Re: [users@httpd] Removing single question mark?

2024-06-20 Thread Eric Covener 
On Thu, Jun 20, 2024 at 7:08 PM Dave Wreski
 wrote:

> Hi, I should add that I wrote the following to remove an errant question
> mark from the end of another URL, but it doesn't appear to work for the
> homepage.
>
> RewriteCond %{THE_REQUEST} /features\? [NC]
>
RewriteRule ^ %{REQUEST_URI} [L,R=302,NE,QSD]
>

I think %{THE_REQUEST} is the way to go. But what do you mean about "the
homepage" and how does it relate to /features in your regex?
Maybe you want something closer to this for a request with a trailing ?
and no actual query:
RewriteCond %{THE_REQUEST} "? HTTP/" [NC]

If it doesn't work, post rewrite:trace8 output.

Re: [users@httpd] Removing single question mark?

2024-06-20 Thread Dave Wreski 
Hi, I should add that I wrote the following to remove an errant question 
mark from the end of another URL, but it doesn't appear to work for the 
homepage.


RewriteCond %{THE_REQUEST} /features\? [NC]
RewriteRule ^ %{REQUEST_URI} [L,R=302,NE,QSD]

Thanks,
Dave

On 6/20/24 7:01 PM, Dave Wreski wrote:


Hi,

I have another challenging rewrite rule request, please. I'm trying to 
remove a single question mark from a URL:


https://example.com/?

I've tried the following:

RewriteRule ^/\?$ / [L,R=301,QSD]
RewriteRule ^/\? /? [L,R=301]

RewriteCond %{REQUEST_URI} ^$
RewriteRule ^ /? [L,R=301,QSD]

But it seems to ignore all of them. Ideas greatly appreciated.

Thanks,
Dave



--

Profile Photo



Dave Wreski

Chief Executive Officer



Guardian Digital Logo 

*We Make Email Safe For Business*



Guardian Digital Facebook  Guardian 
Digital Twitter  Guardian Digital Linkedin 



Phone Icon 



(640)-800-9446 



Email Security

Web Icon 



www.guardiandigital.com 



Sender Fraud Protection

Email Icon 



dwre...@guardiandigital.com



Training & Awareness

Location Icon 



103 Godwin Ave, Suite 314, Midland Park, NJ 07432

[users@httpd] Removing single question mark?

2024-06-20 Thread Dave Wreski 

Hi,

I have another challenging rewrite rule request, please. I'm trying to 
remove a single question mark from a URL:


https://example.com/?

I've tried the following:

RewriteRule ^/\?$ / [L,R=301,QSD]
RewriteRule ^/\? /? [L,R=301]

RewriteCond %{REQUEST_URI} ^$
RewriteRule ^ /? [L,R=301,QSD]

But it seems to ignore all of them. Ideas greatly appreciated.

Thanks,
Dave

[users@httpd] output buffer php ProxySet

2024-06-20 Thread Marc 
I am experimenting a bit with output buffering with php-fpm[1]. In my default 
setup I can't get this to work. Currently I am only getting this to work when I 
add this to my virtualhost config:


ProxySet enablereuse=on flushpackets=on


I assume this will impact the rest of the website. Is there a way to limit this 
to a directory or file? I prefer to have this done in a .htaccess file because 
I am not sure if I will be able to access httpd conf files.




[1]
header( 'Content-type: text/html; charset=utf-8' );
echo 'Begin ...';
for( $i = 0 ; $i < 10 ; $i++ )
{
echo $i . '';
flush();
ob_flush();
sleep(1);
}
echo 'End ...';
?>

Re: [users@httpd] Authentication in Location blocks for reverse proxy seems to take precedence in routes

2024-06-14 Thread M Foster 
Ah, that works! Great suggestion. I've never encountered this behavior
before because previous iterations had the backends for each ProxyPass
directive pointing to the same (Docker) host.

Thank you so much!

On Fri, Jun 14, 2024 at 12:25 PM Daniel Gruno  wrote:

> On 6/14/24 12:41, M Foster wrote:
> > Hello,
> >
> > I'm struggling a bit with an issue when using Apache as a reverse proxy
> > when needing to use differing Authentication. I've searched for a couple
> > of days now, but nothing matching what I'm seeing has come up.
> >
> > The scenario is that I am using Apache as a reverse proxy, but sending a
> > sub-path to different backend like so (extremely simplified):
> >
> > 
> >ProxyPass http://host2:8080/foo/bar 
> > 
> > 
> >ProxyPass http://host1.example.com/foo 
> > 
>
> One is overriding the other, so you get an arbitrary result. You can
> exclude /foo/bar from your second pass by using something like
> LocationMatch instead:
>
> 
>.. things here for /foo/bar
> 
> 
>  .. things here for /foo/baz but not /foo/bar
>  ProxyPass "http://host1.example.com/$1;
> 
>
> Do note that if the Auth realm is the same, you can get the wrong
> credentials showing up if they differ. These should be unique if the
> credentials are.
>
> >
> > This works without issue. However, as soon as I try to put
> > authentication on the second location (or more accurately different
> > authentication directives), any request to "/foo/bar" triggers auth:
> >
> > Example:
> > 
> >ProxyPass http://host2:8080/foo/bar 
> > 
> > 
> >AuthType basic
> >AuthName "Restricted"
> >AuthUserFile /usr/local/apache2/.htpasswd
> >Require valid-user
> >ProxyPass http://host1.example.com/foo 
> > 
> >
> > In the logs, set to trace8, I see that now apache is matching the
> > REQUEST_URI to the wrong proxy handler:
> >
> > "attempting to match URI path '/foo/bar' against prefix '/foo' for
> proxying
> > "URI path /foo/bar' matches proxy handler 'proxy:http://
> > host1.example.com/foo/bar '"
> > "authorization result of Require valid-user : denied (no authenticated
> > user)"
> >
> > Without any auth, the logs correctly show the request to `/foo/bar`
> > being routed to the correct proxy handler 'proxy:http://host2:8080/foo/
> > bar '.
> >
> > If anyone has any ideas on why adding auth completely blows up the proxy
> > routing, I'd appreciate it. Otherwise, I'll have to create two proxy
> > servers, just to handle each case.
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] Authentication in Location blocks for reverse proxy seems to take precedence in routes

2024-06-14 Thread Daniel Gruno 

On 6/14/24 12:41, M Foster wrote:

Hello,

I'm struggling a bit with an issue when using Apache as a reverse proxy 
when needing to use differing Authentication. I've searched for a couple 
of days now, but nothing matching what I'm seeing has come up.


The scenario is that I am using Apache as a reverse proxy, but sending a 
sub-path to different backend like so (extremely simplified):



   ProxyPass http://host2:8080/foo/bar 


   ProxyPass http://host1.example.com/foo 



One is overriding the other, so you get an arbitrary result. You can 
exclude /foo/bar from your second pass by using something like 
LocationMatch instead:



  .. things here for /foo/bar


.. things here for /foo/baz but not /foo/bar
ProxyPass "http://host1.example.com/$1;


Do note that if the Auth realm is the same, you can get the wrong 
credentials showing up if they differ. These should be unique if the 
credentials are.




This works without issue. However, as soon as I try to put 
authentication on the second location (or more accurately different 
authentication directives), any request to "/foo/bar" triggers auth:


Example:

   ProxyPass http://host2:8080/foo/bar 


   AuthType basic
   AuthName "Restricted"
   AuthUserFile /usr/local/apache2/.htpasswd
   Require valid-user
   ProxyPass http://host1.example.com/foo 


In the logs, set to trace8, I see that now apache is matching the 
REQUEST_URI to the wrong proxy handler:


"attempting to match URI path '/foo/bar' against prefix '/foo' for proxying
"URI path /foo/bar' matches proxy handler 'proxy:http:// 
host1.example.com/foo/bar '"
"authorization result of Require valid-user : denied (no authenticated 
user)"


Without any auth, the logs correctly show the request to `/foo/bar` 
being routed to the correct proxy handler 'proxy:http://host2:8080/foo/ 
bar '.


If anyone has any ideas on why adding auth completely blows up the proxy 
routing, I'd appreciate it. Otherwise, I'll have to create two proxy 
servers, just to handle each case.





-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Authentication in Location blocks for reverse proxy seems to take precedence in routes

2024-06-14 Thread M Foster 
I forgot to add I'm using Docker image http:2.4.59.

On Fri, Jun 14, 2024 at 11:41 AM M Foster  wrote:

> Hello,
>
> I'm struggling a bit with an issue when using Apache as a reverse proxy
> when needing to use differing Authentication. I've searched for a couple of
> days now, but nothing matching what I'm seeing has come up.
>
> The scenario is that I am using Apache as a reverse proxy, but sending a
> sub-path to different backend like so (extremely simplified):
>
> 
>   ProxyPass http://host2:8080/foo/bar
> 
> 
>   ProxyPass http://host1.example.com/foo
> 
>
> This works without issue. However, as soon as I try to put authentication
> on the second location (or more accurately different authentication
> directives), any request to "/foo/bar" triggers auth:
>
> Example:
> 
>   ProxyPass http://host2:8080/foo/bar
> 
> 
>   AuthType basic
>   AuthName "Restricted"
>   AuthUserFile /usr/local/apache2/.htpasswd
>   Require valid-user
>   ProxyPass http://host1.example.com/foo
> 
>
> In the logs, set to trace8, I see that now apache is matching the
> REQUEST_URI to the wrong proxy handler:
>
> "attempting to match URI path '/foo/bar' against prefix '/foo' for proxying
> "URI path /foo/bar' matches proxy handler 'proxy:
> http://host1.example.com/foo/bar'"
> "authorization result of Require valid-user : denied (no authenticated
> user)"
>
> Without any auth, the logs correctly show the request to `/foo/bar` being
> routed to the correct proxy handler 'proxy:http://host2:8080/foo/bar'.
>
> If anyone has any ideas on why adding auth completely blows up the proxy
> routing, I'd appreciate it. Otherwise, I'll have to create two proxy
> servers, just to handle each case.
>
>

[users@httpd] Authentication in Location blocks for reverse proxy seems to take precedence in routes

2024-06-14 Thread M Foster 
Hello,

I'm struggling a bit with an issue when using Apache as a reverse proxy
when needing to use differing Authentication. I've searched for a couple of
days now, but nothing matching what I'm seeing has come up.

The scenario is that I am using Apache as a reverse proxy, but sending a
sub-path to different backend like so (extremely simplified):


  ProxyPass http://host2:8080/foo/bar


  ProxyPass http://host1.example.com/foo


This works without issue. However, as soon as I try to put authentication
on the second location (or more accurately different authentication
directives), any request to "/foo/bar" triggers auth:

Example:

  ProxyPass http://host2:8080/foo/bar


  AuthType basic
  AuthName "Restricted"
  AuthUserFile /usr/local/apache2/.htpasswd
  Require valid-user
  ProxyPass http://host1.example.com/foo


In the logs, set to trace8, I see that now apache is matching the
REQUEST_URI to the wrong proxy handler:

"attempting to match URI path '/foo/bar' against prefix '/foo' for proxying
"URI path /foo/bar' matches proxy handler 'proxy:
http://host1.example.com/foo/bar'"
"authorization result of Require valid-user : denied (no authenticated
user)"

Without any auth, the logs correctly show the request to `/foo/bar` being
routed to the correct proxy handler 'proxy:http://host2:8080/foo/bar'.

If anyone has any ideas on why adding auth completely blows up the proxy
routing, I'd appreciate it. Otherwise, I'll have to create two proxy
servers, just to handle each case.

Re: [users@httpd] Stripping trailing slashes (again)

2024-06-13 Thread Eric Covener 
> RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,END]
>
> I've also set logging to trace5 (even though none of the entries were above 
> trace4) - shouldn't it provide me with enough info to determine where/why 
> it's looping?

I think it loops because it redirects https://linuxsecurity.com/ to
https://linuxsecurity.com which the browser treats as
https://linuxsecurity.com/

You'll need to handle / with a condition or a slightly different regex.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Stripping trailing slashes (again)

2024-06-13 Thread Dave Wreski 



Some time ago I requested help with a rewrite rule to strip
trailing slash(es) from all URLs in our joomla website, but I'm
still having problems. This is the rule I am currently working with:

RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,L]

It works fine for any URL other than the homepage. Somehow for the
homepage it creates an infinite loop, despite using "L", so
perhaps I don't understand what it's doing. The (.*) is supposed
to match any character, but there wouldn't be any preceding
elements for the homepage.

The problem as I see it is that, for the homepage, (.*) would be
null, so $1 would also be null? This then creates the same URL as
the one we're trying to fix.

First it appears to work properly (trimmed for legibility):

init rewrite engine with requested uri /
applying pattern '^(.*)/+$' to uri '/'
rewrite '/' -> 'https://linuxsecurity.com'
explicitly forcing redirect with https://linuxsecurity.com
escaping https://linuxsecurity.com for redirect
redirect to https://linuxsecurity.com [REDIRECT/301]

then it looks like it inits the rewrite engine again?

init rewrite engine with requested uri /, referer:
https://linuxsecurity.com/
applying pattern '^(.*)/+$' to uri '/', referer:
https://linuxsecurity.com/
rewrite '/' -> 'https://linuxsecurity.com', referer:
https://linuxsecurity.com/
explicitly forcing redirect with https://linuxsecurity.com,
referer: https://linuxsecurity.com/
escaping https://linuxsecurity.com for redirect, referer:
https://linuxsecurity.com/
redirect to https://linuxsecurity.com [REDIRECT/301], referer:
https://linuxsecurity.com/

This just loops repeatedly until it dies. I've also made sure
there's only one "RewriteEngine on" in the virtual host config and
the .htaccess. Would that even matter?

What am I doing wrong? I've tried a thousand variations of this to
no avail.

You will need to stop using .htaccess files to prevent looping, as a 
first step.  Edit your vhost.


I've removed the .htaccess in the document root and there are no other 
Includes in the vhost. I've also tried adding [END] but none of it has 
made any difference.


RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,END]

I've also set logging to trace5 (even though none of the entries were 
above trace4) - shouldn't it provide me with enough info to determine 
where/why it's looping?


If I remove the one RewriteEngine statement in my vhost config, it's 
clear that it does not process any RewriteRules at all.


dave

Re: [users@httpd] Stripping trailing slashes (again)

2024-06-13 Thread Eric Covener 
>  despite using "L",

Looked at [END] ?

On Thu, Jun 13, 2024 at 10:41 AM Dave Wreski
 wrote:
>
> Hi,
>
> Some time ago I requested help with a rewrite rule to strip trailing 
> slash(es) from all URLs in our joomla website, but I'm still having problems. 
> This is the rule I am currently working with:
>
> RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,L]
>
> It works fine for any URL other than the homepage. Somehow for the homepage 
> it creates an infinite loop, despite using "L", so perhaps I don't understand 
> what it's doing. The (.*) is supposed to match any character, but there 
> wouldn't be any preceding elements for the homepage.
>
> The problem as I see it is that, for the homepage, (.*) would be null, so $1 
> would also be null? This then creates the same URL as the one we're trying to 
> fix.
>
> First it appears to work properly (trimmed for legibility):
>
> init rewrite engine with requested uri /
> applying pattern '^(.*)/+$' to uri '/'
> rewrite '/' -> 'https://linuxsecurity.com'
> explicitly forcing redirect with https://linuxsecurity.com
> escaping https://linuxsecurity.com for redirect
> redirect to https://linuxsecurity.com [REDIRECT/301]
>
> then it looks like it inits the rewrite engine again?
>
> init rewrite engine with requested uri /, referer: https://linuxsecurity.com/
> applying pattern '^(.*)/+$' to uri '/', referer: https://linuxsecurity.com/
> rewrite '/' -> 'https://linuxsecurity.com', referer: 
> https://linuxsecurity.com/
> explicitly forcing redirect with https://linuxsecurity.com, referer: 
> https://linuxsecurity.com/
> escaping https://linuxsecurity.com for redirect, referer: 
> https://linuxsecurity.com/
> redirect to https://linuxsecurity.com [REDIRECT/301], referer: 
> https://linuxsecurity.com/
>
> This just loops repeatedly until it dies. I've also made sure there's only 
> one "RewriteEngine on" in the virtual host config and the .htaccess. Would 
> that even matter?
>
> What am I doing wrong? I've tried a thousand variations of this to no avail.
>
>
>
>


-- 
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Stripping trailing slashes (again)

2024-06-13 Thread Frank Gingras 
On Thu, Jun 13, 2024 at 10:41 AM Dave Wreski
 wrote:

> Hi,
>
> Some time ago I requested help with a rewrite rule to strip trailing
> slash(es) from all URLs in our joomla website, but I'm still having
> problems. This is the rule I am currently working with:
>
> RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,L]
>
> It works fine for any URL other than the homepage. Somehow for the
> homepage it creates an infinite loop, despite using "L", so perhaps I don't
> understand what it's doing. The (.*) is supposed to match any character,
> but there wouldn't be any preceding elements for the homepage.
>
> The problem as I see it is that, for the homepage, (.*) would be null, so
> $1 would also be null? This then creates the same URL as the one we're
> trying to fix.
>
> First it appears to work properly (trimmed for legibility):
>
> init rewrite engine with requested uri /
> applying pattern '^(.*)/+$' to uri '/'
> rewrite '/' -> 'https://linuxsecurity.com'
> explicitly forcing redirect with https://linuxsecurity.com
> escaping https://linuxsecurity.com for redirect
> redirect to https://linuxsecurity.com [REDIRECT/301]
>
> then it looks like it inits the rewrite engine again?
>
> init rewrite engine with requested uri /, referer:
> https://linuxsecurity.com/
> applying pattern '^(.*)/+$' to uri '/', referer:
> https://linuxsecurity.com/
> rewrite '/' -> 'https://linuxsecurity.com', referer:
> https://linuxsecurity.com/
> explicitly forcing redirect with https://linuxsecurity.com, referer:
> https://linuxsecurity.com/
> escaping https://linuxsecurity.com for redirect, referer:
> https://linuxsecurity.com/
> redirect to https://linuxsecurity.com [REDIRECT/301], referer:
> https://linuxsecurity.com/
>
> This just loops repeatedly until it dies. I've also made sure there's only
> one "RewriteEngine on" in the virtual host config and the .htaccess. Would
> that even matter?
>
> What am I doing wrong? I've tried a thousand variations of this to no
> avail.
>
>
>
>
>
You will need to stop using .htaccess files to prevent looping, as a first
step.  Edit your vhost.

[users@httpd] Stripping trailing slashes (again)

2024-06-13 Thread Dave Wreski 

Hi,

Some time ago I requested help with a rewrite rule to strip trailing 
slash(es) from all URLs in our joomla website, but I'm still having 
problems. This is the rule I am currently working with:


RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,L]

It works fine for any URL other than the homepage. Somehow for the 
homepage it creates an infinite loop, despite using "L", so perhaps I 
don't understand what it's doing. The (.*) is supposed to match any 
character, but there wouldn't be any preceding elements for the homepage.


The problem as I see it is that, for the homepage, (.*) would be null, 
so $1 would also be null? This then creates the same URL as the one 
we're trying to fix.


First it appears to work properly (trimmed for legibility):

init rewrite engine with requested uri /
applying pattern '^(.*)/+$' to uri '/'
rewrite '/' -> 'https://linuxsecurity.com'
explicitly forcing redirect with https://linuxsecurity.com
escaping https://linuxsecurity.com for redirect
redirect to https://linuxsecurity.com [REDIRECT/301]

then it looks like it inits the rewrite engine again?

init rewrite engine with requested uri /, referer: 
https://linuxsecurity.com/

applying pattern '^(.*)/+$' to uri '/', referer: https://linuxsecurity.com/
rewrite '/' -> 'https://linuxsecurity.com', referer: 
https://linuxsecurity.com/
explicitly forcing redirect with https://linuxsecurity.com, referer: 
https://linuxsecurity.com/
escaping https://linuxsecurity.com for redirect, referer: 
https://linuxsecurity.com/
redirect to https://linuxsecurity.com [REDIRECT/301], referer: 
https://linuxsecurity.com/


This just loops repeatedly until it dies. I've also made sure there's 
only one "RewriteEngine on" in the virtual host config and the 
.htaccess. Would that even matter?


What am I doing wrong? I've tried a thousand variations of this to no avail.

[users@httpd] How is Apache Http Server architecture?

2024-06-11 Thread anlex N 
How is Apache Http Server architecture?
I value your feedback very much

Nice to meet you, My name is anlex N .

I am a verified google maintainer of popular open source projects.

I am reviewing system-design-primer
. I can not find
"Apache Http Server architecture" docs in the Apache Http Server website.
Where can I find these docs?

By the way, system-design-primer just demonstrates NGINX architecture and
HAProxy architecture, Is Apache Http Server not better than NGINX and
HAProxy?

The Apache Http Server website says "event" (not "worker") mode supports
big scale. Is it OK?

Re: [users@httpd] Compatible version with openjdk21

2024-06-10 Thread Eric Covener 
https://hc.apache.org/mail.html

On Mon, Jun 10, 2024 at 3:42 AM Sahil Sharma D
 wrote:
>
> Hello team,
>
>
>
> Which version of https client and Core is compatible with openjdk21?
>
>
>
> Regards,
>
> Sahil
>
>



-- 
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Compatible version with openjdk21

2024-06-10 Thread Sahil Sharma D 
Hello team,

Which version of https client and Core is compatible with openjdk21?

Regards,
Sahil

Re: [users@httpd] Redirecting based on IP

2024-06-06 Thread Dave Wreski 

Hi,


The next steps I'd like to do is to redirect anyone not in that RequireAll 
statement to be redirected to the production site. Is this possible? Perhaps a 
RewriteCond that depends upon certain IPs, then otherwise redirects to the 
production site?

I don't think relying on the IPs is a good idea, since those will
change, and the proper process to validate them requires 2 DNS
lookups, if I'm not mistaken. Just use a rewriteCond + rewriteRule to
generously check the User-Agent and perform the redirect. You may have
to set an environment variable in the rewrite rule and check that in
your RequireAll statement to permit the 301 response to be sent. You
may want to verify that the Vary:User-Agent response header gets sent
to the client to prevent cache pollution.


I'm back to trying to work on this, and hoped you could assist further. 
Is this along the lines of what I should be doing?


  SetEnvIf user-agent "(?i:Googlebot)" stayout=1
      RewriteCond %{HTTP_USER_AGENT}    Googlebot
      RewriteRule (.*) https://linuxsecurity.com$1 [E=stayout:1]

I'm also not sure about the Vary:User-Agent - we are using cloudflare, 
but that appears related to triggering googlebot to also scan as another 
user agent, such as its mobile bot?


dave

Re: [users@httpd] Require paramater

2024-05-19 Thread Daniel Gruno 

On 5/13/24 15:42, Chris me wrote:
The Apache docs recommend dong this to setup a default deny to file 
locations:




     Require all denied



Do I do that in httpd.conf or do I add that to each  entry?



If you do it in httpd.conf (which I assume would be a server-wide scope 
for you), it will be applied globally and thus within every virtualhost 
scope as well. You should then, within each virtualhost scope, 
explicitly allow access to the documentroot and other directories you 
wish to have open for reading.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Redirecting based on IP

2024-05-17 Thread Dave Wreski 

Hi,


The staging site is even protected with a RequireAll statement for the 
DocumentRoot based on the IP, which then results in a 404 and other errors in 
GSC.

That sound wrong. If your RequireAll was working as advertised, should
it not return a 403?


Yes, it does - my mistake.


The next steps I'd like to do is to redirect anyone not in that RequireAll 
statement to be redirected to the production site. Is this possible? Perhaps a 
RewriteCond that depends upon certain IPs, then otherwise redirects to the 
production site?

I don't think relying on the IPs is a good idea, since those will
change, and the proper process to validate them requires 2 DNS
lookups, if I'm not mistaken. Just use a rewriteCond + rewriteRule to
generously check the User-Agent and perform the redirect. You may have
to set an environment variable in the rewrite rule and check that in
your RequireAll statement to permit the 301 response to be sent. You
may want to verify that the Vary:User-Agent response header gets sent
to the client to prevent cache pollution.


I used your rewritecond+rewriterule approach, and it worked perfectly in 
my tests. Thanks so much.

Re: [users@httpd] Directory Trailing Slash When Behind Load Balancer

2024-05-17 Thread Rainer Canavan 
On Tue, May 14, 2024 at 6:07 PM Gavin Spomer  wrote:
>
> Hello,
>
> I recently migrated my Apache web server from FreeBSD to Ubuntu Server and 
> found an issue with URLs that point to a directory, but don't include the 
> trailing slash, when going through our institution's load balancer. If I 
> access directly (not going through the load balancer), everything works fine:
>
>http://mywebserver.example.com/application
>
>Above works as, from reading the mod_dir documentation, it redirects to
>http://mywebserver.example.com/application/ (adds the trailing slash) and 
> thus the application's index.php script
>is executed.
>
> My web server is fronted by our institution's load balancer which does SSL 
> termination and then sends the request to my web server on port 81. I am not 
> seeing the same behavior when accessing through our load balancer:
>
>https://loadbalancer.example.com/application
>
>The above doesn't work. It hangs, times out and then redirects to 
> http://loadbalancer.example.com:81/application/
>with a "This site can’t be reached" message. It does work if I explicitly 
> add the slash to the URL in my browser:

That's probably not the order that events are acutally happening. It
most likely redirects to
http://loadbalancer.example.com:81/application/ first.

[...]
> 
>ServerName mywebserver.example.com:81

Redirects require a complete URL, and mod_dir is probably assembling
that using the ServerName. Use the developer tools in your browser or
curl -v to see what's actually going on, particularly the "Location:"
response header, which is the URL the redirect is sending your browser
to.

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Redirecting based on IP

2024-05-16 Thread Rainer Canavan 
On Thu, May 16, 2024 at 1:15 AM Dave Wreski
 wrote:
>
> Hi,
>
[...]
> The staging site is even protected with a RequireAll statement for the 
> DocumentRoot based on the IP, which then results in a 404 and other errors in 
> GSC.

That sound wrong. If your RequireAll was working as advertised, should
it not return a 403?

[...]
>
> The next steps I'd like to do is to redirect anyone not in that RequireAll 
> statement to be redirected to the production site. Is this possible? Perhaps 
> a RewriteCond that depends upon certain IPs, then otherwise redirects to the 
> production site?

I don't think relying on the IPs is a good idea, since those will
change, and the proper process to validate them requires 2 DNS
lookups, if I'm not mistaken. Just use a rewriteCond + rewriteRule to
generously check the User-Agent and perform the redirect. You may have
to set an environment variable in the rewrite rule and check that in
your RequireAll statement to permit the 301 response to be sent. You
may want to verify that the Vary:User-Agent response header gets sent
to the client to prevent cache pollution.

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Redirecting based on IP

2024-05-15 Thread gene heskett 

On 5/15/24 19:15, Dave Wreski wrote:

Hi,

Google insists that one of our staging sites needs to be indexed despite 
"disallow" in robots.txt and a half-dozen other methods for preventing 
Google from indexing it (including submitting it for removal from their 
index). The staging site is even protected with a RequireAll statement 
for the DocumentRoot based on the IP, which then results in a 404 and 
other errors in GSC. This impacts our SEO and also causes GSC to stop 
processing the rest of our site.


The next steps I'd like to do is to redirect anyone not in that 
RequireAll statement to be redirected to the production site. Is this 
possible? Perhaps a RewriteCond that depends upon certain IPs, then 
otherwise redirects to the production site?


Thanks,
Dave

The last time I ran into this was back in iptables days 20 years ago. 
Based on IP they were denied because my site at the time included my 
photo's and totalled about 13 gigabytes. This was in the days of 
bandwidth per month of 30 gigs. Because google has so many machines they 
used up all my allocation long before the month was up. I wound up 
putting another search engine in that database, mj12, so I wound up with 
an iptables file about 15k lines long. That continued until I had ported 
the whole thing to a couple new Seacrate 1t drives, both of which went 
tits down in the night within 2 weeks, just disappearing off the 
sata-III bus. I was so pi$$ed I didn't even warranty them. SSD's are it 
today. I have only one spinning rust drive in 8 machines here now, a 250 
gig that refuses to die. iptables worked but took about 10 hours a month 
to maintain it cuz they moved the machines to a new address.  Some of 
the iptables rules ended in /16, so I was blocking a goodly share of the 
ipv4 space when I had the gran crash.  I controlled it most of the time 
but it was several hours a week keeping even with them. You never get 
ahead. I still have a registered name but all you get is the apache test 
page.


Cheers, Gene Heskett, CET.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Redirecting based on IP

2024-05-15 Thread Dave Wreski 

Hi,

Google insists that one of our staging sites needs to be indexed despite 
"disallow" in robots.txt and a half-dozen other methods for preventing 
Google from indexing it (including submitting it for removal from their 
index). The staging site is even protected with a RequireAll statement 
for the DocumentRoot based on the IP, which then results in a 404 and 
other errors in GSC. This impacts our SEO and also causes GSC to stop 
processing the rest of our site.


The next steps I'd like to do is to redirect anyone not in that 
RequireAll statement to be redirected to the production site. Is this 
possible? Perhaps a RewriteCond that depends upon certain IPs, then 
otherwise redirects to the production site?


Thanks,
Dave

RE: [users@httpd] http ok, https Forbidden

2024-05-15 Thread Marc 
> 
> we have a apache 2.4.59 running on windows for an internal page.
> Now we would like to use https instead of http
> 
> Opening the url via http works,
> when I use https I get
> 
> Forbidden
> You don't have permission to access this resource.
> 
> I activated the debug level and see this lines
> 

Not enough info, maybe you just lack the configuration of a https virtual host 
entry?



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] http ok, https Forbidden

2024-05-15 Thread Andreas . Moroder 
Hello,

we have a apache 2.4.59 running on windows for an internal page.
Now we would like to use https instead of http

Opening the url via http works,
when I use https I get

Forbidden
You don't have permission to access this resource.

I activated the debug level and see this lines

[Wed May 15 08:54:17.471598 2024] [authz_core:debug] [pid 8152:tid 1360] 
mod_authz_core.c(815): [client 10.26.2.32:54158] AH01626: authorization 
result of Require local : denied
[Wed May 15 08:54:17.471598 2024] [authz_core:debug] [pid 8152:tid 1360] 
mod_authz_core.c(815): [client 10.26.2.32:54158] AH01626: authorization 
result of : denied
[Wed May 15 08:54:17.471598 2024] [authz_core:error] [pid 8152:tid 1360] 
[client 10.26.2.32:54158] AH01630: client denied by server configuration: 
E:/wamp/www/itop/pages/UI.php


What I don't understand is why using https:// it is denied while it works 
with http://

the httpd-vhosts.conf contains this lines

# Virtual Hosts
#

  ServerName localhost
  ServerAlias localhost
  DocumentRoot "${INSTALL_DIR}/www"
  
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride None
Require all granted
  


while http.conf contains this lines


AllowOverride none
Require all denied




Can anyone please tell me why the behaviour changes and how to solve it?

Greetings
Andreas

Institut für den sozialen Wohnbau des Landes Südtirol
Istituto per l’edilizia sociale della Provincia autonoma di Bolzano
39100 Bozen Horazstraße 14 / 39100 Bolzano via Orazio, 14
wobi.bz.it   ipes.bz.it 





Dies ist eine vertrauliche Nachricht und nur für den Adressaten bestimmt. 
Sollten Sie diese Nachricht irrtümlich erhalten haben, bitten wir um Ihre 
diesbezügliche Benachrichtigung und um die Löschung der Nachricht. Eine 
Veröffentlichung oder Verbreitung des Inhaltes sowie jegliche anderweitige 
Verwendung sind untersagt.

Il contenuto di questa e-mail è rivolto esclusivamente al destinatario 
della stessa e deve intendersi riservato e personale. Laddove questa 
e-mail Le fosse pervenuta per errore, Le chiediamo di comunicarci l’errata 
notifica e di cancellarne il contenuto. Sono sempre vietate la 
pubblicazione o diffusione del contenuto, nonché l'utilizzo per qualsiasi 
altro scopo.

[users@httpd] Directory Trailing Slash When Behind Load Balancer

2024-05-14 Thread Gavin Spomer 
Hello,

I recently migrated my Apache web server from FreeBSD to Ubuntu Server and 
found an issue with URLs that point to a directory, but don't include the 
trailing slash, when going through our institution's load balancer. If I access 
directly (not going through the load balancer), everything works fine:

   http://mywebserver.example.com/application

   Above works as, from reading the mod_dir documentation, it redirects to 
   http://mywebserver.example.com/application/ (adds the trailing slash) and 
thus the application's index.php script
   is executed.

My web server is fronted by our institution's load balancer which does SSL 
termination and then sends the request to my web server on port 81. I am not 
seeing the same behavior when accessing through our load balancer:

   https://loadbalancer.example.com/application

   The above doesn't work. It hangs, times out and then redirects to 
http://loadbalancer.example.com:81/application/
   with a "This site can’t be reached" message. It does work if I explicitly 
add the slash to the URL in my browser:

   https://loadbalancer.example.com/application/

   The above works and executes the application's index.php script.

I contacted the admin of the load balancer and asked if there had been any 
changes to the settings, but he indicated that there wasn't and that there was 
no inspection, rule processing or manipulation of the URL on the load balancer 
end.  When I had my web server on FreeBSD it worked, but I don't recall doing 
anything configuration-wise to make it work with our load balancer beyond 
making a virtual host that ran on port 81 and to listen on that same port. I 
don't have a copy of my config from my old FreeBSD host. :( My current virtual 
host config is pretty straight forward:


   ServerName mywebserver.example.com:81
   ServerAdmin usern...@example.com
   DocumentRoot /var/www/html
   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined


I can share other parts of my Apache configuration if that helps. I spent my 
work day yesterday looking at Apache documentation, Google searches and testing 
various things in my configuration to resolve this issue. 

 - Gavin 
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache HTTP Server 2.4 EOL

2024-05-13 Thread Yehuda Katz 
There is no planned EOL for 2.4, but you should always be on the most
recently released version - currently 2.4.59 - or possibly on a version
maintained by your OS distribution to keep up with the latest security
patches.

On Mon, May 13, 2024 at 10:50 PM Ehmann G  wrote:

> i tried searching on Google for the end-of-life support information for
> Apache HTTP Server 2.4 but couldn't find any useful results. I also checked
> the Apache website but didn't find any details on this topic. Does anyone
> have any relevant information?
>

[users@httpd] Apache HTTP Server 2.4 EOL

2024-05-13 Thread Ehmann G 
i tried searching on Google for the end-of-life support information for
Apache HTTP Server 2.4 but couldn't find any useful results. I also checked
the Apache website but didn't find any details on this topic. Does anyone
have any relevant information?

[users@httpd] Require paramater

2024-05-13 Thread Chris me 
The Apache docs recommend dong this to setup a default deny to file locations:


Require all denied


Do I do that in httpd.conf or do I add that to each  entry?

Re: [users@httpd] Multi site SSL problems

2024-05-10 Thread Frank Gingras 
On Fri, May 10, 2024 at 5:53 PM Tatsuki Makino 
wrote:

> Hello.
>
> By the way, do you have the setting enabled to use the Host header used to
> switch NameVirtualHost during TLS negotiation?
> I don't know how to do that since the Japanese documentation is rarely
> updated :)
> Were those things implemented?
>
> Regards.
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
Tatsuki,

You're thinking of SNI, and it works out of the box with OpenSSL 0.9.8f or
later, and with NameVirtualHost *:443.

So, again, I highly recommend using *:PORT to define all your vhosts,
unless you know exactly what you are doing.

Re: [users@httpd] Multi site SSL problems

2024-05-10 Thread Tatsuki Makino 
Hello.

By the way, do you have the setting enabled to use the Host header used to 
switch NameVirtualHost during TLS negotiation?
I don't know how to do that since the Japanese documentation is rarely updated 
:)
Were those things implemented?

Regards.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Multi site SSL problems

2024-05-10 Thread Frank Gingras 
On Fri, May 10, 2024 at 4:10 PM John  wrote:

> On Fri, 2024-05-10 at 15:48 -0400, Sean Conner wrote:
> > It was thus said that the Great Chris me once stated:
> > > I set up each entry with  but when I do that, the
> > > second site will complain that the cert is for site1. So if I go to
> > > site2.com, I get a browser error that the cert is for site1. It will
> show
> > > me the content for site1.
> >
> >   On my development server, I have the following:
> >
> > 
> >   ServerName  playground.roswell.area51
> >   SSLEngine   on
> >   SSLCertificateFile  /home/spc/web/playground/cert.pem
> >   SSLCertificateKeyFile   /home/spc/web/playground/key.pem
> >   ...
> > 
> >
> > 
> >   ServerName  wiki.roswell.area51
> >   SSLEngine   on
> >   SSLCertificateFile  /home/spc/web/wiki/cert.pem
> >   SSLCertificateKeyFile   /home/spc/web/wiki/key.pem
> >   ...
> > 
> >
> > > I am not sure how to do this part:
> > > Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require
> instead
> > > I am running Apache 2.2, does it still apply?
> > > It does not look like mod_access_compat is listed under mods-enabled
> >
> >   That I don't remember as I've been running Apache 2.4 for a couple of
> > years now.
> >
> >   -spc
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
> Typo in the 2nd virtual host "1932.168.1.10:"  probably should be
> "192.168.1.10"
>
> John
> ==
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
Show the apachectl -S output, and each vhost.  Make sure that every single
:443 vhost has SSLEngine on and SSLCertificateFile set.

Re: [users@httpd] Multi site SSL problems

2024-05-10 Thread John 
On Fri, 2024-05-10 at 15:48 -0400, Sean Conner wrote:
> It was thus said that the Great Chris me once stated:
> > I set up each entry with  but when I do that, the
> > second site will complain that the cert is for site1. So if I go to
> > site2.com, I get a browser error that the cert is for site1. It will show
> > me the content for site1.
> 
>   On my development server, I have the following:
> 
> 
>   ServerName  playground.roswell.area51
>   SSLEngine   on
>   SSLCertificateFile  /home/spc/web/playground/cert.pem
>   SSLCertificateKeyFile   /home/spc/web/playground/key.pem
>   ...
> 
> 
> 
>   ServerName  wiki.roswell.area51
>   SSLEngine   on
>   SSLCertificateFile  /home/spc/web/wiki/cert.pem
>   SSLCertificateKeyFile   /home/spc/web/wiki/key.pem
>   ...
> 
> 
> > I am not sure how to do this part:
> > Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require 
> > instead
> > I am running Apache 2.2, does it still apply?
> > It does not look like mod_access_compat is listed under mods-enabled
> 
>   That I don't remember as I've been running Apache 2.4 for a couple of
> years now.
> 
>   -spc
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
Typo in the 2nd virtual host "1932.168.1.10:"  probably should be "192.168.1.10"

John
==

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Multi site SSL problems

2024-05-10 Thread Sean Conner 
It was thus said that the Great Chris me once stated:
> I set up each entry with  but when I do that, the
> second site will complain that the cert is for site1. So if I go to
> site2.com, I get a browser error that the cert is for site1. It will show
> me the content for site1.

  On my development server, I have the following:


ServerName  playground.roswell.area51
SSLEngine   on
SSLCertificateFile  /home/spc/web/playground/cert.pem
SSLCertificateKeyFile   /home/spc/web/playground/key.pem
...



ServerName  wiki.roswell.area51
SSLEngine   on
SSLCertificateFile  /home/spc/web/wiki/cert.pem
SSLCertificateKeyFile   /home/spc/web/wiki/key.pem
...


> I am not sure how to do this part:
> Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
> I am running Apache 2.2, does it still apply?
> It does not look like mod_access_compat is listed under mods-enabled

  That I don't remember as I've been running Apache 2.4 for a couple of
years now.

  -spc


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] Multi site SSL problems

2024-05-10 Thread Chris me 
I found NameVirtualHost *:443 was commented out in ports.conf, I changed that.
Now I am back to the ssl protocol error for the second site.


From: Chris me 
Sent: Friday, May 10, 2024 8:40 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Multi site SSL problems

I set up each entry with  but when I do that, the second 
site will complain that the cert is for site1. So if I go to site2.com, I get a 
browser error that the cert is for site1. It will show me the content for site1.

I am not sure why the difference, my non ssl hosts, ie  all 
work fine, each site gives me the correct content, so why does it not work for 
?

The Entries are

ServerName www.site1.com




ServerName www.site2.com



I am not sure how to do this part:
Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
I am running Apache 2.2, does it still apply?
It does not look like mod_access_compat is listed under mods-enabled

From: Frank Gingras mailto:thu...@apache.org>>
Sent: Thursday, May 9, 2024 4:12 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Multi site SSL problems



On Thu, May 9, 2024 at 6:54 PM Chris me 
mailto:phunct...@hotmail.com>> wrote:
Hi, I am having an issue trying to get multiple sites with their own SSL cert. 
I purchased AlphaSSL certs for them.
The strange thing, the first cert works, the second gives me an 
ERR_SSL_PROTOCOL_ERROR, but only on some systems.

This is what I am using now:

(
Site1 is fine, Site2 gives me the error.

I originally tried with NameVirtualHost *.443
And then 
But when I go to site2, it complains that the cert is invalid because it is 
using the cert from site1?
)



NameVirtualHost 192.99.9.188:443

http://www.site1.com:443>>
ServerName www.site1.com
ServerAdmin webmas...@site1.com
DocumentRoot /home/httpd/sites/site1


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile
/etc/ssl/site1.ca/server.crt
SSLCertificateKeyFile 
/etc/ssl/site1.ca/server.key
SSLCertificateChainFile 
/etc/ssl/site1.ca/bundle.crt


http://www.site2.com:443>>
ServerName www.site2.com
ServerAdmin webmas...@site2.com
DocumentRoot /home/httpd/sites/site2


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile
/etc/ssl/site2.ca/server.crt
SSLCertificateKeyFile 
/etc/ssl/site2.ca/server.key
SSLCertificateChainFile 
/etc/ssl/site2.ca/bundle.crt



So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you are 
doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied

RE: [users@httpd] Multi site SSL problems

2024-05-10 Thread Chris me 
I set up each entry with  but when I do that, the second 
site will complain that the cert is for site1. So if I go to site2.com, I get a 
browser error that the cert is for site1. It will show me the content for site1.

I am not sure why the difference, my non ssl hosts, ie  all 
work fine, each site gives me the correct content, so why does it not work for 
?

The Entries are

ServerName www.site1.com




ServerName www.site2.com



I am not sure how to do this part:
Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
I am running Apache 2.2, does it still apply?
It does not look like mod_access_compat is listed under mods-enabled

From: Frank Gingras 
Sent: Thursday, May 9, 2024 4:12 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Multi site SSL problems



On Thu, May 9, 2024 at 6:54 PM Chris me 
mailto:phunct...@hotmail.com>> wrote:
Hi, I am having an issue trying to get multiple sites with their own SSL cert. 
I purchased AlphaSSL certs for them.
The strange thing, the first cert works, the second gives me an 
ERR_SSL_PROTOCOL_ERROR, but only on some systems.

This is what I am using now:

(
Site1 is fine, Site2 gives me the error.

I originally tried with NameVirtualHost *.443
And then 
But when I go to site2, it complains that the cert is invalid because it is 
using the cert from site1?
)



NameVirtualHost 192.99.9.188:443

http://www.site1.com:443>>
ServerName www.site1.com
ServerAdmin webmas...@site1.com
DocumentRoot /home/httpd/sites/site1


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile
/etc/ssl/site1.ca/server.crt
SSLCertificateKeyFile 
/etc/ssl/site1.ca/server.key
SSLCertificateChainFile 
/etc/ssl/site1.ca/bundle.crt


http://www.site2.com:443>>
ServerName www.site2.com
ServerAdmin webmas...@site2.com
DocumentRoot /home/httpd/sites/site2


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile
/etc/ssl/site2.ca/server.crt
SSLCertificateKeyFile 
/etc/ssl/site2.ca/server.key
SSLCertificateChainFile 
/etc/ssl/site2.ca/bundle.crt



So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you are 
doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied

Re: [users@httpd] Multi site SSL problems

2024-05-09 Thread Frank Gingras 
On Thu, May 9, 2024 at 6:54 PM Chris me  wrote:

> Hi, I am having an issue trying to get multiple sites with their own SSL
> cert. I purchased AlphaSSL certs for them.
>
> The strange thing, the first cert works, the second gives me an
> ERR_SSL_PROTOCOL_ERROR, but only on some systems.
>
>
>
> This is what I am using now:
>
>
>
> (
>
> Site1 is fine, Site2 gives me the error.
>
>
>
> I originally tried with NameVirtualHost *.443
>
> And then 
>
> But when I go to site2, it complains that the cert is invalid because it
> is using the cert from site1?
>
> )
>
>
>
>
>
> 
>
> NameVirtualHost 192.99.9.188:443
>
>
>
> 
>
> ServerName www.site1.com
>
> ServerAdmin webmas...@site1.com
>
> DocumentRoot /home/httpd/sites/site1
>
> 
>
>
>
> Order allow,deny
>
> Allow from all
>
> 
>
>
>
> SSLEngine on
>
> SSLProtocol all -SSLv2 -SSLv3
>
> SSLCertificateFile/etc/ssl/site1.ca/server.crt
>
> SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
>
> SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt
>
> 
>
>
>
> 
>
> ServerName www.site2.com
>
> ServerAdmin webmas...@site2.com
>
> DocumentRoot /home/httpd/sites/site2
>
> 
>
>
>
> Order allow,deny
>
> Allow from all
>
> 
>
>
>
> SSLEngine on
>
> SSLProtocol all -SSLv2 -SSLv3
>
> SSLCertificateFile/etc/ssl/site2.ca/server.crt
>
> SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
>
> SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt
>
> 
>
> 
>

So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you
are doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require
instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied

[users@httpd] Multi site SSL problems

2024-05-09 Thread Chris me 
Hi, I am having an issue trying to get multiple sites with their own SSL cert. 
I purchased AlphaSSL certs for them.
The strange thing, the first cert works, the second gives me an 
ERR_SSL_PROTOCOL_ERROR, but only on some systems.

This is what I am using now:

(
Site1 is fine, Site2 gives me the error.

I originally tried with NameVirtualHost *.443
And then 
But when I go to site2, it complains that the cert is invalid because it is 
using the cert from site1?
)



NameVirtualHost 192.99.9.188:443


ServerName www.site1.com
ServerAdmin webmas...@site1.com
DocumentRoot /home/httpd/sites/site1


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile/etc/ssl/site1.ca/server.crt
SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt



ServerName www.site2.com
ServerAdmin webmas...@site2.com
DocumentRoot /home/httpd/sites/site2


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile/etc/ssl/site2.ca/server.crt
SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt

[users@httpd] Re: How to Perform stateless restarts with checkpointing enabled

2024-05-09 Thread Kartikey Pant 
Please ignore this thread, I wanted to post this to a different Apache
mailing list. Apologies.

On Thu, May 9, 2024 at 2:49 PM Kartikey Pant 
wrote:

> We have a source/sink mechanism which uses checkpoints for persistence and
> can operate in a minor data loss scenario. Is there a method to use
> checkpoints (to enable use of those source/sink operators) while disabling
> stateful recovery during restarts?
>
> Our setup uses Flink 1.16.1 alongside Flink Kubernetes Operator 1.5.0. We
> are also using stateless upgrades with the operator but while the job is
> restarting, it's still restoring from the last stable checkpoint. Is there
> any option in Flink or Flink Kubernetes Operator which could help us in
> this?
>

[users@httpd] How to Perform stateless restarts with checkpointing enabled

2024-05-09 Thread Kartikey Pant 
We have a source/sink mechanism which uses checkpoints for persistence and
can operate in a minor data loss scenario. Is there a method to use
checkpoints (to enable use of those source/sink operators) while disabling
stateful recovery during restarts?

Our setup uses Flink 1.16.1 alongside Flink Kubernetes Operator 1.5.0. We
are also using stateless upgrades with the operator but while the job is
restarting, it's still restoring from the last stable checkpoint. Is there
any option in Flink or Flink Kubernetes Operator which could help us in
this?

[users@httpd] ap_trust_cgilike_cl changes in 2.4.59

2024-05-08 Thread Sinus 
Hello.

The Apache httpd docs state that ap_trust_cgilike_cl was introduced in
2.4.59. However, changelogs for that version never make a mention of the
variable, and the underlying change not to trust, say, PHP scripts with
Content-Length headers, effectively disabling progress events on numerous
downloaders accessing dynamically generated content. Where can I find more
information on this change?

[users@httpd] RE: proxypass to next proxy

2024-05-06 Thread Marc 
> 
> 
> On some production environment I am using this:
> 
> 
>  ProxyPass http://test.example.com/test
> 
> 

ProxyRemote "http://test.example.com/test " "http://proxy.local.net:5000;

 ProxyPass http://test.example.com/test

[users@httpd] proxypass to next proxy

2024-05-06 Thread Marc 


On some production environment I am using this:


 ProxyPass http://test.example.com/test


But on development I can't access test.example.com, traffic needs to be routed 
through another proxy on a different port. How should I rewrite this so 
requests for /test -> test.example.com go via proxy.local.net on port 5000?

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-05-05 Thread General Email 
On Wed, 17 Apr 2024 at 15:36, General Email
 wrote:
>
>
> Anyways, I looked more on google and I think that I have found what I was 
> looking for on this page:
> https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a
>


Few days ago, I configured SSL and enabled HTTPS on Apache 2.4. It is
working fine.

I am listing the steps below, in case it helps someone.

--
Enabling HTTPS and Configuring SSL in Apache 2.4 on Windows 10
Date: April, 2024
--


VERY IMPORTANT:

You should not follow this process for a production environment because
self-signed SSL certificate (that is being generated here) is a security risk.
You should follow this process only for the local development environment.


-
Please follow the steps listed below:
-

Step 1: Stop Apache web server if it is already running.

Step 2: Add "absolute_path_to_apache24_dir\bin" to the system environment
variable "Path". openssl.exe is in this folder.

Step 3: Open the Windows command prompt and change directory to
"absolute_path_to_apache24_dir\conf".

Step 4: On the command prompt, execute the following command:

set OPENSSL_CONF=absolute_path_to_apache24_dir\conf\openssl.cnf

If "absolute_path_to_apache24_dir" contains spaces then enclose the
path in quotes.

Step 5: Check that the OPENSSL_CONF variable is set to correct directory by
executing the following command on the command prompt:

echo %OPENSSL_CONF%

Step 6: On the command prompt, execute the following command
(openssl.exe is in "absolute_path_to_apache24_dir\bin" folder):

openssl genrsa -out cert.key 2048

Step 7: On the command prompt, execute the following command:

openssl req -new -key cert.key -out cert.csr

When you execute this command, you will be asked to give input for
some fields. I had given input for only one field (and for other fields,
I just hit "Enter" key):

Common Name (e.g. server FQDN or YOUR name) []:localhost

Step 8: On the command prompt, execute the following command:

openssl x509 -req -days 3650 -in cert.csr -signkey cert.key -out cert.crt

Step 9: Change a few lines in the
"absolute_path_to_apache24_dir\conf\httpd.conf"
file. I am listing the lines after the changes. I am not listing the
original lines. You can search and change/replace the
original lines.

The changed lines are:

Define SRVROOT "absolute_path_to_apache24_dir"
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
ServerName localhost:80
Include conf/extra/httpd-ssl.conf

Step 10: Change a few lines in the
  "absolute_path_to_apache24_dir\conf\extra\httpd-ssl.conf" file.
  I am listing the lines after the changes. I am not listing the
  original lines. You can search and change/replace the
original lines.

 The changed lines are:

 ServerName localhost:443
 ServerAdmin ad...@localhost.localdomain.com
 SSLCertificateFile "${SRVROOT}/conf/cert.crt"
 SSLCertificateKeyFile "${SRVROOT}/conf/cert.key"

Step 11 (Last Step): Now, you can start Apache web server and test.

 Since the security certificate that was generated here is self-signed,
 the browser may show you a warning that the connection/certificate,
 etc. is not trusted. But since this is your local development
 environment, you can ignore this warning and accept the risk and
 go ahead with the testing/development, etc.

 I do the same (ignore the warning and accept the risk).

 End 

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Stripping query string except from specific URL

2024-04-28 Thread Dave Wreski 



RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=\d+$
RewriteRule (.*)   /$1?    [L,R=301,QSD]

[Sun Apr 28 15:40:02.614893 2024] ... rewrite 'resources/blog' ->
'index.php'
[Sun Apr 28 15:40:02.614921 2024] ... internal redirect with
/index.php [INTERNAL REDIRECT]

If I don't involve the first RewriteCond, it successfully strips
off the start= from every URL I tried.

What does "INTERNAL REDIRECT" mean? Is that something done outside
of apache? Perhaps by joomla? I believe there are other relevant
redirects after these, but it's very difficult to isolate what's
relevant.

The internal redirect is the result of your rewrite rule, without a 
fully qualified URL as a target.


Side note: the "rewrite 'resources/blog' -> 'index.php'" line seems to 
contradict your RewriteCond logic, so increasing the verbosity of the 
logging and looking at the previous lines will help fix that.


I increased it to trace5, and it did reveal more useful info.

[Sun Apr 28 21:55:36.542349 2024] ...  RewriteCond: 
input='/resources/blog' pattern='!/resources/blog' => not-matched


It looks like after this it just moved on to the next rewriterule, not 
the next rewritecond as part of this block, of sorts. I was assuming it 
was more of an AND statement, like "if URI is NOT /resources/blog AND 
query string contains start=..., then apply the following rewrite rule, 
but that's apparently not how it works.


I only want the rewrite rule above to apply to URLs that don't involve 
our blog.


And because the first RewriteCond isn't matched, it doesn't check the 
second RewriteCond, and therefore treats the RewriteRule as a standalone 
and not part of the previous RewriteRule, so then just redirects to the 
root, apparently still with the start= query string attached.


How do I write the logic such that it applies to every URL EXCEPT those 
I specify?

Re: [users@httpd] Stripping query string except from specific URL

2024-04-28 Thread Frank Gingras 
On Sun, Apr 28, 2024 at 4:05 PM Dave Wreski
 wrote:

> Hi,
>
> I'm really quite stuck and hoped you could help.
>
> My apologies - the output was from wget, as that's what I typically use.
>>
>> $ curl 'https://guardiandigital.com/resources/blog?start=48'
>> 
>> 
>> 301 Moved Permanently
>> 
>> Moved Permanently
>> The document has moved https://guardiandigital.com/index.php;
>> >here.
>> 
>>
>>
>>
> The next step is to find out where the 301 is coming from - your rules
> will generate a 302.
>
> That may have been the result of me trying many different things and
> getting a bit confused (again). Here's what I know - when I insert the
> following code into my virtual host config, it strips the query string off
> the pages that don't involve /resources/blog, but redirects to a 404 when
> attempting to access a page involving "/resources/blog" and the "?start="
> query string.
>
> RewriteCond %{REQUEST_URI} !/resources/blog
> RewriteCond %{QUERY_STRING} ^start=\d+$
> RewriteRule (.*)   /$1?[L,R=301,QSD]
>
> [Sun Apr 28 15:40:02.614893 2024] ... rewrite 'resources/blog' ->
> 'index.php'
> [Sun Apr 28 15:40:02.614921 2024] ... internal redirect with /index.php
> [INTERNAL REDIRECT]
>
> If I don't involve the first RewriteCond, it successfully strips off the
> start= from every URL I tried.
>
> What does "INTERNAL REDIRECT" mean? Is that something done outside of
> apache? Perhaps by joomla? I believe there are other relevant redirects
> after these, but it's very difficult to isolate what's relevant.
>
>
>
The internal redirect is the result of your rewrite rule, without a fully
qualified URL as a target.

Side note: the "rewrite 'resources/blog' -> 'index.php'" line seems to
contradict your RewriteCond logic, so increasing the verbosity of the
logging and looking at the previous lines will help fix that.

Re: [users@httpd] Stripping query string except from specific URL

2024-04-28 Thread Dave Wreski 

Hi,

I'm really quite stuck and hoped you could help.


My apologies - the output was from wget, as that's what I
typically use.

$ curl 'https://guardiandigital.com/resources/blog?start=48'


301 Moved Permanently

Moved Permanently
The document has moved https://guardiandigital.com/index.php;
>here.




The next step is to find out where the 301 is coming from - your rules 
will generate a 302.


That may have been the result of me trying many different things and 
getting a bit confused (again). Here's what I know - when I insert the 
following code into my virtual host config, it strips the query string 
off the pages that don't involve /resources/blog, but redirects to a 404 
when attempting to access a page involving "/resources/blog" and the 
"?start=" query string.


RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=\d+$
RewriteRule (.*)   /$1?    [L,R=301,QSD]

[Sun Apr 28 15:40:02.614893 2024] ... rewrite 'resources/blog' -> 
'index.php'
[Sun Apr 28 15:40:02.614921 2024] ... internal redirect with /index.php 
[INTERNAL REDIRECT]


If I don't involve the first RewriteCond, it successfully strips off the 
start= from every URL I tried.


What does "INTERNAL REDIRECT" mean? Is that something done outside of 
apache? Perhaps by joomla? I believe there are other relevant redirects 
after these, but it's very difficult to isolate what's relevant.

Re: [users@httpd] Flexible Worker Configuration for Dynamic Shared Object (DSO) Deployment

2024-04-27 Thread Daniel Ferradal Márquez 

On 18/04/2024 16:50, Sarkar Tarun Kumar (ETAS-SEC/XPC-Bo1) wrote:

Hello,
...

My requirement is treating one of the services, specifically Service4, 
differently.


Apache should only spawn a single instance of Service4 and refrain from 
terminating the process until Apache server restarts.


Meanwhile, the remaining three services should continue behaving as 
before, initially spawning five instances and adjusting based on load.


My question is whether it is feasible to achieve this mixed treatment 
within a single Apache server through configuration changes.

>...

Only achievable with two different service instances, as in an Apache Farm.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache error logs of module "proxy_ajp" is not converting to JSON format

2024-04-24 Thread Priyanshi Shah 
Hi,

We have defined this pattern in httpd.conf file globally. And all other
access logs and error logs are converting properly with the defined format.
Only below log is not converting to JSON

*[Tue Apr 16 06:06:20.902697 2024] [proxy_ajp:error] [pid 11056:tid 38644]
(OS 10054)An existing connection was forcibly closed by the remote host. :
AH01030: ajp_ilink_receive() can't receive header*

Thanks,
Priyanshi Pancholi

On Sun, Apr 21, 2024 at 5:42 PM Eric Covener  wrote:

> On Sun, Apr 21, 2024 at 7:57 AM Priyanshi Shah
>  wrote:
> >
> > Hi,
> >
> > We have converted our Apache error logs to JSON format by defining the
> format in httpd.conf file
> >
> > ErrorLogFormat "{"timestamp":"%{u}t", "ApacheModule": "%m",
> "level":"%l", "ApacheProcessId": "%P", "ApacheThreadId": "%T",
> "ApacheSourceFile":"%7F", "ErrorKind":"%E", "ClientIp":"%a", "ErrorMessage"
> : "%M"}"
>
> Is it defined globally or in a virtual host?
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

-- 
Thanks,
Priyanshi Shah

Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Frank Gingras 
On Wed, Apr 24, 2024 at 7:05 PM Dave Wreski
 wrote:

>
> 13 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET /index.php
>> HTTP/1.1" 200 33921 r:"-" "Wget/1.21.4" X:"SAMEORIGIN" 0/129431
>> 573/35481/33921 H:HTTP/1.1 U:/index.php gd443 s:200
>>
>
> It did exactly what you asked, yes.
>
> Further, I asked you to use curl to see if you get redirected from
> https://guardiandigital.com/index.php to another URL, but you seem to
> have ignored that part of the answer.
>
> My apologies - the output was from wget, as that's what I typically use.
>
> $ curl 'https://guardiandigital.com/resources/blog?start=48'
> 
> 
> 301 Moved Permanently
> 
> Moved Permanently
> The document has moved https://guardiandigital.com/index.php;
> >here.
> 
>
>
>
The next step is to find out where the 301 is coming from - your rules will
generate a 302.

Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Dave Wreski 



13 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET /index.php
HTTP/1.1" 200 33921 r:"-" "Wget/1.21.4" X:"SAMEORIGIN" 0/129431
573/35481/33921 H:HTTP/1.1 U:/index.php gd443 s:200


It did exactly what you asked, yes.

Further, I asked you to use curl to see if you get redirected from 
https://guardiandigital.com/index.php to another URL, but you seem to 
have ignored that part of the answer.


My apologies - the output was from wget, as that's what I typically use.

$ curl 'https://guardiandigital.com/resources/blog?start=48'


301 Moved Permanently

Moved Permanently
The document has moved href="https://guardiandigital.com/index.php;>here.

Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Frank Gingras 
On Wed, Apr 24, 2024 at 4:58 PM Dave Wreski
 wrote:

> Hi,
>
> We have a situation where we need to strip a query string from all URLs
>>> except ones matching a particular pattern. However, when I try the rules
>>> below, it redirects to the homepage for some reason.
>>>
>>> In this example, I'd like to strip off the query string from all URLs
>>> except those involving /resources/blog:
>>>
>>> RewriteCond %{REQUEST_URI} !/resources/blog
>>> RewriteCond %{QUERY_STRING} ^start=
>>> RewriteRule (.*)   https://guardiandigital.com$1[L,QSD]
>>>
>>> What am I missing?
>>>
>>> Thanks,
>>> Dave
>>>
>>>
>>>
>> To remove the query string, see the QSD flag, or append a ? at the end of
>> the target.
>>
>> That's what I'm doing, I think. What am I missing? It just redirects to
>> the homepage somehow.
>>
>> Shouldn't I be able to stack RewriteConds in this way, followed by a
>> RewriteRule?
>>
>> I have no idea what could be wrong.
>>
>
> Test with curl, and see if you get redirected after the fact.
>
> I've enabled trace3 to try and figure this out. But line 8 says
> "discarding query string, no parse from substitution" and I don't know why
> or what really that means.
>
> 1 [Wed Apr 24 15:19:36.440500 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> init rewrite engine with requested uri /resources/blog
>
> 2 [Wed Apr 24 15:19:36.445306 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> pass through /resources/blog
>
> 3 [Wed Apr 24 15:19:36.449369 2024] [rewrite:trace3] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> [perdir /home/docroot/] applying pattern '.*' to uri 'resources/blog'
>
> 4 [Wed Apr 24 15:19:36.449413 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> [perdir /home/docroot/] rewrite 'resources/blog' -> 'index.php'
>
> 5 [Wed Apr 24 15:19:36.449453 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> [perdir /home/docroot/] internal redirect with /index.php [INTERNAL
> REDIRECT]
>
> 6 [Wed Apr 24 15:19:36.449830 2024] [rewrite:trace3] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> applying pattern '(.*)' to uri '/index.php'
>
> 7 [Wed Apr 24 15:19:36.449848 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> rewrite '/index.php' -> 'https://guardiandigital.com/index.php'
>
> 8 [Wed Apr 24 15:19:36.449857 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> discarding query string, no parse from substitution
>
> 9 [Wed Apr 24 15:19:36.449864 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> explicitly forcing redirect with https://guardiandigital.com/index.php
>
> 10 [Wed Apr 24 15:19:36.449871 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> escaping https://guardiandigital.com/index.php for redirect
>
> 11 [Wed Apr 24 15:19:36.449880 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
>

Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Dave Wreski 

Hi,


We have a situation where we need to strip a query string
from all URLs except ones matching a particular pattern.
However, when I try the rules below, it redirects to the
homepage for some reason.

In this example, I'd like to strip off the query string from
all URLs except those involving /resources/blog:

RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=
RewriteRule (.*) https://guardiandigital.com$1 [L,QSD]

What am I missing?

Thanks,
Dave



To remove the query string, see the QSD flag, or append a ? at
the end of the target.


That's what I'm doing, I think. What am I missing? It just
redirects to the homepage somehow.

Shouldn't I be able to stack RewriteConds in this way, followed by
a RewriteRule?

I have no idea what could be wrong.


Test with curl, and see if you get redirected after the fact.


I've enabled trace3 to try and figure this out. But line 8 says 
"discarding query string, no parse from substitution" and I don't know 
why or what really that means.


1 [Wed Apr 24 15:19:36.440500 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] init 
rewrite engine with requested uri /resources/blog


2 [Wed Apr 24 15:19:36.445306 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] pass 
through /resources/blog


3 [Wed Apr 24 15:19:36.449369 2024] [rewrite:trace3] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir 
/home/docroot/] applying pattern '.*' to uri 'resources/blog'


4 [Wed Apr 24 15:19:36.449413 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir 
/home/docroot/] rewrite 'resources/blog' -> 'index.php'


5 [Wed Apr 24 15:19:36.449453 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir 
/home/docroot/] internal redirect with /index.php [INTERNAL REDIRECT]


6 [Wed Apr 24 15:19:36.449830 2024] [rewrite:trace3] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
applying pattern '(.*)' to uri '/index.php'


7 [Wed Apr 24 15:19:36.449848 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
rewrite '/index.php' -> 'https://guardiandigital.com/index.php'


8 [Wed Apr 24 15:19:36.449857 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
discarding query string, no parse from substitution


9 [Wed Apr 24 15:19:36.449864 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
explicitly forcing redirect with https://guardiandigital.com/index.php


10 [Wed Apr 24 15:19:36.449871 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
escaping https://guardiandigital.com/index.php for redirect


11 [Wed Apr 24 15:19:36.449880 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
redirect to https://guardiandigital.com/index.php [REDIRECT/301]


12 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET 
/resources/blog?start=48 HTTP/1.1" 301 245 r:"-" "Wget/1.21.4" 
X:"SAMEORIGIN" 0/9647 1183/6254/245 H:HTTP/1.1 U:/resources/blog gd443 s:301


... more checks against our rewrites ...

13 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET /index.php 
HTTP/1.1" 200 33921 r:"-" "Wget/1.21.4" X:"SAMEORIGIN" 0/129431 
573/35481/33921 H:HTTP/1.1 U:/index.php gd443 s:200

Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Frank Gingras 
On Wed, Apr 24, 2024 at 12:43 PM Dave Wreski
 wrote:

> Hi,
>
> We have a situation where we need to strip a query string from all URLs
>> except ones matching a particular pattern. However, when I try the rules
>> below, it redirects to the homepage for some reason.
>>
>> In this example, I'd like to strip off the query string from all URLs
>> except those involving /resources/blog:
>>
>> RewriteCond %{REQUEST_URI} !/resources/blog
>> RewriteCond %{QUERY_STRING} ^start=
>> RewriteRule (.*)   https://guardiandigital.com$1[L,QSD]
>>
>> What am I missing?
>>
>> Thanks,
>> Dave
>>
>>
>>
> To remove the query string, see the QSD flag, or append a ? at the end of
> the target.
>
> That's what I'm doing, I think. What am I missing? It just redirects to
> the homepage somehow.
>
> Shouldn't I be able to stack RewriteConds in this way, followed by a
> RewriteRule?
>
> I have no idea what could be wrong.
>
>
>
Test with curl, and see if you get redirected after the fact.

Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Dave Wreski 

Hi,


We have a situation where we need to strip a query string from all
URLs except ones matching a particular pattern. However, when I
try the rules below, it redirects to the homepage for some reason.

In this example, I'd like to strip off the query string from all
URLs except those involving /resources/blog:

RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=
RewriteRule (.*) https://guardiandigital.com$1 [L,QSD]

What am I missing?

Thanks,
Dave



To remove the query string, see the QSD flag, or append a ? at the end 
of the target.


That's what I'm doing, I think. What am I missing? It just redirects to 
the homepage somehow.


Shouldn't I be able to stack RewriteConds in this way, followed by a 
RewriteRule?


I have no idea what could be wrong.

Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

2024-04-23 Thread Yann Ylavic 
On Mon, Apr 22, 2024 at 3:51 PM Daiya, Devendra singh
 wrote:
>
> SSLVerifyCLient require
> SSLVerifyDepth 10

These directives apply to the client/browser connection, so you are
effectively enabling mtls on the client side too, hence the error
messages ("AH02008: SSL library error 1 in handshake (server
hostname:port)" and "SSL Library Error: error:1417C0C7:SSL
routines:tls_process_client_certificate:peer did not return a
certificate") if the client isn't providing a certificate.

You should probably remove them if you only want mtls with the backend server.


Regards;
Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

2024-04-22 Thread Daiya, Devendra singh 
Hi Frank,

My vhost looks as below. Anything incorrect set? I do have proxy.conf file but 
nothing related to SSL set in there. I will test apachectl -S and share you the 
result.



SSLEngine on
ProxyRequests Off
RewriteEngine on
SSLProxyEngine on
SSLProxyVerify on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLVerifyCLient require
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLOptions +ExportCertData
SSLProxyMachineCertificateFile "/path/to/certs/Appcert.pem"
SSLProxyCACertificateFile "/path/to/certs/trustedca.pem"
SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLCertificateChainFile "/path/to/hostname.crt"
SSLCACertificateFile "/path/to/trustedca.pem"


SSLProtocol -All +TLSv1.2 +TLSv1.1


SSLOptions +StdEnvVars


BrowserMatch "MSIE [2-5]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0



Regards,
Devendra


From: Frank Gingras 
Sent: Thursday, April 18, 2024 7:19 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

On Thu, Apr 18, 2024 at 3: 22 AM Daiya, Devendra singh  wrote: Hi Team, Need help in setting up MTLS between 
Apache HTTP server and Weblogic server (App Server). I have gone through few 
links but



On Thu, Apr 18, 2024 at 3:22 AM Daiya, Devendra singh 
mailto:devendra.s.da...@wellsfargo.com.invalid>>
 wrote:
Hi Team,

Need help in setting up MTLS between Apache HTTP server and Weblogic server 
(App Server).

I have gone through few links but those are not working. Post following 
suggested steps I was able to start Apache HTTP server but Application is not 
working. Getting below messages in the Error while accessing the application.

Could anyone please look at it and share some suggestion on how we should setup 
MTLS b/w Web and App server. Please let me know if any additional info needed.

Error message: -

"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : },
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }
"message" : "AH01998: Connection closed to child 138 with abortive shutdown 
(server hostname:port , "referer" : }
"message" : "AH01964: Connection to child 24 established (server 
hostname:port)" , "referer" : }
"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : }
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }

SSL.conf file has below directives set.


SSLEngine on

ProxyRequests Off

RewriteEngine on

SSLProxyEngine on

SSLProxyVerify on

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

SSLProxyCheckPeerExpire off

SSLVerifyCLient require

SSLVerifyDepth 10

SSLProxyVerifyDepth 10



SSLOptions +ExportCertData



SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"

SSLProxyCACertificateFile "/apps/certs/trustedca.pem"



SSLCertificateFile "/path/to/hostname.crt"

SSLCertificateKeyFile "/path/to/hostname.key"

SSLCertificateChainFile "/path/to/hostname.crt"

SSLCACertificateFile "/path/to/trustedca.pem"


Thanks.

Regards,
Devendra

Rough guess:

 
http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost

Otherwise, we would need to see the full vhost.

Might be worth running apachectl -S to make sure you don't have misconfigured / 
overlapping vhosts, as well.

Re: [users@httpd] No more message

2024-04-21 Thread Gillis J. de Nijs 
To unsubscribe, please follow the steps outlined here:
https://httpd.apache.org/userslist.html

On Sun, Apr 21, 2024 at 9:44 PM Dalibor Medvedović <
dalibor.medvedo...@gmail.com> wrote:

> I'm out of discussion
>

[users@httpd] No more message

2024-04-21 Thread Dalibor Medvedović 
I'm out of discussion

[users@httpd] No more message

2024-04-21 Thread Dalibor Medvedović 
Thx.

Re: [users@httpd] Apache error logs of module "proxy_ajp" is not converting to JSON format

2024-04-21 Thread Eric Covener 
On Sun, Apr 21, 2024 at 7:57 AM Priyanshi Shah
 wrote:
>
> Hi,
>
> We have converted our Apache error logs to JSON format by defining the format 
> in httpd.conf file
>
> ErrorLogFormat "{"timestamp":"%{u}t", "ApacheModule": "%m", "level":"%l", 
> "ApacheProcessId": "%P", "ApacheThreadId": "%T", "ApacheSourceFile":"%7F", 
> "ErrorKind":"%E", "ClientIp":"%a", "ErrorMessage" : "%M"}"

Is it defined globally or in a virtual host?

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Apache error logs of module "proxy_ajp" is not converting to JSON format

2024-04-21 Thread Priyanshi Shah 
Hi,

We have converted our Apache error logs to JSON format by defining the
format in httpd.conf file

ErrorLogFormat "{"timestamp":"%{u}t", "ApacheModule": "%m", "level":"%l",
"ApacheProcessId": "%P", "ApacheThreadId": "%T", "ApacheSourceFile":"%7F",
"ErrorKind":"%E", "ClientIp":"%a", "ErrorMessage" : "%M"}"

After defining above format all the logs are printed in JSON format despite
one proxy_ajp module error

*[Tue Apr 16 06:06:20.902697 2024] [proxy_ajp:error] [pid 11056:tid 38644]
(OS 10054)An existing connection was forcibly closed by the remote host. :
AH01030: ajp_ilink_receive() can't receive header*

Other logs of the proxy_ajp module are also successfully converted to JSON.

We have changed the format and just kept *ErrorLogFormat %M* . still above
mentioned log is not converting to any format

I believe this particular log has no effect of *ErrorLogFormat* defined in
httpd.conf file

Please help me to convert this log to JSON

Re: [users@httpd] Stripping query string except from specific URL

2024-04-19 Thread Frank Gingras 
On Fri, Apr 19, 2024 at 11:16 AM Dave Wreski
 wrote:

> Hi,
>
> We have a situation where we need to strip a query string from all URLs
> except ones matching a particular pattern. However, when I try the rules
> below, it redirects to the homepage for some reason.
>
> In this example, I'd like to strip off the query string from all URLs
> except those involving /resources/blog:
>
> RewriteCond %{REQUEST_URI} !/resources/blog
> RewriteCond %{QUERY_STRING} ^start=
> RewriteRule (.*)   https://guardiandigital.com$1[L,QSD]
>
> What am I missing?
>
> Thanks,
> Dave
>
>
>
To remove the query string, see the QSD flag, or append a ? at the end of
the target.

[users@httpd] Stripping query string except from specific URL

2024-04-19 Thread Dave Wreski 

Hi,

We have a situation where we need to strip a query string from all URLs 
except ones matching a particular pattern. However, when I try the rules 
below, it redirects to the homepage for some reason.


In this example, I'd like to strip off the query string from all URLs 
except those involving /resources/blog:


RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=
RewriteRule (.*) https://guardiandigital.com$1    [L,QSD]

What am I missing?

Thanks,
Dave

[users@httpd] Flexible Worker Configuration for Dynamic Shared Object (DSO) Deployment

2024-04-18 Thread Sarkar Tarun Kumar (ETAS-SEC/XPC-Bo1) 
Hello,

I require a specific configuration for managing my Dynamic Shared Object (DSO) 
module within Apache.
Currently, I have multiple services deployed on a RHEL7 Apache server, e.g. 
Service1, Service2, Service3, and Service4.
Each service is implemented as a separate .so file: libService1.so, 
libService2.so, libService3.so, and libService4.so.
Among these, Service1 and Service2 offer SOAP interfaces, while Service3 and 
Service4 offer REST interfaces.

At present, Apache treats all services uniformly, spawning five worker 
processes initially.
Consequently, all four services also have five instances running concurrently, 
with Apache dynamically adjusting worker processes based on system load.

My requirement is treating one of the services, specifically Service4, 
differently.
Apache should only spawn a single instance of Service4 and refrain from 
terminating the process until Apache server restarts.
Meanwhile, the remaining three services should continue behaving as before, 
initially spawning five instances and adjusting based on load.

My question is whether it is feasible to achieve this mixed treatment within a 
single Apache server through configuration changes.
If not, what alternative options exist within the Apache framework?
One potential solution could running two Apache server instances, one for the 
first three services and another dedicated to the fourth service.

I would appreciate any suggestions on how to fulfill this functionality.

Mit freundlichen Grüßen / Best regards

Tarun Kumar Sarkar
ETAS-SEC/XPC-Bo1

Tel. +49 234 43870-308 | Mobile +49 172 6994124
​

Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

2024-04-18 Thread Frank Gingras 
On Thu, Apr 18, 2024 at 3:22 AM Daiya, Devendra singh
 wrote:

> Hi Team,
>
>
>
> Need help in setting up MTLS between Apache HTTP server and Weblogic
> server (App Server).
>
>
>
> I have gone through few links but those are not working. Post following
> suggested steps I was able to start Apache HTTP server but Application is
> not working. Getting below messages in the Error while accessing the
> application.
>
>
>
> *Could anyone please look at it and share some suggestion on how we should
> setup MTLS b/w Web and App server. Please let me know if any additional
> info needed.*
>
>
>
> *Error message: -*
>
>
>
> "message" : "AH02645: Server name not provided via TLS extension (using
> default/first virtual host)" , "referer" : },
>
> "message" : "AH02008: SSL library error 1 in handshake (server
> hostname:port)" , "referer" : }
>
> "message" : "SSL Library Error: error:1417C0C7:SSL
> routines:tls_process_client_certificate:peer did not return a certificate
> -- No CAs known to server for verification?" , "referer" : }
>
> "message" : "AH01998: Connection closed to child 138 with abortive
> shutdown (server hostname:port , "referer" : }
>
> "message" : "AH01964: Connection to child 24 established (server
> hostname:port)" , "referer" : }
>
> "message" : "AH02645: Server name not provided via TLS extension (using
> default/first virtual host)" , "referer" : }
>
> "message" : "AH02008: SSL library error 1 in handshake (server
> hostname:port)" , "referer" : }
>
> "message" : "SSL Library Error: error:1417C0C7:SSL
> routines:tls_process_client_certificate:peer did not return a certificate
> -- No CAs known to server for verification?" , "referer" : }
>
>
>
> *SSL.conf file has below directives set.*
>
>
>
> SSLEngine on
>
> ProxyRequests Off
>
> RewriteEngine on
>
> SSLProxyEngine on
>
> SSLProxyVerify on
>
> SSLProxyCheckPeerCN off
>
> SSLProxyCheckPeerName off
>
> SSLProxyCheckPeerExpire off
>
> SSLVerifyCLient require
>
> SSLVerifyDepth 10
>
> SSLProxyVerifyDepth 10
>
>
>
> SSLOptions +ExportCertData
>
>
>
> SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"
>
> SSLProxyCACertificateFile "/apps/certs/trustedca.pem"
>
>
>
> SSLCertificateFile "/path/to/hostname.crt"
>
> SSLCertificateKeyFile "/path/to/hostname.key"
>
> SSLCertificateChainFile "/path/to/hostname.crt"
>
> SSLCACertificateFile "/path/to/trustedca.pem"
>
>
>
>
>
> Thanks.
>
>
>
> *Regards,*
>
> *Devendra*
>

Rough guess:

 http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost

Otherwise, we would need to see the full vhost.

Might be worth running apachectl -S to make sure you don't have
misconfigured / overlapping vhosts, as well.

[users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

2024-04-18 Thread Daiya, Devendra singh 
Hi Team,

Need help in setting up MTLS between Apache HTTP server and Weblogic server 
(App Server).

I have gone through few links but those are not working. Post following 
suggested steps I was able to start Apache HTTP server but Application is not 
working. Getting below messages in the Error while accessing the application.

Could anyone please look at it and share some suggestion on how we should setup 
MTLS b/w Web and App server. Please let me know if any additional info needed.

Error message: -

"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : },
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }
"message" : "AH01998: Connection closed to child 138 with abortive shutdown 
(server hostname:port , "referer" : }
"message" : "AH01964: Connection to child 24 established (server 
hostname:port)" , "referer" : }
"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : }
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }

SSL.conf file has below directives set.


SSLEngine on

ProxyRequests Off

RewriteEngine on

SSLProxyEngine on

SSLProxyVerify on

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

SSLProxyCheckPeerExpire off

SSLVerifyCLient require

SSLVerifyDepth 10

SSLProxyVerifyDepth 10



SSLOptions +ExportCertData



SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"

SSLProxyCACertificateFile "/apps/certs/trustedca.pem"



SSLCertificateFile "/path/to/hostname.crt"

SSLCertificateKeyFile "/path/to/hostname.key"

SSLCertificateChainFile "/path/to/hostname.crt"

SSLCACertificateFile "/path/to/trustedca.pem"


Thanks.

Regards,
Devendra

Re: [users@httpd] better configtest

2024-04-17 Thread Eric Covener 
> What is the point of not starting httpd if there is an issue with a single 
> virtual host?

This gives the best feedback to the user that the config couldn't be honored.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] better configtest

2024-04-17 Thread Marc 
> >
> > 1.
> > what is the point of having a apachectl configtest, when a restart can
> still fail? It can't be to difficult to include cert checks here, can it?
> This is now becoming a significant part.
> 
> The bar is useful, not perfect.  configtest checks for _syntax_ validity.
> 
> > 2.
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> >
> > This is useless, why not list config line or cert name?
> 
> This error means post-configuration failed. This is when the collected
> config is acted upon, which is not really within line-by-line mode.
> Normally there's a preceding error message with more details, maybe in
> a vhost-specific error log?

Maybe, I would have to look through quite a lot. 

