Re: [users@httpd] Apache24 - how to optimize httpd.conf
From Apache point of view...

* Don't use .htaccess files... put everything in httpd.conf (or equivalent) there is a huge file system performance hit {Apache has to look for .htaccess files in the directory and any parent directories} include AllowOverride None in httpd.conf
* Remove etags (Header unset Etag/FileETag None)
* Enable keepalive
* Turn on gzip encoding {mod_deflate} which you have done
* Auto set expiry dates into the future {mod_expires}: ExpiresActive On / ExpiresDefault access plus 366 day / Header append Cache-Control public for static content...

Additionally...

* For images look at: optipng, jpegoptim, advpng... {consider spriting if useful}
* For minifying CSS/JS: look at yui compressor and google closure compiler... (Use jshint to check your js to make sure that it will merge/compress OK)
* Can use a number of build tools to do some of this auto-magically...
* Move (most) JS to the foot of the page

Watch out with minifying HTML - there is a minor bug with most of the minifiers which can't handle correctly ends of line after tags, and if you have gzip encoding it usually doesn't make a difference!

Finally...

* Look at your code and try and optimize your HTML { put as much presentation as possible into CSS }
* Look at your JS - don't use multiple library classes - I have seen sites using jQuery, Scriptaculous and YUI at the same time!
On 08/06/2015 22:43, Motty Cruz wrote:

Hello, I added this code on .htaccess

    <IfModule mod_mime.c>
        AddType application/x-javascript .js
        AddType text/css .css
    </IfModule>
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/javascript
        <IfModule mod_setenvif.c>
            BrowserMatch ^Mozilla/4 gzip-only-text/html
            BrowserMatch ^Mozilla/4\.0[678] no-gzip
            BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        </IfModule>
        <IfModule mod_headers.c>
            Header append Vary User-Agent env=!dont-vary
        </IfModule>
    </IfModule>

does not seem to make a difference!

On 06/08/2015 02:38 PM, Emir Ibrahimbegovic wrote:

What have you tried?

On Mon, Jun 8, 2015 at 5:35 PM, Motty Cruz motty.c...@gmail.com wrote:

Hello, I am getting the following suggestions from: https://developers.google.com/speed/pagespeed/insights/

Should Fix:
Optimize images
Leverage browser caching

Consider Fixing:
Eliminate render-blocking JavaScript and CSS in above-the-fold content
Minify CSS
Minify HTML

What is the best practice to solve errors above?

Thanks,

To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
RE: [users@httpd] Client Auth Retries
The documentation recommends a higher value for the sslsessioncache, probably for performance reasons. I wonder if you can unset that ssl header variable when your user hits the error page or before they try again, using mod_headers unset directive, configured only on that directory or file?

From: mcgr...@nps.edu
To: users@httpd.apache.org
Date: Thu, 4 Jun 2015 19:32:33 +
Subject: Re: [users@httpd] Client Auth Retries

I think that’s part of it—SSLSessionCache on the server was set to five minutes. Dialing it down to 10 seconds seems to have solved the problem on Safari, but it persists on Chrome, even after a server restart. It fixes itself after a Chrome restart, so clearly Chrome is doing some caching of something, somewhere.

What are the consequences of having a low SSLSessionCache value on the server?

Further client diagnosis:

* Chrome 43 OS X renegotiates with the smart card if you open an incognito window. The same behavior manifests itself in other incognito windows, though, i.e. if you fail smart card auth it won’t go back and retry smart card auth. This suggests to me that Chrome is doing some client side SSLSessionCache, and they maintain different caches for regular windows and incognito windows, but within each cache the problem persists.
* Safari 8.0.6 OS X works as expected with the SSLSessionCache setting on the server side. Dialing up the SSLSessionCache replicates the problem.

So it can be both a client and server side issue.

On Jun 3, 2015, at 5:16 PM, Scot Russell scotrussell...@hotmail.com wrote:

I don't have an answer for you, a couple thoughts though, are you using an SSL cache that may be caching the info? I think there is a cache directive in mod ssl. Or is there software on the client for handling the smart card that could be set or configured to renegotiate?

From: mcgr...@nps.edu
To: users@httpd.apache.org
Date: Wed, 3 Jun 2015 23:21:57 +
Subject: Re: [users@httpd] Client Auth Retries

This behavior is puzzling. Once the browser goes to the “mistake” page, it won’t renegotiate the SSL connection with the smart card despite

- No open https connections to the server
- The behavior persists across a server restart
- The behavior persists across a “clear cache” on the client browser (Chrome)

The only way to force it to use the smart card auth appears to be quitting and restarting the browser.

On Jun 2, 2015, at 3:18 PM, McGregor, Donald (Don) (CIV) mcgr...@nps.edu wrote:

I’m trying to set up client authentication using smart cards and be reasonably polite about auth failures. A typical failure mode is that the user doesn’t have the card inserted; I should send them to a warning page, then let them retry.

The relevant config file for the top level:

    SSLVerifyClient optional
    RewriteEngine On
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS
    RewriteRule .* /mistake/index.html [L]
    <Directory /var/www/html/mistake>
        SSLVerifyClient none
    </Directory>

Client auth is optional, but if it fails they see the informational page telling them to use a smart card, in a directory without smart card auth required.

This successfully rewrites to the informational page when they don’t have the smart card inserted. The first time in, if client auth fails for some reason they see the error page, and if they do have the card and authenticate, they see the expected content.

But if they see the error page, then insert the card, and then try to go to the https://myhost/content, they continue to see the error page. It seems as if the HTTPS connection is not being renegotiated or that the SSL_CLIENT_VERIFY is not being reset to SUCCESS on retry.

Or is there a better way to do this?
[users@httpd] Issue with Mutual SSL Authentication
Hi Team,

we are facing issues while performing Mutual SSL Authentication between Apache HTTPD Proxy and Server (using BW as Server).

Scenario is: HTTP Client --- (http connection)--- Apache HTTPD --- (https connection) ---HTTPS Server.

Server side authentication is working fine on both Linux and Windows environment. However, Mutual SSL authentication is only working on Windows, and facing issues while implementing same logic on Linux.

On Windows we are using the latest Apache HTTPD Proxy version 2.4.10. And for Linux we are using Apache HTTPD Proxy version 2.2.26.

The problem appears to be that HTTPD does not include the issuer details while presenting its certificate to the server, so probably it's failing chain verification. We have tried many options found on the net like including the flag SSLOptions +ExportCertData, but nothing seems to help. On Linux HTTPD is not sending the full certificate details back to the server.

Please find below the Logs for both Windows(success) and Linux(error) Environments:

Windows
Server version: Apache/2.4.10 (Win64) Apache Lounge VC11
Server built: Jul 17 2014 12:58:29
Logs:
[Wed Jun 03 16:21:18.307618 2015] [ssl:debug] [pid 6580:tid 964] ssl_engine_kernel.c(1517): [remote 127.0.0.1:9099] AH02277: Proxy client certificate callback: (Proxy:hostname) AH02278: no acceptable CA list, sending [subject: CN=Proxy,OU=ITS,O=X,L=X,ST=X,C=X / issuer: CN=X,DC=testcore,DC=test,DC=dir,DC=X,DC=com / serial: 247B89560002890B / notbefore: Apr 19 04:24:18 2015 GMT / notafter: Apr 18 04:24:18 2017 GMT]
[Wed Jun 03 16:21:18.441632 2015] [ssl:debug] [pid 6580:tid 964] ssl_engine_kernel.c(1836): [remote 127.0.0.1:9099] AH02041: Protocol: TLSv1, Cipher: X
[Wed Jun 03 16:21:18.441632 2015] [ssl:debug] [pid 6580:tid 964] ssl_util_ssl.c(343): AH02412: [Proxy_Server:hostname] Cert matches for name 'Server' [subject: CN=Server,OU=ITS,O=X,L=X,ST=X,C=X / issuer: CN=XCA1,DC=testcore,DC=test,DC=dir,DC=X,DC=com / serial: 24884F6A0002890F / notbefore: Apr 19 04:38:15 2015 GMT / notafter: Apr 18 04:38:15 2017 GMT]

Linux
Server version: Apache/2.2.26 (Unix)
Server built: Jul 18 2014 10:26:47
Logs:
[Thu Jun 04 13:00:49 2015] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //Server_URL
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(1513): [client 10.75.19.54] proxy: https: found worker https://Server_URL for https://Server_URL
[Thu Jun 04 13:00:49 2015] [debug] mod_proxy.c(1036): Running scheme https handler (attempt 0)
[Thu Jun 04 13:00:49 2015] [debug] mod_proxy_http.c(1974): proxy: HTTP: serving URL https://Server_URL
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2018): proxy: HTTPS: has acquired connection for (Server)
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2074): proxy: connecting https://Server_URL to Server:hostname
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2200): proxy: connected /WSDL-service0.serviceagent/PortTypeEndpoint0 to Server:hostname
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2451): proxy: HTTPS: fam 2 socket created to connect to Server
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2583): proxy: HTTPS: connection complete to Server:hostname
[Thu Jun 04 13:00:49 2015] [info] [client 10.75.19.54] Connection to child 0 established (Server:hostname)
[Thu Jun 04 13:00:49 2015] [info] Seeding PRNG with 144 bytes of entropy
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_io.c(1090): [client 0.0.0.0] SNI extension for SSL Proxy request set to 'Server'
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1915): OpenSSL: Handshake: start
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: before/connect initialization
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv2/v3 write client hello A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/7 bytes from BIO#7f1409de9600 [mem: 7f1409deebe0] (BIO dump follows)
Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 read server hello A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] Certificate Verification: depth: 3, subject: /CN=X X, issuer: /CN=X
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] Certificate Verification: depth: 2, subject: /CN=X, issuer: /CN=X
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] Certificate Verification: depth: 1, subject: /DC=com/DC=X/DC=dir/DC=test/DC=testcore/CN=X, issuer: /CN=X
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] Certificate Verification: depth: 0, subject: /C=X/ST=X/L=X/O=X/OU=ITS/CN=Server, issuer: /DC=com/DC=X/DC=dir/DC=test/DC=testcore/CN=X
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 read server certificate A
[Thu Jun 04
Re: [users@httpd] Apache24 - how to optimize httpd.conf
Hi James,

On 06/09/2015 03:59 PM, James Smith wrote:

In many cases it will only be a few packets anyway so won't actually make that much difference! The point is that it is better to stop the request in the first place by setting the appropriate expires/cache control header... than use the etag mechanism...

In case it wasn't clear, we very much agree on this one, my question was centered on the ETag in particular. Thanks for your reply!

James

On 09/06/2015 14:56, Frederik Nosi wrote:

Hi James,

On 06/09/2015 02:36 PM, James Smith wrote:

Yes - it is the request overhead - the client will still make the request at which point the server has got to decide has it changed before even - which for most static requests is the heaviest (slowest) part before returning the not-changed response - and then serving the content!

But at this point the server in case of a positive match will send just a 304 reply with no content, thus saving bandwidth and time (due to eventual roundtrips) no?

You are better to: (a) set near future or mid future headers [ expires in a month or in a year]

Sure, the best request is the one that does not even come :-)

(b) alter filenames if you significantly change the file contents [ we use MD5 of content for js/css ]

This only if you're in the position to decide the site layout though.

Note this is hyper-tuning of Apache... some people may want to enable it - it was originally set up when most users were on 28K/33.6K modems (or slower) and the transfer of data was the slow part of the equation!

James

[...]

Thanks,
Frederik
Re: [users@httpd] Issue with Mutual SSL Authentication
On Tue, Jun 9, 2015 at 9:29 AM, Karan Mengi karan_me...@infosys.com wrote:

The problem appears to be that HTTPD does not include the issuer details while presenting its certificate to the server, so probably it's failing chain verification. We have tried many options found on the net like including the flag “SSLOptions +ExportCertData”, but nothing seems to help.

Did you try SSLProxyMachineCertificateChainFile?

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxymachinecertificatechainfile
[users@httpd] HOW TO APPLY TOMCAT UPGRADE
I need step-by-step to upgrade to apache v7.0.40, what to download and how to apply this on production environment.

*SALAMI KEHINDE R*
Re: [users@httpd] Apache24 - how to optimize httpd.conf
Thanks for your suggestions!

Thanks,
Motty

On 06/09/2015 06:59 AM, James Smith wrote:

In many cases it will only be a few packets anyway so won't actually make that much difference! The point is that it is better to stop the request in the first place by setting the appropriate expires/cache control header... than use the etag mechanism...

James

On 09/06/2015 14:56, Frederik Nosi wrote:

Hi James,

On 06/09/2015 02:36 PM, James Smith wrote:

Yes - it is the request overhead - the client will still make the request at which point the server has got to decide has it changed before even - which for most static requests is the heaviest (slowest) part before returning the not-changed response - and then serving the content!

But at this point the server in case of a positive match will send just a 304 reply with no content, thus saving bandwidth and time (due to eventual roundtrips) no?

You are better to: (a) set near future or mid future headers [ expires in a month or in a year]

Sure, the best request is the one that does not even come :-)

(b) alter filenames if you significantly change the file contents [ we use MD5 of content for js/css ]

This only if you're in the position to decide the site layout though.

Note this is hyper-tuning of Apache... some people may want to enable it - it was originally set up when most users were on 28K/33.6K modems (or slower) and the transfer of data was the slow part of the equation!

James

[...]

Thanks,
Frederik
Re: [users@httpd] HOW TO APPLY TOMCAT UPGRADE
On Tue, Jun 9, 2015 at 11:41 AM, Salami Kehinde Rasheed kennysal...@gmail.com wrote:

I need step-by-step to upgrade to apache v7.0.40, what to download and how to apply this on production environment.

*SALAMI KEHINDE R*

This is the wrong mailing list; this list is for supporting Apache HTTP Server, not Apache Tomcat. Look here: http://tomcat.apache.org/lists.html

--
Born in Roswell... married an alien...
http://emptyhammock.com/
[users@httpd] mod_fcgid tmp dir issue
When using Sugar CRM under mod-fcgid, we encounter a problem after a few days of running. The error logged by httpd is:

[Tue Jun 09 09:32:33.423239 2015] [fcgid:warn] [pid 5202:tid 140367450076928] (20014)Internal error: [client 75.147.140.126:5] mod_fcgid: can't get tmp dir, referer: http://crm.ourdomain.com/index.php?module=Accountsaction=DetailViewrecord=7c77ce81-a854-7b8e-65d0-52fd384deacq

So, when this occurs, it keeps occurring forever until we restart httpd. It will then work for 2-5 days, and, then happen again. Once it starts happening, all users are affected, same mod_fcgid process or not. Only a restart of httpd seems to matter to clear it.

This appears to be triggered in the mod_fcgid code:

    rv = apr_temp_dir_get(&tempdir, r->pool);
    if (rv != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r,
                      "mod_fcgid: can't get tmp dir");
        return HTTP_INTERNAL_SERVER_ERROR;
    }

A df -h shows:

    Filesystem                 Size  Used Avail Use% Mounted on
    /dev/mapper/VGLSI-root      30G  6.7G   23G  23% /
    devtmpfs                    32G     0   32G   0% /dev
    tmpfs                       32G     0   32G   0% /dev/shm
    tmpfs                       32G   50M   32G   1% /run
    tmpfs                       32G     0   32G   0% /sys/fs/cgroup
    /dev/sda2                  497M  207M  290M  42% /boot
    /dev/mapper/VGLSI-solr      63G   11G   53G  17% /solr
    /dev/mapper/VGLSI-backups   50G  245M   50G   1% /backups
    /dev/mapper/VGLSI-home     1.5T  944G  521G  65% /home
    /dev/mapper/VGLSI-var      489G  184G  305G  38% /var

Apache status shows:

    mod_fcgid status:
    Total FastCGI processes: 3
    Process: php5.fcgi (/home/crm/fcgi-bin/php5.fcgi)
    Pid Active Idle Accesses State
    11573 217460 79 Ready
    11574 217449 72 Ready
    10713 290012 165 Ready

/tmp used to be on its own filesystem, on the off chance that has an effect, we removed it to use root filesystem. No impact. Even if at the instant in time the root filesystem was full, and it isn’t, it happens forever until we restart Apache. Once it starts, all Sugar file uploads fail.

I know that mod_fcgid obtains its temp dir when a file is larger than some threshold, a value set. Ours is default value, whatever that is. I am not sure where this can be tuned, anyone know? Is it perhaps FcgidMaxRequestInMem? What is the impact to the system if I change this to say 100MB? Will each process consume that much more memory, or, is the memory freed? If I can increase it to larger than anyone ever uploads, seems like I might avoid the problem as long as I don’t lose all the memory permanently so to speak.

Here’s our mod_fcgid config:

    FcgidIPCDir /run/mod_fcgid
    FcgidProcessTableFile /run/mod_fcgid/fcgid_shm
    FcgidMaxRequestsPerProcess 500
    FcgidMaxProcesses 100
    FcgidMinProcessesPerClass 0
    FcgidIOTimeout 121
    FcgidIdleTimeout 600
    FcgidErrorScanInterval 10
    FcgidFixPathinfo 1

mod_fcgid version is Centos 7 standard 2.3.9 with Apache 2.4.6 as we use the standard repository. The application used to be running on Centos 6 without issue. That uses Apache 2.2.15 and mod_fcgid 2.3.7.

Steve
Re: [users@httpd] HOW TO APPLY TOMCAT UPGRADE
Hello Jeff,

I need step-by-step to make apache-httpd-upgrade-2_2_29, what to download and how to apply this on production environment (Windows Server 2008 and 2012R2).

I want to close *Apache HTTPD: mod_status buffer overflow (CVE-2014-0226)* vulnerability,
I want to close *Apache HTTPD: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)* vulnerability.

I got advice to upgrade to 2.2.29 of httpd and I am running on Windows Server machine... Kindly assist on how I can handle this without causing disruption on this operation. I need your response.

On Tue, Jun 9, 2015 at 5:36 PM, Jeff Trawick traw...@gmail.com wrote:

On Tue, Jun 9, 2015 at 11:41 AM, Salami Kehinde Rasheed kennysal...@gmail.com wrote:

I need step-by-step to upgrade to apache v7.0.40, what to download and how to apply this on production environment.

*SALAMI KEHINDE R*

This is the wrong mailing list; this list is for supporting Apache HTTP Server, not Apache Tomcat. Look here: http://tomcat.apache.org/lists.html

--
Born in Roswell... married an alien...
http://emptyhammock.com/

--
*SALAMI KEHINDE R*
*+234-8056511120*
Re: [users@httpd] Apache24 restrict director access by IP
Thanks, seem to be blocking me when accessing from a different IP now: here is the code am using:

    # defense against brute force attacks
    <Directory ~ /administrator>
        order deny,allow
        Deny from all
        allow from 192.168.1.65
    </Directory>

yes! I am using Apache 2.4 version.

On 06/09/2015 02:18 PM, Richard wrote:

Date: Tuesday, June 09, 2015 02:11:55 PM -0700
From: Motty Cruz motty.c...@gmail.com

Hello, I am trying to restrict access to joomla Administrator directory by IP:

    # defense against brute force attacks
    <Directory /administrator>
        order deny,allow
        Deny from all
        Require ip 192.168.1.65
    </Directory>

this code on httpd.conf is not stopping me from logging onto www.site.com/administrator any ideas? I used this http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html

Thanks
Motty

What you are showing are apache 2.2 access control directives. These changed with 2.4, so if you are using 2.4, as implied by your subject line, see the Run-Time Configuration Changes section of: http://httpd.apache.org/docs/2.4/upgrading.html
[users@httpd] Apache24 restrict director access by IP
Hello, I am trying to restrict access to joomla Administrator directory by IP:

    # defense against brute force attacks
    <Directory /administrator>
        order deny,allow
        Deny from all
        Require ip 192.168.1.65
    </Directory>

this code on httpd.conf is not stopping me from logging onto www.site.com/administrator any ideas? I used this http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html

Thanks
Motty
Re: [users@httpd] Apache24 restrict director access by IP
Date: Tuesday, June 09, 2015 02:11:55 PM -0700
From: Motty Cruz motty.c...@gmail.com

Hello, I am trying to restrict access to joomla Administrator directory by IP:

    # defense against brute force attacks
    <Directory /administrator>
        order deny,allow
        Deny from all
        Require ip 192.168.1.65
    </Directory>

this code on httpd.conf is not stopping me from logging onto www.site.com/administrator any ideas? I used this http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html

Thanks
Motty

What you are showing are apache 2.2 access control directives. These changed with 2.4, so if you are using 2.4, as implied by your subject line, see the Run-Time Configuration Changes section of: http://httpd.apache.org/docs/2.4/upgrading.html
Re: [users@httpd] Apache24 restrict director access by IP
Thanks for your support; I changed my code to this:

    <Directory ~ /administrator>
        Require all denied
        Require ip 192.168.1.65
    </Directory>

now is working fine.

Thanks,
Motty

On 06/09/2015 02:27 PM, Richard wrote:

Original Message
Date: Tuesday, June 09, 2015 09:18:02 PM +
From: Richard lists-apa...@listmail.innovate.net

Date: Tuesday, June 09, 2015 02:11:55 PM -0700
From: Motty Cruz motty.c...@gmail.com

Hello, I am trying to restrict access to joomla Administrator directory by IP:

    # defense against brute force attacks
    <Directory /administrator>
        order deny,allow
        Deny from all
        Require ip 192.168.1.65
    </Directory>

this code on httpd.conf is not stopping me from logging onto www.site.com/administrator any ideas? I used this http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html

Thanks
Motty

What you are showing are apache 2.2 access control directives. These changed with 2.4, so if you are using 2.4, as implied by your subject line, see the Run-Time Configuration Changes section of: http://httpd.apache.org/docs/2.4/upgrading.html

Apologies (overlooked part of your directives) -- You have a mix of 2.2 and 2.4 directives. The order directives are 2.2, while require are 2.4, so I suspect your directives aren't being parsed correctly by your 2.4 environment. I think things are clearer in the upgrading document than the one you referenced.
Re: [users@httpd] Apache24 restrict director access by IP
Original Message
Date: Tuesday, June 09, 2015 09:18:02 PM +
From: Richard lists-apa...@listmail.innovate.net

Date: Tuesday, June 09, 2015 02:11:55 PM -0700
From: Motty Cruz motty.c...@gmail.com

Hello, I am trying to restrict access to joomla Administrator directory by IP:

    # defense against brute force attacks
    <Directory /administrator>
        order deny,allow
        Deny from all
        Require ip 192.168.1.65
    </Directory>

this code on httpd.conf is not stopping me from logging onto www.site.com/administrator any ideas? I used this http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html

Thanks
Motty

What you are showing are apache 2.2 access control directives. These changed with 2.4, so if you are using 2.4, as implied by your subject line, see the Run-Time Configuration Changes section of: http://httpd.apache.org/docs/2.4/upgrading.html

Apologies (overlooked part of your directives) -- You have a mix of 2.2 and 2.4 directives. The order directives are 2.2, while require are 2.4, so I suspect your directives aren't being parsed correctly by your 2.4 environment. I think things are clearer in the upgrading document than the one you referenced.
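An added example, not part of the thread and not httpd's own code: a Python check that flags configuration sections mixing 2.2 access directives (Order/Allow/Deny/Satisfy) with 2.4 `Require`, the situation Richard describes above and one the 2.4 upgrading guide discourages. The sample configs are the three blocks posted in the thread with the angle brackets the archive dropped restored, plus a 2.4-only form; the function names and finding labels are made up for this example.

```python
import re
from dataclasses import dataclass, field

# httpd 2.2 access directives (served by mod_access_compat on 2.4).
LEGACY = {"order", "allow", "deny", "satisfy"}
# mod_authz_core grouping containers; they do not start a new config section.
AUTHZ_BLOCKS = {"requireall", "requireany", "requirenone"}
OPEN = re.compile(r"^<\s*([A-Za-z]+)\b.*>$")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")

# Constructed samples: the blocks from the thread, brackets restored.
ORIGINAL = """\
# defense against brute force attacks
<Directory /administrator>
    order deny,allow
    Deny from all
    Require ip 192.168.1.65
</Directory>
"""
SECOND = """\
<Directory ~ /administrator>
    order deny,allow
    Deny from all
    allow from 192.168.1.65
</Directory>
"""
FINAL = """\
<Directory ~ /administrator>
    Require all denied
    Require ip 192.168.1.65
</Directory>
"""
MINIMAL = """\
<Directory ~ /administrator>
    Require ip 192.168.1.65
</Directory>
"""

@dataclass
class Section:
    name: str                                     # opening tag, or "(server config)"
    line: int                                     # line where the section opens
    legacy: list = field(default_factory=list)    # (line_no, text) of 2.2 directives
    require: list = field(default_factory=list)   # (line_no, text) of Require lines
    authz_blocks: int = 0                         # <RequireAll>/<RequireAny>/<RequireNone> seen

def logical_lines(text):
    """Yield (line_no, text), skipping comments and joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf and not buf.startswith("#"):
            yield start, buf
        buf = ""

def scan(text):
    """Group access-control directives by the innermost enclosing container."""
    root = Section("(server config)", 0)
    stack, sections = [root], [root]
    for no, line in logical_lines(text):
        closing, opening = CLOSE.match(line), OPEN.match(line)
        if closing:
            if closing.group(1).lower() not in AUTHZ_BLOCKS and len(stack) > 1:
                stack.pop()
        elif opening:
            if opening.group(1).lower() in AUTHZ_BLOCKS:
                stack[-1].authz_blocks += 1
            else:
                # Every other container (Directory, Location, IfModule, ...) is
                # classified on its own, so version-guarded blocks are not merged.
                stack.append(Section(line, no))
                sections.append(stack[-1])
        else:
            word = line.split(None, 1)[0].lower()
            if word in LEGACY:
                stack[-1].legacy.append((no, line))
            elif word == "require":
                stack[-1].require.append((no, line))
    return sections

def audit(text):
    """Return (finding, section, line) tuples for sections worth a second look."""
    findings = []
    for sec in scan(text):
        uses_new = bool(sec.require or sec.authz_blocks)
        if sec.legacy and uses_new:
            findings.append(("mixed", sec.name, sec.line))
        elif sec.legacy:
            findings.append(("legacy-only", sec.name, sec.line))
        elif not sec.authz_blocks and len(sec.require) > 1 and any(
                t.lower().split() == ["require", "all", "denied"] for _, t in sec.require):
            findings.append(("redundant-deny", sec.name, sec.line))
    return findings

if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL), ("second", SECOND),
                       ("final", FINAL), ("minimal", MINIMAL)]:
        print(label, audit(cfg))
```

`redundant-deny` reflects that bare `Require` lines in one section are combined as an implicit `<RequireAny>`, so `Require ip` on its own gives the same allowlist. `<Directory>` matches filesystem paths rather than URL paths, which is worth checking when a block appears to have no effect.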
Re: [users@httpd] Apache24 - how to optimize httpd.conf
Yes - it is the request overhead - the client will still make the request at which point the server has got to decide has it changed before even - which for most static requests is the heaviest (slowest) part before returning the not-changed response - and then serving the content!

You are better to:

(a) set near future or mid future headers [ expires in a month or in a year]
(b) alter filenames if you significantly change the file contents [ we use MD5 of content for js/css ]

Note this is hyper-tuning of Apache... some people may want to enable it - it was originally set up when most users were on 28K/33.6K modems (or slower) and the transfer of data was the slow part of the equation!

James

On 09/06/2015 13:27, Frederik Nosi wrote:

Hi James,

On 06/09/2015 10:24 AM, James Smith wrote:

From Apache point of view...

* Don't use .htaccess files... put everything in httpd.conf (or equivalent) there is a huge file system performance hit {Apache has to look for .htaccess files in the directory and any parent directories} include AllowOverride None in httpd.conf
* Remove etags (Header unset Etag/FileETag None)

Won't this disable conditional requests, ex. If-None-Match and friends? Is your recommendation because of the header overhead or am I missing something?

[...]

Thanks,
Frederik
Re: [users@httpd] Apache24 - how to optimize httpd.conf
Hi James,

On 06/09/2015 10:24 AM, James Smith wrote:

From Apache point of view...

* Don't use .htaccess files... put everything in httpd.conf (or equivalent) there is a huge file system performance hit {Apache has to look for .htaccess files in the directory and any parent directories} include AllowOverride None in httpd.conf
* Remove etags (Header unset Etag/FileETag None)

Won't this disable conditional requests, ex. If-None-Match and friends? Is your recommendation because of the header overhead or am I missing something?

[...]

Thanks,
Frederik
Re: [users@httpd] Apache24 - how to optimize httpd.conf
Remove etags (Header unset Etag/FileETag None)

Won't this disable conditional requests, ex. If-None-Match and friends? Is your recommendation because of the header overhead or am I missing something?

Just if-None-Match. If-Modified-Since would still work. I believe people recommend disabling ETags because they may cause problems with clusters (i.e. different inode numbers or modification times for otherwise identical files), or gzip content encoding (https://bz.apache.org/bugzilla/show_bug.cgi?id=45023).

rainer
Re: [users@httpd] Apache24 - how to optimize httpd.conf
Hi Rainer,

On 06/09/2015 02:53 PM, Rainer Canavan wrote:

Remove etags (Header unset Etag/FileETag None)

Won't this disable conditional requests, ex. If-None-Match and friends? Is your recommendation because of the header overhead or am I missing something?

Just if-None-Match. If-Modified-Since would still work. I believe people recommend disabling ETags because they may cause problems with clusters (i.e. different inode numbers or modification times for otherwise identical files), or gzip content encoding (https://bz.apache.org/bugzilla/show_bug.cgi?id=45023).

Well, if it's a static file I think the etag calculation should be quite fast, after all in the default apache setting it's computed using three values:

    FileETag INode MTime Size

which at least on linux should be cached in the dentry / filesystem cache. So intuitively should be less work than reading these values, the file content and sending it. It's not that I've done measurements on this though, just speculation.

As for the cluster case (and for security reasons), I've been using:

    FileETag MTime Size

Out of curiosity, does somebody have real measurements?

rainer
Re: [users@httpd] Apache24 - how to optimize httpd.conf
It's not the etag calc it's actually the round tripping to the server that is the main over head - better to get the client to cache content... Apache will still have to touch the file system to see if the content has changed (however it is done) and on some filesystems just locating the file and making sure the user can read it is slower than serving it (especially high availability and virtual file systems)... James On 09/06/2015 14:51, Frederik Nosi wrote: Hi Rainer, On 06/09/2015 02:53 PM, Rainer Canavan wrote: Remove etags (Header unset Etag/FileETag None) Won't this disable conditional requests, ex. If-None-Match and friends? Is your recomendation because of the header overhead or am I missing something? Just if-None-Match. If-Modified-Since would still work. I believe people recommend disabling ETags because they may cause problems with clusters (i.e. different inode numbers or modification times for otherwise identical files), or gzip content encoding (https://bz.apache.org/bugzilla/show_bug.cgi?id=45023). Well, if it's a static file i think the etag calculation should be quite fast, after all in the default apache setting it's computed using thre values: FileETag INode MTime Size which at least on linux should be cached in the dentry / filesystem cache. So intuitively should be less work then reading this values, the file content and sending it. It's not that i've done measurements on this though, just speculation. As for the cluster case (and for security reasons), i've been using: FileETag MTime Size Out of curiosity, does somebody have real misurements? 
rainer
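The cluster problem and the If-Modified-Since point from the exchange above, as an added example that is not part of the thread or of httpd's own code. It models a tag built from the fields FileETag selects; the stat values are constructed and the exact tag string a real httpd emits is not reproduced. It also shows that the inode-based tag carries the inode number to the client.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

@dataclass(frozen=True)
class FileStat:                 # constructed stand-in for an os.stat() result
    inode: int
    mtime: int                  # seconds since the epoch
    size: int

def file_etag(st, components):
    """Tag built from the chosen stat fields, hex-encoded, in the spirit of
    FileETag; the exact string a given httpd build emits is not reproduced."""
    fields = {"INode": st.inode, "Size": st.size, "MTime": st.mtime}
    parts = [format(fields[c], "x") for c in ("INode", "Size", "MTime") if c in components]
    return '"' + "-".join(parts) + '"' if parts else None   # None models FileETag None

def revalidate(headers, st, components):
    """Status of a conditional GET. If-None-Match, when present, takes
    precedence over If-Modified-Since (RFC 7232)."""
    etag = file_etag(st, components)
    if "If-None-Match" in headers:
        tags = [t.strip() for t in headers["If-None-Match"].split(",")]
        return 304 if etag is not None and etag in tags else 200
    if "If-Modified-Since" in headers:
        since = parsedate_to_datetime(headers["If-Modified-Since"])
        modified = datetime.fromtimestamp(st.mtime, tz=timezone.utc)
        return 304 if modified <= since else 200
    return 200

# Constructed sample: one file deployed to two cluster nodes, same content,
# size and mtime, but a different inode on each node's filesystem.
NODE_A = FileStat(inode=0x2A41F, mtime=1433851200, size=5120)
NODE_B = FileStat(inode=0x91C03, mtime=1433851200, size=5120)

def cross_node_status(components):
    """Client cached node A's tag, then revalidates against node B."""
    return revalidate({"If-None-Match": file_etag(NODE_A, components)}, NODE_B, components)

def last_modified_status():
    """FileETag None: no tag is sent, yet If-Modified-Since still validates."""
    stamp = datetime.fromtimestamp(NODE_A.mtime, tz=timezone.utc)
    return revalidate({"If-Modified-Since": format_datetime(stamp, usegmt=True)}, NODE_B, ())

if __name__ == "__main__":
    print("INode MTime Size:", cross_node_status(("INode", "MTime", "Size")))  # full body resent
    print("MTime Size:      ", cross_node_status(("MTime", "Size")))
    print("FileETag None:   ", last_modified_status())
```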
Re: [users@httpd] Apache24 - how to optimize httpd.conf
Hi James,

On 06/09/2015 02:36 PM, James Smith wrote:

Yes - it is the request overhead - the client will still make the request at which point the server has got to decide has it changed before even - which for most static requests is the heaviest (slowest) part before returning the not-changed response - and then serving the content!

But at this point the server in case of a positive match will send just a 304 reply with no content, thus saving bandwidth and time (due to eventual roundtrips) no?

You are better to:
(a) set near future or mid future headers [ expires in a month or in a year]

Sure, the best request is the one that does not even come :-)

(b) alter filenames if you significantly change the file contents [ we use MD5 of content for js/css ]

This only if you're in the position to decide the site layout though.

Note this is hyper-tuning of Apache... some people may want to enable it - it was originally set up when most users were on 28K/33.6K modems (or slower) and the transfer of data was the slow part of the equation!

James

[...]

Thanks,
Frederik
Re: [users@httpd] Apache24 - how to optimize httpd.conf
In many cases it will only be a few packets anyway so won't actually make that much difference!

The point is that it is better to stop the request in the first place by setting the appropriate expires/cache control header... than use the etag mechanism...

James

On 09/06/2015 14:56, Frederik Nosi wrote:

Hi James,

On 06/09/2015 02:36 PM, James Smith wrote:

Yes - it is the request overhead - the client will still make the request at which point the server has got to decide has it changed before even - which for most static requests is the heaviest (slowest) part before returning the not-changed response - and then serving the content!

But at this point the server in case of a positive match will send just a 304 reply with no content, thus saving bandwidth and time (due to eventual roundtrips) no?

You are better to:
(a) set near future or mid future headers [ expires in a month or in a year]

Sure, the best request is the one that does not even come :-)

(b) alter filenames if you significantly change the file contents [ we use MD5 of content for js/css ]

This only if you're in the position to decide the site layout though.

Note this is hyper-tuning of Apache... some people may want to enable it - it was originally set up when most users were on 28K/33.6K modems (or slower) and the transfer of data was the slow part of the equation!

James

[...]

Thanks,
Frederik
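Points (a) and (b) in the message above combined, as an added example that is not part of the thread: asset names carry a digest of their content, so far-future caching is safe for them while the HTML that references them still revalidates. SHA-256 is swapped in for the MD5 the post mentions; the paths, page markup and header values are constructed assumptions.

```python
import hashlib
import posixpath
import re

def fingerprint(path, content, digest_len=12):
    """Insert a truncated content digest before the extension: app.js -> app.<hex>.js"""
    digest = hashlib.sha256(content).hexdigest()[:digest_len]
    stem, ext = posixpath.splitext(path)
    return f"{stem}.{digest}{ext}"

def build(assets):
    """Map each logical asset path to its fingerprinted path."""
    return {path: fingerprint(path, data) for path, data in assets.items()}

def rewrite_refs(html, manifest):
    """Point src/href attributes at the fingerprinted names; leave others alone."""
    def swap(m):
        return m.group(1) + manifest.get(m.group(2), m.group(2)) + m.group(3)
    return re.sub(r'((?:src|href)=")([^"]+)(")', swap, html)

# Matches only names produced by fingerprint() with the default digest length.
FINGERPRINTED = re.compile(r"\.[0-9a-f]{12}\.(?:js|css)$")

def cache_control(path):
    """Far-future caching only for names that change whenever their content does."""
    if FINGERPRINTED.search(path):
        return "public, max-age=31536000, immutable"   # one year
    return "no-cache"   # entry points must revalidate to pick up new asset names

# Constructed sample site: version 2 changes the script but not the stylesheet.
ASSETS_V1 = {"/static/app.js": b"console.log('v1');", "/static/site.css": b"body{margin:0}"}
ASSETS_V2 = {**ASSETS_V1, "/static/app.js": b"console.log('v2');"}
PAGE = '<link rel="stylesheet" href="/static/site.css"><script src="/static/app.js"></script>'

if __name__ == "__main__":
    manifest = build(ASSETS_V2)
    print(rewrite_refs(PAGE, manifest))
    for name in list(manifest.values()) + ["/index.html"]:
        print(name, "->", cache_control(name))
```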
Re: [users@httpd] HOW TO APPLY TOMCAT UPGRADE
On Tue, Jun 9, 2015 at 2:45 PM, Salami Kehinde Rasheed kennysal...@gmail.com wrote:

I need step-by-step to make apache-httpd-upgrade-2_2_29, what to download and how to apply this on production environment (Windows Server 2008 and 2012R2)

I want to close *Apache HTTPD: mod_status buffer overflow (CVE-2014-0226)* vulnerability,
I want to close *Apache HTTPD: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)* Vulnerability

I got advice to upgrade to 2.2.29 of httpd and I am running on Windows Server machine... Kindly assist on how I can handle this without causing disruption on this operation.

This depends greatly on where your current distribution of HTTPD is from. Did you build it yourself or did you download binaries from a website and if so, which site? How is HTTPD set up on your current system? Does it run as a service? What is the path to the executables and libraries? Are you using any non-standard modules?

You should obtain the new version from the same place you obtained the old version from. I would make a backup copy of the entire HTTPD directory and then just overwrite all the files except the configuration with the new files you downloaded. That is probably as detailed as you can get without more information about your current environment.

- Y
Re: [users@httpd] Apache24 - how to optimize httpd.conf
At 09:24 AM 6/9/2015 +0100, James Smith wrote:

[snip good advice]

* For minifying CSS/JS: look at yui compressor and google closure compiler... (Use jshint to check your js to make sure that it will merge/compress OK)
* Can use a number of build tools to do some of this auto-magically...

One possible caveat -- mod_pagespeed which is from Google dev (the start of this thread.) We tried it in a pre-production 2.4 environment, and while most of the output was well rewritten/minified/re-ordered, it put an enormous hit on server CPU cycles (on a very fast machine) -- to the point that end-user browser load times suffered. We had to drop it.

(Note this was for a fairly complex perl/js site, so YMMV. Note also that Google do not *now* recommend it for 2.4, only 2.2, if I understand their notes correctly.)

Best -- Paul

* Move (most) JS to the foot of the page

Watch out with minifying HTML - there is a minor bug with most of the minifiers which can't handle correctly ends of line after tags, and if you have gzip encoding it usually doesn't make a difference!

Finally...

* Look at your code and try and optimize your HTML { put as much presentation as possible into CSS }
* Look at your JS - don't use multiple library classes - I have seen sites using jQuery, Scriptaculous and YUI at the same time!

On 08/06/2015 22:43, Motty Cruz wrote:

Hello, I added this code on .htaccess

<IfModule mod_mime.c>
    AddType application/x-javascript .js
    AddType text/css .css
</IfModule>
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/javascript
    <IfModule mod_setenvif.c>
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    </IfModule>
    <IfModule mod_headers.c>
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
</IfModule>

does not seem to make a difference!

On 06/08/2015 02:38 PM, Emir Ibrahimbegovic wrote:

What have you tried?

On Mon, Jun 8, 2015 at 5:35 PM, Motty Cruz motty.c...@gmail.com wrote:

Hello, I am getting the following suggestions from: https://developers.google.com/speed/pagespeed/insights/

Should Fix:
Optimize images
Leverage browser caching

Consider Fixing:
Eliminate render-blocking JavaScript and CSS in above-the-fold content
Minify CSS
Minify HTML

What is the best practice to solve errors above?

Thanks,