Instrumenting HTTPD

2024-02-29 Thread Yehuda Katz
I am working on a research paper related to server configuration. I am
trying to collect some measurements or static analysis comparing the number
of system calls with overrides off vs. on and also with different path
lengths (i.e. what is the actual performance impact of checking .htaccess
files). Before I start from scratch, I was wondering if anyone has done
anything related to this before.

Thanks,
- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.


Re: [GitHub] [httpd-site] rbowen merged pull request #7: Drops link to 1.3 docs, which are gone.

2022-01-23 Thread Yehuda Katz
Since 1.3 isn't supported, it would probably be better to remove the
entries from Wikipedia or point them to the Internet Archive. Happy to do
that.

On Sun, Jan 23, 2022 at 6:24 AM Graham Leggett  wrote:

> On 21 Jan 2022, at 19:48, GitBox  wrote:
>
> > rbowen merged pull request #7:
> > URL: https://github.com/apache/httpd-site/pull/7
>
> Can we put the 1.3 docs back?
>
> Pages like this make extensive reference to them:
> https://en.wikipedia.org/wiki/List_of_Apache_modules
>
> Regards,
> Graham
> —
>
>


Re: APLOGNO number range for vendors?

2020-12-01 Thread Yehuda Katz
Would a crazy option 4 be to add VENDOR_APLOGNO() which could add a prefix
to the log number to be used in any patches?

For example, V_APLOGNO('R', 123) could produce AHR123

This would make it clear that the error comes from a patch from another
distribution.

- Y


Sent from a device with a very small keyboard and hyperactive autocorrect.

On Tue, Dec 1, 2020, 9:33 AM Joe Orton  wrote:

> Very occasionally we backport patches to RHEL's httpd package in a way
> that introduces new or different logging output from 2.4/trunk.  I'm
> wondering if there is any opinion about vendors asking for a small
> (say, 100?) reserved range of APLOGNO() space to use for such cases?
> Basically I'd just commit "next-number += 100" and use that range within
> downstream patches since they are then reserved upstream.
>
> 1) No, we should discourage vendors from such divergence.
>
> 2) Yes, they are just numbers, I don't care.
>
> 3) Yes, but commit to maintaining a public URL with documentation for
> each log message used or something similar.
>
> Thoughts?
>
> Regards, Joe
>
>
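As an added illustration of the vendor-prefix idea above (example code written for this page, not httpd's own source): the APLOGNO() macro is reproduced as httpd defines it in include/http_log.h, V_APLOGNO() is a hypothetical variant that takes a bare token (R) rather than the 'R' character literal written in the message, and parse_aplog_tag() shows how a log consumer could tell vendor-tagged messages apart from upstream ones when searching error logs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* httpd's own tag macro, as defined in include/http_log.h:
 * APLOGNO(02345) expands to the string "AH02345: ". */
#define APLOGNO(n) "AH" #n ": "

/* Hypothetical vendor variant (not part of httpd). The vendor argument is a
 * bare token, so V_APLOGNO(R, 123) expands to "AHR123: ". */
#define V_APLOGNO(vendor, n) "AH" #vendor #n ": "

/* Result of parsing the tag at the front of a log message. */
struct aplog_tag {
    char vendor;   /* prefix letter, or 0 for an upstream tag */
    int number;    /* numeric id, or -1 if the message carries no tag */
};

/* Parse "AH<letter?><digits>: " at the start of msg. Returns 1 if a tag was
 * found and stored in out, 0 otherwise. */
int parse_aplog_tag(const char *msg, struct aplog_tag *out)
{
    const char *p = msg;
    int n = 0;

    out->vendor = 0;
    out->number = -1;
    if (strncmp(p, "AH", 2) != 0)
        return 0;
    p += 2;
    if (isupper((unsigned char)*p))      /* optional vendor letter, e.g. AHR123 */
        out->vendor = *p++;
    if (!isdigit((unsigned char)*p))
        return 0;
    while (isdigit((unsigned char)*p))
        n = n * 10 + (*p++ - '0');
    if (*p != ':')
        return 0;
    out->number = n;
    return 1;
}

/* Convenience wrappers: numeric id (or -1) and vendor letter (or 0). */
int aplog_number(const char *msg)
{
    struct aplog_tag t;
    return parse_aplog_tag(msg, &t) ? t.number : -1;
}

char aplog_vendor(const char *msg)
{
    struct aplog_tag t;
    return parse_aplog_tag(msg, &t) ? t.vendor : 0;
}

int main(void)
{
    /* Constructed sample messages: one upstream, one vendor-tagged, one untagged. */
    const char *lines[] = {
        APLOGNO(02345) "Invalid command 'Xyzzy'",
        V_APLOGNO(R, 123) "message from a downstream patch",
        "[notice] no tag on this line",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char v = aplog_vendor(lines[i]);
        printf("%-48s -> number=%d vendor=%c\n", lines[i],
               aplog_number(lines[i]), v ? v : '-');
    }
    return 0;
}
```

Because the vendor letter sits between "AH" and the digits, an existing search for "AH" followed by a number still finds upstream messages, and a search for "AHR" isolates the downstream ones.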


Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?

2020-08-11 Thread Yehuda Katz
2.4.44 and 2.4.45 were never released. Everything that was in 44 and 45 is
in 46.

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Tue, Aug 11, 2020, 8:46 AM Pavel Lyalyakin wrote:

> Hello,
>
> The version 2.4 vulnerabilities page[1] tells that CVE-2020-9490,
> CVE-2020-11984 and CVE-2020-11993 were fixed in 2.4.44. But the version
> 2.4.46 changelog[2] tells that these vulnerabilities were fixed in version
> 2.4.46.
>
> So were they fixed in 2.4.44 or in 2.4.46?
>
> [1]: https://httpd.apache.org/security/vulnerabilities_24.html
> [2]: https://downloads.apache.org/httpd/CHANGES_2.4.46
>
> --
> With best regards,
> Pavel Lyalyakin
> VisualSVN Team
>


Re: "Forbid" directive in core?

2020-04-27 Thread Yehuda Katz
On Mon, Apr 27, 2020 at 11:37 AM Eric Covener  wrote:

> On Sat, Sep 28, 2013 at 12:21 PM Tim Bannister 
> wrote:
> > The second time in a few days, I'm going to suggest adding an optional
> parameter to a directive.
> >
> > Taking a leaf out of cascading stylesheets, how about “Forbidden On
> Level=Important” and perhaps “Forbidden On Level=Indelible”?
> >
> > (the idea being that the “Indelible” level can't be removed).
> >
> >
> > This lets distributions ship a fairly safe default configuration but
> gives users enough scope to hang themselves. With this, “forbidden OFF”
> isn't so risky and “Forbidden Off Level=Important” can carry a health
> warning (and perhaps an ErrorLog warning as well).
> >
> >
> > Too complex or worth having? What do people think? If there's appetite
> for it then I will have  a go at providing a patch.
>
> What do currently active people think of the original basic "Forbid"
> or the one with tags/levels?
>

Most CSS experts will tell you that "!important" is bad and if you are
using it, you didn't design your site properly. As someone who does a lot
of config support, I also think this is overly complicated.

- Y


Re: Use of [skip ci] in commit messages to avoid Travis builds

2020-02-09 Thread Yehuda Katz
On Sat, Feb 8, 2020 at 6:01 AM Luca Toscano  wrote:

> I didn't find a way to instruct Travis to avoid triggering a build if only
> certain file types are committed, so the only solution for the moment is to
> manually add the aforementioned sequence :(
>

For the record, this has been a really long-standing open issue with Travis:
https://github.com/travis-ci/travis-ci/issues/6301

- Y


Re: Help regarding an issue with Apache Tomcat

2020-02-07 Thread Yehuda Katz
This list is for Apache HTTPD. You can find support for Tomcat here:
http://tomcat.apache.org/lists.html#tomcat-users

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Fri, Feb 7, 2020, 2:35 AM Cheeneebash, P. 
wrote:

> Hello,
>
> We need help regarding an issue with Apache Tomcat.
>
> For security reasons, we have had to modify the configuration of our
> Siebel Application (Siebel Click through Daemon and Siebel Email Sending
> Daemon) to use tomcat 7.0.86 instead of 7.0.14.
>
> After the modification, we have restarted our applications and we can
> see in the log files that they are using the version 7.0.86. However,
> while testing using 'myurl:8080/manager/status', it is still pointing to
> the 7.0.14 version.
>
> Can you please assist?
>
> Please find the attached screenshot.
>
> Thanks and Regards/Cordialement
>
> Pritish Cheeneebash
> Application Development Analyst
> Accenture
> Office: +230 40 25 451
>


Re: Load balancing and load determination

2018-10-30 Thread Yehuda Katz
HAProxy has a similar feature called agent-check (
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.2-agent-check)
although in their case, the backend server specifies its own weight.
Either way - whether the frontend or backend determines the weight - it
would be useful.

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Tue, Oct 30, 2018, 8:53 AM Jim Jagielski  wrote:

> As some of you know, one of my passions and area of focus is
> on the use of Apache httpd as a reverse proxy and, as such, load
> balancing, failover, etc are of vital interest to me.
>
> One topic which I have mulling over, off and on, has been the
> idea of some sort of universal load number, that could be used
> and agreed upon by web servers. Right now, the reverse proxy
> "guesses" the load on the backend servers which is OK, and
> works well enough, but it would be great if it actually "knew"
> the current loads on those servers. I already have code that
> shares basic architectural info, such as number of CPUs, available
> memory, loadavg, etc which can help, of course, but again, all
> this info can be used to *infer* the current status of those backend
> servers; it doesn't really provide what the current load actually
> *is*.
>
> So I was thinking maybe some sort of small, simple and "fast"
> benchmark which could be run by the backends as part of their
> "status" update to the front-end reverse proxy server... something
> that shows general capability at that point in time, like Hanoi or
> something similar. Or maybe some hash function. Some simple code
> that could be used to create that "universal" load number.
>
> Thoughts? Ideas? Comments? Suggestions? :)
>



Re: Revisit Versioning? (Was: 2.4.3x regression w/SSL vhost configs)

2018-04-14 Thread Yehuda Katz
On Sat, Apr 14, 2018 at 9:48 AM, Jim Jagielski  wrote:

> IMO, the below ignores the impacts on OS distributors who
> provide httpd. We have seen how long it takes for them
> to go from 2.2 to 2.4... I can't imagine the impact for our
> end user community if "new features" cause a minor
> bump all the time and we "force" distributions for
> 2.4->2.6->2.8->2.10...
>
> Just my 2c
>
>
That also assumes the OS distributions pick up the point releases. RedHat
certainly doesn't pick up the new features, only bug fixes.

- Y



> > On Apr 13, 2018, at 2:28 PM, David Zuelke 
> wrote:
> >
> > Remember the thread I started on that quite a while ago? ;)
> >
> > IMO:
> >
> > - x.y.0 for new features
> > - x.y.z for bugfixes only
> > - stop the endless backporting
> > - make x.y.0 releases more often
> > - x.y.0 goes through alpha, beta, RC phases
> > - x.y.z goes through RC phases
> >
> > That's how PHP has been doing it for a few years, and it's amazing how
> > well it works, how few regressions there are, and how predictable the
> > cycle is (they cut an x.y.zRC1 every four weeks like clockwork, with
> > exceptions only around late December because of holiday season).
> >
> > This would also fix all the confusing cases where two or three faulty
> > releases get made, end up in the changelog, but ultimately are never
> > released.
> >
> >
> > On Fri, Apr 13, 2018 at 5:28 PM, William A Rowe Jr 
> wrote:
> >> Terrific analysis! But on the meta-question...
> >>
> >> Instead of changing the behavior of httpd on each and every subversion
> bump,
> >> is it time to revisit our revisioning discipline and hygiene?
> >>
> >> I promise to stay out of such discussion provided that one equally
> stubborn
> >> and intractable PMC member agrees to do the same, and let the balance
> of the
> >> PMC make our decision, moving forwards.
> >>
> >> On Fri, Apr 13, 2018, 06:11 Joe Orton  wrote:
> >>>
> >>> On Thu, Apr 12, 2018 at 09:38:46PM +0200, Ruediger Pluem wrote:
>  On 04/12/2018 09:28 AM, Joe Orton wrote:
> > But logged is:
> >
> > ::1 - - [12/Apr/2018:08:11:12 +0100] "GET /agag HTTP/1.1" 404 12
> > HTTPS=on SNI=localhost.localdomain
> > 127.0.0.1 - - [12/Apr/2018:08:11:15 +0100] "GET /agag HTTP/1.1" 404
> 12
> > HTTPS=- SNI=-
> >
> > Now mod_ssl only sees the "off" SSLSrvConfigRec in the second vhost
> so
> > the logging is wrong.
> 
>  What does the same test result in with 2.4.29?
> >>>
> >>> Excellent question, I should have checked that.  Long e-mail follows,
> >>> sorry.
> >>>
> >>> In fact it is the same with 2.4.29, because the SSLSrvConfigRec
> >>> associated with the vhost's server_rec is the same as the default/base
> >>> (non-SSL) server_rec, aka base_server passed to post_config hooks aka
> >>> the ap_server_conf global.
> >>>
> >>> So, maybe I understand this a bit better now.
> >>>
> >>> Config with three vhosts / server_rec structs:
> >>> a) base server config :80 non-SSL (<-- ap_server_conf/base_server)
> >>> b) alpha vhost :443, explicit SSLEngine on, SSLCertificateFile etc
> >>> c) beta vhost :443, no SSL*
> >>>
> >>> For 2.4.29 mod_ssl config derived is:
> >>> a) SSLSrvConfigRec for base_server = { whatever config at global scope
> }
> >>> b) SSLSrvConfigRec for alpha = { sc->enabled = TRUE, ... }
> >>> c) SSLSrvConfigRec pointer for beta == SSLSrvConfigRec for base_server
> >>>   in the lookup vector (pointer is copied prior to ALWAYS_MERGE flag)
> >>>
> >>> For 2.4.33 it is:
> >>> a) and b) exactly as before
> >>> c) separate SSLSrvConfigRec for beta = { merged copy of config at
> global }
> >>>   time because of the ALWAYS_MERGE flag, i.e. still sc->enabled = UNSET
> >>>
> >>> When running ssl_init_Module(post_config hook), with 2.4.29:
> >>> - SSLSrvConfig(base_server)->enabled = FALSE because UNSET previously
> >>> - SSLSrvConfig(base_server)->vhost_id gets overwritten with vhost_id
> >>>  for beta vhost because it's later in the loop and there's no check
> >>>
> >>> And with 2.4.33:
> >>> - SSLSrvConfig(beta)->enabled is UNSET but gets flipped to ENABLED,
> >>>  then startup fails (the issue in question)
> >>>
> >>> w/my patch for 2.4.33:
> >>> - SSLSrvConfig(beta)->enabled is FALSE and startup works
> >>>
> >>> At run-time a request via SSL which matches the beta vhost via
> SNI/Host:
> >>>
> >>> For 2.4.29:
> >>> - r->server is the beta vhost and mySrvConfig(r->server) still gives
> >>>  you the ***base_server*** SSLSrvConfigRec i.e. sc->enabled=FALSE
> >>> - thus e.g. ssl_hook_Fixup() does nada
> >>>
> >>> For 2.4.33 plus my patch:
> >>> - r->server is the beta vhost and mySrvConfig(r->server) gives
> >>>  you the SSLSrvConfigRec which is also sc->enabled = FALSE
> >>> - thus e.g. ssl_hook_Fixup() also does nada
> >>>
> >>> I was trying to convince myself whether mySrvConfig(r->server) is going
> >>> to change between 2.4.29 and .33+patch in this case, and I think it
> >>> 

Re: open tags - minimal example

2018-01-28 Thread Yehuda Katz
I only suggested a handler because the OP was comparing to PHP which, as
far as I know, uses a handler and not an output filter. Is there any
documentation about when to use one over the other?

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Jan 28, 2018 9:08 AM, "Nick Kew" <n...@apache.org> wrote:

On Sun, 2018-01-28 at 08:31 -0500, Yehuda Katz wrote:
> HTTPD doesn't see the tags in the file at all. The way the file is
> processed is determined by which Handler you set in the
> configuration:
> https://httpd.apache.org/docs/2.4/handler.html
>
>
> To have your  probably use your own file extension, for example index.mystuff, and
> in your configuration, add AddHandler mystuff-handler .mystuff

A handler to parse file contents is actually a poor choice.
You use an output filter.

Relevant examples in the current codebase include mod_includes,
which parses tags in a manner similar to what the OP seems to
envisage, and mod_proxy_html which uses a markup-aware parser
that feeds each <...> as an event to your registered callback.
Either of those modules would be a starting point to look at.

--
Nick Kew


Re: open tags - minimal example

2018-01-28 Thread Yehuda Katz
HTTPD doesn't see the tags in the file at all. The way the file is
processed is determined by which Handler you set in the configuration:
https://httpd.apache.org/docs/2.4/handler.html

To have your  wrote:

Hi Eric,

Thank you for the Link.
I mean: "writing module to interpret codes like PHP."

See:
If the Developer of a Script (called e.g. "test.script"), and he/she
insert a open-tag (called e.g. )
the end-tag is then ?>.

How to handle  It's not clear what you're asking.
>
> Are you asking about writing an Apache module that interprets PHP the
> same way mod_php does?
>
> A basic introduction to writing modules is available here:
> http://httpd.apache.org/docs/2.4/developer/modguide.html
>
> -- Eric Covener
>


Re: Tool to analyze and minimize loaded modules.

2017-05-15 Thread Yehuda Katz
The server-info handler can give you some of that information, but not 100%.
It lists each module and the relevant configuration, but mod_info itself is
an example of that not being enough:
SetHandler server-info is listed in core.c and for me there is no
configuration listed under mod_info.

I cut this down from the full config to show relevant parts.

[image: Inline image 2]

[image: Inline image 1]

- Y

On Mon, May 15, 2017 at 12:12 PM, Mike Rumph  wrote:

> Hello all,
>
> I was wondering if there is any tool available that can analyze the
> directives in an httpd instance's configuration files and determine which
> loaded modules are not being used.
> If not, maybe such a tool could be quite useful for reducing the memory
> footprint.
>
> Thanks,
>
> Mike Rumph
>


Re: [users@httpd] URG:DocumentRoot relate query on WIndows

2017-03-10 Thread Yehuda Katz
Could this be a bug or feature in the Windows path handling?
I have never touched this part of the code, but I don't immediately see
where Windows paths would be handled differently.
I suspect it is in apr_filepath_root in apr file_io/win32/filepath.c

I am trying to get my Windows build environment working, but if someone has
seen this before, it might save me the time.

- Y

On Fri, Mar 10, 2017 at 11:27 AM, Yehuda Katz <yeh...@ymkatz.net> wrote:

> You can set the DocumentRoot to "C:/" (note the forward slash instead of
> the backslash).
> You can technically set it to just "/" also if you want the drive where
> HTTPD is located.
>
> When running HTTPD on Windows, it is good practice to use forward slashes
> even though backslashes work in some places.
> This is supposed to be inserted as a comment in the Windows httpd.conf (by
> httpd/branches/2.4.x/build/installwinconf.awk):
>
>
>> # NOTE: Where filenames are specified, you must use forward slashes
>> # instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
>> # If a drive letter is omitted, the drive on which httpd.exe is located
>> # will be used by default.  It is recommended that you always supply
>> # an explicit drive letter in absolute paths to avoid confusion.
>
>
> - Y
>
> On Fri, Mar 10, 2017 at 8:37 AM, Eric Covener <cove...@gmail.com> wrote:
>
>> On Fri, Mar 10, 2017 at 8:25 AM, Ishan Thakur
>> <ishanthaku...@yahoo.in.invalid> wrote:
>> > “We are setting the documentRoot as “web”(no complete absolute path).
>> This
>> > works fine for all the paths.
>> > The paths can be direct drive(D:\). But it fails only for C drive(C:\).
>> The
>> > same works fine for all other paths(D:\, C:\Program Files…etc)
>> >
>> > For C drive, we are getting following error:
>> >
>> > Syntax error on line 129 of C:/httpd.conf:
>> > DocumentRoot must be a directory
>> > “
>> > Is there any restriction for C drive on Windows for Apache httpd-2.2.31?
>>
>>
>> You'll have to provide some more detail. How does "web" work for
>> different drive letters?  Do you specify different server roots in
>> different configuration files?
>>
>> There's nothing special about the C drive when you specify a DocumentRoot.
>>
>> --
>> Eric Covener
>> cove...@gmail.com
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>
>


Re: The Version Bump fallacy [Was Re: Post 2.4.25]

2016-12-28 Thread Yehuda Katz
On Wed, Dec 28, 2016 at 12:35 AM, William A Rowe Jr 
wrote:

> Our adoption is *broadly* based on the OS distributions
> from vendors, not from people picking up our sources.
> Yes - some integrate directly from source, and others
> use a non-OS distribution.
>

I think a significant number of users of nginx add the official nginx
yum/apt sources and keep up to date that way (
http://nginx.org/en/linux_packages.html#mainline).
This is particularly true because the vendor-supplied versions are so old.
You can see this in the w3techs data: nginx 1.10.2 came out in October and
already makes up 75% of all nginx 1.10 users. nginx 1.11.8 usage has
similar trends.

A possible solution to this would be to start publishing binaries in a
package-manager-accessible format.
I am confident it would see a much higher rate of adoption.

- Y


Re: Query on linking Apache Mailing list with GitHUub Commits

2016-11-14 Thread Yehuda Katz
HTTPD uses SVN, Github is just a nice mirror.

Each git commit should have a line that starts "git-svn-id". The SVN commit
number and canonical link is there.

- Y

On Mon, Nov 14, 2016 at 8:45 PM, Mehvish.Rashid 
wrote:

> I see code commits on this link: https://github.com/apache/httpd/commits
> But when I search for a svn commit, for example, "Re: svn commit: r1768245
> - " from mailing list: https://lists.apache.org/list.html?dev@httpd.apache.org:2016-11
> on the above link I cannot find it. Am looking for a way to link the
> committers in svn and mails sent by them on the above mailing list.
>
> -Original Message-
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: 15 November 2016 01:06
> To: Apache HTTP Server Development List
> Subject: Re: Query on linking Apache Mailing list with GitHUub Commits
>
> On Mon, Nov 14, 2016 at 7:58 PM, Mehvish.Rashid 
> wrote:
> > 1) I would like to know where do developers on Apache HTTP Server ask
> questions relating to code in inactive file.
> > Inactive file is a file on which there are no commit for some duration.
> When some developer starts to work on the code of such file where do they
> ask questions.
> > I see some communication on this link:
> > https://lists.apache.org/list.html?dev@httpd.apache.org
> > Are there any other places to find answers relevant to code.
>
> That's the right list, there are no other options.  modules-dev@ is for
> module development questions about modules that aren't a part of httpd.
>
> > 2) Can questions on mailing list in the above link be linked to
> > commits on: https://github.com/apache/httpd
>
> Anyone is free to send an email with a link to a github link, but they are
> more likely to address something in terms of its SVN revision or respond to
> the email generated during the commit.  For httpd, github is just a
> read/only mirror.
>
> --
> Eric Covener
> cove...@gmail.com
>


Re: [PATCH] Add "FreeListen" to support IP_FREEBIND

2016-03-07 Thread Yehuda Katz
On Mon, Mar 7, 2016 at 9:06 PM, William A Rowe Jr 
wrote:

> On Mar 7, 2016 13:54, "Jan Kaluža"  wrote:
> >
> > On 03/07/2016 04:17 PM, Jim Jagielski wrote:
> >>
> >> Instead of adding YAD (yet another directive ;) ), would it
> >> be possible to somehow leverage Listen itself, maybe with some
> >> sort of flag?
> >
> >
> > Yes, that would be quite possible. I was thinking about that way, but I
> have chosen YAD as a first approach. If you think adding flag to Listen is
> better way, I can rework my patch.
> >
> > Regards,
> > Jan Kaluza
> >
>
> Reviewing the behavior, an unadorned new directive makes more sense to me
> than cluttering Listen, which already takes one optional protocol behavior
> argument.
>
> The same handler can process both directives.
>
A benefit of using a flag is: what happens if the default changes at some
point? YAD would need to be created to go back to the old behavior - which
would make things more complicated.  Is it possible to use something like a
plus/minus or question mark symbol with each address:port which would allow
the default to be changed at some future point without requiring having
this discussion again?

Example:
Listen ?192.170.2.1:80  # Use IP_FREEBIND to listen when IP is available
(new behavior)
Listen +192.170.2.5:8000  # Require IP to be available (old behavior)
Listen [2001:db8::a00:20ff:fea7:ccea]:80  # Current default behavior (old)

- Y
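To show what the prefix syntax proposed above would involve, here is an added example (not the patch under discussion and not httpd code): a parser for a '?' / '+' prefixed Listen argument that handles bracketed IPv6 literals and a bare port number, plus the setsockopt() call that a freebind policy would translate into. The enum, struct and function names are invented for this illustration; IP_FREEBIND itself is the Linux socket option named in the thread subject.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Bind policy selected by the (hypothetical) prefix character. */
enum bind_policy {
    BIND_DEFAULT,   /* no prefix: the server's default behaviour */
    BIND_STRICT,    /* '+': the address must exist at bind time */
    BIND_FREEBIND   /* '?': set IP_FREEBIND so bind() succeeds before the address exists */
};

struct listen_spec {
    enum bind_policy policy;
    char host[64];   /* empty string means all interfaces */
    int port;
};

/* Parse one Listen argument, e.g. "?192.170.2.1:80", "+[::1]:443" or "80".
 * Returns 0 on success, -1 if the argument is malformed. */
int parse_listen_arg(const char *arg, struct listen_spec *out)
{
    const char *colon = NULL, *portstr;
    char *end;
    long port;

    memset(out, 0, sizeof *out);
    if (*arg == '?')      { out->policy = BIND_FREEBIND; arg++; }
    else if (*arg == '+') { out->policy = BIND_STRICT;   arg++; }

    if (*arg == '[') {                                  /* bracketed IPv6 literal */
        const char *close = strchr(arg, ']');
        size_t len;
        if (!close || close[1] != ':') return -1;       /* port is mandatory here */
        len = (size_t)(close - arg - 1);
        if (len == 0 || len >= sizeof out->host) return -1;
        memcpy(out->host, arg + 1, len);
        colon = close + 1;
    } else if ((colon = strrchr(arg, ':')) != NULL) {   /* host:port */
        size_t len = (size_t)(colon - arg);
        if (len >= sizeof out->host) return -1;
        memcpy(out->host, arg, len);
    }
    portstr = colon ? colon + 1 : arg;                  /* bare "80" means every interface */
    port = strtol(portstr, &end, 10);
    if (end == portstr || *end != '\0' || port < 1 || port > 65535) return -1;
    out->port = (int)port;
    return 0;
}

/* Apply the policy to an already-created socket before bind(). IP_FREEBIND is a
 * Linux socket option; on other platforms the freebind request is reported as
 * unsupported instead of being silently ignored. */
int apply_bind_policy(int fd, enum bind_policy policy)
{
    if (policy != BIND_FREEBIND) return 0;
#ifdef IP_FREEBIND
    int one = 1;
    return setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one);
#else
    (void)fd;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Small accessors so a parse result can be checked without the struct. */
int listen_port(const char *arg)
{ struct listen_spec s; return parse_listen_arg(arg, &s) == 0 ? s.port : -1; }
int listen_policy(const char *arg)
{ struct listen_spec s; return parse_listen_arg(arg, &s) == 0 ? (int)s.policy : -1; }
int listen_host_is(const char *arg, const char *host)
{ struct listen_spec s; return parse_listen_arg(arg, &s) == 0 && strcmp(s.host, host) == 0; }

int main(void)
{
    /* The forms from the message above plus a bare port; shows how each parses. */
    const char *args[] = { "?192.170.2.1:80", "+192.170.2.5:8000",
                           "[2001:db8::a00:20ff:fea7:ccea]:80", "80", "[::1]" };
    const char *names[] = { "default", "strict", "freebind" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        struct listen_spec s;
        if (parse_listen_arg(args[i], &s) != 0) {
            printf("%-36s malformed\n", args[i]);
            continue;
        }
        printf("%-36s host=%-30s port=%-5d policy=%s\n", args[i],
               s.host[0] ? s.host : "*", s.port, names[s.policy]);
    }
    return 0;
}
```

Keeping the policy in the parsed spec rather than in a separate directive is what lets a later change of default be expressed as "unprefixed means freebind" without touching the per-address syntax.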


Re: access control for dynamic hosts

2016-03-01 Thread Yehuda Katz
dyndns is a company name, but it seems to be synonymous for a lot of
systems with dynamic-dns.
That would make a recognizable option for a lot of people.

- Y

On Tue, Mar 1, 2016 at 10:00 AM, Eric Covener  wrote:

> On Tue, Mar 1, 2016 at 9:53 AM,   wrote:
> > Maybe "Require ip" could be extended instead of using a new name:
> >
> >   "Require ip myserver.apache.org"
>
>
> Unfortunately I think you need to pick an awkward name here so it
> cannot be confused/misused.  Like "forward-dns"
>
> --
> Eric Covener
> cove...@gmail.com
>


[PATCH 58985] Add 451 status code

2016-02-13 Thread Yehuda Katz
Hello all,
I looked into the missing 451 status code because someone asked about it on
the users list. It seems like a simple enough patch - since it is just
copying an existing feature.
I am looking at possibly contributing more and I am interested in feedback.

https://bz.apache.org/bugzilla/show_bug.cgi?id=58985

- Y


APLOGNO() in mod_rewrite

2016-02-09 Thread Yehuda Katz
I noticed today that errors about invalid flags on rewrite rules do not
have APLOGNO() on them.
cmd_rewriterule calls cmd_rewriterule_setflag and if a string is returned,
prefixes "RewriteRule: " and returns that as an error.

Should these have APLOGNO()? They are errors, but they don't
use ap_log_rerror.
If those have APLOGNO() added, should each possible flag error have a
different one or are all flag errors the same and the code should be added
before the "RewriteRule:" prefix?

- Y


Broken Chunking with Fallback Resource

2016-02-03 Thread Yehuda Katz
I was asked to look at a FreeBSD server with HTTPD 2.4.18 (mod_php -
5.6.17). The site experiencing the issue is running WordPress.

There appears to be an issue with chunked responses not being delivered
properly when using FallbackResource. Chrome and the W3 Validator both
complain about missing chunks.
There are no errors in the server error log.

When we switched from FallbackResource to mod_rewrite, the problem
disappeared.
Has anyone seen this? If not, any debugging suggestions?

- Y


Re: Did someone take over my JIRA account?

2016-01-31 Thread Yehuda Katz
This mailing list is for HTTPD dev. I think you want to contact infra (
http://www.apache.org/dev/infra-contact) for Jira issues.
It is possible someone on this list has the necessary access to Jira to
help you, but HTTPD uses Bugzilla, not Jira, so you are not likely to get
help here.

- Y

On Sun, Jan 31, 2016 at 6:40 PM, Abhijit Sarkar 
wrote:

> Hi,
> I used to have a JIRA account and I went to check the status of a ticket I
> created in early 2015. However, the display name and the password seem to
> have been changed. Is this the result of someone taking over my JIRA
> account?
>
> https://issues.apache.org/jira/browse/MENFORCER-225
>
>
>
>


Re: Missing reference...

2016-01-27 Thread Yehuda Katz
On Wed, Jan 27, 2016 at 10:51 PM, William A Rowe Jr 
wrote:

> I noted that https://en.wikipedia.org/wiki/Apache_HTTP_Server
> doesn't contain a "References in Popular Culture" section...
>
> ... does anyone have the link to Bill's Foxtrot panels about
> Jason grabbing his copy of Apache 2.0 Beta?
>

The link: http://www.gocomics.com/foxtrot/2005/01/11/

Wikipedia was on a "References in Popular Culture" purge cycle recently, so
it might not stick.

See also: https://en.wikipedia.org/wiki/Wikipedia:Xkcd_in_popular_culture

- Y


Documentation: Chrome breaks localhost resolution

2015-07-12 Thread Yehuda Katz
I had several people contact me recently about broken Apache installation
where the issue was actually with Chrome (I think starting with 43).
When a system has IP-based vhosts on 127.0.0.0/8 besides 127.0.0.1 and uses
the hostname anything.localhost, Chrome will no longer load those pages.
This is their change:
https://code.google.com/p/chromium/issues/detail?id=455825

This is not an HTTPD-specific issue, but I could see it being included
either in the documentation or as a startup warning if there are vhosts
ending in .localhost.
Before I start writing/coding, I was wondering whether others think it is
worth it?

- Y
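A sketch of the startup check proposed above, added here as example code (not httpd's own): it flags a vhost whose ServerName ends in .localhost when that vhost is bound to a loopback address other than 127.0.0.1, which is exactly the combination the message describes. The vhost table in main() is constructed for the illustration; in the server it would come from the parsed configuration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* True when name ends in ".localhost" (case-insensitive). Plain "localhost"
 * is deliberately not matched: only the subdomain form is affected. */
static int ends_with_dot_localhost(const char *name)
{
    const char suffix[] = ".localhost";
    size_t n = strlen(name), s = sizeof suffix - 1;
    return n > s && strcasecmp(name + n - s, suffix) == 0;
}

/* True when addr is an IPv4 address in 127.0.0.0/8 other than 127.0.0.1. */
static int is_alternate_loopback(const char *addr)
{
    struct in_addr a;
    uint32_t h;
    if (inet_pton(AF_INET, addr, &a) != 1)
        return 0;
    h = ntohl(a.s_addr);
    return (h >> 24) == 127 && h != 0x7F000001u;
}

/* Startup-time check: returns 1 if this vhost matches the combination
 * described in the message (a *.localhost name on a non-127.0.0.1 loopback IP). */
int vhost_needs_localhost_warning(const char *servername, const char *addr)
{
    return ends_with_dot_localhost(servername) && is_alternate_loopback(addr);
}

int main(void)
{
    /* Constructed vhost table standing in for what the config parser would produce. */
    struct { const char *name, *addr; } vhosts[] = {
        { "app.localhost",   "127.0.0.1" },   /* fine: standard loopback address */
        { "api.localhost",   "127.0.0.2" },   /* affected */
        { "admin.LOCALHOST", "127.10.0.5" },  /* affected, case-insensitive */
        { "example.com",     "127.0.0.3" },   /* fine: not a .localhost name */
        { "localhost",       "127.0.0.4" },   /* fine: bare localhost is not matched */
    };
    for (size_t i = 0; i < sizeof vhosts / sizeof vhosts[0]; i++) {
        if (vhost_needs_localhost_warning(vhosts[i].name, vhosts[i].addr))
            printf("warning: vhost %s is bound to %s; *.localhost names on a loopback "
                   "address other than 127.0.0.1 are not reachable from recent Chrome\n",
                   vhosts[i].name, vhosts[i].addr);
    }
    return 0;
}
```

The two predicates are kept separate so the same loop can later grow other name/address sanity checks without changing how a vhost is classified.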


Fwd: [users@httpd] Looking for a new maintainer for FableTech Server Status for Apache

2015-02-17 Thread Yehuda Katz
Dev list is probably a better place to ask this.

-- Forwarded message --
From: Morten Shearman Kirkegaard m...@fabletech.com
Date: Tue, Feb 17, 2015 at 1:37 PM
Subject: [users@httpd] Looking for a new maintainer for FableTech Server
Status for Apache
To: us...@httpd.apache.org


Hi list,

A few years ago FableTech developed a tool which allows a sysadm to see
what his Apache httpd is serving, even if the server-status page is not
responding. It's relatively simple, but can be very useful.

Going forward we will not be able to maintain the project, so we are
looking for somebody to take over. Perhaps the Apache Software
Foundation would be interested in taking over this tiny project?

More information about the project:
http://fabletech.com/ftss

Kind regards,
Morten

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


Re: MAJOR SECURITY-PROBLEM Apache 2.4.6

2014-10-21 Thread Yehuda Katz
On Wed, Oct 1, 2014 at 2:19 PM, Eric Covener cove...@gmail.com wrote:

> On Wed, Oct 1, 2014 at 2:16 PM, Eric Covener cove...@gmail.com wrote:
>
> > To me, this does not exonerate mod_php, it implicates it.  I suspect your
> > source code is served because PHP swallowed the LimitRequestBody and then
> > passed control back to Apache.  I'm fairly certain I responded to you
> > privately with similar information already.
>
> I should add that I don't understand your scenario completely, where the
> file is not processed. I think my own test result was the same as Yehuda
> ITT which is not the same as what I just described with the default handler
> taking over.


1. Is this result (PHP executed) still a bug (could be in mod_php)? If a
413 comes up, shouldn't no other content be returned?
I am considering setting up a new VM to do some testing, but I want to make
sure this is not the expected behavior (whether the PHP is executed or not).

2. Is there another module that hooks in with a similar way to mod_php that
might also show this behavior (mod_lua for example)?

- Y


Re: SSL and NPN

2014-04-28 Thread Yehuda Katz
I have not looked at the patches or ALPN in detail, but I think the
important question is how hard it would be to change this for (or add) ALPN
support. If Chrome is planning to remove NPN support, it does not seem very
useful to add the feature to HTTPD.

- Y


On Mon, Apr 28, 2014 at 5:56 PM, Tim Bannister is...@jellybaby.net wrote:

> On 28 Apr 2014, at 22:50, Jim Jagielski j...@jagunet.com wrote:
>
> > Any reason to NOT include
> >
> > http://svn.apache.org/viewvc?view=revision&revision=1332643
> > http://svn.apache.org/viewvc?view=revision&revision=1487772
> >
> > in 2.4??
>
> I don't think https://www.imperialviolet.org/2013/03/20/alpn.html is
> enough reason not to backport, but I'll mention it.
>
> --
> Tim Bannister – is...@jellybaby.net




Re: Configuration error handling after httpd restart

2014-04-14 Thread Yehuda Katz
Since this is up for discussion anyway, what if there was an option to set
a directive as ignore-able.

For example, PHP allows you to preface a function with `@` to ignore errors
(http://www.php.net/manual/en/language.operators.errorcontrol.php).

That way, if you restart and the error is "Invalid command 'Xyzzy'", you
could make the decision to ignore it.

I am not sure how useful this would be in practice. The only thing that
comes to mind is with a module like mod_auth_mysql where you could ignore
errors about it being missing while still requiring some other type of
authentication with satisfy any.

- Y


On Mon, Apr 14, 2014 at 12:00 PM, Jim Riggs apache-li...@riggs.me wrote:

 On 14 Apr 2014, at 10:38, Eric Covener cove...@gmail.com wrote:

  On Mon, Apr 14, 2014 at 11:15 AM, Mike Rumph mike.ru...@oracle.com
 wrote:
  If there is an unknown directive in the config file, simply ignore it
 with a
  warning.
 
  You can't do that.  What if it was Reqiure?

 I agree with Eric. I would not want unknown directives to be ignored. It
 might be a typo of a really important directive like Eric describes. Or,
 what if a module I really, really need is accidentally disabled and we just
 ignore all of its directives? Not good.

 In this particular case, duplicating a Listen directive doesn't seem like
 it should bomb out the server.

 Listen 80
 ...
 Listen 80

 It's superfluous, but not really a critical error. So, my patch just
 ignores subsequent duplicate Listens.




Re: Need an example of a simple application and how to set it up on Apache 2.2

2013-12-24 Thread Yehuda Katz
This is more appropriate for the HTTPD Users list.
http://httpd.apache.org/userslist.html
The DEV list is for the server development.

You need to also include what language your application is.
By default Apache will only serve HTML unless you set up cgi or some other
language module.


On Tue, Dec 24, 2013 at 5:18 PM, Frederick Miller fjmille...@gmail.com wrote:

 I need an example of a simple application and how to set it up on Apache
 2.2.  I'm running Windows XP, and I've read all the documentation.  I've
 put some Web apps under the htdocs folder, but they just show the source
 html and don't actually run the application.  I'd like to see an example
 that is more than just HTML, what folder to copy it into, and what the
 expected output is.  I've done JSPs and Servlets with Tomcat, but I'm new
 to Apache Server 2.2.  Thanks.

 Frederick Miller



Re: Decrypting mod_session-created cookie

2013-07-08 Thread Yehuda Katz
Here is the actual procedure (in TRUNK, but last modified 3 months ago, I
did not look at what changed).
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_crypto.c?view=markup
Ignoring the apache-specific configuration, it looks pretty standard to me
(although I did not spend too long looking at it, but I did teach
college-senior crypto last semester and it looks similar to a project we
assigned).

- Y

On Mon, Jul 8, 2013 at 11:32 PM, Mikhail T. mi+t...@aldan.algebra.com wrote:

  08.07.2013 19:35, Graham Leggett wrote:

 Like Daniel said, you don't need to know.

  This is unhelpful. Do you *know* the answer? If you do, could you share
 it? If you are trying to avoid committing to a particular method -- because
 you foresee it changing in the future -- well, that does not seem right
 either. The cookies may already be stored by the browsers and invalidating
 them all by upgrading the server would not be proper.

  You can configure the decrypted session to be provided to php either via an 
 environment variable or a request header, your choice. You can then 
 optionally update the session with a response header. All encryption is 
 transparent to php.

  Only if the php is running on the same -- or similarly configured Apache
 server.

 And then there is the other aspect I mentioned -- the tests, which would
 require the session-cookie to be generated (correctly) inside JMeter.


 08.07.2013 19:33, Daniel Lescohier wrote:

 Perhaps your decryption code isn't handling the salt?

 Perhaps... But for now I'm just trying to decrypt the existing cookie
 myself -- if only to better understand, how it is constructed. I'd
 appreciate the description of the method used -- rather than a lecture on
 how I don't need to worry my pretty little head...

 I'm also curious, if the cookie is only encrypted, or if it is also
 signed. As well as whether it is possible to just have it signed without
 encrypting... Thanks,

 -mi




Re: Decrypting mod_session-created cookie

2013-07-08 Thread Yehuda Katz
Unfortunately not this week. Send me a reminder email next week and I
should be able to look at it.
- Y

On Tuesday, July 9, 2013, Mikhail T. wrote:

  08.07.2013 23:44, Yehuda Katz написав(ла):

 Ignoring the apache-specific configuration, it looks pretty standard to me
 (although I did not spend too long looking at it, but I did teach
 college-senior crypto last semester and it looks similar to a project we
 assigned).

 Would you be able to translate the calls to APR's crypto API into PHP's
 mcrypt (http://www.php.net/manual/en/ref.mcrypt.php) or
 openssl (http://www.php.net/manual/en/ref.openssl.php) functions? For
 simplicity, let's assume the cipher is always the default --
 AES256.

 Thank you very much. Yours,

 -mi




Re: apache Binary called when php is run

2013-05-09 Thread Yehuda Katz
If you just run a PHP script, none.

If you mean that you go to a PHP script in the browser, then it depends on
how you have PHP configured.
The choices are mod_php, fastcgi, cgi (and maybe other options that I am
not aware of).
If you can provide more information, you might get a better answer.

- Y


On Thu, May 9, 2013 at 5:20 AM, kalyan sita kalyansit...@gmail.com wrote:

 can you please tell what is the apache binary which gets invoked when we
 run a php script because I need to debug the source apache modules

 Thanks,
 kalyan



Re: URL scanning by bots

2013-04-30 Thread Yehuda Katz
On Tuesday, April 30, 2013, Christian Folini wrote:

 But you can try it out for yourself easily with
 2-3 ModSecurity rules and the pause directive.

Someone suggested the same idea to me and I tried it out on one of my
servers by setting PHP as the 404 handler and having it loop there (which
saves you the trouble of setting up mod_security if you already have PHP).
I noticed increased server load and no decrease in bot requests.
- Y


Re: New RewriteMap Help/Suggestions

2013-04-25 Thread Yehuda Katz
On Thu, Apr 25, 2013 at 10:35 AM, Jim Riggs apache-li...@riggs.me wrote:

 So, I have created a crude, working proof-of-concept of this. It basically
 copies all of the functionality of the txt maps, including the cache, but
 in the lookup_map_regexpfile() function, it compiles the regexp for each
 line, attempts a match, and returns the backref-substituted replacement.
 (This pair gets cached.) This works beautifully as is, but it is horribly
 inefficient to have to compile the REs every time we come in with a new
 key/URL. So, I was thinking of precompiling all of them and see three
 options:

 1. Precompile and store all of the REs at config load time.

1a. Precompile and store all of the REs at config load time or when the map
file is updated.

 2. Compile and store all of the REs the first time we hit
 lookup_map_regexpfile() or when the map file is updated.
 3. Compile and store each RE as we read through the map file in
 lookup_map_regexpfile() until a match is found and bail (full list will be
 built over time).

 #1 is nice, because all of the work is done up front and will be fast from
 then on. The problem, though, is that I would like this map to
 reload/refresh if the map file gets changed like the other types do. #2 and
 #3 solve this. With #2 I worry about performance of compiling everything if
 the map file gets updated and we get a thundering herd. With #3 there is
 some coordination to manage with respect to which lines have been compiled
 and which ones haven't.

I think #3 is not a great idea for the same reason you mentioned.

I have actually seen the problem that you mention in #2 in a live
environment with a (poorly-designed) custom module. Each request tries to
clear the cached results and build them again, very quickly overloading the
server.

You could potentially use something like ap_hook_monitor to watch the file
for changes, paired with 1a (not sure how much load that might add). In my
regular apache module reference (Nick Kew's Apache Modules Book which I
keep on my office bookshelf) it is mentioned quickly (pages 67, 268, 337).

- Y


Re: [Discuss] Time to rewrite/rethink modules.apache.org?

2013-01-23 Thread Yehuda Katz
On Wed, Jan 23, 2013 at 4:04 AM, Daniel Gruno rum...@cord.dk wrote:

 If you find a bug, post it to me or on the list, whichever you think is
 appropriate.

OK. Bug I found seems to be fixed (since about 2300 EST).
When I clicked on the link to modules.lua on projects.lua, there was some
error.
Now it appears to be working. (and I just noticed that you sent me a
message indicating that.)

Several comments:
- Clicking "remove project" should probably prompt "Are you sure?".
- It would be nice if the title would change based on the page you are on
so that it is easier to use the browser's back/forward and history.

- Y


Re: Win32 src bundles for Apache

2012-12-18 Thread Yehuda Katz
On Tue, Dec 18, 2012 at 11:24 AM, Andy Wang aw...@ptc.com wrote:

  This was brought up a while ago that the Apache 2.4.x and 2.2.23 builds
 were lacking the win32 source bundle.  There was some discussion about how
 to build these bundles:

 http://mail-archives.apache.org/mod_mbox/httpd-dev/201209.mbox/%3C506243E0.3050108%40apache.org%3E

 Is there anyway to make available the details of how these windows src
 bundles are built for those of us that need to build our own?  I imagine if
 I knew Windows better it may be more obvious but I'm really not a Windows
 developer and tend to just follow recipes when trying to make dev stuff
 work on Windows.


I think half the trouble was actually getting it to compile reliably on
Windows. (I have not tried too hard, but I know I have not been able to do
it.)
You can find instructions for x64 builds at
http://wiki.apache.org/httpd/Win64Compilation
I don't know how different the x86 build would be.

- Y


Re: [users@httpd] Apache HTTP Server 2.4.x for Windows?

2012-12-16 Thread Yehuda Katz
This argument has been going on the HTTPD-dev list recently too.
Defining some terms should answer your question.

Binaries are provided by volunteers who have commit access to the HTTPD
project. They are not formally provided by the Apache Software Foundation.

There is ongoing discussion on the dev list about a way forward with regard
to Windows binary distribution. In the meantime, try the ApacheLounge
binaries. (if I was not using a mobile device, I would post a link, but it
should be easy enough to find anyway.)

That said, please do not email the dev list to complain about the lack of
official binaries. If you have any experience in automating the build
process on Windows, that might be appreciated.

- Y

On Sunday, December 16, 2012, Esmond Pitt wrote:

 I know this has been discussed before but is this a policy change? I've
 been
 downloading Apache 2 Windows binaries direct from the project for about ten
 years.

 EJP

 -Original Message-
 From: Tom Evans [mailto:tevans...@googlemail.com]
 Sent: Thursday, 13 December 2012 11:31 PM
 To: us...@httpd.apache.org
 Subject: Re: [users@httpd] Apache HTTP Server 2.4.x for Windows?

 On Tue, Dec 11, 2012 at 4:47 PM, Ben Johnson b...@indietorrent.org
 wrote:
  The Apache Software Foundation does not provide Windows binaries. You
  must compile the software from source (no simple matter on Windows) or
  obtain binaries from a third party. Apache Lounge is the best known
  source for such binaries: https://www.apachelounge.com/download/

 Just to clarify, this is not specific to Windows. The Apache httpd project
 doesn't provide any binaries for any platform.

 Cheers

 Tom



 -
 To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
 For additional commands, e-mail: users-h...@httpd.apache.org



-- 
Sent from a gizmo with a very small keyboard and hyper-active auto-correct.


Re: Volunteers to drive an MSI build

2012-11-28 Thread Yehuda Katz
On Wed, Nov 28, 2012 at 10:35 AM, André Malo n...@perlig.de wrote:

  You know that, and I know that. Just as our Windows users know
  they have no use for source code.

 The discussion is moot. The ASF will not provide binary software.


Is that a new policy? ASF has provided (i.e. made available on
httpd.apache.org distribution mirrors) Windows binaries of HTTPD for (I can
say every release, since I did not check, but you get the idea).
The last one released was on 30-Jan-2012 of
httpd-2.2.22-win32-x86-openssl-0.9.8t.msi (see
http://www.us.apache.org/dist//httpd/binaries/win32/).
There are *still* NetWare binaries being built.


Re: Volunteers to drive an MSI build

2012-11-17 Thread Yehuda Katz
On Sat, Nov 17, 2012 at 10:59 AM, Issac Goldstand mar...@beamartyr.net wrote:

 Why not go the IIS route and use a c:\wwwroot or the like for non
 program-file stuff (logs, cgi-bin, docs, htdocs, conf)?


That is similar to what the Debian package maintainers do (see
http://wiki.apache.org/httpd/DistrosDefaultLayout).
I just wonder if it is really a good idea to have the official builds put
the folders in a different place than building from source.
The only other official binary for 2.4 is for Netware and there is no
documentation on the wiki page if the layout is different.

If you are looking for the place for data, the correct place for conf,
logs, and maybe cgi-bin would be in a subfolder in %PROGRAMDATA%
(PROGRAMDATA is usually C:\ProgramData\).
(That is where MySQL builds appear to put their data too.)
I would say that htdocs should be in a subfolder %PUBLIC%.
See this MSDN blog post for more info:
http://blogs.msdn.com/b/cjacks/archive/2008/02/05/where-should-i-write-program-data-instead-of-program-files.aspx

Other notes about this proposal:

 The trick to this would be that some people enable mod_userdir in a way
 that will cause overlap and potential security issues:
 UserDir C:/Users/*/Website
 If htdocs is in C:\Users\Public\Website, then Location(Match) rules
 would probably not apply to it if accessed as ~public, which is a security
 problem.


Volunteers to drive an MSI build

2012-11-12 Thread Yehuda Katz
William Rowe said he was working on a new WiX-based installer (that is the
same installer that Microsoft now uses for Visual Studio).
http://mail-archives.apache.org/mod_mbox/httpd-users/201210.mbox/%3c5085fe9a@rowe-clan.net%3e

That should make the process significantly easier.

- Y

On Monday, November 12, 2012, Igor Galić wrote:


 Hi folks,

 At ApacheCon I discussed with the few httpd and Infra folks
 that it would be a Really Good Idea to have, once again, an
 MSI build for Windows.

 Of course we shouldn't be satisfied with the same arduous
 release process as we had for 2.2 - and instead strive to
 automate it!

 I have opened an INFRA ticket

https://issues.apache.org/jira/browse/INFRA-5509

 to set up a Windows Server VM/buildbot - and am now looking for
 volunteers to step forward. - Just raise your hand here and
 update the above ticket with your Apache ID. (Yes, you need
 to be a committer already)

 You'll get a login on the machine once it's set up and can fiddle
 around and poke until you make it work - out of the box.


 o/~

 --
 Igor Galić

 Tel: +43 (0) 664 886 22 883
 Mail: i.ga...@brainsware.org
 URL: http://brainsware.org/
 GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE