Re: [Patch] Simplifying mod_alias

2014-12-22 Thread Reindl Harald
Am 22.12.2014 um 11:15 schrieb Graham Leggett: On 21 Dec 2014, at 10:48 PM, Eric Covener wrote: I don't see how adding expression or support as necessitating, or benefiting in a meaningful way, from the deprecation / movement of the "other" directives. I am assuming the *match directives cou

Re: [Patch] Simplifying mod_alias

2014-12-22 Thread Reindl Harald
Am 22.12.2014 um 14:26 schrieb Graham Leggett: On 22 Dec 2014, at 14:53, Reindl Harald wrote: as user i will tell you something about the "without any notable problems": if you use the new directives in the main configuration and somewhere below (vhost or even .htaccess) compat

Re: [VOTE] Release Apache httpd 2.4.12 as GA

2015-01-27 Thread Reindl Harald
Am 27.01.2015 um 21:41 schrieb William A. Rowe Jr.: On Mon, 26 Jan 2015 16:43:29 -0500 Jim Jagielski wrote: I'll give the vote another 24 hours... I don't consider the UTC/logging issue enough to hold the release, unless it appears a symptom of a more serious problem, but want to give us some

[core:warn] [pid 1120] (101)Network is unreachable: AH00056: connect to listener on [::]:80

2015-03-12 Thread Reindl Harald
what's the purpose of these warnings and listening on tcp6 in an environment with a completely disabled ipv6 stack? net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 tcp6 0 0 :::80 :::* LISTEN 1120/httpd ifconfig eth0: flags=67 mtu 1500

Re: Does Apache httpd server dynamically generate just-in-time (JIT) compiled code?

2015-04-17 Thread Reindl Harald
Am 17.04.2015 um 23:29 schrieb Yue Chen: Hi, In some OS's, the network stack would compile packet filters to the native code, like the Berkeley Packet Filter (BPF) apache and packet filter are completely different things at completely different layers

Re: Version check idea

2015-04-21 Thread Reindl Harald
Am 21.04.2015 um 15:55 schrieb Jim Jagielski: For comment: What do people think about adding the capability that when httpd is started, it tries to access http://httpd.apache.org/doap.rdf to check its version number with the latest one referred to in that file and, if a newer one exists, it pri

Re: SSL/TLS best current practice

2015-05-09 Thread Reindl Harald
Am 10.05.2015 um 03:02 schrieb Noel Butler: Either way, using slackware on all my servers its trivial since the distro keeps pretty much up to date by design - unlike RH/debian and their kiddy versions who bring out new releases with 2+yo libs and other goodies, I'd just hesitate to drop them, w

Re: mod_ssl: Reading dhparams and ecparams not only from the first certificate file

2015-05-26 Thread Reindl Harald
Am 26.05.2015 um 10:33 schrieb Rainer Jung: Current mod_ssl code tries to read embedded DH and ECC parameters only from the first certificate file. Although this is documented "DH and ECDH parameters, however, are only read from the first SSLCertificateFile directive, as they are applied indepe

Re: 2.2 and 2.4 and 2.6/3.0

2015-05-28 Thread Reindl Harald
Am 28.05.2015 um 21:22 schrieb Rich Bowen: On 05/27/2015 05:38 PM, olli hauer wrote: - for long time there was no working mod_php module for 2.4, and changing to php-fpm was not for everyone a solution. In my experience, the only reason that php-fpm wasn't a solution for everyone is that

Re: [VOTE] Release Apache httpd 2.4.15 as GA

2015-06-21 Thread Reindl Harald
-1 just rebuilt my httpd rpm with the http://httpd.apache.org/dev/dist/httpd-2.4.15.tar.bz2 on my testserver and all vhosts are coming with a 404 page and nothing in the errorlog first i thought it's a https problem caused by a self signed wildcard certificate, but the same after remove the m

Re: [VOTE] Release Apache httpd 2.4.15 as GA

2015-06-21 Thread Reindl Harald
in fact RedirectMatch is *completely* broken RedirectMatch 404 ^\/something\/$ and *any* URI gets a 404 response not just with the long list from my previous post Am 21.06.2015 um 18:57 schrieb Reindl Harald: -1 just rebuilt my httpd rpm with the http://httpd.apache.org/dev/dist/httpd-2.4.15

Re: [VOTE] Release Apache httpd 2.4.15 as GA

2015-06-21 Thread Reindl Harald
d outside rpmbuild to get a comparable setup On Jun 21, 2015 12:53 PM, "Reindl Harald" mailto:h.rei...@thelounge.net>> wrote: in fact RedirectMatch is *completely* broken RedirectMatch 404 ^\/something\/$ and *any* URI gets a 404 response not just with the long list

Re: [VOTE] Release Apache httpd 2.4.15 as GA

2015-06-21 Thread Reindl Harald
URL the configuration is no longer reusable on different machines On Sun, Jun 21, 2015 at 7:52 PM, Reindl Harald wrote: in fact RedirectMatch is *completely* broken RedirectMatch 404 ^\/something\/$ and *any* URI gets a 404 response not just with the long list from my previous post Am 21

Re: [VOTE] Release Apache httpd 2.4.15 as GA

2015-06-21 Thread Reindl Harald
Am 21.06.2015 um 21:28 schrieb Yann Ylavic: On Sun, Jun 21, 2015 at 9:04 PM, Reindl Harald wrote: Am 21.06.2015 um 21:00 schrieb William A Rowe Jr: Reindl, Try reverting http://svn.apache.org/viewvc?view=revision&revision=1663259 and see if this resolves your observed defect. could

Re: [VOTE] Release Apache httpd 2.4.15 as GA

2015-06-21 Thread Reindl Harald
Am 21.06.2015 um 22:05 schrieb Yann Ylavic: On Sun, Jun 21, 2015 at 9:37 PM, Reindl Harald wrote: Am 21.06.2015 um 21:28 schrieb Yann Ylavic: On Sun, Jun 21, 2015 at 9:04 PM, Reindl Harald wrote: Am 21.06.2015 um 21:00 schrieb William A Rowe Jr: Reindl, Try reverting http

Re: [VOTE] Release Apache httpd 2.4.16 as GA

2015-07-12 Thread Reindl Harald
Am 10.07.2015 um 22:33 schrieb Jim Jagielski: The pre-release test tarballs for Apache httpd 2.4.16 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.16 GA. [ ] +1: Good to go [ ] +0: meh [ ] -1: Danger Will Ro

Re: The show goes on - 2.4.16

2015-07-16 Thread Reindl Harald
Am 16.07.2015 um 15:03 schrieb Michael Felt: First little thing I ran into - that I did not have with 2.4.12 is this: root@x065:[/data/prj/apache/httpd/test]/opt/httpd/sbin/apachectl start AH00534: httpd: Configuration error: More than one MPM loaded. Granted, I should perhaps change to pre-fo

Re: Force Apache server to use a same TCP sequence number for each TCP connection

2015-09-05 Thread Reindl Harald
Am 05.09.2015 um 19:32 schrieb Seyyed Hesamoddin Ghasemi: How can force Apache server to use a constant value sequence number in all the sessions? Is this possible? I'm an Msc computer engineering student and I need to do this in one of the steps of my thesis implementations. I would be happy to

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-06 Thread Reindl Harald
Am 06.09.2015 um 15:06 schrieb Kaspar Brand: Taking into account that OCSP responders from the big players are running on fairly robust infrastructure these days (cf. the sr.symcd.com example, aka ocsp.verisign.net, aka ocsp.ws.symantec.com.edgekey.net), I'm not buying the "OCSP is unreliable"

SSLUseStapling: ssl handshake fails until httpd restart

2015-09-29 Thread Reindl Harald
is that by intention? firefox refused to open our adminpanel with the error below until i restarted httpd - i suggest the server should retry SSLUseStapling when a new client connects and it has failed for whatever reason SSLUseStapling On An error occurred during a connection to ***:844

Re: SSLUseStapling: ssl handshake fails until httpd restart

2015-09-29 Thread Reindl Harald
Am 29.09.2015 um 10:20 schrieb Reindl Harald: is that by intention? firefox refused to open our adminpanel with the error below until i restarted httpd - i suggest the server should retry SSLUseStapling when a new client connects and it has failed for whatever reason SSLUseStapling On An

Re: SSLUseStapling: ssl handshake fails until httpd restart

2015-09-29 Thread Reindl Harald
Am 29.09.2015 um 17:31 schrieb Jeff Trawick: On 09/29/2015 04:20 AM, Reindl Harald wrote: is that by intention? The default timeout before retrying an error seems to be 10 minutes (see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingerrorcachetimeout), which is pretty excessive

Re: SSLUseStapling: ssl handshake fails until httpd restart

2015-10-01 Thread Reindl Harald
Am 30.09.2015 um 08:42 schrieb Kaspar Brand: On 29.09.2015 18:24, Reindl Harald wrote: i just restarted the servers and disabled stapling since all our services were unreachable (before i write the second mail 5 different hosts with several sites were affected) in fact the error caching

Re: SSLUseStapling: ssl handshake fails until httpd restart

2015-10-01 Thread Reindl Harald
Am 01.10.2015 um 14:53 schrieb Plüm, Rüdiger, Vodafone Group: -Ursprüngliche Nachricht- Von: Reindl Harald [mailto:h.rei...@thelounge.net] The default for SSLStaplingReturnResponderErrors is relatively odd. Not sure why it has always defaulted to "on" (r829619), but setting

Re: SSLUseStapling: ssl handshake fails until httpd restart

2015-10-01 Thread Reindl Harald
Am 01.10.2015 um 15:08 schrieb Reindl Harald: Am 01.10.2015 um 14:53 schrieb Plüm, Rüdiger, Vodafone Group: not really, i had the error message just now again in FF, the difference was that now a "try again" loaded the page but with "SSLStaplingReturnResponderErrors&quo

Re: SSLUseStapling: ssl handshake fails until httpd restart

2015-10-01 Thread Reindl Harald
Am 01.10.2015 um 16:29 schrieb Plüm, Rüdiger, Vodafone Group: -Ursprüngliche Nachricht- Von: Reindl Harald [mailto:h.rei...@thelounge.net] Gesendet: Donnerstag, 1. Oktober 2015 15:18 An: dev@httpd.apache.org Betreff: Re: SSLUseStapling: ssl handshake fails until httpd restart Am

Re: SSLUseStapling: ssl handshake fails until httpd restart

2015-10-03 Thread Reindl Harald
Am 03.10.2015 um 11:16 schrieb Kaspar Brand: On 01.10.2015 16:32, Reindl Harald wrote: Am 01.10.2015 um 16:29 schrieb Plüm, Rüdiger, Vodafone Group: The question is: What happens on Firefox side. Of course it still tries to get to the OCSP server, but it should not cause an error on Firefox

Re: [VOTE] Release Apache httpd 2.4.17 as GA

2015-10-11 Thread Reindl Harald
Am 09.10.2015 um 19:40 schrieb Jim Jagielski: The pre-release test tarballs for Apache httpd 2.4.17 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA. [ ] +1: Good to go [ ] +0: meh [ ] -1: Danger Will Ro

Re: [VOTE] Release Apache httpd 2.4.17 as GA

2015-10-11 Thread Reindl Harald
Am 11.10.2015 um 20:51 schrieb Yann Ylavic: On Sun, Oct 11, 2015 at 8:45 PM, Reindl Harald wrote: Am 09.10.2015 um 19:40 schrieb Jim Jagielski: The pre-release test tarballs for Apache httpd 2.4.17 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm call

Re: [VOTE] Release Apache httpd 2.4.17 as GA

2015-10-11 Thread Reindl Harald
Am 11.10.2015 um 21:07 schrieb Yann Ylavic: On Sun, Oct 11, 2015 at 8:59 PM, Reindl Harald wrote: Google only showed discussions, Bugzilla and so on and finding the new directive is hard - maybe the hint should made it into the changelog for GA release Yes you're right, I should

Re: [VOTE] Release Apache httpd 2.4.17 as GA

2015-10-11 Thread Reindl Harald
Am 11.10.2015 um 21:25 schrieb Yann Ylavic: On Sun, Oct 11, 2015 at 9:14 PM, Reindl Harald wrote: "ab -c 100 -n 5 http://small-image.gif" did not make me that happy after a short test on a quadcore machine, after some time httpd stopped to respond for a tiny static image

Re: H2 compatible ciphers

2015-10-17 Thread Reindl Harald
Am 17.10.2015 um 11:18 schrieb Kaspar Brand: Another - quite radical - approach would consist of using a whitelist, which consists of a single cipher suite only: given that section 9.2 of RFC 7540 states "Implementations of HTTP/2 MUST use TLS version 1.2" and section 9.2.2 further says "dep

Re: [VOTE] Release Apache httpd 2.4.17 as GA

2015-11-11 Thread Reindl Harald
Am 11.10.2015 um 22:06 schrieb Rainer Jung: Am 11.10.2015 um 21:14 schrieb Reindl Harald: Am 11.10.2015 um 21:07 schrieb Yann Ylavic: On Sun, Oct 11, 2015 at 8:59 PM, Reindl Harald wrote: Google only showed discussions, Bugzilla and so on and finding the new directive is hard - maybe

Re: 2.4.18?

2015-11-17 Thread Reindl Harald
Am 17.11.2015 um 13:27 schrieb Noel Butler: On 17/11/2015 18:02, Stefan Eissing wrote: Am 17.11.2015 um 08:13 schrieb Noel Butler : On 17/11/2015 03:05, Jim Jagielski wrote: My plan is to T&R 2.4.18 sometime next week in hopes of a formal release the beginning of Dec. ??? We only had 2.4.1

Re: 2.4.18?

2015-11-18 Thread Reindl Harald
Am 18.11.2015 um 08:16 schrieb Noel Butler: On 17/11/2015 22:33, Reindl Harald wrote: 5 or 6 bloody weeks is a month - so what's the problem? any other software but httpd is allowed to have monthly updates? "I can accept" - seriously - you can just ignore a release when you

Re: 2.4.18?

2015-11-18 Thread Reindl Harald
Am 18.11.2015 um 08:11 schrieb Noel Butler: On 17/11/2015 22:31, Graham Leggett wrote: We’ve just released HTTP/2 support for the very first time. People want to use it, people want to see problems in it fixed. I don’t see the number of releases as excessive at all. You obviously dont manage

Re: Broken 2.4 ./configure

2015-12-02 Thread Reindl Harald
Am 02.12.2015 um 21:53 schrieb William A Rowe Jr: It seems nghttp2 1.2.1 is no longer supported? If we are missing an #include, let's fix, and if we want to drop support, that's fine too, but ./configure needs to reject the invalid version of nghttp2. This is the version shipping on FC22... n

Re: [VOTE] Release Apache httpd 2.4.18 as GA

2015-12-09 Thread Reindl Harald
Am 08.12.2015 um 21:38 schrieb Jim Jagielski: The pre-release test tarballs for Apache httpd 2.4.18 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.18 GA. [ ] +1: Good to go [ ] +0: meh [ ] -1: Danger Will R

Re: 256-bits cipher for HTTP/2 with Chrome

2016-01-15 Thread Reindl Harald
Am 15.01.2016 um 12:00 schrieb Jan Ehrhardt: No question or issue, just a quick note. On Apachelounge Mario Brandt (aka James Bond) once asked the question: "Is there any chance to have a 256 cipher instead of ECDHE-RSA-AES128-GCM-SHA256?" It turns out, that there is a 256-bits cipher which w

Re: httpd + systemd

2016-02-26 Thread Reindl Harald
Am 26.02.2016 um 10:57 schrieb Graham Leggett: Hi all, I am trying to come up with a vanilla systemd unit file so that our RPM packaging contains a sensible startup on systemd environments, but I’m struggling. With the unit file below the “systemctl restart httpd” command hangs. Usually th

BufferedLogs and docs

2016-02-26 Thread Reindl Harald
http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#bufferedlogs Context: server config is that a documentation error or an error in the module that "BufferedLogs Off" inside a vhost is accepted the config below at least gives no error and it's unclear if it disables the BufferedLogs from

Re: BufferedLogs and docs

2016-02-26 Thread Reindl Harald
Am 26.02.2016 um 15:01 schrieb Reindl Harald: http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#bufferedlogs Context: server config is that a documentation error or an error in the module that "BufferedLogs Off" inside a vhost is accepted the config below at least gives no

Re: httpd + systemd

2016-02-26 Thread Reindl Harald
Am 26.02.2016 um 17:11 schrieb Tim Bannister: On 26 February 2016, Reindl Harald wrote: in case of a SIGTERM the daemon is supposed to do a clean shutdown anyways [Service] Type=simple EnvironmentFile=-/etc/sysconfig/httpd ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND ExecReload=/usr

Re: access control for dynamic hosts

2016-02-29 Thread Reindl Harald
Am 29.02.2016 um 07:16 schrieb fab...@apache.org: Maybe the reverse dns is working on your test address? I checked it and yes it does work that way. I never knew it did. Indeed. This feature makes sense because it allows to allow a full domain, say "apache.org", any host of which the inver

Re: [VOTE] Release Apache httpd 2.4.19 as GA

2016-03-22 Thread Reindl Harald
Am 22.03.2016 um 20:55 schrieb William A Rowe Jr: Can anyone get mod_lbmethod_rr.c to build? my Fedora 23 rpm-spec builds without any issue or change - most modules external sub-packages and typically used ones static [root@srv-rhsoft:~]$ /bin/ls -1 /fileserver/yum-repo/fc23/x86_64/ | grep

Re: [VOTE] Release Apache httpd 2.4.19 as GA

2016-03-22 Thread Reindl Harald
Am 22.03.2016 um 20:59 schrieb William A Rowe Jr: On Tue, Mar 22, 2016 at 2:58 PM, Reindl Harald mailto:h.rei...@thelounge.net>> wrote: Am 22.03.2016 um 20:55 schrieb William A Rowe Jr: Can anyone get mod_lbmethod_rr.c to build? my Fedora 23 rpm-spec builds witho

Re: Status for 2.4.20

2016-03-25 Thread Reindl Harald
Am 26.03.2016 um 04:13 schrieb Noel Butler: On 25/03/2016 19:52, Graham Leggett wrote: On 23 Mar 2016, at 1:58 PM, Noel Butler wrote: as stated previously, this shit will happen when certain people push with a release often mentality AFAIK there is *ZERO* critical exploit bugs to be patched

Re: Status for 2.4.20

2016-03-26 Thread Reindl Harald
Am 26.03.2016 um 04:44 schrieb Noel Butler: On 26/03/2016 13:32, Reindl Harald wrote: Am 26.03.2016 um 04:13 schrieb Noel Butler: On 25/03/2016 19:52, Graham Leggett wrote: On 23 Mar 2016, at 1:58 PM, Noel Butler wrote: as stated previously, this shit will happen when certain people push

Re: Status for 2.4.20

2016-03-29 Thread Reindl Harald
Am 29.03.2016 um 09:37 schrieb Noel Butler: On 29/03/2016 01:06, William A Rowe Jr wrote: @Everyone on this thread - keep it civil. On Fri, Mar 25, 2016 at 10:13 PM, Noel Butler mailto:noel.but...@ausics.net>> wrote: On 25/03/2016 19:52, Graham Leggett wrote: On 23 Mar 2016, at 1:

Re: [VOTE] Release Apache httpd 2.4.20 as GA

2016-04-06 Thread Reindl Harald
Am 04.04.2016 um 18:20 schrieb Jim Jagielski: The pre-release test tarballs for Apache httpd 2.4.20 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.20 GA. [ ] +1: Good to go [ ] +0: meh [ ] -1: Danger Will Ro

Re: [VOTE] Release Apache httpd 2.4.22 as GA

2016-06-20 Thread Reindl Harald
Am 20.06.2016 um 15:20 schrieb Jim Jagielski: The pre-release test tarballs for Apache httpd 2.4.22 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.22 GA. [x] +1: Good to go [ ] +0: meh [ ] -1: Danger Will R

Re: Apache Benchmark SNI SSL

2016-06-30 Thread Reindl Harald
Am 30.06.2016 um 20:55 schrieb Yann Ylavic: On Thu, Jun 30, 2016 at 7:21 PM, Pietro Paolini wrote: I have built the httpd-2-.4.20 tarball but the problem is still there, has it been fixed in newer version ? is there a workaround for that ? SNI handling just added to ab in http://svn.apache

Re: Apache Benchmark SNI SSL

2016-07-01 Thread Reindl Harald
Am 01.07.2016 um 14:41 schrieb Yann Ylavic: On Fri, Jul 1, 2016 at 1:44 PM, Pietro Paolini wrote: On 1 July 2016 at 11:18, Pietro Paolini wrote: Is it correct ? It does not look good to me. -while ((status = apr_getopt(opt, "n:c:t:s:b:T:p:u:v:lrkVhwix:y:z:C:H:P:A:g:X:de:SqB:m:" +

Re: Apache Benchmark SNI SSL

2016-07-01 Thread Reindl Harald
Am 01.07.2016 um 15:23 schrieb Yann Ylavic: On Fri, Jul 1, 2016 at 3:17 PM, Yann Ylavic wrote: On Fri, Jul 1, 2016 at 3:02 PM, Reindl Harald wrote: Am 01.07.2016 um 14:41 schrieb Yann Ylavic: The -I does not take any argument, it tells ab to use either the -H "Host: ..." if a

Re: [users@httpd] rpmbuild for httpd-2.4.23 failed missing mod_proxy_fdpass.so

2016-07-17 Thread Reindl Harald
Am 17.07.2016 um 12:49 schrieb William A Rowe Jr: This is a dev@ level regression, sharing with that list. Please confirm you are using httpd's own rpm. If not, the specific --enable-modules provided for your rpm.spec file may be at issue. confirmed also here with the latest release, i just c

Re: [PATCH] Introducing mod_brotli

2016-09-16 Thread Reindl Harald
Am 16.09.2016 um 14:59 schrieb Stefan Eissing: Sweet! Am 16.09.2016 um 14:32 schrieb Evgeny Kotkov : Hi all, This patch adds a module for dynamic Brotli (RFC 7932) compression in httpd. The new compression format is supported by Mozilla Firefox since 44.0 and by Google Chrome since 50.0 [1

Re: [PATCH] Introducing mod_brotli

2016-09-19 Thread Reindl Harald
Am 19.09.2016 um 16:14 schrieb Evgeny Kotkov: Eric Covener writes: Wow! This is great stuff. Brotli support has been in my TODO queue for awhile. Thanks! +1, cool stuff and thanks! Glad to hear that, thanks everyone. I would be happy to continue the work on this module, for instance, b

Re: [PATCH] Introducing mod_brotli

2016-09-19 Thread Reindl Harald
Am 19.09.2016 um 19:56 schrieb Jacob Champion: On 09/19/2016 10:12 AM, Eric Covener wrote: I would prefer to keep them separate even if we have to teach something to coordinate them (a module, some new support in mod_filter, some kind of hook?) +1. (If it proves difficult to make separate c

how to build httpd with profile-guided-optimization?

2016-10-11 Thread Reindl Harald
https://en.wikipedia.org/wiki/Profile-guided_optimization for PHP it's easy because the makefiles support it directly make %{?_smp_mflags} prof-gen /usr/bin/bash /rpmbuild/PHP-PGO/profile.sh --php_build $PWD make prof-clean make %{?_smp_mflags} prof-use __

Re: how to build httpd with profile-guided-optimization?

2016-10-11 Thread Reindl Harald
ore you can use this option, you must first generate profiling information. See Optimize Options, for information about the -fprofile-generate option. Am 11.10.2016 um 13:32 schrieb Reindl Harald: https://en.wikipedia.org/wiki/Profile-guided_optimization for PHP it's easy because the make

Re: PCRE 10 and puzzling edge cases

2016-12-12 Thread Reindl Harald
Am 12.12.2016 um 10:52 schrieb Petr Pisar: I made sure I have installed all Perl modules I found relevant, but I was unable to run the tests against SVN httpd sources. I played with LD_LIBRARY_PATH, apxs etc. but without any good result. At the end I reconfigured httpd sources and installed the

Re: [VOTE] Release Apache httpd 2.4.25 as GA

2016-12-17 Thread Reindl Harald
Am 16.12.2016 um 19:29 schrieb Jim Jagielski: At long, long last, the pre-release test tarballs for Apache httpd version 2.4.25 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.25 GA. [x] +1: Good to go [ ] +0

Re: Post 2.4.25

2016-12-29 Thread Reindl Harald
Am 29.12.2016 um 07:08 schrieb William A Rowe Jr: (Again, it's gmail, /shrug. I can attempt to undecorate but doubt I'm moving to a local client/mail store again. If anyone has good gmail formatting tips for their default settings, I'd love a pointer.) yes, setup thunderbird and gmail with IM

--enable-mods-shared don't work

2016-12-30 Thread Reindl Harald
what is the purpose of -enable-mods-shared=MODULE-LIST Space-separated list of shared modules to enable when --enable-mods-shared="cgi dav dav_fs dav_lock ext_filter http2 info mime_magic negotiation proxy proxy_fcgi proxy_http ssl status substitute" \ --enable-mods-static="alias allowmethods a

Re: --enable-mods-shared don't work

2016-12-30 Thread Reindl Harald
f socache_shmcb unique_id unixd version" \ Am 30.12.2016 um 14:51 schrieb Reindl Harald: what is the purpose of -enable-mods-shared=MODULE-LIST Space-separated list of shared modules to enable when --enable-mods-shared="cgi dav dav_fs dav_lock ext_filter http2 info mime_magic

Re: --enable-mods-shared don't work

2016-12-30 Thread Reindl Harald
/lib64/httpd/modules/mod_proxy_fdpass.so /usr/lib64/httpd/modules/mod_proxy_ftp.so /usr/lib64/httpd/modules/mod_proxy_scgi.so /usr/lib64/httpd/modules/mod_proxy_wstunnel.so Am 30.12.2016 um 15:00 schrieb Reindl Harald: and --enable-modules= don't work too none of the 3 options mentions "d

Re: --enable-mods-shared don't work

2016-12-30 Thread Reindl Harald
Am 30.12.2016 um 15:06 schrieb Yann Ylavic: On Fri, Dec 30, 2016 at 3:00 PM, Reindl Harald wrote: and --enable-modules= don't work too Doesn't setting --enable-modules=none first help? see my last post - only partially normally when i list explicit "this modules sh

how make backend applications aware about tls-offloading

2017-01-07 Thread Reindl Harald
* Apache Trafficserver in front * ATS configured for TLS-offloading * connection to backend-httpd on the LAN unencrypted * mod_remoteip correctly configured on backend httpd is there any way to make the backend php application aware that in fact $_SERVER['HTTPS'] and $_SERVER['REQUEST_SCHEME'] s

Re: how make backend applications aware about tls-offloading

2017-01-07 Thread Reindl Harald
entirely when don't have any clue - On Jan 7, 2017, at 3:30 AM, Reindl Harald h.rei...@thelounge.net wrote: * Apache Trafficserver in front * ATS configured for TLS-offloading * connection to backend-httpd on the LAN unencrypted * mod_remoteip correctly configured on backend http

Re: how make backend applications aware about tls-offloading

2017-01-07 Thread Reindl Harald
Am 07.01.2017 um 22:53 schrieb Yann Ylavic: On Sat, Jan 7, 2017 at 9:30 AM, Reindl Harald wrote: something like below where "X-TLS-Offloading" is only evaluated from "RemoteIPInternalProxy" physical addresses RemoteIPHeader X-Forwarded-For RemoteTLSHeader

Re: how make backend applications aware about tls-offloading

2017-01-07 Thread Reindl Harald
Am 07.01.2017 um 23:53 schrieb Yann Ylavic: On Sat, Jan 7, 2017 at 11:25 PM, Reindl Harald wrote: Am 07.01.2017 um 22:53 schrieb Yann Ylavic: Wouldn't something like this work? RewriteRule on RewriteCond %{ENV:remoteip-proxy-ip-list} . RewriteCond %{HTTP:X-TLS-Offloading}

Re: how make backend applications aware about tls-offloading

2017-01-07 Thread Reindl Harald
Am 08.01.2017 um 00:31 schrieb Yann Ylavic: On Sun, Jan 8, 2017 at 12:22 AM, Reindl Harald wrote: ok, so we need to continue the code below and set the option in every tls-offloaded application - intention of this thread was maybe get this transparent which seems not to be possible It is

Re: how make backend applications aware about tls-offloading

2017-01-08 Thread Reindl Harald
ith a different proxy c) change this in your application when there is something you can detect in the application code when proxy / backend play in a more or less defined way together other proxies and backend servers could follow Am 07.01.2017 um 09:30 schrieb Reindl Harald : * Apache Trafficserver

Re: [proposed] 2.4 Maintenance SIG

2017-01-19 Thread Reindl Harald
Am 19.01.2017 um 08:22 schrieb Stefan Eissing: Distros seem to have realized the problem long ago and make their own httpd versions. First time I realized my "httpd 2.4.7" is not the 2.4.7 release was a WTF moment. no, that applies to LTS distros and in that case of nearly any piece of sof

Re: Reset out x.minor.z definition of 'minor' at httpd?

2017-01-19 Thread Reindl Harald
Am 19.01.2017 um 22:43 schrieb William A Rowe Jr: I think one of our disconnects with 2.4 -> 2.6 is that in any other framework, there would be no ABI breakage in 2.6. That breakage would be deferred to and shipped as 3.0 every PHP version in the past decade (5.3, 5.4, 5.6, 7.0, 7.1, 7.2) is

Re: [proposed] 2.4 Maintenance SIG

2017-01-24 Thread Reindl Harald
Am 23.01.2017 um 02:52 schrieb Noel Butler: Perhaps the only person who won't bend over and take it up the arse like some people here expect, if I have an opinion, i'll voice it no, you are just a hypocrite trying to forbid others voice their opinion in their way but not follow your own rules

Re: URL scanning by bots

2013-04-30 Thread Reindl Harald
Am 30.04.2013 12:03, schrieb André Warnier: > As a general idea thus, anything which impacts the delay to obtain a 404 > response, should > impact these bots much more than it impacts legitimate users/clients. > > How much ? > > Let us imagine for a moment that this suggestion is implemented in

Re: URL scanning by bots

2013-04-30 Thread Reindl Harald
Am 30.04.2013 20:38, schrieb Ben Laurie: > On 30 April 2013 11:14, Reindl Harald wrote: >> no - this idea is very very bad and if you ever saw a >> DDOS-attack from 10 thousands of ip-addresses on a >> machine you maintain you would not consider anything >> which mak

Re: URL scanning by bots

2013-05-01 Thread Reindl Harald
Am 01.05.2013 11:37, schrieb Ben Laurie: >> Well, no, actually this is not accurate. You are assuming that these >> bots are written using blocking io semantics; that if a bot is delayed >> by 2 seconds when getting a 404 from your server, it is not able to do >> anything else in those 2 seconds.

Re: URL scanning by bots

2013-05-01 Thread Reindl Harald
Am 01.05.2013 13:14, schrieb Ben Laurie: > The fact you cannot explain the evidence does not invalidate the evidence what evidence has this thread? the whole idea of slow down 404 responses is broken and must never be default on any setup nor should it be implemented at all - period signat

Re: URL scanning by bots

2013-05-01 Thread Reindl Harald
Am 01.05.2013 13:51, schrieb André Warnier: > There is so far one possible pitfall, which was identified by someone earlier > on this list : the fact that delaying > 404 responses might have a bad effect on some particular kind of usage by > legitimate clients/users. So far, I > believe that s

Re: URL scanning by bots

2013-05-01 Thread Reindl Harald
Am 01.05.2013 14:00, schrieb Reindl Harald: > here you have something to read and learn that more and more attacks > are done this way by exhausting resources without high bandwidth and > THIS are the real problems server-admins have to fight and not the noise > you see on you

Re: URL scanning by bots

2013-05-01 Thread Reindl Harald
Am 01.05.2013 14:09, schrieb Marian Marinov: > On 05/01/2013 03:00 PM, Reindl Harald wrote: >> and YES making DOS-attacks easier is treated as security risk by any >> professional auditor and there where i work "threat middle" means >> "fix it or shut down

Re: URL scanning by bots

2013-05-02 Thread Reindl Harald
Am 02.05.2013 10:22, schrieb André Warnier: > These tools must be downloaded separately, installed, configured and > maintained, all by > someone who knows what he's doing. And this means that, in the end (and as > the evidence > shows), only a tiny minority of webservers on the Internet will

Re: URL scanning by bots

2013-05-03 Thread Reindl Harald
Am 03.05.2013 06:35, schrieb Ben Reser: > On Thu, May 2, 2013 at 4:53 PM, Guenter Knauf wrote: >> isnt that one of the core issues - that folks who dont know what they do run >> a webserver? And then, shouldnt these get punished with being hacked so that >> they try to learn and finally *know* wha

Re: URL scanning by bots

2013-05-03 Thread Reindl Harald
Am 03.05.2013 11:38, schrieb André Warnier: > I agree that 404's are legitimate responses. > And I agree that legitimate clients/users can expect to receive them. > But if they do receive them when appropriate, but receive them slower than > other kinds of responses, this is not > really "breaki

Fwd: [mod-security-users] Fwd: Availability of ModSecurity 2.7.3 > mod_remoteip :-(

2013-05-05 Thread Reindl Harald
May 2013 00:48:40 +0200 Von: Reindl Harald An: Mod Security well, this would be a workaround but better than nothing the right solution would be to check how "%a" and "%h" in the httpd-source for logging are specified because as httpd-upstream says "It is also up to t

Re: New SecRemoteAddrDefine (httpd-dev CCed)

2013-05-06 Thread Reindl Harald
Breno Silva: > Let's try this patch. Should work for Apache 2.4 + mod_remoteip and > Apache2.2 with the SecDefineRemoteAddr > > On Mon, May 6, 2013 at 9:19 AM, Reindl Harald <mailto:h.rei...@thelounge.net>> wrote: > > why do you refuse to understand that we

Re: New SecRemoteAddrDefine (httpd-dev CCed)

2013-05-06 Thread Reindl Harald
May 6, 2013 at 10:02 AM, Reindl Harald <mailto:h.rei...@thelounge.net>> wrote: > > thank you, this works exactly as expected with Apache 2.4 and > mod_remoteip / mod_security, how i tested is explained at bottom > > PLEASE revisit the mod_security 2.7

Re: New SecRemoteAddrDefine (httpd-dev CCed)

2013-05-06 Thread Reindl Harald
es more harm as it helps because the overall behavior gets unpredictable however, please do not forget revisit "Fixed mod_security displaying wrong ip address in error.log using apache 2.4" from modsec 2.7.2! > On Mon, May 6, 2013 at 10:08 AM, Reindl Harald <mailto:h.rei...@

Re: New SecRemoteAddrDefine (httpd-dev CCed)

2013-05-06 Thread Reindl Harald
his is a really sensitive place and mistakes can do a lot of harm > On Mon, May 6, 2013 at 10:17 AM, Reindl Harald <mailto:h.rei...@thelounge.net>> wrote: > > > Am 06.05.2013 15:11, schrieb Breno Silva: > > Yes.. but we cannot assume all users is doing it r

mod_ratelimit design mistake

2013-05-10 Thread Reindl Harald
https://httpd.apache.org/docs/trunk/mod/mod_ratelimit.html > Provides a filter named RATE_LIMIT to limit client bandwidth. > The connection speed to be simulated is specified, in KiB/s compared with external "mod_bw.so" IMHO this is a design mistake * saying i have several virtual hosts * my line

Re: mod_ratelimit design mistake

2013-05-10 Thread Reindl Harald
Am 10.05.2013 22:38, schrieb Eric Covener: > On Fri, May 10, 2013 at 4:11 PM, Reindl Harald wrote: >> https://httpd.apache.org/docs/trunk/mod/mod_ratelimit.html >>> Provides a filter named RATE_LIMIT to limit client bandwidth. >>> The connection speed to be simul

Re: DOS-Protection: RequestReadTimeout-like option missing

2013-05-11 Thread Reindl Harald
_activity_timeout_in INT 60 [harry@srv-rhsoft:~/Desktop]$ ./http-timeout.php proxy proxy test with request: 60 seconds test without request: 3 seconds _ [harry@srv-rhsoft:~/Desktop]$ cat http-timeout.php #!/usr/bin/php Am 11.05.2013 15:08, schr

Re: DOS-Protection: RequestReadTimeout-like option missing

2013-05-11 Thread Reindl Harald
Am 11.05.2013 19:49, schrieb Eric Covener: >> localhost >> test with request: 10 seconds >> test without request: 41 seconds > > As the manual says: > > When an AcceptFilter is in use (usually the case on Linux and > FreeBSD), the socket is not sent to the server process before at least > one by

Re: DOS-Protection: RequestReadTimeout-like option missing

2013-05-11 Thread Reindl Harald
Am 11.05.2013 20:26, schrieb Eric Covener: >> "CONFIG proxy.config.net.defer_accept INT 1" of Trafficserver >> is a damned good idea in such cases - in real life it takes >> never longer than 1 second and even if - it's configureable > > Seems to have started that way: > > https://issues.apache.

Re: DOS-Protection: RequestReadTimeout-like option missing

2013-05-11 Thread Reindl Harald
Am 11.05.2013 21:14, schrieb Stefan Fritsch: > On Saturday 11 May 2013, Reindl Harald wrote: >> https://issues.apache.org/bugzilla/show_bug.cgi?id=41270 is most >> likely unrelated to the problem i see, but nobody and nothing >> needs 30 seconds to complete a TCP conn

Re: DOS-Protection: RequestReadTimeout-like option missing

2013-05-11 Thread Reindl Harald
Am 11.05.2013 21:22, schrieb Reindl Harald: > Am 11.05.2013 21:14, schrieb Stefan Fritsch: >> On Saturday 11 May 2013, Reindl Harald wrote: >>> https://issues.apache.org/bugzilla/show_bug.cgi?id=41270 is most >>> likely unrelated to the problem i see, but nobody and n

Re: DOS-Protection: RequestReadTimeout-like option missing

2013-05-23 Thread Reindl Harald
Am 23.05.2013 15:14, schrieb Dirk-Willem van Gulik: > On 11 May 2013, at 20:26, Reindl Harald wrote: > >> after the connection is established and in case of connect >> you have already passed the TCP transmissions and kernel >> settings like >> >> net.

Re: unsubscribe

2013-05-30 Thread Reindl Harald
do it yourself like on any other mailing-list mail-headers are your friend list-unsubscribe: Am 30.05.2013 18:47, schrieb RONALD FARRIER: > Please unsubscribe > > On May 30, 2013, at 11:23 AM, "Richard Genthner" > wrote:
