Re: [users@httpd] Apache2 listening on 80(http) and 443(https)
On 04/01/2016 09:00 PM, Brandon L. Wisenburg wrote:
> Hi Everyone!
> I have converted my website to SSL, and I got the virtual host setup
> and SSL working in Apache. When someone uses http://domain.com they
> get a connection refused, because of course the server isn't listening
> on 80, as I have it setup for SSL (443)
>
> How would I make apache listen on http(80), but re-direct anyone that
> hits http to https.
>
> Is it possible to have apache listen on both 80 and 443?

Yes, absolutely. I do this routinely for all my sites. I have a highly compartmentalized configuration but hopefully you'll get the gist of it. This is what I use at the top level for parts-unknown.org:

    Listen 50.250.218.163:80
    Listen 50.250.218.163:443

    Include sites-available/parts-unknown.org-common
    Include sites-available/force-ssl-common
    Include sites-available/parts-unknown.org-log-common

    Include sites-available/parts-unknown.org-common
    Include sites-available/ssl-common
    Include sites-available/parts-unknown.org-log-common

As you can see, I have multiple Listen declarations and multiple virtual hosts. But the real magic (which probably isn't so magical if you actually understand this stuff) is in force-ssl-common:

    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

I don't use SNI basically because I started hosting these sites before SNI was widely available and even when it started becoming widely available it seemed broken (I gather this is no longer the case). I don't know how or if that would change this configuration.

--
David Benfell, Ph.D.
benf...@parts-unknown.org
[users@httpd] file exists, wget succeeds, but firefox gets 404
Hi all,

I haven't a clue what even to think about this. I have a working drupal installation. In its files subdirectory, I have subdirectories which work. Except for this directory:

    % ls -al parts-unknown.org/drupal7/sites/default/files/dissertation-2015/
    total 5664
    drwxr-xr-x    2 www  www      512 Feb 18 22:39 .
    drwxrwxr-x  798 www  www    35328 Feb 18 00:00 ..
    -rw-r--r--    1 www  www  2841671 Nov 20 20:53 2015-11-20-without-markup.pdf
    -rw-r--r--    1 www  www  2734572 Dec 24 09:37 Benfell dissertation.pdf
    -rw-r--r--    1 www  www    86557 Feb 18 22:39 ProQuest.pdf

wget succeeds in downloading files from this directory. But firefox gets a 404. I tested both Benfell dissertation.pdf and ProQuest.pdf.

If it makes any difference, this is FreeBSD:

    10.2-RELEASE-p12
    FreeBSD home-desktop.parts-unknown.org 10.2-RELEASE-p9 FreeBSD 10.2-RELEASE-p9 #0: Thu Jan 14 01:32:46 UTC 2016 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

Thanks!

--
David Benfell, Ph.D.
benf...@parts-unknown.org

To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, Jun 06, 2014 at 09:21:20AM -0500, Tom Browder wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder tom.brow...@gmail.com wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH. However, when I run my sites against web site
> > analyzers they always suggest turning on compression. So what is the
> > consensus?
>
> Ping! Anyone?

The site that seems authoritative for testing SSL is https://www.ssllabs.com/ssltest/

--
David Benfell
benf...@parts-unknown.org
See https://parts-unknown.org/node/2 if you don't understand the attachment.
Re: [users@httpd] undefined symbol: apr_crypto_init
On Thu, Apr 10, 2014 at 06:07:53PM -0600, Jeff Trawick wrote:
> On Thu, Apr 10, 2014 at 3:33 PM, David Benfell
>
> I unfortunately missed your clear, earlier statement that you are using the provided RPM specs which install apr + apr-util as system libraries. IMO that is not a good idea for most people, in case you want to install arbitrary software from your system package repository and have it use the apr + apr-util it is built with and at the same time have your httpd use the apr + apr-util you selected for that particular purpose. I don't use the RPM builds myself, never install into system directories, and don't really know what the considerations are. Sorry.

I think more seriously, I was trying to get too far ahead of my distribution (Contabo 6.5). This became apparent when, having found a way around this problem, I tackled php. Recall that modules, including the one for php, need to be rebuilt for the new version of apache. Taking this on, I rapidly found even more ratholes. I decided it was time for a distribution change.

I apologize for my delay in responding to this message. I'm now running on Fedora 20, which comes with apache 2.4. But, just at the stage where I lose mail every time, this seems to be going fairly smoothly. (We'll see when I try sending this message.)

I have encountered problems on Fedora, but I think they're related to Fedora's packaging. And I'm trying to get a question in on their community about it. (Their forum server seems to have gone down.)

snip

> Same error as before, or something different? Can you copy and paste the exact message?

It was the same error.

> I don't think your current LD_LIBRARY_PATH actually changes anything.

A reasonable suspicion. I'm unable to test it now. Sorry.

> > I'm thinking I ought to be able to substitute apachectl for the start script with a symbolic link. Would this work? Any reason I shouldn't?
>
> Where did you get /etc/init.d/httpd? Is that from an RPM build you did of httpd 2.4?

Yes, incredibly, the spec file seems to do everything including instructing rpmbuild how to build that script. Was I surprised? Yes. But it seems to me to be a strong argument in general for using rpmbuild. That is, if you aren't trying to get too far ahead of your distribution. CentOS 6.5 is just too 'stable' and this isn't the only security-related issue I've had with it (I want Apache 2.4 for perfect forward secrecy).

--
David Benfell
benf...@parts-unknown.org
See https://parts-unknown.org/node/2 if you don't understand the attachment.
[users@httpd] undefined symbol: apr_crypto_init
Hi all,

I gather this is an apr-util problem: At apache 2.4 startup, I get

    undefined symbol: apr_crypto_init

I built apr-util with rpmbuild. I checked the .spec file and it *does* specify the crypto option (and the other options for ssl and nss that seem to be related).

(I hope) I'm so close to finding my way through this upgrade from 2.2. But I'm not finding anything helpful (at least at 3:30 in the morning). What do I need to do?

Thanks!

--
David Benfell
benf...@parts-unknown.org
See https://parts-unknown.org/node/2 if you don't understand the attachment.
Re: [users@httpd] Apache 2.4 - non adoption reasons??
On Thu, Apr 10, 2014 at 12:43:17PM -0500, Joey J wrote:
> Apache 2.4 has had a stable release out for over 2 years but is only used by 2.5% of active Apache sites. Why is the adoption so low?? The Apache foundation has been recommending upgrading to 2.4 for some time and looking at the improvements I see significant value in several. I don't see any reason why anybody wouldn't want to use it but the community seems to think it's bad.

I'm actually fighting my way through this upgrade now. It's not that I think 2.4 is bad. Not at all. It's just that the upgrade is difficult and I have other things I need to be working on.

--
David Benfell
benf...@parts-unknown.org
See https://parts-unknown.org/node/2 if you don't understand the attachment.
Re: [users@httpd] Apache 2.4 - non adoption reasons??
On Thu, Apr 10, 2014 at 12:55:47PM -0600, Eric Covener wrote:
> Latest GA RHEL, SLES, and LTS ubuntu don't yet include it

Likely because they don't want to put their users through configuration hell. I think the apache folks are assuming that these upgrades are simple. But from what I can see, most people are using recipes for their configurations--that's certainly what I do--because the configuration is too complicated as it is. Upgrading means breakage.

And even if you fight your way through the configuration upgrade, if you run into other problems, as I have, it seems like you're on your own. I may very well be forced to abandon this project because I simply don't know how to fix what's wrong. (See my other pending thread.)

--
David Benfell
benf...@parts-unknown.org
See https://parts-unknown.org/node/2 if you don't understand the attachment.
Re: [users@httpd] undefined symbol: apr_crypto_init
On Thu, Apr 10, 2014 at 01:38:00PM -0600, Eric Covener wrote:
> On Thu, Apr 10, 2014 at 4:35 AM, David Benfell benf...@parts-unknown.org wrote:
> > apr_crypto_init
>
> This phrase alone in a search engine gets you a number of hits saying to upgrade APR.
> http://stackoverflow.com/questions/22048378/undefined-symbol-apr-crypto-init-during-apache-restart

I have done so. It, and apr-util are the latest version.

--
David Benfell
benf...@parts-unknown.org
See https://parts-unknown.org/node/2 if you don't understand the attachment.
Re: [users@httpd] undefined symbol: apr_crypto_init
On Thu, Apr 10, 2014 at 02:14:02PM -0600, Jeff Trawick wrote:
> On Thu, Apr 10, 2014 at 2:05 PM, David Benfell benf...@parts-unknown.org wrote:
> > On Thu, Apr 10, 2014 at 01:38:00PM -0600, Eric Covener wrote:
> > > On Thu, Apr 10, 2014 at 4:35 AM, David Benfell benf...@parts-unknown.org wrote:
> > > > apr_crypto_init
>
> Maybe you built with the up-to-date apr-util (so httpd or some module thinks apr_crypto_init() exists) but an older level apr-util (system-provided?) is being used when you try to start httpd. As a test, try export LD_LIBRARY_PATH=/path/to/new/httpd/lib (or wherever you installed new apr-util) before starting httpd and see if that works.

Progress of a sort: There was definitely some cruft lying about from a previous 2.2 build. I deleted it. I set the environment variable LD_LIBRARY_PATH=/usr/lib64/apr-util-1 and apachectl start at least starts the server (I have other problems but I think they're related to php). /etc/init.d/httpd start does not, even when I set the environment variable in the script right before the line that starts the daemon.

I'm thinking I ought to be able to substitute apachectl for the start script with a symbolic link. Would this work? Any reason I shouldn't?

Thanks!

--
David Benfell
benf...@parts-unknown.org
See https://parts-unknown.org/node/2 if you don't understand the attachment.
[users@httpd] 2.4 authn problem
Hi all,

Thanks especially to the heartbleed bug, I'm trying to make the jump to 2.4. I'm trying to adapt my old 2.2 configuration. I've run into this:

    httpd: Syntax error on line 173 of /usr/local/apache2.4/conf/httpd.conf: Can't locate API module structure `authn_alias_module' in file /usr/local/apache2.4/modules/mod_authn_core.so: /usr/local/apache2.4/modules/mod_authn_core.so: undefined symbol: authn_alias_module

What does it want? I'm definitely no apache guru but this sounds to me like a missing prerequisite. Is that right? What do I need to do?

Thanks!

--
David Benfell
benf...@parts-unknown.org
See https://parts-unknown.org/node/2 if you don't understand the attachment.
Re: [users@httpd] 2.4 authn problem
On Wed, Apr 09, 2014 at 12:07:25AM -0600, Eric Covener wrote:
> On Wed, Apr 9, 2014 at 12:00 AM, David Benfell benf...@parts-unknown.org wrote:
> > Hi all,
>
> It looks like your first and second parameter to LoadModule don't match. Change the second parameter to authn_core_module to match the first.

Thank you! I now have a clean syntax check. And yes, that was an idiot error on just about the level I expected. ;-)

--
David Benfell
benf...@parts-unknown.org
See https://parts-unknown.org/node/2 if you don't understand the attachment.
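
The mismatch diagnosed in this thread (the identifier authn_alias_module paired with mod_authn_core.so) can be caught before a restart. The following is an added example, not part of the original messages: a shell lint that assumes the bundled-module naming convention in which mod_NAME.so exports NAME_module; the function names and the sample configuration lines are constructed for illustration.

```shell
#!/bin/sh
# check_loadmodule FILE
# Flags "LoadModule IDENT path/mod_NAME.so" lines where IDENT is not NAME_module.
# Assumption: the mod_NAME.so <-> NAME_module naming used by httpd's bundled
# modules; files named differently (third-party modules) are skipped, not judged.
check_loadmodule() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # directives may be indented
            n = split(line, word, /[ \t]+/)
            # directive names are case-insensitive
            if (n < 3 || tolower(word[1]) != "loadmodule") next
            ident = word[2]
            base = word[3]
            sub(/^.*\//, "", base)                   # drop the directory part
            if (base !~ /^mod_.+\.so$/) next         # outside the convention
            sub(/^mod_/, "", base)
            sub(/\.so$/, "", base)
            if (ident != (base "_module"))
                printf "line %d: %s does not match mod_%s.so (expected %s_module)\n",
                       NR, ident, base, base
        }' "$1"
}

# Constructed sample: line 2 reproduces the pairing from the error in this thread.
write_sample_conf() {
    conf=$(mktemp) || return 1
    printf '%s\n' \
        'LoadModule authn_file_module modules/mod_authn_file.so' \
        'LoadModule authn_alias_module modules/mod_authn_core.so' \
        '  loadmodule ssl_module modules/mod_ssl.so' \
        'LoadModule php5_module modules/libphp5.so' > "$conf"
    printf '%s\n' "$conf"
}

sample=$(write_sample_conf)
check_loadmodule "$sample"
rm -f "$sample"
```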
Re: [users@httpd] Apache won't start, strace output enclosed
On 01/16/2014 11:46 PM, Mathijs Schmittmann wrote:
> - Original Message -
> > Hi all,
> >
> > Ack! This is apache 2.2.25 compiled from source but on a CentOS 6.5 system. Notably, I included all modules in the build.
>
> You might want to start to build with a minimal set of modules, to exclude any of them from being the cause. Why did you compile with all modules to start with?

This is a build that *was* working. I've been using it--I see (see below) since December.

> > I was trying to add a subdomain, ran into memory allocation problems and so tweaked the settings accordingly. Here are the current settings and I have no idea how sensible they are:
> >
> >     <IfModule prefork.c>
> >     StartServers 4
> >     MinSpareServers 4
> >     MaxSpareServers 64
> >     ServerLimit 512
> >     MaxClients 512
> >     MaxRequestsPerChild 512
> >     </IfModule>
> >
> >     <IfModule worker.c>
> >     StartServers 4
> >     MaxClients 512
> >     MinSpareThreads 32
> >     MaxSpareThreads 64
> >     ThreadsPerChild 16
> >     MaxRequestsPerChild 0
> >     </IfModule>
>
> This depends on which MPM you are currently running, see your httpd -V output for this information. Obviously the specific settings will be different in each usecase, depending on load and resources available.

This returns:

    Server version: Apache/2.2.25 (Unix)
    Server built: Dec 2 2013 08:47:03
    Server's Module Magic Number: 20051115:33
    Server loaded: APR 1.4.8, APR-Util 1.5.2
    Compiled using: APR 1.4.8, APR-Util 1.5.2
    Architecture: 64-bit
    Server MPM: Prefork
    threaded: no
    forked: yes (variable process count)
    Server compiled with
    -D APACHE_MPM_DIR=server/mpm/prefork
    -D APR_HAS_SENDFILE
    -D APR_HAS_MMAP
    -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
    -D APR_USE_SYSVSEM_SERIALIZE
    -D APR_USE_PTHREAD_SERIALIZE
    -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
    -D APR_HAS_OTHER_CHILD
    -D AP_HAVE_RELIABLE_PIPED_LOGS
    -D DYNAMIC_MODULE_LIMIT=128
    -D HTTPD_ROOT=/usr/local/apache2
    -D SUEXEC_BIN=/usr/local/apache2/bin/suexec
    -D DEFAULT_PIDLOG=logs/httpd.pid
    -D DEFAULT_SCOREBOARD=logs/apache_runtime_status
    -D DEFAULT_LOCKFILE=logs/accept.lock
    -D DEFAULT_ERRORLOG=logs/error_log
    -D AP_TYPES_CONFIG_FILE=conf/mime.types
    -D SERVER_CONFIG_FILE=conf/httpd.conf

So I can ditch the worker section?

> The last write call shows that its logging an error to the errorlog, are you sure you have looked at the right errorlog? You might want to try to 'strace -s 4096 ...' so the entire message is captured in the trace.

Thanks for the strace trick:

    = 0
    munmap(0x7fbfdc208000, 4096) = 0
    write(43, [Thu Jan 16 23:57:11 2014] [error] Unable to configure verify locations for client authentication\n, 98) = 98
    exit_group(1) = ?

I gather this is an SSL problem. Here is the section of that configuration that is changed. It is a new certificate (that includes the new subdomain):

    Include /etc/httpd/conf/sites-available/all-ssl-common
    SSLCertificateFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.crt
    SSLCertificateKeyFile /big/www/ssl/parts-unknown.org/munich/parts-unknown.org.key
    SSLCertificateChainFile /big/www/ssl/parts-unknown.org/munich/sub.class2.server.ca.pem
    SSLCACertificateFile /big/www/ssl/parts-unknown.org/munich/ca.pem

These files all exist. all-ssl-common is unchanged. It contains:

    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
    SSLHonorCipherOrder on
    SSLCompression Off
    #SSLCipherSuite RC4-SHA:HIGH:!ADH
    SSLInsecureRenegotiation off
    SSLOptions StdEnvVars
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Thanks!

--
David Benfell
see https://parts-unknown.org/node/2 if you don't understand the attachment
[users@httpd] Apache won't start, strace output enclosed
Hi all,

Ack! This is apache 2.2.25 compiled from source but on a CentOS 6.5 system. Notably, I included all modules in the build.

I was trying to add a subdomain, ran into memory allocation problems and so tweaked the settings accordingly. Here are the current settings and I have no idea how sensible they are:

    <IfModule prefork.c>
    StartServers 4
    MinSpareServers 4
    MaxSpareServers 64
    ServerLimit 512
    MaxClients 512
    MaxRequestsPerChild 512
    </IfModule>

    <IfModule worker.c>
    StartServers 4
    MaxClients 512
    MinSpareThreads 32
    MaxSpareThreads 64
    ThreadsPerChild 16
    MaxRequestsPerChild 0
    </IfModule>

Now it won't start at all and writes nothing to the error log. So I managed to get strace going on it. These are the last few lines of the output:

    open(/etc/localtime, O_RDONLY) = 82
    fstat(82, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
    fstat(82, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fce20292000
    read(82, TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0..., 4096) = 2819
    lseek(82, -1802, SEEK_CUR) = 1017
    read(82, TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0..., 4096) = 1802
    close(82) = 0
    munmap(0x7fce20292000, 4096) = 0
    write(43, [Thu Jan 16 19:49:38 2014] [erro..., 98) = 98
    exit_group(1)

As you might imagine, I'm in a bit of a panic. What's going wrong?

Thanks!

--
David Benfell
see https://parts-unknown.org/node/2 if you don't understand the attachment
Re: [users@httpd] undefined reference to tls client method
On 11/30/2013 04:51 AM, Igor Cicimov wrote:
> Hi David,
>
> I have exactly the same problem on CentOS-5.10 with openssl1.0.1e. It seems you are indicating your openssl installation from source went wrong somewhere. This is how I compiled and installed openssl from source:
>
>     $ ./Configure --prefix=/usr/local --openssldir=/usr/local/openssl enable-tlsext linux-x86_64 threads zlib enable-idea enable-rc5 enable-mdc2 enable-ec shared
>     $ make depend
>     $ make
>     $ sudo make install
>
> still apache ab tool seems linking to wrong library during compile although I have given --with-ssl=/usr/local/openssl as location in the configure step.
>
> Can you provide more details on how did you exactly solve the problem?

I have it posted here: https://disunitedstates.org/wiki/index.php/Openssl

To build openssl, I do:

    ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib64
    make
    make test
    sudo make install

This overwrites the CentOS version and you will want to tell yum to ignore openssl.

--
David Benfell
see https://parts-unknown.org/node/2 if you don't understand the attachment
[users@httpd] undefined reference to tls client method
Hi all,

I'm trying to build apache-2.2.25 and I'm getting:

    .libs/ab.o: In function `main':
    /home/benfell/httpd-2.2.25/support/ab.c:2239: undefined reference to `TLSv1_1_client_method'
    /home/benfell/httpd-2.2.25/support/ab.c:2241: undefined reference to `TLSv1_2_client_method'

My ./configure line is pretty simple, just because I haven't really figured it out:

    ./configure --enable-modules=all --enable-ssl

What am I missing?

Thanks!

--
David Benfell
benf...@parts-unknown.org
Normally you should expect a GnuPG signature: https://parts-unknown.org/node/2 But this mailer does not support it.
Re: [users@httpd] undefined reference to tls client method
Hi Aurélien,

On 2013-11-01 02:48, Aurélien Terrestris wrote:
> Check that you have openssl and openssl-devel installed on your server :
> rpm -qa | grep 'openssl'
> If not, install them (sudo yum install -y openssl openssl-devel)

(Interesting that you figured out I'm running an RPM-based system ;-))

I built openssl from source. I'm trying to get TLS 1.2 working, which the old and crufty openssl on Centos 6.4 doesn't do. Do I need to do something different to get the development libraries in place?

Thanks!

> 2013/11/1 David Benfell benf...@mail.parts-unknown.org:
> > Hi all,
> >
> > I'm trying to build apache-2.2.25 and I'm getting:
> >
> >     .libs/ab.o: In function `main':
> >     /home/benfell/httpd-2.2.25/support/ab.c:2239: undefined reference to `TLSv1_1_client_method'
> >     /home/benfell/httpd-2.2.25/support/ab.c:2241: undefined reference to `TLSv1_2_client_method'
> >
> > My ./configure line is pretty simple, just because I haven't really figured it out:
> >
> >     ./configure --enable-modules=all --enable-ssl
> >
> > What am I missing?
> >
> > Thanks!

--
David Benfell
benf...@parts-unknown.org
Normally you should expect a GnuPG signature: https://parts-unknown.org/node/2 But this mailer does not support it.
Re: [users@httpd] undefined reference to tls client method
On 2013-11-01 03:32, Pete Houston wrote:
> Hello David,
>
> On Fri, Nov 01, 2013 at 03:21:35AM -0700, David Benfell wrote:
> > I built openssl from source. I'm trying to get TLS 1.2 working, which the old and crufty openssl on Centos 6.4 doesn't do. Do I need to do something different to get the development libraries in place?
>
> Since it is the build of ab which fails to link to client methods, did you correctly build and deploy these with your build of openssl? If so, you may just need to tell the linker where they are.

I'm not seeing a lot of options where I could have gone wrong (which maybe means I missed something horrendous). I repeated 'make test' there and saw that it did TLSv1.2 tests. And 'make test' completes okay.

> Try a standalone test of a TLSv1.2 client method with openssl to see if you have built these features correctly.

Okay, stupid question time: How do I do this? I tried:

    openssl s_client -connect gmail.com:443

This, among other verbiage, seemed to indicate it was using a protocol of TLSv1.2.

> If it works, just pass the lib locations on your apache ./configure line (probably using --with-ssl=DIR).

That would seem to be --with-ssl=/usr/include/openssl , which has lots of fresh .h files. I don't see anything remotely relevant in /usr/lib .

> OTOH, if it fails, you'll probably have to revisit your build of openssl.
>
> HTH,
> Pete

--
David Benfell
benf...@parts-unknown.org
Normally you should expect a GnuPG signature: https://parts-unknown.org/node/2 But this mailer does not support it.
[users@httpd] SOLVED Re: [users@httpd] undefined reference to tls client method
On 2013-11-01 04:12, David Benfell wrote:
> On 2013-11-01 03:32, Pete Houston wrote:
> > OTOH, if it fails, you'll probably have to revisit your build of openssl.

Actually, even though the test passed, I needed to revisit the build of openssl. The big ugly question is where in (insert obscenity of your choice) libcrypto* went. I still don't know the default answer to that, but it should be specified to the right location in the build (in my case, ./config --lib=lib64). A decent clue as to how this needs to be done can be found on the LinuxFromScratch site.

Thanks!

--
David Benfell
benf...@parts-unknown.org
Normally you should expect a GnuPG signature: https://parts-unknown.org/node/2 But this mailer does not support it.
[users@httpd] Apache insists on binding to *all* addresses even though Listen directives specify specific ip addresses
Hi all,

I've run into a problem. First things first:

    [root@munich ~]# cat /etc/issue
    CentOS release 6.4 (Final)
    Kernel \r on an \m

    [root@munich ~]# uname -a
    Linux munich 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

    [root@munich]/etc/httpd/conf# yum list httpd
    Loaded plugins: fastestmirror, security
    Loading mirror speeds from cached hostfile
    Excluding mirror: mirror.de.leaseweb.net
     * base: ftp-stud.fht-esslingen.de
    Excluding mirror: mirror.de.leaseweb.net
    Excluding mirror: mirror.nl.leaseweb.net
     * epel: mirrors.n-ix.net
     * extras: centos.mirror.linuxwerk.com
     * remi: mirror5.layerjet.com
    Excluding mirror: mirror.de.leaseweb.net
    Excluding mirror: centos.copahost.com
     * updates: ftp.plusline.de
    Installed Packages
    httpd.x86_64 2.2.15-29.el6.centos @updates

The choice of an earlier version of Centos was meant to accommodate zimbra, which it seems to be doing nicely. But now I'm trying to bring up my old web services on selected IP addresses and ports. I've confirmed that zimbra is not occupying the address/port combinations.

I have numerous Listen directives to accomplish this:

    [root@munich ~]# grep -r ^Listen /etc/httpd/
    /etc/httpd/conf/sites-enabled/greybeard95a.com:Listen 91.205.174.233:80
    /etc/httpd/conf/sites-enabled/greybeard95a.com:Listen 91.205.174.233:443
    /etc/httpd/conf/sites-enabled/n4rky.me:Listen 91.205.174.234:80
    /etc/httpd/conf/sites-enabled/n4rky.me:Listen 91.205.174.234:443
    /etc/httpd/conf/sites-enabled/cybernude.org:Listen 91.205.174.230:80
    /etc/httpd/conf/sites-enabled/cybernude.org:Listen 91.205.174.230:443
    /etc/httpd/conf/sites-enabled/parts-unknown.org:Listen 193.34.144.104:80
    /etc/httpd/conf/sites-enabled/parts-unknown.org:Listen 193.34.144.104:443
    /etc/httpd/conf/sites-enabled/disunitedstates.com:Listen 91.205.174.231:80
    /etc/httpd/conf/sites-enabled/disunitedstates.com:Listen 91.205.174.231:443
    /etc/httpd/conf/sites-enabled/disunitedstates.org:Listen 91.205.174.232:80
    /etc/httpd/conf/sites-enabled/disunitedstates.org:Listen 91.205.174.232:443

(some matches elided)

The sites-enabled directory is Included like so:

    [root@munich ~]# grep -r sites-enabled /etc/httpd
    /etc/httpd/conf/httpd.conf:Include /etc/httpd/conf/sites-enabled/

And it contains:

    [root@munich ~]# ls -al /etc/httpd/conf/sites-enabled/
    total 8
    drwxr-xr-x 2 root root 4096 Sep 23 15:31 .
    drwxr-xr-x 4 root root 4096 Sep 23 15:31 ..
    lrwxrwxrwx 1 root root 32 Sep 21 21:35 cybernude.org -> ../sites-available/cybernude.org
    lrwxrwxrwx 1 root root 38 Sep 21 21:35 disunitedstates.com -> ../sites-available/disunitedstates.com
    lrwxrwxrwx 1 root root 38 Sep 21 21:35 disunitedstates.org -> ../sites-available/disunitedstates.org
    lrwxrwxrwx 1 root root 35 Sep 21 21:35 greybeard95a.com -> ../sites-available/greybeard95a.com
    lrwxrwxrwx 1 root root 27 Sep 21 21:35 n4rky.me -> ../sites-available/n4rky.me
    lrwxrwxrwx 1 root root 36 Sep 21 21:35 parts-unknown.org -> ../sites-available/parts-unknown.org

Folks who are familiar with the Debian/Ubuntu set-up will recognize the layout. I originally created this many years ago and have preserved it across numerous installations on various distributions.

When I try to start apache, I get:

    [root@munich]/etc/httpd/conf# /etc/init.d/httpd start
    Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443
    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
    no listening sockets available, shutting down
    Unable to open logs
    [FAILED]

It does not seem to be listening to my Listen directives with respect to port 443 and instead is attempting to open every address on the system. This is a *very* *bad* thing for it to attempt to do.

What am I missing?

Thanks!

--
David Benfell
My mail is usually signed cryptographically, but from Zimbra, it generally will not be. Please see https://parts-unknown.org/node/2 for more information.
Re: [users@httpd] Apache insists on binding to *all* addresses even though Listen directives specify specific ip addresses
Hi Yehuda,

You had written:
> ...(I am not a grep expert, but you might miss a line that has a space before the Listen directive).

This turned out to be at least close. It wasn't something I had done, but rather something I had overlooked that was left over from the package installation. A file called ssl.conf that had been included and that did a blanket Listen 443. :facepalm.

Thanks! Now I can move on to the next problem

--
David Benfell
My mail is usually signed cryptographically, but from Zimbra, it generally will not be. Please see https://parts-unknown.org/node/2 for more information.
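
One way to make a blanket `Listen 443` like the one in the packaged ssl.conf stand out among address-specific directives, without missing indented or lower-case ones, is sketched below. This is an added example, not part of the original thread; the function names, the 192.0.2.10 address and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# find_wildcard_listens DIR
# Reports Listen directives that bind every address: a bare port ("Listen 443")
# or a wildcard host ("*", "0.0.0.0", "[::]"). Directive names are
# case-insensitive and may be indented, so an anchored "^Listen" grep can miss
# them. Every regular file under DIR is scanned whether or not httpd Includes
# it, so treat hits as candidates to check against the Include lines.
find_wildcard_listens() {
    find "$1" -type f | sort | while IFS= read -r conf; do
        awk -v file="$conf" '
            {
                line = $0
                sub(/^[ \t]+/, "", line)          # allow indentation
                if (line ~ /^#/) next             # skip commented-out lines
                n = split(line, word, /[ \t]+/)
                if (n < 2 || tolower(word[1]) != "listen") next
                addr = word[2]
                if (addr ~ /^[0-9]+$/ || addr ~ /^\*:/ ||
                    addr ~ /^0\.0\.0\.0:/ || addr ~ /^\[::\]:/)
                    printf "%s:%d: %s\n", file, NR, line
            }' "$conf"
    done
}

# Constructed sample tree (not the poster's real files): a per-site file with
# address-specific Listen lines, a packaged conf.d/ssl.conf with a blanket one,
# and an httpd.conf with a commented-out line and a lower-case wildcard.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/conf.d" "$root/conf/sites-available"
    printf '%s\n' 'Listen 192.0.2.10:80' 'Listen 192.0.2.10:443' \
        > "$root/conf/sites-available/example.org"
    printf '%s\n' '# packaged default' \
        'LoadModule ssl_module modules/mod_ssl.so' \
        '  Listen 443' > "$root/conf.d/ssl.conf"
    printf '%s\n' '#Listen 12.34.56.78:80' 'listen *:8080' \
        > "$root/conf/httpd.conf"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
find_wildcard_listens "$tree"
rm -rf "$tree"
```

Run against the real configuration root, for instance `find_wildcard_listens /etc/httpd`, the output is limited to the directives that would produce the `0.0.0.0:443` and `[::]:443` bind attempts shown in the startup error.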