Can't the development team re-think about this? What is the point of not 
starting httpd if there is an issue with a single virtual host? Why not have 
that specific virtual host fail only? I would like to have this config syntax 
check expanded to cert content or some other way of validating that I can test 
if I can restart httpd safely.






-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread General Email 
On Wed, Apr 17, 2024, 3:27 PM General Email <
general.email.12341...@gmail.com> wrote:

>
>
>> > If people are asking for advice on PHP then advise them on PHP or don't
>> say anything.
>> > Don't start advising them about Java.
>>
>> Please... I am not even making remarks about you asking openssl questions
>> at httpd.
>>
>
>
> So, is this wrong forum for asking about openssl commands required for
> generating certificates for enabling https on apache?
>
> I can easily look at openssl website or other websites and look how to
> create self signed certificates. However, I was not sure if that would work
> on apache. That's why I asked here.
>
> Most of the websites showed how to generate .pem certificates, but after
> reading about ssl/https on apache website, I saw that apache requires .crt
> certificates.
>
> Obviously, I can figure out this whole thing if I read whole openssl
> manual and apache ssl configs, etc. but I don't want to invest time in that
> and I was looking for a quick solution and that's why I posted here.
>
>
>
>> I think most people will understand that I try to make you see the
>> difference between developing an application and how it is hosted/used what
>> ever, operate within your area of expertise.
>>
>
> I know this and I told you that I want to hard code https. Now, please
> tell me how can my idea go wrong?
>
> Please don't tell me how other people's unrelated ideas went wrong.
>
> Let's have a meaningful discussion.
>
> I don't work for any company.
>
> I do freelancing. I am doing this project for a real estate client. So,
> its only me who will do everything and decide everything - development,
> testing, maintenance hosting, hard coding, migration, https, ssl, etc.
>
> I would really like to know how my idea of hardcoding https can go wrong?
>

Anyways, I looked more on google and I think that I have found what I was
looking for on this page:
https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc 

> 
>   So, is this wrong forum for asking about openssl commands required
> for generating certificates for enabling https on apache?
>

Mostly you will be notified. The only thing you need to add to your virtual 
host for https is this:

SSLEngine on
SSLCertificateFile 
SSLCertificateChainFile 
SSLCertificateKeyFile 

It really does not matter how keys / crts have been generated. Just choose 
something that is quick and easy. 

> 
>   Most of the websites showed how to generate .pem certificates, but
> after reading about ssl/https on apache website, I saw that apache
> requires .crt certificates.

pem, crt, cer check if they start like this

-BEGIN CERTIFICATE-

check apache log file for start up errors.

>   Obviously, I can figure out this whole thing if I read whole
> openssl manual and apache ssl configs, etc. but I don't want to invest
> time in that and I was looking for a quick solution and that's why I
> posted here.
> 

Just choose a tool that can quickly generate key and crt. Does not matter which 
tool. Someone send you already reply to something.


>   I would really like to know how my idea of hardcoding https can go
> wrong?
> 

It can be anything, it is just unexpected application behaviour to someone who 
might work with it in the future. Maybe internal health check url? Cron? 
Debugging? Personally I find it sometimes annoying with testing container 
images. In my own development environment I am constantly switching between 
development and production certs.

I would always opt for having this at least configured as an option.

> 
> Anyways, I looked more on google and I think that I have found what I was
> looking for on this page:
> https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a
> 

Forget about going specific for openssl, it is just a tool. Choose the simplest 
solution for your development environment. If you are doing hosting yourself. 
Your going to end up with automated certs on your hosting environment any way, 
you will never see an openssl command.

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc 
> I don't know what you are trying to prove by your points + you are
> insulting people for no reason.

I am insulting no one, mostly stating what is common.


> If you insult people, they may insult you back.
> 
> Russia attacked Ukraine and Ukraine/NATO hit Russia back.

I think you are the only one on this planet that would dare to summarize this 
conflict like this. But it proves my point, stick just to what you know, with 
development.


> The original discussion was about openssl commands and I think that since
> you don't know openssl commands, you should not have said anything.
> 

You wrote it was for a local development environment. I just thought why bother 
with the openssl? Obviously I should not have made assumptions. You could also 
be cryptographer working on mod_ssl.


> Let other people do what they want to do. If they want to hardcode
> something, why are you bothered.

I am just pointing out there multiple roads that lead to Rome. Some of which 
are known to be less troublesome than others. If you get stuck on some dirt 
track to Rome, others will be required to come and help.


> I will hard code https, its my choice. It has nothing to do with you.
> 

Obviously, I am just stating it is not really what most experienced 
professionals do. 


> Now, you are saying to hard code root name servers, etc. which doesn't
> make sense.

Because you do not know about it. That is the point I am trying to make. Just 
separate it from application development.


> You are taking this discussion in all sorts of directions and I don't
> know what you want to prove.

Really? I thought I made my point numerous times.


> If people are asking for advice on PHP then advise them on PHP or don't say 
> anything.
> Don't start advising them about Java.

Please... I am not even making remarks about you asking openssl questions at 
httpd.


> 
> By the way, if you insult me, I will insult you back.
> 

I think most people will understand that I try to make you see the difference 
between developing an application and how it is hosted/used what ever, operate 
within your area of expertise.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread General Email 
>
> > If people are asking for advice on PHP then advise them on PHP or don't
> say anything.
> > Don't start advising them about Java.
>
> Please... I am not even making remarks about you asking openssl questions
> at httpd.
>


So, is this wrong forum for asking about openssl commands required for
generating certificates for enabling https on apache?

I can easily look at openssl website or other websites and look how to
create self signed certificates. However, I was not sure if that would work
on apache. That's why I asked here.

Most of the websites showed how to generate .pem certificates, but after
reading about ssl/https on apache website, I saw that apache requires .crt
certificates.

Obviously, I can figure out this whole thing if I read whole openssl manual
and apache ssl configs, etc. but I don't want to invest time in that and I
was looking for a quick solution and that's why I posted here.



> I think most people will understand that I try to make you see the
> difference between developing an application and how it is hosted/used what
> ever, operate within your area of expertise.
>

I know this and I told you that I want to hard code https. Now, please tell
me how can my idea go wrong?

Please don't tell me how other people's unrelated ideas went wrong.

Let's have a meaningful discussion.

I don't work for any company.

I do freelancing. I am doing this project for a real estate client. So, its
only me who will do everything and decide everything - development,
testing, maintenance hosting, hard coding, migration, https, ssl, etc.

I would really like to know how my idea of hardcoding https can go wrong?

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread General Email 
On Wed, Apr 17, 2024, 1:17 PM Marc  wrote:

>
> >
> >   http is an insecure protocol. I don't want my website to run on
> > http. So, I am hardcoding https in links in my website that refer to
> > pages in my website.
> >
> >
> >   Now, I know that you will write why not redirect http to https by
> > default.
>
> No because that is not relevant to me and what I would like to address. I
> am even deploying https on tasks in private air-gapped environments. This
> is not a discussion about whether or not https should be used and when.
>
>
> > The problem with this is that if the website gets migrated to
> > different provider and if people forget to redirect http to https in new
> > setup then it will become a security problem.
>
> I know there are many idiots out there and your concern is very valid.
> Most of the security breaches you read about is about such issues.
> However, can you imagine the apache dev team thinking like you? Hard
> coding everything to https? Can you imagine all http ports of tomcat,
> httpd, jboss etc. being dropped? These people have been making rock solid
> applications for decades they don't lecture others how to use or not use
> https.
> You will never match them in any way, why not follow their lead?
>
>
> >   Hardcoding https solves all issues.
> >
>
> A few years back I had an argument with apple developers. They were having
> in the build process of the calendar server openssl. The developers thought
> for security purposes it would be better to include it in the build. This
> resulted in that calenderservers were always having an old insecure
> openssl, because the openssl updated by the distribution was not used. (and
> nobody is going to build the application frequently) This is what happens
> when application developers think they are security geniuses.
>
> The point I am trying to make is that you as an application developer
> should be focussed on developing your application it is not your business
> how this application is hosted. You should not concern yourself with things
> you are not experienced in/with. Especially when it comes to something as
> crucial as security. You are not removing ca certs from the trust store,
> your are not setting secure ciphers, you are not setting limits on key
> sizes etc. Why would you then even bother with https or http?
>
> With your argument you might as well hard code the domain name in your
> application (like wordpress) and hardcode root name servers etc.
> If you buy an egg in the store, it does not come with any requirement that
> it should be used only for making cakes. Grasp this concept.
>


Marc,

I don't know what you are trying to prove by your points + you are
insulting people for no reason.

If you insult people, they may insult you back.

Russia attacked Ukraine and Ukraine/NATO hit Russia back.

The original discussion was about openssl commands and I think that since
you don't know openssl commands, you should not have said anything.

Let other people do what they want to do. If they want to hardcode
something, why are you bothered.

I will hard code https, its my choice. It has nothing to do with you.

Now, you are saying to hard code root name servers, etc. which doesn't make
sense.

You are taking this discussion in all sorts of directions and I don't know
what you want to prove.

If you want to prove that you are a very smart person and other people are
fools then for that you need to play chess with all other people and win
all the games. You can invite wordpress idiots to play chess with you and
then if you win then probably you can tell that person that he/she is an
idiot.

There are many people in this world who are very smart but they don't say
that other people are fools - for example, Steve Wozniak, Larry Page,
Knuth, etc.

If people are asking for advice on PHP then advise them on PHP or don't say
anything. Don't start advising them about Java.

By the way, if you insult me, I will insult you back.

GE

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc 

> 
>   http is an insecure protocol. I don't want my website to run on
> http. So, I am hardcoding https in links in my website that refer to
> pages in my website.
>
>
>   Now, I know that you will write why not redirect http to https by
> default. 

No because that is not relevant to me and what I would like to address. I am 
even deploying https on tasks in private air-gapped environments. This is not a 
discussion about whether or not https should be used and when.


> The problem with this is that if the website gets migrated to
> different provider and if people forget to redirect http to https in new
> setup then it will become a security problem.

I know there are many idiots out there and your concern is very valid. Most of 
the security breaches you read about is about such issues. 
However, can you imagine the apache dev team thinking like you? Hard coding 
everything to https? Can you imagine all http ports of tomcat, httpd, jboss 
etc. being dropped? These people have been making rock solid applications for 
decades they don't lecture others how to use or not use https. 
You will never match them in any way, why not follow their lead?


>   Hardcoding https solves all issues.
> 

A few years back I had an argument with apple developers. They were having in 
the build process of the calendar server openssl. The developers thought for 
security purposes it would be better to include it in the build. This resulted 
in that calenderservers were always having an old insecure openssl, because the 
openssl updated by the distribution was not used. (and nobody is going to build 
the application frequently) This is what happens when application developers 
think they are security geniuses.

The point I am trying to make is that you as an application developer should be 
focussed on developing your application it is not your business how this 
application is hosted. You should not concern yourself with things you are not 
experienced in/with. Especially when it comes to something as crucial as 
security. You are not removing ca certs from the trust store, your are not 
setting secure ciphers, you are not setting limits on key sizes etc. Why would 
you then even bother with https or http?

With your argument you might as well hard code the domain name in your 
application (like wordpress) and hardcode root name servers etc. 
If you buy an egg in the store, it does not come with any requirement that it 
should be used only for making cakes. Grasp this concept.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Yehuda Katz 
I have always had issues with OpenSSL on Windows, so I gave up and started
using xca (https://hohnstaedt.de/xca/). I created a root certificate that I
imported into the Windows trust store and I create new certificates for
each website in my dev environment.

- Y

On Tue, Apr 16, 2024 at 9:26 PM General Email <
general.email.12341...@gmail.com> wrote:

>
> This is also not relevant to what I am stating. If you develop, do it
>> regardless of http/https that is convenient for everyone. It will be to
>> your own benefit. If you have to host the application on your own server,
>> so be it. It will be easier with choosing your https solution. You could
>> already be developing it now, and later you can check how to use openssl.
>> Last thing you want, is an application that forces https or http.
>>
>
>
> http is an insecure protocol. I don't want my website to run on http. So,
> I am hardcoding https in links in my website that refer to pages in my
> website.
>
> Now, I know that you will write why not redirect http to https by default.
> The problem with this is that if the website gets migrated to different
> provider and if people forget to redirect http to https in new setup then
> it will become a security problem.
>
> Hardcoding https solves all issues.
>
>
>

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email 
> This is also not relevant to what I am stating. If you develop, do it
> regardless of http/https that is convenient for everyone. It will be to
> your own benefit. If you have to host the application on your own server,
> so be it. It will be easier with choosing your https solution. You could
> already be developing it now, and later you can check how to use openssl.
> Last thing you want, is an application that forces https or http.
>


http is an insecure protocol. I don't want my website to run on http. So, I
am hardcoding https in links in my website that refer to pages in my
website.

Now, I know that you will write why not redirect http to https by default.
The problem with this is that if the website gets migrated to different
provider and if people forget to redirect http to https in new setup then
it will become a security problem.

Hardcoding https solves all issues.

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
> 
> On Tuesday 16 April 2024 at 18:42:09, Marc wrote:
> 
> > This is more about the ability to host an application regardless if it
> is
> > on http or https. How https is enforced/applied is up to the manager of
> > the server, why would you even care as a developer of an application?
> 
> I often develop applications on servers which I manage.

How is this relevant?

> Please stop trying to enforce your opinion of the demarcation between
> disciplines on other people.
> 
> Not every developer is only a developer.
> 

This is also not relevant to what I am stating. If you develop, do it 
regardless of http/https that is convenient for everyone. It will be to your 
own benefit. If you have to host the application on your own server, so be it. 
It will be easier with choosing your https solution. You could already be 
developing it now, and later you can check how to use openssl. Last thing you 
want, is an application that forces https or http.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Antony Stone 
On Tuesday 16 April 2024 at 18:57:13, Marc wrote:

> 15 years ago people were not writing about gays.
>
> Maybe it takes another 15 years to be allowed to write about idiots.

Don't be silly.

Gay people identify themselves as gay, and talking about them as such is not a 
pejorative term.

If you can find someone who identifies themselves as an idiot, then perhaps 
you're allowed to refer to them as such, but if it's just your own opinion 
that they're an idiot, you're being anti-social and unpleasant.

I think all Frank was trying to say was "please let's keep to the technical 
support of people who are trying to use Apache, and stop throwing insults at 
them, because it's not constructive to the conversation".


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
>   >
>   >   But should your development be not protocol independent? If
> your
>   > code works on http it should also work on https. I am getting
> sick of
>   > these wordpress idiots where they still have hardcoded links
> everywhere
>   > and I can't even convert a website from http to https.
>   >
>   >
>   >
>   > Are you saying that I am a wordpress idiot?
>   >
> 
>   No :) Development/management team of wordpress are idiots. They are
> still advising people incorrectly to upgrade eg while distributions are
> backporting security stuff. A developer should just do developing. A
> dentist is also not telling an ophthalmologist what to do. Why do you
> care if you are using http or https? Unless you are developing something
> specific to the https protocol (eg. sni) forget about it.
> 
> 
> 
> Marc, let's try to be friendly towards users and adopt a more neutral
> tone.  New users have questions, and it's normal. Calling folks "idiots"
> isn't helping here.
> 

And I am trying so hard to be part of the woke movement. 15 years ago people 
were not writing about gays. Maybe it takes another 15 years to be allowed to 
write about idiots. They already are officially mentioned in the dictionary. ;)


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Antony Stone 
On Tuesday 16 April 2024 at 18:42:09, Marc wrote:

> This is more about the ability to host an application regardless if it is
> on http or https. How https is enforced/applied is up to the manager of
> the server, why would you even care as a developer of an application?

I often develop applications on servers which I manage.

Please stop trying to enforce your opinion of the demarcation between 
disciplines on other people.

Not every developer is only a developer.


Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."


   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
> 
> Pardon me- have 443 redirect to 80 of the environment variable is true.
> Alternatively, have a completely different 443 vhost declared for
> development purposes
> 
> On Tue, Apr 16, 2024 at 11:30 AM Will Fatherley   > wrote:
> 
> 
> 
>   But should your development be not protocol independent? If
> your code works on http it should also work on https. I am getting sick
> of these wordpress idiots where they still have hardcoded links
> everywhere and I can't even convert a website from http to https.
> 
> 
>   TLS is not in the application layer as HTTP is, so it’s just a
> complication that has to be managed in development. I don’t know how
> Wordpress works, but there are solutions beyond its configuration.

You are writting it is not application layer and then write it needs to be 
addressed in development?

>   For example, if you just need to verify your HTTP-based application
> functions as desired, but there is commingling of HTTPS and HTTP in
> application HREFs then use the `if` directive with a development-only
> environment variable in your virtual hosts. If the client follows a HTTPS
> link that isn’t going to work for keying material reasons, have the 443
> virtual host redirect to 80 if the development variable in the
> development environment
> 

This is more about the ability to host an application regardless if it is on 
http or https. How https is enforced/applied is up to the manager of the 
server, why would you even care as a developer of an application?

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Will Fatherley 
Pardon me- have 443 redirect to 80 of the environment variable is true.
Alternatively, have a completely different 443 vhost declared for
development purposes

On Tue, Apr 16, 2024 at 11:30 AM Will Fatherley 
wrote:

>
> But should your development be not protocol independent? If your code
>> works on http it should also work on https. I am getting sick of these
>> wordpress idiots where they still have hardcoded links everywhere and I
>> can't even convert a website from http to https.
>>
> TLS is not in the application layer as HTTP is, so it’s just a
> complication that has to be managed in development. I don’t know how
> Wordpress works, but there are solutions beyond its configuration.
>
> For example, if you just need to verify your HTTP-based application
> functions as desired, but there is commingling of HTTPS and HTTP in
> application HREFs then use the `if` directive with a development-only
> environment variable in your virtual hosts. If the client follows a HTTPS
> link that isn’t going to work for keying material reasons, have the 443
> virtual host redirect to 80 if the development variable in the development
> environment
>

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Will Fatherley 
> But should your development be not protocol independent? If your code
> works on http it should also work on https. I am getting sick of these
> wordpress idiots where they still have hardcoded links everywhere and I
> can't even convert a website from http to https.
>
TLS is not in the application layer as HTTP is, so it’s just a complication
that has to be managed in development. I don’t know how Wordpress works,
but there are solutions beyond its configuration.

For example, if you just need to verify your HTTP-based application
functions as desired, but there is commingling of HTTPS and HTTP in
application HREFs then use the `if` directive with a development-only
environment variable in your virtual hosts. If the client follows a HTTPS
link that isn’t going to work for keying material reasons, have the 443
virtual host redirect to 80 if the development variable in the development
environment

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Frank Gingras 
On Tue, Apr 16, 2024 at 11:11 AM Marc  wrote:

> >
> >
> >   But should your development be not protocol independent? If your
> > code works on http it should also work on https. I am getting sick of
> > these wordpress idiots where they still have hardcoded links everywhere
> > and I can't even convert a website from http to https.
> >
> >
> >
> > Are you saying that I am a wordpress idiot?
> >
>
> No :) Development/management team of wordpress are idiots. They are still
> advising people incorrectly to upgrade eg while distributions are
> backporting security stuff. A developer should just do developing. A
> dentist is also not telling an ophthalmologist what to do. Why do you care
> if you are using http or https? Unless you are developing something
> specific to the https protocol (eg. sni) forget about it.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org


Marc, let's try to be friendly towards users and adopt a more neutral
tone.  New users have questions, and it's normal. Calling folks "idiots"
isn't helping here.

Thanks.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Antony Stone 
On Tuesday 16 April 2024 at 16:07:09, Marc wrote:

> A developer should just do developing.

Some people, especially in smaller organisations, have to be multi-skilled.

> A dentist is also not telling an ophthalmologist what to do.

No, but a dentist might have some valuable advice on diet.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
> 
> 
>   But should your development be not protocol independent? If your
> code works on http it should also work on https. I am getting sick of
> these wordpress idiots where they still have hardcoded links everywhere
> and I can't even convert a website from http to https.
> 
> 
> 
> Are you saying that I am a wordpress idiot?
> 

No :) Development/management team of wordpress are idiots. They are still 
advising people incorrectly to upgrade eg while distributions are backporting 
security stuff. A developer should just do developing. A dentist is also not 
telling an ophthalmologist what to do. Why do you care if you are using http or 
https? Unless you are developing something specific to the https protocol (eg. 
sni) forget about it.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email 
>
> Here’s a possible SO question that might help you:
>
> https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl
>

Thanks Will. I will look look into it.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email 
> But should your development be not protocol independent? If your code
> works on http it should also work on https. I am getting sick of these
> wordpress idiots where they still have hardcoded links everywhere and I
> can't even convert a website from http to https.
>

Are you saying that I am a wordpress idiot?

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Will Fatherley 
> Can someone please give me exact openssl command(s) to use.
>

Command parameters can vary, and encryption technology is regulated by
national laws. You should consult with your IT security staff on this
matter if possible.

What you are probably looking for is “how to self-sign my TLS public key”.
Here’s a basic sketch of what this looks like in production:

You as subject have generated for your server a public/private key-pair
already with, eg, openssl. Now you need a certificate authority, ca, to
sign the public key, rendering your public key certificate. This is
achieved by creating a certificate signature request or csr with, eg,
openssl, and giving it to ca. Then ca may render the certificate to you for
you to distribute how you like. These steps can be achieved by you acting
both as subject and ca, by self-signing.

Here’s a possible SO question that might help you:
https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl

>

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
> 
> Windows is my development environment. Later the website will be hosted
> on linux and the linux hosting provider will provide SSL certificate.
> 

But should your development be not protocol independent? If your code works on 
http it should also work on https. I am getting sick of these wordpress idiots 
where they still have hardcoded links everywhere and I can't even convert a 
website from http to https.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email 
> I think you need to search for setting up your own CA and sign certs.


Windows is my development environment. Later the website will be hosted on
linux and the linux hosting provider will provide SSL certificate.

I had looked at
https://stackoverflow.com/questions/4221874/how-do-i-allow-https-for-apache-on-localhost

But it looks like many answers on this page are obsolete now.


I don't think openssl commands are any differnt on windows.


Yeah, they are not. But I don't know what all arguments to give to openssl.

Maybe easier to get an existing cert and use that, and just ignore the
> warning?
> Maybe there are even easier to use tools on windows that do this all for
>

I actually want to use openssl. openssl.exe comes with apache 2.4
distribution.

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
> 
> I was looking for openssl command(s) to generate server side certificate
> and key so that https start working on my apache 2.4 web server on
> windows.
> 
> I looked on Internet but found few commands but they all used different
> arguments to openssl.
> 
> Can someone please give me exact openssl command(s) to use.
> 
> I will appreciate it.

I think you need to search for setting up your own CA and sign certs. I don't 
think openssl commands are any differnt on windows. Maybe easier to get an 
existing cert and use that, and just ignore the warning?
Maybe there are even easier to use tools on windows that do this all for you? 
Microsoft certool?


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email 
Hi,

I was looking for openssl command(s) to generate server side certificate
and key so that https start working on my apache 2.4 web server on windows.

I looked on Internet but found few commands but they all used different
arguments to openssl.

Can someone please give me exact openssl command(s) to use.

I will appreciate it.

Regards,
GE

Re: [users@httpd] better configtest

2024-04-16 Thread Eric Covener 
On Tue, Apr 16, 2024 at 4:42 AM Marc  wrote:
>
>
> With the forced upon us 90 day certificate renewal crap, my httpd was down 
> today although I have a 'restart procedure' that verifies a bit for errors 
> with apachectl configtest.
>
> 1.
> what is the point of having a apachectl configtest, when a restart can still 
> fail? It can't be to difficult to include cert checks here, can it? This is 
> now becoming a significant part.

The bar is useful, not perfect.  configtest checks for _syntax_ validity.

> 2.
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
>
> This is useless, why not list config line or cert name?

This error means post-configuration failed. This is when the collected
config is acted upon, which is not really within line-by-line mode.
Normally there's a preceding error message with more details, maybe in
a vhost-specific error log?

-- 
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] better configtest

2024-04-16 Thread Xavier Belanger 
Hi,

Marc  wrote:

> With the forced upon us 90 day certificate renewal crap, my httpd
> was down today although I have a 'restart procedure' that verifies
> a bit for errors with apachectl configtest.

Regardless of the certificate duration I would recommend to use
some monitoring tool to check on the status of the web service and
get an alert when the certificate is close from its expiration date.

I personally use Monit [1], but there is probably plenty of other
tools that could fullfill the same purpose.

Sincerely,

1: https://mmonit.com/monit/
-- 
Xavier Belanger

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] better configtest

2024-04-16 Thread Marc 

With the forced upon us 90 day certificate renewal crap, my httpd was down 
today although I have a 'restart procedure' that verifies a bit for errors with 
apachectl configtest.

1. 
what is the point of having a apachectl configtest, when a restart can still 
fail? It can't be to difficult to include cert checks here, can it? This is now 
becoming a significant part.

2.
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed

This is useless, why not list config line or cert name?

RE: [users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Marc 
> >
> > [1]
> > https://httpd.apache.org/docs/current/mod/mod_log_config.html
> >
> > [2]
> > https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats
> 
> You could also use
> https://httpd.apache.org/docs/current/mod/mod_lua.html#luahooklog to
> split up your logs or discard/silence certain entries.
> 

Thanks! that is indeed also a nice option. I would not be surprised if I would 
want to manage this a bit more in the near future.

Re: [users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Daniel Gruno 

On 4/10/24 07:22, Marc wrote:


Oops I was mislead by some old posts. GlobalLog[1] does this for everything. 
However I have not found what value[2] has the requested virtual host name.

[1]
https://httpd.apache.org/docs/current/mod/mod_log_config.html

[2]
https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats


You could also use 
https://httpd.apache.org/docs/current/mod/mod_lua.html#luahooklog to 
split up your logs or discard/silence certain entries.






Currently I have modified some rust application that does this to
satisfaction. But piping to a 60MB binary for quite a few virtual hosts
does not really seem efficient to me.
Is there not some apache module that can offer a "global" access to
logging and 'clones' all logging to some tcp socket? (I prefer not to
route first to syslog)




I was wondering how I could use piped logs to redirect some logs,
comparable to curl post requests.

[1]
https://httpd.apache.org/docs/current/logs.html


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Marc 
%v sorry for polluting this list

PS. If it is any consolation, I have registered myself at a retirement home

> -Original Message-
> From: Marc 
> Sent: Wednesday, 10 April 2024 14:22
> To: users@httpd.apache.org
> Subject: [users@httpd] RE: pipe logs to somethings that resembles a curl
> post
> 
> 
> Oops I was mislead by some old posts. GlobalLog[1] does this for
> everything. However I have not found what value[2] has the requested
> virtual host name.
> 
> [1]
> https://httpd.apache.org/docs/current/mod/mod_log_config.html
> 
> [2]
> https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats
> 
> >
> > Currently I have modified some rust application that does this to
> > satisfaction. But piping to a 60MB binary for quite a few virtual hosts
> > does not really seem efficient to me.
> > Is there not some apache module that can offer a "global" access to
> > logging and 'clones' all logging to some tcp socket? (I prefer not to
> > route first to syslog)
> >
> > >
> > >
> > > I was wondering how I could use piped logs to redirect some logs,
> > > comparable to curl post requests.
> > >
> > > [1]
> > > https://httpd.apache.org/docs/current/logs.html
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org

  1   2   3   4   5   6   7   8   9   10   >