Re: [users@httpd] Require paramater

[Daniel Gruno]

On 5/13/24 15:42, Chris me wrote:
The Apache docs recommend dong this to setup a default deny to file 
locations:




     Require all denied



Do I do that in httpd.conf or do I add that to each  entry?



If you do it in httpd.conf (which I assume would be a server-wide scope 
for you), it will be applied globally and thus within every virtualhost 
scope as well. You should then, within each virtualhost scope, 
explicitly allow access to the documentroot and other directories you 
wish to have open for reading.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Redirecting based on IP

[Dave Wreski]

Hi,


The staging site is even protected with a RequireAll statement for the 
DocumentRoot based on the IP, which then results in a 404 and other errors in 
GSC.

That sound wrong. If your RequireAll was working as advertised, should
it not return a 403?


Yes, it does - my mistake.


The next steps I'd like to do is to redirect anyone not in that RequireAll 
statement to be redirected to the production site. Is this possible? Perhaps a 
RewriteCond that depends upon certain IPs, then otherwise redirects to the 
production site?

I don't think relying on the IPs is a good idea, since those will
change, and the proper process to validate them requires 2 DNS
lookups, if I'm not mistaken. Just use a rewriteCond + rewriteRule to
generously check the User-Agent and perform the redirect. You may have
to set an environment variable in the rewrite rule and check that in
your RequireAll statement to permit the 301 response to be sent. You
may want to verify that the Vary:User-Agent response header gets sent
to the client to prevent cache pollution.


I used your rewritecond+rewriterule approach, and it worked perfectly in 
my tests. Thanks so much.

Re: [users@httpd] Directory Trailing Slash When Behind Load Balancer

[Rainer Canavan]

On Tue, May 14, 2024 at 6:07 PM Gavin Spomer  wrote:
>
> Hello,
>
> I recently migrated my Apache web server from FreeBSD to Ubuntu Server and 
> found an issue with URLs that point to a directory, but don't include the 
> trailing slash, when going through our institution's load balancer. If I 
> access directly (not going through the load balancer), everything works fine:
>
>http://mywebserver.example.com/application
>
>Above works as, from reading the mod_dir documentation, it redirects to
>http://mywebserver.example.com/application/ (adds the trailing slash) and 
> thus the application's index.php script
>is executed.
>
> My web server is fronted by our institution's load balancer which does SSL 
> termination and then sends the request to my web server on port 81. I am not 
> seeing the same behavior when accessing through our load balancer:
>
>https://loadbalancer.example.com/application
>
>The above doesn't work. It hangs, times out and then redirects to 
> http://loadbalancer.example.com:81/application/
>with a "This site can’t be reached" message. It does work if I explicitly 
> add the slash to the URL in my browser:

That's probably not the order that events are acutally happening. It
most likely redirects to
http://loadbalancer.example.com:81/application/ first.

[...]
> 
>ServerName mywebserver.example.com:81

Redirects require a complete URL, and mod_dir is probably assembling
that using the ServerName. Use the developer tools in your browser or
curl -v to see what's actually going on, particularly the "Location:"
response header, which is the URL the redirect is sending your browser
to.

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Redirecting based on IP

[Rainer Canavan]

On Thu, May 16, 2024 at 1:15 AM Dave Wreski
 wrote:
>
> Hi,
>
[...]
> The staging site is even protected with a RequireAll statement for the 
> DocumentRoot based on the IP, which then results in a 404 and other errors in 
> GSC.

That sound wrong. If your RequireAll was working as advertised, should
it not return a 403?

[...]
>
> The next steps I'd like to do is to redirect anyone not in that RequireAll 
> statement to be redirected to the production site. Is this possible? Perhaps 
> a RewriteCond that depends upon certain IPs, then otherwise redirects to the 
> production site?

I don't think relying on the IPs is a good idea, since those will
change, and the proper process to validate them requires 2 DNS
lookups, if I'm not mistaken. Just use a rewriteCond + rewriteRule to
generously check the User-Agent and perform the redirect. You may have
to set an environment variable in the rewrite rule and check that in
your RequireAll statement to permit the 301 response to be sent. You
may want to verify that the Vary:User-Agent response header gets sent
to the client to prevent cache pollution.

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Redirecting based on IP

[gene heskett]

On 5/15/24 19:15, Dave Wreski wrote:

Hi,

Google insists that one of our staging sites needs to be indexed despite 
"disallow" in robots.txt and a half-dozen other methods for preventing 
Google from indexing it (including submitting it for removal from their 
index). The staging site is even protected with a RequireAll statement 
for the DocumentRoot based on the IP, which then results in a 404 and 
other errors in GSC. This impacts our SEO and also causes GSC to stop 
processing the rest of our site.


The next steps I'd like to do is to redirect anyone not in that 
RequireAll statement to be redirected to the production site. Is this 
possible? Perhaps a RewriteCond that depends upon certain IPs, then 
otherwise redirects to the production site?


Thanks,
Dave

The last time I ran into this was back in iptables days 20 years ago. 
Based on IP they were denied because my site at the time included my 
photo's and totalled about 13 gigabytes. This was in the days of 
bandwidth per month of 30 gigs. Because google has so many machines they 
used up all my allocation long before the month was up. I wound up 
putting another search engine in that database, mj12, so I wound up with 
an iptables file about 15k lines long. That continued until I had ported 
the whole thing to a couple new Seacrate 1t drives, both of which went 
tits down in the night within 2 weeks, just disappearing off the 
sata-III bus. I was so pi$$ed I didn't even warranty them. SSD's are it 
today. I have only one spinning rust drive in 8 machines here now, a 250 
gig that refuses to die. iptables worked but took about 10 hours a month 
to maintain it cuz they moved the machines to a new address.  Some of 
the iptables rules ended in /16, so I was blocking a goodly share of the 
ipv4 space when I had the gran crash.  I controlled it most of the time 
but it was several hours a week keeping even with them. You never get 
ahead. I still have a registered name but all you get is the apache test 
page.


Cheers, Gene Heskett, CET.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Redirecting based on IP

[Dave Wreski]

Hi,

Google insists that one of our staging sites needs to be indexed despite 
"disallow" in robots.txt and a half-dozen other methods for preventing 
Google from indexing it (including submitting it for removal from their 
index). The staging site is even protected with a RequireAll statement 
for the DocumentRoot based on the IP, which then results in a 404 and 
other errors in GSC. This impacts our SEO and also causes GSC to stop 
processing the rest of our site.


The next steps I'd like to do is to redirect anyone not in that 
RequireAll statement to be redirected to the production site. Is this 
possible? Perhaps a RewriteCond that depends upon certain IPs, then 
otherwise redirects to the production site?


Thanks,
Dave

RE: [users@httpd] http ok, https Forbidden

[Marc]

> 
> we have a apache 2.4.59 running on windows for an internal page.
> Now we would like to use https instead of http
> 
> Opening the url via http works,
> when I use https I get
> 
> Forbidden
> You don't have permission to access this resource.
> 
> I activated the debug level and see this lines
> 

Not enough info, maybe you just lack the configuration of a https virtual host 
entry?



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] http ok, https Forbidden

[Andreas . Moroder]

Hello,

we have a apache 2.4.59 running on windows for an internal page.
Now we would like to use https instead of http

Opening the url via http works,
when I use https I get

Forbidden
You don't have permission to access this resource.

I activated the debug level and see this lines

[Wed May 15 08:54:17.471598 2024] [authz_core:debug] [pid 8152:tid 1360] 
mod_authz_core.c(815): [client 10.26.2.32:54158] AH01626: authorization 
result of Require local : denied
[Wed May 15 08:54:17.471598 2024] [authz_core:debug] [pid 8152:tid 1360] 
mod_authz_core.c(815): [client 10.26.2.32:54158] AH01626: authorization 
result of : denied
[Wed May 15 08:54:17.471598 2024] [authz_core:error] [pid 8152:tid 1360] 
[client 10.26.2.32:54158] AH01630: client denied by server configuration: 
E:/wamp/www/itop/pages/UI.php


What I don't understand is why using https:// it is denied while it works 
with http://

the httpd-vhosts.conf contains this lines

# Virtual Hosts
#

  ServerName localhost
  ServerAlias localhost
  DocumentRoot "${INSTALL_DIR}/www"
  
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride None
Require all granted
  


while http.conf contains this lines


AllowOverride none
Require all denied




Can anyone please tell me why the behaviour changes and how to solve it?

Greetings
Andreas

Institut für den sozialen Wohnbau des Landes Südtirol
Istituto per l’edilizia sociale della Provincia autonoma di Bolzano
39100 Bozen Horazstraße 14 / 39100 Bolzano via Orazio, 14
wobi.bz.it   ipes.bz.it 





Dies ist eine vertrauliche Nachricht und nur für den Adressaten bestimmt. 
Sollten Sie diese Nachricht irrtümlich erhalten haben, bitten wir um Ihre 
diesbezügliche Benachrichtigung und um die Löschung der Nachricht. Eine 
Veröffentlichung oder Verbreitung des Inhaltes sowie jegliche anderweitige 
Verwendung sind untersagt.

Il contenuto di questa e-mail è rivolto esclusivamente al destinatario 
della stessa e deve intendersi riservato e personale. Laddove questa 
e-mail Le fosse pervenuta per errore, Le chiediamo di comunicarci l’errata 
notifica e di cancellarne il contenuto. Sono sempre vietate la 
pubblicazione o diffusione del contenuto, nonché l'utilizzo per qualsiasi 
altro scopo.

[users@httpd] Directory Trailing Slash When Behind Load Balancer

[Gavin Spomer]

Hello,

I recently migrated my Apache web server from FreeBSD to Ubuntu Server and 
found an issue with URLs that point to a directory, but don't include the 
trailing slash, when going through our institution's load balancer. If I access 
directly (not going through the load balancer), everything works fine:

   http://mywebserver.example.com/application

   Above works as, from reading the mod_dir documentation, it redirects to 
   http://mywebserver.example.com/application/ (adds the trailing slash) and 
thus the application's index.php script
   is executed.

My web server is fronted by our institution's load balancer which does SSL 
termination and then sends the request to my web server on port 81. I am not 
seeing the same behavior when accessing through our load balancer:

   https://loadbalancer.example.com/application

   The above doesn't work. It hangs, times out and then redirects to 
http://loadbalancer.example.com:81/application/
   with a "This site can’t be reached" message. It does work if I explicitly 
add the slash to the URL in my browser:

   https://loadbalancer.example.com/application/

   The above works and executes the application's index.php script.

I contacted the admin of the load balancer and asked if there had been any 
changes to the settings, but he indicated that there wasn't and that there was 
no inspection, rule processing or manipulation of the URL on the load balancer 
end.  When I had my web server on FreeBSD it worked, but I don't recall doing 
anything configuration-wise to make it work with our load balancer beyond 
making a virtual host that ran on port 81 and to listen on that same port. I 
don't have a copy of my config from my old FreeBSD host. :( My current virtual 
host config is pretty straight forward:


   ServerName mywebserver.example.com:81
   ServerAdmin usern...@example.com
   DocumentRoot /var/www/html
   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined


I can share other parts of my Apache configuration if that helps. I spent my 
work day yesterday looking at Apache documentation, Google searches and testing 
various things in my configuration to resolve this issue. 

 - Gavin 
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache HTTP Server 2.4 EOL

[Yehuda Katz]

There is no planned EOL for 2.4, but you should always be on the most
recently released version - currently 2.4.59 - or possibly on a version
maintained by your OS distribution to keep up with the latest security
patches.

On Mon, May 13, 2024 at 10:50 PM Ehmann G  wrote:

> i tried searching on Google for the end-of-life support information for
> Apache HTTP Server 2.4 but couldn't find any useful results. I also checked
> the Apache website but didn't find any details on this topic. Does anyone
> have any relevant information?
>

[users@httpd] Apache HTTP Server 2.4 EOL

[Ehmann G]

i tried searching on Google for the end-of-life support information for
Apache HTTP Server 2.4 but couldn't find any useful results. I also checked
the Apache website but didn't find any details on this topic. Does anyone
have any relevant information?

[users@httpd] Require paramater

[Chris me]

The Apache docs recommend dong this to setup a default deny to file locations:


Require all denied


Do I do that in httpd.conf or do I add that to each  entry?

Re: [users@httpd] Multi site SSL problems

[Frank Gingras]

On Fri, May 10, 2024 at 5:53 PM Tatsuki Makino 
wrote:

> Hello.
>
> By the way, do you have the setting enabled to use the Host header used to
> switch NameVirtualHost during TLS negotiation?
> I don't know how to do that since the Japanese documentation is rarely
> updated :)
> Were those things implemented?
>
> Regards.
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
Tatsuki,

You're thinking of SNI, and it works out of the box with OpenSSL 0.9.8f or
later, and with NameVirtualHost *:443.

So, again, I highly recommend using *:PORT to define all your vhosts,
unless you know exactly what you are doing.

Re: [users@httpd] Multi site SSL problems

[Tatsuki Makino]

Hello.

By the way, do you have the setting enabled to use the Host header used to 
switch NameVirtualHost during TLS negotiation?
I don't know how to do that since the Japanese documentation is rarely updated 
:)
Were those things implemented?

Regards.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Multi site SSL problems

[Frank Gingras]

On Fri, May 10, 2024 at 4:10 PM John  wrote:

> On Fri, 2024-05-10 at 15:48 -0400, Sean Conner wrote:
> > It was thus said that the Great Chris me once stated:
> > > I set up each entry with  but when I do that, the
> > > second site will complain that the cert is for site1. So if I go to
> > > site2.com, I get a browser error that the cert is for site1. It will
> show
> > > me the content for site1.
> >
> >   On my development server, I have the following:
> >
> > 
> >   ServerName  playground.roswell.area51
> >   SSLEngine   on
> >   SSLCertificateFile  /home/spc/web/playground/cert.pem
> >   SSLCertificateKeyFile   /home/spc/web/playground/key.pem
> >   ...
> > 
> >
> > 
> >   ServerName  wiki.roswell.area51
> >   SSLEngine   on
> >   SSLCertificateFile  /home/spc/web/wiki/cert.pem
> >   SSLCertificateKeyFile   /home/spc/web/wiki/key.pem
> >   ...
> > 
> >
> > > I am not sure how to do this part:
> > > Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require
> instead
> > > I am running Apache 2.2, does it still apply?
> > > It does not look like mod_access_compat is listed under mods-enabled
> >
> >   That I don't remember as I've been running Apache 2.4 for a couple of
> > years now.
> >
> >   -spc
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
> Typo in the 2nd virtual host "1932.168.1.10:"  probably should be
> "192.168.1.10"
>
> John
> ==
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
Show the apachectl -S output, and each vhost.  Make sure that every single
:443 vhost has SSLEngine on and SSLCertificateFile set.

Re: [users@httpd] Multi site SSL problems

[John]

On Fri, 2024-05-10 at 15:48 -0400, Sean Conner wrote:
> It was thus said that the Great Chris me once stated:
> > I set up each entry with  but when I do that, the
> > second site will complain that the cert is for site1. So if I go to
> > site2.com, I get a browser error that the cert is for site1. It will show
> > me the content for site1.
> 
>   On my development server, I have the following:
> 
> 
>   ServerName  playground.roswell.area51
>   SSLEngine   on
>   SSLCertificateFile  /home/spc/web/playground/cert.pem
>   SSLCertificateKeyFile   /home/spc/web/playground/key.pem
>   ...
> 
> 
> 
>   ServerName  wiki.roswell.area51
>   SSLEngine   on
>   SSLCertificateFile  /home/spc/web/wiki/cert.pem
>   SSLCertificateKeyFile   /home/spc/web/wiki/key.pem
>   ...
> 
> 
> > I am not sure how to do this part:
> > Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require 
> > instead
> > I am running Apache 2.2, does it still apply?
> > It does not look like mod_access_compat is listed under mods-enabled
> 
>   That I don't remember as I've been running Apache 2.4 for a couple of
> years now.
> 
>   -spc
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
Typo in the 2nd virtual host "1932.168.1.10:"  probably should be "192.168.1.10"

John
==

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Multi site SSL problems

[Sean Conner]

It was thus said that the Great Chris me once stated:
> I set up each entry with  but when I do that, the
> second site will complain that the cert is for site1. So if I go to
> site2.com, I get a browser error that the cert is for site1. It will show
> me the content for site1.

  On my development server, I have the following:


ServerName  playground.roswell.area51
SSLEngine   on
SSLCertificateFile  /home/spc/web/playground/cert.pem
SSLCertificateKeyFile   /home/spc/web/playground/key.pem
...



ServerName  wiki.roswell.area51
SSLEngine   on
SSLCertificateFile  /home/spc/web/wiki/cert.pem
SSLCertificateKeyFile   /home/spc/web/wiki/key.pem
...


> I am not sure how to do this part:
> Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
> I am running Apache 2.2, does it still apply?
> It does not look like mod_access_compat is listed under mods-enabled

  That I don't remember as I've been running Apache 2.4 for a couple of
years now.

  -spc


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] Multi site SSL problems

[Chris me]

I found NameVirtualHost *:443 was commented out in ports.conf, I changed that.
Now I am back to the ssl protocol error for the second site.


From: Chris me 
Sent: Friday, May 10, 2024 8:40 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Multi site SSL problems

I set up each entry with  but when I do that, the second 
site will complain that the cert is for site1. So if I go to site2.com, I get a 
browser error that the cert is for site1. It will show me the content for site1.

I am not sure why the difference, my non ssl hosts, ie  all 
work fine, each site gives me the correct content, so why does it not work for 
?

The Entries are

ServerName www.site1.com




ServerName www.site2.com



I am not sure how to do this part:
Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
I am running Apache 2.2, does it still apply?
It does not look like mod_access_compat is listed under mods-enabled

From: Frank Gingras mailto:thu...@apache.org>>
Sent: Thursday, May 9, 2024 4:12 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Multi site SSL problems



On Thu, May 9, 2024 at 6:54 PM Chris me 
mailto:phunct...@hotmail.com>> wrote:
Hi, I am having an issue trying to get multiple sites with their own SSL cert. 
I purchased AlphaSSL certs for them.
The strange thing, the first cert works, the second gives me an 
ERR_SSL_PROTOCOL_ERROR, but only on some systems.

This is what I am using now:

(
Site1 is fine, Site2 gives me the error.

I originally tried with NameVirtualHost *.443
And then 
But when I go to site2, it complains that the cert is invalid because it is 
using the cert from site1?
)



NameVirtualHost 192.99.9.188:443

http://www.site1.com:443>>
ServerName www.site1.com
ServerAdmin webmas...@site1.com
DocumentRoot /home/httpd/sites/site1


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile
/etc/ssl/site1.ca/server.crt
SSLCertificateKeyFile 
/etc/ssl/site1.ca/server.key
SSLCertificateChainFile 
/etc/ssl/site1.ca/bundle.crt


http://www.site2.com:443>>
ServerName www.site2.com
ServerAdmin webmas...@site2.com
DocumentRoot /home/httpd/sites/site2


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile
/etc/ssl/site2.ca/server.crt
SSLCertificateKeyFile 
/etc/ssl/site2.ca/server.key
SSLCertificateChainFile 
/etc/ssl/site2.ca/bundle.crt



So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you are 
doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied

RE: [users@httpd] Multi site SSL problems

[Chris me]

I set up each entry with  but when I do that, the second 
site will complain that the cert is for site1. So if I go to site2.com, I get a 
browser error that the cert is for site1. It will show me the content for site1.

I am not sure why the difference, my non ssl hosts, ie  all 
work fine, each site gives me the correct content, so why does it not work for 
?

The Entries are

ServerName www.site1.com




ServerName www.site2.com



I am not sure how to do this part:
Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
I am running Apache 2.2, does it still apply?
It does not look like mod_access_compat is listed under mods-enabled

From: Frank Gingras 
Sent: Thursday, May 9, 2024 4:12 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Multi site SSL problems



On Thu, May 9, 2024 at 6:54 PM Chris me 
mailto:phunct...@hotmail.com>> wrote:
Hi, I am having an issue trying to get multiple sites with their own SSL cert. 
I purchased AlphaSSL certs for them.
The strange thing, the first cert works, the second gives me an 
ERR_SSL_PROTOCOL_ERROR, but only on some systems.

This is what I am using now:

(
Site1 is fine, Site2 gives me the error.

I originally tried with NameVirtualHost *.443
And then 
But when I go to site2, it complains that the cert is invalid because it is 
using the cert from site1?
)



NameVirtualHost 192.99.9.188:443

http://www.site1.com:443>>
ServerName www.site1.com
ServerAdmin webmas...@site1.com
DocumentRoot /home/httpd/sites/site1


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile
/etc/ssl/site1.ca/server.crt
SSLCertificateKeyFile 
/etc/ssl/site1.ca/server.key
SSLCertificateChainFile 
/etc/ssl/site1.ca/bundle.crt


http://www.site2.com:443>>
ServerName www.site2.com
ServerAdmin webmas...@site2.com
DocumentRoot /home/httpd/sites/site2


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile
/etc/ssl/site2.ca/server.crt
SSLCertificateKeyFile 
/etc/ssl/site2.ca/server.key
SSLCertificateChainFile 
/etc/ssl/site2.ca/bundle.crt



So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you are 
doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied

Re: [users@httpd] Multi site SSL problems

[Frank Gingras]

On Thu, May 9, 2024 at 6:54 PM Chris me  wrote:

> Hi, I am having an issue trying to get multiple sites with their own SSL
> cert. I purchased AlphaSSL certs for them.
>
> The strange thing, the first cert works, the second gives me an
> ERR_SSL_PROTOCOL_ERROR, but only on some systems.
>
>
>
> This is what I am using now:
>
>
>
> (
>
> Site1 is fine, Site2 gives me the error.
>
>
>
> I originally tried with NameVirtualHost *.443
>
> And then 
>
> But when I go to site2, it complains that the cert is invalid because it
> is using the cert from site1?
>
> )
>
>
>
>
>
> 
>
> NameVirtualHost 192.99.9.188:443
>
>
>
> 
>
> ServerName www.site1.com
>
> ServerAdmin webmas...@site1.com
>
> DocumentRoot /home/httpd/sites/site1
>
> 
>
>
>
> Order allow,deny
>
> Allow from all
>
> 
>
>
>
> SSLEngine on
>
> SSLProtocol all -SSLv2 -SSLv3
>
> SSLCertificateFile/etc/ssl/site1.ca/server.crt
>
> SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
>
> SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt
>
> 
>
>
>
> 
>
> ServerName www.site2.com
>
> ServerAdmin webmas...@site2.com
>
> DocumentRoot /home/httpd/sites/site2
>
> 
>
>
>
> Order allow,deny
>
> Allow from all
>
> 
>
>
>
> SSLEngine on
>
> SSLProtocol all -SSLv2 -SSLv3
>
> SSLCertificateFile/etc/ssl/site2.ca/server.crt
>
> SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
>
> SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt
>
> 
>
> 
>

So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you
are doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require
instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied

[users@httpd] Multi site SSL problems

[Chris me]

Hi, I am having an issue trying to get multiple sites with their own SSL cert. 
I purchased AlphaSSL certs for them.
The strange thing, the first cert works, the second gives me an 
ERR_SSL_PROTOCOL_ERROR, but only on some systems.

This is what I am using now:

(
Site1 is fine, Site2 gives me the error.

I originally tried with NameVirtualHost *.443
And then 
But when I go to site2, it complains that the cert is invalid because it is 
using the cert from site1?
)



NameVirtualHost 192.99.9.188:443


ServerName www.site1.com
ServerAdmin webmas...@site1.com
DocumentRoot /home/httpd/sites/site1


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile/etc/ssl/site1.ca/server.crt
SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt



ServerName www.site2.com
ServerAdmin webmas...@site2.com
DocumentRoot /home/httpd/sites/site2


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile/etc/ssl/site2.ca/server.crt
SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt

[users@httpd] Re: How to Perform stateless restarts with checkpointing enabled

[Kartikey Pant]

Please ignore this thread, I wanted to post this to a different Apache
mailing list. Apologies.

On Thu, May 9, 2024 at 2:49 PM Kartikey Pant 
wrote:

> We have a source/sink mechanism which uses checkpoints for persistence and
> can operate in a minor data loss scenario. Is there a method to use
> checkpoints (to enable use of those source/sink operators) while disabling
> stateful recovery during restarts?
>
> Our setup uses Flink 1.16.1 alongside Flink Kubernetes Operator 1.5.0. We
> are also using stateless upgrades with the operator but while the job is
> restarting, it's still restoring from the last stable checkpoint. Is there
> any option in Flink or Flink Kubernetes Operator which could help us in
> this?
>

[users@httpd] How to Perform stateless restarts with checkpointing enabled

[Kartikey Pant]

We have a source/sink mechanism which uses checkpoints for persistence and
can operate in a minor data loss scenario. Is there a method to use
checkpoints (to enable use of those source/sink operators) while disabling
stateful recovery during restarts?

Our setup uses Flink 1.16.1 alongside Flink Kubernetes Operator 1.5.0. We
are also using stateless upgrades with the operator but while the job is
restarting, it's still restoring from the last stable checkpoint. Is there
any option in Flink or Flink Kubernetes Operator which could help us in
this?

[users@httpd] ap_trust_cgilike_cl changes in 2.4.59

[Sinus]

Hello.

The Apache httpd docs state that ap_trust_cgilike_cl was introduced in
2.4.59. However, changelogs for that version never make a mention of the
variable, and the underlying change not to trust, say, PHP scripts with
Content-Length headers, effectively disabling progress events on numerous
downloaders accessing dynamically generated content. Where can I find more
information on this change?

[users@httpd] RE: proxypass to next proxy

[Marc]

> 
> 
> On some production environment I am using this:
> 
> 
>  ProxyPass http://test.example.com/test
> 
> 

ProxyRemote "http://test.example.com/test " "http://proxy.local.net:5000;

 ProxyPass http://test.example.com/test

[users@httpd] proxypass to next proxy

[Marc]

On some production environment I am using this:


 ProxyPass http://test.example.com/test


But on development I can't access test.example.com, traffic needs to be routed 
through another proxy on a different port. How should I rewrite this so 
requests for /test -> test.example.com go via proxy.local.net on port 5000?

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[General Email]

On Wed, 17 Apr 2024 at 15:36, General Email
 wrote:
>
>
> Anyways, I looked more on google and I think that I have found what I was 
> looking for on this page:
> https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a
>


Few days ago, I configured SSL and enabled HTTPS on Apache 2.4. It is
working fine.

I am listing the steps below, in case it helps someone.

--
Enabling HTTPS and Configuring SSL in Apache 2.4 on Windows 10
Date: April, 2024
--


VERY IMPORTANT:

You should not follow this process for a production environment because
self-signed SSL certificate (that is being generated here) is a security risk.
You should follow this process only for the local development environment.


-
Please follow the steps listed below:
-

Step 1: Stop Apache web server if it is already running.

Step 2: Add "absolute_path_to_apache24_dir\bin" to the system environment
variable "Path". openssl.exe is in this folder.

Step 3: Open the Windows command prompt and change directory to
"absolute_path_to_apache24_dir\conf".

Step 4: On the command prompt, execute the following command:

set OPENSSL_CONF=absolute_path_to_apache24_dir\conf\openssl.cnf

If "absolute_path_to_apache24_dir" contains spaces then enclose the
path in quotes.

Step 5: Check that the OPENSSL_CONF variable is set to correct directory by
executing the following command on the command prompt:

echo %OPENSSL_CONF%

Step 6: On the command prompt, execute the following command
(openssl.exe is in "absolute_path_to_apache24_dir\bin" folder):

openssl genrsa -out cert.key 2048

Step 7: On the command prompt, execute the following command:

openssl req -new -key cert.key -out cert.csr

When you execute this command, you will be asked to give input for
some fields. I had given input for only one field (and for other fields,
I just hit "Enter" key):

Common Name (e.g. server FQDN or YOUR name) []:localhost

Step 8: On the command prompt, execute the following command:

openssl x509 -req -days 3650 -in cert.csr -signkey cert.key -out cert.crt

Step 9: Change a few lines in the
"absolute_path_to_apache24_dir\conf\httpd.conf"
file. I am listing the lines after the changes. I am not listing the
original lines. You can search and change/replace the
original lines.

The changed lines are:

Define SRVROOT "absolute_path_to_apache24_dir"
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
ServerName localhost:80
Include conf/extra/httpd-ssl.conf

Step 10: Change a few lines in the
  "absolute_path_to_apache24_dir\conf\extra\httpd-ssl.conf" file.
  I am listing the lines after the changes. I am not listing the
  original lines. You can search and change/replace the
original lines.

 The changed lines are:

 ServerName localhost:443
 ServerAdmin ad...@localhost.localdomain.com
 SSLCertificateFile "${SRVROOT}/conf/cert.crt"
 SSLCertificateKeyFile "${SRVROOT}/conf/cert.key"

Step 11 (Last Step): Now, you can start Apache web server and test.

 Since the security certificate that was generated here is self-signed,
 the browser may show you a warning that the connection/certificate,
 etc. is not trusted. But since this is your local development
 environment, you can ignore this warning and accept the risk and
 go ahead with the testing/development, etc.

 I do the same (ignore the warning and accept the risk).

 End 

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Stripping query string except from specific URL

[Dave Wreski]

RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=\d+$
RewriteRule (.*)   /$1?    [L,R=301,QSD]

[Sun Apr 28 15:40:02.614893 2024] ... rewrite 'resources/blog' ->
'index.php'
[Sun Apr 28 15:40:02.614921 2024] ... internal redirect with
/index.php [INTERNAL REDIRECT]

If I don't involve the first RewriteCond, it successfully strips
off the start= from every URL I tried.

What does "INTERNAL REDIRECT" mean? Is that something done outside
of apache? Perhaps by joomla? I believe there are other relevant
redirects after these, but it's very difficult to isolate what's
relevant.

The internal redirect is the result of your rewrite rule, without a 
fully qualified URL as a target.


Side note: the "rewrite 'resources/blog' -> 'index.php'" line seems to 
contradict your RewriteCond logic, so increasing the verbosity of the 
logging and looking at the previous lines will help fix that.


I increased it to trace5, and it did reveal more useful info.

[Sun Apr 28 21:55:36.542349 2024] ...  RewriteCond: 
input='/resources/blog' pattern='!/resources/blog' => not-matched


It looks like after this it just moved on to the next rewriterule, not 
the next rewritecond as part of this block, of sorts. I was assuming it 
was more of an AND statement, like "if URI is NOT /resources/blog AND 
query string contains start=..., then apply the following rewrite rule, 
but that's apparently not how it works.


I only want the rewrite rule above to apply to URLs that don't involve 
our blog.


And because the first RewriteCond isn't matched, it doesn't check the 
second RewriteCond, and therefore treats the RewriteRule as a standalone 
and not part of the previous RewriteRule, so then just redirects to the 
root, apparently still with the start= query string attached.


How do I write the logic such that it applies to every URL EXCEPT those 
I specify?

Re: [users@httpd] Stripping query string except from specific URL

[Frank Gingras]

On Sun, Apr 28, 2024 at 4:05 PM Dave Wreski
 wrote:

> Hi,
>
> I'm really quite stuck and hoped you could help.
>
> My apologies - the output was from wget, as that's what I typically use.
>>
>> $ curl 'https://guardiandigital.com/resources/blog?start=48'
>> 
>> 
>> 301 Moved Permanently
>> 
>> Moved Permanently
>> The document has moved https://guardiandigital.com/index.php;
>> >here.
>> 
>>
>>
>>
> The next step is to find out where the 301 is coming from - your rules
> will generate a 302.
>
> That may have been the result of me trying many different things and
> getting a bit confused (again). Here's what I know - when I insert the
> following code into my virtual host config, it strips the query string off
> the pages that don't involve /resources/blog, but redirects to a 404 when
> attempting to access a page involving "/resources/blog" and the "?start="
> query string.
>
> RewriteCond %{REQUEST_URI} !/resources/blog
> RewriteCond %{QUERY_STRING} ^start=\d+$
> RewriteRule (.*)   /$1?[L,R=301,QSD]
>
> [Sun Apr 28 15:40:02.614893 2024] ... rewrite 'resources/blog' ->
> 'index.php'
> [Sun Apr 28 15:40:02.614921 2024] ... internal redirect with /index.php
> [INTERNAL REDIRECT]
>
> If I don't involve the first RewriteCond, it successfully strips off the
> start= from every URL I tried.
>
> What does "INTERNAL REDIRECT" mean? Is that something done outside of
> apache? Perhaps by joomla? I believe there are other relevant redirects
> after these, but it's very difficult to isolate what's relevant.
>
>
>
The internal redirect is the result of your rewrite rule, without a fully
qualified URL as a target.

Side note: the "rewrite 'resources/blog' -> 'index.php'" line seems to
contradict your RewriteCond logic, so increasing the verbosity of the
logging and looking at the previous lines will help fix that.

Re: [users@httpd] Stripping query string except from specific URL

[Dave Wreski]

Hi,

I'm really quite stuck and hoped you could help.


My apologies - the output was from wget, as that's what I
typically use.

$ curl 'https://guardiandigital.com/resources/blog?start=48'


301 Moved Permanently

Moved Permanently
The document has moved https://guardiandigital.com/index.php;
>here.




The next step is to find out where the 301 is coming from - your rules 
will generate a 302.


That may have been the result of me trying many different things and 
getting a bit confused (again). Here's what I know - when I insert the 
following code into my virtual host config, it strips the query string 
off the pages that don't involve /resources/blog, but redirects to a 404 
when attempting to access a page involving "/resources/blog" and the 
"?start=" query string.


RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=\d+$
RewriteRule (.*)   /$1?    [L,R=301,QSD]

[Sun Apr 28 15:40:02.614893 2024] ... rewrite 'resources/blog' -> 
'index.php'
[Sun Apr 28 15:40:02.614921 2024] ... internal redirect with /index.php 
[INTERNAL REDIRECT]


If I don't involve the first RewriteCond, it successfully strips off the 
start= from every URL I tried.


What does "INTERNAL REDIRECT" mean? Is that something done outside of 
apache? Perhaps by joomla? I believe there are other relevant redirects 
after these, but it's very difficult to isolate what's relevant.

Re: [users@httpd] Flexible Worker Configuration for Dynamic Shared Object (DSO) Deployment

[Daniel Ferradal Márquez]

On 18/04/2024 16:50, Sarkar Tarun Kumar (ETAS-SEC/XPC-Bo1) wrote:

Hello,
...

My requirement is treating one of the services, specifically Service4, 
differently.


Apache should only spawn a single instance of Service4 and refrain from 
terminating the process until Apache server restarts.


Meanwhile, the remaining three services should continue behaving as 
before, initially spawning five instances and adjusting based on load.


My question is whether it is feasible to achieve this mixed treatment 
within a single Apache server through configuration changes.

>...

Only achievable with two different service instances, as in an Apache Farm.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache error logs of module "proxy_ajp" is not converting to JSON format

[Priyanshi Shah]

Hi,

We have defined this pattern in httpd.conf file globally. And all other
access logs and error logs are converting properly with the defined format.
Only below log is not converting to JSON

*[Tue Apr 16 06:06:20.902697 2024] [proxy_ajp:error] [pid 11056:tid 38644]
(OS 10054)An existing connection was forcibly closed by the remote host. :
AH01030: ajp_ilink_receive() can't receive header*

Thanks,
Priyanshi Pancholi

On Sun, Apr 21, 2024 at 5:42 PM Eric Covener  wrote:

> On Sun, Apr 21, 2024 at 7:57 AM Priyanshi Shah
>  wrote:
> >
> > Hi,
> >
> > We have converted our Apache error logs to JSON format by defining the
> format in httpd.conf file
> >
> > ErrorLogFormat "{"timestamp":"%{u}t", "ApacheModule": "%m",
> "level":"%l", "ApacheProcessId": "%P", "ApacheThreadId": "%T",
> "ApacheSourceFile":"%7F", "ErrorKind":"%E", "ClientIp":"%a", "ErrorMessage"
> : "%M"}"
>
> Is it defined globally or in a virtual host?
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

-- 
Thanks,
Priyanshi Shah

Re: [users@httpd] Stripping query string except from specific URL

[Frank Gingras]

On Wed, Apr 24, 2024 at 7:05 PM Dave Wreski
 wrote:

>
> 13 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET /index.php
>> HTTP/1.1" 200 33921 r:"-" "Wget/1.21.4" X:"SAMEORIGIN" 0/129431
>> 573/35481/33921 H:HTTP/1.1 U:/index.php gd443 s:200
>>
>
> It did exactly what you asked, yes.
>
> Further, I asked you to use curl to see if you get redirected from
> https://guardiandigital.com/index.php to another URL, but you seem to
> have ignored that part of the answer.
>
> My apologies - the output was from wget, as that's what I typically use.
>
> $ curl 'https://guardiandigital.com/resources/blog?start=48'
> 
> 
> 301 Moved Permanently
> 
> Moved Permanently
> The document has moved https://guardiandigital.com/index.php;
> >here.
> 
>
>
>
The next step is to find out where the 301 is coming from - your rules will
generate a 302.

Re: [users@httpd] Stripping query string except from specific URL

[Dave Wreski]

13 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET /index.php
HTTP/1.1" 200 33921 r:"-" "Wget/1.21.4" X:"SAMEORIGIN" 0/129431
573/35481/33921 H:HTTP/1.1 U:/index.php gd443 s:200


It did exactly what you asked, yes.

Further, I asked you to use curl to see if you get redirected from 
https://guardiandigital.com/index.php to another URL, but you seem to 
have ignored that part of the answer.


My apologies - the output was from wget, as that's what I typically use.

$ curl 'https://guardiandigital.com/resources/blog?start=48'


301 Moved Permanently

Moved Permanently
The document has moved href="https://guardiandigital.com/index.php;>here.

Re: [users@httpd] Stripping query string except from specific URL

[Frank Gingras]

On Wed, Apr 24, 2024 at 4:58 PM Dave Wreski
 wrote:

> Hi,
>
> We have a situation where we need to strip a query string from all URLs
>>> except ones matching a particular pattern. However, when I try the rules
>>> below, it redirects to the homepage for some reason.
>>>
>>> In this example, I'd like to strip off the query string from all URLs
>>> except those involving /resources/blog:
>>>
>>> RewriteCond %{REQUEST_URI} !/resources/blog
>>> RewriteCond %{QUERY_STRING} ^start=
>>> RewriteRule (.*)   https://guardiandigital.com$1[L,QSD]
>>>
>>> What am I missing?
>>>
>>> Thanks,
>>> Dave
>>>
>>>
>>>
>> To remove the query string, see the QSD flag, or append a ? at the end of
>> the target.
>>
>> That's what I'm doing, I think. What am I missing? It just redirects to
>> the homepage somehow.
>>
>> Shouldn't I be able to stack RewriteConds in this way, followed by a
>> RewriteRule?
>>
>> I have no idea what could be wrong.
>>
>
> Test with curl, and see if you get redirected after the fact.
>
> I've enabled trace3 to try and figure this out. But line 8 says
> "discarding query string, no parse from substitution" and I don't know why
> or what really that means.
>
> 1 [Wed Apr 24 15:19:36.440500 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> init rewrite engine with requested uri /resources/blog
>
> 2 [Wed Apr 24 15:19:36.445306 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> pass through /resources/blog
>
> 3 [Wed Apr 24 15:19:36.449369 2024] [rewrite:trace3] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> [perdir /home/docroot/] applying pattern '.*' to uri 'resources/blog'
>
> 4 [Wed Apr 24 15:19:36.449413 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> [perdir /home/docroot/] rewrite 'resources/blog' -> 'index.php'
>
> 5 [Wed Apr 24 15:19:36.449453 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> [perdir /home/docroot/] internal redirect with /index.php [INTERNAL
> REDIRECT]
>
> 6 [Wed Apr 24 15:19:36.449830 2024] [rewrite:trace3] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> applying pattern '(.*)' to uri '/index.php'
>
> 7 [Wed Apr 24 15:19:36.449848 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> rewrite '/index.php' -> 'https://guardiandigital.com/index.php'
>
> 8 [Wed Apr 24 15:19:36.449857 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> discarding query string, no parse from substitution
>
> 9 [Wed Apr 24 15:19:36.449864 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> explicitly forcing redirect with https://guardiandigital.com/index.php
>
> 10 [Wed Apr 24 15:19:36.449871 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> escaping https://guardiandigital.com/index.php for redirect
>
> 11 [Wed Apr 24 15:19:36.449880 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> 

Re: [users@httpd] Stripping query string except from specific URL

[Dave Wreski]

Hi,


We have a situation where we need to strip a query string
from all URLs except ones matching a particular pattern.
However, when I try the rules below, it redirects to the
homepage for some reason.

In this example, I'd like to strip off the query string from
all URLs except those involving /resources/blog:

RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=
RewriteRule (.*) https://guardiandigital.com$1 [L,QSD]

What am I missing?

Thanks,
Dave



To remove the query string, see the QSD flag, or append a ? at
the end of the target.


That's what I'm doing, I think. What am I missing? It just
redirects to the homepage somehow.

Shouldn't I be able to stack RewriteConds in this way, followed by
a RewriteRule?

I have no idea what could be wrong.


Test with curl, and see if you get redirected after the fact.


I've enabled trace3 to try and figure this out. But line 8 says 
"discarding query string, no parse from substitution" and I don't know 
why or what really that means.


1 [Wed Apr 24 15:19:36.440500 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] init 
rewrite engine with requested uri /resources/blog


2 [Wed Apr 24 15:19:36.445306 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] pass 
through /resources/blog


3 [Wed Apr 24 15:19:36.449369 2024] [rewrite:trace3] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir 
/home/docroot/] applying pattern '.*' to uri 'resources/blog'


4 [Wed Apr 24 15:19:36.449413 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir 
/home/docroot/] rewrite 'resources/blog' -> 'index.php'


5 [Wed Apr 24 15:19:36.449453 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir 
/home/docroot/] internal redirect with /index.php [INTERNAL REDIRECT]


6 [Wed Apr 24 15:19:36.449830 2024] [rewrite:trace3] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
applying pattern '(.*)' to uri '/index.php'


7 [Wed Apr 24 15:19:36.449848 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
rewrite '/index.php' -> 'https://guardiandigital.com/index.php'


8 [Wed Apr 24 15:19:36.449857 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
discarding query string, no parse from substitution


9 [Wed Apr 24 15:19:36.449864 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
explicitly forcing redirect with https://guardiandigital.com/index.php


10 [Wed Apr 24 15:19:36.449871 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
escaping https://guardiandigital.com/index.php for redirect


11 [Wed Apr 24 15:19:36.449880 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
redirect to https://guardiandigital.com/index.php [REDIRECT/301]


12 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET 
/resources/blog?start=48 HTTP/1.1" 301 245 r:"-" "Wget/1.21.4" 
X:"SAMEORIGIN" 0/9647 1183/6254/245 H:HTTP/1.1 U:/resources/blog gd443 s:301


... more checks against our rewrites ...

13 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET /index.php 
HTTP/1.1" 200 33921 r:"-" "Wget/1.21.4" X:"SAMEORIGIN" 0/129431 
573/35481/33921 H:HTTP/1.1 U:/index.php gd443 s:200

Re: [users@httpd] Stripping query string except from specific URL

[Frank Gingras]

On Wed, Apr 24, 2024 at 12:43 PM Dave Wreski
 wrote:

> Hi,
>
> We have a situation where we need to strip a query string from all URLs
>> except ones matching a particular pattern. However, when I try the rules
>> below, it redirects to the homepage for some reason.
>>
>> In this example, I'd like to strip off the query string from all URLs
>> except those involving /resources/blog:
>>
>> RewriteCond %{REQUEST_URI} !/resources/blog
>> RewriteCond %{QUERY_STRING} ^start=
>> RewriteRule (.*)   https://guardiandigital.com$1[L,QSD]
>>
>> What am I missing?
>>
>> Thanks,
>> Dave
>>
>>
>>
> To remove the query string, see the QSD flag, or append a ? at the end of
> the target.
>
> That's what I'm doing, I think. What am I missing? It just redirects to
> the homepage somehow.
>
> Shouldn't I be able to stack RewriteConds in this way, followed by a
> RewriteRule?
>
> I have no idea what could be wrong.
>
>
>
Test with curl, and see if you get redirected after the fact.

Re: [users@httpd] Stripping query string except from specific URL

[Dave Wreski]

Hi,


We have a situation where we need to strip a query string from all
URLs except ones matching a particular pattern. However, when I
try the rules below, it redirects to the homepage for some reason.

In this example, I'd like to strip off the query string from all
URLs except those involving /resources/blog:

RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=
RewriteRule (.*) https://guardiandigital.com$1 [L,QSD]

What am I missing?

Thanks,
Dave



To remove the query string, see the QSD flag, or append a ? at the end 
of the target.


That's what I'm doing, I think. What am I missing? It just redirects to 
the homepage somehow.


Shouldn't I be able to stack RewriteConds in this way, followed by a 
RewriteRule?


I have no idea what could be wrong.

Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

[Yann Ylavic]

On Mon, Apr 22, 2024 at 3:51 PM Daiya, Devendra singh
 wrote:
>
> SSLVerifyCLient require
> SSLVerifyDepth 10

These directives apply to the client/browser connection, so you are
effectively enabling mtls on the client side too, hence the error
messages ("AH02008: SSL library error 1 in handshake (server
hostname:port)" and "SSL Library Error: error:1417C0C7:SSL
routines:tls_process_client_certificate:peer did not return a
certificate") if the client isn't providing a certificate.

You should probably remove them if you only want mtls with the backend server.


Regards;
Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

[Daiya, Devendra singh]

Hi Frank,

My vhost looks as below. Anything incorrect set? I do have proxy.conf file but 
nothing related to SSL set in there. I will test apachectl -S and share you the 
result.



SSLEngine on
ProxyRequests Off
RewriteEngine on
SSLProxyEngine on
SSLProxyVerify on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLVerifyCLient require
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLOptions +ExportCertData
SSLProxyMachineCertificateFile "/path/to/certs/Appcert.pem"
SSLProxyCACertificateFile "/path/to/certs/trustedca.pem"
SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLCertificateChainFile "/path/to/hostname.crt"
SSLCACertificateFile "/path/to/trustedca.pem"


SSLProtocol -All +TLSv1.2 +TLSv1.1


SSLOptions +StdEnvVars


BrowserMatch "MSIE [2-5]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0



Regards,
Devendra


From: Frank Gingras 
Sent: Thursday, April 18, 2024 7:19 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

On Thu, Apr 18, 2024 at 3: 22 AM Daiya, Devendra singh  wrote: Hi Team, Need help in setting up MTLS between 
Apache HTTP server and Weblogic server (App Server). I have gone through few 
links but



On Thu, Apr 18, 2024 at 3:22 AM Daiya, Devendra singh 
mailto:devendra.s.da...@wellsfargo.com.invalid>>
 wrote:
Hi Team,

Need help in setting up MTLS between Apache HTTP server and Weblogic server 
(App Server).

I have gone through few links but those are not working. Post following 
suggested steps I was able to start Apache HTTP server but Application is not 
working. Getting below messages in the Error while accessing the application.

Could anyone please look at it and share some suggestion on how we should setup 
MTLS b/w Web and App server. Please let me know if any additional info needed.

Error message: -

"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : },
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }
"message" : "AH01998: Connection closed to child 138 with abortive shutdown 
(server hostname:port , "referer" : }
"message" : "AH01964: Connection to child 24 established (server 
hostname:port)" , "referer" : }
"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : }
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }

SSL.conf file has below directives set.


SSLEngine on

ProxyRequests Off

RewriteEngine on

SSLProxyEngine on

SSLProxyVerify on

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

SSLProxyCheckPeerExpire off

SSLVerifyCLient require

SSLVerifyDepth 10

SSLProxyVerifyDepth 10



SSLOptions +ExportCertData



SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"

SSLProxyCACertificateFile "/apps/certs/trustedca.pem"



SSLCertificateFile "/path/to/hostname.crt"

SSLCertificateKeyFile "/path/to/hostname.key"

SSLCertificateChainFile "/path/to/hostname.crt"

SSLCACertificateFile "/path/to/trustedca.pem"


Thanks.

Regards,
Devendra

Rough guess:

 
http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost

Otherwise, we would need to see the full vhost.

Might be worth running apachectl -S to make sure you don't have misconfigured / 
overlapping vhosts, as well.

Re: [users@httpd] No more message

[Gillis J. de Nijs]

To unsubscribe, please follow the steps outlined here:
https://httpd.apache.org/userslist.html

On Sun, Apr 21, 2024 at 9:44 PM Dalibor Medvedović <
dalibor.medvedo...@gmail.com> wrote:

> I'm out of discussion
>

[users@httpd] No more message

[Dalibor Medvedović]

I'm out of discussion

[users@httpd] No more message

[Dalibor Medvedović]

Thx.

Re: [users@httpd] Apache error logs of module "proxy_ajp" is not converting to JSON format

[Eric Covener]

On Sun, Apr 21, 2024 at 7:57 AM Priyanshi Shah
 wrote:
>
> Hi,
>
> We have converted our Apache error logs to JSON format by defining the format 
> in httpd.conf file
>
> ErrorLogFormat "{"timestamp":"%{u}t", "ApacheModule": "%m", "level":"%l", 
> "ApacheProcessId": "%P", "ApacheThreadId": "%T", "ApacheSourceFile":"%7F", 
> "ErrorKind":"%E", "ClientIp":"%a", "ErrorMessage" : "%M"}"

Is it defined globally or in a virtual host?

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Apache error logs of module "proxy_ajp" is not converting to JSON format

[Priyanshi Shah]

Hi,

We have converted our Apache error logs to JSON format by defining the
format in httpd.conf file

ErrorLogFormat "{"timestamp":"%{u}t", "ApacheModule": "%m", "level":"%l",
"ApacheProcessId": "%P", "ApacheThreadId": "%T", "ApacheSourceFile":"%7F",
"ErrorKind":"%E", "ClientIp":"%a", "ErrorMessage" : "%M"}"

After defining above format all the logs are printed in JSON format despite
one proxy_ajp module error

*[Tue Apr 16 06:06:20.902697 2024] [proxy_ajp:error] [pid 11056:tid 38644]
(OS 10054)An existing connection was forcibly closed by the remote host. :
AH01030: ajp_ilink_receive() can't receive header*

Other logs of the proxy_ajp module are also successfully converted to JSON.

We have changed the format and just kept *ErrorLogFormat %M* . still above
mentioned log is not converting to any format

I believe this particular log has no effect of *ErrorLogFormat* defined in
httpd.conf file

Please help me to convert this log to JSON

Re: [users@httpd] Stripping query string except from specific URL

[Frank Gingras]

On Fri, Apr 19, 2024 at 11:16 AM Dave Wreski
 wrote:

> Hi,
>
> We have a situation where we need to strip a query string from all URLs
> except ones matching a particular pattern. However, when I try the rules
> below, it redirects to the homepage for some reason.
>
> In this example, I'd like to strip off the query string from all URLs
> except those involving /resources/blog:
>
> RewriteCond %{REQUEST_URI} !/resources/blog
> RewriteCond %{QUERY_STRING} ^start=
> RewriteRule (.*)   https://guardiandigital.com$1[L,QSD]
>
> What am I missing?
>
> Thanks,
> Dave
>
>
>
To remove the query string, see the QSD flag, or append a ? at the end of
the target.

[users@httpd] Stripping query string except from specific URL

[Dave Wreski]

Hi,

We have a situation where we need to strip a query string from all URLs 
except ones matching a particular pattern. However, when I try the rules 
below, it redirects to the homepage for some reason.


In this example, I'd like to strip off the query string from all URLs 
except those involving /resources/blog:


RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=
RewriteRule (.*) https://guardiandigital.com$1    [L,QSD]

What am I missing?

Thanks,
Dave

[users@httpd] Flexible Worker Configuration for Dynamic Shared Object (DSO) Deployment

[Sarkar Tarun Kumar (ETAS-SEC/XPC-Bo1)]

Hello,

I require a specific configuration for managing my Dynamic Shared Object (DSO) 
module within Apache.
Currently, I have multiple services deployed on a RHEL7 Apache server, e.g. 
Service1, Service2, Service3, and Service4.
Each service is implemented as a separate .so file: libService1.so, 
libService2.so, libService3.so, and libService4.so.
Among these, Service1 and Service2 offer SOAP interfaces, while Service3 and 
Service4 offer REST interfaces.

At present, Apache treats all services uniformly, spawning five worker 
processes initially.
Consequently, all four services also have five instances running concurrently, 
with Apache dynamically adjusting worker processes based on system load.

My requirement is treating one of the services, specifically Service4, 
differently.
Apache should only spawn a single instance of Service4 and refrain from 
terminating the process until Apache server restarts.
Meanwhile, the remaining three services should continue behaving as before, 
initially spawning five instances and adjusting based on load.

My question is whether it is feasible to achieve this mixed treatment within a 
single Apache server through configuration changes.
If not, what alternative options exist within the Apache framework?
One potential solution could running two Apache server instances, one for the 
first three services and another dedicated to the fourth service.

I would appreciate any suggestions on how to fulfill this functionality.

Mit freundlichen Grüßen / Best regards

Tarun Kumar Sarkar
ETAS-SEC/XPC-Bo1

Tel. +49 234 43870-308 | Mobile +49 172 6994124
​

Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

[Frank Gingras]

On Thu, Apr 18, 2024 at 3:22 AM Daiya, Devendra singh
 wrote:

> Hi Team,
>
>
>
> Need help in setting up MTLS between Apache HTTP server and Weblogic
> server (App Server).
>
>
>
> I have gone through few links but those are not working. Post following
> suggested steps I was able to start Apache HTTP server but Application is
> not working. Getting below messages in the Error while accessing the
> application.
>
>
>
> *Could anyone please look at it and share some suggestion on how we should
> setup MTLS b/w Web and App server. Please let me know if any additional
> info needed.*
>
>
>
> *Error message: -*
>
>
>
> "message" : "AH02645: Server name not provided via TLS extension (using
> default/first virtual host)" , "referer" : },
>
> "message" : "AH02008: SSL library error 1 in handshake (server
> hostname:port)" , "referer" : }
>
> "message" : "SSL Library Error: error:1417C0C7:SSL
> routines:tls_process_client_certificate:peer did not return a certificate
> -- No CAs known to server for verification?" , "referer" : }
>
> "message" : "AH01998: Connection closed to child 138 with abortive
> shutdown (server hostname:port , "referer" : }
>
> "message" : "AH01964: Connection to child 24 established (server
> hostname:port)" , "referer" : }
>
> "message" : "AH02645: Server name not provided via TLS extension (using
> default/first virtual host)" , "referer" : }
>
> "message" : "AH02008: SSL library error 1 in handshake (server
> hostname:port)" , "referer" : }
>
> "message" : "SSL Library Error: error:1417C0C7:SSL
> routines:tls_process_client_certificate:peer did not return a certificate
> -- No CAs known to server for verification?" , "referer" : }
>
>
>
> *SSL.conf file has below directives set.*
>
>
>
> SSLEngine on
>
> ProxyRequests Off
>
> RewriteEngine on
>
> SSLProxyEngine on
>
> SSLProxyVerify on
>
> SSLProxyCheckPeerCN off
>
> SSLProxyCheckPeerName off
>
> SSLProxyCheckPeerExpire off
>
> SSLVerifyCLient require
>
> SSLVerifyDepth 10
>
> SSLProxyVerifyDepth 10
>
>
>
> SSLOptions +ExportCertData
>
>
>
> SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"
>
> SSLProxyCACertificateFile "/apps/certs/trustedca.pem"
>
>
>
> SSLCertificateFile "/path/to/hostname.crt"
>
> SSLCertificateKeyFile "/path/to/hostname.key"
>
> SSLCertificateChainFile "/path/to/hostname.crt"
>
> SSLCACertificateFile "/path/to/trustedca.pem"
>
>
>
>
>
> Thanks.
>
>
>
> *Regards,*
>
> *Devendra*
>

Rough guess:

 http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost

Otherwise, we would need to see the full vhost.

Might be worth running apachectl -S to make sure you don't have
misconfigured / overlapping vhosts, as well.

[users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

[Daiya, Devendra singh]

Hi Team,

Need help in setting up MTLS between Apache HTTP server and Weblogic server 
(App Server).

I have gone through few links but those are not working. Post following 
suggested steps I was able to start Apache HTTP server but Application is not 
working. Getting below messages in the Error while accessing the application.

Could anyone please look at it and share some suggestion on how we should setup 
MTLS b/w Web and App server. Please let me know if any additional info needed.

Error message: -

"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : },
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }
"message" : "AH01998: Connection closed to child 138 with abortive shutdown 
(server hostname:port , "referer" : }
"message" : "AH01964: Connection to child 24 established (server 
hostname:port)" , "referer" : }
"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : }
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }

SSL.conf file has below directives set.


SSLEngine on

ProxyRequests Off

RewriteEngine on

SSLProxyEngine on

SSLProxyVerify on

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

SSLProxyCheckPeerExpire off

SSLVerifyCLient require

SSLVerifyDepth 10

SSLProxyVerifyDepth 10



SSLOptions +ExportCertData



SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"

SSLProxyCACertificateFile "/apps/certs/trustedca.pem"



SSLCertificateFile "/path/to/hostname.crt"

SSLCertificateKeyFile "/path/to/hostname.key"

SSLCertificateChainFile "/path/to/hostname.crt"

SSLCACertificateFile "/path/to/trustedca.pem"


Thanks.

Regards,
Devendra

Re: [users@httpd] better configtest

[Eric Covener]

> What is the point of not starting httpd if there is an issue with a single 
> virtual host?

This gives the best feedback to the user that the config couldn't be honored.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] better configtest

[Marc]

> >
> > 1.
> > what is the point of having a apachectl configtest, when a restart can
> still fail? It can't be to difficult to include cert checks here, can it?
> This is now becoming a significant part.
> 
> The bar is useful, not perfect.  configtest checks for _syntax_ validity.
> 
> > 2.
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> >
> > This is useless, why not list config line or cert name?
> 
> This error means post-configuration failed. This is when the collected
> config is acted upon, which is not really within line-by-line mode.
> Normally there's a preceding error message with more details, maybe in
> a vhost-specific error log?

Maybe, I would have to look through quite a lot. 

Can't the development team re-think about this? What is the point of not 
starting httpd if there is an issue with a single virtual host? Why not have 
that specific virtual host fail only? I would like to have this config syntax 
check expanded to cert content or some other way of validating that I can test 
if I can restart httpd safely.






-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[General Email]

On Wed, Apr 17, 2024, 3:27 PM General Email <
general.email.12341...@gmail.com> wrote:

>
>
>> > If people are asking for advice on PHP then advise them on PHP or don't
>> say anything.
>> > Don't start advising them about Java.
>>
>> Please... I am not even making remarks about you asking openssl questions
>> at httpd.
>>
>
>
> So, is this wrong forum for asking about openssl commands required for
> generating certificates for enabling https on apache?
>
> I can easily look at openssl website or other websites and look how to
> create self signed certificates. However, I was not sure if that would work
> on apache. That's why I asked here.
>
> Most of the websites showed how to generate .pem certificates, but after
> reading about ssl/https on apache website, I saw that apache requires .crt
> certificates.
>
> Obviously, I can figure out this whole thing if I read whole openssl
> manual and apache ssl configs, etc. but I don't want to invest time in that
> and I was looking for a quick solution and that's why I posted here.
>
>
>
>> I think most people will understand that I try to make you see the
>> difference between developing an application and how it is hosted/used what
>> ever, operate within your area of expertise.
>>
>
> I know this and I told you that I want to hard code https. Now, please
> tell me how can my idea go wrong?
>
> Please don't tell me how other people's unrelated ideas went wrong.
>
> Let's have a meaningful discussion.
>
> I don't work for any company.
>
> I do freelancing. I am doing this project for a real estate client. So,
> its only me who will do everything and decide everything - development,
> testing, maintenance hosting, hard coding, migration, https, ssl, etc.
>
> I would really like to know how my idea of hardcoding https can go wrong?
>

Anyways, I looked more on google and I think that I have found what I was
looking for on this page:
https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Marc]

> 
>   So, is this wrong forum for asking about openssl commands required
> for generating certificates for enabling https on apache?
>

Mostly you will be notified. The only thing you need to add to your virtual 
host for https is this:

SSLEngine on
SSLCertificateFile 
SSLCertificateChainFile 
SSLCertificateKeyFile 

It really does not matter how keys / crts have been generated. Just choose 
something that is quick and easy. 

> 
>   Most of the websites showed how to generate .pem certificates, but
> after reading about ssl/https on apache website, I saw that apache
> requires .crt certificates.

pem, crt, cer check if they start like this

-BEGIN CERTIFICATE-

check apache log file for start up errors.

>   Obviously, I can figure out this whole thing if I read whole
> openssl manual and apache ssl configs, etc. but I don't want to invest
> time in that and I was looking for a quick solution and that's why I
> posted here.
> 

Just choose a tool that can quickly generate key and crt. Does not matter which 
tool. Someone send you already reply to something.


>   I would really like to know how my idea of hardcoding https can go
> wrong?
> 

It can be anything, it is just unexpected application behaviour to someone who 
might work with it in the future. Maybe internal health check url? Cron? 
Debugging? Personally I find it sometimes annoying with testing container 
images. In my own development environment I am constantly switching between 
development and production certs.

I would always opt for having this at least configured as an option.

> 
> Anyways, I looked more on google and I think that I have found what I was
> looking for on this page:
> https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a
> 

Forget about going specific for openssl, it is just a tool. Choose the simplest 
solution for your development environment. If you are doing hosting yourself. 
Your going to end up with automated certs on your hosting environment any way, 
you will never see an openssl command.

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Marc]

> I don't know what you are trying to prove by your points + you are
> insulting people for no reason.

I am insulting no one, mostly stating what is common.


> If you insult people, they may insult you back.
> 
> Russia attacked Ukraine and Ukraine/NATO hit Russia back.

I think you are the only one on this planet that would dare to summarize this 
conflict like this. But it proves my point, stick just to what you know, with 
development.


> The original discussion was about openssl commands and I think that since
> you don't know openssl commands, you should not have said anything.
> 

You wrote it was for a local development environment. I just thought why bother 
with the openssl? Obviously I should not have made assumptions. You could also 
be cryptographer working on mod_ssl.


> Let other people do what they want to do. If they want to hardcode
> something, why are you bothered.

I am just pointing out there multiple roads that lead to Rome. Some of which 
are known to be less troublesome than others. If you get stuck on some dirt 
track to Rome, others will be required to come and help.


> I will hard code https, its my choice. It has nothing to do with you.
> 

Obviously, I am just stating it is not really what most experienced 
professionals do. 


> Now, you are saying to hard code root name servers, etc. which doesn't
> make sense.

Because you do not know about it. That is the point I am trying to make. Just 
separate it from application development.


> You are taking this discussion in all sorts of directions and I don't
> know what you want to prove.

Really? I thought I made my point numerous times.


> If people are asking for advice on PHP then advise them on PHP or don't say 
> anything.
> Don't start advising them about Java.

Please... I am not even making remarks about you asking openssl questions at 
httpd.


> 
> By the way, if you insult me, I will insult you back.
> 

I think most people will understand that I try to make you see the difference 
between developing an application and how it is hosted/used what ever, operate 
within your area of expertise. 

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[General Email]

>
> > If people are asking for advice on PHP then advise them on PHP or don't
> say anything.
> > Don't start advising them about Java.
>
> Please... I am not even making remarks about you asking openssl questions
> at httpd.
>


So, is this wrong forum for asking about openssl commands required for
generating certificates for enabling https on apache?

I can easily look at openssl website or other websites and look how to
create self signed certificates. However, I was not sure if that would work
on apache. That's why I asked here.

Most of the websites showed how to generate .pem certificates, but after
reading about ssl/https on apache website, I saw that apache requires .crt
certificates.

Obviously, I can figure out this whole thing if I read whole openssl manual
and apache ssl configs, etc. but I don't want to invest time in that and I
was looking for a quick solution and that's why I posted here.



> I think most people will understand that I try to make you see the
> difference between developing an application and how it is hosted/used what
> ever, operate within your area of expertise.
>

I know this and I told you that I want to hard code https. Now, please tell
me how can my idea go wrong?

Please don't tell me how other people's unrelated ideas went wrong.

Let's have a meaningful discussion.

I don't work for any company.

I do freelancing. I am doing this project for a real estate client. So, its
only me who will do everything and decide everything - development,
testing, maintenance hosting, hard coding, migration, https, ssl, etc.

I would really like to know how my idea of hardcoding https can go wrong?

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[General Email]

On Wed, Apr 17, 2024, 1:17 PM Marc  wrote:

>
> >
> >   http is an insecure protocol. I don't want my website to run on
> > http. So, I am hardcoding https in links in my website that refer to
> > pages in my website.
> >
> >
> >   Now, I know that you will write why not redirect http to https by
> > default.
>
> No because that is not relevant to me and what I would like to address. I
> am even deploying https on tasks in private air-gapped environments. This
> is not a discussion about whether or not https should be used and when.
>
>
> > The problem with this is that if the website gets migrated to
> > different provider and if people forget to redirect http to https in new
> > setup then it will become a security problem.
>
> I know there are many idiots out there and your concern is very valid.
> Most of the security breaches you read about is about such issues.
> However, can you imagine the apache dev team thinking like you? Hard
> coding everything to https? Can you imagine all http ports of tomcat,
> httpd, jboss etc. being dropped? These people have been making rock solid
> applications for decades they don't lecture others how to use or not use
> https.
> You will never match them in any way, why not follow their lead?
>
>
> >   Hardcoding https solves all issues.
> >
>
> A few years back I had an argument with apple developers. They were having
> in the build process of the calendar server openssl. The developers thought
> for security purposes it would be better to include it in the build. This
> resulted in that calenderservers were always having an old insecure
> openssl, because the openssl updated by the distribution was not used. (and
> nobody is going to build the application frequently) This is what happens
> when application developers think they are security geniuses.
>
> The point I am trying to make is that you as an application developer
> should be focussed on developing your application it is not your business
> how this application is hosted. You should not concern yourself with things
> you are not experienced in/with. Especially when it comes to something as
> crucial as security. You are not removing ca certs from the trust store,
> your are not setting secure ciphers, you are not setting limits on key
> sizes etc. Why would you then even bother with https or http?
>
> With your argument you might as well hard code the domain name in your
> application (like wordpress) and hardcode root name servers etc.
> If you buy an egg in the store, it does not come with any requirement that
> it should be used only for making cakes. Grasp this concept.
>


Marc,

I don't know what you are trying to prove by your points + you are
insulting people for no reason.

If you insult people, they may insult you back.

Russia attacked Ukraine and Ukraine/NATO hit Russia back.

The original discussion was about openssl commands and I think that since
you don't know openssl commands, you should not have said anything.

Let other people do what they want to do. If they want to hardcode
something, why are you bothered.

I will hard code https, its my choice. It has nothing to do with you.

Now, you are saying to hard code root name servers, etc. which doesn't make
sense.

You are taking this discussion in all sorts of directions and I don't know
what you want to prove.

If you want to prove that you are a very smart person and other people are
fools then for that you need to play chess with all other people and win
all the games. You can invite wordpress idiots to play chess with you and
then if you win then probably you can tell that person that he/she is an
idiot.

There are many people in this world who are very smart but they don't say
that other people are fools - for example, Steve Wozniak, Larry Page,
Knuth, etc.

If people are asking for advice on PHP then advise them on PHP or don't say
anything. Don't start advising them about Java.

By the way, if you insult me, I will insult you back.

GE

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Marc]

> 
>   http is an insecure protocol. I don't want my website to run on
> http. So, I am hardcoding https in links in my website that refer to
> pages in my website.
>
>
>   Now, I know that you will write why not redirect http to https by
> default. 

No because that is not relevant to me and what I would like to address. I am 
even deploying https on tasks in private air-gapped environments. This is not a 
discussion about whether or not https should be used and when.


> The problem with this is that if the website gets migrated to
> different provider and if people forget to redirect http to https in new
> setup then it will become a security problem.

I know there are many idiots out there and your concern is very valid. Most of 
the security breaches you read about is about such issues. 
However, can you imagine the apache dev team thinking like you? Hard coding 
everything to https? Can you imagine all http ports of tomcat, httpd, jboss 
etc. being dropped? These people have been making rock solid applications for 
decades they don't lecture others how to use or not use https. 
You will never match them in any way, why not follow their lead?


>   Hardcoding https solves all issues.
> 

A few years back I had an argument with apple developers. They were having in 
the build process of the calendar server openssl. The developers thought for 
security purposes it would be better to include it in the build. This resulted 
in that calenderservers were always having an old insecure openssl, because the 
openssl updated by the distribution was not used. (and nobody is going to build 
the application frequently) This is what happens when application developers 
think they are security geniuses.

The point I am trying to make is that you as an application developer should be 
focussed on developing your application it is not your business how this 
application is hosted. You should not concern yourself with things you are not 
experienced in/with. Especially when it comes to something as crucial as 
security. You are not removing ca certs from the trust store, your are not 
setting secure ciphers, you are not setting limits on key sizes etc. Why would 
you then even bother with https or http?

With your argument you might as well hard code the domain name in your 
application (like wordpress) and hardcode root name servers etc. 
If you buy an egg in the store, it does not come with any requirement that it 
should be used only for making cakes. Grasp this concept.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Yehuda Katz]

I have always had issues with OpenSSL on Windows, so I gave up and started
using xca (https://hohnstaedt.de/xca/). I created a root certificate that I
imported into the Windows trust store and I create new certificates for
each website in my dev environment.

- Y

On Tue, Apr 16, 2024 at 9:26 PM General Email <
general.email.12341...@gmail.com> wrote:

>
> This is also not relevant to what I am stating. If you develop, do it
>> regardless of http/https that is convenient for everyone. It will be to
>> your own benefit. If you have to host the application on your own server,
>> so be it. It will be easier with choosing your https solution. You could
>> already be developing it now, and later you can check how to use openssl.
>> Last thing you want, is an application that forces https or http.
>>
>
>
> http is an insecure protocol. I don't want my website to run on http. So,
> I am hardcoding https in links in my website that refer to pages in my
> website.
>
> Now, I know that you will write why not redirect http to https by default.
> The problem with this is that if the website gets migrated to different
> provider and if people forget to redirect http to https in new setup then
> it will become a security problem.
>
> Hardcoding https solves all issues.
>
>
>

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[General Email]

> This is also not relevant to what I am stating. If you develop, do it
> regardless of http/https that is convenient for everyone. It will be to
> your own benefit. If you have to host the application on your own server,
> so be it. It will be easier with choosing your https solution. You could
> already be developing it now, and later you can check how to use openssl.
> Last thing you want, is an application that forces https or http.
>


http is an insecure protocol. I don't want my website to run on http. So, I
am hardcoding https in links in my website that refer to pages in my
website.

Now, I know that you will write why not redirect http to https by default.
The problem with this is that if the website gets migrated to different
provider and if people forget to redirect http to https in new setup then
it will become a security problem.

Hardcoding https solves all issues.

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Marc]

> 
> On Tuesday 16 April 2024 at 18:42:09, Marc wrote:
> 
> > This is more about the ability to host an application regardless if it
> is
> > on http or https. How https is enforced/applied is up to the manager of
> > the server, why would you even care as a developer of an application?
> 
> I often develop applications on servers which I manage.

How is this relevant?

> Please stop trying to enforce your opinion of the demarcation between
> disciplines on other people.
> 
> Not every developer is only a developer.
> 

This is also not relevant to what I am stating. If you develop, do it 
regardless of http/https that is convenient for everyone. It will be to your 
own benefit. If you have to host the application on your own server, so be it. 
It will be easier with choosing your https solution. You could already be 
developing it now, and later you can check how to use openssl. Last thing you 
want, is an application that forces https or http.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Antony Stone]

On Tuesday 16 April 2024 at 18:57:13, Marc wrote:

> 15 years ago people were not writing about gays.
>
> Maybe it takes another 15 years to be allowed to write about idiots.

Don't be silly.

Gay people identify themselves as gay, and talking about them as such is not a 
pejorative term.

If you can find someone who identifies themselves as an idiot, then perhaps 
you're allowed to refer to them as such, but if it's just your own opinion 
that they're an idiot, you're being anti-social and unpleasant.

I think all Frank was trying to say was "please let's keep to the technical 
support of people who are trying to use Apache, and stop throwing insults at 
them, because it's not constructive to the conversation".


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Marc]

>   >
>   >   But should your development be not protocol independent? If
> your
>   > code works on http it should also work on https. I am getting
> sick of
>   > these wordpress idiots where they still have hardcoded links
> everywhere
>   > and I can't even convert a website from http to https.
>   >
>   >
>   >
>   > Are you saying that I am a wordpress idiot?
>   >
> 
>   No :) Development/management team of wordpress are idiots. They are
> still advising people incorrectly to upgrade eg while distributions are
> backporting security stuff. A developer should just do developing. A
> dentist is also not telling an ophthalmologist what to do. Why do you
> care if you are using http or https? Unless you are developing something
> specific to the https protocol (eg. sni) forget about it.
> 
> 
> 
> Marc, let's try to be friendly towards users and adopt a more neutral
> tone.  New users have questions, and it's normal. Calling folks "idiots"
> isn't helping here.
> 

And I am trying so hard to be part of the woke movement. 15 years ago people 
were not writing about gays. Maybe it takes another 15 years to be allowed to 
write about idiots. They already are officially mentioned in the dictionary. ;)


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Antony Stone]

On Tuesday 16 April 2024 at 18:42:09, Marc wrote:

> This is more about the ability to host an application regardless if it is
> on http or https. How https is enforced/applied is up to the manager of
> the server, why would you even care as a developer of an application?

I often develop applications on servers which I manage.

Please stop trying to enforce your opinion of the demarcation between 
disciplines on other people.

Not every developer is only a developer.


Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."


   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Marc]

> 
> Pardon me- have 443 redirect to 80 of the environment variable is true.
> Alternatively, have a completely different 443 vhost declared for
> development purposes
> 
> On Tue, Apr 16, 2024 at 11:30 AM Will Fatherley   > wrote:
> 
> 
> 
>   But should your development be not protocol independent? If
> your code works on http it should also work on https. I am getting sick
> of these wordpress idiots where they still have hardcoded links
> everywhere and I can't even convert a website from http to https.
> 
> 
>   TLS is not in the application layer as HTTP is, so it’s just a
> complication that has to be managed in development. I don’t know how
> Wordpress works, but there are solutions beyond its configuration.

You are writting it is not application layer and then write it needs to be 
addressed in development?

>   For example, if you just need to verify your HTTP-based application
> functions as desired, but there is commingling of HTTPS and HTTP in
> application HREFs then use the `if` directive with a development-only
> environment variable in your virtual hosts. If the client follows a HTTPS
> link that isn’t going to work for keying material reasons, have the 443
> virtual host redirect to 80 if the development variable in the
> development environment
> 

This is more about the ability to host an application regardless if it is on 
http or https. How https is enforced/applied is up to the manager of the 
server, why would you even care as a developer of an application?

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Will Fatherley]

Pardon me- have 443 redirect to 80 of the environment variable is true.
Alternatively, have a completely different 443 vhost declared for
development purposes

On Tue, Apr 16, 2024 at 11:30 AM Will Fatherley 
wrote:

>
> But should your development be not protocol independent? If your code
>> works on http it should also work on https. I am getting sick of these
>> wordpress idiots where they still have hardcoded links everywhere and I
>> can't even convert a website from http to https.
>>
> TLS is not in the application layer as HTTP is, so it’s just a
> complication that has to be managed in development. I don’t know how
> Wordpress works, but there are solutions beyond its configuration.
>
> For example, if you just need to verify your HTTP-based application
> functions as desired, but there is commingling of HTTPS and HTTP in
> application HREFs then use the `if` directive with a development-only
> environment variable in your virtual hosts. If the client follows a HTTPS
> link that isn’t going to work for keying material reasons, have the 443
> virtual host redirect to 80 if the development variable in the development
> environment
>

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Will Fatherley]

> But should your development be not protocol independent? If your code
> works on http it should also work on https. I am getting sick of these
> wordpress idiots where they still have hardcoded links everywhere and I
> can't even convert a website from http to https.
>
TLS is not in the application layer as HTTP is, so it’s just a complication
that has to be managed in development. I don’t know how Wordpress works,
but there are solutions beyond its configuration.

For example, if you just need to verify your HTTP-based application
functions as desired, but there is commingling of HTTPS and HTTP in
application HREFs then use the `if` directive with a development-only
environment variable in your virtual hosts. If the client follows a HTTPS
link that isn’t going to work for keying material reasons, have the 443
virtual host redirect to 80 if the development variable in the development
environment

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Frank Gingras]

On Tue, Apr 16, 2024 at 11:11 AM Marc  wrote:

> >
> >
> >   But should your development be not protocol independent? If your
> > code works on http it should also work on https. I am getting sick of
> > these wordpress idiots where they still have hardcoded links everywhere
> > and I can't even convert a website from http to https.
> >
> >
> >
> > Are you saying that I am a wordpress idiot?
> >
>
> No :) Development/management team of wordpress are idiots. They are still
> advising people incorrectly to upgrade eg while distributions are
> backporting security stuff. A developer should just do developing. A
> dentist is also not telling an ophthalmologist what to do. Why do you care
> if you are using http or https? Unless you are developing something
> specific to the https protocol (eg. sni) forget about it.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org


Marc, let's try to be friendly towards users and adopt a more neutral
tone.  New users have questions, and it's normal. Calling folks "idiots"
isn't helping here.

Thanks.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Antony Stone]

On Tuesday 16 April 2024 at 16:07:09, Marc wrote:

> A developer should just do developing.

Some people, especially in smaller organisations, have to be multi-skilled.

> A dentist is also not telling an ophthalmologist what to do.

No, but a dentist might have some valuable advice on diet.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Marc]

> 
> 
>   But should your development be not protocol independent? If your
> code works on http it should also work on https. I am getting sick of
> these wordpress idiots where they still have hardcoded links everywhere
> and I can't even convert a website from http to https.
> 
> 
> 
> Are you saying that I am a wordpress idiot?
> 

No :) Development/management team of wordpress are idiots. They are still 
advising people incorrectly to upgrade eg while distributions are backporting 
security stuff. A developer should just do developing. A dentist is also not 
telling an ophthalmologist what to do. Why do you care if you are using http or 
https? Unless you are developing something specific to the https protocol (eg. 
sni) forget about it.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[General Email]

>
> Here’s a possible SO question that might help you:
>
> https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl
>

Thanks Will. I will look look into it.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[General Email]

> But should your development be not protocol independent? If your code
> works on http it should also work on https. I am getting sick of these
> wordpress idiots where they still have hardcoded links everywhere and I
> can't even convert a website from http to https.
>

Are you saying that I am a wordpress idiot?

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Will Fatherley]

> Can someone please give me exact openssl command(s) to use.
>

Command parameters can vary, and encryption technology is regulated by
national laws. You should consult with your IT security staff on this
matter if possible.

What you are probably looking for is “how to self-sign my TLS public key”.
Here’s a basic sketch of what this looks like in production:

You as subject have generated for your server a public/private key-pair
already with, eg, openssl. Now you need a certificate authority, ca, to
sign the public key, rendering your public key certificate. This is
achieved by creating a certificate signature request or csr with, eg,
openssl, and giving it to ca. Then ca may render the certificate to you for
you to distribute how you like. These steps can be achieved by you acting
both as subject and ca, by self-signing.

Here’s a possible SO question that might help you:
https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl

>

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Marc]

> 
> Windows is my development environment. Later the website will be hosted
> on linux and the linux hosting provider will provide SSL certificate.
> 

But should your development be not protocol independent? If your code works on 
http it should also work on https. I am getting sick of these wordpress idiots 
where they still have hardcoded links everywhere and I can't even convert a 
website from http to https.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[General Email]

> I think you need to search for setting up your own CA and sign certs.


Windows is my development environment. Later the website will be hosted on
linux and the linux hosting provider will provide SSL certificate.

I had looked at
https://stackoverflow.com/questions/4221874/how-do-i-allow-https-for-apache-on-localhost

But it looks like many answers on this page are obsolete now.


I don't think openssl commands are any differnt on windows.


Yeah, they are not. But I don't know what all arguments to give to openssl.

Maybe easier to get an existing cert and use that, and just ignore the
> warning?
> Maybe there are even easier to use tools on windows that do this all for
>

I actually want to use openssl. openssl.exe comes with apache 2.4
distribution.

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[Marc]

> 
> I was looking for openssl command(s) to generate server side certificate
> and key so that https start working on my apache 2.4 web server on
> windows.
> 
> I looked on Internet but found few commands but they all used different
> arguments to openssl.
> 
> Can someone please give me exact openssl command(s) to use.
> 
> I will appreciate it.

I think you need to search for setting up your own CA and sign certs. I don't 
think openssl commands are any differnt on windows. Maybe easier to get an 
existing cert and use that, and just ignore the warning?
Maybe there are even easier to use tools on windows that do this all for you? 
Microsoft certool?


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

[General Email]

Hi,

I was looking for openssl command(s) to generate server side certificate
and key so that https start working on my apache 2.4 web server on windows.

I looked on Internet but found few commands but they all used different
arguments to openssl.

Can someone please give me exact openssl command(s) to use.

I will appreciate it.

Regards,
GE

Re: [users@httpd] better configtest

[Eric Covener]

On Tue, Apr 16, 2024 at 4:42 AM Marc  wrote:
>
>
> With the forced upon us 90 day certificate renewal crap, my httpd was down 
> today although I have a 'restart procedure' that verifies a bit for errors 
> with apachectl configtest.
>
> 1.
> what is the point of having a apachectl configtest, when a restart can still 
> fail? It can't be to difficult to include cert checks here, can it? This is 
> now becoming a significant part.

The bar is useful, not perfect.  configtest checks for _syntax_ validity.

> 2.
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
>
> This is useless, why not list config line or cert name?

This error means post-configuration failed. This is when the collected
config is acted upon, which is not really within line-by-line mode.
Normally there's a preceding error message with more details, maybe in
a vhost-specific error log?

-- 
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] better configtest

[Xavier Belanger]

Hi,

Marc  wrote:

> With the forced upon us 90 day certificate renewal crap, my httpd
> was down today although I have a 'restart procedure' that verifies
> a bit for errors with apachectl configtest.

Regardless of the certificate duration I would recommend to use
some monitoring tool to check on the status of the web service and
get an alert when the certificate is close from its expiration date.

I personally use Monit [1], but there is probably plenty of other
tools that could fullfill the same purpose.

Sincerely,

1: https://mmonit.com/monit/
-- 
Xavier Belanger

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] better configtest

[Marc]

With the forced upon us 90 day certificate renewal crap, my httpd was down 
today although I have a 'restart procedure' that verifies a bit for errors with 
apachectl configtest.

1. 
what is the point of having a apachectl configtest, when a restart can still 
fail? It can't be to difficult to include cert checks here, can it? This is now 
becoming a significant part.

2.
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed

This is useless, why not list config line or cert name?

RE: [users@httpd] RE: pipe logs to somethings that resembles a curl post

[Marc]

> >
> > [1]
> > https://httpd.apache.org/docs/current/mod/mod_log_config.html
> >
> > [2]
> > https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats
> 
> You could also use
> https://httpd.apache.org/docs/current/mod/mod_lua.html#luahooklog to
> split up your logs or discard/silence certain entries.
> 

Thanks! that is indeed also a nice option. I would not be surprised if I would 
want to manage this a bit more in the near future. 

Re: [users@httpd] RE: pipe logs to somethings that resembles a curl post

[Daniel Gruno]

On 4/10/24 07:22, Marc wrote:


Oops I was mislead by some old posts. GlobalLog[1] does this for everything. 
However I have not found what value[2] has the requested virtual host name.

[1]
https://httpd.apache.org/docs/current/mod/mod_log_config.html

[2]
https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats


You could also use 
https://httpd.apache.org/docs/current/mod/mod_lua.html#luahooklog to 
split up your logs or discard/silence certain entries.






Currently I have modified some rust application that does this to
satisfaction. But piping to a 60MB binary for quite a few virtual hosts
does not really seem efficient to me.
Is there not some apache module that can offer a "global" access to
logging and 'clones' all logging to some tcp socket? (I prefer not to
route first to syslog)




I was wondering how I could use piped logs to redirect some logs,
comparable to curl post requests.

[1]
https://httpd.apache.org/docs/current/logs.html


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] RE: pipe logs to somethings that resembles a curl post

[Marc]

%v sorry for polluting this list

PS. If it is any consolation, I have registered myself at a retirement home

> -Original Message-
> From: Marc 
> Sent: Wednesday, 10 April 2024 14:22
> To: users@httpd.apache.org
> Subject: [users@httpd] RE: pipe logs to somethings that resembles a curl
> post
> 
> 
> Oops I was mislead by some old posts. GlobalLog[1] does this for
> everything. However I have not found what value[2] has the requested
> virtual host name.
> 
> [1]
> https://httpd.apache.org/docs/current/mod/mod_log_config.html
> 
> [2]
> https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats
> 
> >
> > Currently I have modified some rust application that does this to
> > satisfaction. But piping to a 60MB binary for quite a few virtual hosts
> > does not really seem efficient to me.
> > Is there not some apache module that can offer a "global" access to
> > logging and 'clones' all logging to some tcp socket? (I prefer not to
> > route first to syslog)
> >
> > >
> > >
> > > I was wondering how I could use piped logs to redirect some logs,
> > > comparable to curl post requests.
> > >
> > > [1]
> > > https://httpd.apache.org/docs/current/logs.html
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] RE: pipe logs to somethings that resembles a curl post

[Marc]

Oops I was mislead by some old posts. GlobalLog[1] does this for everything. 
However I have not found what value[2] has the requested virtual host name. 

[1]
https://httpd.apache.org/docs/current/mod/mod_log_config.html

[2]
https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats

> 
> Currently I have modified some rust application that does this to
> satisfaction. But piping to a 60MB binary for quite a few virtual hosts
> does not really seem efficient to me.
> Is there not some apache module that can offer a "global" access to
> logging and 'clones' all logging to some tcp socket? (I prefer not to
> route first to syslog)
> 
> >
> >
> > I was wondering how I could use piped logs to redirect some logs,
> > comparable to curl post requests.
> >
> > [1]
> > https://httpd.apache.org/docs/current/logs.html
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] RE: pipe logs to somethings that resembles a curl post

[Marc]

Currently I have modified some rust application that does this to satisfaction. 
But piping to a 60MB binary for quite a few virtual hosts does not really seem 
efficient to me. 
Is there not some apache module that can offer a "global" access to logging and 
'clones' all logging to some tcp socket? (I prefer not to route first to 
syslog) 

> 
> 
> I was wondering how I could use piped logs to redirect some logs,
> comparable to curl post requests.
> 
> [1]
> https://httpd.apache.org/docs/current/logs.html

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] pipe logs to somethings that resembles a curl post

[Marc]

I was wondering how I could use piped logs to redirect some logs, comparable to 
curl post requests. 

[1]
https://httpd.apache.org/docs/current/logs.html

RE: [users@httpd] Re: Apache server v2.4.58 - suexec issue

[j...@k6ccc.org]

2.4.59 was released a few days ago to address these...

Jim




-Original Message-
From: "Christophe JAILLET" 
Sent: Monday, April 8, 2024 13:26
To: users@httpd.apache.org, "Abdullah Adnan" 
Subject: [users@httpd] Re: Apache server v2.4.58 - suexec issue

Le 07/04/2024 à 19:55, Abdullah Adnan a écrit :
> Good day dears,
> 
> Recently we have installed Apache server v2.4.58 in our CentOS 9, when 
> make vulnerability scan with Nessus on the server the Nessus shows this 
> vulnerability:
> 
> The remote host appears to be running Apache and is potentially
> 
> affected by the following vulnerabilities:
> 
>    - Multiple race conditions exist in suexec between the
> 
>      validation and usage of directories and files. Under
> 
>      certain conditions local users are able to escalate
> 
>      privileges and execute arbitrary code through the
> 
>      renaming of directories or symlink attacks.
> 
>      (CVE-2007-1741)
> 
>    - Apache's suexec module only performs partial
> 
>      comparisons on paths, which could result in privilege
> 
>      escalation. (CVE-2007-1742)
> 
>    - Apache's suexec module does not properly verify user
> 
>      and group IDs on the command line. When the '/proc'
> 
>      filesystem is mounted, a local user can utilize suexec
> 
>      to escalate privileges. (CVE-2007-1743)
> 
> Note that this plugin only checks for the presence of Apache, and does
> 
> not actually check the configuration.

Hi,

looking at theses CVE, they all include "the vendor disputes the issue 
because "the attacks described rely on an insecure server configuration" 
in which the user "has write access to the document root.""

So considering them as security issues is up to you.

> 
> So we need your support to disable suexec in the server.

Disabling a module in Apache looks like a really basic task.
(just comment the corresponding line in the conf file)

CJ

> 
> Thanks,
> 
> Best regards
> 
>   
> 
> *Abdullah Adnan *
> 
> *IT System Administrator|**Arab Payment Services*
> 
> Mobile:   00964-7735387734
> 
> Ext.:   74
> 
> Email: a.ad...@aps.iq 
> 
> Skype:  Abdullah Adnan
> 
> Website: www.aps.iq 
> 
> Address:Iraq *| *Baghdad*| *Abu Nuwas*| *District (102) *|*Street (26) 
> *|*BLDG.(13/66)
> 


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Apache server v2.4.58 - suexec issue

[Christophe JAILLET]

Le 07/04/2024 à 19:55, Abdullah Adnan a écrit :

Good day dears,

Recently we have installed Apache server v2.4.58 in our CentOS 9, when 
make vulnerability scan with Nessus on the server the Nessus shows this 
vulnerability:


The remote host appears to be running Apache and is potentially

affected by the following vulnerabilities:

   - Multiple race conditions exist in suexec between the

     validation and usage of directories and files. Under

     certain conditions local users are able to escalate

     privileges and execute arbitrary code through the

     renaming of directories or symlink attacks.

     (CVE-2007-1741)

   - Apache's suexec module only performs partial

     comparisons on paths, which could result in privilege

     escalation. (CVE-2007-1742)

   - Apache's suexec module does not properly verify user

     and group IDs on the command line. When the '/proc'

     filesystem is mounted, a local user can utilize suexec

     to escalate privileges. (CVE-2007-1743)

Note that this plugin only checks for the presence of Apache, and does

not actually check the configuration.


Hi,

looking at theses CVE, they all include "the vendor disputes the issue 
because "the attacks described rely on an insecure server configuration" 
in which the user "has write access to the document root.""


So considering them as security issues is up to you.



So we need your support to disable suexec in the server.


Disabling a module in Apache looks like a really basic task.
(just comment the corresponding line in the conf file)

CJ



Thanks,

Best regards



*Abdullah Adnan *

*IT System Administrator|**Arab Payment Services*

Mobile:   00964-7735387734

Ext.:   74

Email: a.ad...@aps.iq 

Skype:  Abdullah Adnan

Website: www.aps.iq 

Address:Iraq *| *Baghdad*| *Abu Nuwas*| *District (102) *|*Street (26) 
*|*BLDG.(13/66)





-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Request for Assistance: Apache mod_slotmem_shm POC

[Sarkar Tarun Kumar (ETAS-SEC/XPC-Bo1)]

Dear Members,

I hope this email finds you well. I am currently working on a Proof of Concept 
(POC) project where I aim to utilize Apache's mod_slotmem_shm module for 
caching data in the shared memory of Apache and subsequently accessing this 
cached data across all Apache workers. However, I have encountered some 
challenges and would greatly appreciate your assistance in resolving them.

Specifically, I am attempting to implement the functionalities described in the 
mod_slotmem_shm documentation found at the following link: 
https://httpd.apache.org/docs/trunk/mod/mod_slotmem_shm.html

My objective is to create a POC that demonstrates the effective caching of data 
within Apache shared memory and its retrieval across multiple Apache worker 
processes.

I have already reviewed the documentation provided by Apache, but I am facing 
difficulties in correctly implementing the functionality in my environment.

Below are some specific areas where I am seeking assistance:


  1.  Initialization and configuration of mod_slotmem_shm within Apache.
  2.  Writing code to cache data in the shared memory using mod_slotmem_shm.
  3.  Retrieving cached data from the shared memory across multiple Apache 
worker processes.

If any of you have experience or expertise in working with mod_slotmem_shm or 
have implemented similar solutions in the past, I would greatly appreciate any 
guidance, code examples, or best practices that you can share.

Additionally, if there are any specific configurations, considerations, or 
potential pitfalls that I should be aware of when working with mod_slotmem_shm, 
I would be grateful for your insights.

Thank you very much for taking the time to read this email, and I look forward 
to any assistance or advice you can provide.

Mit freundlichen Grüßen / Best regards

Tarun Kumar Sarkar

Cross-Functional People and Competence - People Lead Bochum (ETAS-SEC/XPC-Bo1)
Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY | 
www.bosch.com
Tel. +49 234 43870-308 | Mobile +49 172 6994124 | Fax +49 234 43870-211 | 
tarunkumar.sar...@etas.com

Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart, HRB 
14000;
Chairman of the Supervisory Board: Prof. Dr. Stefan Asenkerschbaumer;
Managing Directors: Dr. Stefan Hartung, Dr. Christian Fischer, Dr. Markus 
Forschner,
Stefan Grosch, Dr. Markus Heyn, Dr. Frank Meyer, Dr. Tanja Rückert
​

[users@httpd] Apache server v2.4.58 - suexec issue

[Abdullah Adnan]

Good day dears,

Recently we have installed Apache server v2.4.58 in our CentOS 9, when make 
vulnerability scan with Nessus on the server the Nessus shows this 
vulnerability:

The remote host appears to be running Apache and is potentially
affected by the following vulnerabilities:

  - Multiple race conditions exist in suexec between the
validation and usage of directories and files. Under
certain conditions local users are able to escalate
privileges and execute arbitrary code through the
renaming of directories or symlink attacks.
(CVE-2007-1741)

  - Apache's suexec module only performs partial
comparisons on paths, which could result in privilege
escalation. (CVE-2007-1742)

  - Apache's suexec module does not properly verify user
and group IDs on the command line. When the '/proc'
filesystem is mounted, a local user can utilize suexec
to escalate privileges. (CVE-2007-1743)

Note that this plugin only checks for the presence of Apache, and does
not actually check the configuration.

So we need your support to disable suexec in the server.

Thanks,


Best regards


[cid:image001.jpg@01DA892D.DD9ABC10]

Abdullah Adnan

IT System Administrator | Arab Payment Services


Mobile:   00964-7735387734
Ext.:   74

Email:a.ad...@aps.iq

Skype:   Abdullah Adnan

Website: www.aps.iq

Address: Iraq | Baghdad | Abu Nuwas | District (102) | Street (26) | 
BLDG.(13/66)

Re: [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response splitting

[Otis Dewitt - NOAA Affiliate]

https://nvd.nist.gov/vuln/detail/CVE-2023-38909

MEDIUM

Otis DeWitt
Contractor with Concept Plus, LLC in support of
NOAA Fisheries NMFS / ST6  |  U.S. Department of Commerce
Office: ‪(302) 648-7481 | otis.dew...@noaa.gov


"If there is no struggle, there is no progress."



On Thu, Apr 4, 2024 at 1:46 PM Mcalexander, Jon J.
 wrote:

> Is there a severity level for this one?
>
>
>
> *Dream * Excel * Explore * Inspire*
>
> Jon McAlexander
>
> Senior Infrastructure Engineer
>
> Asst. Vice President
>
> He/His
>
>
>
> Middleware Product Engineering
>
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
>
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
>
> Tel 515-988-2508 | Cell 515-988-2508
>
>
>
> jonmcalexan...@wellsfargo.com
>
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose, or take any action based on this message
> or any information herein. If you have received this message in error,
> please advise the sender immediately by reply e-mail and delete this
> message. Thank you for your cooperation.
>
>
>
> *From:* Eric Covener 
> *Sent:* Thursday, April 4, 2024 8:57 AM
> *To:* annou...@apache.org; users@httpd.apache.org
> *Subject:* [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP
> response splitting
>
>
>
> Affected versions: - Apache HTTP Server through 2. 4. 58 Description:
> Faulty input validation in the core of Apache allows malicious or
> exploitable backend/content generators to split HTTP responses. This issue
> affects Apache HTTP Server: through
>
>
>
> Affected versions:
>
>
>
> - Apache HTTP Server through 2.4.58
>
>
>
> Description:
>
>
>
> Faulty input validation in the core of Apache allows malicious or exploitable 
> backend/content generators to split HTTP responses.
>
>
>
> This issue affects Apache HTTP Server: through 2.4.58.
>
>
>
> Credit:
>
>
>
> Orange Tsai (@orange_8361) from DEVCORE (finder)
>
>
>
> References:
>
>
>
> https://urldefense.com/v3/__https://httpd.apache.org/__;!!F9svGWnIaVPGSwU!vZWSYGByQMPoLmzn8sQqALUlF4E_iHa0hd7NgWXP1J4iQbaHarWSmsrOM-tWew_I3iuHcgPO7FOZTp1zBvVc3Bys$
>  
> 
>
> https://urldefense.com/v3/__https://www.cve.org/CVERecord?id=CVE-2023-38709__;!!F9svGWnIaVPGSwU!vZWSYGByQMPoLmzn8sQqALUlF4E_iHa0hd7NgWXP1J4iQbaHarWSmsrOM-tWew_I3iuHcgPO7FOZTp1zBt4tO_xM$
>  
> 
>
>
>
>
>
> -
>
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
>

RE: [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response splitting

[Mcalexander, Jon J.]

Is there a severity level for this one?

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

From: Eric Covener 
Sent: Thursday, April 4, 2024 8:57 AM
To: annou...@apache.org; users@httpd.apache.org
Subject: [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response 
splitting

Affected versions: - Apache HTTP Server through 2. 4. 58 Description: Faulty 
input validation in the core of Apache allows malicious or exploitable 
backend/content generators to split HTTP responses. This issue affects Apache 
HTTP Server: through




Affected versions:



- Apache HTTP Server through 2.4.58



Description:



Faulty input validation in the core of Apache allows malicious or exploitable 
backend/content generators to split HTTP responses.



This issue affects Apache HTTP Server: through 2.4.58.



Credit:



Orange Tsai (@orange_8361) from DEVCORE (finder)



References:



https://urldefense.com/v3/__https://httpd.apache.org/__;!!F9svGWnIaVPGSwU!vZWSYGByQMPoLmzn8sQqALUlF4E_iHa0hd7NgWXP1J4iQbaHarWSmsrOM-tWew_I3iuHcgPO7FOZTp1zBvVc3Bys$

https://urldefense.com/v3/__https://www.cve.org/CVERecord?id=CVE-2023-38709__;!!F9svGWnIaVPGSwU!vZWSYGByQMPoLmzn8sQqALUlF4E_iHa0hd7NgWXP1J4iQbaHarWSmsrOM-tWew_I3iuHcgPO7FOZTp1zBt4tO_xM$





-

To unsubscribe, e-mail: 
users-unsubscr...@httpd.apache.org

For additional commands, e-mail: 
users-h...@httpd.apache.org

[users@httpd] CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules

[Eric Covener]

Severity: low

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.58

Description:

HTTP Response splitting in multiple modules in Apache HTTP Server allows an 
attacker that can inject malicious response headers into backend applications 
to cause an HTTP desynchronization attack.

Users are recommended to upgrade to version 2.4.59, which fixes this issue.

Credit:

Keran Mu, Tsinghua University and Zhongguancun Laboratory. (finder)
Jianjun Chen, Tsinghua University and Zhongguancun Laboratory. (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-24795

Timeline:

2023-09-06: Reported to security team


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response splitting

[Eric Covener]

Affected versions:

- Apache HTTP Server through 2.4.58

Description:

Faulty input validation in the core of Apache allows malicious or exploitable 
backend/content generators to split HTTP responses.

This issue affects Apache HTTP Server: through 2.4.58.

Credit:

Orange Tsai (@orange_8361) from DEVCORE (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-38709


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

[Eric Covener]

Severity: moderate

Affected versions:

- Apache HTTP Server 2.4.17 through 2.4.58

Description:

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 
in order to generate an informative HTTP 413 response. If a client does not 
stop sending headers, this leads to memory exhaustion.

Credit:

Bartek Nowotarski (https://nowotarski.info/)  (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-27316

Timeline:

2024-02-22: Reported to security team


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] HTTPD Github latest release

[Aditya Shastri]

Sounds good. I'll ignore it.

On Wed, Apr 3, 2024 at 10:08 AM Eric Covener  wrote:
>
> On Wed, Apr 3, 2024 at 1:06 PM Aditya Shastri
>  wrote:
> >
> > Hello,
> >
> > One of my pipelines triggered when the github apache httpd tags were
> > created for 2.4.59-rc1-candidate (the next one on the list after the
> > previous 2.4.59) and 2.4.55.
> >
> > I wonder if there was an issue with the 2.4.55 release or if it was
> > created accidentally?
>
> The 2.4.55 tag was inadvertently modified during the 2.4.59 candidate
> processing this morning.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] HTTPD Github latest release

[Eric Covener]

On Wed, Apr 3, 2024 at 1:06 PM Aditya Shastri
 wrote:
>
> Hello,
>
> One of my pipelines triggered when the github apache httpd tags were
> created for 2.4.59-rc1-candidate (the next one on the list after the
> previous 2.4.59) and 2.4.55.
>
> I wonder if there was an issue with the 2.4.55 release or if it was
> created accidentally?

The 2.4.55 tag was inadvertently modified during the 2.4.59 candidate
processing this morning.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] HTTPD Github latest release

[Aditya Shastri]

Hello,

One of my pipelines triggered when the github apache httpd tags were
created for 2.4.59-rc1-candidate (the next one on the list after the
previous 2.4.59) and 2.4.55.

I wonder if there was an issue with the 2.4.55 release or if it was
created accidentally?

The repo in question: https://github.com/apache/httpd/tags

Please let me know.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Out-Of-Office

[Sivaramakrishna Polepalli]

Hello, I will be OOO traveling from 03/28 to 05/06 returning back on 06/07. 
Please expect delays in my email responses.

Please contact Aurus support prodsupp...@aurusinc.com / Yogesh Baviskar 
ybavis...@aurusinc.com  for any support needs.

Thanks
Siva Polepalli
+1 575-404-3272

[users@httpd] Participate in the ASF 25th Anniversary Campaign

[Brian Proffitt]

Hi everyone,

As part of The ASF’s 25th anniversary campaign[1], we will be celebrating
projects and communities in multiple ways.

We invite all projects and contributors to participate in the following
ways:

* Individuals - submit your first contribution:
https://news.apache.org/foundation/entry/the-asf-launches-firstasfcontribution-campaign
* Projects - share your public good story:
https://docs.google.com/forms/d/1vuN-tUnBwpTgOE5xj3Z5AG1hsOoDNLBmGIqQHwQT6k8/viewform?edit_requested=true
* Projects - submit a project spotlight for the blog:
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=278466116
* Projects - contact the Voice of Apache podcast (formerly Feathercast) to
be featured: https://feathercast.apache.org/help/
*  Projects - use the 25th anniversary template and the #ASF25Years hashtag
on social media:
https://docs.google.com/presentation/d/1oDbMol3F_XQuCmttPYxBIOIjRuRBksUjDApjd8Ve3L8/edit#slide=id.g26b0919956e_0_13

If you have questions, email the Marketing & Publicity team at
mark...@apache.org.

Peace,
BKP

[1] https://apache.org/asf25years/

[NOTE: You are receiving this message because you are a contributor to an
Apache Software Foundation project. The ASF will very occasionally send out
messages relating to the Foundation to contributors and members, such as
this one.]

Brian Proffitt
VP, Marketing & Publicity
VP, Conferences