Instrumenting HTTPD
I am working on a research paper related to server configuration. I am trying to collect some measurements or static analysis comparing the number of system calls with overrides off vs. on and also with different path lengths (i.e. what is the actual performance impact of checking .htaccess files). Before I start from scratch, I was wondering if anyone has done anything related to this before. Thanks, - Y Sent from a device with a very small keyboard and hyperactive autocorrect.
Re: [GitHub] [httpd-site] rbowen merged pull request #7: Drops link to 1.3 docs, which are gone.
Since 1.3 isn't supported, it would probably be better to remove the entries from Wikipedia or point them to the Internet Archive. Happy to do that.

On Sun, Jan 23, 2022 at 6:24 AM Graham Leggett wrote:
> On 21 Jan 2022, at 19:48, GitBox wrote:
>
> > rbowen merged pull request #7:
> > URL: https://github.com/apache/httpd-site/pull/7
>
> Can we put the 1.3 docs back?
>
> Pages like this make extensive reference to them:
> https://en.wikipedia.org/wiki/List_of_Apache_modules
>
> Regards,
> Graham
Re: APLOGNO number range for vendors?
Would a crazy option 4 be to add VENDOR_APLOGNO() which could add a prefix to the log number to be used in any patches?
For example, V_APLOGNO('R', 123) could produce AHR123
This would make it clear that the error comes from a patch from another distribution.

- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.

On Tue, Dec 1, 2020, 9:33 AM Joe Orton wrote:
> Very occasionally we backport patches to RHEL's httpd package in a way
> that introduces new or different logging output from 2.4/trunk. I'm
> wondering if there is any opinion about vendors asking for a small
> (say, 100?) reserved range of APLOGNO() space to use for such cases?
> Basically I'd just commit "next-number += 100" and use that range within
> downstream patches since they are then reserved upstream.
>
> 1) No, we should discourage vendors from such divergence.
>
> 2) Yes, they are just numbers, I don't care.
>
> 3) Yes, but commit to maintaining a public URL with documentation for
> each log message used or something similar.
>
> Thoughts?
>
> Regards, Joe
Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
2.4.44 and 2.4.45 were never released. Everything that was in 44 and 45 is in 46.

- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.

On Tue, Aug 11, 2020, 8:46 AM Pavel Lyalyakin wrote:
> Hello,
>
> The version 2.4 vulnerabilities page[1] tells that CVE-2020-9490,
> CVE-2020-11984 and CVE-2020-11993 were fixed in 2.4.44. But the version
> 2.4.46 changelog[2] tells that these vulnerabilities were fixed in version
> 2.4.46.
>
> So were they fixed in 2.4.44 or in 2.4.46?
>
> [1]: https://httpd.apache.org/security/vulnerabilities_24.html
> [2]: https://downloads.apache.org/httpd/CHANGES_2.4.46
>
> --
> With best regards,
> Pavel Lyalyakin
> VisualSVN Team
Re: "Forbid" directive in core?
On Mon, Apr 27, 2020 at 11:37 AM Eric Covener wrote:
> On Sat, Sep 28, 2013 at 12:21 PM Tim Bannister wrote:
> > The second time in a few days, I'm going to suggest adding an optional
> > parameter to a directive.
> >
> > Taking a leaf out of cascading stylesheets, how about “Forbidden On
> > Level=Important” and perhaps “Forbidden On Level=Indelible”?
> >
> > (the idea being that the “Indelible” level can't be removed).
> >
> > This lets distributions ship a fairly safe default configuration but
> > gives users enough scope to hang themselves. With this, “forbidden OFF”
> > isn't so risky and “Forbidden Off Level=Important” can carry a health
> > warning (and perhaps an ErrorLog warning as well).
> >
> > Too complex or worth having? What do people think? If there's appetite
> > for it then I will have a go at providing a patch.
>
> What do currently active people think of the original basic "Forbid"
> or the one with tags/levels?

Most CSS experts will tell you that "!important" is bad and if you are using it, you didn't design your site properly. As someone who does a lot of config support, I also think this is overly complicated.

- Y
Re: Use of [skip ci] in commit messages to avoid Travis builds
On Sat, Feb 8, 2020 at 6:01 AM Luca Toscano wrote:
> I didn't find a way to instruct Travis to avoid triggering a build if only
> certain file types are committed, so the only solution for the moment is to
> manually add the aforementioned sequence :(

For the record, this has been a really long-standing open issue with Travis: https://github.com/travis-ci/travis-ci/issues/6301

- Y
Re: Help regarding an issue with Apache Tomcat
This list is for Apache HTTPD. You can find support for Tomcat here: http://tomcat.apache.org/lists.html#tomcat-users

- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.

On Fri, Feb 7, 2020, 2:35 AM Cheeneebash, P. wrote:
> Hello,
>
> We need help regarding an issue with Apache Tomcat.
>
> For security reasons, we have had to modify the configuration of our
> Siebel Application (Siebel Click through Daemon and Siebel Email Sending
> Daemon) to use tomcat 7.0.86 instead of 7.0.14.
>
> After the modification, we have restarted our applications and we can
> see in the log files that they are using the version 7.0.86. However,
> while testing using 'myurl:8080/manager/status', it is still pointing to
> the 7.0.14 version.
>
> Can you please assist ?
>
> Please find the attached screenshot.
>
> Thanks and Regards/Cordialement
>
> Pritish Cheeneebash
> Application Development Analyst
> Accenture
> Office: +230 40 25 451
Re: Load balancing and load determination
HAProxy has a similar feature called agent-check (https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.2-agent-check) although in their case, the backend server specifies its own weight. Either way - whether the frontend or backend determines the weight - it would be useful.

- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.

On Tue, Oct 30, 2018, 8:53 AM Jim Jagielski wrote:
> As some of you know, one of my passions and area of focus is
> on the use of Apache httpd as a reverse proxy and, as such, load
> balancing, failover, etc are of vital interest to me.
>
> One topic which I have mulling over, off and on, has been the
> idea of some sort of universal load number, that could be used
> and agreed upon by web servers. Right now, the reverse proxy
> "guesses" the load on the backend servers which is OK, and
> works well enough, but it would be great if it actually "knew"
> the current loads on those servers. I already have code that
> shares basic architectural info, such as number of CPUs, available
> memory, loadavg, etc which can help, of course, but again, all
> this info can be used to *infer* the current status of those backend
> servers; it doesn't really provide what the current load actually
> *is*.
>
> So I was thinking maybe some sort of small, simple and "fast"
> benchmark which could be run by the backends as part of their
> "status" update to the front-end reverse proxy server... something
> that shows general capability at that point in time, like Hanoi or
> something similar. Or maybe some hash function. Some simple code
> that could be used to create that "universal" load number.
>
> Thoughts? Ideas? Comments? Suggestions? :)
Re: Revisit Versioning? (Was: 2.4.3x regression w/SSL vhost configs)
On Sat, Apr 14, 2018 at 9:48 AM, Jim Jagielski wrote:
> IMO, the below ignores the impacts on OS distributors who
> provide httpd. We have seen how long it takes for them
> to go from 2.2 to 2.4... I can't imagine the impact for our
> end user community if "new features" cause a minor
> bump all the time and we "force" distributions for
> 2.4->2.6->2.8->2.10...
>
> Just my 2c

That also assumes the OS distributions pick up the point releases. RedHat certainly doesn't pick up the new features, only bug fixes.

- Y

> > On Apr 13, 2018, at 2:28 PM, David Zuelke wrote:
> >
> > Remember the thread I started on that quite a while ago? ;)
> >
> > IMO:
> >
> > - x.y.0 for new features
> > - x.y.z for bugfixes only
> > - stop the endless backporting
> > - make x.y.0 releases more often
> > - x.y.0 goes through alpha, beta, RC phases
> > - x.y.z goes through RC phases
> >
> > That's how PHP has been doing it for a few years, and it's amazing how
> > well it works, how few regressions there are, and how predictable the
> > cycle is (they cut an x.y.zRC1 every four weeks like clockwork, with
> > exceptions only around late December because of holiday season).
> >
> > This would also fix all the confusing cases where two or three faulty
> > releases get made, end up in the changelog, but ultimately are never
> > released.
> >
> > On Fri, Apr 13, 2018 at 5:28 PM, William A Rowe Jr wrote:
> >> Terrific analysis! But on the meta-question...
> >>
> >> Instead of changing the behavior of httpd on each and every subversion bump,
> >> is it time to revisit our revisioning discipline and hygiene?
> >>
> >> I promise to stay out of such discussion provided that one equally stubborn
> >> and intractable PMC member agrees to do the same, and let the balance of the
> >> PMC make our decision, moving forwards.
> >>
> >> On Fri, Apr 13, 2018, 06:11 Joe Orton wrote:
> >>>
> >>> On Thu, Apr 12, 2018 at 09:38:46PM +0200, Ruediger Pluem wrote:
> >>> > On 04/12/2018 09:28 AM, Joe Orton wrote:
> >>> > > But logged is:
> >>> > >
> >>> > > ::1 - - [12/Apr/2018:08:11:12 +0100] "GET /agag HTTP/1.1" 404 12 HTTPS=on SNI=localhost.localdomain
> >>> > > 127.0.0.1 - - [12/Apr/2018:08:11:15 +0100] "GET /agag HTTP/1.1" 404 12 HTTPS=- SNI=-
> >>> > >
> >>> > > Now mod_ssl only sees the "off" SSLSrvConfigRec in the second vhost so
> >>> > > the logging is wrong.
> >>> >
> >>> > What does the same test result in with 2.4.29?
> >>>
> >>> Excellent question, I should have checked that. Long e-mail follows,
> >>> sorry.
> >>>
> >>> In fact it is the same with 2.4.29, because the SSLSrvConfigRec
> >>> associated with the vhost's server_rec is the same as the default/base
> >>> (non-SSL) server_rec, aka base_server passed to post_config hooks aka
> >>> the ap_server_conf global.
> >>>
> >>> So, maybe I understand this a bit better now.
> >>>
> >>> Config with three vhosts / server_rec structs:
> >>> a) base server config :80 non-SSL (<-- ap_server_conf/base_server)
> >>> b) alpha vhost :443, explicit SSLEngine on, SSLCertificateFile etc
> >>> c) beta vhost :443, no SSL*
> >>>
> >>> For 2.4.29 mod_ssl config derived is:
> >>> a) SSLSrvConfigRec for base_server = { whatever config at global scope }
> >>> b) SSLSrvConfigRec for alpha = { sc->enabled = TRUE, ... }
> >>> c) SSLSrvConfigRec pointer for beta == SSLSrvConfigRec for base_server
> >>> in the lookup vector (pointer is copied prior to ALWAYS_MERGE flag)
> >>>
> >>> For 2.4.33 it is:
> >>> a) and b) exactly as before
> >>> c) separate SSLSrvConfigRec for beta = { merged copy of config at global }
> >>> time because of the ALWAYS_MERGE flag, i.e. still sc->enabled = UNSET
> >>>
> >>> When running ssl_init_Module(post_config hook), with 2.4.29:
> >>> - SSLSrvConfig(base_server)->enabled = FALSE because UNSET previously
> >>> - SSLSrvConfig(base_server)->vhost_id gets overwritten with vhost_id
> >>> for beta vhost because it's later in the loop and there's no check
> >>>
> >>> And with 2.4.33:
> >>> - SSLSrvConfig(beta)->enabled is UNSET but gets flipped to ENABLED,
> >>> then startup fails (the issue in question)
> >>>
> >>> w/my patch for 2.4.33:
> >>> - SSLSrvConfig(beta)->enabled is FALSE and startup works
> >>>
> >>> At run-time a request via SSL which matches the beta vhost via SNI/Host:
> >>>
> >>> For 2.4.29:
> >>> - r->server is the beta vhost and mySrvConfig(r->server) still gives
> >>> you the ***base_server*** SSLSrvConfigRec i.e. sc->enabled=FALSE
> >>> - thus e.g. ssl_hook_Fixup() does nada
> >>>
> >>> For 2.4.33 plus my patch:
> >>> - r->server is the beta vhost and mySrvConfig(r->server) gives
> >>> you the SSLSrvConfigRec which is also sc->enabled = FALSE
> >>> - thus e.g. ssl_hook_Fixup() also does nada
> >>>
> >>> I was trying to convince myself whether mySrvConfig(r->server) is going
> >>> to change between 2.4.29 and .33+patch in this case, and I think it
> >>>
Re: open tags - minimal example
I only suggested a handler because the OP was comparing to PHP which, as far as I know, uses a handler and not an output filter. Is there any documentation about when to use one over the other?

- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.

On Jan 28, 2018 9:08 AM, "Nick Kew" <n...@apache.org> wrote:

On Sun, 2018-01-28 at 08:31 -0500, Yehuda Katz wrote:
> HTTPD doesn't see the tags in the file at all. The way the file is
> processed is determined by which Handler you set in the
> configuration:
> https://httpd.apache.org/docs/2.4/handler.html
>
> To have your probably use your own file extension, for example index.mystuff, and
> in your configuration, add AddHandler mystuff-handler .mystuff

A handler to parse file contents is actually a poor choice. You use an output filter. Relevant examples in the current codebase include mod_includes, which parses tags in a manner similar to what the OP seems to envisage, and mod_proxy_html which uses a markup-aware parser that feeds each <...> as an event to your registered callback. Either of those modules would be a starting point to look at.

--
Nick Kew
Re: open tags - minimal example
HTTPD doesn't see the tags in the file at all. The way the file is processed is determined by which Handler you set in the configuration: https://httpd.apache.org/docs/2.4/handler.html To have your wrote: Hi Eric, Thank you for the Link. I mean: "writing module to interpret codes like PHP." See: If the Developer of a Script (called e.g. "test.script"), and he/she insert a open-tag (called e.g. ) the end-tag is then ?>. How to handle It's not clear what you're asking. > > Are you asking about writing an Apache module that interprets PHP the > same way mod_php does? > > A basic introduction to writing modules is available here: > http://httpd.apache.org/docs/2.4/developer/modguide.html > > -- Eric Covener >
Re: Tool to analyze and minimize loaded modules.
The server-info handler can give you some of that information, but not 100%. It lists each module and the relevant configuration, but mod_info itself is an example of that not being enough: SetHandler server-info is listed in core.c and for me there is no configuration listed under mod_info. I cut this down from the full config to show relevant parts.

- Y

On Mon, May 15, 2017 at 12:12 PM, Mike Rumph wrote:
> Hello all,
>
> I was wondering if there is any tool available that can analyze the
> directives in an httpd instance's configuration files and determine which
> loaded modules are not being used.
> If not, maybe such a tool could be quite useful for reducing the memory
> footprint.
>
> Thanks,
>
> Mike Rumph
Re: [users@httpd] URG:DocumentRoot relate query on WIndows
Could this be a bug or feature in the Windows path handling? I have never touched this part of the code, but I don't immediately see where Windows paths would be handled differently. I suspect it is in apr_filepath_root in apr file_io/win32/filepath.c

I am trying to get my Windows build environment working, but if someone has seen this before, it might save me the time.

- Y

On Fri, Mar 10, 2017 at 11:27 AM, Yehuda Katz <yeh...@ymkatz.net> wrote:
> You can set the DocumentRoot to "C:/" (note the forward slash instead of
> the backslash).
> You can technically set it to just "/" also if you want the drive where
> HTTPD is located.
>
> When running HTTPD on Windows, it is good practice to use forward slashes
> even though backslashes work in some places.
> This is supposed to be inserted as a comment in the Windows httpd.conf (by
> httpd/branches/2.4.x/build/installwinconf.awk):
>
>> # NOTE: Where filenames are specified, you must use forward slashes
>> # instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
>> # If a drive letter is omitted, the drive on which httpd.exe is located
>> # will be used by default. It is recommended that you always supply
>> # an explicit drive letter in absolute paths to avoid confusion.
>
> - Y
>
> On Fri, Mar 10, 2017 at 8:37 AM, Eric Covener <cove...@gmail.com> wrote:
>
>> On Fri, Mar 10, 2017 at 8:25 AM, Ishan Thakur
>> <ishanthaku...@yahoo.in.invalid> wrote:
>> > “We are setting the documentRoot as “web”(no complete absolute path). This
>> > works fine for all the paths.
>> > The paths can be direct drive(D:\). But it fails only for C drive(C:\). The
>> > same works fine for all other paths(D:\, C:\Program Files…etc)
>> >
>> > For C drive, we are getting following error:
>> >
>> > Syntax error on line 129 of C:/httpd.conf:
>> > DocumentRoot must be a directory
>> > “
>> > Is there any restriction for C drive on Windows for Apache httpd-2.2.31?
>>
>> You'll have to provide some more detail. How does "web" work for
>> different drive letters? Do you specify different server roots in
>> different configuration files?
>>
>> There's nothing special about the C drive when you specify a DocumentRoot.
>>
>> --
>> Eric Covener
>> cove...@gmail.com
Re: The Version Bump fallacy [Was Re: Post 2.4.25]
On Wed, Dec 28, 2016 at 12:35 AM, William A Rowe Jr wrote:
> Our adoption is *broadly* based on the OS distributions
> from vendors, not from people picking up our sources.
> Yes - some integrate directly from source, and others
> use a non-OS distribution.

I think a significant number of users of nginx add the official nginx yum/apt sources and keep up to date that way (http://nginx.org/en/linux_packages.html#mainline). This is particularly true because the vendor-supplied versions are so old.

You can see this in the w3techs data: nginx 1.10.2 came out in October and already makes up 75% of all nginx 1.10 users. nginx 1.11.8 usage has similar trends.

A possible solution to this would be to start publishing binaries in a package-manager-accessible format. I am confident it would see a much higher rate of adoption.

- Y
Re: Query on linking Apache Mailing list with GitHUub Commits
HTTPD uses SVN, Github is just a nice mirror. Each git commit should have a line that starts "git-svn-id". The SVN commit number and canonical link is there.

- Y

On Mon, Nov 14, 2016 at 8:45 PM, Mehvish.Rashid wrote:
> I see code commits on this link: https://github.com/apache/httpd/commits
> But when I search for a svn commit, for example, "Re: svn commit: r1768245
> - " from mailing list: https://lists.apache.org/list.html?dev@httpd.apache.org:2016-11
> on the above link I cannot find it. Am
> looking for a way to link the committers in svn and mails sent by them on
> the above mailing list.
>
> -----Original Message-----
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: 15 November 2016 01:06
> To: Apache HTTP Server Development List
> Subject: Re: Query on linking Apache Mailing list with GitHUub Commits
>
> On Mon, Nov 14, 2016 at 7:58 PM, Mehvish.Rashid wrote:
> > 1) I would like to know where do developers on Apache HTTP Server ask
> > questions relating to code in inactive file.
> > Inactive file is a file on which there are no commit for some duration.
> > When some developer starts to work on the code of such file where do they
> > ask questions.
> > I see some communication on this link:
> > https://lists.apache.org/list.html?dev@httpd.apache.org
> > Are there any other places to find answers relevant to code.
>
> That's the right list, there are no other options. modules-dev@ is for
> module development questions about modules that aren't a part of httpd.
>
> > 2) Can questions on mailing list in the above link be linked to
> > commits on: https://github.com/apache/httpd
>
> Anyone is free to send an email with a link to a github link, but they are
> more likely to address something in terms of its SVN revision or respond to
> the email generated during the commit. For httpd, github is just a
> read/only mirror.
>
> --
> Eric Covener
> cove...@gmail.com
Re: [PATCH] Add "FreeListen" to support IP_FREEBIND
On Mon, Mar 7, 2016 at 9:06 PM, William A Rowe Jr wrote:
> On Mar 7, 2016 13:54, "Jan Kaluža" wrote:
> >
> > On 03/07/2016 04:17 PM, Jim Jagielski wrote:
> >>
> >> Instead of adding YAD (yet another directive ;) ), would it
> >> be possible to somehow leverage Listen itself, maybe with some
> >> sort of flag?
> >
> > Yes, that would be quite possible. I was thinking about that way, but I
> > have chosen YAD as a first approach. If you think adding flag to Listen is
> > better way, I can rework my patch.
> >
> > Regards,
> > Jan Kaluza
>
> Reviewing the behavior, an unadorned new directive makes more sense to me
> than cluttering Listen, which already takes one optional protocol behavior
> argument.
>
> The same handler can process both directives.

A benefit of using a flag is: what happens if the default changes at some point? YAD would need to be created to go back to the old behavior - which would make things more complicated.

Is it possible to use something like a plus/minus or question mark symbol with each address:port which would allow the default to be changed at some future point without requiring having this discussion again?

Example:
Listen ?192.170.2.1:80 # Use IP_FREEBIND to listen when IP is available (new behavior)
Listen +192.170.2.5:8000 # Require IP to be available (old behavior)
Listen [2001:db8::a00:20ff:fea7:ccea]:80 # Current default behavior (old)

- Y
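The prefix idea from the message above, as an added example: this is not httpd code and not the patch under discussion. It parses the proposed `?` / `+` prefixes and maps them to the Linux `IP_FREEBIND` socket option; the names `parse_listen`, `use_freebind` and `open_listener` are hypothetical, and the sketch assumes Linux and IPv4 only.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical names: the '?' and '+' prefixes come from the proposal in the
 * message above; nothing here is an existing httpd directive or API. */
enum bind_policy { BIND_DEFAULT, BIND_FREE, BIND_STRICT };

struct listen_spec {
    enum bind_policy policy;
    struct in_addr addr;
    unsigned short port;                /* host byte order */
};

/* Parse "[?|+]a.b.c.d:port" (IPv4 only). Returns 0 on success, -1 if malformed. */
int parse_listen(const char *arg, struct listen_spec *out)
{
    char host[INET_ADDRSTRLEN], *end;
    const char *colon;
    size_t len;
    long port;

    if (arg == NULL || out == NULL)
        return -1;
    out->policy = BIND_DEFAULT;
    if (*arg == '?') { out->policy = BIND_FREE; arg++; }
    else if (*arg == '+') { out->policy = BIND_STRICT; arg++; }

    colon = strrchr(arg, ':');
    if (colon == NULL || colon == arg)
        return -1;
    len = (size_t)(colon - arg);
    if (len >= sizeof host)
        return -1;
    memcpy(host, arg, len);
    host[len] = '\0';
    if (inet_pton(AF_INET, host, &out->addr) != 1)
        return -1;

    /* Digits only: strtol alone would accept a sign or leading spaces. */
    if (colon[1] < '0' || colon[1] > '9')
        return -1;
    errno = 0;
    port = strtol(colon + 1, &end, 10);
    if (errno != 0 || *end != '\0' || port < 1 || port > 65535)
        return -1;
    out->port = (unsigned short)port;
    return 0;
}

/* Resolve an unprefixed entry against the server-wide default, so that the
 * default can change later without affecting explicitly prefixed entries. */
int use_freebind(enum bind_policy policy, int default_is_free)
{
    if (policy == BIND_DEFAULT)
        return default_is_free != 0;
    return policy == BIND_FREE;
}

/* Returns a listening socket, or -errno on failure. */
int open_listener(const struct listen_spec *spec, int default_is_free)
{
    struct sockaddr_in sa;
    int freebind = use_freebind(spec->policy, default_is_free);
    int one = 1, err, fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -errno;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr = spec->addr;
    sa.sin_port = htons(spec->port);
    /* Set IP_FREEBIND explicitly to 0 or 1 so the policy is visible per socket. */
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &freebind, sizeof freebind) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 16) < 0) {
        err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample entries; 192.0.2.0/24 is documentation address space. */
    const char *lines[] = { "?192.0.2.1:8080", "+192.0.2.1:8080" };
    struct listen_spec spec;
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int fd = parse_listen(lines[i], &spec) == 0 ? open_listener(&spec, 0) : -EINVAL;
        printf("%-18s %s\n", lines[i], fd >= 0 ? "bound" : strerror(-fd));
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

On a typical Linux host where the address is not configured locally, the `+` entry fails with "Cannot assign requested address" while the `?` entry binds.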
Re: access control for dynamic hosts
dyndns is a company name, but it seems to be synonymous for a lot of systems with dynamic-dns. That would make a recognizable option for a lot of people.

- Y

On Tue, Mar 1, 2016 at 10:00 AM, Eric Covener wrote:
> On Tue, Mar 1, 2016 at 9:53 AM, wrote:
> > Maybe "Require ip" could be extended instead of using a new name:
> >
> > "Require ip myserver.apache.org"
>
> Unfortunately I think you need to pick an awkward name here so it
> cannot be confused/misused. Like "forward-dns"
>
> --
> Eric Covener
> cove...@gmail.com
[PATCH 58985] Add 451 status code
Hello all, I looked into the missing 451 status code because someone asked about it on the users list. It seems like a simple enough patch - since it is just copying an existing feature. I am looking at possibly contributing more and I am interested in feedback. https://bz.apache.org/bugzilla/show_bug.cgi?id=58985 - Y
APLOGNO() in mod_rewrite
I noticed today that errors about invalid flags on rewrite rules do not have APLOGNO() on them. cmd_rewriterule calls cmd_rewriterule_setflag and if a string is returned, prefixes "RewriteRule: " and returns that as an error. Should these have APLOGNO()? They are errors, but they don't use ap_log_rerror. If those have APLOGNO() added, should each possible flag error have a different one or are all flag errors the same and the code should be added before the "RewriteRule:" prefix? - Y
Broken Chunking with Fallback Resource
I was asked to look at a FreeBSD server with HTTPD 2.4.18 (mod_php - 5.6.17). The site experiencing the issue is running WordPress. There appears to be an issue with chunked responses not being delivered properly when using FallbackResource. Chrome and the W3 Validator both complain about missing chunks. There are no errors in the server error log. When we switched from FallbackResource to mod_rewrite, the problem disappeared. Has anyone seen this? If not, any debugging suggestions? - Y
Re: Did someone take over my JIRA account?
This mailing list is for HTTPD dev. I think you want to contact infra (http://www.apache.org/dev/infra-contact) for Jira issues. It is possible someone on this list has the necessary access to Jira to help you, but HTTPD uses Bugzilla, not Jira, so you are not likely to get help here.

- Y

On Sun, Jan 31, 2016 at 6:40 PM, Abhijit Sarkar wrote:
> Hi,
> I used to have a JIRA account and I went to check the status of a ticket I
> created in early 2015. However, the display name and the password seem to
> have been changed. Is this the result of someone taking over my JIRA
> account?
>
> https://issues.apache.org/jira/browse/MENFORCER-225
Re: Missing reference...
On Wed, Jan 27, 2016 at 10:51 PM, William A Rowe Jr wrote:
> I noted that https://en.wikipedia.org/wiki/Apache_HTTP_Server
> doesn't contain a "References in Popular Culture" section...
>
> ... does anyone have the link to Bill's Foxtrot panels about
> Jason grabbing his copy of Apache 2.0 Beta?

The link: http://www.gocomics.com/foxtrot/2005/01/11/

Wikipedia was on a "References in Popular Culture" purge cycle recently, so it might not stick. See also: https://en.wikipedia.org/wiki/Wikipedia:Xkcd_in_popular_culture

- Y
Documentation: Chrome breaks localhost resolution
I had several people contact me recently about broken Apache installations where the issue was actually with Chrome (I think starting with 43). When a system has IP-based vhosts on 127.0.0.0/8 besides 127.0.0.1 and uses the hostname anything.localhost, Chrome will no longer load those pages. This is their change: https://code.google.com/p/chromium/issues/detail?id=455825 This is not an HTTPD-specific issue, but I could see it being included either in the documentation or as a startup warning if there are vhosts ending in .localhost. Before I start writing/coding, I was wondering whether others think it is worth it? - Y
Fwd: [users@httpd] Looking for a new maintainer for FableTech Server Status for Apache
Dev list is probably a better place to ask this.

-- Forwarded message --
From: Morten Shearman Kirkegaard m...@fabletech.com
Date: Tue, Feb 17, 2015 at 1:37 PM
Subject: [users@httpd] Looking for a new maintainer for FableTech Server Status for Apache
To: us...@httpd.apache.org

Hi list,

A few years ago FableTech developed a tool which allows a sysadm to see what his Apache httpd is serving, even if the server-status page is not responding. It's relatively simple, but can be very useful.

Going forward we will not be able to maintain the project, so we are looking for somebody to take over. Perhaps the Apache Software Foundation would be interested in taking over this tiny project?

More information about the project: http://fabletech.com/ftss

Kind regards,
Morten
Re: MAJOR SECURITY-PROBLEM Apache 2.4.6
On Wed, Oct 1, 2014 at 2:19 PM, Eric Covener cove...@gmail.com wrote:

On Wed, Oct 1, 2014 at 2:16 PM, Eric Covener cove...@gmail.com wrote:

To me, this does not exonerate mod_php, it implicates it. I suspect your source code is served because PHP swallowed the LimitRequestBody and then passed control back to Apache. I'm fairly certain I responded to you privately with similar information already.

I should add that I don't understand your scenario completely, where the file is not processed. I think my own test result was the same as Yehuda ITT which is not the same as what I just described with the default handler taking over.

1. Is this result (PHP executed) still a bug (could be in mod_php)? If a 413 comes up, shouldn't no other content be returned? I am considering setting up a new VM to do some testing, but I want to make sure this is not the expected behavior (whether the PHP is executed or not).

2. Is there another module that hooks in with a similar way to mod_php that might also show this behavior (mod_lua for example)?

- Y
Re: SSL and NPN
I have not looked at the patches or ALPN in detail, but I think the important question is how hard it would be to change this for (or add) ALPN support. If Chrome is planning to remove NPN support, it does not seem very useful to add the feature to HTTPD.

- Y

On Mon, Apr 28, 2014 at 5:56 PM, Tim Bannister is...@jellybaby.net wrote:

On 28 Apr 2014, at 22:50, Jim Jagielski j...@jagunet.com wrote:

Any reason to NOT include
http://svn.apache.org/viewvc?view=revision&revision=1332643
http://svn.apache.org/viewvc?view=revision&revision=1487772
in 2.4??

I don't think https://www.imperialviolet.org/2013/03/20/alpn.html is enough reason not to backport, but I'll mention it.

--
Tim Bannister – is...@jellybaby.net
Re: Configuration error handling after httpd restart
Since this is up for discussion anyway, what if there was an option to set a directive as ignore-able. For example, PHP allows you to preface a function with `@` to ignore errors (http://www.php.net/manual/en/language.operators.errorcontrol.php). That way, if you restart and the error is Invalid command 'Xyzzy', you could make the decision to ignore it.

I am not sure how useful this would be in practice. The only thing that comes to mind is with a module like mod_auth_mysql where you could ignore errors about it being missing while still requiring some other type of authentication with satisfy any.

- Y

On Mon, Apr 14, 2014 at 12:00 PM, Jim Riggs apache-li...@riggs.me wrote:

On 14 Apr 2014, at 10:38, Eric Covener cove...@gmail.com wrote:

On Mon, Apr 14, 2014 at 11:15 AM, Mike Rumph mike.ru...@oracle.com wrote:

If there is an unknown directive in the config file, simply ignore it with a warning.

You can't do that. What if it was Reqiure?

I agree with Eric. I would not want unknown directives to be ignored. It might be a typo of a really important directive like Eric describes. Or, what if a module I really, really need is accidentally disabled and we just ignore all of its directives? Not good.

In this particular case, duplicating a Listen directive doesn't seem like it should bomb out the server.

Listen 80
...
Listen 80

It's superfluous, but not really a critical error. So, my patch just ignores subsequent duplicate Listens.
Re: Need an example of a simple application and how to set it up on Apache 2.2
This is more appropriate for the HTTPD Users list. http://httpd.apache.org/userslist.html The DEV list is for the server development. You need to also include what language your application is. By default Apache will only serve HTML unless you set up cgi or some other language module. On Tue, Dec 24, 2013 at 5:18 PM, Frederick Miller fjmille...@gmail.com wrote: I need an example of a simple application and how to set it up on Apache 2.2. I'm running Windows XP, and I've read all the documentation. I've put some Web apps under the htdocs folder, but they just show the source html and don't actually run the application. I'd like to see an example that is more than just HTML, what folder to copy it into, and what the expected output is. I've done JSPs and Servlets with Tomcat, but I'm new to Apache Server 2.2. Thanks. Frederick Miller
Re: Decrypting mod_session-created cookie
Here is the actual procedure (in TRUNK, but last modified 3 months ago, I did not look at what changed). http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_crypto.c?view=markup Ignoring the apache-specific configuration, it looks pretty standard to me (although I did not spend too long looking at it, but I did teach college-senior crypto last semester and it looks similar to a project we assigned). - Y On Mon, Jul 8, 2013 at 11:32 PM, Mikhail T. mi+t...@aldan.algebra.com wrote: 08.07.2013 19:35, Graham Leggett wrote: Like Daniel said, you don't need to know. This is unhelpful. Do you *know* the answer? If you do, could you share it? If you are trying to avoid committing to a particular method -- because you foresee it changing in the future -- well, that does not seem right either. The cookies may already be stored by the browsers and invalidating them all by upgrading the server would not be proper. You can configure the decrypted session to be provided to php either via an environment variable or a request header, your choice. You can then optionally update the session with a response header. All encryption is transparent to php. Only if the php is running on the same -- or similarly configured Apache server. And then there is the other aspect I mentioned -- the tests, which would require the session-cookie to be generated (correctly) inside JMeter. 08.07.2013 19:33, Daniel Lescohier wrote: Perhaps your decryption code isn't handling the salt? Perhaps... But for now I'm just trying to decrypt the existing cookie myself -- if only to better understand, how it is constructed. I'd appreciate the description of the method used -- rather than a lecture on how I don't need to worry my pretty little head... I'm also curious, if the cookie is only encrypted, or if it is also signed. As well as whether it is possible to just have it signed without encrypting... Thanks, -mi
Re: Decrypting mod_session-created cookie
Unfortunately not this week. Send me a reminder email next week and I should be able to look at it. - Y On Tuesday, July 9, 2013, Mikhail T. wrote: 08.07.2013 23:44, Yehuda Katz wrote: Ignoring the apache-specific configuration, it looks pretty standard to me (although I did not spend too long looking at it, but I did teach college-senior crypto last semester and it looks similar to a project we assigned). Would you be able to translate the calls to APR's crypto API into PHP's mcrypt http://www.php.net/manual/en/ref.mcrypt.php or openssl http://www.php.net/manual/en/ref.openssl.php functions? For simplicity, let's assume the cipher is always the default -- AES256. Thank you very much. Yours, -mi
Re: apache Binary called when php is run
If you just run a PHP script, none. If you mean that you go to a PHP script in the browser, then it depends on how you have PHP configured. The choices are mod_php, fastcgi, cgi (and maybe other options that I am not aware of). If you can provide more information, you might get a better answer. - Y On Thu, May 9, 2013 at 5:20 AM, kalyan sita kalyansit...@gmail.com wrote: can you please tell what is the apache binary which gets invoked when we run a php script because I need to debug the source apache modules Thanks, kalyan
Re: URL scanning by bots
On Tuesday, April 30, 2013, Christian Folini wrote: But you can try it out for yourself easily with 2-3 ModSecurity rules and the pause directive. Someone suggested the same idea to me and I tried it out on one of my servers by setting PHP as the 404 handler and having it loop there. (which saves you the trouble of setting up mod_security if you already have PHP). I noticed increased server load and no decrease in bot requests. - Y
Re: New RewriteMap Help/Suggestions
On Thu, Apr 25, 2013 at 10:35 AM, Jim Riggs apache-li...@riggs.me wrote: So, I have created a crude, working proof-of-concept of this. It basically copies all of the functionality of the txt maps, including the cache, but in the lookup_map_regexpfile() function, it compiles the regexp for each line, attempts a match, and returns the backref-substituted replacement. (This pair gets cached.) This works beautifully as is, but it is horribly inefficient to have to compile the REs every time we come in with a new key/URL. So, I was thinking of precompiling all of them and see three options: 1. Precompile and store all of the REs at config load time. 1a. Precompile and store all of the REs at config load time or when the map file is updated. 2. Compile and store all of the REs the first time we hit lookup_map_regexpfile() or when the map file is updated. 3. Compile and store each RE as we read through the map file in lookup_map_regexpfile() until a match is found and bail (full list will be built over time). #1 is nice, because all of the work is done up front and will be fast from then on. The problem, though, is that I would like this map to reload/refresh if the map file gets changed like the other types do. #2 and #3 solve this. With #2 I worry about performance of compiling everything if the map file gets updated and we get a thundering herd. With #3 there is some coordination to manage with respect to which lines have been compiled and which ones haven't. I think #3 is not a great idea for the same reason you mentioned. I have actually seen the problem that you mention in #2 in a live environment with a (poorly-designed) custom module. Each request tries to clear the cached results and build them again, very quickly overloading the server. You could potentially use something like ap_hook_monitor to watch the file for changes, paired with 1a (not sure how much load that might add). 
In my regular apache module reference (Nick Kew's Apache Modules Book which I keep on my office bookshelf) it is mentioned quickly (pages 67, 268, 337). - Y
Re: [Discuss] Time to rewrite/rethink modules.apache.org?
On Wed, Jan 23, 2013 at 4:04 AM, Daniel Gruno rum...@cord.dk wrote: If you find a bug, post it to me or on the list, whichever you think is appropriate. OK. Bug I found seems to be fixed (since about 2300 EST). When I clicked on the link to modules.lua on projects.lua, there was some error. Now it appears to be working. (and I just noticed that you sent me a message indicating that.) Several comments: - Clicking remove project should probably prompt Are you sure?. - It would be nice if the title would change based on the page you are on so that it is easier to use the browser's back/forward and history. - Y
Re: Win32 src bundles for Apache
On Tue, Dec 18, 2012 at 11:24 AM, Andy Wang aw...@ptc.com wrote: This was brought up a while ago that the Apache 2.4.x and 2.2.23 builds were lacking the win32 source bundle. There was some discussion about how to build these bundles: http://mail-archives.apache.org/mod_mbox/httpd-dev/201209.mbox/%3C506243E0.3050108%40apache.org%3E Is there any way to make available the details of how these windows src bundles are built for those of us that need to build our own? I imagine if I knew Windows better it may be more obvious but I'm really not a Windows developer and tend to just follow recipes when trying to make dev stuff work on Windows. I think half the trouble was actually getting it to compile reliably on Windows. (I have not tried too hard, but I know I have not been able to do it.) You can find instructions for x64 builds at http://wiki.apache.org/httpd/Win64Compilation I don't know how different the x86 build would be. - Y
Re: [users@httpd] Apache HTTP Server 2.4.x for Windows?
This argument has been going on the HTTPD-dev list recently too. Defining some terms should answer your question. Binaries are provided by volunteers who have commit access to the HTTPD project. They are not formally provided by the Apache Software Foundation. There is ongoing discussion on the dev list about a way forward with regard to Windows binary distribution. In the meantime, try the ApacheLounge binaries. (if I was not using a mobile device, I would post a link, but it should be easy enough to find anyway.) That said, please do not email the dev list to complain about the lack of official binaries. If you have any experience in automating the build process on Windows, that might be appreciated. - Y On Sunday, December 16, 2012, Esmond Pitt wrote: I know this has been discussed before but is this a policy change? I've been downloading Apache 2 Windows binaries direct from the project for about ten years. EJP -Original Message- From: Tom Evans [mailto:tevans...@googlemail.com] Sent: Thursday, 13 December 2012 11:31 PM To: us...@httpd.apache.org Subject: Re: [users@httpd] Apache HTTP Server 2.4.x for Windows? On Tue, Dec 11, 2012 at 4:47 PM, Ben Johnson b...@indietorrent.org wrote: The Apache Software Foundation does not provide Windows binaries. You must compile the software from source (no simple matter on Windows) or obtain binaries from a third party. Apache Lounge is the best known source for such binaries: https://www.apachelounge.com/download/ Just to clarify, this is not specific to Windows. The Apache httpd project doesn't provide any binaries for any platform. Cheers Tom -- Sent from a gizmo with a very small keyboard and hyper-active auto-correct.
Re: Volunteers to drive an MSI build
On Wed, Nov 28, 2012 at 10:35 AM, André Malo n...@perlig.de wrote: You know that, and I know that. Just as our Windows users know they have no use for source code. The discussion is moot. The ASF will not provide binary software. Is that a new policy? ASF has provided (i.e. made available on httpd.apache.org distribution mirrors) Windows binaries of HTTPD for (I can say every release, since I did not check, but you get the idea). The last one released was on 30-Jan-2012 of httpd-2.2.22-win32-x86-openssl-0.9.8t.msi (see http://www.us.apache.org/dist//httpd/binaries/win32/). There are *still* NetWare binaries being built.
Re: Volunteers to drive an MSI build
On Sat, Nov 17, 2012 at 10:59 AM, Issac Goldstand mar...@beamartyr.net wrote: Why not go the IIS route and use a c:\wwwroot or the like for non program-file stuff (logs, cgi-bin, docs, htdocs, conf)? That is similar to what the Debian package maintainers do (see http://wiki.apache.org/httpd/DistrosDefaultLayout). I just wonder if it is really a good idea to have the official builds put the folders in a different place than building from source. The only other official binary for 2.4 is for Netware and there is no documentation on the wiki page if the layout is different. If you are looking for the place for data, the correct place for conf, logs, and maybe cgi-bin would be in a subfolder in %PROGRAMDATA% (PROGRAMDATA is usually C:\ProgramData\). (That is where MySQL builds appear to put their data too.) I would say that htdocs should be in a subfolder of %PUBLIC%. See this MSDN blog post for more info: http://blogs.msdn.com/b/cjacks/archive/2008/02/05/where-should-i-write-program-data-instead-of-program-files.aspx Other notes about this proposal: The trick to this would be that some people enable mod_userdir in a way that will cause overlap and potential security issues: UserDir C:/Users/*/Website If htdocs is in C:\Users\Public\Website, then Location(Match) rules would probably not apply to it if accessed as ~public, which is a security problem.
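The overlap described in the message above, written out as an added httpd 2.4 configuration example (not part of the original post and not the httpd project's own configuration). The `private` subdirectory and the access rules are assumptions chosen for illustration; the two paths are the ones quoted in the message.

```apache
# Added example. Paths come from the message above; the "private"
# subdirectory and the Require rules are hypothetical.

# htdocs placed under %PUBLIC%, as proposed in the thread
DocumentRoot "C:/Users/Public/Website"

# mod_userdir mapping quoted in the message: /~name/ -> C:/Users/name/Website
UserDir "C:/Users/*/Website"

# --- Weak: access control keyed on the URL -------------------------------
# This matches http://host/private/... only. With the UserDir line above,
# the same files are also served as http://host/~public/private/...,
# a URL this section never matches.
#<Location "/private">
#    Require all denied
#</Location>

# --- Corrected ------------------------------------------------------------
# 1. Remove the second URL for the document root: the shared Public
#    profile is not a per-user site.
UserDir disabled public

# 2. Default-deny the profile tree and open only the Website folders.
<Directory "C:/Users">
    AllowOverride None
    Require all denied
</Directory>
<Directory "C:/Users/*/Website">
    Require all granted
</Directory>

# 3. Key the restriction on the filesystem path, so it applies whichever
#    URL ends up mapped to these files.
<Directory "C:/Users/Public/Website/private">
    Require all denied
</Directory>
```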
Volunteers to drive an MSI build
William Rowe said he was working on a new WiX-based installer (that is the same installer that Microsoft now uses for Visual Studio). http://mail-archives.apache.org/mod_mbox/httpd-users/201210.mbox/%3c5085fe9a@rowe-clan.net%3e That should make the process significantly easier. - Y On Monday, November 12, 2012, Igor Galić wrote: Hi folks, At ApacheCon I discussed with the few httpd and Infra folks that it would be a Really Good Idea to have, once again, an MSI build for Windows. Of course we shouldn't be satisfied with the same arduous release process as we had for 2.2 - and instead strive to automate it! I have opened an INFRA ticket https://issues.apache.org/jira/browse/INFRA-5509 to setup a Windows Server VM/buildbot - and am now looking for volunteers to step forward. - Just raise your hand here and update the above ticket with your Apache ID. (Yes, you need to be a committer already) You'll get a login on the machine once it's setup and can fiddle around and poke until you make it work - out of the box. o/~ -- Igor Galić Tel: +43 (0) 664 886 22 883 Mail: i.ga...@brainsware.org URL: http://brainsware.org/ GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE