Re: [users@httpd] prevent cgi-bin script execution prior to authorization dialog success
On Tue, Aug 14, 2018 at 9:33 PM Jason Pitt wrote: > > Hello- > > I'm having an issue with trying to configure apache that I'm hoping someone > can help me address. I have several scripts located in the cgi-bin that I > want to control access to. I'm able to either put an .htaccess file in the > cgi-bin or modify the apache2.conf file to prompt for a username and password > when the url to the cgi script is entered into a browser, however...the > script executes and sends content to the browser window before the user > enters anything into the authorization dialog...furthermore the user can just > cancel the authorization dialog and can then interact with the cgi generated > content...the only thing getting blocked by apache is access to actual files > on the webserver. How do I prevent this behavior? > It sounds like you may not be protecting the right URL/files/directories. What's the relevant config and URL being accessed? What does the access log say? - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] prevent cgi-bin script execution prior to authorization dialog success
Hello- I'm having an issue with trying to configure apache that I'm hoping someone can help me address. I have several scripts located in the cgi-bin that I want to control access to. I'm able to either put an .htaccess file in the cgi-bin or modify the apache2.conf file to prompt for a username and password when the url to the cgi script is entered into a browser, however...the script executes and sends content to the browser window before the user enters anything into the authorization dialog...furthermore the user can just cancel the authorization dialog and can then interact with the cgi generated content...the only thing getting blocked by apache is access to actual files on the webserver. How do I prevent this behavior? -Thanks J -- /* Jason Pitt PhD 206.616.1193 Kaeberlein Lab jnp...@uw.edu University of Washington Department of Pathology Health Sciences BuildingBox 357470 1989 NE Pacific Street Seattle, WA 98195 */
Re: [users@httpd] Re: [OT] bounced messages
On Tue, Aug 14, 2018 at 8:27 PM Good Guy wrote: > > On 13/08/2018 20:43, James Moe wrote: > > Hello, > >I received a note from the list manager complaining that our server > > has rejected an unconscionable number of message. > >Has there been some configuration change of the mailing list recently? > > > >T > > This list is also rejecting posts from users using Outlook.com or > hotmail.com domains as part of their eMails. None of my posts appear > here. I am posting this here but I doubt if it will ever show up. > > The new owners have killed this news-server. This mail made it just fine. I don't know what new owners or news-server you're referring to, maybe you're using some news gateway instead of the actual users@httpd.apache.org mailing list? - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] memory caching with Apache 2.4
On Tue, Aug 14, 2018 at 2:10 PM Chuck Stein wrote: > > I am finally upgrading an Apache 2.2 server to 2.4 and caching has > changed. The Apache server is used in a confined area and is not on the > web. I was previously using mod_mem_cache to cache in memory responses > from my custom back-end tile server module which serves up tiles of data > from a larger "black box" file. I've been reading up on the 2.4 > mod_cache, mod_cache_socache, and mod_cache_disk but don't see anything > equivalent to the old 2.2 mod_mem_cache where I could allocate a > certain amount of RAM for the result of URL requests. I don't want a > disk cache. I want a memory cache for commonly requested URLs of the > form: http://server_ip/tile_server/GetTile?i=xx=xx=xx . I want to > be able to set up how much memory is used by the cache. Can you point > me in the right direction? It is really removed. You can get somewhat close via mod_cache_socache and mod_socache_shcmcb or one of the other providers + the corresponding backend like redis or distcache. mod_mem_cache was limiting (no variant support) and a bit fragile. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] memory caching with Apache 2.4
I am finally upgrading an Apache 2.2 server to 2.4 and caching has changed. The Apache server is used in a confined area and is not on the web. I was previously using mod_mem_cache to cache in memory responses from my custom back-end tile server module which serves up tiles of data from a larger "black box" file. I've been reading up on the 2.4 mod_cache, mod_cache_socache, and mod_cache_disk but don't see anything equivalent to the old 2.2 mod_mem_cache where I could allocate a certain amount of RAM for the result of URL requests. I don't want a disk cache. I want a memory cache for commonly requested URLs of the form: http://server_ip/tile_server/GetTile?i=xx=xx=xx . I want to be able to set up how much memory is used by the cache. Can you point me in the right direction? Thanks, Chuck - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Problem setting up ssl
Hi, Zitat von Mahmood Naderan : what's in the logs of your httpd server? Any errors reported during httpd startup and/or your accesses? When I restart apache2 service, I see these lines in the syslog Aug 13 22:19:36 webshub systemd[1]: Stopping The Apache HTTP Server... Aug 13 22:19:36 webshub apachectl[20543]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message Aug 13 22:19:37 webshub systemd[1]: Stopped The Apache HTTP Server. Aug 13 22:19:37 webshub systemd[1]: Starting The Apache HTTP Server... Aug 13 22:19:37 webshub apachectl[20554]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message Aug 13 22:19:37 webshub systemd[1]: Started The Apache HTTP Server. nothing that points to the root cause, then. OTOH, seems to be some special setup, defaulting to an address from the loopback network (127.0.1.1). However, apache/error.log and apache/access.log show nothing when I enter the IP address in the browser. As you seem to receive some resources via HTTP, the request should get logged somewhere. Another guess: what do you see in the browser if you try to access http://w.x.y.z:443 (so actually trying to access your "SSL site" via regular HTTP)? I believe to remember having seen that error when the server spat out regular HTTP. http://w.x.y.z:443 works. I mean I can see the page. However it is not https.https://w.x.y.z:443 says the same error as before. So your server (on port 443) is handing out http, not https. Seems to be some configuration issue then. The browser error (when using https://...) is just telling you "cannot interpret the server output as SSL/TLS traffic". As one more step of diagnosis, you might want to ask httpd for it's current (v)host setup (see "-S" option) and in your place, I'd try to find out where the accesses actually end up - there should be some logging somewhere. Another test would be to change the content of your html page (the one you believe to receive when reuqesting http://w.x.y.z:443) and double-check that the browser then receives the modified version. Because: Might it be that the request ends up in a totally different server/httpd process? You always tell you're accessing "w.x.y.z" and said "the server's page is reachble by an IP address", so I understand you're not using a host name, but IP address to connect. w.x.y.z reads like an IPv4 address, while your earlier report of open ports just gave an IPv6 port open for listening: root@webshub:~# netstat -tulpn | grep 443 tcp6 0 0 :::443 :::* LISTEN 14709/apache2 So there might be a chance your browser's requests doesn't even end up in *your* server. Regards, J - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Problem setting up ssl
Hi, Zitat von Mahmood Naderan : what's in the logs of your httpd server? Any errors reported during httpd startup and/or your accesses? When I restart apache2 service, I see these lines in the syslog Aug 13 22:19:36 webshub systemd[1]: Stopping The Apache HTTP Server... Aug 13 22:19:36 webshub apachectl[20543]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message Aug 13 22:19:37 webshub systemd[1]: Stopped The Apache HTTP Server. Aug 13 22:19:37 webshub systemd[1]: Starting The Apache HTTP Server... Aug 13 22:19:37 webshub apachectl[20554]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message Aug 13 22:19:37 webshub systemd[1]: Started The Apache HTTP Server. nothing that points to the root cause, then. OTOH, seems to be some special setup, defaulting to an address from the loopback network (127.0.1.1). However, apache/error.log and apache/access.log show nothing when I enter the IP address in the browser. As you seem to receive some resources via HTTP, the request should get logged somewhere. Another guess: what do you see in the browser if you try to access http://w.x.y.z:443 (so actually trying to access your "SSL site" via regular HTTP)? I believe to remember having seen that error when the server spat out regular HTTP. http://w.x.y.z:443 works. I mean I can see the page. However it is not https.https://w.x.y.z:443 says the same error as before. So your server (on port 443) is handing out http, not https. Seems to be some configuration issue then. The browser error (when using https://...) is just telling you "cannot interpret the server output as SSL/TLS traffic". As one more step of diagnosis, you might want to ask httpd for it's current (v)host setup (see "-S" option) and in your place, I'd try to find out where the accesses actually end up - there should be some logging somewhere. Another test would be to change the content of your html page (the one you believe to receive when reuqesting http://w.x.y.z:443) and double-check that the browser then receives the modified version. Because: Might it be that the request ends up in a totally different server/httpd process? You always tell you're accessing "w.x.y.z" and said "the server's page is reachble by an IP address", so I understand you're not using a host name, but IP address to connect. w.x.y.z reads like an IPv4 address, while your earlier report of open ports just gave an IPv6 port open for listening: root@webshub:~# netstat -tulpn | grep 443 tcp6 0 0 :::443 :::* LISTEN 14709/apache2 So there might be a chance your browser's requests doesn't even end up in *your* server. Regards, J - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] Re: [OT] bounced messages
On 13 Aug 2018, at 13:43, James Moe wrote: > > I received a note from the list manager complaining that our server > has rejected an unconscionable number of message. > Has there been some configuration change of the mailing list recently? > > There are reasons for the rejections: our SPAM filter. It is not a good idea to spam filter list messages. -- What would be the point of cyphering messages that very clever enemies couldn't break? You'd end up not knowing what they thought you thought they were thinking... --The Fifth Elephant - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org