Re: [users@httpd] Re: Serve multiple websites (not sub-domains) from port 80

2022-04-04 Thread Jim Albert

On 4/4/2022 11:16 AM, Eric Covener wrote:

On Mon, Apr 4, 2022 at 11:11 AM A  wrote:

Hi,

I am planning to make changes to Apache web server so that it can serve 
multiple websites (not sub-domains) from port 80.

This will save money for someone who has more than one website. That person 
need not buy more than one hosting plan, one hosting plan will suffice.

Based on the incoming base URL, Apache web server will decide from which 
directory to serve the index file or other files. There will be a user file 
where user can list which website is mapped to which directory.

For example:

abcd:com:/abcd
xyz.com:/xyz

It's hard to interpret what you mean by these examples. What full URL
would your user use and what would the server do with it?




I think an understanding of Apache Virtual Hosts or knowing that they 
exist might help.

https://httpd.apache.org/docs/2.4/vhosts/


--
Jim Albert


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
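The mechanism Jim points at, as an added configuration example (not part of the thread): name-based virtual hosts on one port-80 listener, where httpd picks the `<VirtualHost>` whose ServerName/ServerAlias matches the request's Host header and serves from that DocumentRoot. Hostnames and paths are assumptions. The first vhost is deliberately a catch-all so that a request with no matching name (a raw IP, an unconfigured name) does not silently land in one customer's site.

```apache
# Added example, not from the thread. Hostnames, paths and log locations are
# assumptions; the two site names are the ones from the question.
Listen 80

# The first <VirtualHost> for *:80 is the default: a request whose Host header
# matches no ServerName/ServerAlias is served from here, not from a customer's
# directory.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/default
    <Directory /var/www/default>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName abcd.com
    ServerAlias www.abcd.com
    DocumentRoot /var/www/abcd
    <Directory /var/www/abcd>
        Options -Indexes          # no directory listings
        AllowOverride None        # no .htaccess surprises from site content
        Require all granted
    </Directory>
    ErrorLog  /var/log/httpd/abcd-error.log
    CustomLog /var/log/httpd/abcd-access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName xyz.com
    ServerAlias www.xyz.com
    DocumentRoot /var/www/xyz
    <Directory /var/www/xyz>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog  /var/log/httpd/xyz-error.log
    CustomLog /var/log/httpd/xyz-access.log combined
</VirtualHost>
```

`apachectl -S` prints the resulting name-to-vhost mapping and marks which vhost is the default for each listener; check it after every change, since the default is chosen by order in the config files, not by name.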



Re: [users@httpd] Help Gor básico ( :-) ) rewrite

2022-04-03 Thread Jim Albert

On 4/3/2022 12:34 PM, Aitor Iturriondobeitia wrote:
Hello, I'm new to this topic and I'm finding it difficult. Let's see 
if you can help me please.

I am trying to remove the contextroot from my application.
For example, I have the following URL that calls me:
www.domain.com/REDF00K/form.xhtml 
<http://www.domain.com/REDF00K/form.xhtml>
and I want to eliminate, in the rewrite, the REDF00K leaving 
www.domain.com/form.xhtml <http://www.domain.com/form.xhtml>
in such a way that if they call me to 
www.domain.com/REDF00K/form.xhtml 
<http://www.domain.com/REDF00K/form.xhtml> it would resolve internally 
to www.domain.com/form.xhtml <http://www.domain.com/form.xhtml>

for this I am using

RewriteEngine On
LogLevel debug rewrite:trace3
RewriteRule ^/REDF00K/$ /$1 [R=301,NC,L]

but it's not working for me
Can you help me?

Thank you very much


I think the main issue is you aren't capturing the portion of the 
original URL path that you want to use in the RewriteRule


Try this
RewriteEngine On
RewriteRule ^/REDF00K/(.*)$ /$1 [R=301,NC,L]

I notice in the few places I've used mod_rewrite I have a RewriteCond, 
but I'm not positive if it is necessary. I don't think it is unless 
there's a condition you want to meet outside of the URL path. However, 
If the above doesn't work try:

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/REDF00K/
RewriteRule ^/REDF00K/(.*)$ /$1 [R=301,NC,L]

(note... I didn't test any of this).


--
Jim Albert
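Aitor describes the target as resolving "internally", which is an internal rewrite, whereas the `R=301` flag in both rules above sends the browser an external redirect. Both forms, as an added example (not Jim's or Aitor's config), written for server/virtual-host context; the pattern in an .htaccess file would not have the leading "/".

```apache
# Added example, not from the thread. Server/vhost context: the pattern sees
# the leading "/". In .htaccess the same rule reads ^REDF00K/(.*)$.
RewriteEngine On

# Internal rewrite: /REDF00K/form.xhtml is served as /form.xhtml and the
# address bar does not change. A RewriteCond is only needed for a condition
# outside the path; note that [NC] on the RewriteRule does not apply to the
# RewriteCond, it needs its own [NC] flag.
RewriteCond %{REQUEST_URI} ^/REDF00K/ [NC]
RewriteRule ^/REDF00K/(.*)$ /$1 [NC,L]

# External redirect instead: the browser is told to fetch /form.xhtml itself.
# Use one form or the other for a given path, not both.
# RewriteRule ^/REDF00K/(.*)$ /$1 [R=301,NC,L]
```

With `LogLevel rewrite:trace3` (as in Aitor's config) the error log shows, per request, which rule matched and what the path became, which is the quickest way to see whether the capture group is populated.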


Re: [users@httpd] Apache setup questions

2022-03-25 Thread Jim Albert

On 3/25/2022 10:08 AM, dimitri koshlev wrote:
Hello my college course was talking about Apache servers and I was 
interested in trying to set one up on a Kali Linux virtual machine, 
but after setting it up in the root, and getting the ip, the only 
thing that pops up when I put it in the search bar is a black screen.


Your first step is to find your configuration files... perhaps /etc/httpd
Start reading about DocumentRoot and what your DocumentRoot is set to 
and expand from there.
Find your ErrorLog and understand that important debugging information 
will be contained in your ErrorLog.


Know that important configuration documentation will be located at 
https://httpd.apache.org/


--
Jim Albert





Re: [users@httpd] IP Address restriction not working

2022-01-29 Thread Jim Albert

On 1/29/2022 10:42 PM, Praveen Gattu wrote:
I am trying to setup IP restriction for the phpmyadmin of my site. 
However, it's not working. Here's the apache.conf file for phpmyadmin. 
Any ideas what I am missing?



# phpMyAdmin default Apache configuration

Alias /padm /usr/share/phpmyadmin


    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php

    
        
            AddType application/x-httpd-php .php
        
        
            SetHandler application/x-httpd-php
        

        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir

/usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
        php_admin_value mbstring.func_overload 0
    
    
        
            AddType application/x-httpd-php .php
        
        
            SetHandler application/x-httpd-php
        

        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir

/usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
        php_admin_value mbstring.func_overload 0
    

    # Allowing access only from local IP addresses and the public
address for our home network.
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1 ::1
    Allow from localhost
    Allow from 192.168
    Allow from 
    Satisfy Any



-- Praveen


I'm not sure if your "Satisfy Any " is a problem, but I believe it is 
irrelevant without a "Require" based on the section of configuration listed.
Depending on your version of Apache, you might want to review changes to 
access configs:

https://httpd.apache.org/docs/2.4/upgrading.html
and, if it is a more modern version, check whether mod_access_compat is loaded to provide 
support for old-style access configs, or convert to the new style.


Jim
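Jim's two points, that `Satisfy Any` does nothing without a `Require` and that the Order/Deny/Allow form depends on mod_access_compat in 2.4, as an added example (not Praveen's file) showing the same policy in 2.4 syntax. It assumes the quoted block sits inside the `<Directory /usr/share/phpmyadmin>` container that the stock phpMyAdmin config wraps around the Alias target, and uses a placeholder for the home network's public address.

```apache
# Added example, not Praveen's file. Assumes the quoted block lives inside the
# <Directory /usr/share/phpmyadmin> container; 203.0.113.7 is a placeholder.
Alias /padm /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php

    # 2.2 style, kept for comparison. On 2.4 these directives only exist when
    # mod_access_compat is loaded; without it httpd refuses to start on them.
    # "Satisfy Any" means a client passing EITHER Allow/Deny OR any Require
    # gets in, so with no Require present it changes nothing.
    #Order Deny,Allow
    #Deny from All
    #Allow from 127.0.0.1 ::1
    #Allow from 192.168
    #Satisfy Any

    # 2.4 style: a client must match one of these; everyone else gets 403.
    <RequireAny>
        Require ip 127.0.0.1 ::1
        Require ip 192.168.0.0/16
        Require ip 203.0.113.7
    </RequireAny>
</Directory>
```

`Allow from localhost` has no IP equivalent here on purpose: a host-name rule needs a reverse lookup on every request, and the loopback addresses already cover it. `apachectl -M | grep access_compat` tells you whether the old directives are even being interpreted, and `apachectl -t` catches the syntax error you get when they are not.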


Re: [users@httpd] Source of JSESSIONID Cookie

2022-01-19 Thread Jim Albert

In Chrome you can view cookie details via:
Settings | Security and Privacy | Cookies and other site data | See all 
cookies and site data
There exists a 'Search cookies' feature which should help you find the 
origin of your cookies in question.


Once located you can see if that origin is relevant to the network 
requests as indicated in DevTools.


This might or might not help as your original posts indicates some 
messages of rejected cookies.

It can't hurt to see if you have any record of them in your cookie cache, 
although JSESSIONID sounds like a very common Java-related cookie.

I believe you should see some record of the rejected cookie if you 
examine all the response headers in each subrequest in DevTools (under 
the Network tab). Even if the cookie is rejected there should be an 
attempt to set it visible in the response headers.


Jim


On 1/19/2022 11:24 AM, John wrote:

Thanks for the suggestion Jim.

I checked and it just gets weirder.  The cookies that are being
reported and that seem to be responsible for my problems are arising
in other web pages that might not even be open at the moment.  Some of
them I recognize as belonging to functions that I used earlier today
and seem to be just hanging around.

Not that that excuses them, and I will start a project to update them
to have "samesite" cookies, but some of these pages are over a decade
old and have been in use longer than the samesite attribute.

That said, the JSESSIONID cookie is not one of them and I still don't
know where it is being set or by which page.

Thanks for the help and the knowledge increment!

John
=

On Tue, 2022-01-18 at 18:33 -0500, Jim Albert wrote:

On 1/18/2022 3:36 PM, John wrote:

These are default cookies from somewhere; my code doesn't set or
manage them.


Focusing on this portion of your response:
"These are default cookies from somewhere; my code doesn't set or
manage
them."

... using your browser's Developer Tools (F12), look at the Response
Header to learn more about specific cookies as in what element of
your
request results in the relevant Set-Cookie header.

Jim








Re: [users@httpd] Source of JSESSIONID Cookie

2022-01-18 Thread Jim Albert

On 1/18/2022 3:36 PM, John wrote:

These are default cookies from somewhere; my code doesn't set or
manage them.



Focusing on this portion of your response:
"These are default cookies from somewhere; my code doesn't set or manage 
them."


... using your browser's Developer Tools (F12), look at the Response 
Header to learn more about specific cookies as in what element of your 
request results in the relevant Set-Cookie header.


Jim





Re: [users@httpd] Is it possible to install/configure SSL certificates on a server behind a reverse proxy?

2022-01-13 Thread Jim Albert

With regard to:
reverse proxy --> HTTP --> back-end server
and in respect to the sensitivity of your requests and responses, you 
might want to consider any security implications or if this violates any 
compliance requirements depending on the proximity of your proxy to your 
back-end server. It's likely the proxy -> back-end server stays within a 
very tight environment. However, that request and response is traveling 
some segment of network whether physical or virtual and likely only 
yours, unencrypted or perhaps protected at most by VPN encryption.



On 1/13/2022 5:05 PM, Jeroen Verhoeckx wrote:

Hello Dino / HTH,

Thank you for your very elaborate answer!!

Your 'diagram' made it very clear!
Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS 
requests made by your clients) --> Your internal backend(s) (answer to 
HTTPS requests coming from your proxy).


It's also good to know that I set-up my reverse proxy in the correct 
way (only installing the SSL certificates on the reverse proxy).
My set-up is:  Clients  -->  HTTPS  - ->  reverse proxy --> HTTP --> 
back-end server


There is no need in my set-up to use HTTPS between the reverse proxy 
and the back-end server.


Thanks for clarification!


Jeroen







‐‐‐ Original Message ‐‐‐
On Thursday, January 13th, 2022 at 7:15 PM, Dino Ciuffetti 
 wrote:



Apache httpd works at layer 7 (HTTP/HTTPS).
You CANNOT have a reverse proxy at layer 4 with apache httpd where 
the X509 certificates are only needed on your backends (like HAProxy 
does).


Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS 
requests made by your clients) --> Your internal backend(s) (answer 
to HTTPS requests coming from your proxy).


The traffic between your internet clients and apache httpd is 
protected via TLS protocol (HTTPS) so you need a X509 certificate and 
its private key on your httpd public facing reverse proxy virtual 
host to terminate TLS internet traffic to your reverse proxy.


If you also want your reverse proxy to talk to your internal 
backend(s) via HTTPS you also need a X509 certificate and private key 
on your HTTPS backend servers.


RECAP: You will need a certificate released by a public (known to all 
major browsers) Certification Authority for your reverse proxy and a 
certificate released by a private Certification Authority (only known 
by your proxy and your backends) on your backends. You could even use 
self-signed certificates on your private side, or maintain a private 
CA by yourself via openssl.


HTH



13 gennaio 2022 12:58, "Jeroen Verhoeckx" 
> 
wrote:


Thanks, great to know that it is possible!

You write that you need to install the SSL certificates on both
the reverse proxy and in the virtual machine (or another local
server)?
Is that really necessary? I try to avoid duplication whenever
that is possible.

Do you have an example set-up somewhere?

Thanks!!









‐‐‐ Original Message ‐‐‐
On Wednesday, January 12th, 2022 at 5:23 PM, Dino Ciuffetti
 wrote:


My question:
/Would it have been possible to install the SSL certificates
in the virtual machines?/


YES. It's possible to send Internet HTTPS traffic to an
internal HTTPS service behind apache httpd as a reverse proxy.
You eventually need to install the same SSL certificates (but you
don't necessarily have to) on both the reverse proxy and the
internal service, enable SSLProxyProtocol on your VHs and send the
traffic to HTTPS via your ProxyPass.







Re: [users@httpd] Is it possible to install/configure SSL certificates on a server behind a reverse proxy?

2022-01-13 Thread Jim Albert
You absolutely want SSL certificates installed on your public facing 
proxy... signed by a well trusted CA if you want the rest of the world 
to trust your proxy.
If you want your proxy to communicate encrypted to your back end/private 
web server then you need an SSL certificate on the back end.
Only your proxy needs to trust your back end/private web server so the 
back end would be fine with either self signed or signed by your own CA 
and have the proxy trust either.


Depending on how your public SSL certificate is configured or if the 
proxy will ignore any warnings on a mismatched CN/Subject Alternate 
Names you could use it for both.



On 1/13/2022 6:58 AM, Jeroen Verhoeckx wrote:

Thanks, great to know that it is possible!

You write that you need to install the SSL certificates on both the 
reverse proxy and in the virtual machine (or another local server)?
Is that really necessary? I try to avoid duplication whenever that is 
possible.


Do you have an example set-up somewhere?

Thanks!!








‐‐‐ Original Message ‐‐‐
On Wednesday, January 12th, 2022 at 5:23 PM, Dino Ciuffetti 
 wrote:



My question:
/Would it have been possible to install the SSL certificates in
the virtual machines?/


YES. It's possible to send Internet HTTPS traffic to an internal 
HTTPS service behind apache httpd as a reverse proxy.
You eventually need to install the same SSL certificates (but you don't 
necessarily have to) on both the reverse proxy and the internal 
service, enable SSLProxyProtocol on your VHs and send the traffic to 
HTTPS via your ProxyPass.





--
Jim Albert
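The arrangement Dino and Jim describe (a publicly trusted certificate on the proxy, a private-CA certificate on the backend, the proxy trusting that private CA) as an added configuration example; it is not from the thread, and hostnames, ports and file paths are assumptions. Dino's post names `SSLProxyProtol`; the directive that switches on TLS towards the backend is `SSLProxyEngine` (`SSLProxyProtocol` only selects which protocol versions the proxy will speak to it).

```apache
# Added example, not from the thread. Public-facing vhost terminates TLS with a
# public-CA certificate and forwards over HTTPS to a backend whose certificate
# was issued by a private CA. All names and paths are assumptions.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt      # public CA
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Encrypt the proxy -> backend hop...
    SSLProxyEngine on
    # ...and verify the backend's certificate against the private CA rather
    # than switching verification off. The backend certificate's CN/SAN must
    # cover the hostname used in ProxyPass below.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/private-ca/ca.crt           # private CA bundle
    SSLProxyCheckPeerName     on

    ProxyPass        /  https://backend.internal.example:8443/
    ProxyPassReverse /  https://backend.internal.example:8443/
</VirtualHost>
```

Jeroen's plain-HTTP hop (`reverse proxy --> HTTP --> back-end server`) is the same vhost with `ProxyPass / http://backend.internal.example:8080/` and no `SSLProxy*` lines; the difference is exactly the unencrypted segment Jim describes above. `SSLProxyVerify require` is what makes a rogue or misissued backend certificate a hard failure instead of a silent downgrade.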


Re: [users@httpd] Logs not working

2022-01-04 Thread Jim Albert

On 1/4/2022 8:37 PM, James Coyle wrote:
I have checked both, but have made no changes to the locations of 
either the access log nor the error log:


 CustomLog "/private/var/log/apache2/access_log" common

As per these instructions, I have not created a Virtual Host 
container, so ostensibly the log files should not be elsewhere:


  # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here. Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.

Might the change I added to the DirectoryIndex be culprit? i.e. the 
index.php file?


# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#

    DirectoryIndex index.php index.html


Thank you


I don't believe DirectoryIndex would be relevant to logging, but simply 
what content to provide when presented with a directory request.


How about your error log? Is it available and does it offer any clue 
when you restart Apache?


If you have separate SSL configs do the SSL configs present their own 
log configs?


Outside of those thoughts, are the directories listed in the log configs 
writable by root assuming root starts Apache?


Jim






On Jan 4, 2022, at 5:20 PM, Jim Albert  wrote:

On 1/4/2022 8:11 PM, James Coyle wrote:
I recently added PHP and MySql to my Apache setup, and now notice 
that the access and error logs are not working. (The site IS working)


They both stopped working on the 31st - I don’t know if that is 
relevant or not. I have not changed the location of the logs and I 
have not added a Virtual Host.


I’d be grateful if someone could help me rectify this.

Thank you.




It would help if you provide some more information such as relevant 
Apache log configs such as:

CustomLog
ErrorLog

Search for those settings throughout your Apache config files.
Perhaps by reviewing those settings the answer will become apparent.

--
Jim Albert









--
Jim Albert


Re: [users@httpd] Logs not working

2022-01-04 Thread Jim Albert

On 1/4/2022 8:11 PM, James Coyle wrote:

I recently added PHP and MySql to my Apache setup, and now notice that the 
access and error logs are not working. (The site IS working)

They both stopped working on the 31st - I don’t know if that is relevant or 
not. I have not changed the location of the logs and I have not added a Virtual 
Host.

I’d be grateful if someone could help me rectify this.

Thank you.



It would help if you provide some more information such as relevant 
Apache log configs such as:

CustomLog
ErrorLog

Search for those settings throughout your Apache config files.
Perhaps by reviewing those settings the answer will become apparent.

--
Jim Albert





Re: [users@httpd] How to display the True-Client-IP header in the access log

2021-10-19 Thread Jim Albert

On 10/19/2021 7:43 AM, Mason Hayes wrote:

Hi, All

When Apache is accessed via a CDN (Akamai), I would like to record the 
IP of the accessing client in the Apache logs.
In order to display the True-Client-IP header sent by Akamai in the 
access log like X-Forward-For, do I have to change the Logformat 
setting in httpd.conf as follows?


LogFormat
"%{True-Client-IP}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" 
\"%{User-Agent}i\"" combined


If anyone has had any success with True-Client-IP showing up in the 
logs, please let me know.


Regards,



If the real client IP is not in X-Forwarded-For you'll need to know what 
environment variable it is supplied in. You should be able to write some 
server side code to list all the environment variables and their values 
presented to you by the web server. That variable in Apache for me is 
X-Forwarded-For.


Jim


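Logging `%{True-Client-IP}i` as in Mason's LogFormat records whatever the header says, including a value forged by a client that reaches the origin directly rather than through the CDN. Added example (not from the thread) of the usual alternative: let mod_remoteip replace the connection's client address from that header, but only when the request comes from a trusted CDN address, so that both the log and any `Require ip` rules see the real client. The address ranges are placeholders; use the CDN's published list.

```apache
# Added example, not from the thread. Module path and CDN ranges are assumptions.
LoadModule remoteip_module modules/mod_remoteip.so

# Take the client address from this header...
RemoteIPHeader True-Client-IP
# ...but only when the TCP peer is one of these (placeholder ranges; the CDN
# publishes the real ones, or use RemoteIPTrustedProxyList with a file).
# Any other peer sending the header keeps its own address: no spoofing.
RemoteIPTrustedProxy 203.0.113.0/24
RemoteIPTrustedProxy 198.51.100.0/24

# %a      client address after mod_remoteip (the header value when trusted)
# %{c}a   the actual TCP peer, i.e. the CDN edge that connected to us
# Keeping both lets you tell a CDN request from a direct hit in the log.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" cdn_combined
CustomLog logs/access_log cdn_combined
```

A request that arrives with a `True-Client-IP` header from an address outside the trusted ranges shows the same value in `%a` and `%{c}a`; that is the line to alert on if the origin is supposed to be reachable only through the CDN.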



Re: [users@httpd] mod_status over SSL?

2021-09-07 Thread Jim Albert

On 9/7/2021 5:18 PM, Dave Wreski wrote:


Hi,

I have an apache-2.4.48 server on fedora34 and would like to enable 
mod_status to be able to obtain server status information. However, 
the docs appear to say the only way to access it is over port 80, not 
SSL. Is that correct?


Chrome is also expecting the site to be over SSL, of course.

https://httpd.apache.org/docs/2.4/mod/mod_status.html

Here is my virtual host entry on port 80:


  ServerName darwin-perf.example.com
  ServerAdmin ad...@example.com

  ErrorLog /var/www/otherdomains-443/logs/error_log
  CustomLog /var/www/otherdomains-443/logs/access_log timing
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" 
\"%{User-agent}i\" %T/%D %I/%O/%B H:%H U:%U dp80 s:%s V:%V v:%v" timing


    
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 localhost 192.168.1.0/24
    

    
    SetHandler server-info
    Order Deny,Allow
    Allow from ip 127.0.0.1 localhost 192.168.1.0/24
    

    
  SetHandler perl-script
  PerlResponseHandler Apache2::Status
  Order deny,allow
  Deny from all
  Allow from ip 127.0.0.1 localhost 192.168.1.0/24
    

    
  RewriteEngine Off
  SetHandler 
"proxy:unix:/run/php-fpm/linuxsecurity.sock|fcgi://localhost"

    







You have server-status defined within an 80/http virtual host and as 
such I expect it will only be available via port 80/http.
You can define server-status more globally or within an https 
configuration depending on what you want to support.
However, bottom line is server-status and server-info can be configured 
for https/443.


As an aside, you do want to be careful on your configuration for 
availability of server-status and server-info and likely not something 
you want to provide public access. I do see you are controlling access.
However...  Order, Deny, Allow are deprecated in Apache 2.4 and you 
might want to consider reading:

https://httpd.apache.org/docs/2.4/howto/access.html

Jim



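Jim's two points, that server-status is only reachable on the listener of the vhost it is defined in and that Order/Deny/Allow is the 2.2 form, as an added example (not Dave's config): the handlers placed in a port-443 virtual host with 2.4 `Require` rules. Certificate paths are assumptions; the hostname and address ranges are the ones from Dave's post.

```apache
# Added example, not Dave's config. Certificate paths are assumptions.
<VirtualHost *:443>
    ServerName darwin-perf.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/darwin-perf.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/darwin-perf.example.com.key

    # Status and info pages reveal request URIs, client addresses and the
    # full module configuration; keep them on the loopback and the LAN only.
    <Location "/server-status">
        SetHandler server-status
        Require ip 127.0.0.1 ::1 192.168.1.0/24
    </Location>

    <Location "/server-info">
        SetHandler server-info
        Require ip 127.0.0.1 ::1 192.168.1.0/24
    </Location>
</VirtualHost>

# Per-request detail on the status page; a global setting, set it once.
ExtendedStatus On
```

Putting the `<Location>` blocks outside any `<VirtualHost>` makes them available on every listener instead, which is fine as long as the `Require ip` rule stays with them.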



Re: [users@httpd] SSL Cipher configuration issue

2021-08-26 Thread Jim Albert
When you are retesting on qualys are you clearing the qualys cache? 
There is a link to do so (Clear cache).
If your test results are immediately returning then qualys isn't 
rescanning. A scan usually takes about a minute or so.


Jim

On 8/26/2021 3:04 PM, Paul Claridge wrote:


Thanks Jim for response.

I spotted an article suggesting SSLProtocol -all +TLSv1.3, but that 
didn't make any difference either.


Could it be the Qualys SSL Labs tool is not resetting? Any other 
recommendations for testing cipher strength?


With regards to WAF we are using mod_security and I cannot see any 
reference to SSL. The other tool we use is fail2ban but I am pretty 
sure that's not causing this either.


Still slightly baffled as how to progress!

Thanks, Paul



On 26/08/2021 15:35, Jim Albert wrote:

On 8/26/2021 6:16 AM, Paul Claridge wrote:

Hi Team,

I am trying to configure recommendations from a pentest with regard to
excluding weak ciphers.

My ssl labs report shows the following:

Protocols
TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

Cipher Suites
# TLS 1.3 (suites in server-preferred order)
TLS_AES_256_GCM_SHA384 (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS
    256
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)
  FS 256
TLS_AES_128_GCM_SHA256 (0x1301)   ECDH x25519 (eq. 3072 bits RSA)   FS
    128
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq.
3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH x25519 (eq. 3072
bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072
bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072
bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072
bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH x25519 (eq. 3072 
bits

RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH x25519 (eq. 3072 
bits

RSA)   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS WEAK
    128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS WEAK 
128

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS WEAK
    256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS WEAK 
256

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256

My current ssl.conf is as follows:



    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL 
library.

    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough 
entropy
    # is available. This means you then cannot use the /dev/random 
device

    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which 
doesn't
    # block. So, if available, use this one instead. Read the 
mod_ssl User

    # Manual for more details.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism
    #   to use and second the expiring timeout (in seconds).
    #   (The mechanism dbm has known memory leaks and should not be 
used).

    #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300
    SSLSessionTickets  off

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    #   (Disabled by default, the global Mutex directive 
consolidates

Re: [users@httpd] SSL Cipher configuration issue

2021-08-26 Thread Jim Albert

On 8/26/2021 6:16 AM, Paul Claridge wrote:

Hi Team,

I am trying to configure recommendations from a pentest with regard to
excluding weak ciphers.

My ssl labs report shows the following:

Protocols
TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

Cipher Suites
# TLS 1.3 (suites in server-preferred order)
TLS_AES_256_GCM_SHA384 (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS
    256
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)
  FS 256
TLS_AES_128_GCM_SHA256 (0x1301)   ECDH x25519 (eq. 3072 bits RSA)   FS
    128
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq.
3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH x25519 (eq. 3072
bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072
bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072
bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072
bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH x25519 (eq. 3072 bits
RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH x25519 (eq. 3072 bits
RSA)   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS WEAK
    128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS WEAK
    256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256

My current ssl.conf is as follows:



    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL library.
    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl 
User

    # Manual for more details.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism
    #   to use and second the expiring timeout (in seconds).
    #   (The mechanism dbm has known memory leaks and should not be 
used).

    #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300
    SSLSessionTickets  off

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    #   (Disabled by default, the global Mutex directive consolidates by
default
    #   this)
    #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate. 
See the

    #   ciphers(1) man page from the openssl package for list of all
available
    #   options.
    #   Enable only secure ciphers:
    #SSLCipherSuite
HIGH:!aNULL:!ECDHE_RSA_WITH_AES_128_CBC_SHA256:!ECDHE_RSA_WITH_AES_256_CBC_SHA384:!ECDHE_RSA_WITH_AES_128_CBC_SHA:!ECDHE_RSA_WITH_AES_256_CBC_SHA:!DHE_RSA_WITH_AES_128_CBC_SHA256:!DHE_RSA_WITH_AES_128_CBC_SHA:!DHE_RSA_WITH_AES_256_CBC_SHA256:!DHE_RSA_WITH_AES_256_CBC_SHA:!RSA_WITH_AES_128_GCM_SHA256:!RSA_WITH_AES_256_GCM_SHA384:!RSA_WITH_AES_128_CBC_SHA256:!RSA_WITH_AES_256_CBC_SHA256:!RSA_WITH_AES_128_CBC_SHA:!RSA_WITH_AES_256_CBC_SHA 


    #SSLCipherSuite
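Every row marked WEAK in the SSL Labs report above is either a CBC-mode suite or a static-RSA key exchange suite (no forward secrecy). Added example, not Paul's ssl.conf, of an `SSLProtocol`/`SSLCipherSuite` pair that leaves only AEAD suites with ECDHE key exchange. It uses OpenSSL suite names, which is what `SSLCipherSuite` takes (the form `openssl ciphers -v` prints); a token OpenSSL does not recognise is dropped from the list rather than rejected, so a string built from the IANA-style names in the quoted `#SSLCipherSuite` line would not exclude what it appears to. Both `SSLCipherSuite` lines visible in the quoted file are commented out, and the rest of the file is truncated in the archive.

```apache
# Added example, not Paul's ssl.conf. Global context, so it applies to every
# SSL-enabled vhost that does not set its own SSLCipherSuite.
SSLProtocol         -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on

# TLS 1.2 and below: ECDHE key exchange only (forward secrecy), AEAD ciphers
# only (GCM / ChaCha20-Poly1305). No CBC suites, no RSA key exchange.
# Check what a string resolves to with:  openssl ciphers -v '<string>'
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

# TLS 1.3 suites (httpd 2.4.36+ with OpenSSL 1.1.1+). All three are AEAD and
# already appear without a WEAK mark in the report; listed so the policy is
# explicit.
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
```

Two things to check when a change like this does not show up in a rescan, besides the SSL Labs cache Jim mentions: an `SSLCipherSuite` inside a `<VirtualHost>` overrides the global one, so grep every config file for it, and `apachectl -t` followed by a restart is needed for the new list to be in effect.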

Re: [users@httpd] Question about running apache server using WAMP

2021-07-30 Thread Jim Albert
I've found facebook pretty much keeps me logged in for a very long time, 
if not indefinitely unless I clear cookies... so I'd expect your concern 
to mostly be a non-issue from having their own FB account.


If I really wanted to attempt what you want to do, I'd write some socket 
code and see what FB offers in terms of an API

https://developers.facebook.com/docs/facebook-login/

Jim

On 7/30/2021 6:02 AM, Nick Folino wrote:

I have to know Why??

On Fri, Jul 30, 2021 at 12:17 AM Krishna P > wrote:


Hello everyone,
   I want to run an Apache server with my facebook account login
and give the access to my family. I am able to get the local
server WAMP page when I give my localhost, but how do I connect
to https://facebook.com  and login with my
credentials and give the address to my family who can login from
a different computer location or mobile and see the same content as
I see?
Thanks and regards
Krishna






Re: [users@httpd] query regarding httpd server [EXT]

2021-07-19 Thread Jim Albert

You probably want to read some good information on XSS such as:
https://owasp.org/www-community/attacks/xss/

Jim

On 7/19/2021 5:27 AM, Jim Albert wrote:
X-XSS-Protection is just an HTTPD response header that instructs the 
browsers that respect the header to not make a request from the 
content of the page that appears to be an XSS attack.


Based on the page below, I don't think X-XSS-Protection offers much.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

XSS really needs to be addressed at the point where content is created 
particularly if your concern is responding to security scan results. 
A Content Security Policy offers better protection, but that still 
won't get you past a security scan where XSS vulnerabilities exist 
nor should it. Per the previous reply, "Defensive code" is the best 
solution.


Jim

On 7/19/2021 2:04 AM, Thejas Hl wrote:

hi ,
    thanks for your email,
         Is it possible the server is filtering xss attacks 
from browser to server requests (with header X-XSS-Protection: "1; 
mode=block")? If so, then kindly provide the steps for the same.


regards
Thejas


On Fri, 16 Jul 2021 at 12:50, James Smith wrote:


You can add:

Header always set X-XSS-Protection "1; mode=block"

which will help – but the rest you need to look at the way you
code your pages.

Then you can look at
(1) defensive code
(2) Content-Security-Policy header
(3) Specific rules in Apache to mitigate attacks

Remembering that XSS is often a vector for other attacks.

*From:* Thejas Hl
*Sent:* 16 July 2021 06:31
*To:* users@httpd.apache.org
*Subject:* [users@httpd] query regarding httpd server [EXT]

Hello team,

            Is xss attack internally taken care by httpd apache
server if yes kindly share the steps to activate for protection
against such attack.

Thanks and regards

tej

-- The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and
a company registered in England with number 2742969, whose
registered office is 215 Euston Road, London, NW1 2BE.









Re: [users@httpd] query regarding httpd server [EXT]

2021-07-19 Thread Jim Albert
X-XSS-Protection is just an HTTPD response header that instructs the 
browsers that respect the header to not make a request from the content 
of the page that appears to be an XSS attack.


Based on the page below, I don't think X-XSS-Protection offers much.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

XSS really needs to be addressed at the point where content is created 
particularly if your concern is responding to security scan results. A 
Content Security Policy offers better protection, but that still won't 
get you past a security scan where XSS vulnerabilities exist nor 
should it. Per the previous reply, "Defensive code" is the best solution.


Jim

On 7/19/2021 2:04 AM, Thejas Hl wrote:

hi ,
    thanks for your email,
         Is it possible the server is filtering xss attacks 
from browser to server requests (with header X-XSS-Protection: "1; 
mode=block")? If so, then kindly provide the steps for the same.


regards
Thejas


On Fri, 16 Jul 2021 at 12:50, James Smith wrote:


You can add:

Header always set X-XSS-Protection "1; mode=block"

which will help – but the rest you need to look at the way you
code your pages.

Then you can look at
(1) defensive code
(2) Content-Security-Policy header
(3) Specific rules in Apache to mitigate attacks

Remembering that XSS is often a vector for other attacks.

*From:* Thejas Hl
*Sent:* 16 July 2021 06:31
*To:* users@httpd.apache.org
*Subject:* [users@httpd] query regarding httpd server [EXT]

Hello team,

            Is xss attack internally taken care by httpd apache
server if yes kindly share the steps to activate for protection
against such attack.

Thanks and regards

tej







Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

2021-06-24 Thread Jim Albert

I'm not following your port configs.
If you want to listen on 215 for https then I'd expect you need:
Listen 215 https
... and then you'd have to choose a different port for http.

I'd try different ports and see if it makes a difference and possibly 
rule out any cipher issues.


Jim

On 6/24/2021 11:25 AM, Pavel Heimlich, a.k.a. hajma wrote:
Basically yes. It was this hack that redirected users to https when 
they tried http. But it stopped working when I tried to drop TLSv1.1


On Thu 24 Jun 2021 at 15:31, Jim Albert wrote:



215 is configured to answer for both http and https? I only see
one Listen config in your original post. I wasn't aware Apache can
distinguish based on the traffic and thought you need to use
different ports.

Jim






Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

2021-06-24 Thread Jim Albert

On 6/24/2021 4:25 AM, Pavel Heimlich, a.k.a. hajma wrote:



On Thu 24 Jun 2021 at 3:56, Jim Albert wrote:


Have you attempted from more than one client?


yes. Firefox and wget. Both behave identically.


Expand more, please on what you have running on port 215. I'm
unfamiliar with the Solaris apache configs.


there's just the Apache server, nothing else


215 is configured to answer for both http and https? I only see one 
Listen config in your original post. I wasn't aware Apache can 
distinguish based on the traffic and thought you need to use different 
ports.


Jim


Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

2021-06-23 Thread Jim Albert

On 6/23/2021 8:06 PM, Pavel Heimlich, a.k.a. hajma wrote:
On Wed 23 Jun 2021 at 23:06, Otis Dewitt - NOAA Affiliate wrote:


Check your Openssl ciphers to see if it supports TLS 1.2
Try:

SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA:!AES128-GCM-SHA256:!AES128-GCM-SHA384:!PSK:!SRP:!KRB5:@STRENGTH


This made no difference. 'The connection was reset'


# openssl ciphers -tls1
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA


Have you attempted from more than one client?

Expand more, please on what you have running on port 215. I'm unfamiliar 
with the Solaris apache configs.


Jim



Re: [users@httpd] blacklisting

2021-06-16 Thread Jim Albert

On 6/16/2021 9:05 PM, Will Fatherley wrote:

Hi All,

I have been using A2 for a few years now, but I've not really needed 
to implement any deny/black-listing because I simply have no 
meaningful security/traffic constraints. In moving forward with 
development on top of A2 which does have security implications, I'm 
hoping it might be possible that folks might be willing to share how 
they store blocked remote addresses. For instance, are relational 
datastores and other such objects typically required at the enterprise 
level to store blocked addresses? Or is a plaintext file suitable from 
an efficiency standpoint?


Best,
Will F


I find it easiest to implement blocks at the border firewall especially 
if I'm implementing a stored list of known attack IP addresses. At the 
border firewall I can easily block a set of IP addresses from the WAN to 
all my resources... httpd and others.


Within Apache there are a variety of examples of what you can do at:
https://httpd.apache.org/docs/2.4/howto/access.html

I'm sure others can add to this advice from their own experiences.

Jim
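Will asks whether a plaintext file is a reasonable store for blocked addresses. As an added example (not code from this thread or from the httpd project), this reads such a file, rejects malformed entries instead of silently dropping them, collapses overlapping and adjacent ranges, and emits the `<RequireAll>` / `Require not ip` form shown in the access-control how-to Jim links; the blocklist contents are constructed.

```python
import ipaddress

# Constructed blocklist of the plaintext kind Will asks about: one address or
# CIDR range per line, '#' starts a comment. Addresses are documentation ranges.
BLOCKLIST = """\
# known-bad sources (constructed sample)
203.0.113.7
203.0.113.8
203.0.113.0/24        # covers the two hosts above, so they collapse into it
198.51.100.0/25
198.51.100.128/25     # adjacent halves collapse to one /24
2001:db8:bad::/48
not-an-address        # rejected and reported, not silently dropped
10.0.0.1/33           # invalid prefix length, rejected as well
"""


def parse_blocklist(text):
    """Return (networks, errors); errors are (line number, entry, reason)."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits set inside a range like 10.1.2.3/24
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
    return nets, errors


def collapse(nets):
    """Merge overlapping and adjacent ranges, one address family at a time (v4 first)."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def fmt(net):
    """Single hosts as bare addresses, ranges in CIDR form, both accepted by Require ip."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def render_require(nets, per_line=4):
    """Emit the block from the access-control how-to: allow everyone, then
    subtract the blocked ranges with 'Require not ip'."""
    lines = ["<RequireAll>", "    Require all granted"]
    for i in range(0, len(nets), per_line):
        lines.append("    Require not ip " + " ".join(fmt(n) for n in nets[i:i + per_line]))
    lines.append("</RequireAll>")
    return "\n".join(lines)


def build(text=BLOCKLIST):
    """Full pipeline: parse, collapse, render. Returns (config text, errors)."""
    nets, errors = parse_blocklist(text)
    return render_require(collapse(nets)), errors


if __name__ == "__main__":
    config, errors = build()
    print(config)
    for lineno, entry, reason in errors:
        print(f"# line {lineno}: rejected {entry!r}: {reason}")
```

The same collapsed list can feed the border-firewall rule set Jim prefers, so one file stays the single source of truth for both layers.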





Re: [users@httpd] Poor Load Balancer performance

2021-05-27 Thread Jim Albert
Some HTTP load balancers perform additional duties such as acting as a 
web application firewall (WAF). The load balancer/WAF helps to weed out 
attacks (and balance load) leaving the back end servers focusing on what 
are seen as legitimate requests... each portion of the reverse proxy 
environment focusing on what it does best. Load balancing WAFs are a 
common part of the HTTP environment where security is a requirement.


Jim

On 5/27/2021 8:02 AM, Daniel Ferradal wrote:
if you have thousands of connections you need to have more servers 
and then a balancer will help spread the load (not increasing 
performance) among all the servers, or add bigger figures to your mpm 
settings in your single server (if the hardware will be able to cope 
with it).


If you have thousands of connections and just 800 workers, then it is 
logical that it clogs.


Supposing 800 connections would be enough for peaks if you want no 
clogging with prefork because load is quite variable it is better to 
specify a higher minspareservers value (more workers readily 
available, not have to be spawned, less cpu usage because less 
processes have to be spawned).


I would try to go for event asap though, much better to have to spawn 
8 processes with 100 threads than 800 processes.


On Thu, 27 May 2021 at 13:35, Marc Serra wrote:


Thank's Eric, I understand.

But if configuring a load balancer I'm adding another hop with
reducing the performance, seems that is not the best way to
improve this performance, correct?

As I explained before, it's only a test setup before move to a
real environment.

Now I have a single server (8 cores, 32GB RAM with prefork) and
the following apache tuning. In some moments, I have thousands of
concurrent connections that collapse the server and I thought the
best way to fix this was by setting up a load balancer. Isn't it?

ServerLimit 800
StartServers 10
MinSpareServers 200
MaxSpareServers 400
MaxRequestWorkers 800
MaxConnectionsPerChild 1

Message from Eric Covener on Thu, 27 May 2021 at 13:15:

On Thu, May 27, 2021 at 7:06 AM Marc Serra wrote:
> I have inverted the results! I'm sorry!

I see -- I think this is a case where you aren't taxing either
backend
and you've just added another hop.
This is probably especially true when testing static files.





-- 
Marc Serra



--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat





Re: [users@httpd] Is proxy to proxy improving the security?

2021-05-15 Thread Jim Albert

On 5/15/2021 10:21 AM, Jason Long wrote:

Hello,
Is proxy to proxy improving the security? For example:

The Internet --> Reverse Proxy Server --> Reverse Proxy Server --> Web Site



It really depends on what functions your proxies are performing. For 
example, are the reverse proxies simply load balancers or do they also 
serve as a WAF (Web Application Firewall)? A combination of both 
services on the same reverse proxy is a common implementation often 
offered commercially. Weeding out malicious requests falls on the 
reverse proxy WAF while the backend web servers are free to spend their 
resources on legitimate requests.


I think part of the answer is for security don't completely rely on your 
reverse proxy to keep out all malicious activity. It should do a good 
job. Nonetheless you still want your backend free of vulnerabilities 
like XSS and SQLi.


I think you'd have to define more of the purpose of multiple reverse 
proxies.


Jim






Re: [users@httpd] Intermittently the TLS handshake results in plaintext 400 Bad Request response

2021-04-29 Thread Jim Albert

On 4/29/2021 11:11 AM, Liwei wrote:

On Thu, 29 Apr 2021 at 22:36, Liwei wrote:

On Thu, 29 Apr 2021 at 21:06, Rob Emery wrote:
-- 8< Snip 8< -

Yeah we actually already have that enabled in our access logs and we can
see that the clients in question are using TLS1.2 when successful (i.e.
on the next connection). However these connections that result in the
plaintext response actually aren't logged in either the access or error
log at all.

This seems to indicate something wrong in front of Apache. Likely some
other machine trying to respond in http mode. A misconfigured load
balancer perhaps?

If you have some fancy multicast/round-robin DNS configuration, maybe
a misconfigured endpoint? Seems like the domain is on Route 53, so
that might be a possibility.

Not as likely since you did report that a system integrator
experienced the same problem, but do you have any local DNS overrides
that might be interfering with things?

Lih

Doh! Ignore my previous email, the capture and your first email
clearly stated that the response is coming from httpd, so what I said
doesn't make sense.

Looking at common code paths that lead to a 400 error, I'd imagine two
possible scenarios:
1. Something is mangling the initial TLS hello, can you verify that
the raw packet makes sense?
2. Worker exhaustion, given that you seem to be proxying requests,
does this happen during particularly busy moments?

There are too many variables to contend with here, especially with the
upstream firewall potentially mangling things and the proxy and
downstream server potentially killing a request early.

You're trying to get this replicated in a lab environment, so I'd say
that would be the best way forward in eliminating other variables. I'd
probably try to replay the exact contents of the failing TLS hello you
captured to quickly eliminate the possibility of upstream mangling.
I'd also monitor or capture packets to the downstream server to see if
there's any correlation.




I actually thought your suggestion of a reverse proxy or load balancer 
presenting a problem had merit. I still think that's a good question so 
we know are we dealing with the error coming from a back end apache or 
something in front of it.


Also, does your packet trace allow you the ability to see if a firewall 
is dropping packets and perhaps a misguided IPS blocking some traffic?


Jim





Re: [users@httpd] Intermittently the TLS handshake results in plaintext 400 Bad Request response

2021-04-29 Thread Jim Albert

On 4/29/2021 9:06 AM, Rob Emery wrote:

Hiya Jim

Thanks for the reply.

If not already included, you could include %{SSL_PROTOCOL}x 
%{SSL_CIPHER}x in your request log and see if there is any commonality 
in requests assuming the communication is open long enough for the 
logging to occur or if the client's desired protocol and cipher might 
get listed.


Yeah we actually already have that enabled in our access logs and we 
can see that the clients in question are using TLS1.2 when successful 
(i.e. on the next connection). However these connections that result 
in the plaintext response actually aren't logged in either the access 
or error log at all.


However we can see from the packet captures that they are a TLS 1.2 
handshake and everything "looks fine" there when compared to a 
successful handshake.




Assuming your site is public facing, give this evaluation a try and see 
if anything interesting is mentioned.

https://www.ssllabs.com/ssltest/

Jim
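Jim's suggestion above, logging %{SSL_PROTOCOL}x and %{SSL_CIPHER}x per request, is also the data you want before dropping TLSv1.1, which comes up again in the SSLCipherSuite thread further down. As an added example (not code from the list), this parses constructed access-log lines written with an assumed LogFormat that appends those two fields, and reports which clients still negotiate legacy versions:

```python
import re
from collections import Counter

# Assumed LogFormat (not from the thread): combined format plus the two mod_ssl
# fields Jim suggests. Requests on a plain-HTTP vhost log both fields as '-'.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \
#              %{SSL_PROTOCOL}x %{SSL_CIPHER}x" ssl_combined
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<proto>\S+) (?P<cipher>\S+)$'
)

# Constructed sample lines: documentation-range addresses, made-up user agents,
# one plain-HTTP request and one corrupted line.
SAMPLE_LOG = (
    '203.0.113.10 - - [29/Apr/2021:09:06:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256',
    '198.51.100.7 - - [29/Apr/2021:09:06:15 +0000] "GET /api/status HTTP/1.1" 200 312 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Chrome/90.0.4430.93" TLSv1.3 TLS_AES_256_GCM_SHA384',
    '203.0.113.44 - - [29/Apr/2021:09:06:20 +0000] "POST /api/upload HTTP/1.1" 201 0 "-" '
    '"Java/1.7.0_80" TLSv1.1 ECDHE-RSA-AES256-SHA',
    '192.0.2.15 - - [29/Apr/2021:09:06:31 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" '
    '"curl/7.64.0" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384',
    '192.0.2.15 - - [29/Apr/2021:09:06:33 +0000] "GET / HTTP/1.1" 301 230 "-" '
    '"curl/7.64.0" - -',
    '203.0.113.44 - - [29/Apr/2021:09:07:02 +0000] "GET /api/status HTTP/1.1" 200 312 "-" '
    '"Java/1.6.0_45" TLSv1 AES128-SHA',
    'corrupted line with no structure',
)

# Values mod_ssl writes for SSL_PROTOCOL that you would want to phase out.
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarise(lines):
    """Count requests per protocol version and per cipher; 'skipped' counts
    lines that did not parse, so a format mismatch is visible, not silent."""
    by_proto, by_cipher, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        proto = "plain HTTP" if rec["proto"] == "-" else rec["proto"]
        by_proto[proto] += 1
        if rec["cipher"] != "-":
            by_cipher[rec["cipher"]] += 1
    return {"by_protocol": by_proto, "by_cipher": by_cipher, "skipped": skipped}


def legacy_clients(lines, legacy=LEGACY):
    """Distinct (host, protocol, user agent) tuples still using a legacy version:
    the list to review before removing it from SSLProtocol."""
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] in legacy:
            seen.add((rec["host"], rec["proto"], rec["agent"]))
    return sorted(seen)


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for proto, n in report["by_protocol"].most_common():
        print(f"{proto:10} {n}")
    print("unparsed lines:", report["skipped"])
    for host, proto, agent in legacy_clients(SAMPLE_LOG):
        print(f"legacy {proto:8} {host:15} {agent}")
```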






Re: [users@httpd] Intermittently the TLS handshake results in plaintext 400 Bad Request response

2021-04-29 Thread Jim Albert

On 4/29/2021 8:25 AM, Rob Emery wrote:

Hello,

We have a problem where intermittently users are getting a plaintext
400 Bad Request response in the middle of the TLS handshake (always
the 6th packet in the TCP stream); it happens about 1 in 40K requests
at current. As far as we can tell, there is no difference between a
successful connection from a client and these failures (we have
confirmed that all the options in the handshake are identical apart
from the session/random level components).

We have traffic captures of the problem occurring (see attached
screenshot with the end-user’s IP redacted) and it happens fairly
frequently for us in our production environment (about 10 per hour or
similar).

We've examined the user agents etc that those requests usually come
from and see a mixture of different types of clients (PHP + Curl,
Firefox, Chrome, Safari, Java, Python) and Operating Systems (iOS,
Linux, Windows 10, Android) etc, so there doesn't appear to be any
commonality between the clients.

There’s a firewall performing NAT between the client and the httpd
instance and the error is definitely coming from httpd as the traffic
captures were taken on the physical interface that httpd is listening
on. It is happening on multiple (> 5) servers that share nothing so we
don’t think it could be a physical issue.

They’re apache2 2.4.25-3+deb9u7 on Debian 9. This is 2 minor patches
behind the latest however we have reviewed the patches and there
doesn’t seem to be any way those changes could affect this behaviour.
We have also read through the changelog for Apache2, the only possible
related change that we can see is in 2.4.38:

 *) mod_ssl: Fix the error code returned in an error path of
 'ssl_io_filter_handshake()'. This messes-up error handling performed
 in 'ssl_io_filter_error()' [Yann Ylavic]

However that change only resolves a situation where httpd returns a
502 when it should return a 400, so we don’t think that’s related. We
spent a good portion of yesterday reviewing the mod_ssl code, however
we weren't able to identify a situation where this would happen.

We have logging at “warn” everywhere, however these requests don’t
show in either the access or error log when we check for them.

We are currently trying to get this reproduced in a lab environment so
we can increase the log levels etc however any guidance as to where to
focus our efforts would be much appreciated.

Thanks
Rob

Other relevant information we can think of:

apache2 2.4.25-3+deb9u7
Linux 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64 GNU/Linux
openssl 1.1.0j-1~deb9u1

We’re using: mod_ssl and mpm_worker with:

    StartServers    2
    MinSpareThreads    25
    MaxSpareThreads    75
    ThreadLimit    64
    ThreadsPerChild    25
    MaxRequestWorkers    150
    MaxConnectionsPerChild    0

Other modules we have enabled are:

access_compat.load
alias.load
auth_basic.load
authn_core.load
authn_file.load
authz_core.load
authz_host.load
authz_user.load
deflate.load
dir.load
env.load
filter.load
headers.load
lbmethod_byrequests.load
mime.load
negotiation.load
proxy_balancer.load
proxy_html.load
proxy_http.load
proxy.load
rewrite.load
setenvif.load
slotmem_shm.load
socache_shmcb.load
status.load
Xml2enc.load

Example of the site (edited for brevity):


    ServerName example.com

    ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/example.com.access.log vhost_combined_cw_tls env=!dontlog


    #Enable mod-deflate for everything except images
    SetOutputFilter DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip

    RewriteEngine On

    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST|PUT|DELETE|PATCH)$ [NC]

    RewriteRule .* "-" [F]

    RequestHeader unset X-Forwarded-For
    RequestHeader unset X-Forwarded-Host
    RequestHeader unset X-Forwarded-Proto
    RequestHeader unset Max-Forwards

    SSLEngine On
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyEngine on
    SSLProxyVerify none
    SSLHonorCipherOrder on

    # MSIE 2-6
    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    RequestHeader set X-ClientSSLProtocol "%{SSL_PROTOCOL}s"
    RequestHeader set X-ClientSSLCipher "%{SSL_CIPHER}s"
    RequestHeader set X_FORWARDED_PROTO "https"
    RequestHeader set X-Forwarded-Proto "https"

    SSLCertificateFile /etc/apache2/ssl/example.com/_.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.com/_.example.com.key
    SSLCertificateChainFile /etc/apache2/ssl/example.com/chain.crt

    RewriteRule ^(.*)$ http://upstreamserver/$1 [P,QSA]






Can you tell from the user agents if they indicate old clients?
I see you disable TLSv1.1.
You could try temporarily enabling TLSv1.1 and see if those failures 
stop and then you would know it's 

Re: [users@httpd] SSLCipherSuite DEFAULT

2021-04-21 Thread Jim Albert

On 4/21/2021 3:56 PM, @lbutlr wrote:

On 20 Apr 2021, at 13:20, Jim Albert wrote:

On 4/20/2021 2:56 PM, @lbutlr wrote:

Right, and I am running the current version of OpenSSL which, for example, 
doesn't support SSLv3 or TLSv1.1.

I'd be surprised if that were true.
If you run 'openssl ciphers -v ALL' you see no SSLv3 ciphers?

TLSv1 is not a cipher, the cipher suites are different than the protocols, 
right?

I'm pretty sure you cannot make a TLSv1 or TLSv1.1 connection to a openSSL 
1.1.1k versions of OpenSSL.




Speaking very generally and rudimentarily, cipher suites define a set of 
algorithms to secure network communications and include things like key 
exchange, authentication and encryption. They'll include various 
encryption and hash algorithms such as AES, RSA, MD5, SHA# and lots more.


SSL and TLS are protocols that define how sets of cipher suites are to 
be used. In order to achieve a certain level of security the various 
protocols require a certain level of cipher suite.


So.. in order to achieve a certain level of security you need to define 
above what level of SSL/TLS you will support (currently that is generally 
TLSv1.1 and above) and then your cipher suite based on those required 
for your supported SSL/TLS protocol version minus any that have known 
significant vulnerabilities.


Jim






Re: [users@httpd] SSLCipherSuite DEFAULT

2021-04-20 Thread Jim Albert

On 4/20/2021 2:56 PM, @lbutlr wrote:

On 20 Apr 2021, at 09:45, Jim Albert wrote:

On 4/20/2021 9:48 AM, @lbutlr wrote:

If I define SSLCipherSuite DEFAULT will apache show the ciphers that are 
defined by openSSL and will be used?

Is this the best way to go, or should I specifically list TLSv1.2 and 

TLS1.3?


The complete list of ciphers that openssl supports numbers 60 and still

includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
Trying to search on recommendations comes up with a lot of "use these 
settings to allow IE 6.0" which is of literally no interest to me at all.


This is what I am looking at using:

Protocols h2 h2c http/1.1
SSLCipherSuite DEFAULT
SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3

But I may relent on TLSv1/1.1 after checking logs.

I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the 
older TLS and SSL that will provide ciphers and security that are supported by 
current browsers and if I allow TLSv1 it should support old browsers going back 
more than a decade, yes?


Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.

Right, and I am running the current version of OpenSSL which, for example, 
doesn't support SSLv3 or TLSv1.1.


I'd be surprised if that were true.
If you run 'openssl ciphers -v ALL' you see no SSLv3 ciphers?
Not that you should make use of them, but I'd expect them to still be 
supported.





I believe running 'openssl ciphers'

And that shows ciphers for TLSv1.1 and SSLv3, which is why I am a tad confused.


That's what I'd expect per my comment above.

You can compare:
openssl ciphers -v ALL
to
openssl ciphers -v DEFAULT

However, I doubt very much that either is what you want to use in practice.

I'd continue to suggest
https://wiki.mozilla.org/Security/Server_Side_TLS
or
https://ssl-config.mozilla.org/
which someone else pointed out and is also referenced from 
https://wiki.mozilla.org/Security/Server_Side_TLS



will list your openssl installation's default cipher list which I am assuming 
is what SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have 
to confirm that.

I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS 
as a decent starting point. Intermediate is usually a pretty good 
starting point for a public web server. Then watching for any 
cipher-based vulnerabilities that are announced or reported by any 
vulnerability testing you might have performed.

Thanks, I did not find that, I was diving in apache 2.4 examples that were 3+ 
years old.

It's impressive how much faster h2 is than http/1.1.









Re: [users@httpd] SSLCipherSuite DEFAULT

2021-04-20 Thread Jim Albert

On 4/20/2021 9:48 AM, @lbutlr wrote:

If I define SSLCipherSuite DEFAULT will apache show the ciphers that are 
defined by openSSL and will be used?

Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?

The complete list of ciphers that openssl supports numbers 60 and still 

includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.


Trying to search on recommendations comes up with a lot of "use these settings to 
allow IE 6.0" which is of literally no interest to me at all.

This is what I am looking at using:

Protocols h2 h2c http/1.1
SSLCipherSuite DEFAULT
SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3

But I may relent on TLSv1/1.1 after checking logs.

I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the 
older TLS and SSL that will provide ciphers and security that are supported by 
current browsers and if I allow TLSv1 it should support old browsers going back 
more than a decade, yes?



Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.

I believe running 'openssl ciphers' will list your openssl 
installation's default cipher list which I am assuming is what 
SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have to 
confirm that.


I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS 
as a decent starting point. Intermediate is usually a pretty good 
starting point for a public web server. Then watching for any 
cipher-based vulnerabilities that are announced or reported by any 
vulnerability testing you might have performed.


https://www.ssllabs.com/ssltest/
is a pretty nice site to check on your httpd SSL configs.

Jim
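Jim's distinction between the protocol version (SSLProtocol) and the cipher suites (SSLCipherSuite), and the puzzle of why 'openssl ciphers' still lists SSLv3 suites, can be made concrete with a small model of how a cipher string is evaluated; the same model applies to the SSLCipherSuite strings posted earlier in the TLSv1.2 thread. This is an added example, not code from the list, httpd or OpenSSL: the cipher table is a constructed subset in the shape of 'openssl ciphers -v' output, and the keyword rules (HIGH in particular) are simplified.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    """One row of 'openssl ciphers -v': name, protocol column, Kx, Au, Enc, bits, Mac."""
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    bits: int
    mac: str


# Constructed, partial table in the shape of 'openssl ciphers -v ALL' on an
# OpenSSL 1.1 host. The protocol column is the version a suite was introduced
# with, not the only version it can be negotiated under.
TABLE = [
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", "ECDH", "RSA",  "AESGCM", 256, "AEAD"),
    Cipher("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", "ECDH", "RSA",  "AESGCM", 128, "AEAD"),
    Cipher("DHE-RSA-AES256-SHA256",       "TLSv1.2", "DH",   "RSA",  "AES",    256, "SHA256"),
    Cipher("ECDHE-RSA-AES256-SHA",        "TLSv1",   "ECDH", "RSA",  "AES",    256, "SHA1"),
    Cipher("AES128-SHA",                  "SSLv3",   "RSA",  "RSA",  "AES",    128, "SHA1"),
    Cipher("DES-CBC3-SHA",                "SSLv3",   "RSA",  "RSA",  "3DES",   168, "SHA1"),
    Cipher("RC4-MD5",                     "SSLv3",   "RSA",  "RSA",  "RC4",    128, "MD5"),
    Cipher("AECDH-AES256-SHA",            "TLSv1",   "ECDH", "None", "AES",    256, "SHA1"),
    Cipher("PSK-AES128-CBC-SHA256",       "TLSv1",   "PSK",  "PSK",  "AES",    128, "SHA256"),
    Cipher("NULL-SHA256",                 "TLSv1.2", "RSA",  "RSA",  "None",   0,   "SHA256"),
]


def matches(c: Cipher, kw: str) -> bool:
    """Simplified model of the cipher-list keywords that appear on this page."""
    if kw == "ALL":
        return c.enc != "None"
    if kw == "HIGH":                       # simplified: >=128-bit and not RC4/3DES/NULL
        return c.bits >= 128 and c.enc not in ("None", "RC4", "3DES")
    if kw == "aNULL":
        return c.au == "None"
    if kw == "eNULL":
        return c.enc == "None"
    if kw in ("ECDHE", "EECDH"):
        return c.kx == "ECDH" and c.au != "None"
    if kw == "DHE":
        return c.kx == "DH" and c.au != "None"
    if kw in ("RC4", "3DES", "AES", "AESGCM", "CAMELLIA"):
        return c.enc == kw
    if kw in ("MD5", "SHA1", "SHA256", "SHA384"):
        return c.mac == kw
    if kw in ("PSK", "SRP"):
        return c.kx == kw
    if kw in ("SSLv3", "TLSv1", "TLSv1.2"):
        return c.proto == kw
    return c.name == kw                    # otherwise a literal suite name


def evaluate(spec: str, table: list[Cipher] = TABLE) -> list[str]:
    """Apply a cipher string left to right: a bare word appends matches, '!'
    deletes permanently, '-' deletes but allows re-adding, '+' moves matches to
    the end, '@STRENGTH' sorts by key bits, and 'A+B' requires both keywords."""
    selected: list[Cipher] = []
    killed: set[str] = set()
    for item in spec.split(":"):
        if not item:
            continue
        if item == "@STRENGTH":
            selected.sort(key=lambda c: c.bits, reverse=True)   # stable sort
            continue
        op = item[0] if item[0] in "!-+" else ""
        kws = item[len(op):].split("+")
        hit = [c for c in table if all(matches(c, k) for k in kws)]
        if op == "!":
            killed.update(c.name for c in hit)
            selected = [c for c in selected if c.name not in killed]
        elif op == "-":
            selected = [c for c in selected if c not in hit]
        elif op == "+":
            selected = [c for c in selected if c not in hit] + [c for c in selected if c in hit]
        else:
            selected += [c for c in hit if c not in selected and c.name not in killed]
    return [c.name for c in selected]


def by_protocol(names: list[str], table: list[Cipher] = TABLE) -> dict[str, list[str]]:
    """Group a selection by the protocol column. A suite labelled SSLv3 (such as
    AES128-SHA) is still offered under TLSv1.2 after 'SSLProtocol -SSLv3':
    the version setting and the suite setting are independent controls."""
    groups: dict[str, list[str]] = {}
    for c in table:
        if c.name in names:
            groups.setdefault(c.proto, []).append(c.name)
    return groups


if __name__ == "__main__":
    # Constructed string in the spirit of the ones posted on the list.
    chosen = evaluate("HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5:!PSK:!SRP:@STRENGTH")
    for proto, names in by_protocol(chosen).items():
        print(f"{proto:8} {' '.join(names)}")
```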









Re: [users@httpd] Apache 2.4.37 graceful restart causes error “scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.”

2021-03-30 Thread Jim Albert

On 3/30/2021 8:51 AM, A.J. Gatlin wrote:



On Tue, Mar 30, 2021 at 2:42 AM Jim Albert wrote:



Have you checked your request logs at the time of restart for any
request activity associated with the restart?


Yes, I did have a look at this to see if there was anything out of the 
ordinary. However, I didn't see anything interesting -- no scans or 
attacks that would result in especially high numbers of connections. 
The reload happens during a relatively quiet overnight period.


Does https://yourserver.com/server-status present any clues,
particularly the processes section or will that also not respond?


Nothing would respond until I forcibly restarted the httpd process. I 
was getting the "scoreboard is full" error logged once per second to 
the error_log during this period.


Does a restart, graceful or full restart, outside of a logrotate
present
the same issue?


A full restart always works fine -- no errors. It just takes some time 
and is disruptive.
For the graceful restart, I was able to reproduce the issue on a test 
machine when I fed it simulated traffic from the tool slowhttptest. 
I'd issue the reload command, see the "scoreboard is full" in the 
logs, and then the system would be unresponsive as long as my 
simulated traffic was continuing. As soon as the simulated traffic 
ends, the system seems to recover. It would appear, though, that in 
production, the system never gets a chance to recover, because there 
are always incoming connection requests. At least that's my guess.



Maybe give MaxConnectionsPerChild a setting. I believe the default
is 0
which indicates httpd children do not expire. Maybe try 2000 so httpd
children expire occasionally and restart new... just in case of some
memory issue you are facing.
https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxconnectionsperchild


I'll consider it. Thanks very much.




How about a graceful restart right after a fresh full restart. Does that 
immediate graceful restart present the same issue or does the problem 
require some period of requests before a graceful restart will present 
the problem. Some process information ('top' on UNIX) might tell you if 
you have some httpd processes taking a long time to complete. You could 
watch your server-status over time to see what might be building up to 
the problem state.


Jim



Re: [users@httpd] Apache 2.4.37 graceful restart causes error “scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.”

2021-03-29 Thread Jim Albert

On 3/29/2021 8:45 AM, A.J. Gatlin wrote:

Hi there,

I'm running some PHP-based sites on CentOS 8, which uses version 
2.4.37 of Apache. Apache is set to use MPM Event mode, which is also 
the default.


Once per day during a quiet period, logrotate rotates the Apache logs 
by doing a graceful restart (reload) as part of a postrotate command:


/bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true

This causes the following line to appear in the Apache error log, 
which I believe to be normal and expected:


[mpm_event:notice] [pid 1413:tid 140292271810880] AH00493: SIGUSR1 
received.  Doing graceful restart


The log is then rotated, and in the newly created error log, I see the 
following:


[lbmethod_heartbeat:notice] [pid 1413:tid 140292271810880] AH02282: No 
slotmem from mod_heartmonitor
[mpm_event:notice] [pid 1413:tid 140292271810880] AH00489: 
Apache/2.4.37 (centos) OpenSSL/1.1.1g configured -- resuming normal 
operations
[core:notice] [pid 1413:tid 140292271810880] AH00094: Command line: 
'/usr/sbin/httpd -D FOREGROUND'


Then, immediately after, I see this error repeated once per second:

[mpm_event:error] [pid 1413:tid 140292271810880] AH03490: scoreboard 
is full, not at MaxRequestWorkers.Increase ServerLimit.


The server then becomes unresponsive and will not answer HTTPS 
requests. It continues logging the above error and will not begin 
working again until I manually restart the Apache process.


All configs on this server are essentially the default for CentOS 8. I 
have not tried making any adjustments to the MPM Event config settings 
-- mostly because I'm not sure what setting for ServerLimit would be 
"correct," and also because this problem happens *only* when logrotate 
does its graceful restart, and not during other periods of high traffic.


My research on this issue brings up a lot of results about an old 
Apache bug related to MPM Event mode, but my version of Apache 
shouldn't be affected by this particular bug. I have also seen 
suggestions that some long-running processes may hang and eat up all 
available worker processes, but I don't understand why this would 
interrupt the restart. And I don't have any particularly long-running 
processes served by Apache -- just quickly executing PHP scripts.


Can anyone suggest what might fix this issue, given that it seems to 
happen only during a graceful reload? Should I try changing the method 
that logrotate uses to restart Apache?


Is there some other way I can avoid the server hanging, or is it 
really necessary to increase the ServerLimit as the error suggests?


Thank you very much for any insight or help.


Have you checked your request logs at the time of restart for any 
request activity associated with the restart?
Does https://yourserver.com/server-status present any clues, 
particularly the processes section or will that also not respond?
Does a restart, graceful or full restart, outside of a logrotate present 
the same issue?


Maybe give MaxConnectionsPerChild a setting. I believe the default is 0 
which indicates httpd children do not expire. Maybe try 2000 so httpd 
children expire occasionally and restart new... just in case of some 
memory issue you are facing.

https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxconnectionsperchild

Jim



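The pattern described in the two messages above (a graceful restart followed by AH03490 once per second) is easy to miss in a busy error_log. The following script is an added example, not code from the thread or from the httpd project; it parses the default 2.4 ErrorLogFormat and flags any graceful restart (AH00493) that is followed by a run of "scoreboard is full" errors. The sample log lines are constructed to match the excerpt posted by the original poster; their timestamps, PIDs and TIDs are illustrative.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample error_log lines modelled on the excerpt posted in the
# thread; timestamps, PIDs and TIDs are illustrative, not from a real server.
SAMPLE_ERROR_LOG = """\
[Mon Mar 29 03:15:01.000001 2021] [mpm_event:notice] [pid 1413:tid 140292271810880] AH00493: SIGUSR1 received.  Doing graceful restart
[Mon Mar 29 03:15:01.000002 2021] [lbmethod_heartbeat:notice] [pid 1413:tid 140292271810880] AH02282: No slotmem from mod_heartmonitor
[Mon Mar 29 03:15:01.000003 2021] [mpm_event:notice] [pid 1413:tid 140292271810880] AH00489: Apache/2.4.37 (centos) OpenSSL/1.1.1g configured -- resuming normal operations
[Mon Mar 29 03:15:01.000004 2021] [core:notice] [pid 1413:tid 140292271810880] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Mar 29 03:15:02.000000 2021] [mpm_event:error] [pid 1413:tid 140292271810880] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.
[Mon Mar 29 03:15:03.000000 2021] [mpm_event:error] [pid 1413:tid 140292271810880] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.
[Mon Mar 29 03:15:04.000000 2021] [mpm_event:error] [pid 1413:tid 140292271810880] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.
"""

# Default 2.4 ErrorLogFormat: [timestamp] [module:level] [pid N:tid N] AHnnnnn: message.
# The timestamp and the AH code are optional so lines pasted without them still parse.
LINE_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\] )?"
    r"\[(?P<module>[\w-]+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:(?P<code>AH\d{5}): )?"
    r"(?P<msg>.*)$"
)

GRACEFUL_RESTART = "AH00493"  # SIGUSR1 received. Doing graceful restart
SCOREBOARD_FULL = "AH03490"   # scoreboard is full, not at MaxRequestWorkers


def parse_error_log(text: str) -> List[Dict[str, str]]:
    """Turn raw error_log text into one dict per parseable line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({k: (v or "") for k, v in m.groupdict().items()})
    return entries


def count_by_code(entries: List[Dict[str, str]]) -> Counter:
    """How often each AH message id appears; a quick way to spot a repeating error."""
    return Counter(e["code"] for e in entries if e["code"])


def graceful_restart_stalls(entries: List[Dict[str, str]], threshold: int = 3) -> List[Dict[str, object]]:
    """Report every graceful restart that was followed by at least `threshold`
    'scoreboard is full' errors before the next restart, i.e. the pattern the
    original poster saw once per second after logrotate's reload."""
    findings: List[Dict[str, object]] = []
    current = None
    for e in entries:
        if e["code"] == GRACEFUL_RESTART:
            if current and current["scoreboard_full_count"] >= threshold:
                findings.append(current)
            current = {"restart_ts": e["ts"], "pid": e["pid"], "scoreboard_full_count": 0}
        elif e["code"] == SCOREBOARD_FULL and current is not None:
            current["scoreboard_full_count"] += 1
    if current and current["scoreboard_full_count"] >= threshold:
        findings.append(current)
    return findings


if __name__ == "__main__":
    parsed = parse_error_log(SAMPLE_ERROR_LOG)
    print(count_by_code(parsed))
    for f in graceful_restart_stalls(parsed):
        print(f"graceful restart at {f['restart_ts']} (pid {f['pid']}) "
              f"followed by {f['scoreboard_full_count']} AH03490 errors")
```

Run it against the real error_log (`python3 check_scoreboard.py < /var/log/httpd/error_log` after swapping SAMPLE_ERROR_LOG for stdin) and correlate any finding with server-status and the access log around the same timestamp, as suggested in the replies above.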



Re: [users@httpd] Re: httpd[803535]:

2021-03-15 Thread Jim Albert

On 3/15/2021 8:48 AM, Jason Long wrote:

Thank you.
I guess something is wrong!
I put my IP address in "tor-ip.conf" file and restarted my Apache service, then 
visit my website and checked the log file, but the IP address in the log file Vs. my IP 
address!!!
For example, the https://www.myip.com/ website shows me that my IP address is "1.2.3.4", 
but in Apache log, my IP address is "1.2.3.5".
Please see: https://paste.ubuntu.com/p/BhWN6dmCJX/




On Monday, March 15, 2021, 04:01:58 PM GMT+3:30, Antony Stone 
 wrote:





On Monday 15 March 2021 at 12:22:07, Jason Long wrote:


Thank you.
I opened Tor Browser and visited "https://www.iplocation.net/" website and
find my IP address, then checked my IP address with the list of IP
addresses in "tor-ip.conf" file. My IP existed in the list, but I can
visit my website!!!

I thought one of the aspects of the Tor network was that subsequent connection
requests can enter the standard Internet from different egress points (ie: you
appear to have a different IP address for different requests).

Therefore visiting one website and finding out what IP address you appear to
have, and then visiting another website does not confirm that your visit to the
second site comes from the same IP address as the first.

As I already suggested:

*Look in your website log files* to find out which address the connection came
from.

Then compare this with the list of blocked addresses you used to prevent
access.


Regards,


Antony.



You mentioned in another post that you are attempting to do some load 
balancing and/or proxying. Could you be seeing your reverse proxy's IP 
in your logs?
If you are, in fact, reverse proxy'ing then that is expected and perhaps 
you want to place your access restrictions on the proxy, if possible.


Jim




Re: [users@httpd] Apache Reverse Proxy and Load Balancer.

2021-03-15 Thread Jim Albert

On 3/15/2021 7:25 AM, Jason Long wrote:

Thanks.
Thus, Apache can't help me about it? I need something like Clustering or...






On Monday, March 15, 2021, 02:14:55 AM GMT+3:30, Daniel Ferradal 
 wrote:





Perhaps you are looking to configure orchestration of some kind in
your infrastructure, but that is probably offtopic here.

On Thu, 11 Mar 2021 at 20:29, Jason Long wrote:

Hello,
I configured my Apache Reverse Proxy as a Load Balancer to handle Back-End 
servers. When a Back-End server stopped, then another one provide service.
How can I do it with Reverse Proxy server itself? When a Reverse Proxy stopped, 
then another Reverse Proxy provides services?

Thank you.






I use a WAF/load balancer separate from Apache, but have you looked at:
https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html
I have no experience with mod_proxy_balancer.

Jim





Re: [users@httpd] Forwarding IP to HTTPS.

2020-10-12 Thread Jim Albert

On 10/12/2020 9:09 AM, Jason Long wrote:

Thank you.
I want when a user enter my server IP address in his\her browser then it forward to 
"https://mywebsite.com".


Most users will not enter an IP address, but rather a domain name. For 
those that enter a domain name (https://mywebsite.com) first DNS is 
involved to resolve the domain name to an IP address.


For the most part, along with possible forward or reverse proxies... the 
client browser is then in communication with your mywebsite.com web 
server using SSL over the http protocol.


Jim









On Monday, October 12, 2020, 12:14:31 PM GMT+3:30, Antony Stone 
 wrote:





On Monday 12 October 2020 at 07:25:56, Jason Long wrote:


Hello,
Forwarding an IP address to HTTPS domain is the task of Apache or SSL?

What do you mean by "forwarding", and what protocol (presumably either HTTP or
HTTPS) is being used by the client application which starts the connection
(ie: a web browser or equivalent)?

Please give more details about your question so that we have a better idea
what the correct answer might be.


Antony.








Re: [users@httpd] How to set “Strict-Transport-Security”?

2020-09-28 Thread Jim Albert

On 9/28/2020 3:52 PM, Jason Long wrote:

Header set Content-Security-Policy "default-src 'self';"

After it, some features of WordPress like menu disabled!



You posted this same question about a week ago for which I responded. My 
response is repeated below with some additional advice.


Use your browser's developer tools (usually F12) to view your console 
errors and warnings. The console will tell you what content your CSP 
might be blocking.
Until you have your CSP set properly you can use a report only CSP 
header to report what's in violation of your CSP without actually 
blocking it.


https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only 


https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

That's about the best advice you are going to get.  You need to 
understand the syntax of a Content Security Policy (CSP), what its 
purpose is and how it can affect content of a web page.

Start with the links above.

The content you no longer see might come from a source not allowed by 
your CSP. Your browser's dev tools console will confirm if that is true.


Jim









On Sunday, September 27, 2020, 05:29:51 PM GMT+3:30, Jim Albert 
 wrote:





On 9/27/2020 2:50 AM, Jason Long wrote:


Hello,
For a website with the name "my-example.net", what is the correct syntax of:

Header set Content-Security-Policy "default-src 'self';"

?

Thank you.


Which header are you asking about?
Strict-Transport-Security (your email subject) - indicates to the
browser that the site should only be accessed via https. The browser
will make future requests via https.
Content-Security-Policy (your email body) - sets a trust policy for
content on a given site.

Jim






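Jim's advice above (run the policy in Content-Security-Policy-Report-Only mode first and read what it reports) produces a stream of JSON violation reports that is tedious to read by hand. The script below is an added example, not code from the thread, the httpd project or WordPress; it parses report bodies of the application/csp-report form that browsers POST, groups them by directive and blocked origin, and prints review notes. The sample reports are constructed, with hostnames standing in for the kind of third-party fonts and avatars a theme typically loads; the "document-uri" values reuse the my-example.net name from the question.

```python
import json
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample report bodies (application/csp-report), shaped like the
# JSON browsers POST when a Content-Security-Policy-Report-Only policy is violated.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://my-example.net/", "referrer": "",
        "violated-directive": "style-src", "effective-directive": "style-src",
        "original-policy": "default-src 'self'",
        "blocked-uri": "https://fonts.googleapis.com/css?family=Open+Sans", "status-code": 200}}),
    json.dumps({"csp-report": {
        "document-uri": "https://my-example.net/", "referrer": "",
        "violated-directive": "font-src", "effective-directive": "font-src",
        "original-policy": "default-src 'self'",
        "blocked-uri": "https://fonts.gstatic.com/s/opensans/v18/mem8YaGs126MiZpBA-UFVZ0b.woff2",
        "status-code": 200}}),
    # inline <script> blocks in the page itself show up as blocked-uri "inline"
    json.dumps({"csp-report": {
        "document-uri": "https://my-example.net/wp-admin/",
        "violated-directive": "default-src 'self'", "effective-directive": "script-src",
        "original-policy": "default-src 'self'", "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://my-example.net/",
        "violated-directive": "script-src", "effective-directive": "script-src",
        "original-policy": "default-src 'self'", "blocked-uri": "inline"}}),
    # older report format: no effective-directive, violated-directive carries the full text
    json.dumps({"csp-report": {
        "document-uri": "https://my-example.net/",
        "violated-directive": "img-src 'self'",
        "original-policy": "default-src 'self'",
        "blocked-uri": "https://secure.gravatar.com/avatar/0123abcd?s=96"}}),
]


def parse_csp_report(body: str) -> Dict[str, str]:
    """Extract the fields that matter for tuning a policy from one report body."""
    data = json.loads(body)
    r = data.get("csp-report", data)
    # Newer browsers send effective-directive; older ones only violated-directive,
    # which may carry the whole directive text ("default-src 'self'").
    directive = r.get("effective-directive") or r.get("violated-directive", "")
    return {
        "directive": directive.split()[0] if directive else "",
        "blocked_uri": r.get("blocked-uri", ""),
        "document_uri": r.get("document-uri", ""),
    }


def blocked_source(blocked_uri: str) -> str:
    """Reduce a blocked URI to the source you would reason about in the policy:
    an origin for fetched resources, or the literal keyword (inline, eval, data)."""
    if blocked_uri in ("", "inline", "eval", "data", "blob", "self"):
        return blocked_uri or "(empty)"
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri


def summarize(report_bodies: List[str]) -> Dict[str, Dict[str, int]]:
    """directive -> source -> number of reports."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for body in report_bodies:
        p = parse_csp_report(body)
        counts[p["directive"]][blocked_source(p["blocked_uri"])] += 1
    return {d: dict(s) for d, s in counts.items()}


def review_lines(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Human-readable review notes. Nothing is added to the policy automatically:
    every origin should be checked before it is trusted."""
    lines = []
    for directive in sorted(summary):
        for source, n in sorted(summary[directive].items()):
            if source in ("inline", "eval"):
                lines.append(f"{directive}: {n} {source} violation(s); prefer a nonce or hash "
                             f"to 'unsafe-{source}'")
            else:
                lines.append(f"{directive}: {n} report(s) blocked from {source}; "
                             f"add it to {directive} only if that origin is trusted")
    return lines


if __name__ == "__main__":
    for line in review_lines(summarize(SAMPLE_REPORTS)):
        print(line)
```

The "inline" entries are the ones that usually break a WordPress menu or theme: the fix is to allow the specific inline blocks with a nonce or hash, not to drop to 'unsafe-inline', which gives up most of what the policy is for.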



Re: [users@httpd] How to set “Strict-Transport-Security”?

2020-09-27 Thread Jim Albert

On 9/27/2020 2:50 AM, Jason Long wrote:

Hello,
For a website with the name "my-example.net", what is the correct syntax of:

Header set Content-Security-Policy "default-src 'self';"

?

Thank you.




Which header are you asking about?
Strict-Transport-Security (your email subject) - indicates to the 
browser that the site should only be accessed via https. The browser 
will make future requests via https.
Content-Security-Policy (your email body) - sets a trust policy for 
content on a given site.


Jim






Re: [users@httpd] Content-Security-Policy for a WordPress website.

2020-09-17 Thread Jim Albert

On 9/17/2020 4:17 PM, Jim Albert wrote:

On 9/17/2020 3:27 PM, Jason Long wrote:

Hello,
When I added "Header set Content-Security-Policy "default-src 
'self';"" to "httpd.conf" then my website style and some graphical 
features are disable.

Why?

Thank you.




Use your browser's developer tools (usually F12) to view your console 
errors and warnings. The console will tell you what content your CSP 
might be blocking.
Until you have your CSP set properly you can use a report only CSP 
header to report what's getting blocked without actually blocking it.


https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only 


https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP



Sorry.. I should have phrased the above as:
"Until you have your CSP set properly you can use a report only CSP 
header to report what's in violation of your CSP without actually 
blocking it."


Jim




Re: [users@httpd] Content-Security-Policy for a WordPress website.

2020-09-17 Thread Jim Albert

On 9/17/2020 3:27 PM, Jason Long wrote:

Hello,
When I added "Header set Content-Security-Policy "default-src 'self';"" to 
"httpd.conf" then my website style and some graphical features are disable.
Why?

Thank you.




Use your browser's developer tools (usually F12) to view your console 
errors and warnings. The console will tell you what content your CSP 
might be blocking.
Until you have your CSP set properly you can use a report only CSP 
header to report what's getting blocked without actually blocking it.


https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Jim





Re: [users@httpd] http-https

2020-08-11 Thread Jim Albert

On 8/11/2020 10:44 AM, Nick Kew wrote:



On 11 Aug 2020, at 08:52, MEjaz  wrote:

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Read the error message and log.  It's giving you exactly the advice you need.
My guess is that you've configured SSL on both ports.

More generally, don't confuse the configuration of your http and https vhosts.
If you have the redirect in the latter, it becomes an infinite loop!

(the mod_rewrite advice is wrong on too many levels to enumerate).



Many ways of handling http->https, mod_rewrite being one of them with 
variations of the syntax based on what you want to do.

Positive guidance per stack overflow.
https://stackoverflow.com/questions/10489895/http-to-https-through-htaccess

(agreed... likely some other apache config issues for OP involving port 
configs).


Jim





Re: [users@httpd] http-https

2020-08-11 Thread Jim Albert

On 8/11/2020 3:00 AM, MEjaz wrote:


Hello,

I have requirement to redirect the url. Whoever typed my site 
http://newtraffic.cyberia.net.sa , it should redirect to 
https://newtraffic.cyberia.net.sa


I am a bit struggling to achieve this. Please assist.

Ejaz



As long as the request is staying on the same server, mod_rewrite is a 
good use for this and I believe avoids another request as in a redirect.

The following 3 lines would go in your httpd.conf file.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}$1 [L,R=302]

https://httpd.apache.org/docs/current/mod/mod_rewrite.html

This assumes you want all http traffic handled via https and not just 
the root of your site.


Change the 302 (temporary) to 301 (permanent) once you know things are 
working as you like.


Jim
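Before switching the 302 to a 301 as Jim suggests, it is worth confirming that the redirect terminates, because a rule that also fires in the https vhost loops forever, as Nick Kew warns in the later message in this thread. The script below is an added example, not code from the thread or from httpd; it emulates the three-line rule above (scheme flipped to https, host and path preserved, with the request host standing in for %{SERVER_NAME}) behind an in-memory fake server, and follows the chain with loop detection. The `Fetcher` callable and `make_fake_server` are assumptions of the example so that it runs offline; for a real check, replace the fake fetcher with one that issues HEAD requests and returns the status and Location header.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Assumed fetcher signature: given a URL, return (HTTP status, Location header or None).
Fetcher = Callable[[str], Tuple[int, Optional[str]]]

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def rewrite_to_https(url: str) -> Optional[str]:
    """Emulate the rule from the thread:
       RewriteCond %{HTTPS} off
       RewriteRule (.*) https://%{SERVER_NAME}$1 [L,R=302]
    Returns the redirect target for an http URL, None when HTTPS is already on."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None
    return urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, parts.fragment))


def make_fake_server(redirect_https_too: bool) -> Fetcher:
    """Constructed stand-in for the server. With redirect_https_too=False the rule
    lives only in the http vhost (correct). With True it also fires in the https
    vhost, which is the misconfiguration that produces an endless redirect."""
    def fetch(url: str) -> Tuple[int, Optional[str]]:
        parts = urlsplit(url)
        if parts.scheme == "http":
            return 302, rewrite_to_https(url)
        if redirect_https_too:
            return 302, url
        return 200, None
    return fetch


def follow_redirects(url: str, fetch: Fetcher, max_hops: int = 10) -> Dict[str, object]:
    """Follow Location headers until a non-redirect response, a repeated URL
    (loop) or max_hops. Browsers give up after a similar hop limit."""
    chain: List[str] = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return {"final_url": url, "status": status, "chain": chain,
                    "loop": False, "too_many_hops": False}
        chain.append(location)
        if location in seen:
            return {"final_url": location, "status": status, "chain": chain,
                    "loop": True, "too_many_hops": False}
        seen.add(location)
        url = location
    return {"final_url": url, "status": None, "chain": chain,
            "loop": False, "too_many_hops": True}


if __name__ == "__main__":
    start = "http://newtraffic.cyberia.net.sa/"
    for misconfigured in (False, True):
        result = follow_redirects(start, make_fake_server(misconfigured))
        print("misconfigured" if misconfigured else "correct", "->", result["chain"],
              "loop" if result["loop"] else f"status {result['status']}")
```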



Re: [users@httpd] Apache 2.4 access control (.htaccess)

2020-07-29 Thread Jim Albert

On 7/29/2020 6:34 PM, Jim Albert wrote:
In Apache 2.2 I could set up an .htaccess file and establish simple 
and easily maintainable access control such as:



require user jim joe


require user jim joe



order deny,allow
deny from all

allow from 10.10.0.1
allow from 10.10.0.2
require valid-user



order deny,allow
deny from all


... and that would work very nicely so that for resources other than 
abc.html and def.html as defined in the FILES section the request 
would have to come from client 10.10.0.1 or 10.10.0.2 and be any 
authenticated user. The  is the only restriction.


If the request were specifically for abc.html or def.html the GET 
request would still be required to originate from 10.10.0.1 or 
10.10.0.2, but now the user must be specifically jim or joe as defined 
in the  restriction. So both the  restrictions 
were respected along with the FILES restriction requiring specific 
user authentication.



In apache 2.4, access control configurations change so that I migrate 
the above to:



require user jim joe


require user jim joe





Require ip 10.10.0.1
Require valid-user


Require ip 10.10.0.2
Require valid-user





Require all denied


In Apache 2.4 combining access for multiple IPs in combination with 
users make the configurations somewhat more complex, but I can live 
with that.


However, I can't easily get the same access experience as in 2.2 
without a lot of redundant configuration.


In my 2.4 configuration, the FILES directives are looked at without 
respect to the Limit on the GET/POST.

I can comment out:

Require ip 10.10.0.1
Require valid-user


and I'm still allowed to make a request to either abc.html or def.html 
as defined in the FILES section as long as I am authenticated as user 
jim or joe even with the request originating from 10.10.0.1.


It seems like I'd have to do something like the following which seems 
absurd and incredibly redundant and difficult to maintain with changes.




Require ip 10.10.0.1
require user jim joe


Require ip 10.10.0.2
require user jim joe





Require ip 10.10.0.1
require user jim joe


Require ip 10.10.0.2
require user jim joe






Require ip 10.10.0.1
Require valid-user


Require ip 10.10.0.2
Require valid-user





Require all denied


I tested and the above does seem to work in getting me the access 
control that I want, but the configurations are incredibly redundant 
and difficult to manage. Expand that out to a dozen more IPs and 
dozens of resources and that configuration gets very long.


Note, in my production environment there are many users other than jim 
and joe and users are restricted to certain resources. Not all users 
are allowed access to the same set of resources.


Can anyone simplify those Apache 2.4 restrictions or instruct me on 
what I might be overlooking or misunderstanding, please?




I did some more testing and I can list multiple IP addresses on the 
"Require ip" line, so I believe I can simplify my .htaccess controls to 
the following:




Require ip 10.10.0.1 10.10.0.2
require user jim joe





Require ip 10.10.0.1 10.10.0.2
# Note I added jack to the user list to indicate my user list access 
controls change per resource.

require user jim joe jack






Require ip 10.10.0.1 10.10.0.2
Require valid-user





Require all denied


However, note how the list of IP addresses is required to be 
continuously repeated in Apache 2.4 access control.
That looks to be my biggest issue. For each  section along with 
the default  I have to repeat the same Require ip line. 
If I have say 100 separate  sections I have to repeat that same 
Require ip line for each . Adding or removing IP addresses 
becomes a maintenance issue.


Thanks,
Jim





[users@httpd] Apache 2.4 access control (.htaccess)

2020-07-29 Thread Jim Albert
In Apache 2.2 I could set up an .htaccess file and establish simple and 
easily maintainable access control such as:



require user jim joe


require user jim joe



order deny,allow
deny from all

allow from 10.10.0.1
allow from 10.10.0.2
require valid-user



order deny,allow
deny from all


... and that would work very nicely so that for resources other than 
abc.html and def.html as defined in the FILES section the request would 
have to come from client 10.10.0.1 or 10.10.0.2 and be any authenticated 
user. The  is the only restriction.


If the request were specifically for abc.html or def.html the GET 
request would still be required to originate from 10.10.0.1 or 
10.10.0.2, but now the user must be specifically jim or joe as defined 
in the  restriction. So both the  restrictions 
were respected along with the FILES restriction requiring specific user 
authentication.



In apache 2.4, access control configurations change so that I migrate 
the above to:



require user jim joe


require user jim joe





Require ip 10.10.0.1
Require valid-user


Require ip 10.10.0.2
Require valid-user





Require all denied


In Apache 2.4 combining access for multiple IPs in combination with 
users make the configurations somewhat more complex, but I can live with 
that.


However, I can't easily get the same access experience as in 2.2 without 
a lot of redundant configuration.


In my 2.4 configuration, the FILES directives are looked at without 
respect to the Limit on the GET/POST.

I can comment out:

Require ip 10.10.0.1
Require valid-user


and I'm still allowed to make a request to either abc.html or def.html 
as defined in the FILES section as long as I am authenticated as user 
jim or joe even with the request originating from 10.10.0.1.


It seems like I'd have to do something like the following which seems 
absurd and incredibly redundant and difficult to maintain with changes.




Require ip 10.10.0.1
require user jim joe


Require ip 10.10.0.2
require user jim joe





Require ip 10.10.0.1
require user jim joe


Require ip 10.10.0.2
require user jim joe






Require ip 10.10.0.1
Require valid-user


Require ip 10.10.0.2
Require valid-user





Require all denied


I tested and the above does seem to work in getting me the access 
control that I want, but the configurations are incredibly redundant and 
difficult to manage. Expand that out to a dozen more IPs and dozens of 
resources and that configuration gets very long.


Note, in my production environment there are many users other than jim 
and joe and users are restricted to certain resources. Not all users are 
allowed access to the same set of resources.


Can anyone simplify those Apache 2.4 restrictions or instruct me on what 
I might be overlooking or misunderstanding, please?



Thanks,
Jim





Re: [users@httpd] Failure to start apache2 after SSL cert update.

2020-07-11 Thread Jim Albert

On 7/11/2020 6:10 AM, Holger Schramm wrote:

On 11.07.20 at 00:32, Jack M. Nilles wrote:
The apache error logs all quit at the point just before I restarted 
it. User and group permissions for the SSL files are all root, as 
before.


Jack


have you checked the files? sometime there are missing newlines in 
cert chains or other malformed things.


you can try to set a higher log level on apache to get more details. 
it should log sth in the error log.


There are various utilities to read private/public key files. For 
example, openssl on UNIX. I believe certutil for Windows.

If those utilities can read your key files then they should be valid format.

Jim



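Holger's hint about missing newlines in certificate chains and Jim's advice to read the files with a key utility can be combined into one check that runs before httpd is restarted. The script below is an added example, not code from the thread or from httpd: `pem_problems` does the static checks (balanced BEGIN/END markers, a newline after every END marker, base64-only body lines), and `check_cert_and_key` hands the pair to OpenSSL through Python's standard `ssl` module, which rejects a malformed PEM or a key that does not belong to the certificate just as mod_ssl would at startup. Using the `ssl` module in place of the `openssl` command line Jim mentions is this example's choice; the sample PEM bodies are constructed strings, not real certificates.

```python
import os
import re
import ssl
import tempfile
from typing import Dict, List

# Constructed samples. The body line is base64-shaped filler, not a real certificate.
_FILLER = "MIIBszCCAVmgAwIBAgIUQ0NPTlNUUlVDVEVEIFNBTVBMRTAKBggqhkjOPQQDAjAS"

SAMPLE_WELL_FORMED_CHAIN = (
    "-----BEGIN CERTIFICATE-----\n" + _FILLER + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n" + _FILLER + "\n-----END CERTIFICATE-----\n"
)

# Two certificates concatenated without the newline after the first END marker,
# the "missing newline in the cert chain" case from the thread.
SAMPLE_BROKEN_CHAIN = (
    "-----BEGIN CERTIFICATE-----\n" + _FILLER + "\n-----END CERTIFICATE-----"
    "-----BEGIN CERTIFICATE-----\n" + _FILLER + "\n-----END CERTIFICATE-----\n"
)

PEM_MARKER = re.compile(r"-----(BEGIN|END) ([A-Z ]+)-----")
BASE64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


def pem_problems(text: str) -> List[str]:
    """Static checks that catch the common copy/paste damage in PEM files."""
    problems: List[str] = []
    markers = list(PEM_MARKER.finditer(text))
    if not markers:
        return ["no PEM BEGIN/END markers found"]
    open_labels: List[str] = []
    for m in markers:
        kind, label = m.group(1), m.group(2)
        if kind == "BEGIN":
            if open_labels:
                problems.append(f"BEGIN {label} before END {open_labels[-1]}")
            open_labels.append(label)
            continue
        if not open_labels or open_labels[-1] != label:
            problems.append(f"END {label} without matching BEGIN")
        else:
            open_labels.pop()
        # An END marker must be followed by a newline or the end of the file.
        following = text[m.end():m.end() + 1]
        if following not in ("", "\n", "\r"):
            problems.append(f"missing newline after END {label}")
    if open_labels:
        problems.append(f"unterminated BEGIN {open_labels[-1]}")
    for line in text.splitlines():
        if "-----" in line or not line.strip():
            continue
        if not BASE64_LINE.fullmatch(line.strip()):
            problems.append(f"non-base64 content: {line.strip()[:20]!r}")
    return problems


def check_cert_and_key(cert_pem: str, key_pem: str) -> Dict[str, object]:
    """Load the pair the way a TLS server would. A malformed PEM or a key that
    does not match the certificate surfaces as an error instead of a failed restart."""
    with tempfile.TemporaryDirectory() as workdir:
        cert_path = os.path.join(workdir, "cert.pem")
        key_path = os.path.join(workdir, "key.pem")
        with open(cert_path, "w") as fh:
            fh.write(cert_pem)
        with open(key_path, "w") as fh:
            fh.write(key_pem)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.load_cert_chain(cert_path, key_path)
        except (ssl.SSLError, ValueError, OSError) as exc:
            return {"ok": False, "error": str(exc)}
    return {"ok": True, "error": ""}


if __name__ == "__main__":
    print("broken chain:", pem_problems(SAMPLE_BROKEN_CHAIN))
    print("well-formed chain:", pem_problems(SAMPLE_WELL_FORMED_CHAIN))
    print("load as server:", check_cert_and_key(SAMPLE_WELL_FORMED_CHAIN, "not a key"))
```

On a real server, read the files named by SSLCertificateFile and SSLCertificateKeyFile into `cert_pem` and `key_pem`; a clean `pem_problems` result together with `ok: True` from `check_cert_and_key` means the files themselves are not the reason httpd fails to start, and the next place to look is the error log at a raised LogLevel, as Holger suggests.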



Re: [users@httpd] Received 404 not found error on existing CGI script

2020-06-25 Thread Jim Albert
Check your Apache error log. It's unlikely anything in your mysql log 
will be useful here. Apache will print any STDERR messages to the Apache 
error log. You shouldn't need your Apache logging at anything other than 
the default logging level to be useful to debug your Perl CGI issue.


Jim

On 6/25/2020 2:58 PM, barry kimelman wrote:

Hello,

Thanks for your reply. I solved the not being able to run a Perl CGI 
script issue. I now have several of my old Perl CGI scripts up and 
running.


Now one of my other CGI scripts is failing badly. The mysql error log 
does not show anything useful. All I see on my screen is a '500 
internal server error'. I checked the syntax of my perl script and it 
is ok.


Your message stated that setting "my log file level to debug" was a 
good debugging idea. I have been trying to figure out how to 
accomplish this task with no success. Which config file do I need to 
change and what specific change do I need to make to the config file ?


Thanks,

On Wed, Jun 24, 2020 at 11:15 AM angel Hall-Coulston 
 wrote:


Try setting your log file level to debug, you will get far more
information. Also at the end of the 'log format' code in your
configuration file (easy double check by command 'httpd -V' which
will double check your conf file) add '%L' which when added to
both access_log file formats AND error_log formats will give
matches between the two easily found with the 'grep' command 'grep
"[long-scrambled-unique-characters-for-that-particular-error]
'*_log' . Make sure you first are in the log directory.

Another helpful tip… your apache comes with it’s VERY OWN manual
pages which when enabled in your 'includes' section of your config
file, will allow you to access MUCH quicker than going online,
where you will find everything you need to know.

Angel Hall-Coulston
Scotland.


On 24 Jun 2020, at 00:35, barry kimelman  wrote:

my system is an ubuntu 20.04 lts laptop.

I successfully installed apache2. I verified the installation by
visiting http://localhost:80 

Now I am having problems trying to run a Perl CGI script which I
had running under Windows 10 on  Apache 2.4

I modified the sites-enabled/000-default.conf file by removing
the '#' from the start of the "Include
conf-available/serve-cgi-bin.conf" line. I then created the
/usr/lib/cgi-bin directory. I next put a small Perl CGI script
named "printenv.cgi" under /usr/lib/cgi-bin. I then restarted the
apache2 server. When I attempted to run my newly created CGI
script by visiting localhost:80/cgi-bin/printenv.cgi
 all that happened was I
received a "404 Not Found" error. I looked at the apache logfile
and it provided no further info.

I even tried using the "wget" command. same 404 error.

What have I done wrong?

-- 


Barrry Kimelman
Winnipeg, Manitoba, Canada




--

Barrry Kimelman
Winnipeg, Manitoba, Canada





Re: [users@httpd] Apache configuration

2020-05-14 Thread Jim Albert

On 5/14/2020 3:04 PM, Jim Albert wrote:

On 5/14/2020 2:55 PM, Suresh Kumar wrote:

Hi, I am not an expert in Apache.

I have a synology DS918+ NAS (some kind of flavor of linux kernel 
4.4) and using their package center installed apache 2.2, perl etc.


The webroot is working for php (I believe they use nginx) along with 
Mariadb at

http://localIP/phpMyAdmin/

I have some perl cgi scripts and trying to execute it under
http:// localIP/myfolder/index.pl

Please note that static html is working. Thus this
  http:// localIP/myfolder/index.html
works however this
  http:// localIP/myfolder/index.pl
does not work and get a 500 error.

I need to enable cgi and need some guidance how to go about the change.

Thank you





You are probably missing configurations explained here:
https://httpd.apache.org/docs/2.2/mod/mod_alias.html#scriptalias


Jim 


Also... please take note the warning on the above apache documentation 
page about placing your scripts under DocumentRoot which appears to be 
what you are doing given your script and static page are within the same 
directory.


Jim


Re: [users@httpd] Apache configuration

2020-05-14 Thread Jim Albert

On 5/14/2020 2:55 PM, Suresh Kumar wrote:

Hi, I am not an expert in Apache.

I have a synology DS918+ NAS (some kind of flavor of linux kernel 4.4) 
and using their package center installed apache 2.2, perl etc.


The webroot is working for php (I believe they use nginx) along with 
Mariadb at

http://localIP/phpMyAdmin/

I have some perl cgi scripts and trying to execute it under
http:// localIP/myfolder/index.pl 

Please note that static html is working. Thus this
  http:// localIP/myfolder/index.html
works however this
  http:// localIP/myfolder/index.pl 
does not work and get a 500 error.

I need to enable cgi and need some guidance how to go about the change.

Thank you





You are probably missing configurations explained here:
https://httpd.apache.org/docs/2.2/mod/mod_alias.html#scriptalias


Jim


Re: [users@httpd] "Work from home" access

2020-03-19 Thread Jim Albert

On 3/19/2020 4:50 PM, Stormy wrote:

Jim -- tnx -- see below

On 2020-03-19 4:05 p.m., Jim Albert wrote:

On 3/19/2020 3:48 PM, Stormy wrote:

I have, on Apache 2.4.7:
https://mysite.com/ which runs a Perl/Mysql based application perfectly
and a parallel "staff only" accessed (now) only on our LAN to edit 
the above public application.


I need to add "outside" access for staff working from home, so that 
I would end up with e.g.


https://mysite.com/  [working exactly as before]
and
https://mysite.com/foo  [for the "staff_only", fully working on LAN]

I have tried variations of:   Redirect permanent "/foo/" 
"http://mysite.com/staff_only/" -- but end up with 404 every time.


Is there an elegant solution for this?

Many thanks -- Paul


You need to explain in more detail what you are trying to do.
Is mysite.com referencing the same server whether accessed publicly 
or privately?
Yes -- its a standalone LAMP server with a very large Mysql db with 
public access for output, and a staff interface to edit the data. It 
is behind an Nginx front end server to four others and which takes 
care of Letsencrypt, firewall etc.


Are you trying to use split-DNS to reference public vs private 
servers so you can use the same domain name to access a private 
server across a VPN? 


Split-DNS, if I understand the term is already in place on the LAN, 
the app is on 192.168.1.50 and the editing is on 192.168.1.50, but 
Bell only give us a single static public IP. (I'm not certain that 
this meets the definition of VPN)


If staff-only is confidential and on the same server as public 
mysite.com you still have some significant risks which can be 
mitigated with apache access controls (.htaccess for example)... but 
still not a very good idea.


If none of above is relevant to what you want to do then your 
redirect is to an http resource where you reference https everywhere 
else... is that your problem?


All the public interfaces are https (I tried that in the "Redirect" 
and get 404)


If still none of my discussion is relevant then what is the purpose 
of https://mysite.com/foo redirecting to staff_only... why not just 
use a URL directly to staff_only?


I maybe oversimplified: the site is in fact 
https://database.mysite.com which goes direct to the public app. I was 
looking to add /foo (even /gobble-de-gook-foo) for hopefully temporary 
"staff at home" access.


If working from home is completely new to your company (and I imagine 
there's a lot of that with current health concerns) and security is a 
concern then opening up private resources on a public server is not a 
good idea and you should look into some secure remote access 
solutions to access private servers across a vpn.


The staff resources are of course pw protected. A vpn might make 
sense, but I have no experience (virt-manager, Gnome-boxes whatever 
would put me into a brand new learning curve :={ )


I was just hoping for a simple Apache redirect that can be put in 
place quickly as a temporary work-around and removed just as quickly.


Thanks -- paul


OK... I've presented the caveats of serving private resources on a 
public server... if, in fact, that's what you are trying to do and if so 
please consider how you are protecting those private resources from the 
public.
I take it your employees need to work from home and instead of accessing 
via private 192.168... IP as they would on your LAN, you'll be accessing 
via public IP?


Just going back to what you want to do outside of the topic of security, 
give us the Redirect configuration again (did you really make an http vs 
https mistake in your original post?)


What is the context of the Redirect?... .htaccess, config file, etc...

As Richard asks, please present relevant apache error logs rather than 
what you are simply seeing in your browser.


Jim


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] "Work from home" access

2020-03-19 Thread Jim Albert

On 3/19/2020 3:48 PM, Stormy wrote:

I have, on Apache 2.4.7:
https://mysite.com/ which runs a Perl/Mysql based application perfectly
and a parallel "staff only" accessed (now) only on our LAN to edit the 
above public application.


I need to add "outside" access for staff working from home, so that I 
would end up with e.g.


https://mysite.com/  [working exactly as before]
and
https://mysite.com/foo  [for the "staff_only", fully working on LAN]

I have tried variations of:   Redirect permanent "/foo/" 
"http://mysite.com/staff_only/; -- but end up with 404 every time.


Is there an elegant solution for this?

Many thanks -- Paul


You need to explain in more detail what you are trying to do.
Is mysite.com referencing the same server whether accessed publicly or 
privately?
Are you trying to use split-DNS to reference public vs private servers 
so you can use the same domain name to access a private server across a VPN?


If staff-only is confidential and on the same server as public 
mysite.com you still have some significant risks which can be mitigated 
with apache access controls (.htaccess for example)... but still not a 
very good idea.


If none of above is relevant to what you want to do then your redirect 
is to an http resource where you reference https everywhere else... is 
that your problem?


If still none of my discussion is relevant then what is the purpose of 
https://mysite.com/foo redirecting to staff_only... why not just use a 
URL directly to staff_only?


If working from home is completely new to your company (and I imagine 
there's a lot of that with current health concerns) and security is a 
concern then opening up private resources on a public server is not a 
good idea and you should look into some secure remote access solutions 
to access private servers across a vpn.


Jim Albert






Re: [users@httpd] Apache redirect issue.

2019-12-24 Thread Jim Albert

On 12/23/2019 11:52 PM, Balvinder wrote:


Hello group,

I have a site running on Apache where when the URL is prefixed with 
https, it loads fine but when it is prefixed with http, it generates 
the below error.


Have checked that the mod_ssl and mod_rewrite modules are loaded. 
Anyone have an idea about what could be the issue here or have 
experienced a similar error?




Are you positive your apache server doesn't sit behind a Web Application 
Firewall perhaps not configured for port 80?

Sounds like something other than apache providing that content.

Jim Albert


Re: [users@httpd] Apache 2.4.6 - ErrorLog

2019-09-13 Thread Jim Albert

On 9/13/2019 5:07 PM, William A Rowe Jr wrote:
On Fri, Sep 13, 2019 at 3:46 PM Jim Albert <j...@netrition.com> wrote:


In use of CentOS7 servers and the included apache, I'm moving to
Apache/2.4.6

It appears something related to ErrorLog has changed.
I'm using what I have always used:
ErrorLog "logs/error_log"

and I do see messages going to logs/error_log such as start/stop and
certain types of errors such as access denied, but something
simple like
a file not found error is not getting logged outside of certain
scripts
not being found associated with ScriptAlias definitions.

But just a request to https://'my_web_server'/no_such_file.html
does not
get logged as not found as it used to in earlier apache. Nothing
related
to this file not being found gets printed to logs/error_log.

I've checked docs on ErrorLog along with httpd.conf and .htaccess
files,
but nothing is jumping out at me as relevant to this behavior.

Note LogLevel setting:
LogLevel warn


Right, if the file isn't found the client asked for a 
non-existent resource.

Nothing to be "warned" of.

Try LogLevel info (or event debug) if you want to see higher resolution
details about errors caused by the client, as opposed to errors in your
configuration that the operator needs to act on.



Thanks!

I had tried that, but had overlooked that I have a LogLevel setting in 
ssl.conf as well which was overriding the http.conf LogLevel setting.


Apparently, Apache folks change what they consider a warning over time.

What I want to be informed about as in a missing image file used to be 
considered a warning, but now it is not.


In order to be notified of missing files (File not found) messages, I 
have to set LogLevel to at minimum info. Unfortunately, that's way too 
verbose, making the logs mostly useless in terms of a human reviewing 
them casually. Would need some parsing. I prefer a less verbose log with 
helpful statements  I can periodically review myself.


Aside... I don't agree with Apache's decision on what is considered a 
warning.


But again... thanks for pushing me to look further at LogLevel.

Jim


[users@httpd] Apache 2.4.6 - ErrorLog

2019-09-13 Thread Jim Albert
In use of CentOS7 servers and the included apache, I'm moving to 
Apache/2.4.6


It appears something related to ErrorLog has changed.
I'm using what I have always used:
ErrorLog "logs/error_log"

and I do see messages going to logs/error_log such as start/stop and 
certain types of errors such as access denied, but something simple like 
a file not found error is not getting logged outside of certain scripts 
not being found associated with ScriptAlias definitions.


But just a request to https://'my_web_server'/no_such_file.html does not 
get logged as not found as it used to in earlier apache. Nothing related 
to this file not being found gets printed to logs/error_log.


I've checked docs on ErrorLog along with httpd.conf and .htaccess files, 
but nothing is jumping out at me as relevant to this behavior.


Note LogLevel setting:
LogLevel warn

Thanks,
Jim





Re: [users@httpd] Apache web server devouring resources

2019-03-28 Thread Jim Albert

On 3/28/2019 12:11 PM, Darryl Philip Baker wrote:


Gentlefolk,

I had an incident yesterday where the Apache web server host had a 
load average of over 170 and was performing very slowly. Stopping the 
web server did fix the issue but when I restarted the daemons the load 
started to increase very quickly. I ended up having to reboot the 
system to fix the issue. I don’t like that one bit, this is a Linux 
system not a Windows server. (Editorial remark: I have found that 
systems need reboots to fix stuff much more frequently since the 
adoption of systemd) I have been asked to do a root cause analysis, 
but I have not found anything as of yet. I am reaching out for help in 
this matter.


The system is a RHEL7 ESX VM with the Red Hat’s main line distribution 
of Apache 2.4 as opposed to the RHSCL version. The configuration is 
quite complex and a bit sensitive so I cannot share all of that. What 
I’m looking for is techniques to look at what happened rather than being 
given the answer anyway.


Darryl Baker (he/him/his)

Sr. System Administrator

Distributed Application Platform Services

Northwestern University

1800 Sherman Ave.

Suite 6-600 – Box #39

Evanston, IL  60201-3715

darryl.ba...@northwestern.edu

(847) 467-6674



First thing would be to check request logs during time of high load. I 
assume this is a public web server. Perhaps you were being probed heavily.


Jim



Re: [users@httpd] Apache SSL certificates

2018-09-13 Thread Jim Albert

On 9/13/2018 8:27 AM, Vandana Sakamuri wrote:

Hi,

I compile Apache on one server and install the same on multiple 
servers in different domains. I am currently working on moving from 
HTTP to HTTPS. Can someone help me on what sort of SSL certificate I 
need to include so that it works on all the domains. Is a wildcard 
certificate needed in this situation or a single public SSL 
certificate be enough.


Thanks!


You can use an SSL wildcard certificate for all hosts within a single 
domain or an SSL certificate with Alternate Name extensions for a single 
certificate to cover multiple domains. Public CAs will charge more for 
either of these types of certificates vs a certificate to cover a single 
non-wildcard CN, but it is less expensive than a separate certificate 
for each domain. Wildcard certificates will have a set price while 
Alternate Name extension certificates are usually priced by the number 
of extensions.


Jim
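As an added illustration of the wildcard versus Subject Alternative Name distinction in the reply above (this is editor-supplied example code, not anything from the thread or from httpd itself): a TLS client decides whether a certificate covers the host it connected to by comparing the host against the certificate's dNSName entries, and a wildcard entry stands in for exactly one label. So `*.example.com` covers `www.example.com` but not `example.com`, not `a.b.example.com`, and nothing under another domain; covering several unrelated domains needs a SAN certificate listing each. The matching rules below follow RFC 6125 section 6.4.3 as browsers apply them, and the certificate name sets and host lists are constructed for illustration.

```python
from __future__ import annotations


def _match_one(pattern: str, hostname: str) -> bool:
    """True if one certificate name (a dNSName, possibly a wildcard) covers hostname.

    Rules follow RFC 6125 section 6.4.3 as browsers apply them: comparison is
    case-insensitive, a wildcard is honoured only as the entire left-most label,
    and it stands in for exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.example.com" style wildcards; "f*.example.com" or "*.*.com" are refused.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse a wildcard that would cover an entire top-level domain ("*.com").
    if len(p_labels) < 3:
        return False
    # The wildcard matches one label and one label only: "*.example.com" covers
    # "www.example.com" but neither "example.com" nor "a.b.example.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_covered(cert_names: list[str], hostname: str) -> bool:
    """True if any SAN dNSName entry in cert_names covers hostname."""
    return any(_match_one(name, hostname) for name in cert_names)


def uncovered_hosts(cert_names: list[str], hosts: list[str]) -> list[str]:
    """The hosts you intend to serve that this certificate would not cover."""
    return [h for h in hosts if not hostname_covered(cert_names, h)]


# Constructed certificate name sets for illustration (not real certificates).
WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["example.com", "www.example.com", "example.net", "*.example.org"]
DEPLOY_HOSTS = ["www.example.com", "example.com", "api.example.net",
                "shop.example.org", "example.org", "a.b.example.com"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(label, "leaves uncovered:", uncovered_hosts(names, DEPLOY_HOSTS))
```

Running `uncovered_hosts` against the list of hosts you actually deploy to is the check to make before buying: a wildcard for one domain still leaves the bare domain and every other domain uncovered, and a SAN certificate covers only the names you listed when it was issued.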




[users@httpd] Rewriting SSI URLs

2018-03-15 Thread Jim Albert
Is anyone aware of a method of rewriting a URL within a Server Side 
Include (SSI)?


So for example,

I would like the web server to actually run the following
/abc/def/test.cgi

Changing  is not a reasonable 
solution for me.


I understand that with SSIs the requests are all pre-output to the 
client so the client does not make these requests, but I thought 
relevant mod_rewrite directives particularly within the httpd.conf file 
would be respected for an SSI but that does not seem to be the case. 
Googling for advice on this presents almost zero relevant results except 
one indicating that rewriting an SSI is not possible, so perhaps that is 
the definitive answer.


Thank you.
Jim Albert





Re: [users@httpd] ESTABLISHED connections

2015-03-13 Thread Jim Albert

On 3/13/2015 7:54 PM, el kalin wrote:



On Fri, Mar 13, 2015 at 7:36 PM, Jim Albert <j...@netrition.com> wrote:

On 3/13/2015 7:17 PM, el kalin wrote:


if i have this in the

<Directory /server/doc/root>
  Order allow,deny
  Allow from all
  deny from 111.10.250.188
</Directory>
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.inovapo
ESTABLISHED


this is growing with every netstat i do.  any ideas???

thanks…


I believe your Order allow, deny is correct.


i believe so too...

You are controlling what can be served by Apache, but not the actual
network connection to your Apache server, hence the continued
entries in your connection table. I would assume your Apache error
log is spewing lots of access denied or such errors indicating your
deny is working.


If you really want to keep a given an IP address completely out of
Apache, block it in iptables or better yet the firewall behind which
your Apache server sits, but iptables will do it.


i'm aware. the problem is that this is an netbsd ec2 (amazon instance)
and the only firewall right now is the security groups that service
offers. those are not meant to block individual ips. they are rather all
exclusive. so my only other option was pf. which i'm used to but it
appears that the whole dynamic kernel module loading is screwed up
because of the kernel build to fit xen…   and so on…


iptables?

--
Jim Albert





Re: [users@httpd] ESTABLISHED connections

2015-03-13 Thread Jim Albert

On 3/13/2015 7:17 PM, el kalin wrote:


if i have this in the

<Directory /server/doc/root>
 Order allow,deny
 Allow from all
 deny from 111.10.250.188
</Directory>

how come this:

tcp0  0  ip-10-102-190-93.http  111.10.250.188.21806
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.21805
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23202
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23188
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22544
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22490
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23364
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23365
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22825
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22751
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22561
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22340
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22339
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23151
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23159
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22698
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22512
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22457
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22416
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22403
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23377
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23376
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23105
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23108
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22803
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22135
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.dcap
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.21924
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.21923
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23329
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23319
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22546
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22545
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.22139
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.21694
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.21658
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23075
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23074
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23026
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.23025
ESTABLISHED
tcp0  0  ip-10-102-190-93.http  111.10.250.188.inovapo
ESTABLISHED


this is growing with every netstat i do.  any ideas???

thanks…


I believe your Order allow, deny is correct.
You are controlling what can be served by Apache, but not the actual 
network connection to your Apache server, hence the continued entries in 
your connection table. I would assume your Apache error log is spewing 
lots of access denied or such errors indicating your deny is working.


If you really want to keep a given an IP address completely out of 
Apache, block it in iptables or better yet the firewall behind which 
your Apache server sits, but iptables will do it.


--
Jim Albert
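Jim's point in both replies is that an Apache Deny decides what gets served, not whether the TCP connection is accepted, so the connection table keeps filling and the block belongs in the packet filter or the firewall in front of the server. The first thing to establish is which peer is actually holding the connections open. The following is an added example (editor-supplied, not from the thread or from any netstat tooling) that counts ESTABLISHED connections per remote host from netstat output; the sample lines are constructed in the BSD layout shown in the thread, with illustrative addresses, and the function also handles the host:port form that Linux netstat prints.

```python
from __future__ import annotations
from collections import Counter

# Constructed sample in the BSD "netstat -an" layout shown in the thread
# (Foreign Address is host.port, where port may be a service name).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  ip-10-102-190-93.http  111.10.250.188.21806   ESTABLISHED
tcp        0      0  ip-10-102-190-93.http  111.10.250.188.21805   ESTABLISHED
tcp        0      0  ip-10-102-190-93.http  111.10.250.188.inovapo ESTABLISHED
tcp        0      0  ip-10-102-190-93.http  198.51.100.7.51234     ESTABLISHED
tcp        0      0  ip-10-102-190-93.http  198.51.100.7.51235     TIME_WAIT
tcp        0      0  ip-10-102-190-93.ssh   203.0.113.9.40022      ESTABLISHED
tcp        0      0  *.http                 *.*                    LISTEN
"""


def split_host_port(endpoint: str) -> tuple[str, str]:
    """Split an endpoint into (host, port).

    BSD netstat prints host.port, Linux netstat -n prints host:port; in both
    cases the port is whatever follows the last separator.
    """
    sep = ":" if ":" in endpoint else "."
    host, _, port = endpoint.rpartition(sep)
    return host, port


def established_per_peer(netstat_text: str, local_port: str = "http") -> Counter:
    """Count ESTABLISHED connections to local_port, keyed by the remote host."""
    counts: Counter = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a TCP socket line.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED" or split_host_port(local)[1] != local_port:
            continue
        counts[split_host_port(foreign)[0]] += 1
    return counts


def peers_over_threshold(netstat_text: str, threshold: int,
                         local_port: str = "http") -> list[tuple[str, int]]:
    """Remote hosts holding more than threshold connections open, busiest first."""
    counts = established_per_peer(netstat_text, local_port)
    return sorted(((host, n) for host, n in counts.items() if n > threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for host, n in peers_over_threshold(SAMPLE_NETSTAT, threshold=2):
        print(f"{host}: {n} established connections to http")
```

Feed it the real output (`netstat -an` piped in, or read from a file) and the peers it lists are the ones to take to the packet filter; the Apache-level Deny can stay in place as a second layer, since it still refuses to serve anything to them.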





Re: [users@httpd] internal dummy connection

2013-10-30 Thread Jim Albert

On 10/30/2013 4:35 PM, el kalin wrote:

i did. it said it's normal but my server gets bogged down on it...  i
think.
all the examples on line have an ip number (at least 127.0.0.1) in front
too. mine doesn't..


On Wed, Oct 30, 2013 at 4:00 PM, Eric Covener <cove...@gmail.com> wrote:

Search the web for Apache (internal dummy connection)?





I believe these are making a request to / on your apache server.
Assuming whatever is at / (your home page?) is resource intensive and 
causing your problems, you could try using mod_rewrite to redirect those 
requests to something small and static.

Maybe something like:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
RewriteRule ^/$ /small_static.html [L]

There's probably some better redirects to handle this (assuming your / 
resource is the problem), but the above might help.


Jim
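Two of the replies on this page come down to reading the access log rather than the error log: in the Apache 2.4.6 ErrorLog thread above, missing files only reach error_log at LogLevel info, which is too verbose to read by hand, and here the question is how often the internal dummy connections hit a resource-intensive "/". The access log (CustomLog) records the status code and User-Agent of every request whatever LogLevel says, so both answers can be pulled from it with a little parsing. The following is an added example serving both threads (editor-supplied, not from the list or from httpd); the log lines are constructed in the Combined Log Format with illustrative hosts and paths, and which path a dummy connection requests is simply whatever appears in your own log.

```python
from __future__ import annotations
import re
from collections import Counter

# Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample access_log lines (Combined Log Format); hosts and paths are illustrative.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [13/Sep/2019:17:01:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Sep/2019:17:01:03 -0400] "GET /images/logo.png HTTP/1.1" 404 196 "http://www.example.com/index.html" "Mozilla/5.0"
198.51.100.9 - - [13/Sep/2019:17:02:10 -0400] "GET /no_such_file.html HTTP/1.1" 404 196 "-" "curl/7.29.0"
198.51.100.9 - - [13/Sep/2019:17:02:11 -0400] "GET /images/logo.png HTTP/1.1" 404 196 "-" "curl/7.29.0"
::1 - - [13/Sep/2019:17:02:12 -0400] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [13/Sep/2019:17:02:13 -0400] "GET / HTTP/1.0" 200 48213 "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
this line is not in the combined format and is skipped
"""


def parse_combined(text: str) -> list[dict]:
    """Parse Combined Log Format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(COMBINED_RE.match, text.splitlines()) if m]


def missing_files(entries: list[dict], by: str = "path") -> Counter:
    """Count 404 responses by 'path' (what is missing) or by 'host' (who asked for it).

    The access log records the status of every request regardless of LogLevel,
    so this gives the 'File not found' report without raising LogLevel to info;
    grouping by host also shows whether the misses are a broken link or a scan.
    """
    return Counter(e[by] for e in entries if e["status"] == "404")


def dummy_connection_paths(entries: list[dict]) -> Counter:
    """What the server's own internal dummy connections asked for, and how often."""
    return Counter(e["path"] for e in entries
                   if "internal dummy connection" in e["agent"].lower())


if __name__ == "__main__":
    entries = parse_combined(SAMPLE_ACCESS_LOG)
    print("missing files:", missing_files(entries).most_common())
    print("404s per client:", missing_files(entries, by="host").most_common())
    print("dummy connection requests:", dummy_connection_paths(entries).most_common())
```

Point `parse_combined` at the real access_log and the first report is the periodic "what is missing" review that LogLevel warn no longer provides, while the third tells you whether the dummy connections are really landing on "/" often enough to justify the rewrite.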





Re: [users@httpd] phpmyadmin auth

2013-07-09 Thread Jim Albert

On 7/9/2013 5:21 PM, Jerry K wrote:

configure a local VPN, and only allow access from the VPN IP range is
one possible Plan B.

Reviewing my own log files, it's amazing how many malware hits there are
for this particular software product.

Whatever you do, be as safe/secure as you can.

Good Luck

Jerry
Agreed; the default phpmyadmin aliases are a very common attack point. 
VPN/private address space would absolutely be the best solution, but if 
that's not possible then on top of htpasswd authentication with strong 
passwords, some security through obscurity in changing the alias is 
probably not a bad idea to keep out the bot attacks.


Jim






Re: [users@httpd] phpmyadmin auth

2013-07-09 Thread Jim Albert

On 7/9/2013 5:46 PM, Jim Albert wrote:

On 7/9/2013 5:21 PM, Jerry K wrote:

configure a local VPN, and only allow access from the VPN IP range is
one possible Plan B.

Reviewing my own log files, it's amazing how many malware hits there are
for this particular software product.

Whatever you do, be as safe/secure as you can.

Good Luck

Jerry

Agreed; the default phpmyadmin aliases are a very common attack point.
VPN/private address space would absolutely be the best solution, but if
that's not possible then on top of htpasswd authentication with strong
passwords, some security through obscurity in changing the alias is
probably not a bad idea to keep out the bot attacks.

Jim
... and verify that SSLRequireSSL is enforced and it should be if you 
are using the phpmyadmin.conf config file.


Jim





Re: [users@httpd] Re: Form problem with non-ascii characters (æ or ß)

2013-06-27 Thread Jim Albert

On 6/27/2013 11:34 AM, Pi Dizayn wrote:

On Thu, Jun 27, 2013 at 4:57 AM, Jim Albert <j...@netrition.com> wrote:

On 6/26/2013 1:02 PM, Pi Dizayn wrote:


 Here is a simple form from that server.

Sorry I forgot to send the link of the form.
http://medyab.com/formtest2.php


Have you checked to see that the browser is submitting the request?
Check your apache access logs.

The firefox httpfox addon might help so that you can see the
communication between browser and server:
https://addons.mozilla.org/en-us/firefox/addon/httpfox/

IE has similar feature with F12/Developer tools and the Network tab.

Maybe viewing the returned headers will help.

It sure seems related to the character set. Did you check the
settings on AddDefaultCharset between your old and new apache server
(possibly in httpd.conf since I assume any .htaccess files would be
the same)? If that's set, it should match the characters intend to
display and should be in sync with what you are setting via meta tags.

I'm assuming that:

<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-9'>
is what you set in your code when it was working on your old server.
Maybe the AddDefaultCharset (assuming it is set) on your new server
conflicts with iso-8859-9.
http://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset

Jim


Dear Jim,

First of all thank you for recommending me HttpFox. I was checking
headers from FireBug but HttpFox looks better.
--
There is no log for error or access in httpd logs.

AddDefaultCharset is disabled both of the server.  I tried
AddDefaultCharset iso-8859-9. It doesn't solve.
--
When I checked with HttpFox what I get is;

  * (Request-Line)POST /formtest2.php HTTP/1.1
  * Host medyab.com http://medyab.com
  * User-AgentMozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0)
Gecko/20100101 Firefox/21.0
  * Accept
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  * Accept-Languageen-us,tr;q=0.7,en;q=0.3
  * Accept-Encodinggzip, deflate
  * Referer http://medyab.com/formtest2.php
  * Cookie
__utma=256146967.1605253938.1371937614.1372254337.1372331162.12;

__utmz=256146967.1371937614.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
__atuvc=7%7C26; PHPSESSID=d2rr0kb8q0rn0hlvt801vt6na5; __utmc=256146967
  * Content-Typeapplication/x-www-form-urlencoded
  * Content-Length5

which are the same as the form that works normally on my server.

It also says NS_ERROR_NET_RESET. When I googled NS_ERROR_NET_RESET I saw
that somebody is mentioning about enctype. When I add
enctype=application/x-www-form-urlencoded to the form, it started
working for Turkish characters and also for æ, ß too. But I can't add
enctype to all of my forms. I feel I'm close to the solution. :)


application/x-www-form-urlencoded should be the default enctype if none 
is supplied:

http://www.w3schools.com/tags/att_form_enctype.asp

Do you actually see a difference in the raw post data with and without 
setting the enctype? You can see this in httpfox and the encoding type 
will be indicated.


Are you sure you were not setting an enctype on the form? Check on that 
especially if you are using some API for form building and not printing 
out the form html yourself. Maybe some feature in php and it's set to 
something else.


Since you switched servers maybe something different in the code (eg php) 
being used to build your forms (assuming you are using a form building 
API), perhaps something related to:

http://www.w3schools.com/tags/att_form_accept_charset.asp
Did you compare the html source for the forms generated on old and new 
server?


Taking any form building APIs out of the equation and building the html 
yourself may provide some clues, but I would expect a comparison between 
html source for the forms on old and new server to expose any issue there.


Do you still have the old server up and running?
Check the headers *from* the servers when you make the request to load 
the initial form. Maybe any differences there will offer some clues if 
it's an Apache config issue.


Just the way it's going, I'm kind of leaning toward something in the 
form building and perhaps some default php setting differences between 
old and new server; again, check the html produced between old and new 
server if possible. So, I'm kind of leaning away from an apache issue 
here and toward php... but that's speculation and maybe following some of 
my thoughts above will point out the needed clues.


Jim
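To make the charset part of this diagnosis concrete, here is an added example (editor-supplied, not from the thread) of what a form submission looks like on the wire under two charsets and what a server gets when it decodes the body assuming the other one. Browsers percent-encode form data in the page's charset, so a mismatch between the page's meta tag and what the server assumes (the AddDefaultCharset comparison Jim suggests) shows up either as a decode error or as mojibake, depending on direction; and the body length alone tells you which charset the browser used, which is a useful reading of a captured Content-Length. The field name and value are constructed.

```python
from urllib.parse import urlencode, parse_qs


def encode_form(fields: dict, charset: str) -> bytes:
    """Percent-encode form fields the way a browser does for a page in charset."""
    return urlencode(fields, encoding=charset).encode("ascii")


def decode_form(body: bytes, charset: str) -> dict:
    """Decode an application/x-www-form-urlencoded body as a server would, assuming charset.

    Returns the fields, or {'error': message} if the bytes are not valid in that
    charset, which is the failure the wrong assumption produces.
    """
    try:
        pairs = parse_qs(body.decode("ascii"), encoding=charset, errors="strict")
    except UnicodeDecodeError as exc:
        return {"error": str(exc)}
    return {name: values[0] for name, values in pairs.items()}


# Constructed field: a value containing the two characters from the thread.
FORM = {"name": "Bæß"}

if __name__ == "__main__":
    for page_charset in ("iso-8859-9", "utf-8"):
        body = encode_form(FORM, page_charset)
        print(f"page in {page_charset}: body {body!r} ({len(body)} bytes)")
        for server_charset in ("iso-8859-9", "utf-8"):
            print(f"  server assuming {server_charset}:", decode_form(body, server_charset))
```

In a single-byte charset every non-ASCII character becomes one `%XX` triplet, in UTF-8 two or more, so a captured POST body whose length matches the single-byte count was sent from a page the browser treated as ISO-8859-x; the fix is then to make the page's declared charset and the server's assumed charset agree, not to add an enctype attribute.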

Re: [users@httpd] Re: Form problem with non-ascii characters (æ or ß)

2013-06-26 Thread Jim Albert

On 6/26/2013 9:50 AM, Pi Dizayn wrote:

Update; When I make

<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
it works. But

<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-9'>

doesn't work.


My apologies... German ß and Greek β mess-up on my part. German ß is in 
fact Western.


I think you need to decide on what charset you want your site/page to 
support.


iso-8859-9 looks like Turkish:
http://www.charset.org/charactersets.php?charset=iso-8859-9
I wouldn't expect German character ß to exist in a Turkish charset.

I'd expect any charset mismatches to result in the browser sending 
entity references, which seems to be the case in my experience, rather 
than just failing and dropping the connection; but my experience is only 
with ISO-8859-1 and UTF-8 and the behaviour will likely be browser specific 
in addition to any charset settings specifically on the browser.


I found this to be a good read when I was wading through charset 
conversion issues:

http://htmlpurifier.org/docs/enduser-utf8.html

Any AddDefaultCharset settings between your old Apache server and new 
one could play a role.


UTF-8 can simplify things but then you have to be prepared in terms of 
what you are going to do with that data including storage.






On Tue, Jun 25, 2013 at 8:34 PM, Pi Dizayn <pidiz...@gmail.com> wrote:

Dear Apaches :) ,

I'm moving a website to another server. In the new server when I
submit a form with æ or ß the browser says The connection was
reset. This never happened before. The OS is CentOS. PHP or CGI
forms are the same.

--
Boray Eris
www.pidizayn.com




--
Boray Eris
www.pidizayn.com






Re: [users@httpd] Re: Form problem with non-ascii characters (æ or ß)

2013-06-26 Thread Jim Albert

On 6/26/2013 1:02 PM, Pi Dizayn wrote:


Here is a simple form from that server.

Sorry I forgot to send the link of the form.
http://medyab.com/formtest2.php


Have you checked to see that the browser is submitting the request? 
Check your apache access logs.


The firefox httpfox addon might help so that you can see the 
communication between browser and server:

https://addons.mozilla.org/en-us/firefox/addon/httpfox/

IE has similar feature with F12/Developer tools and the Network tab.

Maybe viewing the returned headers will help.

It sure seems related to the character set. Did you check the settings 
on AddDefaultCharset between your old and new apache server (possibly in 
httpd.conf since I assume any .htaccess files would be the same)? If 
that's set, it should match the characters intend to display and should 
be in sync with what you are setting via meta tags.


I'm assuming that:
<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-9'>
is what you set in your code when it was working on your old server.
Maybe the AddDefaultCharset (assuming it is set) on your new server 
conflicts with iso-8859-9.

http://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset

Jim





Re: [users@httpd] Form problem with non-ascii characters (æ or ß)

2013-06-25 Thread Jim Albert

On 6/25/2013 1:34 PM, Pi Dizayn wrote:

Dear Apaches :) ,

I'm moving a website to another server. In the new server when I submit
a form with æ or ß the browser says The connection was reset. This
never happened before. The OS is CentOS. PHP or CGI forms are the same.

--
Boray Eris
www.pidizayn.com


Did you verify the problem yourself assuming you would not normally use 
non-western characters or is this feedback from visitors?


Since I believe those are non-western characters could the problem be 
related to network problems from distant users (as in another part of 
the world from your server)?


Jim





Re: [users@httpd] Protect server-status with https required?

2013-06-18 Thread Jim Albert

On 6/18/2013 9:51 PM, Kevin A. McGrail wrote:

Hello All,

We are protecting server-status and info with basic auth using a config
block similar to the following:

<Location /server-info>
 SetHandler server-info
 #Order deny,allow
 #Deny from all
 #Allow from .example.com
 AuthType basic
 AuthName "Apache Info"
 AuthUserFile /usr/local/apache2/conf/server-status_htpasswd
 Require valid-user
</Location>

Is there a a way to require https to access this Location?

Using a rewrite so far is a problem because to get to the rewrite, you
have to enter the basic auth and that fails the PCI scan because it's
considered cleartext access.  But perhaps that's just because I've been
trying a .htaccess and we can do it some other way?

Apologies if this is simple.  I've been getting bleary eyed looking at
it and might be missing the forest for the trees.


This should be relevant:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequiressl

Jim





Re: [users@httpd] Deny by IP address unsuccessful

2013-04-27 Thread Jim Albert

On 4/27/2013 10:28 AM, Angela Barone wrote:

On Apr 27, 2013, at 7:18 AM, Martin Hasicek wrote:

Just put allow from all at the bottom of the configuration. You have order deny, 
allow so your config should look the same :-)


Hi Martin,

Thank you for your reply.  I'm pretty sure I had tried that before, but 
I just changed it as you suggested and I'm still able to get in.  It's not 
blocking my IP address.  :\


You want
order allow, deny

Is your .htaccess at the proper directory level with the resource you 
want to block?


If there are .htaccess files at sublevels that could be your problem.

Is .htaccess readable by your apache user?

Is Apache configured for AllowOverride with at minimum Limit at the 
appropriate level?


Jim
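The same fix comes up twice on this page: in the ESTABLISHED connections thread Jim confirms that `Order allow,deny` is the right form, and here Angela's block does not take effect until she uses it. The reason is the evaluation order, which the following added example models in code (editor-supplied, not from the list or from httpd's source): with `Order deny,allow`, Deny lines are checked first but a matching Allow overrides them, so `Allow from all` lets the denied address straight through; with `Order allow,deny`, the Deny lines are applied last and win. The addresses are constructed, and only the `all`, full-address, dotted-prefix and CIDR forms of the argument are handled; hostnames, which need a reverse lookup, are left out.

```python
from __future__ import annotations
import ipaddress


def _host_matches(rule_host: str, client_ip: str) -> bool:
    """Does one argument of 'Allow from' / 'Deny from' cover client_ip?

    Handled forms: 'all', a full address, a CIDR network, and a dotted prefix
    such as '10.1' (hostnames, which require a reverse lookup, are left out).
    """
    if rule_host.lower() == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in rule_host:
        return ip in ipaddress.ip_network(rule_host, strict=False)
    try:
        return ip == ipaddress.ip_address(rule_host)
    except ValueError:
        pass  # not a full address; treat it as a dotted prefix
    return (client_ip + ".").startswith(rule_host.rstrip(".") + ".")


def access_decision(order: str, allow: list[str], deny: list[str], client_ip: str) -> bool:
    """Return True if Apache 2.2 would serve client_ip under these Order/Allow/Deny lines."""
    allowed = any(_host_matches(h, client_ip) for h in allow)
    denied = any(_host_matches(h, client_ip) for h in deny)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        # Deny lines are evaluated first, but a matching Allow overrides them,
        # and a client matching neither is permitted.  "Allow from all" therefore
        # lets every address through, whatever the Deny lines say.
        return allowed or not denied
    if key == "allow,deny":
        # At least one Allow must match, then any matching Deny rejects;
        # a client matching neither is denied.  The Deny has the last word.
        return allowed and not denied
    raise ValueError(f"unsupported Order argument: {order!r}")


# The two configurations from the threads, with a constructed blocked address.
BLOCKED = "111.10.250.188"
WRONG_WAY = dict(order="deny,allow", allow=["all"], deny=[BLOCKED])   # deny never takes effect
RIGHT_WAY = dict(order="allow,deny", allow=["all"], deny=[BLOCKED])   # deny wins

if __name__ == "__main__":
    for label, cfg in (("Order deny,allow", WRONG_WAY), ("Order allow,deny", RIGHT_WAY)):
        served = access_decision(client_ip=BLOCKED, **cfg)
        print(f"{label}: {BLOCKED} is {'served' if served else 'refused'}")
```

Two caveats when carrying this back to a real .htaccess: the directive takes the pair as a single argument with no space (`Order allow,deny`), and in Apache 2.4 these directives survive only through mod_access_compat, the native form being `Require all granted` / `Require not ip 111.10.250.188` inside a `<RequireAll>` block. Jim's remaining checks still apply either way: the .htaccess has to sit at the right directory level, be readable by the httpd user, and be permitted by an `AllowOverride` that includes `Limit`.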





Re: [users@httpd] fedora - apache

2013-04-13 Thread Jim Albert
I expect the interfaces would have been detected and configured during 
the linux install, but check:

/etc/sysconfig/network-scripts
for files looking like ifcfg-eth* (probably ifcfg-eth0 if only one NIC) 
as those would be your network interface configurations.


On 4/13/2013 9:49 AM, georg wrote:

Right, ifconfig only comes up with the local loopback i/f,
so does that mean there is no HW on the machine for eth?  (there is a
distinct plug looking IP-ish :)
/georg

- Original Message -
From: Serge Fonville <serge.fonvi...@gmail.com>
To: users@httpd.apache.org
Sent: Saturday, April 13, 2013 4:10 PM
Subject: Re: [users@httpd] fedora - apache

Hi,

Possibly you have a hint for where I'm stuck just now:  Can't find any
ethernet device on the PC I'm digging into.
Perhaps there is no NIC detected.
if you run ifconfig and lspci, you should be able to determine if
that is the case

HTH

Kind regards/met vriendelijke groet,

Serge Fonville

http://www.sergefonville.nl

Convince Microsoft!
They need to add TRUNCATE PARTITION in SQL Server

https://connect.microsoft.com/SQLServer/feedback/details/417926/truncate-partition-of-partitioned-table



2013/4/13 georg <georg.chamb...@telia.com>

Terrific, tnx.

Possibly you have a hint for where I'm stuck just now:  Can't find
any ethernet device on the PC I'm digging into.
(new to linux/fedora, but surely there should be some eth ??)

tnx again
Georg

- Original Message - From: How7 <how0...@freeshell.org>
To: users@httpd.apache.org
Sent: Saturday, April 13, 2013 3:27 PM
Subject: Re: [users@httpd] fedora - apache



On 4/13/2013 7:45 AM, georg wrote:

I have seen some documentation that indicate that some
version (2.2?) of Apache is
included in the fedora dist.
Does anyone have any information of how to find such a
package and whether these
are good things or if I should go for downloading other
version


In a terminal on my Fedora 16 I do this to see what version
I have installed:
~  rpm -q httpd
httpd-2.2.21-1.fc16.x86_64

2.2 is fine for me but I just use it to test my work locally.

I would use the yum package manager to see what upgrades are
available. Maybe:
~  yum check-update httpd

View the yum manual page for more information on package
management and updating:
~  man yum

If you wanted a newer version than is available at the
fedora upgrade repos yum looks at you could build from source.



-
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org









Re: [users@httpd] trivial question about webserver

2012-02-10 Thread Jim Albert

On 2/10/2012 5:48 AM, Dr. Sunil M. Dogra wrote:


Hi John,


The IPs of CDRSTDU.EDU.IN and TIER-3.CDRSTDU.EDU.IN have changed, so that's
why it is not working.

Now I want to make a webpage work, if you could suggest how to start
working.


So... your DNS servers have also changed IP address?

If so, then you need to update what are called glue records:
http://en.wikipedia.org/wiki/Domain_Name_System#Circular_dependencies_and_glue_records
This is done through your domain registrar.
So, first your DNS servers must be seen by the world and they are not:
http://www.webdnstools.com/dnstools/domain_check
enter CDRSTDU.EDU.IN
and it fails...  no DNS servers are found and I suspect it's because the 
glue records at the edu.in level have not been updated.


So... there are two things.
1. Get your glue records updated which indicate the IP addresses of your 
DNS server(s).
2. Update your DNS server(s) with new records pointing your domain to 
new IP addresses.


Your domain registrar should be able to help with this as that is the 
contact through which your glue records will be updated. They may not 
know what you are talking about at first depending on the level of 
support you first reach, but if the IP addresses of your DNS servers 
have changed, then your glue records must be updated.


--
Jim Albert

-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
 from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] trivial question about webserver

2012-02-10 Thread Jim Albert

On 2/10/2012 2:17 PM, Jim Albert wrote:

On 2/10/2012 5:48 AM, Dr. Sunil M. Dogra wrote:


Hi John,


The IPs of CDRSTDU.EDU.IN and TIER-3.CDRSTDU.EDU.IN have changed, so that's
why it is not working.

Now I want to make a webpage work, if you could suggest how to start
working.


So... your DNS servers have also changed IP address?

If so, then you need to update what are called glue records:
http://en.wikipedia.org/wiki/Domain_Name_System#Circular_dependencies_and_glue_records

This is done through your domain registrar.
So, first your DNS servers must be seen by the world and they are not:
http://www.webdnstools.com/dnstools/domain_check
enter CDRSTDU.EDU.IN
and it fails... no DNS servers are found and I suspect it's because the
glue records at the edu.in level have not been updated.

So... there are two things.
1. Get your glue records updated which indicate the IP addresses of your
DNS server(s).
2. Update your DNS server(s) with new records pointing your domain to
new IP addresses.

Your domain registrar should be able to help with this as that is the
contact through which your glue records will be updated. They may not
know what you are talking about at first depending on the level of
support you first reach, but if the IP addresses of your DNS servers
have changed, then your glue records must be updated.



Please note... the advice above assumes you control/manage your own DNS
servers. In other words, the IP addresses of your DNS servers changed.
If this is true then my advice on glue records is likely valid.


If you do not manage your own DNS servers, then glue records should not 
need to be adjusted.


--
Jim Albert
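A check that captures the logic of the two replies above, added here as an example and not code from the list or from httpd: a nameserver whose name lies inside its own zone needs glue at the parent, that glue must match the server's new address, and outsourced nameservers need no glue update at all. The zone name is the thread's; the nameserver names and IP addresses are constructed placeholders.

```python
# Added example (not from the list or from httpd); names and IPs are constructed.
from dataclasses import dataclass, field


def _norm(name):
    return name.rstrip(".").lower()


def is_in_bailiwick(ns, zone):
    """True when the nameserver's own name lies inside the zone it serves.
    That is the one case where the parent (edu.in here) must hand out glue,
    since a resolver cannot ask the zone for the address of its own servers."""
    ns, zone = _norm(ns), _norm(zone)
    return ns == zone or ns.endswith("." + zone)


@dataclass
class GlueReport:
    zone: str
    in_bailiwick: dict = field(default_factory=dict)  # ns -> needs glue?
    stale: dict = field(default_factory=dict)         # ns -> (glue ip, real ip)
    missing: list = field(default_factory=list)       # in-zone ns with no glue


def check_glue(zone, ns_names, parent_glue, actual_addrs):
    """ns_names: NS records the zone publishes for itself.
    parent_glue: {ns: ip} as the registrar/parent currently publishes.
    actual_addrs: {ns: ip} the servers really listen on after the change."""
    parent_glue = {_norm(k): v for k, v in parent_glue.items()}
    actual_addrs = {_norm(k): v for k, v in actual_addrs.items()}
    report = GlueReport(_norm(zone))
    for ns in map(_norm, ns_names):
        needs = is_in_bailiwick(ns, zone)
        report.in_bailiwick[ns] = needs
        if not needs:
            continue  # hosted elsewhere: nothing to update at the registrar
        glue, real = parent_glue.get(ns), actual_addrs.get(ns)
        if glue is None:
            report.missing.append(ns)
        elif real is not None and glue != real:
            report.stale[ns] = (glue, real)
    return report


def reachable_from_outside(report):
    """The zone resolves only if at least one NS is usable: either it lives
    outside the zone, or its glue exists and matches the real address."""
    return any(not needs or (ns not in report.missing and ns not in report.stale)
               for ns, needs in report.in_bailiwick.items())


if __name__ == "__main__":
    zone = "CDRSTDU.EDU.IN"
    # Case 1 (the thread): self-hosted NS inside the zone; IP changed, glue did not.
    r = check_glue(zone, ["TIER-3.CDRSTDU.EDU.IN."],
                   {"tier-3.cdrstdu.edu.in": "192.0.2.10"},     # old glue (placeholder)
                   {"tier-3.cdrstdu.edu.in": "198.51.100.10"})  # new address (placeholder)
    print("stale glue:", r.stale, "| resolvable:", reachable_from_outside(r))
    # Case 2 (the follow-up): DNS outsourced, NS names outside the zone.
    r2 = check_glue(zone, ["ns1.dns-provider.example."], {}, {})
    print("needs glue:", r2.in_bailiwick, "| resolvable:", reachable_from_outside(r2))
```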




Re: [users@httpd] trivial question about webserver

2012-02-09 Thread Jim Albert

On 2/9/2012 11:16 PM, Dr. Sunil M. Dogra wrote:

Hi,
A trivial question. I would like to make a webpage on my own; I have been
struggling with this for a long time. My ISP has changed the IPs given to
us and now I want proper registration of my domain name.



My ISP has given a set of IPs in the range
IPs:  qqq.aa.zzz.xxx to qqq.aa.zzz.x75
SubNetMask: 255.255.255.252
One of my IPs is used as the Gateway: qqq.aa.zzz.x61
DNS: 202.kkk.hhh.yyy

Now kindly suggest what are the things I should register with my registrar.

With Best Regards
sunil





I'm assuming you had a working web site and the IP address change has 
caused you a problem. If so, then you likely need to have the DNS entry 
for your domain/web server changed. You'll need to contact the 
organization that handles DNS for you and that may be the company 
through which you have registered your domain. You'll need to give them 
domains/hosts you want changed in DNS and the new IP addresses.


The DNS address given to you by your ISP would be irrelevant in this 
matter. That would be a DNS resolver that you can use for resolving 
domains to IP addresses.


Jim Albert




Re: [EMAIL PROTECTED] javascript src path on apache

2007-12-06 Thread Jim Albert

Hiep Nguyen wrote:

hi there,

I'm not sure this is the right list to ask; if not, please help direct me
to the right list.


I have a problem with a path for java on my Apache:

this is working just fine:
<script language="javascript" src="calendar.js" type="text/javascript"></script>


but as soon as I move calendar.js to a sub-folder includes/
<script language="javascript" src"/includes/calendar.js" type="text/javascript"></script>


You are missing an = after your src attribute in your script tag above.

Assuming, that was just a typo in your email, check your httpd error log 
when you try:

http://your_server/includes/calendar.js

Any error in the log should give you a clue.



then it's not working.

full path for include files: /var/www/html/includes/calendar.js

full path for test.php: /var/www/html/test.php

I searched "javascript src path" on Google, but found no good solution.

thanks.
T. Hiep





--
Jim Albert





Re: [EMAIL PROTECTED] javascript src path on apache

2007-12-06 Thread Jim Albert

Hiep Nguyen wrote:

I tried: http://10.0.0.120/calendar.js, I can save the file

but http://10.0.0.120/includes/calendar.js, I can't and get a 500 internal
server error


so I looked into the log, this is what I got:
[Thu Dec 06 14:09:34 2007] [alert] [client 10.0.0.128]
/var/www/html/includes/.htaccess: IndexIgnore not allowed here


any idea what's wrong? thanks.


Check your httpd.conf for any Directory configurations on your 
'includes' directory.


http://www.webmasterworld.com/forum92/3879.htm
http://www.howtoforge.com/forums/archive/index.php/t-788.html
seems relevant

I'm guessing you need
AllowOverride Indexes in whatever Directory configuration you have on 
your includes directory.


Or you might just want to put your IndexIgnore entry in your httpd.conf 
if you want that IndexIgnore applied throughout your site.


Just some thoughts... you'll have to decide what best to do based on how 
you are using IndexIgnore.


--
Jim Albert, Software Development
Netrition.com - The Internet's Premier Nutrition Superstore!
http://www.netrition.com/

-
This message is intended only for the named recipient. If you are not
the intended recipient you are notified that disclosing, copying,
distributing or taking any action in reliance on the contents of this
information is strictly prohibited. Please note that any views or
opinions presented in this email are solely those of the author and
do not necessarily represent those of the company.
-




[EMAIL PROTECTED] Make apache sleep

2007-10-22 Thread Jim Albert
For the purposes of testing a heavy load situation, I'd like to
configure one of my apache web servers to intentionally respond slowly to
a request.


Is anyone aware of some type of apache sleep or delay configuration that 
will easily allow me to configure this? For example, tell apache to wait 
10 seconds before responding to any request.


Thanks,
Jim Albert





Re: [EMAIL PROTECTED] Apache dummy connection

2006-06-26 Thread Jim Albert

Jim Albert wrote:

T. Devergranne wrote:

I have a lot of these (Apache internal dummy connection), but I can't
get rid of them, I don't know where they come from. Any hints?

192.168.1.20 - - [09/Mar/2006:08:42:40 +] GET / HTTP/1.0 200 15545 - Apache (internal dummy connection)
192.168.1.20 - - [09/Mar/2006:08:42:41 +] GET / HTTP/1.0 200 15564 - Apache (internal dummy connection)
192.168.1.20 - - [09/Mar/2006:08:42:42 +] GET / HTTP/1.0 200 15440 - Apache (internal dummy connection)

I'm using 2.2.0.


Maybe this will help you:
http://www.archivatna.com/t52552-internal-dummy-connection.html


I've seen the discussion, but it doesn't help much. Anyone, a way out?



I've noticed this also starting with Apache2.2.
I see a large number of those internal dummy connection requests during 
an apache graceful restart (SIGUSR1) and at the same time the cpu load 
on the Apache2.2 server maxes out at nearly 100%.


I'm wondering if anyone else sees this high cpu usage with a graceful 
restart of Apache2.2.


My home page (GET /) is dynamically generated (although running under 
mod_perl) but I use the following mod_rewrite rule to make / a very 
uncostly http request when the HTTP_USER_AGENT is internal dummy request.


RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
RewriteRule ^/$ /small_static_page.html [L]

Can anyone comment or confirm a similar experience with high cpu usage 
during a graceful restart of Apache2.2?


My OS is Linux 2.6.16-1.2133_FC5smp



In addition I see the following when doing a graceful restart of httpd:
[Mon Jun 26 14:17:14 2006] [notice] Graceful restart requested, doing 
restart
[Mon Jun 26 14:17:15 2006] [error] (9)Bad file descriptor: 
apr_socket_accept: (client socket)
[Mon Jun 26 14:17:59 2006] [notice] Digest: generating secret for digest 
authentication ...

[Mon Jun 26 14:17:59 2006] [notice] Digest: done

I find very little on what the Bad file descriptor: apr_socket_accept 
error means.


I am using Apache/2.2.0 on Linux 2.6.16-1.2133_FC5smp


--
Jim Albert
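A small access-log check for the symptom described above, added as an example that is not from the thread or from httpd: it picks out the internal dummy connection requests, flags seconds in which they cluster (as reported around a graceful restart), and lists those that still returned a large body, i.e. the dynamic home page rather than the small static page the RewriteRule is meant to serve. The sample log lines are constructed after the ones quoted in the thread, with a made-up +0000 timezone, timestamps squeezed into one second, and a made-up client line.

```python
import re
from collections import Counter
from datetime import datetime

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
DUMMY_AGENT = "internal dummy connection"  # the marker the thread's RewriteCond keys on

# Constructed sample: the three entries quoted in the thread, squeezed into one
# second and given a +0000 zone, plus one ordinary client and one post-rewrite hit.
SAMPLE_LOG = """\
192.168.1.20 - - [09/Mar/2006:08:42:40 +0000] "GET / HTTP/1.0" 200 15545 "-" "Apache (internal dummy connection)"
192.168.1.20 - - [09/Mar/2006:08:42:40 +0000] "GET / HTTP/1.0" 200 15564 "-" "Apache (internal dummy connection)"
192.168.1.20 - - [09/Mar/2006:08:42:40 +0000] "GET / HTTP/1.0" 200 15440 "-" "Apache (internal dummy connection)"
203.0.113.7 - - [09/Mar/2006:08:42:41 +0000] "GET /index.html HTTP/1.1" 200 15500 "-" "Mozilla/5.0 (constructed)"
192.168.1.20 - - [09/Mar/2006:08:42:41 +0000] "GET / HTTP/1.0" 200 312 "-" "Apache (internal dummy connection)"
"""


def parse_line(line):
    """One Combined Log Format entry -> dict, or None when it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def dummy_requests(lines):
    """Only httpd's own wake-up requests; a real client never sends that agent."""
    return [rec for rec in map(parse_line, lines)
            if rec and DUMMY_AGENT in rec["agent"].lower()]


def bursts(lines, per_second=3):
    """Seconds in which at least `per_second` dummy requests landed: the kind
    of cluster the thread sees around a graceful restart."""
    hits = Counter(rec["when"] for rec in dummy_requests(lines))
    return sorted(t.strftime("%Y-%m-%dT%H:%M:%S%z")
                  for t, n in hits.items() if n >= per_second)


def expensive_dummy_hits(lines, small_page_bytes=1024):
    """Dummy requests that still got a big body, i.e. the dynamic home page
    was generated instead of the small static page the RewriteRule serves."""
    return [rec for rec in dummy_requests(lines) if rec["bytes"] > small_page_bytes]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("dummy requests:", len(dummy_requests(lines)))
    print("burst seconds:", bursts(lines))
    print("still expensive:", len(expensive_dummy_hits(lines)))
```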




Re: [EMAIL PROTECTED] Apache dummy connection

2006-06-22 Thread Jim Albert

T. Devergranne wrote:
I have a lot of these (Apache internal dummy connection), but I can't
get rid of them, I don't know where they come from. Any hints?

192.168.1.20 - - [09/Mar/2006:08:42:40 +] GET / HTTP/1.0 200 15545 - Apache (internal dummy connection)
192.168.1.20 - - [09/Mar/2006:08:42:41 +] GET / HTTP/1.0 200 15564 - Apache (internal dummy connection)
192.168.1.20 - - [09/Mar/2006:08:42:42 +] GET / HTTP/1.0 200 15440 - Apache (internal dummy connection)

I'm using 2.2.0.


Maybe this will help you:
http://www.archivatna.com/t52552-internal-dummy-connection.html


I've seen the discussion, but it doesn't help much.
Anyone, a way out?


I've noticed this also starting with Apache2.2.
I see a large number of those internal dummy connection requests during 
an apache graceful restart (SIGUSR1) and at the same time the cpu load 
on the Apache2.2 server maxes out at nearly 100%.


I'm wondering if anyone else sees this high cpu usage with a graceful 
restart of Apache2.2.


My home page (GET /) is dynamically generated (although running under 
mod_perl) but I use the following mod_rewrite rule to make / a very 
uncostly http request when the HTTP_USER_AGENT is internal dummy request.


RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
RewriteRule ^/$ /small_static_page.html [L]

Can anyone comment or confirm a similar experience with high cpu usage 
during a graceful restart of Apache2.2?


My OS is Linux 2.6.16-1.2133_FC5smp

--
Jim Albert




Re: [users@httpd] trying to debug a mod_perl app

2005-05-11 Thread Jim Albert
I notice your BML.pm is composed of several packages. I see at least 
BML::Request and Apache::BML and maybe some others in whatever you've 
truncated.

I guess I'd suggest tracking down where exactly your BML.pm file is used 
by either some apache configuration file or some mod_perl or cgi 
application and what packages from it are used.

bruce wrote:
hi...
I hope this is the right place to turn to!!
I have mod_perl installed on an apache1.3.33/mod_perl1.29/FC3 setup.
I'm trying to track down how I can print something from a '.pm' file that's
used with an apache app that I'm testing...
my perl skill is enough to get me in trouble!!
here's the situation:
I have an application (livejournal) that uses a file, BML.pm. I'm trying to
print out information from within the file to the error_log file. I can
accomplish this via a 'print STDERR foo' in other '.bml' files that are used
by the application. The '.bml' files appear to be pretty much perl files.
The BML.pm file appears to be used by apache at startup, as when I mv the
file, apache doesn't start, so I know the file is used.

a portion of the BML.pm file is listed below.
I've searched (am searching) google to try to get a feel for what I need to
do to be able to print something from the file to the STDERR/error_log.
right now, I'm stumped/confused!!!

if the file is required by apache, does that imply that apache
runs/interprets the file during startup? if this is the case, doesn't this
also imply that I should be able to do an initial print/debug statement at
the beginning of the file to get something to show up in the error_log file?
or, is it possible that the file is required by apache to start, but isn't
used???
my current dilemma is that I can't figure out a way to print anything from
the BML.pm file to the error_log file..
arrggghhh!!!

thanks
-bruce
[EMAIL PROTECTED]
ps. I tried to talk with a few of the guys on the livejournal forums.. not
much help!!
portion of the bml.pm listing...
#!/usr/bin/perl
#
print STDERR "bdouglas bml top\n";
use strict;
package BML::Request;
use fields qw(
  env blockref lang r blockflags BlockStack
  file scratch IncludeOpen content_type clean_package package
  filechanged scheme scheme_file IncludeStack etag location
  most_recent_mod stop_flag want_last_modified cookies
  );
package Apache::BML;
print STDERR "bdouglas bml n\n";
use Apache::Constants qw(:common REDIRECT HTTP_NOT_MODIFIED);
use Apache::File ();
use Apache::URI;
use Digest::MD5;
use File::Spec;
BEGIN {
print STDERR "bdouglas bml 55\n";
$Apache::BML::HAVE_ZLIB = eval "use Compress::Zlib (); 1;";
}
# set per request:
use vars qw($cur_req);
use vars qw(%CodeBlockOpts);
# scalar hashrefs of versions below, minus the domain part:
my ($SchemeData, $SchemeFlags);

# keyed by domain:
my $ML_SCOPE;  # generally the $r->uri, auto set on each request (unless overridden)
my (%SchemeData, %SchemeFlags); # domain -> scheme -> key -> scalars (data has {s} blocks expanded)
# safely global:
use vars qw(%FileModTime %LookItems);  # LookItems: file -> template -> [ data, flags ]
use vars qw(%LookParent);  # file -> parent file
use vars qw(%LookChild);   # file -> child -> 1
my (%CodeBlockMade);
use vars qw($conf_pl $conf_pl_look);  # hashref, made empty before loading a .pl conf file
my %DenyConfig;  # filename -> 1
my %FileConfig;  # filename -> hashref
my %FileLastStat;# filename -> time we last looked at its modtime
use vars qw($base_recent_mod);

# the request we're handling (Apache->request).  using this way
# instead of just using Apache->request because when using
# Apache::FakeRequest and non-mod_perl env, I can't seem to get/set
# the value of Apache->request
use vars qw($r);
# regexps to match open and close tokens. (but old syntax (=..=) is deprecated)
my ($TokenOpen, $TokenClose) = ('<\?', '\?>');
tie %BML::ML, 'BML::ML';
tie %BML::COOKIE, 'BML::Cookie';
print STDERR "bdouglas 11 -bml\n";
sub handler
{
my $r = shift;
# debug line placed after 'my $r = shift' so it logs through this request's
# object rather than the package-global $r left over from an earlier request
$r->log_error("bdouglas 1123 -bml\n");
my $file;
$Apache::BML::r = $r;
'
'
'
}
.
.
.
---




--
Jim Albert