP should be the 2nd address

(or ':80 ' if you aren't doing SSL)

Remove the grep -v TIME_WAIT to see all connections {and recent connections}

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
 wrote: 





Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I did below rule, but not worked:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 
-j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote: 






It can be done with iptables or take a look at fail2ban:
https://security.stackexchange.com/q/35773/213194

Am 12.01.21, 10:26 schrieb Jason Long :
>  Thank you, but can't "Firewalld" or "iptables" do it automatically? When an 
> IP sends many requests, is it then automatically blocked?
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>  wrote: 
> 
> 
> 
> 
> 
> Jason, 
> 
> I would also query why your processes are ~ 1G resident; that seems quite large 
> for apache.
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go above 500-800M depending on the size of your box.
> 
> I know Apache is very good at grabbing memory for each process - but it 

RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
That shows you only have 2 incoming requests. How many lines if you remove the 
TIME_WAIT

Try: netstat -n | grep ':80 ' | wc

This may show lots of short requests happening over time

But to be honest the most important thing you need to do is strip down the list 
of modules you are using - that is what is causing you problems - the apache 
processes are so large you are causing the server to swap - 

If you are permanently using a lot of swap then that slows down your processes 
and can cause your request to back up (a bit like a traffic jam)

You should only really have about 20-30 modules running.

-Original Message-
From: Jason Long  
Sent: 12 January 2021 11:14
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

It shows me:

# netstat -n | grep ':80 ' | grep -v TIME_WAIT
tcp6       0      0 X.X.X.X:80        X.X.X.X:16126      FIN_WAIT2  
tcp6       0      0 X.X.X.X:80        X.X.X.X:64595      FIN_WAIT2 






On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith 
 wrote: 





If you want incoming traffic you can do:

netstat -n | grep ':443 ' | grep -v TIME_WAIT

The incoming IP should be the 2nd address

(or ':80 ' if you aren't doing SSL)

Remove the grep -v TIME_WAIT to see all connections {and recent connections}

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
 wrote: 





Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I did below rule, but not worked:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 
-j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote: 






It can be done with iptables or take a look at fail2ban:
https://security.stackexchange.com/q/35773/213194

Am 12.01.21, 10:26 schrieb Jason Long :
>  Thank you, but can't "Firewalld" or "iptables" do it automatically? When an 
> IP sends many requests, is it then automatically blocked?
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>  wrote: 
> 
> 
> 
> 
> 
> Jason, 
> 
> I would also query why your processes are ~ 1G resident; that seems quite large 
> for apache.
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go above 500-800M depending on the size of your box.
> 
> I know Apache is very good at grabbing memory for each process - but it 
> doesn't tend to hand it back - and just keeps it (just in case) 
> 
> It looks like you either have a memory leak - or the code is collecting too 
> much data before squirting it out 
> 
> There are other setups that you may want to look at if you have large dynamic 
> requests and a lot of small static request (images/css/js) where you run two 
> web servers - one serving static content and proxying back to dynamic 
> content. 
> 
> James 
> 
> -Original Message- 
> From: James Smith  
> Sent: 12 January 2021 09:09 
> To: users@httpd.apache.org 
> Subject: RE: [users@httpd] Apache in under attack. [EXT] 
> 
> Put a firewall rule into block whatever that first IP address is then. 
> 
> Something like: 
> 
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
> address='X.X.X.X' reject" 
> 
> If you are seeing a current attack then you can tweak Charles' command line 
> to: 
> 
> tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> or I often use cut instead of awk.. 
> 
> tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head 
> 
> -Original Message- 

RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
If you want incoming traffic you can do:

netstat -n | grep ':443 ' | grep -v TIME_WAIT

The incoming IP should be the 2nd address

(or ':80 ' if you aren't doing SSL)

Remove the grep -v TIME_WAIT to see all connections {and recent connections}

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
 wrote: 





Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I did below rule, but not worked:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 
-j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote: 






It can be done with iptables or take a look at fail2ban:
https://security.stackexchange.com/q/35773/213194

Am 12.01.21, 10:26 schrieb Jason Long :
>  Thank you, but can't "Firewalld" or "iptables" do it automatically? When an 
> IP sends many requests, is it then automatically blocked?
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>  wrote: 
> 
> 
> 
> 
> 
> Jason, 
> 
> I would also query why your processes are ~ 1G resident; that seems quite large 
> for apache.
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go above 500-800M depending on the size of your box.
> 
> I know Apache is very good at grabbing memory for each process - but it 
> doesn't tend to hand it back - and just keeps it (just in case) 
> 
> It looks like you either have a memory leak - or the code is collecting too 
> much data before squirting it out 
> 
> There are other setups that you may want to look at if you have large dynamic 
> requests and a lot of small static request (images/css/js) where you run two 
> web servers - one serving static content and proxying back to dynamic 
> content. 
> 
> James 
> 
> -Original Message- 
> From: James Smith  
> Sent: 12 January 2021 09:09 
> To: users@httpd.apache.org 
> Subject: RE: [users@httpd] Apache in under attack. [EXT] 
> 
> Put a firewall rule into block whatever that first IP address is then. 
> 
> Something like: 
> 
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
> address='X.X.X.X' reject" 
> 
> If you are seeing a current attack then you can tweak Charles' command line 
> to: 
> 
> tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> or I often use cut instead of awk.. 
> 
> tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head 
> 
> -Original Message- 
> From: Jason Long  
> Sent: 12 January 2021 08:53 
> To: users@httpd.apache.org 
> Subject: Re: [users@httpd] Apache in under attack. [EXT] 
> 
> It shows me:
> 
> 13180 X.X.X.X 
>    1127 X.X.X.X 
>     346 X.X.X.X 
>     294 X.X.X.X 
>     241 X.X.X.X 
>     169 X.X.X.X 
>     168 X.X.X.X 
>     157 X.X.X.X 
>     155 X.X.X.X 
>     153 X.X.X.X 
> 
> 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles 
>  wrote: 
> 
> 
> 
> 
> 
> Run this against your log file in bash shell 
> 
> cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> This will show you most frequent IPs, sorted in descending order. Block as 
> needed 
> 
> On 1/11/21, 7:11 PM, "Jason Long"  wrote: 
> 
>     Can you help me? 
>     
>     
>     
>     
>     
>     
>     On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino 
>  wrote: 
>     
>     

RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Yes - it is something we need to do when we come under attack at work - as 
often the attacks are not enough to trigger standard intrusion detection (esp 
as our requests can be quite heavy)

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:07
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

System administrators doing it manually???

On Tuesday, January 12, 2021, 01:28:50 PM GMT+3:30, James Smith 
 wrote: 

Rate limiting may work - but the rate may be just slightly too slow for your 
setting - manually doing it is a good thing ...

-Original Message-
From: Jason Long 
Sent: 12 January 2021 09:21
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Thank you, but can't "Firewalld" or "iptables" do it automatically? When an IP 
is sending many requests, then it is automatically blocked.


On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
 wrote: 

Jason,

I would also query why your processes are ~1G resident; that seems quite large 
for apache.

What modules do you have enabled - even with mod_perl embedded I would not 
want them to go above 500-800M depending on the size of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't 
tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too 
much data before squirting it out

There are other setups that you may want to look at if you have large dynamic 
requests and a lot of small static requests (images/css/js) where you run two 
web servers - one serving static content and proxying back to dynamic content.

James

-Original Message-----
From: James Smith 
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule in to block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-Original Message-
From: Jason Long 
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It shows me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles 
 wrote: 

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me? 
    
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino 
 wrote: 
    
    Concentrate on just one...
    
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long  
wrote:
    > There are a lot of IP addresses!!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino 
 wrote: 
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long  
wrote:
    >> How to find pattern?
    >> The log shows me: 
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE=
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali 
 wrote: 
    >>
    >> Yeah, it's probably not going to matter if you don't know what's 
attacking you before setting up the rules; you need to find the patterns, 
either the attack target or the attackers' origins. 
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long  
wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port 
port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" 
level="warning" limit value="100/s"'
    >>>
    >>> But it didn't matter.
    >>>

RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Sometimes we are attacked from a farm of machines so it may have to be an ip 
range that is the issue


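The "top talkers" pipeline, the firewall-cmd rich rule and the point about blocking a whole range, from the messages above, worked into one script as an added example (this is not code from the thread). It counts requests per address and per /24, finds each client's busiest minute, and prints candidate rules for review instead of applying them; the combined log format, the documentation addresses in the sample data and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread.  Builds on the "top talkers"
# pipeline (awk '{print $1}' | sort | uniq -c | sort -nr) and the firewall-cmd
# rule quoted above, and on the point that a farm of machines may need a
# range blocked rather than one address.  Assumes the combined log format
# (client address in the first field, timestamp in the fourth) and IPv4 clients.

# count_ips LOGFILE: "count address" for every client, busiest first
count_ips() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# count_nets LOGFILE: the same, aggregated by /24, so hosts that individually
# stay under any per-address threshold still surface as one block
count_nets() {
    awk -F'[ .]' '$1 ~ /^[0-9]+$/ && NF > 4 { print $1 "." $2 "." $3 ".0/24" }' "$1" \
        | sort | uniq -c | sort -rn
}

# top_ips / top_nets LOGFILE [N]: the first N entries (default 10)
top_ips()  { count_ips  "$1" | head -n "${2:-10}"; }
top_nets() { count_nets "$1" | head -n "${2:-10}"; }

# peak_rate LOGFILE: each client's busiest single minute as
# "requests address HH:MM", worst offender first; a current attack shows
# up here even when the whole-file totals are dominated by old traffic
peak_rate() {
    awk '{ split($4, t, ":"); key = $1 " " t[2] ":" t[3]; c[key]++ }
         END {
             for (k in c) {
                 split(k, p, " ")
                 if (c[k] > m[p[1]]) { m[p[1]] = c[k]; w[p[1]] = p[2] }
             }
             for (ip in m) print m[ip], ip, w[ip]
         }' "$1" | sort -rn
}

# rich_rule ADDRESS: the firewalld rule from the thread, printed, not executed
rich_rule() {
    printf "firewall-cmd --permanent --add-rich-rule=\"rule family='ipv4' source address='%s' reject\"\n" "$1"
}

# rich_rules LOGFILE THRESHOLD: one rule per address with more than THRESHOLD requests
rich_rules() {
    count_ips "$1" | awk -v t="$2" '$1 > t { print $2 }' \
        | while read -r addr; do rich_rule "$addr"; done
}

# rich_rules_nets LOGFILE THRESHOLD: one rule per /24 with more than THRESHOLD requests
rich_rules_nets() {
    count_nets "$1" | awk -v t="$2" '$1 > t { print $2 }' \
        | while read -r net; do rich_rule "$net"; done
}

# write_sample_log FILE: constructed data (documentation addresses), not a
# real log: one noisy host, a three-host "farm" inside 198.51.100.0/24 that
# never exceeds three requests per address, and one ordinary visitor
write_sample_log() {
    {
        i=1
        while [ "$i" -le 6 ]; do
            printf '203.0.113.7 - - [12/Jan/2021:08:50:%02d +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"\n' "$i"
            i=$((i + 1))
        done
        for host in 10 11 12; do
            for s in 1 2 3; do
                printf '198.51.100.%s - - [12/Jan/2021:08:51:%02d +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"\n' "$host" "$s"
            done
        done
        printf '192.0.2.5 - - [12/Jan/2021:08:52:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "-"\n'
    } > "$1"
}

# Run with a log file to see every view, e.g. sh toptalkers.sh /var/log/httpd/access_log
if [ -n "${1:-}" ]; then
    echo "== requests per address";          top_ips "$1"
    echo "== requests per /24";              top_nets "$1"
    echo "== busiest minute per address";    peak_rate "$1" | head -n 10
    echo "== candidate rules (review first)"; rich_rules_nets "$1" 1000
fi
```

On the sample data the per-address view flags only 203.0.113.7, while the /24 view also surfaces the farm in 198.51.100.0/24, whose hosts never individually pass the threshold.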
RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Another thing to look at is to restart the apache process and see memory usage. 
You can either use top, or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if it starts out like that or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I tried the rule below, but it did not work:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 
-j REJECT --reject-with tcp-reset

On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote: 

It can be done with iptables or take a look at fail2ban:
https://urldefense.proofpoint.com/v2/url?u=https-3A__security.stackexchange.com_q_35773_213194=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=I9F0cXVKI5lNIkmNjSJUj4c7qqr061vJX88jzcMLpvA=_jkuSoCIH2P5CqYmZuedFXUmuuq3Uf5PkIKE5nk_B3o=

On 12.01.21, 10:26, Jason Long wrote:
> Thank you, but can't "Firewalld" or "iptables" do it automatically? When an 
> IP is sending many requests, then it is automatically blocked. 

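The cron-job memory check James describes above, as an added example that is not code from the thread: it summarises worker RSS from ps output, lists workers over a size limit, and keeps a history file so a gradual climb after a restart is visible across runs. The worker-name pattern, the history path and the sample ps listing are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: a cron-friendly form of the memory
# check described above.  Input is "rss command" lines as printed by
# "ps -e -o rss=,cmd=" (RSS in KiB, like the rsz column in the quoted command).
# It summarises the Apache workers, lists any above a size limit, and appends
# a snapshot to a history file so a gradual climb is visible across runs.
# Assumptions: Linux procps ps; worker executables named apache2 or httpd;
# the history file path is a placeholder.

# Only the worker binaries match; "grep apache2" has grep in the command
# field, so no "grep -v grep" is needed.
WORKER_RE='(^|/)(apache2|httpd)$'

# apache_rss_summary < ps-output: "workers=N max_kb=X total_kb=Y"
apache_rss_summary() {
    awk -v re="$WORKER_RE" '$2 ~ re { n++; t += $1; if ($1 > m) m = $1 }
        END { printf "workers=%d max_kb=%d total_kb=%d\n", n, m, t }'
}

# oversized_workers LIMIT_MB < ps-output: "rss_kb command" for each worker over the limit
oversized_workers() {
    awk -v re="$WORKER_RE" -v lim="$(( $1 * 1024 ))" '$2 ~ re && $1 > lim { print $1, $2 }'
}

# record_snapshot HISTORY < ps-output: append "epoch max_kb total_kb" to HISTORY
record_snapshot() {
    apache_rss_summary \
        | awk -v now="$(date +%s)" '{ sub(/max_kb=/, "", $2); sub(/total_kb=/, "", $3); print now, $2, $3 }' \
        >> "$1"
}

# rss_trend HISTORY [N]: "growing" when the largest worker grew at every one of
# the last N snapshots (default 3), which points at a leak or at code hoarding
# data before sending it; "stable" otherwise
rss_trend() {
    tail -n "${2:-3}" "$1" | awk '
        NR > 1 && $2 <= prev { flat = 1 }
        { prev = $2 }
        END { verdict = (NR > 1 && !flat) ? "growing" : "stable"; print verdict }'
}

# sample_ps_output: a constructed listing standing in for real ps output
sample_ps_output() {
    cat <<'EOF'
   2048 /usr/sbin/sshd -D
  12345 /usr/sbin/apache2 -k start
  98765 /usr/sbin/apache2 -k start
1048576 /usr/sbin/apache2 -k start
    512 grep apache2
EOF
}

# Cron usage (output goes to the cron mail):
#   sh apache_mem.sh check /var/tmp/apache-rss.history
if [ "${1:-}" = "check" ]; then
    history=${2:-/var/tmp/apache-rss.history}   # placeholder path
    snap=$(mktemp)
    ps -e -o rss=,cmd= > "$snap"
    apache_rss_summary < "$snap"
    oversized_workers 500 < "$snap"
    record_snapshot "$history" < "$snap"
    rss_trend "$history"
    rm -f "$snap"
fi
```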
RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
That's one shed load of modules - when I run it on my dev server I have - you 
should really go through the modules and work out which ones you are actually 
using:

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 alias_module (shared)
 apreq_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 perl_module (shared)
 php7_module (shared)
 proxy_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 status_module (shared)

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:06
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Modules are:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_DJSWpSP7xZ_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=puY-fTQsV1ysiCnOpy4EHYLVx0o9AIycA5oenO7FFMM=gP5iBUkwbSUx03jK4ekkBLEDcX-4sn9jg_x70ubMVto=
On Tuesday, January 12, 2021, 01:26:48 PM GMT+3:30, James Smith 
 wrote: 
Can't see anything that should blow up like that to be honest - I usually use 
ubuntu - which configures apache in a much, much nicer way {generally for web 
development stuff it is a better flavour of linux}

What is the output of:

apache2 -t -D DUMP_MODULES

to see what modules you have installed

-Original Message-
From: Jason Long  
Sent: 12 January 2021 09:43
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Apache configuration is:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_RTC2WWMdYH_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI=vfUjay2MefOK73RFk6G5pssz7eGw-Ob55yOQx481hqg=

And "www.conf" is:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_S9q5Kwpfcc_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI=uApEZIkpUO0y48_zhQm_bX5ZxjS3vNu6KeVj7i2HsxY=

And other settings:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_NydSyZghJ8_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI=hCmp9X0YJvHspWfZjumxg71LTaVemwxCOZWIO7TZBbU=

Which one is not OK?


RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Rate limiting may work - but the rate may be just slightly too slow for your 
setting - manually doing it is a good thing ...


RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Can't see anything that should blow up like that to be honest - I usually use 
ubuntu - which configures apache in a much, much nicer way {generally for web 
development stuff it is a better flavour of linux}

What is the output of:

apache2 -t -D DUMP_MODULES

to see what modules you have installed

    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali 
 wrote: 
    >>> 
    >>> You need to investigate your logs and find common patterns there. There 
are also different tools to handle small and big workloads; for example, you 
could use iptables/nftables to block based on patterns and number of requests. 
    >>> 
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long 
 wrote:
     Hello,
     On a CentOS web server with Apache, someone makes a lot of requests and 
it slows the server down. When I disable the "httpd" service, the problem is 
solved. How can I find who made a lot of requests?
     
[url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI=xhD5gmWVf2E5_eScXEzWEDDLoztUMgj7kLGoHVJREIE=
     Any idea to solve it?
     
     
     Thank you.
     
    >>> -- 
    >>> [ ]'s
    >>> 
    >>> Filipe Cifali Stangler


RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Jason,

I would also query why your processes are ~1G resident; that seems quite large 
for apache.

What modules do you have enabled - even with mod_perl embedded I would not 
want them to go above 500-800M depending on the size of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't 
tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too 
much data before squirting it out

There are other setups that you may want to look at if you have large dynamic 
requests and a lot of small static requests (images/css/js) where you run two 
web servers - one serving static content and proxying back to dynamic content.

James


RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Put a firewall rule in to block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-Original Message-
From: Jason Long  
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It shows me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log shows me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's
    >> attacking you before setting up the rules, you need to find the patterns,
    >> either the attack target or the attackers' origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port
    >>> port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit"
    >>> level="warning" limit value="100/s"'
    >>>
    >>> But it doesn't matter.
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
    >>>
    >>> You need to investigate your logs and find common patterns there, also
    >>> there are different tools to handle small and big workloads like you could use
    >>> iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone makes a lot of requests and
    >>>> it makes the server slow. When I disable the "httpd" service the problem is solved. How
    >>>> can I find who made a lot of requests?
    >>>> [url]https://imgur.com/O33g3ql[/url]
    >>>> Any idea to solve it?
    >>>>
    >>>> Thank you.
    >>>>
    >>>> -
    >>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
    >>>> For additional commands, e-mail: users-h...@httpd.apache.org
    >>>
    >>> --
    >>> [ ]'s
    >>> Filipe Cifali Stangler
    > 
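The count-then-block procedure this thread converges on (top IPs from access.log, then a firewalld reject rule), as an added example that is not from any message above: it runs the same cut/sort/uniq pipeline over a constructed sample log, adds a per-minute burst check for the "find the pattern" step, and prints the block rules for review rather than executing them. It assumes POSIX sh with awk, cut, sort, uniq and mktemp; the log lines and IP addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the count-then-block procedure the
# messages above converge on, run against a constructed sample log.

# Write a small constructed access log (Apache combined format) to $1.
# 203.0.113.7 is the noisy client; the other two addresses are normal traffic.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [11/Jan/2021:19:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [11/Jan/2021:19:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [11/Jan/2021:19:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 200 128 "-" "curl/7.68.0"
203.0.113.7 - - [11/Jan/2021:19:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.9 - - [11/Jan/2021:19:00:05 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jan/2021:19:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
192.0.2.4 - - [11/Jan/2021:19:01:11 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jan/2021:19:01:12 +0000] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

# Top N client IPs by request count: the cut | sort | uniq -c | sort -nr
# pipeline from the thread. Output lines look like "      5 203.0.113.7".
top_ips() {
  cut -d ' ' -f 1 "$1" | sort | uniq -c | sort -nr | head -n "${2:-10}"
}

# IPs with more than $2 requests in any single minute: a crude version of the
# "find the pattern" step. Field 4 is "[11/Jan/2021:19:00:01", so splitting
# it on ":" gives date, hour and minute; the key is "ip date:hour:minute".
bursty_ips() {
  awk -v limit="$2" '
    { split($4, t, ":"); c[$1 " " t[1] ":" t[2] ":" t[3]]++ }
    END { for (k in c) if (c[k] > limit) { split(k, p, " "); print p[1] } }
  ' "$1" | sort -u
}

# Print (do not run) the firewalld reject rule from the thread for each IP on
# stdin, so the list can be reviewed before anything is blocked.
block_rules() {
  while read -r ip; do
    printf "firewall-cmd --permanent --add-rich-rule=\"rule family='ipv4' source address='%s' reject\"\n" "$ip"
  done
}

main() {
  log=$(mktemp)
  write_sample_log "$log"
  echo "== top client IPs =="
  top_ips "$log" 3
  echo "== more than 3 requests in one minute =="
  bursty_ips "$log" 3 | block_rules
  rm -f "$log"
}

main "$@"
```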
    
    
    

RE: [users@httpd] Ratelimiting Apache File Upload Speed [EXT]

2020-12-17 Thread James Smith
Why do you want to rate limit the upload speed to your server? Slow upload
speeds tend to be the thing that causes Apache issues rather than the other way
round.

If it is because your server is on a narrow pipe and you are worried about
being swamped by one connection - then rate limiting won't change anything: the
user sending large amounts of data will still send it - it will just be
processed more slowly by Apache.


-Original Message-
From: Gryzli Bugbear  
Sent: 14 December 2020 15:19
To: users@httpd.apache.org
Subject: [users@httpd] Ratelimiting Apache File Upload Speed [EXT]

Hi guys,

Is there a way to limit/ratelimit the upload speed to Apache ?

I'm searching for a way to ratelimit the upload speed per IP address, or even 
better per IP , per Location.

Regards,

--
-- Gryzli

https://gryzli.info

-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.

RE: [users@httpd] Questions to SSLciphersuite [EXT]

2020-11-27 Thread James Smith
To be honest, from a security point of view you shouldn't be doing this - if
the client can't talk to your server, you need to look for a new client.
Assuming from what you say this is just a monitoring tool.

We have switched off TLS v1.0 and v1.1 as all the browsers which we consider 
secure support these protocols.

We have also dropped support for many of the "insecure" Key ex algorithms and 
cipher strengths.

We may lose a few visitors - but at least our servers and requests are 
considered secure.




-Original Message-
From: Lentes, Bernd  
Sent: 27 November 2020 16:25
To: users Maillingsliste Apache 
Subject: Re: [users@httpd] Questions to SSLciphersuite [EXT]


----- On Nov 27, 2020, at 4:58 PM, Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:


> If your client cannot connect, maybe it is old and wants to talk SSLv3 
> which is no longer supported?
> 
Hi Stefan,

thanks for your answer.
That's what I assume. Isn't it possible to adapt the cipher suite so that the
client can talk to the server?
I tried "SSLCipherSuite SSLv3:+TLSv1", but the client still complains.

Bernd
Helmholtz Zentrum München

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH) Ingolstaedter 
Landstr. 1
85764 Neuherberg
http://www.helmholtz-muenchen.de
Chair of the Supervisory Board: MinDir.in Prof. Dr. Veronika von Messling
Management: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Kerstin Guenther
Registration court: Amtsgericht Muenchen HRB 6466
VAT ID: DE 129521671



RE: [users@httpd] apache tuning for 1500/2000 concurrent connections [EXT]

2020-11-15 Thread James Smith
It's not clear why you would need to serve that many "concurrent" connections, 
a bit more information would be required.

 * What is your dynamic content being generated by, is it running inside 
Apache, or is it running on its own "server" and being proxied by Apache?
 * Is content mainly static or dynamic?
 * Is the database a large number of small entries, or a smaller number of 
large entries?
 * Is it nearly all reads or contains lots of writes as well?
 * Are both the MySQL and the database on the same server?

My gut feeling (and experience) would suggest that you would almost certainly 
come into issues trying to put that workload on a single server, you can tune 
to a certain extent but then you will get to the limits of the server.

Have you done any benchmarking on your current set up - using something like 
Apache Bench or Siege? How many concurrent connections can it handle?

James


-Original Message-
From: Massimo Iovino  
Sent: 14 November 2020 09:35
To: users@httpd.apache.org
Subject: [users@httpd] apache tuning for 1500/2000 concurrent connections [EXT]

Hello everyone. I need to configure Apache 2.4 mpm-prefork (or I don't know if 
mpm-worker is better) for about 1500/2000 concurrent connections (even up to 
4000). These are the characteristics of the server:

Server Version: Apache / 2.4.46
MPM server: prefork
Server: 12-core Intel (R) Core (TM) i7-8700 CPU @ 3.20GHz
Speed: 800.000 MHz
Cache: 12288 KB
Memory: 128GB
RDBMS: mySQL 5.7

Can anyone give me some advice on how to configure Apache? Do you have to do 
anything in particular about the mySQL configuration? Thanks a lot to everyone.
Massimo


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




RE: [users@httpd] Bad Gateway with large file upload [EXT]

2020-10-29 Thread James Smith
Not sure about tuning the network – that is out of my skill set – I am lucky at 
work to have a 1G connection to my desk so these sort of uploads are not an 
issue. From home I only have around 18M so it is noticeable how long uploads 
take. You may want to look to see if you have intermediate hosts on your 
network – are you going through a transparent proxy?

If the user is using a VPN there is often a larger overhead than you see on the 
local network – not just the “distance” he is away – but whatever security 
layer the VPN adds, and whether content goes through multiple different nodes 
to get to you. We have noticed quite large differences with users going through 
VPNs having major issues. And remember that remotely many users will be using 
asymmetric connections – download is fast, upload is usually throttled to 
between 10 and 25% of the download speed.

James
From: eric tse 
Sent: 29 October 2020 19:16
To: users@httpd.apache.org
Subject: Re: [users@httpd] Bad Gateway with large file upload [EXT]

Good afternoon James

Thank you very much for your help.
We are inside a working organization network.
The client is using VPN.

I don't know if you guys have a little bit more extra tips/directions to tune 
the enterprise network,
if not, it is all okay for now.

Thank you very much for your help.

Thanks and regards
Eric



On Thu, Oct 29, 2020 at 12:03 PM James Smith <j...@sanger.ac.uk> wrote:
Is your test over a local network or over the internet. If the latter there is 
little you can do.

HTTP upload was never really designed for large files like this. That’s why 
most languages/frameworks put a limit on the size of uploads. And these are 
usually in the 5-10M size.

There are much better ways of transferring large files in web-browsers nowadays 
using clever JavaScript which slices the file and a script which stitches the 
parts back together at your end – transfers are smaller and avoids time outs. 
Can also parallelize them if required.

James

From: eric tse <hfe...@gmail.com>
Sent: 29 October 2020 18:15
To: users@httpd.apache.org
Subject: Re: [users@httpd] Bad Gateway with large file upload [EXT]

Hi community,

Thank you for your valuable hint again.

Can we tune something from chrome?
that can make chrome 147MB test works?

Or we need to tune our network infrastructure?
For now, I haven't been able to google anything yet.

Thanks and regards,
Eric




On Thu, Oct 29, 2020 at 11:10 AM eric tse <hfe...@gmail.com> wrote:
Good morning,

Thanks for your excellent tip last night.
We have some significant turn around from an investigation perspective.

We’ve done some additional testing this morning and had a surprising result. 
Does this provide any hints to the cause?

Firefox 60 MB:   bad gateway
Firefox 147 MB:  bad gateway

Chrome 60 MB:    success!
Chrome 147 MB:   bad gateway

IE 11 60 MB:     bad gateway
IE 11 147 MB:    bad gateway

My client said that we’re bound to using IE 11 for this project, although 
Chrome was identified as an acceptable alternative.
For now we can ignore his comment for troubleshooting.

Is it a bug, or limitation, or work as designed?
Or something we can tune (like browser or network infrastructure?) ?
Is it caused by timing?

Please advise.
Eric




On Thu, Oct 29, 2020 at 4:00 AM @lbutlr <krem...@kreme.com> wrote:
On 28 Oct 2020, at 18:05, eric tse <hfe...@gmail.com> wrote:
> We’re are getting a Bad Gateway error returned when trying to upload large 
> files through an IE browser to our webserver.

Have you tried with a currently supported browser?

IE is on death watch.

--
If I were you boys, I wouldn't talk or even think about women.
'T'ain't good for your health.



RE: [users@httpd] Bad Gateway with large file upload [EXT]

2020-10-29 Thread James Smith
Is your test over a local network or over the internet. If the latter there is 
little you can do.

HTTP upload was never really designed for large files like this. That’s why 
most languages/frameworks put a limit on the size of uploads. And these are 
usually in the 5-10M size.

There are much better ways of transferring large files in web-browsers nowadays 
using clever JavaScript which slices the file and a script which stitches the 
parts back together at your end – transfers are smaller and avoids time outs. 
Can also parallelize them if required.

James

From: eric tse 
Sent: 29 October 2020 18:15
To: users@httpd.apache.org
Subject: Re: [users@httpd] Bad Gateway with large file upload [EXT]

Hi community,

Thank you for your valuable hint again.

Can we tune something from chrome?
that can make chrome 147MB test works?

Or we need to tune our network infrastructure?
For now, I haven't been able to google anything yet.

Thanks and regards,
Eric




On Thu, Oct 29, 2020 at 11:10 AM eric tse <hfe...@gmail.com> wrote:
Good morning,

Thanks for your excellent tip last night.
We have some significant turn around from an investigation perspective.

We’ve done some additional testing this morning and had a surprising result. 
Does this provide any hints to the cause?

Firefox 60 MB:   bad gateway
Firefox 147 MB:  bad gateway

Chrome 60 MB:    success!
Chrome 147 MB:   bad gateway

IE 11 60 MB:     bad gateway
IE 11 147 MB:    bad gateway

My client said that we’re bound to using IE 11 for this project, although 
Chrome was identified as an acceptable alternative.
For now we can ignore his comment for troubleshooting.

Is it a bug, or limitation, or work as designed?
Or something we can tune (like browser or network infrastructure?) ?
Is it caused by timing?

Please advise.
Eric




On Thu, Oct 29, 2020 at 4:00 AM @lbutlr <krem...@kreme.com> wrote:
On 28 Oct 2020, at 18:05, eric tse <hfe...@gmail.com> wrote:
> We’re are getting a Bad Gateway error returned when trying to upload large 
> files through an IE browser to our webserver.

Have you tried with a currently supported browser?

IE is on death watch.

--
If I were you boys, I wouldn't talk or even think about women.
'T'ain't good for your health.



RE: [users@httpd] Forwarding IP to HTTPS. [EXT]

2020-10-12 Thread James Smith
Redirect doesn't allow you to distinguish between 301s and 302s, which you can 
do with mod_rewrite {very useful feature tbh when it comes to bits like this} - 
the user is using WordPress so will almost certainly be using mod_rewrite to 
handle the nice URLs.

As for the issue without a server name - you don't need one on port 80 unless 
you are doing something clever - as for the redirects it doesn't break but you 
can put one in - just make sure that it is included first! 
-Original Message-
From: Frank  
Sent: 12 October 2020 18:10
To: users@httpd.apache.org
Subject: Re: [users@httpd] Forwarding IP to HTTPS. [EXT]

James,

Unless the user has many hosts, I would recommend against using mod_rewrite 
here. It isn't needed. And your vhost should include an explicit ServerName 
directive.

On 12/10/20 11:56 AM, James Smith wrote:
> So I would do this for the virtual host sections – assuming you are 
> only running ONE externally facing website – there are other things 
> you would need to do if you were running multiple ones
> 
> ## Send all traffic on port 80 to the primary domain over SSL…
> 
>   RequestHeader unset X-is-ssl
>   RewriteEngine on
>   RewriteRule   ^(.*)$ https://www.example.com%{REQUEST_URI} [R=permanent,L,NE]
> 
> ## Send all traffic on port 443 which isn't the primary domain to the primary domain
> ## This implicitly picks up the IP for the host, the actual hostname OR the unqualified domain name example.com
> 
>   RewriteEngine on
>   RewriteRule   ^(.*)$ https://www.example.com/%{REQUEST_URI} [R,L,NE]
> 
>   Header always set Strict-Transport-Security "max-age=63072000; 
> includeSubdomains; preload"
>   ServerAdmin root@localhost
>   ServerName www.example.com
>   ## Do not use Server Alias here for alternative domains - only use 
> for test/dev sites...
>   DocumentRoot /var/www/wp
> 
> Options Indexes FollowSymLinks
> AllowOverride all
> Require all granted
> 
>   ## Put the rest of your wordpress stuff here...
> 
> 
> *From:*Jason Long 
> *Sent:* 12 October 2020 16:39
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] Forwarding IP to HTTPS. [EXT]
> 
>  
> 
> Excuse me,
> 
> Can you clean my configuration?
> 
>  
> 
> On Monday, October 12, 2020, 07:06:17 PM GMT+3:30, Frank <thu...@apache.org> wrote:
> 
>  
> 
>  
> 
> James,
> 
> Omitting an explicit ServerName in name-based vhosts is a bad idea as 
> well. You can create conflicts or ambiguities.
> 
> 
> On 12/10/20 11:22 AM, James Smith wrote:
>> This would be my set-up in your case - note as someone said it was too 
>> complex I've removed the extra security bits I'd left in by accident...
>> 
>> ## Port 80 && 443 default configs...
>> 
>>  RequestHeader unset X-is-ssl
>>  RewriteEngine on
>>  RewriteRule  ^(.*)$ https://www.mydomain.com%{REQUEST_URI} [R=permanent,L,NE]
>> 
>>  RewriteEngine on
>>  RewriteRule  ^(.*)$ https://www.mydomain.com/%{REQUEST_URI}

RE: [users@httpd] Forwarding IP to HTTPS. [EXT]

2020-10-12 Thread James Smith
So I would do this for the virtual host sections – assuming you are only 
running ONE externally facing website – there are other things you would need 
to do if you were running multiple ones

## Send all traffic on port 80 to the primary domain over SSL…


  RequestHeader unset X-is-ssl
  RewriteEngine on
  RewriteRule   ^(.*)$ https://www.example.com%{REQUEST_URI} 
[R=permanent,L,NE]


## Send all traffic on port 443 which isn't the primary domain to the primary 
domain
## This implicitly picks up the IP for the host, the actual hostname OR the 
unqualified domain name example.com


  RewriteEngine on
  RewriteRule   ^(.*)$ https://www.example.com/%{REQUEST_URI} [R,L,NE]



  Header always set Strict-Transport-Security "max-age=63072000; 
includeSubdomains; preload"
  ServerAdmin root@localhost
  ServerName www.example.com
  ## Do not use Server Alias here for alternative domains - only use for 
test/dev sites...
  DocumentRoot /var/www/wp
  
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
  

  ## Put the rest of your wordpress stuff here...


From: Jason Long 
Sent: 12 October 2020 16:39
To: users@httpd.apache.org
Subject: Re: [users@httpd] Forwarding IP to HTTPS. [EXT]

Excuse me,
Can you clean my configuration?

On Monday, October 12, 2020, 07:06:17 PM GMT+3:30, Frank <thu...@apache.org> wrote:


James,

Omitting an explicit ServerName in name-based vhosts is a bad idea as
well. You can create conflicts or ambiguities.

On 12/10/20 11:22 AM, James Smith wrote:
> This would be my set-up in your case - note as someone said it was too 
> complex I've removed the extra security bits I'd left in by accident...
>
> ## Port 80 && 443 default configs...
>
> 
>  RequestHeader unset X-is-ssl
>  RewriteEngine on
>  RewriteRule  ^(.*)$ https://www.mydomain.com%{REQUEST_URI} [R=permanent,L,NE]
> 
>
> 
>  RewriteEngine on
>  RewriteRule  ^(.*)$ https://www.mydomain.com/%{REQUEST_URI} [R,L,NE]
> 
>
> ## Port 443 default - this is our main server.. so your main apache 
> config stuff should be in here with SSL configured correctly..
>
> 
>  ServerName www.mydomain.com
>  ...
>  ...
>  ...
>  ...
>  ...
> 
>
> If you have more than one domain then you will need to add rules on port 80 
> to preserve the hostname & also blocks for each additional domain
>
>
>


RE: [users@httpd] Forwarding IP to HTTPS. [EXT]

2020-10-12 Thread James Smith
It's how you do a catchall... there is no other way of doing it - it doesn't 
cause any problems if you only have one.

I have many domains with wildcard DNS; it is the clean way of handling those 
sub-domains I am not serving in a "nice" manner, rather than just dropping the 
requests on the floor.


-Original Message-
From: Frank  
Sent: 12 October 2020 16:36
To: users@httpd.apache.org
Subject: Re: [users@httpd] Forwarding IP to HTTPS. [EXT]

James,

Omitting an explicit ServerName in name-based vhosts is a bad idea as well. You 
can create conflicts or ambiguities.


On 12/10/20 11:22 AM, James Smith wrote:
> This would be my set-up in your case - note as someone said it was too 
> complex I've removed the extra security bits I'd left in by accident...
> 
> ## Port 80 && 443 default configs...
> 
> 
>   RequestHeader unset X-is-ssl
>   RewriteEngine on
>   RewriteRule   ^(.*)$ https://www.mydomain.com%{REQUEST_URI} [R=permanent,L,NE]
> 
> 
>   RewriteEngine on
>   RewriteRule   ^(.*)$ https://www.mydomain.com/%{REQUEST_URI} [R,L,NE]
> 
> 
> ## Port 443 default - this is our main server.. so your main apache 
> config stuff should be in here with SSL configured correctly..
> 
> 
>   ServerName www.mydomain.com
>   ...
>   ...
>   ...
>   ...
>   ...
> 
>  
> If you have more than one domain then you will need to add rules on 
> port 80 to preserve the hostname & also blocks for each additional 
> domain
> 


RE: [users@httpd] Forwarding IP to HTTPS. [EXT]

2020-10-12 Thread James Smith
This would be my set-up in your case - note as someone said it was too complex 
I've removed the extra security bits I'd left in by accident...

## Port 80 && 443 default configs...


  RequestHeader unset X-is-ssl
  RewriteEngine on
  RewriteRule   ^(.*)$ https://www.mydomain.com%{REQUEST_URI} 
[R=permanent,L,NE]



  RewriteEngine on
  RewriteRule   ^(.*)$ https://www.mydomain.com/%{REQUEST_URI} [R,L,NE]


## Port 443 default - this is our main server.. so your main apache config 
stuff should be in here with SSL configured correctly..


  ServerName www.mydomain.com
  ...
  ...
  ...
  ...
  ...

 
If you have more than one domain then you will need to add rules on port 80 to 
preserve the hostname & also blocks for each additional domain




RE: [users@httpd] Forwarding IP to HTTPS. [EXT]

2020-10-12 Thread James Smith
Yes - with Apache you put a default virtual host which redirects all traffic to 
your https server


  RequestHeader unset X-is-ssl
  

  Require all denied

Require all granted
  
  ProxyPreserveHost on
  RewriteEngine on
  RewriteRule   ^(.*)$ https://myservername.com%{REQUEST_URI} 
[R=permanent,L,NE]


You can do something for 443 as well.

-Original Message-
From: Jason Long  
Sent: 12 October 2020 14:10
To: users@httpd.apache.org
Subject: Re: [users@httpd] Forwarding IP to HTTPS. [EXT]

Thank you.
I want, when a user enters my server IP address in his/her browser, for it to 
forward to "https://mywebsite.com".

On Monday, October 12, 2020, 12:14:31 PM GMT+3:30, Antony Stone wrote:

On Monday 12 October 2020 at 07:25:56, Jason Long wrote:

> Hello,
> Forwarding an IP address to HTTPS domain is the task of Apache or SSL?

What do you mean by "forwarding", and what protocol (presumably either HTTP or
HTTPS) is being used by the client application which starts the connection
(ie: a web browser or equivalent)?

Please give more details about your question so that we have a better idea what 
the correct answer might be.


Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.

                                                  Please reply to the list;
                                                        please *don't* CC me.



RE: [users@httpd] To Gzip or not? [EXT]

2020-10-10 Thread James Smith
There are two sorts of compression - TLS and HTTP.

It is recommended not to compress the TLS traffic (as CRIME can then be used to 
guess cookies etc.) - it compresses the whole response.
But compressing HTTP traffic is OK - unless there is some secret stored in the 
body of the HTML page {it only compresses the HTML of the page}.


-Original Message-
From: Antony Stone  
Sent: 10 October 2020 21:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] To Gzip or not? [EXT]

On Saturday 10 October 2020 at 20:23:46, Tom Browder wrote:

> I've been looking at ways to speed up my web services using 
> https://webpagetest.org for analysis. One thing I've been 
> reading about is using mod_deflate to compress certain files but keep 
> seeing the warnings

Which warnings?  Where?

> about using compression with https due to certain known threats.

What threats?

> In my searches so far I've not found anything saying that threat has 
> been mitigated. Does anyone here use compression with TLS or have any 
> current advice about the issue?

Can you point us at any document about what this "issue" is, so that we know 
what "threat" you're concerned about?


Antony.

-- 
What is brown, lies in the grass and smokes?
A "Kaminchen"... (a pun on Kaninchen, rabbit, and Kamin, chimney)

   Please reply to the list;
 please *don't* CC me.

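The reply above says HTTP-level compression is fine "unless there is some secret stored in the body". The script below, added here as an example and not part of the thread, shows with zlib why that caveat exists: a constructed page holds a CSRF token (assumed to be lower-case hex) and reflects attacker-chosen text, and the attacker sees only the compressed size. The page, the token and the reflection point are all constructed; nothing touches the network.

```python
"""Compression side channel of the CRIME/BREACH family, simulated with zlib.

Added example, not part of the thread. A constructed page carries a secret
(a CSRF token) and reflects attacker-chosen text; the attacker sees only the
size of the compressed body. When the reflected text matches the secret, LZ77
emits one longer back-reference instead of literals and the output shrinks.
Everything runs in-process; no network is involved.
"""
import secrets
import zlib

HEX = "0123456789abcdef"  # assumed: the token is lower-case hex


def render_page(token: str, reflected: str) -> bytes:
    """Constructed HTML: a hidden CSRF token plus a reflected search string."""
    return (
        "<html><head><title>Search</title></head><body>"
        '<form method="post" action="/search">'
        f'<input type="hidden" name="csrf" value="{token}">'
        f"<p>Results for: {reflected}</p>"
        "</form></body></html>"
    ).encode()


def make_oracle(token: str):
    """The attacker's view: only the compressed size of each response."""
    def oracle(reflected: str) -> int:
        return len(zlib.compress(render_page(token, reflected), 6))
    return oracle


def full_token_gap(token: str, wrong: str) -> int:
    """Bytes saved when the whole token is reflected versus a wrong guess."""
    oracle = make_oracle(token)
    return oracle(f'value="{wrong}') - oracle(f'value="{token}')


def score_candidate(oracle, known: str, c: str) -> int:
    """Two-tries scoring: compare known+c+pad against known+pad+c for several
    pad lengths. Both orders contain the same symbols, so a wrong c costs the
    same bits either way and scores 0; a right c lets the back-reference grow
    by one character in the first order only, so its score is negative.
    Summing over pads reduces, but cannot remove, ties from byte rounding."""
    total = 0
    for n in range(1, 9):
        pad = "~" * n  # '~' occurs nowhere else in the page
        total += oracle(f'value="{known}{c}{pad}') - oracle(f'value="{known}{pad}{c}')
    return total


def recover_token(oracle, length: int) -> str:
    """Greedy one-character-at-a-time recovery; a tie at any step derails it."""
    known = ""
    for _ in range(length):
        known += min(HEX, key=lambda c: score_candidate(oracle, known, c))
    return known


if __name__ == "__main__":
    token = secrets.token_hex(16)
    oracle = make_oracle(token)
    print("bytes saved by a fully correct guess:", full_token_gap(token, secrets.token_hex(16)))
    guess = recover_token(oracle, len(token))
    matched = sum(1 for a, b in zip(guess, token) if a == b)
    print(f"recovered {guess}; {matched}/{len(token)} characters correct")
```

A fully correct guess saves tens of bytes, which is the signal BREACH exploits; per-character recovery is noisier because DEFLATE sizes are rounded to whole bytes, so real attacks add padding tricks and repeat measurements. The practical conclusion matches the reply: the problem is not HTTP compression as such but compressing a response in which a secret and attacker-controlled input sit in the same body, so either keep such responses uncompressed or mask/rotate the token per request.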



RE: [users@httpd] Configuring KeepAliveTimeout to individual URIs [EXT]

2020-10-07 Thread James Smith
This has nothing to do with KeepAliveTimeout – that is to do with keeping a 
connection open to send subsequent requests without re-negotiating the 
connection.

It is TimeOut which is the gap between sending packets of the response.

If your response is taking more than 1 minute to generate then you are hitting 
this problem, which gives you the 503.

How can you get round this:

  *   Look for bottlenecks and speed up the response;
  *   Look at how you serve the data:
      *   Do you collect it all together and return it as one big blob, or can you 
          stream the data as you generate it?
          *   We have a script that generates many MB of data and can take 
              upwards of an hour to generate the data – we simply stream that output 1 line 
              at a time; memory usage is extremely small and there are no timeout issues.
      *   Can you look at a ticketing solution?
          *   The page generates a "ticket" which kicks off the data export job 
              and returns saying the data is being produced.
          *   You then create a unique URL which will fetch the data, or say 
              come back later.
          *   You then have a ticker in the page which retrieves the data via 
              AJAX, or just waits till ready and redirects.


From: alchemist vk 
Sent: 07 October 2020 11:53
To: users@httpd.apache.org
Subject: [users@httpd] Configuring KeepAliveTimeout to individual URIs [EXT]

Hi All,
 I have a requirement where serving GET on a few URIs whose payload is large 
takes more than 1 min compared to our configured "KeepAliveTimeout 60" 
directive. And this is resulting in a 503 error to clients.
Is there a way where I can group a few URIs and increase KeepAliveTimeout to 300 
secs?
Tried LocationMatch but can't configure the KeepAliveTimeout directive inside 
the LocationMatch.

Any help is appreciated .

WR
A



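The ticketing approach in the reply above, carried through as an added example (not code from the thread): the request that starts an export returns at once with a ticket, the producer runs in the background and writes its output as it is generated, and the client polls. The job registry is an in-process dictionary, which is an assumption for the demonstration; behind a prefork or worker httpd it would have to be a database or queue shared by all processes.

```python
"""Ticket-based export, the third option in the reply above. Added example,
not from the thread: the request that starts an export returns at once with
a ticket, the work runs in the background, and the client polls. The job
registry here is in-process (an assumption for the demo); behind a
prefork/worker httpd it would live in a database or queue shared by all
processes.

Two details carry the security weight: the ticket is random (secrets
module), so exports cannot be enumerated, and it is bound to the user who
requested it, so a leaked or guessed ticket still yields 404 for anyone else.
"""
import os
import secrets
import tempfile
import threading
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass
class Job:
    owner: str
    path: str                       # output file; the client never sees this name
    status: str = "running"         # running | done | failed
    error: Optional[str] = None
    thread: Optional[threading.Thread] = None


class ExportTickets:
    def __init__(self) -> None:
        self._jobs: Dict[str, Job] = {}
        self._lock = threading.Lock()

    def submit(self, owner: str, producer: Callable[[], Iterable[str]]) -> str:
        """Start the export in the background and return its ticket at once."""
        ticket = secrets.token_urlsafe(32)           # 256 random bits, not a sequence number
        fd, path = tempfile.mkstemp(prefix="export-", suffix=".csv")
        job = Job(owner=owner, path=path)

        def run() -> None:
            try:
                with os.fdopen(fd, "w") as out:
                    for chunk in producer():         # written as produced: memory stays flat
                        out.write(chunk)
                        out.flush()
                job.status = "done"
            except Exception as exc:                  # record the failure instead of killing the worker
                job.status = "failed"
                job.error = str(exc)

        job.thread = threading.Thread(target=run, daemon=True)
        with self._lock:
            self._jobs[ticket] = job
        job.thread.start()
        return ticket

    def poll(self, owner: str, ticket: str) -> Tuple[int, str]:
        """HTTP status and body for 'GET /export/<ticket>' made by <owner>."""
        with self._lock:
            job = self._jobs.get(ticket)
        if job is None or job.owner != owner:
            return 404, "no such export"      # same answer for unknown and foreign tickets
        if job.status == "running":
            return 202, "export still running; retry later"
        if job.status == "failed":
            return 500, f"export failed: {job.error}"
        return 200, job.path                  # a real handler would stream this file to the client

    def wait(self, ticket: str, timeout: float) -> bool:
        """Block until the job finishes (for tests and command-line use)."""
        job = self._jobs.get(ticket)
        if job is None or job.thread is None:
            return False
        job.thread.join(timeout)
        return not job.thread.is_alive()


if __name__ == "__main__":
    def demo_rows():                          # constructed producer standing in for the slow query
        yield "id,value\n"
        for i in range(3):
            yield f"{i},{i * i}\n"

    tickets = ExportTickets()
    t = tickets.submit("alice", demo_rows)
    tickets.wait(t, 5)
    print(tickets.poll("alice", t))           # (200, '/tmp/export-....csv')
    print(tickets.poll("mallory", t))         # (404, 'no such export')
```

Returning 404 rather than 403 for a ticket that belongs to someone else avoids confirming that the ticket exists, and the 202 response is what the page's "ticker" polls until it flips to 200.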

RE: [users@httpd] Re: Alternatives to SSI (server side includes)? [EXT]

2020-10-05 Thread James Smith
It’s probably the size of your SQLite database – so I would look at reducing 
the size of that.

Still unclear what you are doing to know what the delay is – perhaps some 
sample code would be useful for us to look at – so we know what you parse & 
store; and also what you display, if you display anything.

Another way of solving some of these issues is to use tell-tales – small images 
{blank gif/png} that are embedded into the HTML and are generated dynamically 
– this is the way Google Analytics/Matomo etc. do this sort of logging. Or just 
use AJAX.

James

From: Tom Browder 
Sent: 05 October 2020 12:16
To: users@httpd.apache.org
Subject: Re: [users@httpd] Re: Alternatives to SSI (server side includes)? [EXT]

On Sun, Oct 4, 2020 at 13:05 Scott A. Wozny <sawo...@hotmail.com> wrote:
IMHO, Web Sockets aren't going to get you any real benefit here.  The primary

Thanks, Scott. I do intend to look into the timing.

BTW, this website takes over eight seconds to load, and it uses the same CGI 
setup as my other sites:

https://psrr.info

Cheers!

-Tom




RE: [users@httpd] Re: Alternatives to SSI (server side includes)? [EXT]

2020-10-04 Thread James Smith
Definitely SQLite will be a bottleneck in this system – not great for writing 
to – either Pg or MySQL would almost certainly be a better solution for repeated 
writing to.

You could get some simple gains by splitting the database up so that there is a 
database per site rather than a database for all 10 sites – unless there is 
data to be shared between them – as you would have less database lock 
contention on the individual databases. SQLite is not designed to be used in a 
situation where there are lots of write locks, and does not scale very well as 
the database gets larger…

Also, just trying to get round what each visitor triggers in the CGI – and why 
it is a lot of work for the db – this is where you would need to make things 
easier for it & yourself: is the information you show useful to the user, or 
could this just be processed some other way!


From: Tom Browder 
Sent: 03 October 2020 20:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] Re: Alternatives to SSI (server side includes)? [EXT]

On Sat, Oct 3, 2020 at 13:46 Scott A. Wozny <sawo...@hotmail.com> wrote:
Sounds like a job for AJAX, but before throwing out the baby with the bath 
water I'd seriously consider turning up logging with timestamps on your 
existing CGI and

That's a good idea, Scott, I've just been too lazy and debugging CGI is such a 
pain.

The clients are mostly casual browsers, but every visitor triggers the CGI so 
that's a lot of work for the db. Regarding the db it's currently an SQLite 
instance but I'm running about 10+ virtual sites off the same db and needing 
writes so that alone may be part of the problem.

Also, I do have a good Pg db running I've intended to use but just haven't 
gotten a "round tuit" yet.

But, could a web socket setup help do you think?

Best,

-Tom




RE: [users@httpd] Re: Alternatives to SSI (server side includes)? [EXT]

2020-10-04 Thread James Smith
Iframes have their use – but usually to include content from another site 
(e.g. Google Maps, YouTube etc.) – or to embed dynamic content that either 
needs to be dynamically updated and can’t do this with AJAX, or you are 
struggling with CSS clashes as the iframe is a different document. Not sure if 
it would really help here – I think I would look at AJAX first – depends on 
what you are trying to do.

There are alternative ways you can do this – but it depends on your server 
architecture – if you are using mod_perl for instance you can look at an 
output filter to add the data; if you are using PSGI you may be able to wrap 
additional layers around your code {won’t gain you much but would avoid 
additional calls to CGI scripts} and add the content into the page after the 
page has been rendered. With mod_perl you can do useful stuff with pnotes; in 
other cases you may be able to use environment variables if you are running in 
the same process {not easy if you are doing two separate calls}.

The system we use is set up to do two stage caching – one which caches the 
content of the page with placeholders which then get processed with additional 
variables.

From: Tom Browder 
Sent: 04 October 2020 11:44
To: users@httpd.apache.org
Subject: Re: [users@httpd] Re: Alternatives to SSI (server side includes)? [EXT]

On Sun, Oct 4, 2020 at 04:38 Rob De Langhe <rob.de.lan...@twistfare.be> wrote:

I simply use (or dynamically construct) a page with iframes, in which each 
iframe gets loaded by a separate CGI results;
Hm, I've always thought that iframes were frowned upon in modern practice. I'll 
have to read up on them

Thanks, Rob.

Cheers,

-Tom





RE: [users@httpd] Re: Alternatives to SSI (server side includes)? [EXT]

2020-10-04 Thread James Smith
There are a number of things you can do:

1) Why are you doing what you are doing - i.e. why are you updating what is 
displayed to the user
2) Others have suggested using AJAX, another thing you can look at here is what 
and how you are retrieving the data.
You can look at using a cleanup handler (sorry mod_perl user here!) 
which does all the work for you and writes/updates the database, and then your 
ajax retrieves the data...
3) You can possibly speed up code by using a write-through cache to avoid a lot 
of read/writes to your database
4) From what you are saying it isn't clear what you are doing - perhaps an 
example URL or two would be useful for us to offer some support...

James


-Original Message-
From: Tom Browder  
Sent: 03 October 2020 19:08
To: users@httpd.apache.org
Subject: [users@httpd] Re: Alternatives to SSI (server side includes)? [EXT]

On Sat, Oct 3, 2020 at 12:18 Tom Browder  wrote:
> I have been using server side includes since I started my websites on 
> Apache
...
> Any suggestions for SSI replacement with a more asynchronous method?

Let me be more specific about the data flow I'm using with the landing
(home) page of my websites:

+ the first SSI line executes a CGI program that extracts the CGI and
SSL variables and their values. Data of interest include: requesting IP, email 
address in the SSL client certificate, time of page load

+ the second line executes a CGI program that generates a link to a
page that presents the current and past statistics of the visitor based on the 
stats in the db updated with the first CGI program

-Tom


RE: [users@httpd] Some questions about configuration Apache from a beginer. [EXT]

2020-09-07 Thread James Smith
No, neither of these is needed for the SSL certificate - in fact the 
externally facing hostnames on a server will usually be in /etc/hostname; this 
will be the name that you have given to the box {this allows you to move 
the "public" domain to a different box}, e.g. you may call it 
web-server-01.mydomain. Keep it something like this for simplicity.

So e.g. my /etc/hostname just contains "web-server-01",

My /etc/hosts contains:

127.0.0.1   localhost
127.0.1.1   web-server-01.mydomain web-server-01
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

For SSL, you need to make sure the public-facing URL you are using is in the 
certificate (either as the name or a SAN); then you are OK to use it on the server.

 -Original Message-
From: Jason Long  
Sent: 06 September 2020 12:22
To: users@httpd.apache.org; James Smith 
Subject: Re: [users@httpd] Some questions about configuration Apache from a 
beginer. [EXT]

Thank you for your help.
Is the content of the "/etc/hosts" and "/etc/hostname" files important for getting an 
HTTPS certificate? For example, if I want to get a certificate for 
"example-net.net".






RE: [users@httpd] Some questions about configuration Apache from a beginer. [EXT]

2020-09-05 Thread James Smith
The first one doesn’t matter – but to be honest you shouldn’t do it – you 
should create two configurations – one for the www.domain and one for domain. 
Choose one as canonical (the one you really want users to see) and put the real 
configuration here.

Under the other domain – you include a rewrite rule to redirect to the 
canonical one…


<VirtualHost *:443>
  # *:443 assumed from the ssl-conf Include; the archived copy lost the
  # <VirtualHost> tags
  ServerName    mydomain.com
  ServerAlias   myotherdomain.com
  ServerAlias   www.myotherdomain.com
  Include       conf/ssl-conf/mydomain.com.conf
  RewriteEngine on
  # $1 already begins with "/", so no slash after the host name
  RewriteRule   (.*) https://www.mydomain.com$1 [R,L,NE]
</VirtualHost>


Now which to use as the canonical domain is up to you….

There are arguments for both – there is a trend to remove the WWW, but if you 
have multiple domains on the same server (we have around 120 at work for a 
front end proxy) – you can set www.domain1.com, www.domain2.com, 
www.domain3.com to be CNAMEs in DNS so if you have to 
quickly move to another IP address you can just update the A record for the 
hostname the CNAMEs point to (for example if the primary machine fell over and 
you couldn’t get it back up and running)… If you use the unqualified domains 
domain1.com, domain2.com etc. you would have to change each A record separately.

Now - there are three real reasons for using ServerAlias in my mind:

  *   Having a common code base across a different number of sites – which uses 
the URL of the request to determine a configuration – and consequently run 
different versions of the site….
  *   You have multiple aliases for a domain so you can use ServerAlias to 
redirect them to the canonical domain (see above)
  *   You have live, staging, dev and sandbox servers as part of the production 
cycle, so you set the ServerName to the URL of the live server and the 
staging/dev/sandbox URLs as ServerAlias – then you can use the same 
configuration on each of the servers {with a little bit of environment variable 
fudging to set root paths for the apache}


<VirtualHost *:443>
  # *:443 assumed from the ssl-conf Include; the archived copy lost the
  # <VirtualHost> tags
  ServerName    www.mydomain.com
  ServerAlias   dev.mydomain.com
  ServerAlias   test.mydomain.com
  ServerAlias   my-sandbox-server.mydomain.com
  ServerAlias   freds-sandbox-server.mydomain.com
  Include       conf/ssl-conf/mydomain.com.conf

  … configuration …
</VirtualHost>




From: Jason Long 
Sent: 03 September 2020 22:43
To: users@httpd.apache.org
Subject: [users@httpd] Some questions about configuration Apache from a 
beginer. [EXT]

Hello,
I have some questions about Apache configuration and I'm thankful if anyone 
help me.

1- In Apache configuration, must both "ServerName" and "ServerAlias" be 
defined? Which one must have the "www" prefix?

2- If the "/etc/pki/tls/private/localhost.key" and
"/etc/ssl/certs/localhost.crt" files are deleted, then how can I regenerate them? Is 
the command below OK?

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/ssl/certs/localhost.crt

Is "localhost" the name of my host? If my hostname is "example-test", then must 
these files be named "example-test.key" and "example-test.crt"?

3- By default, Linux uses "localhost.localdomain"; if I have installed Apache and my 
web site is up too, then can I change "localhost.localdomain"?

4- For a web site with the name "example-test.net" and the "192.168.1.2" IP 
address, what is the content of the "/etc/hostname" and "/etc/hosts" files?

It is a great help if anyone answer my questions by number.

Thank you.





RE: [users@httpd] Apache and nextcloud - insecure ? [EXT]

2020-09-03 Thread James Smith
Not sure what Nextcloud is - but this is often common amongst "black-box" web 
apps that bootstrap themselves and handle upgrades from the UI.

The webserver has to be able to re-write its own files for the upgrades.

Scary, and against all "normal" secure procedures, if you manage your site from 
the command line.


-Original Message-
From: Lentes, Bernd  
Sent: 01 September 2020 12:06
To: users Maillingsliste Apache 
Subject: [users@httpd] Apache and nextcloud - insecure ? [EXT]

Hi,

i'm planning to install Nextcloud on an Ubuntu 20.04 with Apache.
But the recommendations from Nextcloud to configure Apache don't appeal to me.

1. https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#installation-wizard
The recommendation is to change the owner of the DocumentRoot of the Nextcloud 
installation to www-data, the user the apache2 process is running as.
"chown -R www-data:www-data /var/www/nextcloud/"
This is weird, isn't it? I remember 
http://httpd.apache.org/docs/2.4/misc/security_tips.html "Permissions on ServerRoot Directories",
which is contradictory to that.

2. The second recommendation is even stranger:
https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#pretty-urls
"mod_env and mod_rewrite must be installed on your webserver and the .htaccess 
must be writable by the HTTP user. Then you can set in the config.php two 
variables:"
.htaccess writeable by the HTTP user!?! I'm no webserver expert, but I get 
pain in my stomach reading this.
What do you think?
Has anyone experience installing Nextcloud?
Would it be a good idea to install Nextcloud via snap, which seems to be more 
secure?

Bernd
-- 

Bernd Lentes
Systemadministration
Institute for Metabolism and Cell Death (MCD) Building 25 - office 122 
HelmholtzZentrum München bernd.len...@helmholtz-muenchen.de
phone: +49 89 3187 1241
phone: +49 89 3187 3827
fax: +49 89 3187 2294
http://www.helmholtz-muenchen.de/mcd

stay healthy
Helmholtz Zentrum München



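The objection in this thread is to code and .htaccess being writable by the account httpd runs as. The script below is an added example, not code from the thread or from the Nextcloud project: it walks a DocumentRoot and lists every file or directory a given uid/gid set could modify, flagging code and .htaccess separately. The default account name "www-data" and path "/var/www" in the command-line usage are assumptions; the tree and modes in the usage are constructed.

```python
"""Find files and directories under a DocumentRoot that the httpd account
could modify. Added example, not from the thread or the Nextcloud project.

Code and .htaccess writable by the web server user turn any upload or
code-execution bug into a persistent backdoor. Run this against the real
docroot with the real httpd uid/gid, and the only hits should be the
directories the application genuinely needs (uploads, data, config), never
PHP code or .htaccess.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Set

# A write to any of these is arbitrary code execution in the httpd process.
CODE_SUFFIXES = (".php", ".phtml", ".htaccess", ".cgi", ".pl", ".py")


@dataclass(frozen=True)
class Finding:
    path: str
    mode: str        # symbolic, e.g. "-rw-rw-r--"
    owner_uid: int
    reason: str      # which permission class grants the write
    is_code: bool


def writable_by(st: os.stat_result, uid: int, gids: Set[int]) -> Optional[str]:
    """Why (uid, gids) can write the object described by st, or None.
    POSIX checks exactly one class: owner if the uid matches, else group if
    the gid matches, else other; a read-only owner bit is not rescued by a
    writable 'other' bit."""
    if uid == 0:
        return "root"
    if st.st_uid == uid:
        return "owner" if st.st_mode & stat.S_IWUSR else None
    if st.st_gid in gids:
        return "group" if st.st_mode & stat.S_IWGRP else None
    return "other" if st.st_mode & stat.S_IWOTH else None


def audit_tree(root: str, uid: int, gids: Iterable[int]) -> Iterator[Finding]:
    """Walk root without following symlinks and yield every writable object.
    Directories are reported too: even if index.php is read-only, a writable
    parent lets the web user delete and recreate it."""
    gid_set = set(gids)
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in [""] + filenames:          # "" stands for the directory itself
            path = dirpath if name == "" else os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                       # link targets are judged where they live
            reason = writable_by(st, uid, gid_set)
            if reason is None:
                continue
            yield Finding(path, stat.filemode(st.st_mode), st.st_uid, reason,
                          os.path.basename(path).endswith(CODE_SUFFIXES))


def report(findings: Iterable[Finding]) -> str:
    """One line per finding, code first so it is read first."""
    lines = []
    for f in sorted(findings, key=lambda f: (not f.is_code, f.path)):
        tag = "CODE" if f.is_code else "data"
        lines.append(f"{tag} {f.mode} uid={f.owner_uid} via {f.reason}: {f.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    import grp
    import pwd
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"        # assumed default
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"        # assumed account name
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    print(report(audit_tree(root, pw.pw_uid, gids)) or "nothing writable by " + user)
```

Run it after the install and again after every in-place upgrade: the upgrade path is exactly when applications like the one discussed above ask for write access, and the lines tagged CODE are the ones that should be empty on a hardened host (with AllowOverride None, a writable .htaccess at least stops mattering to httpd).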


RE: [users@httpd] How to Migrate Wordpress Website from 32-bit CentOS Linux 6.3 to 64-bit CentOS Linux 8.2 (2004) [EXT]

2020-09-02 Thread James Smith
You will need to read up on the differences between the 2.2 and 2.4 Apache 
documentation [there are some upgrade docs] - just copying the configuration over 
will not work...

e.g. LockFile -> Mutex; 

Order allow,deny / Deny from all -> Require all denied
Order allow,deny / Allow from all -> Require all granted
Include -> IncludeOptional, if there may not be any files in the directory

-Original Message-
From: Turritopsis Dohrnii Teo En Ming  
Sent: 31 August 2020 14:39
To: users@httpd.apache.org
Cc: c...@teo-en-ming-corp.com
Subject: [users@httpd] How to Migrate Wordpress Website from 32-bit CentOS 
Linux 6.3 to 64-bit CentOS Linux 8.2 (2004) [EXT]

Subject: How to Migrate Wordpress Website from 32-bit CentOS Linux 6.3 to 
64-bit CentOS Linux 8.2 (2004)

Author of this Guide: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)

Country: Singapore

Date: 31 August 2020 Monday Singapore Time

Type of Publication: Plain Text

Document Version: 20200831.01

SECTION 1 Information Gathering Stage
=

Host operating system is Windows Server 2008 R2 Standard

Host Processor: Intel Xeon CPU E5620 @ 2.40 GHz

Host Memory: 24 GB RAM

Old Oracle VirtualBox version is 4.1.18

Upgrade to Virtualbox version 6.1.12 (COMPLETED SUCCESSFULLY AFTER RESTARTING 
WINDOWS SERVER)

Old CentOS Linux VM is version 6.3 (32-bit only)

Old Apache web server version 2.2.15

Old MySQL database server version 5.1.61

Old PHP version 5.6.40

Interface eth0: AAA.BBB.CCC.3/24 (ifconfig)
Gateway: AAA.BBB.CCC.2 (ip route) (Gateway is the next hop router which is also 
the Fortigate firewall) /etc/resolv.conf (for DNS Client):
nameserver AAA.BBB.CCC.1 (This is the Windows Server with DNS Server role 
installed)

How to login to OLD MySQL database server:

mysql -u root -p

Old hostname: centos63.teo-en-ming-corp.com

Old Virtual Machine Settings


4 GB RAM, 2 processors, 20 GB storage, network adapter: bridged to broadcom 
bcm5709c

NEW Virtual Machine Settings

 
4 GB RAM, 4 processors, 100 GB storage, network adapter: bridged to broadcom 
bcm5709c
 
After using Advanced IP scanner and checking DHCP scope in Microsoft DHCP 
server in Windows Server,
 
Unused IP address: AAA.BBB.CCC.4 (Use this IP address for new CentOS 8.2 Linux 
VM)

SECTION 2 Installation of NEW CentOS 8.2 Linux Virtual Machine 
==

New Hostname: centos82.teo-en-ming-corp.com

NEW IP: AAA.BBB.CCC.4
Subnet mask: 255.255.255.0 (Class C)
Gateway: AAA.BBB.CCC.2
DNS1: 8.8.8.8

Problem
===

CentOS 8.2 Linux 64-bit will not start and run because VirtualBox is too old 
(version 4.1.18). Intel Virtualization and VT-d already enabled in server BIOS 
previously.
So running 64-bit virtual machines is not an issue.

Solution


After upgrading to VirtualBox 6.1.12, CentOS 8.2 Linux 64-bit is able to start 
and run.

SECTION 3 Generate a Backup of ALL Databases in the Old VM 
===

Reference Guide: How to backup and restore MySQL databases using the mysqldump 
command

Link: https://www.sqlshack.com/how-to-backup-and-restore-mysql-databases-using-the-mysqldump-command/

Reference Guide: How to Show Users in MySQL using Linux

Link: https://www.hostinger.com/tutorials/mysql-show-users/

# cd /root

# mysqldump -u root -p --all-databases > all-databases-20200829.sql

# du -h all-databases-20200829.sql

70M all-databases-20200829.sql

SECTION 4 Disable SELinux (Security Enhanced Linux) 
===

You MUST disable SELinux, otherwise Apache web server will not work.

If you DO NOT want to disable SELinux, you must be an expert in SELinux to 
configure SELinux.

# nano /etc/selinux/config

SELINUX=disabled

# reboot

SECTION 5 Disable firewalld Software Firewall 
=

Because already protected by Fortigate firewall at the perimeter.

# systemctl disable firewalld

# reboot

SECTION 6 LAMP (Linux, Apache, MySQL and PHP) Installation 
==

I will be installing Apache web server 2.4.37-21, MariaDB server 3:10.3.17-1, 
PHP 7.2.24-1 and OpenSSL 1:1.1.1c-15 in 64-bit CentOS Linux 8.2 (2004). 

Sub-Section on Installing Apache Web Server 
===

# dnf install php php-fpm php-gd

You *MUST* install php-gd, otherwise Apache Web Server cannot execute PHP 
scripts.

# dnf 

RE: [users@httpd] http-https [EXT]

2020-08-12 Thread James Smith
And also remember to add the HSTS headers:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

{only put includeSubDomains & preload if you can} This stops the client sending 
further HTTP requests, only HTTPS {most web servers}.

This can stop the plain-text password issue...


From: Jim Albert 
Sent: 11 August 2020 15:07
To: users@httpd.apache.org
Subject: Re: [users@httpd] http-https [EXT]

On 8/11/2020 3:00 AM, MEjaz wrote:
Hello,.

I have a requirement to redirect the URL. Whoever types my site 
http://newtraffic.cyberia.net.sa, it should redirect to 
https://newtraffic.cyberia.net.sa

I am struggling a bit to achieve this. Please assist.

Ejaz


As long as the request is staying on the same server, mod_rewrite is a good use 
for this and I believe avoids another request as in a redirect.
The following 3 lines would go in your httpd.conf file.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}$1 [L,R=302]

https://httpd.apache.org/docs/current/mod/mod_rewrite.html

This assumes you want all http traffic handled via https and not just the root 
of your site.

Change the 302 (temporary) to 301 (permanent) once you know things are working 
as you like.

Jim







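The reply above says the Strict-Transport-Security header "stops the client sending further HTTP requests". The class below is an added example, not code from the thread, that implements the client side of that promise with RFC 6797 semantics: a policy is only learnt from an HTTPS response, is ignored for IP-literal hosts, expires after max-age seconds, is revoked by max-age=0, and once known causes http:// URLs for the host (and its subdomains when includeSubDomains is present) to be rewritten to https:// before any connection is opened. The host names and timestamp in the usage are constructed.

```python
"""Client-side HSTS policy store with RFC 6797 semantics. Added example, not
part of the thread; the host names and timestamp in the usage are constructed.

Once a policy has been learnt from an HTTPS response, later http:// URLs for
that host (and, with includeSubDomains, its subdomains) are rewritten to
https:// before a connection is opened, so a typed http:// link never sends
a cookie or password in clear text. Policies on plain-HTTP responses are
ignored, max-age=0 revokes, and expiry is enforced on lookup.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    received_at: float
    max_age: int
    include_subdomains: bool


def parse_hsts(value: str, now: float) -> Optional[HstsPolicy]:
    """Parse a header value. None when max-age is missing, duplicated or not
    a number. 'preload' and unknown directives are ignored by clients."""
    max_age: Optional[int] = None
    include_sub = False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(now, max_age, include_sub)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HstsCache:
    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, url: str, headers: Dict[str, str], now: float) -> bool:
        """Learn from a response. True if the policy store changed."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or not host or _is_ip_literal(host):
            return False          # RFC 6797: only HTTPS responses, only DNS names
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        policy = parse_hsts(value, now)
        if policy is None:
            return False
        if policy.max_age == 0:   # explicit revocation
            return self._policies.pop(host, None) is not None
        self._policies[host] = policy
        return True

    def is_known_host(self, host: str, now: float) -> bool:
        """Exact match, or a superdomain whose policy has includeSubDomains."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if now >= policy.received_at + policy.max_age:
                del self._policies[candidate]   # expired: forget it
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when a policy applies."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"   # explicit non-default port is kept; :80 becomes :443
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    now = 1_700_000_000.0   # constructed timestamp
    cache.observe_response("https://www.example.test/",
                           {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}, now)
    for url in ("http://www.example.test/login", "http://api.example.test/", "http://example.org/"):
        print(url, "->", cache.rewrite(url, now + 60))
```

Two consequences follow for the server side. The header only takes effect when sent on an HTTPS response, so setting it in the port-80 redirect vhost does nothing; and includeSubDomains covers the subdomains of the host that sent it, so a policy learnt from www.example.test does not protect api.example.test unless the apex example.test also sends the header.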



Re: [users@httpd] Bizarre problem with Apache HTTPD, a number of Tomcats, mod_proxy_balancer and mod_jk - any ideas where to look for the root cause welcome [EXT]

2020-03-18 Thread Dr James Smith
Do you see anything different between the users that work and the users 
that don't.. Do they use a different browser (useragent) or HTTP protocol?


On 18/03/2020 12:40, "Jürgen Göres" wrote:

Hi all,

We are currently observing a really bizarre problem on a customer system.
Our software runs a number of microservices on individual Tomcats, which we 
front with an Apache HTTPD (2.4.x) reverse proxy using mod_jk to route the 
requests by context. There is one exception, though: one of the microservices 
which we added to the stack at a later point in time uses websockets, which 
are not supported through the AJP protocol, so we are using mod_proxy_balancer 
here.
We put the ProxyPass etc. rules for mod_proxy_balancer in front of the directives related to mod_jk 
and we have been mostly fine with this approach for a few years now. We have two sets of balancer 
specifications for mod_proxy_balancer and their associated rules, one for regular http traffic, the 
other for websocket traffic ("ws:" resp. "wss:").

Let's name the microservices that are handled by mod_jk A, B, and C,  and let's 
name the one handled by mod_proxy_balancer Z. Let's further assume that their 
request contexts are /a, /b, /c and /z, respectively.

Now about the current customer problem: the customer started experiencing very 
erratic system behaviour. In particular requests that were meant for one of the 
microservices A-C handled by mod_jk would randomly give 404 responses. Usually, 
this situation would persist for an affected user for a few seconds and 
reloading wouldn't resolve it. At the same time, other users accessing the very 
same microservice didn't have a problem. Pretty much all users were affected 
from time to time.

We did several troubleshooting sessions that turned up nothing. At some point, 
we started to monitor all kinds of traffic between HTTPD and the Tomcats with 
TCPdump, and here we found the bizarre thing:
When we ran TCP dump and filtered it to only show traffic between HTTPD and the 
microservice Z (handled by mod_proxy_balancer), we sometimes saw requests that 
were clearly meant for one of the OTHER microservices (A-C) based on the 
request URL (a, /b, /c) that would show up in the traffic to the microservice 
Z, and naturally microservice Z has no idea of what to do with these requests 
and responds with 404.

What else might be relevant:
- our microservices are stateless, so we can scale horizontally if we want. On 
that particular system, we have at least two instances of each microservice 
(A-C and Z)
- the installation is spread across multiple nodes
- the nodes run on Linux
- Docker is not used ;-)
- we have never seen this problem on any other system
- we haven't seen this problem on the customer's test system, but here usage 
patterns are different
- the requests with 404 responses wouldn't show up in the HTTPD's access log (where 
"normal" 404 requests DO show).
- the customer had recently updated from a version of our product that uses 
Apache 2.4.34 to one using 2.4.41
- disabling the microservice Z (= no more balancer workers for 
mod_proxy_balancer) would resolve the problem
- putting the rules for mod_proxy_balancer after those of mod_jk (and adding an 
exclusion for /z there, cause one of the other microservices is actually 
listening on the root context) would NOT change a thing

 From experience, we are pretty sure that the problem is somewhere on our side. 
;-)

- One thing we thought is that maybe a bug in microservice Z that is only 
triggered by this customer's use of our product causes the erratic behaviour of 
the HTTPD/MPB? Maybe something we do wrong messing up the connection keepalive 
between Apache and Tomcat, causing requests to go the wrong way?
- Or maybe it is related to the Apache version update (2.4.34 to 2.4.41)? But 
why are other installations with the same version not affected?

Any ideas where we should start looking?

Regards

J




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org











Re: [users@httpd] Complete list of Expires Headers for WordPress site? [EXT]

2020-02-18 Thread Dr James Smith
Do you embed external resources (like fonts)? These don't tend to have 
the same headers set... I get this with one of my static sites - I have 
13 requests and three are for google fonts (nunito-sans) and these don't 
have decent headers set!


On 18/02/2020 19:00, edflecko . wrote:
I mention that I'm running a WP site only if that matters. The OS is 
CentOS 7 and I host the server.


When I test my site with https://tools.pingdom.com, it scores me an 89 in the area of Expires Headers. I'm hoping 
someone can tell me what else I might want to add, so I have  a 
"complete" list of Expires Headers?


Here's what I have in my httpd.conf file:


# Enable cache expirations
ExpiresActive On
# Default directive
ExpiresDefault "access plus 1 month"
# My favicon
ExpiresByType image/x-icon "access plus 1 year"
# Media: images, video, audio
  ExpiresByType image/gif       "access plus 1 month"
  ExpiresByType image/png       "access plus 1 month"
  ExpiresByType image/jpg       "access plus 1 month"
  ExpiresByType image/jpeg      "access plus 1 month"
  ExpiresByType video/ogg       "access plus 1 month"
  ExpiresByType audio/ogg       "access plus 1 month"
  ExpiresByType video/mp4       "access plus 1 month"
  ExpiresByType video/webm      "access plus 1 month"
# Webfonts
  ExpiresByType font/truetype   "access plus 1 year"
  ExpiresByType font/opentype   "access plus 1 year"
  ExpiresByType application/x-font-woff "access plus 1 year"
  ExpiresByType image/svg+xml   "access plus 1 year"
  ExpiresByType application/vnd.ms-fontobject   "access plus 1 year"
# CSS and JavaScript
  ExpiresByType text/css        "access plus 1 year"
  ExpiresByType application/javascript  "access plus 1 year"
  ExpiresByType text/javascript "access plus 1 year"
  ExpiresByType text/x-javascript       "access plus 1 month"
# Misc. files
  ExpiresByType application/pdf "access plus 1 month"
  ExpiresByType application/x-shockwave-flash   "access plus 1 month"
  ExpiresDefault        "access plus 2 days"


    Header append Cache-Control "public"


Thank you,
Ed




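The question above is what a "complete" ExpiresByType list looks like, but the fragment as posted has two things worth checking by hand before adding more lines: ExpiresDefault appears twice (the second, "access plus 2 days", overrides the first, because a repeated directive in the same scope wins over the earlier one), and there is no entry for text/html, so WordPress's dynamic pages inherit the default and, together with the appended Cache-Control "public", become cacheable by shared caches. The checker below is an added example, not code from the thread or from httpd; it parses the verbose mod_expires interval syntax into seconds with the same fixed factors mod_expires uses (30-day month, 365-day year) and reports both issues over a cut-down, constructed copy of Ed's fragment.

```python
import re

# Constructed sample: a cut-down copy of the httpd.conf fragment posted above,
# embedded here so the checker runs offline.
SAMPLE_CONFIG = """\
# Enable cache expirations
ExpiresActive On
# Default directive
ExpiresDefault "access plus 1 month"
# My favicon
ExpiresByType image/x-icon "access plus 1 year"
  ExpiresByType image/gif       "access plus 1 month"
  ExpiresByType text/css        "access plus 1 year"
  ExpiresByType application/javascript  "access plus 1 year"
  ExpiresByType text/x-javascript       "access plus 1 month"
  ExpiresDefault        "access plus 2 days"
    Header append Cache-Control "public"
"""

# Fixed factors: the same approximation mod_expires applies (30-day month, 365-day year).
UNIT_SECONDS = {
    "year": 365 * 86400, "month": 30 * 86400, "week": 7 * 86400,
    "day": 86400, "hour": 3600, "minute": 60, "second": 1,
}

DEFAULT_RE = re.compile(r'^\s*ExpiresDefault\s+"([^"]*)"\s*$', re.I)
BYTYPE_RE = re.compile(r'^\s*ExpiresByType\s+(\S+)\s+"([^"]*)"\s*$', re.I)


def to_seconds(spec):
    """Parse the verbose form '<base> [plus] (<num> <unit>)*' into (base, seconds).
    base is 'access' (alias 'now') or 'modification'."""
    words = spec.strip().lower().split()
    if not words or words[0] not in ("access", "now", "modification"):
        raise ValueError(f"unknown base in {spec!r}")
    base = "access" if words[0] == "now" else words[0]
    rest = words[2:] if len(words) > 1 and words[1] == "plus" else words[1:]
    if len(rest) % 2:
        raise ValueError(f"unbalanced interval in {spec!r}")
    total = 0
    for num, unit in zip(rest[::2], rest[1::2]):
        unit = unit.rstrip("s")          # accept 'day' as well as 'days'
        if not num.isdigit() or unit not in UNIT_SECONDS:
            raise ValueError(f"bad interval {num} {unit} in {spec!r}")
        total += int(num) * UNIT_SECONDS[unit]
    return base, total


def parse_expires(config_text):
    """Walk the fragment top to bottom. A directive repeated in the same scope
    overrides the earlier one (last wins), so the walk order matters."""
    policy = {"default": None, "by_type": {}, "warnings": []}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DEFAULT_RE.match(line)
        if m:
            if policy["default"] is not None:
                policy["warnings"].append(
                    f"line {lineno}: ExpiresDefault repeated; this value overrides the earlier one")
            policy["default"] = to_seconds(m.group(1))
            continue
        m = BYTYPE_RE.match(line)
        if m:
            mime = m.group(1).lower()
            if mime in policy["by_type"]:
                policy["warnings"].append(f"line {lineno}: ExpiresByType {mime} repeated")
            policy["by_type"][mime] = to_seconds(m.group(2))
    if policy["default"] is not None and "text/html" not in policy["by_type"]:
        policy["warnings"].append(
            "text/html has no ExpiresByType entry, so HTML (including dynamic pages) "
            "inherits ExpiresDefault")
    return policy


def effective_seconds(policy, mime):
    """Interval a response of this type gets: its own entry, else the default."""
    entry = policy["by_type"].get(mime.lower()) or policy["default"]
    return entry[1] if entry else None


if __name__ == "__main__":
    p = parse_expires(SAMPLE_CONFIG)
    print("default:", p["default"])
    for mime in ("image/x-icon", "text/css", "text/x-javascript", "text/html"):
        print(f"{mime:25} {effective_seconds(p, mime)} s")
    for w in p["warnings"]:
        print("warning:", w)
```

Run against the real httpd.conf the same way; the point of the text/html warning is that an explicit ExpiresByType text/html entry is the place to decide how long HTML may be cached rather than letting it fall through to the default.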

Re: [users@httpd] two servers and sites on single IP

2018-06-29 Thread Dr James Smith

mod_proxy is the standard approach here..

Set up a second vhost on 192.168.0.1 and get that to proxy back to 
192.168.0.2


You will need to specify a small folder as doc root - basically to serve 
error pages! - our error directory has static pages for each error 
message we want to handle + css/images


DocumentRoot /www/place-to-put-error-pages

  ServerName  foo.bar.com
  RewriteEngine   on
  ProxyPreserveHost   on
  ProxyPassReverse    / http://192.168.0.2/
  RewriteCond %{REQUEST_URI}  !^/errors
  RewriteRule (.*) http://192.168.0.2$1   [P,L]
  ErrorDocument 403   /errors/foo.html
  ErrorDocument 500   /errors/foo.html
  ErrorDocument 502   /errors/foo.html
  ErrorDocument 503   /errors/foo.html


To be honest I use this set up on a single box with a lightweight 
frontend that serves errors and a heavyweight backend which serves 
dynamic sites - so that when I need to restart the latter (which can take 
2/3 seconds) we don't lose requests. The front end apache restarts 
really quickly because it is quite small...



On 29/06/2018 16:27, Louis wrote:

On 2018-06-29 10:26 AM, Jerry Arnold wrote:
Does bar.me.com have to run on 192.168.0.2?  There is no reason you 
can't run multiple domains on the same IP


Thanks -- but yes; two separate boxes with different o/s.

I have tried setting up a new "bar.conf" on"foo" -- but am having 
difficulties with directory root:


me@foo:/etc/apache2/sites-available$ apachectl -S
AH00112: Warning: DocumentRoot 
[/etc/apache2/192.168.0.2/usr/share/bar] does not exist

VirtualHost configuration:
192.168.0.2:80    bar.me.com (/etc/apache2/sites-enabled/bar.conf:1)
192.168.0.1:80    k318 (/etc/apache2/sites-enabled/k318.conf:6)
192.168.0.31:*    k318-admin 
(/etc/apache2/sites-enabled/k318-admin.conf:3)



Louis



https://httpd.apache.org/docs/2.4/vhosts/examples.html



For https you can use SNI:


https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI







Jerry Arnold
Principal Engineer/Architect II
o: 1-913-663-9522



*From:* Louis 
*Sent:* Friday, June 29, 2018 9:15:19 AM
*To:* Apache list
*Subject:* [users@httpd] two servers and sites on single IP
Hopefully simple, but I'm now getting confused.  Currently, single
server1 192.168.0.1 (Apache 2.4) running single site foo.me.com on
single static IP. Rock solid for the last six years.

Need to add server2 192.168.0.2 (Apache 2.4) for site bar.me.com on the
same static IP.

What is the fastest, most efficient way for server1 to rewrite |
redirect | proxy  "bar" to 192.168.0.2 and still serve "foo" from
192.168.0.1? (Border router does not accept alpha commands, only
numerical, so I cannot redirect here.)

Many thanks -- Louis



--
This email is intended solely for the use of the
addressee and may contain information that is
confidential, proprietary, or both. If you receive
this email in error please immediately notify
the sender and delete the email.
--













Re: [users@httpd] Trouble updating PHP version on MAMP on Mac

2017-06-01 Thread Dr James Smith
Looks like you are using php5_module with a PHP7 so file - you should be 
using:


LoadModule php7_module /libphp7.0.so


On 01/06/2017 20:26, Roparzh Hemon wrote:

I am not on Apple here, and you don't say whether you are using php-fpm or
not, but assuming that you are, check the start up (sysctl or init.d) file
and be sure that the correct version of PHP is being started.

Thank you for your feedback.
I have no idea what php-fpm is, and my guess is that I'm not using it.
The way I see it, the php I'm using should be the php module inside
Apache, which I specified with the following line in httpd.conf :

LoadModule php5_module /usr/local/php5-7.1.4-20170506-100436/libphp7.so

Roparzh

On Thu, Jun 1, 2017 at 3:58 PM, John Iliffe  wrote:

I am not on Apple here, and you don't say whether you are using php-fpm or
not, but assuming that you are, check the start up (sysctl or init.d) file
and be sure that the correct version of PHP is being started.

John
=
On Wednesday 31 May 2017 03:56:45 Roparzh Hemon wrote:

I'm trying to update the PHP version used in the built-in MAMP on my
Mac, as indicated at
http://aerendir.me/2015/08/01/how-to-upgrade-php-built-in-your-mac-osx/.

After obediently completing all the steps, the "CLI" version is
updated all right:
the output of php -v in my terminal is

PHP 7.1.4 (cli) (built: May  6 2017 10:02:00) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
 with Zend OPcache v7.1.4, Copyright (c) 1999-2017, by Zend
Technologies with Xdebug v2.5.3, Copyright (c) 2002-2017, by Derick
Rethans

But I look at the phpInfo in my built-in MAMP, I still get the old PHP
version, with the old PHP location.
I tried restarting both Firefox and MAMP.

I'm using Apache2 and Firefox 53.0.2 on Mac OS 10.11.3.














Re: [users@httpd] Redirect all unconfigured sub-domains to specific sub-domain

2017-05-15 Thread James Smith
You really only have one option at the moment and that is to pay for a 
wild card certificate which will do this {Let's Encrypt doesn't allow you 
yet}


It will probably set you back something like 100$ a year

o/w you will need to set your redirects up from xxx. to https:// 
individually and have a catch all that redirects the rest of the http 
request to a single https domain...




On 2017-05-15 05:03 PM, Torge Riedel wrote:

Hi,

I'm using Apache 2.2 and currently have the following configuration 
files:


00-default-> redirect non-https-URLs to https-URLs
00-default-ssl   -> default configuration for 
https://mydomain.de and https://www.mydomain.de


Then several files

20-sub.mydomain.de-> configuration for https://sub.mydomain.de

So what I want to do is if a user browses to my domain with an 
unconfigured sub domain, he is redirected to lets say 
https://www.mydomain.de


Reason: Currently he gets a certificate error, cause cert 
(letsencrypt) is only valid https://mydomain.de and 
https://www.mydomain.de


Any hints?

Thanks in advance

Torge












Re: [users@httpd] I need help figuring out a 500 response code

2017-05-03 Thread Dr James Smith
Is there an error.log in the same directory? It is usually in the same 
directory and should contain some information about why the system failed.



On 03/05/2017 07:41, John Covici wrote:

Hi.  I am having major problems figuring out a 500 response code I am
getting on my server.

I am using apache 2.4.25 on gentoo linux up to date as of a few days
ago.

So, I have installed owncloud which is a cloud server written in php and
it has worked for a long time, but for a few days I have gotten 500
when I try to access it.  Now, I am using https normally to access and
when I look at the error_log, I get just one line like this:

[Wed May 03 02:14:37.074791 2017] [ssl:info] [pid 22312] [client
192.168.0.2:56613] AH01964: Connection to child 0 established (server
ccs.covici.com:443)

If I change the loglevel to debug, I get all kinds of ssl information
and the lines saying that requireall was granted, but nothing about
the error.

Now, if I change to http access, on my access_log I get lines like the
following:

192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
301 295
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
301 295 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0;
rv:11.0) like Gecko"
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
301 295 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0;
rv:11.0) like Gecko"
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
302 -
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
302 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
like Gecko"
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
302 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
like Gecko"
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
/owncloud/index.php/login HTTP/1.1" 500 -
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
/owncloud/index.php/login HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT
10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
/owncloud/index.php/login HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT
10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

Now, owncloud has its own log, but I get nothing in it.

So, my question is how to find out more about why I am getting the 500
response and what I can do about it.

Thanks in advance for any suggestions.










Re: [users@httpd] redirect port from 80 to 443

2017-02-18 Thread Dr James Smith
As I only run HTTPS - I have the following on port 80 - (this can't be 
done with redirect)




  ...
  ...
  ...

  RewriteEngine on
  RewriteCond   %{REQUEST_URI} !^/.well-known/acme-challenge
  RewriteRule   ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} 
[R=permanent,L,NE]



So I only have one port 80 configuration - even tho' I'm running 
something like 30 sub-domains on one machine and 70 sub-domains on the 
other...


{There is some other stuff associated with this - and I've got HSTS 
headers set - and preloaded where I can - so most browsers won't hit the 
port 80 anyway!}



On 18/02/2017 19:00, Daniel wrote:
Yes please, let's stay away from convoluted and most times unnecessary 
mod_rewrite examples to do simpleton configurations.


If you are in virtualhost 80, you have specified servername correctly 
and you just want to redirect to ssl, why not a single Redirect statement?


As Yann's refered document says:
Redirect / https://something.example.com/

Most people here know this, but there are gazillions of web pages 
referring to bad advice, duct-tape solutions and convoluted ways of 
using mod_rewrite for a simple redirection when placed in proper 
context; we need to finish with that trend, and the best way is to 
give simple, straight-to-the-point examples "first".


The mod_rewrite example given, let's slice it out:
> RewriteCond %{HTTP_HOST} =www.example.com 
> RewriteCond %{SERVER_PORT} =80
> RewriteRule ^(.*)$ https://www.example.com/$1 [R]

This clearly assumes it is a generic recipe in a .htaccess somewhere 
which can be read from a non-SSL virtualhost or non-SSL virtualhost 
(just to be ignored).


1º It checks the host name, but why? If you have defined a VirtualHost 
with that servername and there are no conflicts the request is already 
landing there.
2º It checks for port 80. But we are redirecting to SSL, so we are 
already on port 80, why check it?

3º Can be replaced with a Redirect as mentioned above.

So instead of giving out recipes for .htaccess thought out for an 
aging era of shared virtualhosting, let's recommend the ideal 
virtualhost context recipe first as Yann proposed earlier:


Define the virtualhost with the names you serve.

ServerName something.example.com 
Redirect / https://something.example.com/


There is no guessing here, no unnecessary directives and it's hard to 
miss or confuse with other directives and the context where it resides 
is crystal clear.


Later on, when things need to be complicated, then I guess we can use 
"If" or "mod_rewrite", and recommend it as needed.



2017-02-18 19:38 GMT+01:00 Richard >:




> Date: Saturday, February 18, 2017 11:04:34 -0700
> From: James Moe >
>
> On 02/18/2017 05:08 AM, Rodrigo Cunha wrote:
>> i want redirect all request from port 80 to 443.
>> what is better setting for fix this?
>>
>   Better than what?
>   Fix? Is it broken?
>
> RewriteCond %{HTTP_HOST} =www.example.com 
> RewriteCond %{SERVER_PORT} =80
> RewriteRule ^(.*)$ https://www.example.com/$1 [R]

Perhaps, better than using a "rewrite"? See the documentation
reference, given in an earlier post:

  >

that has this as a specific example of when/why to use a "redirect"
rather than a "rewrite".








--
*Daniel Ferradal*
IT Specialist

email dferradal at gmail.com 
linkedin es.linkedin.com/in/danielferradal 







Re: [users@httpd] hello

2017-01-19 Thread James Smith
Debian 8 (Jessie?) Apache version is 2.4.10 which would suggest your 
error is in the Order Allow, Deny area..


Should just be:

Require all granted


see:

https://httpd.apache.org/docs/2.4/upgrading.html
On 2017-01-19 04:34 PM, David Miranda Aragón wrote:


Good morning.
I am looking for help on apache2 in debian 8, as I am trying to mount 
a website, which in debian 7 worked fine, but now in debian 8 it does 
not work for me.

But below I leave the configuration of my virtualhost


 ServerName ftp.domain
 ServerAdmin webmaster @ domain
 DocumentRoot "/ srv / ftp"

 AddDefaultCharset UTF-8
 DirectoryIndex /httpdirindex/httpdirindex.php
 RemoveHandler .php .phps .pl .cgi

 ErrorLog logs / ftp.domain-error.log
 CustomLog logs / ftp.domain-access.log common
 ErrorDocument 404 /httpdirindex/httpdirindex.php

 
 Options FollowSymLinks MultiViews
 Order Allow, Deny
 Allow From All
 


The thing is that I want to beautify my ftp, which is mounted in apache, with a 
utility called httpdirindex that is written in php5



On 19/01/2017 at 11:27 a.m., David Miranda Aragón wrote:

test
--
Untitled document Name: Lic. David Miranda Aragón
Company: Unidad de Investigación para la Construcción Cienfuegos. 
ENIA - MICONS

Occupation: Network Administrator
Email: da...@eniacfg.co.cu
Jabber: da...@jabber.eniacfg.co.cu
Telephone: (043) 525128
Address: Ave 56 # 5101 (Altos), Cienfuegos - CUBA








Re: [users@httpd] Copyright notices in httpd source files

2016-12-28 Thread Dr James Smith
At work all out software is open source - but we have to include a 
copyright notice in all source files where possible - as we then 
distribute the content under LGPL. The logic is that if we didn't claim 
copyright on the contents of the source - someone else might claim it 
and make it closed source.



On 28/12/2016 22:44, Christopher Schultz wrote:


All,

Is it common to have a copyright notice in httpd C source files?

Jim committed a donation of code for HAProxy's PROXY protocol in
r1776076 and later. (Thanks, by the way: I've been hoping to get this
in 2.4 for a while so consider me a big (karma-less) +1 for back-port
of this module).

The C source
https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_prox
y_protocol.c?view=markup=1776076
file contains this copyright claim:

Copyright 2014 Cloudzilla Inc.

I haven't pulled the source to see if other such claims exist in other
source files, but I have never noticed a copyright claim in other ASF
projects.

Is this a simple oversight or should the copyright notice remain?

Thanks,
- -chris

PS Special thanks to Dan Ruggeri who was working on this independently
of the donation with me, and who missed his own commit of virtually
the same code by a few hours.











Re: [users@httpd] resources prioritization/scheduler (app vs assets)

2016-12-10 Thread Dr James Smith
Before you get into trying to resolve issues with load there are a few 
things to consider:


Your "model" of traffic is probably wrong...

 * Have you seen this traffic shape.. if a user requests a page - it
   will probably be a few milliseconds before the browser requests the
   first static file, they will usually limit themselves to something
   like 4, 6 or 8 parallel requests (pipelining) to minimize the
   DNS/connect/handshake/disconnect phases;
 * Even if you have large numbers of simultaneous users the amount of
   traffic won't be as bursty as you say - as they won't all hit "go"
   at the same time;
 * The larger overheads are more likely to be up stream in network etc.

Now to reduce load ...

 * Look at a dedicated caching layer in front of apache. e.g. varnish
   which can cache the static content; get your headers right so that
   browsers + upstream caches cache your content;
 * Look at the apache event mpm - which is much lighter than the other
   mpms (prefork/threaded)
 * Do you need 40 assets or can you do optimization on these (e.g.
   merging css/js files) reducing images, icon fonts, css, spriting
   etc; I have taken a site requiring 100s of assets and gained by
   reducing these to 10-15...
 * If you are worried about performance on such a small box then
   redesign so that the site isn't heavy!
 * Look at offloading some resources to 3rd party CDNs (e.g. fonts core
   js-libraries etc)

Look at your hardware - if you are this worried - 1G is a very small box 
- look at getting a larger server - most are virtual anyway... then you 
need to look at the type of HDD etc..


 * 1G is a small server you would get gains by having a bigger server
   (and probably wouldn't cost much more!)

If you want this level of resilience you probably need to look at load 
balancing over multiple servers - then you can dedicate some to static 
servers and some dynamic servers...


On 10/12/2016 14:22, Raphaël wrote:

Hi,

I've a question on how to prioritize traffic in order to optimize
the service in the case of traffic bursts:


Context:
* a server with finite resources (let's say 1 GB mem)
* a PHP application: initial page load needs 100 MB (index.php)
* for each page load (index.php) approx:
   * ~ 40 subsequent assets (static files) are needed
   * serving assets is, obviously, quicker than serving index.php
* I assume, and decide, that PHP-FPM must not use more than 700MB
* I want to avoid "broken" pages (missing assets/images/...) as much as possible


Thus PHP-FPM is configured to allow no more than 7 children.
The Apache MaxRequestWorkers (worker MPM) is set to be strictly greater than
7*40 (let's say 350)


Now imagine a traffic burst with 200 distinct clients simultaneously
hitting the main page (wow!)
They now occupy 57% of the Apache workers, 193 of them waiting for a
PHP-FPM child. ( "max" default value being ThreadsPerChild)

... some hundreds milliseconds later...

The 7 first clients having been served, each one now requests 40 more assets.
And the situation is then as follows:

* 7 hits on index.php were already processed successfully
* 7 currently being processed by PHP-FPM (still occupying Apache workers)
* 186 queued Apache workers hits /index.php, waiting for PHP-FPM/proxy-fcgi
* 7*40 = 280 new hits for assets (subsequent resources needed by the 7 first 
clients)
* 157 of them immediately get an available Apache worker and can be
  served (157+186+7 == 350)
* >>>  123 assets will NOT get an available worker  <<< PROBLEM HERE


In the "best" case these 123 requests, which should have been served
*now*, will end up in the ListenBackLog and wait the 157 first assets to
be served first and liberate their workers.

The server works virtually *as* if only 350-200 = 150 workers were
available (150 being < 280, which is the typical workers implication
for 7 pages-load)

200 being the (unpredictable/variable) "intensity" of the burst, I would
like to know of a better way to handle such a situation.


The first ideas that come to mind is service shaping (prioritization/quotas):
How to make Apache only accept 1/40 of the traffic to the fcgi php-fpm proxy.
Sample heuristic:

If all worker are used (350/350), we "compute" which proportion is
dedicated to index.php. If it's superior to a given configurable
threshold, then free some of the workers dedicated to this resources
in order to accept assets-directed resources.


I'm curious about possible solutions.
Thank you for reading.








Re: [users@httpd] Mod_Substitute - Match the last occurrence of a string in the response

2016-11-23 Thread Dr James Smith
Why are you attaching after the last meta tag - wouldn't it be easier 
just before the  tag or just after the  tag - you should 
have no other js in the header - except possibly an HTML 5 shim...



On 23/11/2016 08:08, Mayuresh wrote:


Any suggestions?


On Nov 22, 2016 11:32 AM, "Mayuresh" > wrote:


Is there a way to make a 2 pass substitution? 1st one removing all
the \n's and then using another one to substitute the string that
I want?

On Tue, Nov 22, 2016 at 11:15 AM, Mayuresh
> wrote:

Hi Jason,

I tried it:

Substitute "s%(]*>).*?$%$1window['start-time'] = new
Date().getTime();window['app-key'] = \"xxx\";%i"


However it still replaces each line that the meta tag appears on.


Regards,

Mayuresh


On Tue, Nov 22, 2016 at 11:12 AM, Mayuresh
> wrote:

Hi Jason,

Each meta tag is appearing on a separate line. Will it
work even then? Trying it out any ways.

Thanks,
Mayuresh

On Tue, Nov 22, 2016 at 10:41 AM, Jason Brooks
> wrote:

Hello,

According to the Apache Glossary page
,
it’s all PCRE  based. So you
should be able to use the “non-greedy” match.  So
instead of .* which will match all instances, use
.*?.  If you anchor it at the end of the string,
something like (text you are matching against).*?$,
then you can be certain of getting the last one.

—jason

Jason Brooks, Systems Administrator
eROI - Performance is Art.

m: 505 nw couch #300   w: eroi.com

t: 503.290.3105   f: 503.228.4249



fb: fb.com/eROI 










On Nov 22, 2016, at 8:50 AM, Mayuresh wrote:

Hi,

How can I check for the last occurrence of a string
in the response html and only replace the last
occurrence of it?

I want to search for the last "meta" tag in the
response and replace it with something.

How can I do this?

Thanks,
Mayuresh





-- 
-Mayuresh


Re: [users@httpd] Mod_Substitute - Match the last occurrence of a string in the response

2016-11-22 Thread Dr James Smith
Never used mod_substitute - but the standard PCRE way is s/(.*)>/$1/mxs - the .* will capture greedily - so captures all but last 
meta...




On 22/11/2016 16:50, Mayuresh wrote:

Hi,

How can I check for the last occurrence of a string in the response 
html and only replace the last occurrence of it?


I want to search for the last "meta" tag in the response and replace 
it with something.


How can I do this?

Thanks,
Mayuresh






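To make the greedy-capture idea from the reply concrete, here is an added Python example (not code from the thread, from mod_substitute or from Apache) that contrasts a per-line substitution, which hits every line carrying a meta tag as Mayuresh reported, with a greedy whole-document match that tags only the last one. The HTML and the inserted snippet are constructed samples.

```python
import re

# Constructed sample response: three meta tags on separate lines, as in the thread.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<meta name="description" content="constructed sample">
<title>demo</title>
</head>
<body><p>hello</p></body>
</html>
"""

# Constructed snippet to place after the last meta tag (mirrors the thread's intent).
SNIPPET = "<script>window['start-time'] = new Date().getTime();</script>"

META_TAG = r"<meta[^>]*>"


def substitute_per_line(html: str, snippet: str) -> str:
    """Line-oriented substitution, the way a filter that sees one line at a time
    behaves: `.*?$` can only run to the end of the current line, so every line
    holding a meta tag gets the snippet. This is the effect Mayuresh reported."""
    pattern = re.compile(r"(" + META_TAG + r")(.*?)$", re.IGNORECASE)
    out = []
    for line in html.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        out.append(pattern.sub(lambda m: m.group(1) + snippet + m.group(2), body) + ending)
    return "".join(out)


def substitute_last_greedy(html: str, snippet: str) -> str:
    """Whole-document substitution using the greedy capture from the reply:
    `(.*<meta...>)` with DOTALL swallows everything up to and including the
    LAST meta tag, so the snippet lands exactly once, right after it.
    A document without any meta tag is returned unchanged."""
    pattern = re.compile(r"(.*" + META_TAG + r")", re.IGNORECASE | re.DOTALL)
    return pattern.sub(lambda m: m.group(1) + snippet, html, count=1)


def count_snippets(html: str, snippet: str) -> int:
    """How many times the snippet ended up in the output."""
    return html.count(snippet)


if __name__ == "__main__":
    print("per-line :", count_snippets(substitute_per_line(SAMPLE_HTML, SNIPPET), SNIPPET))
    print("greedy   :", count_snippets(substitute_last_greedy(SAMPLE_HTML, SNIPPET), SNIPPET))
    print(substitute_last_greedy(SAMPLE_HTML, SNIPPET))
```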
Re: [users@httpd] Random Internal Server Error 500 after apache and system update

2016-10-02 Thread Dr James Smith
Things you can do are trying to track down if there is any pattern - are 
these the first request on a child, "nth" request on a child etc... we add 
additional variables to access logs which include things such as 
PID/request no in PID, memory usage before and after etc. This allows us 
sometimes to see patterns in errors which aren't normally easy to see..

Saying that it may not help you here...

Another thing you can do with ab is check to see if it is OK under lower 
load?


Finally I find "siege" better than "ab" when it comes to testing as it 
is more configurable - you can send it a list of URLs - run test for 
"n-seconds" rather than "n-requests" which is more useful if you don't 
know how long things take to return!


James

On 02/10/2016 09:02, Daniel wrote:
I would bet on your method of parsing php and the scripts being ran, 
in any case to be sure:


Try the strace approach:
strace -o /tmp/outputfile -s 5000 httpd -X or strace -ff -F -s200 -o 
/tmp/strace.out -p PID


to try to find out what's really going on.

2016-09-30 20:19 GMT+02:00 Fabio F.Gervasi >:


Hi!

I have additional information:

/var/log/httpd/error_log, at "crash time": [Fri Sep 30
19:09:03.897325 2016] [mpm_event:trace4] [pid 30339:tid
139796798162688] event.c(930): socket reached timeout in
lingering-close state

What do you think?



2016-09-30 14:47 GMT+02:00 Fabio F.Gervasi
>:

Hi!

Thank you for your reply. I tried the following tests.

*1) Using a little text file:*
*# ab -k -c 100 -n 2000 localhost/test.txt*
This is ApacheBench, Version 2.3 <$Revision: 1748469 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd,
http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
Completed 200 requests
Completed 400 requests
Completed 600 requests
Completed 800 requests
Completed 1000 requests
Completed 1200 requests
Completed 1400 requests
Completed 1600 requests
Completed 1800 requests
Completed 2000 requests
Finished 2000 requests


Server Software:Apache/2.4.23
Server Hostname:localhost
Server Port:80

Document Path:  /test.txt
Document Length:52 bytes

Concurrency Level:  100
Time taken for tests:   2.521 seconds
Complete requests:  2000
*Failed requests:16*
   (Connect: 0, Receive: 0, Length: 16, Exceptions: 0)
Keep-Alive requests:1984
Total transferred:  950336 bytes
HTML transferred:   103168 bytes
Requests per second:793.45 [#/sec] (mean)
Time per request:   126.032 [ms] (mean)
Time per request:   1.260 [ms] (mean, across all
concurrent requests)
Transfer rate:  368.18 [Kbytes/sec] received

Connection Times (ms)
  min  mean[+/-sd] median   max
Connect:01   3.8  021
Processing: 1  123 126.5 83   772
Waiting:0  123 126.7 83   772
Total:  1  124 126.6 85   772

Percentage of the requests served within a certain time (ms)
  50% 85
  66%154
  75%201
  80%229
  90%303
  95%373
  98%452
  99%547
 100%772 (longest request)

/I obtain 16 failed requests, but if I run more again I obtain
a different number./

*2) Using a big gif file:*
*# ab -k -c 100 -n 2000 localhost/it-vis-animation.gif*
This is ApacheBench, Version 2.3 <$Revision: 1748469 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd,
http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
Completed 200 requests
Completed 400 requests
Completed 600 requests
Completed 800 requests
Completed 1000 requests
Completed 1200 requests
Completed 1400 requests
Completed 1600 requests
Completed 1800 requests
Completed 2000 requests
Finished 2000 requests


Server Software:Apache/2.4.23
Server Hostname:localhost
Server Port:80

Document Path:  /it-vis-animation.gif
Document Length:8105309 bytes

Concurrency Level:  100
Time taken for tests:   26.294 seconds
Complete requests:  2000
*Failed requests:0*
Keep-Alive requests:2000
Total transferred:  16211484000 bytes
HTML 

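As an added illustration of the log-enrichment idea in the reply (example code, not the poster's own), the Python below parses constructed access-log lines and reports where the 500s cluster: first request on a child, every nth request, or one sick PID. The layout is an assumption: `%P` for the child PID plus three application-set environment variables (REQ_NO, MEM_BEFORE, MEM_AFTER, names invented here) logged with `%{...}e`.

```python
import re
from collections import Counter

# Constructed sample lines for an assumed LogFormat of
#   "%h %t \"%r\" %>s %P %{REQ_NO}e %{MEM_BEFORE}e %{MEM_AFTER}e %D"
# REQ_NO / MEM_* are environment variables the application sets (the kind of
# enrichment the reply describes); the variable names are invented here.
SAMPLE_LOG = """\
10.0.0.5 [02/Oct/2016:09:00:01 +0100] "GET /index.php HTTP/1.1" 500 30339 1 41200 41208 812000
10.0.0.5 [02/Oct/2016:09:00:01 +0100] "GET /index.php HTTP/1.1" 200 30339 2 41208 41210 12000
10.0.0.7 [02/Oct/2016:09:00:02 +0100] "GET /about.php HTTP/1.1" 200 30339 3 41210 41211 11000
10.0.0.5 [02/Oct/2016:09:00:03 +0100] "GET /index.php HTTP/1.1" 500 30412 1 41100 41115 790000
10.0.0.9 [02/Oct/2016:09:00:03 +0100] "GET /test.txt HTTP/1.1" 200 30412 2 41115 41115 300
10.0.0.9 [02/Oct/2016:09:00:04 +0100] "GET /test.txt HTTP/1.1" 200 30412 3 41115 41115 280
10.0.0.5 [02/Oct/2016:09:00:05 +0100] "GET /index.php HTTP/1.1" 500 30455 1 41300 41320 805000
10.0.0.7 [02/Oct/2016:09:00:06 +0100] "GET /index.php HTTP/1.1" 200 30455 2 41320 41321 11500
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<pid>\d+) (?P<req_no>\d+) '
    r'(?P<mem_before>\d+) (?P<mem_after>\d+) (?P<usec>\d+)$'
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed at."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("status", "pid", "req_no", "mem_before", "mem_after", "usec"):
            d[key] = int(d[key])
        rows.append(d)
    return rows


def error_profile(rows, status_min=500):
    """Summarise where server errors fall: by request number within the child,
    by child PID, and by memory growth during the request, so a
    'first request on a child' pattern (or one sick child) stands out."""
    errors = [r for r in rows if r["status"] >= status_min]
    by_req_no = Counter(r["req_no"] for r in errors)
    by_pid = Counter(r["pid"] for r in errors)
    growth_err = [r["mem_after"] - r["mem_before"] for r in errors]
    growth_ok = [r["mem_after"] - r["mem_before"] for r in rows if r["status"] < status_min]
    mean = lambda xs: (sum(xs) / len(xs)) if xs else 0.0
    return {
        "errors": len(errors),
        "by_req_no": dict(by_req_no),
        "by_pid": dict(by_pid),
        # True when every error is the very first request a child served.
        "all_first_request": bool(errors) and set(by_req_no) == {1},
        "mean_growth_err": mean(growth_err),
        "mean_growth_ok": mean(growth_ok),
    }


if __name__ == "__main__":
    for key, value in error_profile(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```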
Re: [users@httpd] Apache losing its connection from Tomcat in few minutes

2016-09-06 Thread James Smith



On 9/6/2016 3:55 PM, Christopher Schultz wrote:


James,

On 9/4/16 5:16 AM, Dr James Smith wrote:

You don't give enough information about the setup to solve any of
your problems really.

Are the apache/tomcat/cms on the same box or different

We have seen big problems with mod_jk when there are firewalls
involved (so much so we don't use it any more but use mod_proxy
instead) - connections are severed by the firewall - you need to
look up "tcp keep alive" settings for your connections - but even
then that doesn't help - mod_jk doesn't handle this situation
well... (ditto nginx, mod_fcgi etc none of them really handle any
form of flakiness when it comes to network well)

I've been using mod_jk for quite a few years (both with and without
firewalls) and never had any problems. The trick is that you have to
configure it correctly, just like you'd have to properly configure
mod_proxy as well.

mod_jk uses a permanent-connection to the backend, and you have to
arrange to have those connections re-established if they drop. You
want to pair the connection_pool_timeout in mod_jk (in sec) with the
connectionTimeout in Tomcat (in ms) to make sure that both sides of
the channel will hang up the phone after an appropriate interval. Use
of CPING/CPONG can help ensure that the connection hasn't been dropped
by the firewall.
The problem is that when the firewall session is terminated (for the 
firewall we use) then it behaves in an unusual way - in that both ends 
think the connection is open, but it isn't in fact open. This means 
that timeouts/pings fail (no idea why - nor do Oracle - or the firewall 
manufacturer). Using mod_proxy (and database wrappers) we have a 
solution that gets round this by dropping connections before the server 
is likely to get in this state (unfortunately you can't easily do this 
with mod_jk or, interestingly, Oracle!) We think the problem is actually 
to do with some nasty pooling process going on under the hood. Note ping 
fails in an unusual manner!

Interestingly we actually appear to get better performance under 
mod_proxy than mod_jk (although we have to use an extra hop to deal 
with load balancing)


I suspect that Jayaram's problem is either a mismatched pair of
connection_pool_timeout/connectionTimeout settings, or a value that is
less than the idle-timeout on the firewall.
Still reverting to mod_proxy will almost certainly make the 
configuration easier, the debugging easier, and resolve his other issue...




Hope that helps,
-chris











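An added example, not the poster's mod_perl code, of the connection-dropping approach this reply describes: a pool that stamps each backend connection with its last-use time and refuses to hand back one that has been idle longer than a threshold set below the firewall's session timeout, so a silently severed connection is never reused. FakeConnection and the injectable clock are test scaffolding; the 900 second default follows the 15 minute rule mentioned further down this page.

```python
import time
from collections import deque


class IdleAwarePool:
    """Pool that discards any connection idle longer than max_idle seconds.

    The firewall in the thread drops idle sessions silently and neither end
    notices, so the safe move is to stop trusting a connection *before* the
    firewall's idle timeout rather than trying to detect the drop afterwards.
    `connect` is a factory returning a fresh connection, `close` tears one
    down, and `clock` (default time.monotonic) is injectable for tests.
    """

    def __init__(self, connect, close, max_idle=900.0, clock=time.monotonic):
        self._connect = connect
        self._close = close
        self._max_idle = max_idle
        self._clock = clock
        self._idle = deque()  # (connection, last_used) pairs, oldest first
        self.stats = {"reused": 0, "discarded": 0, "opened": 0}

    def _purge_stale(self):
        now = self._clock()
        while self._idle and now - self._idle[0][1] > self._max_idle:
            conn, _ = self._idle.popleft()
            self._close(conn)
            self.stats["discarded"] += 1

    def acquire(self):
        """Hand out a fresh-enough connection, opening a new one if none qualifies."""
        self._purge_stale()
        if self._idle:
            conn, _ = self._idle.pop()  # most recently used, least likely to be stale
            self.stats["reused"] += 1
            return conn
        self.stats["opened"] += 1
        return self._connect()

    def release(self, conn):
        """Return a connection, stamping it with the time it was last used."""
        self._idle.append((conn, self._clock()))

    def close_all(self):
        while self._idle:
            conn, _ = self._idle.popleft()
            self._close(conn)


class FakeConnection:
    """Constructed stand-in for a real backend connection (Tomcat, a database...)."""
    _seq = 0

    def __init__(self):
        FakeConnection._seq += 1
        self.id = FakeConnection._seq
        self.closed = False


def demo(max_idle=900.0, idle_for=1000.0):
    """Use a connection, let it sit idle for idle_for seconds, acquire again.
    Returns (first_id, second_id, discarded) so a caller can see whether the
    pool reused the old connection or replaced it."""
    now = [0.0]
    pool = IdleAwarePool(FakeConnection, lambda c: setattr(c, "closed", True),
                         max_idle=max_idle, clock=lambda: now[0])
    first = pool.acquire()
    pool.release(first)
    now[0] += idle_for
    second = pool.acquire()
    pool.release(second)
    pool.close_all()
    return first.id, second.id, pool.stats["discarded"]


if __name__ == "__main__":
    print("idle 1000s, limit 900s:", demo(900.0, 1000.0))
    print("idle   60s, limit 900s:", demo(900.0, 60.0))
```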
Re: [users@httpd] Apache losing its connection from Tomcat in few minutes

2016-09-04 Thread Dr James Smith
You don't give enough information about the setup to solve any of your 
problems really.


Are the apache/tomcat/cms on the same box or different

We have seen big problems with mod_jk when there are firewalls involved 
(so much so we don't use it any more but use mod_proxy instead) - 
connections are severed by the firewall - you need to look up "tcp keep 
alive" settings for your connections - but even then that doesn't help - 
mod_jk doesn't handle this situation well... (ditto nginx, mod_fcgi etc 
none of them really handle any form of flakiness when it comes to 
network well)


And also mod_proxy is a lot easier to set up than mod_jk - and the 
slight overhead of not-compressing the apache headers/possibly 
renegotiating connections will not be significant if your CMS is taking 
10 seconds to return - which is already about 9 seconds too long anyway!


Other things - shared file systems are generally a bad idea in a web 
environment - (esp NFS) as overhead/stability issues can be critical in 
high volume webservers..


Now for mod_proxy for what you want to do!

ProxyPass /files !
ProxyPass / http://tomcatserver:port/
ProxyPassReverse / http://tomcatserver:port/

Caching probably isn't an issue now - or shouldn't be... as your static 
content is being served via Apache directly - but I would read up on web 
optimisation in general:


 * How to minimize number of resources in a web page;
 * Setting cache control, etag headers etc to stop the client
   re-requesting resources;
 * Using mod_deflate correctly [ Note turn off deflate on tomcat - DO
   NOT GET IT TO COMPRESS CONTENT!]
 * Look at avoiding redirects etc if possible

Only when you have resolved all those issues then will you want to look 
at setting up "dumb server" caching - because unless you understand it 
well it can cause more problems than it solves! and anyway getting the 
cache headers right will make it easier! Getting servers closer to the 
user caching content is always the best way!!!


James


On 04/09/2016 09:48, Jayaram Ponnusamy wrote:

Dear All,

In our environment we are using Apache HTTP and Tomcat as AppServer on a 
J2EE based CMS system, and we are using the AJP 1.3 connector (Apache 
HTTPD, Tomcat, CMS are in separate systems)


Normally accessing the sites & pages through the WebServer URL is very 
slow compared to using the Tomcat URL.


The weird behavior is that Apache HTTP is losing connection with Tomcat in 
a few minutes (eg 10-15 minutes), then we have to hit the WebServer URL 
continuously or reboot httpd to resolve this issue.


In the MOD_JK Logs we could see below errors.

[Sun Sep 04 01:17:34 2016][7945:488081152] [info] 
ajp_connection_tcp_get_message::jk_ajp_common.c (1150): (prd_live_svr) 
can't receive the response header message from tomcat, network 
problems or tomcat (10.100.116.31:9009 ) is 
down (errno=110)
[Sun Sep 04 01:17:34 2016][7945:488081152] [error] 
ajp_get_reply::jk_ajp_common.c (1962): (prd_live_svr) Tomcat is down 
or refused connection. No response has been sent to the client (yet)
[Sun Sep 04 01:17:34 2016][7945:488081152] [info] 
ajp_service::jk_ajp_common.c (2447): (prd_live_svr) sending request to 
tomcat failed (recoverable),  (attempt=1)
[Sun Sep 04 03:35:02 2016]prd_live_svr cmsliv.com  
32.624815
[Sun Sep 04 03:36:02 2016][13358:488081152] [info] 
ajp_process_callback::jk_ajp_common.c (1788): Writing to client 
aborted or client network problems
[Sun Sep 04 03:36:02 2016][13358:488081152] [info] 
ajp_service::jk_ajp_common.c (2447): (prd_live_svr) sending request to 
tomcat failed (unrecoverable), because of client write error (attempt=1)
[Sun Sep 04 03:36:02 2016]prd_live_svr cmsliv.com  
39.879029
[Sun Sep 04 03:36:02 2016][13358:488081152] [info] 
jk_handler::mod_jk.c (2608): Aborting connection for worker=prd_live_svr


Errors Log:
[Sun Sep 04 09:32:00 2016] [debug] proxy_util.c(1921): proxy: worker 
proxy:reverse already initialized
[Sun Sep 04 09:32:00 2016] [debug] proxy_util.c(2017): proxy: 
initialized single connection worker 0 in child 24423 for (*)
[Sun Sep 04 09:54:24 2016] [debug] proxy_util.c(1901): proxy: grabbed 
scoreboard slot 0 in child 24513 for worker proxy:reverse
[Sun Sep 04 09:54:24 2016] [debug] proxy_util.c(1921): proxy: worker 
proxy:reverse already initialized
[Sun Sep 04 09:54:24 2016] [debug] proxy_util.c(2017): proxy: 
initialized single connection worker 0 in child 24513 for (*)
[Sun Sep 04 09:54:29 2016] [debug] proxy_util.c(1901): proxy: grabbed 
scoreboard slot 0 in child 24514 for worker proxy:reverse
[Sun Sep 04 09:54:29 2016] [debug] proxy_util.c(1921): proxy: worker 
proxy:reverse already initialized
[Sun Sep 04 09:54:29 2016] [debug] proxy_util.c(2017): proxy: 
initialized single connection worker 0 in child 24514 for (*)
[Sun Sep 04 10:01:48 2016] [debug] proxy_util.c(1901): proxy: grabbed 
scoreboard slot 0 in child 24563 for worker proxy:reverse
[Sun Sep 04 10:01:48 2016] [debug] proxy_util.c(1921): 

Re: [users@httpd] How to restart apache after reboot on ubuntu 16.04?

2016-08-17 Thread Dr James Smith
It may be possible to write your own auto-renewal script relatively 
easily for LetsEncrypt. I have done so for Apache as (a) I don't use the 
standard paths and setup, (b) I wish to use HPKP on my servers for 
additional security and the "Lets Encrypt" auto scripts generate a new 
key each time, which breaks this (the signature changes and is 
unpredictable) - so my script generates a Lets Encrypt request with the 
appropriate key (either the same OR the backup key I've already 
generated). I now have a relatively simple script which reads my config 
file and generates keys accordingly if required (the only thing it 
doesn't do is restart the server for the new certificates to be read) 
but it does inform me this is happening. It shouldn't be too difficult 
for nginx to do similar.





On 17/08/2016 20:23, R wrote:
It seemed like the auto-renewal process for ssl from LetsEncrypt is 
not supported yet for nginx, at least according to this article on its 
publication date:


https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

My needs are really simple and I wanted to go with whichever would be 
simpler to set up.


On Wed, Aug 17, 2016 at 2:50 PM, Dr James Smith <j...@sanger.ac.uk> wrote:


Depends on your backends - nginx is good if it is serving
primarily static files and or proxying back to quick responding
backends. It seems to be less well suited to slower/heavier
backends. Apache always seems to work - slower mind you - but
always seems to work... So if reliability is your requirement then
nginx may be a problem!



On 17/08/2016 19:41, Erik Dobák wrote:

why did not you use nginx anyway? should be faster and modern.
did not
have the chance to try that yet myself. still using apache
everywhere.

On 17 August 2016 at 03:18, R <bittransfer2...@gmail.com> wrote:

Ugh sorry, I had a test installation of nginx on the
machine, which was not
fully removed after doing "apt-get remove". Looks like it
would still start
up somehow. After I purged nginx, then apache2 started ok
after reboot.

Thanks

On Tue, Aug 16, 2016 at 8:57 PM, R <bittransfer2...@gmail.com> wrote:

Hi, this is everything from cat
/var/log/apache2/error.log:

[Mon Aug 15 13:42:17.138117 2016] [mpm_event:notice]
[pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu)
configured -- resuming
normal operations
[Mon Aug 15 13:42:17.138282 2016] [core:notice] [pid
26081:tid
139773925775232] AH00094: Command line:
'/usr/sbin/apache2'
[Mon Aug 15 14:55:14.003814 2016] [mpm_event:notice]
[pid 26081:tid
139773925775232] AH00493: SIGUSR1 received.  Doing
graceful restart
AH00112: Warning: DocumentRoot
[/var/lib/letsencrypt/tls_sni_01_page/]
does not exist
AH00558: apache2: Could not reliably determine the
server's fully
qualified domain name, using 127.0.1.1. Set the
'ServerName' directive
globally to suppress this message
[Mon Aug 15 14:55:14.054552 2016] [ssl:warn] [pid
26081:tid
139773925775232] AH01906:x:0 server certificate is a
CA certificate
(BasicConstraints: CA == TRUE !?)
[Mon Aug 15 14:55:14.054736 2016] [mpm_event:notice]
[pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu)
OpenSSL/1.0.2g-fips
configured -- resuming normal operations
[Mon Aug 15 14:55:14.054747 2016] [core:notice] [pid
26081:tid
139773925775232] AH00094: Command line:
'/usr/sbin/apache2'
[Mon Aug 15 14:55:20.854353 2016]
[mpm_event:notice] [pid 26081:tid
139773925775232] AH00493: SIGUSR1 received.  Doing
graceful restart
AH00558: apache2: Could not reliably determine the
server's fully
qualified domain name, using 127.0.1.1. Set the
'ServerName' directive
globally to suppress this message
[Mon Aug 15 14:55:20.865056 2016] [mpm_event:notice]
[pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu)
configured -- resuming
normal operations

Re: [users@httpd] How to restart apache after reboot on ubuntu 16.04?

2016-08-17 Thread Dr James Smith
Depends on your backends - nginx is good if it is serving primarily 
static files and or proxying back to quick responding backends. It seems 
to be less well suited to slower/heavier backends. Apache always seems 
to work - slower mind you - but always seems to work... So if 
reliability is your requirement then nginx may be a problem!



On 17/08/2016 19:41, Erik Dobák wrote:

why did not you use nginx anyway? should be faster and modern. did not
have the chance to try that yet myself. still using apache everywhere.

On 17 August 2016 at 03:18, R  wrote:

Ugh sorry, I had a test installation of nginx on the machine, which was not
fully removed after doing "apt-get remove". Looks like it would still start
up somehow. After I purged nginx, then apache2 started ok after reboot.

Thanks

On Tue, Aug 16, 2016 at 8:57 PM, R  wrote:

Hi, this is everything from cat /var/log/apache2/error.log:

[Mon Aug 15 13:42:17.138117 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu) configured -- resuming
normal operations
[Mon Aug 15 13:42:17.138282 2016] [core:notice] [pid 26081:tid
139773925775232] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 14:55:14.003814 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00493: SIGUSR1 received.  Doing graceful restart
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/]
does not exist
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
[Mon Aug 15 14:55:14.054552 2016] [ssl:warn] [pid 26081:tid
139773925775232] AH01906:x:0 server certificate is a CA certificate
(BasicConstraints: CA == TRUE !?)
[Mon Aug 15 14:55:14.054736 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips
configured -- resuming normal operations
[Mon Aug 15 14:55:14.054747 2016] [core:notice] [pid 26081:tid
139773925775232] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 14:55:20.854353 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00493: SIGUSR1 received.  Doing graceful restart
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
[Mon Aug 15 14:55:20.865056 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu) configured -- resuming
normal operations
[Mon Aug 15 14:55:20.865076 2016] [core:notice] [pid 26081:tid
139773925775232] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 14:55:23.807722 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00493: SIGUSR1 received.  Doing graceful restart
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
[Mon Aug 15 14:55:23.840209 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips
configured -- resuming normal operations
[Mon Aug 15 14:55:23.840217 2016] [core:notice] [pid 26081:tid
139773925775232] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 14:55:31.995008 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00493: SIGUSR1 received.  Doing graceful restart
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
[Mon Aug 15 14:55:32.023059 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips
configured -- resuming normal operations
[Mon Aug 15 14:55:32.023076 2016] [core:notice] [pid 26081:tid
139773925775232] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 14:56:04.269625 2016] [ssl:error] [pid 29903:tid
139773645637376] [client 64.41.200.108:39890] AH02042: rejecting client
initiated renegotiation
[Mon Aug 15 18:40:58.774299 2016] [ssl:error] [pid 29904:tid
139773819877120] [client 64.41.200.105:34645] AH02042: rejecting client
initiated renegotiation
[Mon Aug 15 19:07:02.626527 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00491: caught SIGTERM, shutting down
[Mon Aug 15 19:07:03.939317 2016] [mpm_event:notice] [pid 2548:tid
140489013651328] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41
OpenSSL/1.0.2g-fips configured -- resuming normal operations
[Mon Aug 15 19:07:03.939444 2016] [core:notice] [pid 2548:tid
140489013651328] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 19:13:44.445770 2016] [mpm_event:notice] [pid 2548:tid
140489013651328] AH00491: caught SIGTERM, shutting down
[Mon Aug 15 19:13:45.265839 2016] [mpm_event:notice] [pid 2705:tid
140547327522688] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41
OpenSSL/1.0.2g-fips configured -- resuming normal operations
[Mon Aug 15 19:13:45.265879 2016] 

Re: [users@httpd] Appache load blance

2016-07-27 Thread James Smith

(Simple) You can use sticky sessions

(Better) Or re-write your code to use a shared memory layer such as 
memcached...


On 7/27/2016 9:58 AM, kaushalender shekhawat wrote:

HI All,

Please forgive me if this sounds very dumb, as I am a very new beginner 
to the apache load balancer. Following is the scenario. Pls help


I have 4 session based application servers behind the Apache load 
balancer. Whenever a request from a short code comes for the 
application, the application responds and copies some data into memory 
which is required for replying again. So in one session 4 to 5 requests 
and responses happen.


If I configure load balancing in round robin then the purpose fails 
because if the first request goes to server A then the next request goes 
to Server B and the transaction will fail.


So I want to configure the load balancer in such a manner that if the 
first request goes to server A then for that session all requests 
should go to server A, and new or fresh requests for other sessions 
can be distributed between B, C, D


Pls help and Thanks in advance








Re: [users@httpd] Run PHP Handler after running my handler Apache

2016-07-19 Thread Dr James Smith
I use something similar - you should really be applying this in one of 
the AAA level of handlers (I use mod_perl rather than C handlers) but 
there are various places you can hook into the process


Usually (and slightly naughtily) I add this to the access handler within 
mod_perl {it does the user/ip identification and then performs the 
appropriate filters}


If you are doing complex access layers (e.g. checking permissions in a 
db) you may not be able to do this with Location/LocationMatch




On 19/07/2016 07:14, Nick Kew wrote:

On Tue, 2016-07-19 at 10:45 +0530, Amlaan Kar wrote:

I have created a handler in Apache

Sounds like your module's processing should be hooked up
earlier in the cycle.  It can then set the handler either
to PHP or to its own page according to the outcome of
whatever parsing it does.

But given that the server parses the URL, you can probably
dispense with that altogether, and use configuration to
deal with whatever your parser does.  If 
or  is not sufficient, then an  clause.
Or even the archaic tool of yesteryear, mod_rewrite.










Re: [users@httpd] Help disabling weak ciphers.

2016-07-16 Thread Dr James Smith

I use:

  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS


as the setting for ciphers - this gets an A+ rating on the Qualys SSL 
Labs scoring (although Java 6 + IE 6 clients don't work but that is the 
compromise you need to take)


James

On 15/07/2016 22:49, Spork Schivago wrote:

Hello,

I think I figured it out.  I removed the DES-CBC3-SHA line from the 
SSL Cipher Suite list and now this is the output from nmap:


| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's 
Encrypt/countryName=US

| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-07-13T03:49:00
| Not valid after:  2016-10-11T03:49:00
| MD5:   e2dd d74b 6978 0d0e 9a7c 0aec c5ed baee
|_SHA-1: 4eef ac38 a8fe 99aa 816b 005a 9849 c674 cd39 98d6
| ssl-enum-ciphers:
|   TLSv1.0:
| ciphers:
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: client
|   TLSv1.1:
| ciphers:
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: client
|   TLSv1.2:
| ciphers:
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds


With the least strength being A, that's exactly what I want, right?   
That would mean the ciphers are very strong ones? I'm still trying to 
learn all of this and now I gotta figure out how to enable "Perfect" 
Forward Secrecy.   Thanks!









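Added example (not the poster's configuration and not Apache code) that hands the SSLCipherSuite string from the reply to the OpenSSL that Python is linked against, lists what it actually selects, and separates suites with ephemeral key exchange from static-RSA ones, which bears on the follow-up question about forward secrecy: the RSA+AESGCM, RSA+AES and RSA+3DES groups in that string are what keep it from being forward-secret only. The exact expansion depends on the local OpenSSL version and security level, so the code classifies rather than hard-codes names.

```python
import re
import ssl

# The SSLCipherSuite value from the reply, verbatim.
PAGE_CIPHER_STRING = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
)

# Kx= values in OpenSSL's cipher description that mean ephemeral key exchange.
# "any" is what OpenSSL reports for TLS 1.3 suites, which are always (EC)DHE.
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL what an Apache-style cipher string selects.
    mod_ssl passes SSLCipherSuite to the same OpenSSL cipher-list parser, so
    this matches what a server with the same OpenSSL build would offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def classify(ciphers):
    """Bucket the expanded list by key exchange using the Kx= field of
    OpenSSL's description line, and note any 3DES survivors."""
    report = {"pfs": [], "no_pfs": [], "triple_des": []}
    for c in ciphers:
        desc = c.get("description", "")
        m = re.search(r"Kx=(\S+)", desc)
        kx = m.group(1) if m else "?"
        bucket = "pfs" if kx in FORWARD_SECRET_KX else "no_pfs"
        report[bucket].append(c["name"])
        if "Enc=3DES" in desc or "DES-CBC3" in c["name"]:
            report["triple_des"].append(c["name"])
    return report


def has_forward_secrecy_only(cipher_string):
    """True if every suite OpenSSL selects for this string uses ephemeral key exchange."""
    return not classify(expand_cipher_string(cipher_string))["no_pfs"]


if __name__ == "__main__":
    report = classify(expand_cipher_string(PAGE_CIPHER_STRING))
    for bucket, names in report.items():
        print(f"{bucket} ({len(names)}):")
        for name in names:
            print("   ", name)
    print("forward-secret only:", has_forward_secrecy_only(PAGE_CIPHER_STRING))
```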
Re: [users@httpd] Re: Strange access.log entry...

2016-07-09 Thread Dr James Smith

Is the response the same as the response for / - that's all I can assume...?


On 09/07/2016 14:00, Jonesy wrote:

On Fri, 8 Jul 2016 15:51:27 -0700, Red-Tail Books wrote:


Wow Ken, Thanks for the thorough research. I just did a whois and
figured it wasn't an attack.

But being a complete rookie (no experience with linux or servers prior
to creating a droplet on DO 2 weeks ago)
I was curious to not see any request prefix (GET|POST|CONNECT...etc...)
and then I saw that the request was successful (status 200) instead of a
404. And what 11k of data did my server send in response...

In 13 days of logs this IP has only hit my server once and this is the
only time I've seen such a request... So no issue with their legitimate
research...

All well and good, I suppose.
I still wonder why the fetch resulted in a "200 OK".












Re: [users@httpd] Issues migrating Weblogic proxies from Sun One 6.1 to Apache 2.4

2016-06-18 Thread Dr James Smith
How are you connecting between the web-proxies and web-logic application 
servers?


Having a firewall in place can be an issue - the firewall may drop idle 
connections silently (we see this with Oracle, mod_jk/AJP/memcache and 
in some instances cached MySQL connections); unfortunately neither end 
knows the connection has been dropped and they still send packets down 
the broken connection - so any attempt to connect just hangs, even 
doing a database ping!


We have dropped mod_jk in favour of using mod_proxy/mod_proxy_http as 
this doesn't have the same problem (but is slightly less efficient).


You can have some success with playing with the TCP keepalive settings:

echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_probes

But even these don't always seem to work - our more robust applications 
keep a track of when the connection was last used and will not 
re-connect to a connection which hasn't been used for 15 minutes

(using mod_perl this can happen!)

On 17/06/2016 15:30, Joe Muller wrote:

I am working on a project to migrate all our IPlanet 6.1 SP19 webserver proxies 
(formerly Sun One) to Apache 2.4, since IPlanet 6.1 does not support TLS 1.2 
and IPlanet 7.0 is being EOL. Our backend application servers are Weblogic 9.2 
/ Weblogic 12c. The IPlanet proxies have performed FLAWLESSLY for over 10 
years, despite the product being no longer supported and their WL Plug-in not 
officially supported with Weblogic 12c.

  However now that we are trying to use a more supported configuration 
(self-compiled Apache 2.4.18 running Weblogic Server Plugin 12.1.3) we are 
constantly seeing these errors, which results in performance degradation for 
our applications, and in some cases I think maybe even lost data.


  [Tue Jun 14 09:27:36.239682 2016] [weblogic:error] [pid 12513:tid 140185150932736] 
[client 10.165.254.1:28171] <1251314659108487> Write to the client failed: 
calling URL::close at line 559 of BaseProxy.cpp, referer: 
https://intgalf.xyz.com/ALFA/selectFileType.do?fileType=O1MM

  [Tue Jun 14 09:27:36.239747 2016] [weblogic:error] [pid 12513:tid 140185150932736] 
[client 10.165.254.1:28171] <1251314659108487> **
  *Exception type [WRITE_ERROR_TO_CLIENT] raised at line 560 of 
BaseProxy.cpp, referer: 
https://intgalf.xyz.com/ALFA/selectFileType.do?fileType=O1MM

  [Tue Jun 14 09:27:36.239952 2016] [weblogic:error] [pid 12513:tid 140185150932736] 
[client 10.165.254.1:28171] <1251314659108487> request 
[/ALFA/servlet/DecryptDownload?linkName=al_o1mm_carr20150630.csv] did NOT process 
successfully.., 
referer:https://intgalf.xyz.com/ALFA/selectFileType.do?fileType=O1MM



  Our topology is like this:

  Client Browser <--> Firewall <--> Load Balancer <--> Web Proxies <--> Firewall 
<--> Weblogic Application Servers

  Oracle support suggested as a workaround that we increase WLSocketsTimeOut in 
the plug-in, but I think that only masks the issue, as we still see the errors.

  We did a network trace and it looks like the Apache plug-in is prematurely 
closing the connection to the WL server, but I can't be certain. We know that 
our firewall is not responsible.

  Any ideas? I thought Apache would work better than Sun One, but this has 
been the opposite. Is there some fundamental webserver tunable parameter that 
is so different between out-of-the-box Sun One and out-of-the-box Apache that 
could be causing this?













Re: [users@httpd] One page hanging entire server

2016-05-10 Thread James Smith
Setting up apache server-status module is always a good idea - as you 
can (try) and see the information about load/requests etc.


wp-cron.php is a wrapper script around a whole system of potentially 
complex functions which maintain the database (garbage collection etc.); it 
depends on what modules you have enabled how this is affecting the rest 
of the server.


If it is locking every WordPress script you may find that every apache 
child eventually handles a WordPress request (99 after the cron job 
locked WordPress) and so there are no free apache children to handle 
requests for static content...


(e.g. with 5 children ... static requests return the child to allow it 
to accept another request - but when a WordPress request happens, that 
locks that child out:


: Request  : Children :
: /static.html : 1:
: /static.html : 1:
: /wp-cron.php : 1:
: /static.html : #2...:
: /wp.php  : #2...:
: /static.html : ##3..:
: /static.html : ##3..:
: /wp.php  : ##3..:
: /static.html : ###4.:
: /static.html : ###4.:
: /wp.php  : ###4.:
: /static.html : 5:
: /static.html : 5:
: /wp.php  : 5:
: /static.html : #:  <- hangs no free child

On 5/9/2016 9:26 PM, Christopher Schultz wrote:



D'arcy,

On 5/9/16 2:16 PM, D'Arcy J.M. Cain wrote:

This weekend at various times my server was brought down.  I saw
one process using over 99% of the CPU.  No pages could be served
while this was going on.  I found the culprit.  It was a Wordpress
site and the script was wp-cron.php.  I stopped it by adding a line
to wp-config.php as
http://geektnt.com/how-to-solve-wp-cron-php-high-cpu-usage.html
and other sites suggested.

However, I am still confused how this one process was able to block
all other pages.  I have MaxClients set to 100 and 15 other cores
that they can be run on.  Why didn't my server continue to serve
requests?

What kind of response were you getting from your server when you
connected with another client? Timeout? 503? 500?

If you tried to hit another WordPress page, it probably ALSO called
wp-cron.php which tried to hit the db to check for outstanding tasks,
and that call probably got blocked by a db record or table lock.

I'm guessing this is really a question for the WordPress community.

-chris











Re: [users@httpd] Make Apache react more graceful to SSL errors

2016-05-01 Thread Dr James Smith

Agree with Michael,

My start/stop scripts all now do a configtest before trying to 
stop/start apache - this way I never end up with no service if something goes 
wrong!


I do have a forcestop which will stop an apache if the config is wrong - 
as a last resort!


James

On 01/05/2016 14:27, Michael A. Peters wrote:

On 05/01/2016 06:19 AM, Florian Lindner wrote:

Hello,

in my server configuration users can place their own SSL certificate in
predefined directories. A daily cron script detects them, updates the apache
config and restarts the server.

However, if there is a problem with the certificate or key file, the apache
refuses to work altogether.

Is it possible to make apache disable only the problematic vhost instead of
refusing to start?


What you probably need to do is validate the certificates before 
updating the apache configuration file. The TLS library (e.g. openssl) 
probably can do that, though I'm not familiar with the specific 
argument you would need.


Apache also has a check that can test whether or not apache will 
successfully start, that you can run before restarting the server.


apachectl configtest

I believe is the command.

I'm not sure it tests all the TLS certs but if it doesn't, it is a bug 
in my mind.
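One way to do what both replies suggest: validate each user-supplied cert/key pair before it is written into the config, and gate the restart on a config test. This is an added example, not code from the thread or from httpd; it uses only the Python standard library (`ssl.SSLContext.load_cert_chain` makes OpenSSL parse the PEM files and check that the key matches the certificate), and the command lists are parameters so the flow can be exercised without a real httpd.

```python
"""Pre-flight checks before restarting httpd after a cron job rewrites vhost
config.  Added example, not from the thread.  Assumptions: each vhost is
described by (certfile, keyfile); the real commands would be
["apachectl", "configtest"] and ["apachectl", "graceful"]."""
import os
import ssl
import subprocess
import tempfile
from typing import Dict, List, Sequence, Tuple


def check_cert_pair(certfile: str, keyfile: str) -> Tuple[bool, str]:
    """Return (ok, reason).  Loading the pair into a server context makes
    OpenSSL parse both PEM files and verify the private key matches the cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except (ssl.SSLError, OSError) as exc:   # bad PEM, key mismatch, missing file
        return False, str(exc)
    return True, "ok"


def usable_vhosts(pairs: Dict[str, Tuple[str, str]]) -> Tuple[List[str], Dict[str, str]]:
    """Split vhosts into those whose cert/key loads (safe to write into the
    config) and those to leave out, with the reason.  pairs maps
    vhost name -> (certfile, keyfile)."""
    good, bad = [], {}
    for name, (cert, key) in sorted(pairs.items()):
        ok, reason = check_cert_pair(cert, key)
        if ok:
            good.append(name)
        else:
            bad[name] = reason
    return good, bad


def safe_reload(configtest_cmd: Sequence[str], reload_cmd: Sequence[str]) -> bool:
    """Run the config test and reload only if it passes.  Returns True when the
    reload was issued, False when the test failed (old config keeps serving)."""
    test = subprocess.run(list(configtest_cmd), capture_output=True, text=True)
    if test.returncode != 0:
        return False
    subprocess.run(list(reload_cmd), check=True)
    return True


def demo() -> dict:
    """Self-contained run: a constructed, deliberately invalid PEM file stands
    in for a user's broken certificate, and `sh -c 'exit 1'` stands in for a
    failing configtest, so no httpd is needed."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nnot really base64\n-----END CERTIFICATE-----\n")
        junk = fh.name
    try:
        good, bad = usable_vhosts({
            "broken.example": (junk, junk),
            "missing.example": ("/nonexistent/cert.pem", "/nonexistent/key.pem"),
        })
        reloaded = safe_reload(["sh", "-c", "exit 1"], ["true"])
    finally:
        os.unlink(junk)
    return {"good": good, "bad": sorted(bad), "reloaded": reloaded}


if __name__ == "__main__":
    print(demo())
```

In the cron job, write only the `good` vhosts into the generated include, log the `bad` ones with their reasons, and then call `safe_reload(["apachectl", "configtest"], ["apachectl", "graceful"])`; a bad file then costs one vhost rather than the whole server.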













Re: [users@httpd] What is wrong with my virtual host setting

2016-04-10 Thread Dr James Smith



On 10/04/2016 15:31, Roland Szűcs wrote:

Hi folks,

I use Apache 2.4 and I installed a Glassfish application server behind 
it. I use the mod_jk module as the dynamic content has to be handled by 
Glassfish and my static content (wordpress blog) is handled by Apache.


My test domain is: muveltnep.hu

My conf file for virtual host looks like this:

ServerAdmin webmaster@localhost
ServerName muveltnep.hu
ServerAlias www.muveltnep.hu
DocumentRoot /home/glassfish/glassfish/domains/domain1/applications/muveltnepbasic

JkMount /* muvnepworker
JkUnMount /blog/* muvnepworker
<Directory /home/glassfish/glassfish/domains/domain1/applications/muveltnepbasic/blog>
Options Indexes FollowSymLinks MultiViews
Require all granted
AddHandler php5-script php
</Directory>

ErrorLog /home/glassfish/glassfish/domains/domain1/logs/error.log
CustomLog /home/glassfish/glassfish/domains/domain1/logs/access.log combined



The following errors occur:
1. If I type muveltnep.hu I got a 404 response
Not sure how your tomcat/glassfish is configured to handle the root 
level requests!
2. If I type muveltnep.hu/muveltnepbasic I got the right index.xhtml and it 
works properly
3. If I type muveltnep.hu/blog where there 
is an index.php of my wordpress, I got: /blog/index.xhtml Not Found in 
ExternalContext as a Resource.




For this you need to add index.php to the document index ... or 
configure wordpress according to the standard instructions with a 
rewrite rule if you are doing fancy URLs - although this may not play 
nicely with having the JkMount/JkUnMount stuff!

i.e.

DirectoryIndex index.php index.xhtml


Anybody can help me to find my mistakes in the configuration?

Roland Szűcs
CEO, Bookandwalk.hu
Phone: +36 1 210 81 13







Re: [users@httpd] Apache 2.2 End of life

2016-03-21 Thread James Smith



On 3/21/2016 4:07 PM, Michael A. Peters wrote:

On 03/21/2016 08:51 AM, ismail berrada wrote:

Hi

Can someone tell me when Apache 2.2 EOL will occur?

Regards



I can't find anything official but 1.3 went EOL in 2010 and 2.0 went 
EOL in 2013.


Not enough data points to say there's a trend, but it wouldn't 
surprise me if 2.2 doesn't have much time left.


I doubt it will be EOL before the next major version (2.6 ??) is 
released.


If you are running 2.2.x I would recommend upgrading to 2.4.18 simply 
because HTTP/2 has a lot of advantages.


But make sure you read the documentation on how to set it up before you 
blindly switch, as there are some
major differences in the conf files from 2.2 to 2.4 (and some changes to 
coding if you are writing handlers/filters)











Re: [users@httpd] Address already in use in Apache on Mac

2016-03-19 Thread Dr James Smith
Apache will have already started... try -k restart or -k stop followed 
by -k start


On 19/03/2016 07:21, Roparzh Hemon wrote:

Hello all, I get the following error message when I try to launch the
Apache server :

$ sudo ./bin/apachectl -k start
Password:
(48)Address already in use: AH00072: make_sock: could not bind to
address [::]:80
(48)Address already in use: AH00072: make_sock: could not bind to
address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Here is the output of sudo lsof -i:80 :

$ sudo lsof -i:80
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   40013 root5u  IPv6 0x81ec9b8feb11d6a5  0t0  TCP *:http (LISTEN)
httpd   40025 _www5u  IPv6 0x81ec9b8feb11d6a5  0t0  TCP *:http (LISTEN)
httpd   40031 _www5u  IPv6 0x81ec9b8feb11d6a5  0t0  TCP *:http (LISTEN)

Should I kill all those processes ? Will that harm my usual Internet browsing ?

I also looked for possible "Conflicting Listen declarations" in my .conf files.
There are nine .conf files in my Apache directory :

httpd-2.4.18/modules/lua/test/test_httpd.conf
httpd-2.4.18/modules/core/test/conf/test31.conf
httpd-2.4.18/modules/core/test/conf/test14.conf
httpd-2.4.18/docs/conf/httpd.conf
httpd-2.4.18/docs/conf/extra/httpd-ssl.conf
conf/original/httpd.conf
conf/original/extra/httpd-ssl.conf
conf/httpd.conf
conf/extra/httpd-ssl.conf

I only need look at the last two in the list, right ?

I found Listen 80 in the httpd.conf file and Listen 443 in the
httpd-ssl.conf file.
These are not conflicting, right ?
Any help appreciated.











Re: [users@httpd] Howto accept only one connection

2016-02-19 Thread Dr James Smith

Can you not just go into debug mode -X?


On 19/02/2016 12:52, Aurélien Terrestris wrote:
Richard, is this a config that you tried successfully ? On my server, 
"prefork MPM" will put requests in the backlog (waiting), and "event 
MPM" is not designed for such behaviours because of its 
multi-threading model (I did not try "hybrid MPM" since it is supposed 
to be multi-threaded as well)




2016-02-19 13:46 GMT+01:00 Richard:




> Date: Friday, February 19, 2016 13:32:02 +0100
> From: Oliver Graute
>
> On 19/02/16, Jim Jagielski wrote:
>> Just one connection? By that do you mean one concurrent user or
>> actually one request or actually one connection?
>>
>> A connection is a socket opened between the client and the server.
>> A request is a HTTP request on that connection.
>
> my requirement is:
>
>  "The Apache server listens on port 443i (https). It must accept
> only one connection at a time on this port"
>
> so its one socket opened between the client and the server.
>
> Best Regards,
>
> Oliver
>

Other than humoring a customer, who may not understand what they are
asking for, what is the goal of trying to do this?

I don't think the server will be very usable -- basically you want
to set "startservers" to 1, "spareservers" to 0 and "maxclients" to
1.












Re: [users@httpd] How to solve ONE fixed IP serving multiple web-servers running on VMs

2015-12-27 Thread Dr James Smith
You need to set up one webserver on the fixed IP as a proxy. (Look up 
docs for mod_proxy) and set up appropriate rules to proxy through to 
your back-end servers...


On 27/12/2015 18:28, Jim Paniagua wrote:

I don't even know how VMs work .. sorry, no help

On Fri, Dec 25, 2015 at 7:11 AM, Stephen Liu wrote:


Hi all,

I have following problem:

Host   Ubuntu 14.04 desktop
VMs   Ubuntu 14.04 desktop/server edition
VirtualBox

I have several web-servers running on VMs, each with its own
domain/subdomain and internal IP address.  But I have only one
Fixed IP/External IP.

All VMs are Apache server running WordPress.  I can create many
internal IPs on router.

Please advise how can I make all web-servers be browsed on Internet

Thanks in advance.

Regards
satimis








Re: [users@httpd] Hung thread

2015-08-17 Thread Dr James Smith
Have you looked at installing apache server status code so you can see 
what the last request is on each of these hung threads...


Alternatively if you have something like mod_perl installed one thing 
that you can do is add a handler to warn the PID/request to the error 
logs at the start and end of the requests (with an appropriate tag) then 
you can look at the history of the hung threads to see if there is 
anything consistent with them...


Before I've had threads hang if it is the request after a particular 
request - or on a particular set of circumstances for a particular 
request (infinite loop or something similar)


HTH

James

On 17/08/2015 20:18, Mark Jacquet wrote:

Jeff/Community

Getting back to this thread after a long time. We tried many things 
since this initial issue: Moved to linux, tried latest 
apache/apr/aprutils bins, tried adjusting the configuration, etc. All 
this failed eventually in the same way: Multiple hung threads 
eventually overloading the server.


In our current environment we switched to pre-fork mpm thinking that 
maybe threading was killing us. This seemed to work well until day 20 
(which seems to be relevant as we got to day 20 a few times). Today 
all 200 procs (Max Servers) were launched, not one would die. All hung.


The root proc is in this state:

$sudo pstack 5362
#0  0x0039892e1353 in __select_nocancel () from /lib64/libc.so.6
#1  0x77989025 in apr_sleep () from 
/codeadm/http_servers/httpd-2.4.16-prefork/lib/libapr-1.so.0

#2  0x004325ec in ap_wait_or_timeout ()
#3  0x00469680 in prefork_run ()
#4  0x0043171e in ap_run_mpm ()
#5  0x0042b9e4 in main ()

Typical pstack from a hung proc is

$ sudo pstack 6100
#0  0x77dd4955 in move_block () from 
/codeadm/http_servers/httpd-2.4.16-prefork/lib/libaprutil-1.so.0
#1  0x77dd50a1 in apr_rmm_calloc () from 
/codeadm/http_servers/httpd-2.4.16-prefork/lib/libaprutil-1.so.0
#2  0x75f26c66 in util_ald_strdup () from 
/codeadm/http_servers/httpd/modules/mod_ldap.so
#3  0x75f2628a in util_ldap_search_node_copy () from 
/codeadm/http_servers/httpd/modules/mod_ldap.so
#4  0x75f27235 in util_ald_cache_insert () from 
/codeadm/http_servers/httpd/modules/mod_ldap.so
#5  0x75f2352d in uldap_cache_checkuserid () from 
/codeadm/http_servers/httpd/modules/mod_ldap.so
#6  0x76b459ae in authn_ldap_check_password () from 
/codeadm/http_servers/httpd/modules/mod_authnz_ldap.so
#7  0x7673ae4f in authenticate_basic_user () from 
/codeadm/http_servers/httpd/modules/mod_auth_basic.so

#8  0x00441c90 in ap_run_check_user_id ()
#9  0x004451d2 in ap_process_request_internal ()
#10 0x004627d8 in ap_process_async_request ()
#11 0x0046294f in ap_process_request ()
#12 0x0045ec9e in ap_process_http_connection ()
#13 0x004567f0 in ap_run_process_connection ()
#14 0x0046900e in child_main ()
#15 0x00469264 in make_child ()
#16 0x00469d87 in prefork_run ()
#17 0x0043171e in ap_run_mpm ()
#18 0x0042b9e4 in main ()
[jacquet@llbdub0009 logs]$

Running on Red Hat Enterprise Linux Server release 6.6 (Santiago) with 
httpd-2.4.16-prefork.


Killing off these hung procs only band-aids the situation. New procs 
also hang (building up slowly now).

I am going to have to do a full restart of the server.
My expectation is that the server will be fine again for another 20 days.

Grasping at straws now. Any thoughts on this? Anything to try?

Thanks
Mj





On Thursday, June 18, 2015 7:56 AM, Jeff Trawick wrote:



On Wed, Jun 17, 2015 at 8:51 PM, Mark Jacquet wrote:


Just another oddity to add to the issue.

Overnight several more hung threads appeared and the load on the
system had jumped into the mid 20's.
After killing these the load did not drop. Looking at the list of
running processes I found httpd's running, spawned from the
original root httpd process that *were not even displayed* in the
scoreboard!!  After killing these hidden zombies off the load
dropped again.


What's common about the processes?  Similar backtrace to the first one 
posted?




So now I have to catch and kill two types: Zombies on the
scoreboard and hidden zombies.

And this is cute. Some times the zombies hang around so long that
when the system gets back to creating a new process for slot #1,
if the zombie was originally in that slot it is displayed there
along with its brothers for the new process:


scoreboard squatting


e.g. Note process 19597 below

1-0 166310/33/1320_ 131.22202255280.01.6035.79
10.172.91.217newyahoo.oak.sap.corp:80NULL 1-0 166310/18/1087_
105.88340736980.00.6926.65
10.172.240.113www-dse.oak.sap.corp:80GET
/cgi-bin/websql/websql.dir/QTS/bugsheetcont.hts?bugid=74133
1-0 166310/11/1178_ 

Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread James Smith



From Apache point of view...

 * Don't use .htaccess files... put everything in httpd.conf (or
   equivalent) there is a huge file system performance hit {Apache has
   to look for .htaccess files in the directory and any parent directories}
   include AllowOverride None in httpd.conf
 * Remove etags (Header unset Etag/FileETag None)
 * Enable keepalive
 * Turn on gzip encoding {mod_deflate} which you have done
 * Auto set expiry dates into the future {mod_expires}:
   ExpiresActive On / ExpiresDefault access plus 366 day / Header
   append Cache-Control public
   for static content...

Additionally...

 * For images look at: optipng, jpegoptim, advpng... {consider
   spriting if useful}
 * For minifying CSS/JS: look at yui compressor and google closure
   compiler...  (Use jshint to check your js to make sure that it will
   merge/compress OK)
 * Can use a number of build tools to do some of this auto-magically...
 * Move (most) JS to the foot of the page

Watch out with minifying HTML - there is a minor bug with most of the 
minifiers, which can't handle correctly ends of line after tags, 
and if you have gzip encoding it usually doesn't make a difference!


Finally...

 * Look at your code and try and optimize your HTML { put as much
   presentation as possible into CSS }
 * Look at your JS - don't use multiple library classes - I have seen
   sites using jQuery, Scriptaculous and YUI at the same time!

On 08/06/2015 22:43, Motty Cruz wrote:

Hello,
I added this code on .htaccess
<IfModule mod_mime.c>
  AddType application/x-javascript .js
  AddType text/css .css
</IfModule>
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/css application/x-javascript 
text/x-component text/html text/richtext image/svg+xml text/plain text/xsd 
text/xsl text/xml image/x-icon application/javascript
  <IfModule mod_setenvif.c>
   BrowserMatch ^Mozilla/4 gzip-only-text/html
   BrowserMatch ^Mozilla/4\.0[678] no-gzip
   BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  </IfModule>
  <IfModule mod_headers.c>
   Header append Vary User-Agent env=!dont-vary
  </IfModule>
</IfModule>

does not seem to make a difference!



On 06/08/2015 02:38 PM, Emir Ibrahimbegovic wrote:

What have you tried?

On Mon, Jun 8, 2015 at 5:35 PM, Motty Cruz wrote:


Hello,
I am getting the following suggestions from:
https://developers.google.com/speed/pagespeed/insights/


Should Fix:
Optimize images
Leverage browser caching
Consider Fixing:
Eliminate render-blocking JavaScript and CSS in above-the-fold
content
Minify CSS
Minify HTML

What is the best practice to solve errors above?

Thanks,











Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread James Smith
Yes - it is the request overhead - the client will still make the 
request, at which point the server has got to decide whether it has changed 
- which for most static requests is the heaviest (slowest) 
part - before returning the not-changed response, and then serving the 
content!


You are better to:

(a) set near future or mid future headers [ expires in a month or in a year]
(b) alter filenames if you significantly change the file contents [ we 
use MD5 of content for js/css ]


Note this is hyper-tuning of Apache... some people may want to enable 
it - it was originally set up when most users were on 28K/33.6K modems 
(or slower) and the transfer of data was the slow part of the equation!


James

On 09/06/2015 13:27, Frederik Nosi wrote:


Hi James,
On 06/09/2015 10:24 AM, James Smith wrote:



From Apache point of view...

  * Don't use .htaccess files... put everything in httpd.conf (or
equivalent) there is a huge file system performance hit {Apache
has to look for .htaccess files in the directory and any parent
directories}
include AllowOverride None in httpd.conf
  * Remove etags (Header unset Etag/FileETag None)



Won't this disable conditional requests, ex. If-None-Match and 
friends? Is your recommendation because of the header overhead or am I 
missing something?


[...]


Thanks,
Frederik
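The two halves of James's advice (far-future Expires/Cache-Control on static content, and a content hash in the filename so that a changed file gets a new URL instead of relying on ETags) go together, and the example below implements them. It is an added example, not code from the thread or from the Sanger site; the `publish` helper, the 12-character hash length, the directory layout and the sample assets are assumptions.

```python
"""Content-addressed static asset names plus far-future cache headers.
Added example, not from the thread.  Assumptions: css/js files live in one
source directory and are copied to a publish directory under hashed names;
templates look the hashed name up in the returned manifest."""
import hashlib
import os
import re
import shutil
import tempfile
from typing import Dict, Tuple

ONE_YEAR = 366 * 24 * 3600          # matches "access plus 366 day" in the post
_VERSIONED = re.compile(r"^(?P<stem>.+)\.(?P<hash>[0-9a-f]{12})\.(?P<ext>css|js)$")


def content_hash(data: bytes, length: int = 12) -> str:
    # MD5 is only a change detector here (the post's choice), not a security boundary.
    return hashlib.md5(data).hexdigest()[:length]


def versioned_name(filename: str, data: bytes) -> str:
    """site.css + content -> site.<hash>.css; any edit produces a new name."""
    stem, ext = os.path.splitext(filename)
    return f"{stem}.{content_hash(data)}{ext}"


def cache_headers(filename: str) -> Dict[str, str]:
    """Hashed assets may be cached for a year and never revalidated (no ETag
    round trip); anything else must be revalidated on each use."""
    if _VERSIONED.match(os.path.basename(filename)):
        return {"Cache-Control": f"public, max-age={ONE_YEAR}, immutable"}
    return {"Cache-Control": "no-cache"}


def publish(src_dir: str, out_dir: str) -> Dict[str, str]:
    """Copy css/js files under hashed names; return {original: hashed}."""
    manifest: Dict[str, str] = {}
    os.makedirs(out_dir, exist_ok=True)
    for name in sorted(os.listdir(src_dir)):
        if not name.endswith((".css", ".js")):
            continue
        with open(os.path.join(src_dir, name), "rb") as fh:
            data = fh.read()
        hashed = versioned_name(name, data)
        with open(os.path.join(out_dir, hashed), "wb") as fh:
            fh.write(data)
        manifest[name] = hashed
    return manifest


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed input: two small assets written to a temporary directory."""
    src, out = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        with open(os.path.join(src, "site.css"), "w") as fh:
            fh.write("body{margin:0}")
        with open(os.path.join(src, "app.js"), "w") as fh:
            fh.write("console.log(1)")
        manifest = publish(src, out)
        return manifest, cache_headers(manifest["site.css"])
    finally:
        shutil.rmtree(src)
        shutil.rmtree(out)


if __name__ == "__main__":
    print(demo())
```

In httpd terms the `cache_headers` split corresponds to `ExpiresDefault "access plus 366 days"` plus `Header append Cache-Control public` scoped to the hashed-asset directory only, with the HTML that references them left revalidating; the hash in the name is what makes the long lifetime safe.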






Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread James Smith
It's not the etag calc, it's actually the round tripping to the server 
that is the main overhead - better to get the client to cache content...
Apache will still have to touch the file system to see if the content 
has changed (however it is done) and on some filesystems just
locating the file and making sure the user can read it is slower than 
serving it (especially high availability and virtual file systems)...


James

On 09/06/2015 14:51, Frederik Nosi wrote:

Hi Rainer,

On 06/09/2015 02:53 PM, Rainer Canavan wrote:

  Remove etags (Header unset Etag/FileETag None)
Won't this disable conditional requests, ex. If-None-Match and 
friends? Is
your recommendation because of the header overhead or am I missing 
something?

Just if-None-Match. If-Modified-Since would still work. I believe
people recommend disabling ETags because they may cause problems with
clusters (i.e. different inode numbers or modification times for
otherwise identical files), or gzip content encoding
(https://bz.apache.org/bugzilla/show_bug.cgi?id=45023).


Well, if it's a static file I think the etag calculation should be 
quite fast, after all in the default apache setting it's computed 
using three values:


FileETag INode MTime Size

which at least on linux should be cached in the dentry / filesystem 
cache.


So intuitively it should be less work than reading these values, the file 
content and sending it.

It's not that i've done measurements on this though, just speculation.

As for the cluster case (and for security reasons), i've been using:

FileETag MTime Size

Out of curiosity, does somebody have real measurements?




rainer















Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread James Smith
In many cases it will only be a few packets anyway so won't actually 
make that much difference!


The point is that it is better to stop the request in the first place by 
setting the appropriate expires/cache control header... than use the 
etag mechanism...


James

On 09/06/2015 14:56, Frederik Nosi wrote:

Hi James,

On 06/09/2015 02:36 PM, James Smith wrote:
Yes - it is the request overhead - the client will still make the 
request, at which point the server has got to decide whether it has changed 
- which for most static requests is the heaviest 
(slowest) part - before returning the not-changed response, and then 
serving the content!


But at this point the server in case of a positive match will send 
just a 304 reply with no content, thus saving bandwidth and time (due 
to eventual roundtrips), no?




You are better to:

(a) set near future or mid future headers [ expires in a month or in 
a year]


Sure, the best request is the one that does not even come :-)

(b) alter filenames if you significantly change the file contents [ 
we use MD5 of content for js/css ]




This only if you're in the position to decide the site layout though.

Note this is hyper-tuning of Apache... some people may want to 
enable it - it was originally set up when most users were on 
28K/33.6K modems (or slower) and the transfer of data was the slow 
part of the equation!


James


[...]


Thanks,
Frederik






Re: [users@httpd] Random latency in reentrant calls (Bug 57916)

2015-05-12 Thread Dr James Smith

You are probably hitting child spin up issues...

Out of the box apache uses a process per apache child... There is an 
overhead/delay when a child is initially spun up,

and that is what you are possibly seeing...

nginx works a different way - and can cope with a moderate number of 
light requests better than apache, but once
the numbers of requests get higher (or they get heavier) then nginx can 
start dropping requests in interesting ways!


Additionally there is a cleanup phase in the apache process which 
handles logging (and other potential custom
code) which happens after the request is finished - so although you 
think you have only two simultaneous requests
there are probably more in the process (after each request there will be 
a write to disk to write the access log)


<IfModule mpm_prefork_module>
   StartServers 5
   MinSpareServers  5
   MaxSpareServers 10
   MaxRequestWorkers  150
   MaxConnectionsPerChild   0
</IfModule>

You can tune apache by increasing the first 3 values and this will 
likely remove the effect you are seeing at least

for the number of requests you are making...

HTH

On 12/05/2015 08:13, Luc Andre wrote:
This issue was first submitted as a bug report but I was advised to 
use this mailing list instead.


The problem occurs with an 'out of the box' configuration (tested on 
debian and windows)


Our PHP web site sometimes requires a reentrant call (i.e. it calls 
file_get_contents('http://127.0.0.1/reentrant.php')).


Most of the times calls are really fast (1ms) but a few ones take 
over 0.5 secs.


We had a hard time reproducing the bug but we finally found a php 
script that calls itself (see enclosure).


To test it just try http://127.0.0.1/reentrant.php?count=10 where 10 
is the reentrancy level.


The script works fine with NGINX that's why we suspect apache rather 
than PHP.


Sample output with count=15
Each value of 'report' is the time spent between the http request and 
the execution of the first PHP line.


{
 microtime: 1431414304.2875,
 report: [
 0.0014371871948242,
 0.1552619934082,
 0.020139932632446,
 0.82674908638,
 0.5719690322876,
 0.00056719779968262,
 0.00065994262695312,
 0.00075387954711914,
 0.00066518783569336,
 0.00063514709472656,
 0.00071001052856445,
 0.00066900253295898,
 0.00063490867614746,
 0.00070381164550781,
 0.00070095062255859
 ]
}

You can see that 3 calls are ridiculously slow for a simple localhost 
request.


We don't believe in a misconfiguration issue since we reproduced it 
with an out of the box config.


Feel free to reopen the BR 57916 if you agree that it is a bug.

Regards,

Luc



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com



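A small model of what the reply describes, as an added example (not code from the thread or from httpd). It mimics the part of prefork's idle-server maintenance that matters here: once a second the parent compares idle children against MinSpareServers/MaxSpareServers, forks a burst that doubles each second (1, 2, 4, ... capped at 32) while idle stays short, and reaps one surplus child per second. A request that finds no idle child waits for the next pass, which is the half-second-scale gap in the reported numbers. Assumptions of the model: a maintenance pass is a whole one-second tick, the kernel listen backlog is ignored, and fork cost itself is not charged. The stock values are the ones quoted above; the "tuned" values are made up for the comparison.

```python
"""Toy model of prefork child spin-up under nested (reentrant) requests.

Added example.  Each level of reentrant.php?count=N keeps its child busy
while it fetches the next level, so N children are held at once; with only
StartServers idle children, the request that arrives when none is free waits
for the parent's next maintenance pass to fork one.
"""
MAX_SPAWN_RATE = 32          # prefork.c caps the per-pass burst here


class PreforkModel:
    def __init__(self, start_servers, min_spare, max_spare, max_workers):
        self.children = start_servers    # StartServers forked at boot
        self.busy = 0                     # children holding a request now
        self.min_spare = min_spare
        self.max_spare = max_spare
        self.max_workers = max_workers    # MaxRequestWorkers (MaxClients in 2.2)
        self.spawn_rate = 1               # idle_spawn_rate

    @property
    def idle(self):
        return self.children - self.busy

    def maintenance(self):
        """One idle-server maintenance pass.  Returns children forked."""
        if self.idle > self.max_spare:
            self.children -= 1            # too many idle: reap one per pass
            self.spawn_rate = 1
            return 0
        if self.idle < self.min_spare:
            spawned = min(self.spawn_rate, self.max_workers - self.children)
            self.children += spawned
            if spawned:                   # burst doubles while still short
                self.spawn_rate = min(self.spawn_rate * 2, MAX_SPAWN_RATE)
            return spawned
        self.spawn_rate = 1               # comfortable: reset the burst
        return 0

    def acquire(self):
        """Take an idle child; return whole seconds spent waiting for the
        parent to fork one.  Raises when every worker slot is already held:
        a nested chain that deep can never be served (self-inflicted DoS)."""
        waited = 0
        while self.idle <= 0:
            if self.children >= self.max_workers:
                raise RuntimeError("every worker held; nested request never served")
            waited += 1
            self.maintenance()
        self.busy += 1
        return waited

    def release(self, count=1):
        self.busy -= count


def nested_request_waits(model, depth):
    """Simulate reentrant.php?count=depth; return the wait (seconds) per level."""
    waits = [model.acquire() for _ in range(depth)]
    model.release(depth)                  # innermost returns, chain unwinds
    return waits


if __name__ == "__main__":
    stock = PreforkModel(start_servers=5, min_spare=5, max_spare=10, max_workers=150)
    print("stock config:", nested_request_waits(stock, 15))
    tuned = PreforkModel(start_servers=20, min_spare=20, max_spare=40, max_workers=150)
    print("tuned config:", nested_request_waits(tuned, 15))
```

With the stock values, levels 6, 7, 9 and 13 of a 15-deep chain each eat a full pass waiting for a fork; with StartServers/MinSpareServers raised above the expected depth every level is served at once, which is the tuning the reply suggests. The RuntimeError branch is the real hazard: a synchronous self-call chain as deep as MaxRequestWorkers holds every worker and blocks until a timeout, so a site should not call itself over HTTP from inside a request at all if it can avoid it.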

Re: [users@httpd] Apache24, Perl 5.010, MySQL 5.6 and Windows 8.1 - no database connection

2015-04-19 Thread Dr James Smith

Dan,

The #! line has to be the first line - so it's being ignored... remove 
the ##! line at the start and see what happens.


James

On 19/04/2015 18:28, Dan Östberg wrote:
Dear Jeff :-) As you can see from the enclosed files I've changed the 
ScriptInterpreterSource.
Are there any updates of httpd.conf that I shall do? DBIcreatetable.pl 
doesn't run but printenv.pl does



2015-04-19 18:22 GMT+02:00 Jeff Trawick <traw...@gmail.com>:


On 04/19/2015 11:01 AM, Dan Östberg wrote:

Everything works (It works!) except for running cgi/pl-files
where database connection are involved. A typical Apache server
error message is

[Sun Apr 19 15:11:03.324060 2015] [cgi:error] [pid 3312:tid 1032]
(9)Bad file descriptor: [client ::1:49681] AH01222: don't know
how to spawn child process: C:/Apache24/cgi-bin/DBIcreatetable.pl

HELP!

Expect this to be a simple issue of running Perl scripts as CGIs,
and nothing to do with database connections.

Please have a look at this documentation and see if it helps:
http://httpd.apache.org/docs/2.4/mod/core.html#scriptinterpretersource






Re: [users@httpd] Httpd Tomcat

2015-04-17 Thread James Smith



On 17/04/2015 09:15, Bremser, Kurt (AMOS Austria GmbH) wrote:
Tomcat uses several ports. One of these is a standard HTML port that 
can be usefully accessed with a browser. Since tomcat itself listens 
on this port, DO NOT USE it in httpd!
If you want to serve tomcat content via your apache(httpd), you need 
to use a connector (ie mod_jk) and specify the correct connector port 
in workers.properties. You can find the example for this in the 
mod_jk.conf in the conf/extra subdirectory of your apache tree.

The ports of tomcat can be found in conf/server.xml in the tomcat tree.

You can also use mod_proxy to do this as well - depending on the 
frequency of connections you may find that the mod_proxy solution is better
- mod_jk isn't good at coping with network issues although this probably 
isn't a problem in your case...





Re: [users@httpd] Re: 2 web servers in load balancing

2015-03-17 Thread Dr James Smith

On 17/03/2015 07:59, Alfredo De Luca wrote:


Hi all.
Any clue on this?

On 15/03/2015 9:30 PM, Alfredo De Luca <alfredo.del...@gmail.com> wrote:


Hi all.
I ve never done this before so I am asking best practice/info/docs of
how to have 2 apache web servers in load balancing.

- Which httpd module do I have to load in the http conf?

Nothing unless you are using apache load balancer modules as a front end 
... (mod_proxy_balancer)


- I was reading that I have to have a web load balancer on top of
them? Is it necessary? Can they accept requests from a cisco /F5 load
 balancer?

I haven't played with F5 load balancers - but use the rival product 
Brocade/SteelApp/StingRay/Zeus
traffic managers - which I think the F5s do the same thing as (just not 
as user friendly)
so they should be able to do the job (I know we looked into it when we 
bought the ZTMs)


- What about persistent connection?

? HTTP is stateless - if you have poorly written backends which require 
requests to go to the backend
you should be able to use sticky sessions - but this is bad as you lose 
resilience (one of the main

reason for load balancing backends!)


- Also we'll have a MySQL server? Any more info about this?

Load balancing MySQL can be trickier - easier if mainly RO connections 
(you can round robin requests
to a large number of clones - or usually slaves to a single master) but 
harder if read/write

- you can look at mysql cluster or master-master MySQL (galera)

Read write you can use master + multiple slaves - but need to tag a 
process/session/user as
requiring access to master if a write happens for an unspecified length 
of time!



Thanks in advance
--
Alfredo






Re: [users@httpd] Decompress requests using mod_deflate and uset Content-Encoding header

2015-03-09 Thread James Smith

Wrong header...

RequestHeader unset Accept-Encoding

is the way to stop the backend compressing the request...

On 09/03/2015 14:57, dennis.luna...@t-systems.com wrote:

Hi,

I have some problems using mod_deflate to decompress requests.

I am using an Apache 2.4 as a reverse proxy on Red Hat Enterprise Linux Server 
release 6.4 (Santiago). Within this Apache I have to decompress requests and 
compress the answers.
To do this for some specific requests I defined a location:
<Location /web-services>
   SetInputFilter DEFLATE   
   SetOutputFilter DEFLATE  
</Location>
I got the result that the requests have been decompressed, but the header 
Content-Encoding gzip is still set, causing problems on the next server.

So I removed the Content-Encoding header using mod_headers:
<Location /web-services>
   RequestHeader unset Content-Encoding
   SetInputFilter DEFLATE   
   SetOutputFilter DEFLATE  
   Header set Content-Encoding gzip
</Location>
As a result in the request the Content-Encoding is not set anymore. But the 
request is still compressed.
The manual of mod_deflate says that only requests with the header 
Content-Encoding gzip are decompressed. So it seems that mod_headers is 
executed before mod_deflate.

So basically either the decompression is done and the header is not changed or 
the header is changed but the decompression is not done.
Is there any way to decompress the request and remove the Content-Encoding gzip 
header?

Regards,
Dennis









Re: [users@httpd] Apache make fedora go into corner

2014-12-27 Thread Dr James Smith

On 27/12/2014 13:21, georg chambert wrote:
Hi, have for a bit of time had trouble with my server PC running 
Fedora OS and Apache.
After some time it goes into a non-communicating mode, does not take 
any input whatsoever,
hard shutdown is the only way to get out. It can be 24 hours and it can be 
14 days of running before this happens.

While if the httpd is not active the machine has no issues.
So where do I look to find answers; a short look in access_log for the 
server does not give any specific clues to what
happens, possibly because with the hard takedown of the machine the file 
is not closed properly?
Have you checked top regularly to see if you are running the machine out 
of memory?



Any suggestions ?
Georg





Re: [users@httpd] Apache make fedora go into corner

2014-12-27 Thread Dr James Smith
If you have root access you can look in /var/log and this might show up 
stuff in messages or syslog...


Sometimes Apache can leak little bits of memory with each request - 
along with other processes.


You could also write a simple cron job which does something like:

echo `date` `cat /proc/meminfo | grep Free | grep kB | cut -d : -f 2 | 
xargs` >> ~/mem-free


which will give you a log file like:

Sat Dec 27 17:01:01 GMT 2014 80908 kB 3549440 kB
Sat Dec 27 17:02:01 GMT 2014 79760 kB 3549516 kB

and so you can check that the two numbers (mem free + swap free) are not 
both getting towards 0...


On 27/12/2014 15:52, georg chambert wrote:

Hi James,
well, no, traffic hasn't been very intense, and the machine's only task 
is to be a server, the number of accesses
(at least in the log) is quite limited, some hundred at maximum, is there 
a way to check post-mortem?


- Original Message -
*From:* Dr James Smith <j...@sanger.ac.uk>
*To:* users@httpd.apache.org
*Sent:* Saturday, December 27, 2014 3:49 PM
*Subject:* Re: [users@httpd] Apache make fedora go into corner

On 27/12/2014 13:21, georg chambert wrote:

Hi, have for a bit of time had trouble with my server PC running
Fedora OS and Apache.
After some time it goes into a non-communicating mode, does not
take any input whatsoever,
hard shutdown is the only way to get out. It can be 24 hours and it
can be 14 days of running before this happens.
While if the httpd is not active the machine has no issues.
So where do I look to find answers; a short look in access_log for the
server does not give any specific clues to what
happens, possibly because with the hard takedown of the machine the
file is not closed properly?

Have you checked top regularly to see if you are running the
machine out of memory?


Any suggestions ?
Georg













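The cron-job idea above (log free memory and free swap every minute, then check after the next hard reset whether both were heading for zero) as a small script. This is an added example, not the list post's one-liner or anything from Fedora/httpd. Beyond the one-liner it reads MemAvailable when the kernel reports it (3.14 and later), since MemFree alone under-counts reclaimable page cache; flags a sample where both free memory and free swap sit below a floor; and spots a run of strictly falling samples, the shape a per-request leak leaves in the log. The sample /proc/meminfo text and the thresholds are constructed for the example.

```python
"""Memory-pressure log for a box that wedges while httpd is running.

Added example.  Run from cron (or a loop) and append the output to a file on
disk so the last lines survive a hard reset.  Exit status 1 means the host is
already out of both memory and swap, which is what a wedge looks like from
inside.
"""
import re
import sys
import time

# Constructed sample shaped like /proc/meminfo (all values in kB).
SAMPLE_MEMINFO = """\
MemTotal:        3925584 kB
MemFree:           80908 kB
MemAvailable:     812344 kB
Buffers:          120000 kB
Cached:           611436 kB
SwapTotal:       3549700 kB
SwapFree:        3549440 kB
"""

_LINE = re.compile(r"^(\w+):\s+(\d+)(?:\s+kB)?\s*$")


def parse_meminfo(text: str) -> dict:
    """/proc/meminfo text -> {field: kB}; lines that do not fit are skipped."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def free_pair(fields: dict) -> tuple:
    """(free memory kB, free swap kB).  MemAvailable is the honest number;
    fall back to MemFree on old kernels.  Swap-less hosts report 0."""
    mem = fields.get("MemAvailable", fields["MemFree"])
    return mem, fields.get("SwapFree", 0)


def log_line(fields: dict, when: float) -> str:
    """Same shape as the cron job's output: timestamp, mem free, swap free."""
    mem, swap = free_pair(fields)
    stamp = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(when))
    return f"{stamp} {mem} kB {swap} kB"


def exhausted(fields: dict, mem_floor_kb: int = 65536,
              swap_floor_kb: int = 65536) -> bool:
    """True when both numbers are below their floor (constructed defaults:
    64 MB each): the box is about to thrash or call the OOM killer."""
    mem, swap = free_pair(fields)
    return mem < mem_floor_kb and swap < swap_floor_kb


def leak_suspected(totals: list, run: int = 5) -> bool:
    """True when the last `run` samples of mem+swap free fall at every step,
    the steady drain a small per-request leak produces."""
    if len(totals) < run:
        return False
    tail = totals[-run:]
    return all(b < a for a, b in zip(tail, tail[1:]))


def read_live() -> dict:
    with open("/proc/meminfo") as f:
        return parse_meminfo(f.read())


if __name__ == "__main__":
    live = sys.platform.startswith("linux")
    fields = read_live() if live else parse_meminfo(SAMPLE_MEMINFO)
    print(log_line(fields, time.time()))
    sys.exit(1 if exhausted(fields) else 0)
```

Feed the per-line totals into leak_suspected() from a second script that tails the log; a falling run across many minutes with stable traffic points at the server processes, where MaxConnectionsPerChild (MaxRequestsPerChild in 2.2) set to a few thousand is the usual stop-gap, while a sudden drop points at a traffic burst instead.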

[users@httpd] Apache 2.4 failing to start as non-privileged user can't write to /var/lock /var/run

2014-12-17 Thread James Smith

I have just upgraded from apache 2.2 to apache 2.4 - running apache2 as (me)
a non-privileged user... as part of a development server

When I start apache I get the following errors (to screen)..

mkdir: cannot create directory '/var/run/apache2': Permission denied
chown: changing ownership of '/var/lock/apache2.SflOHVQnC2': Operation 
not permitted

mkdir: cannot create directory '/var/run/apache2': Permission denied
chown: changing ownership of '/var/lock/apache2.LDivziHYgr': Operation 
not permitted


and in the error logs...

[Wed Dec 17 15:30:56.576419 2014] [core:info] [pid 6729] AH00096: 
removed PID file /www/tmp/js5/www-dev/logs/apache2.pid (pid=6729)
[Wed Dec 17 15:30:56.576451 2014] [mpm_prefork:notice] [pid 6729] 
AH00169: caught SIGTERM, shutting down
[Wed Dec 17 15:31:00.990415 2014] [core:emerg] [pid 6790] (13)Permission 
denied: AH00023: Couldn't create the proxy mutex (file 
/var/lock/apache2/proxy.6790)
[Wed Dec 17 15:31:00.990492 2014] [proxy:crit] [pid 6790] (13)Permission 
denied: AH02478: failed to create proxy mutex


I have configured:

PidFile   ${PAGESMITH_SERVER_LOGS}/apache2.pid
Mutex   file:${APACHE_LOCK_DIR} default

where these point to directories in /www/tmp/js5, additionally 
APACHE_RUN_DIR is set to

a path in /www/tmp/js5

so don't expect Apache to be trying to write to the /var/run and 
/var/lock directories,
are there any other locations/configuration directives that I need to 
change to stop

the site writing these files...

James

