Re: [users@httpd] Directory Trailing Slash When Behind Load Balancer

2024-05-17 Thread Rainer Canavan
On Tue, May 14, 2024 at 6:07 PM Gavin Spomer  wrote:
>
> Hello,
>
> I recently migrated my Apache web server from FreeBSD to Ubuntu Server and 
> found an issue with URLs that point to a directory, but don't include the 
> trailing slash, when going through our institution's load balancer. If I 
> access directly (not going through the load balancer), everything works fine:
>
>http://mywebserver.example.com/application
>
>Above works as, from reading the mod_dir documentation, it redirects to
>http://mywebserver.example.com/application/ (adds the trailing slash) and 
> thus the application's index.php script
>is executed.
>
> My web server is fronted by our institution's load balancer which does SSL 
> termination and then sends the request to my web server on port 81. I am not 
> seeing the same behavior when accessing through our load balancer:
>
>https://loadbalancer.example.com/application
>
>The above doesn't work. It hangs, times out and then redirects to 
> http://loadbalancer.example.com:81/application/
>with a "This site can’t be reached" message. It does work if I explicitly 
> add the slash to the URL in my browser:

That's probably not the order that events are actually happening. It
most likely redirects to
http://loadbalancer.example.com:81/application/ first.

[...]
> 
>ServerName mywebserver.example.com:81

Redirects require a complete URL, and mod_dir is probably assembling
that using the ServerName. Use the developer tools in your browser or
curl -v to see what's actually going on, particularly the "Location:"
response header, which is the URL the redirect is sending your browser
to.

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Redirecting based on IP

2024-05-16 Thread Rainer Canavan
On Thu, May 16, 2024 at 1:15 AM Dave Wreski
 wrote:
>
> Hi,
>
[...]
> The staging site is even protected with a RequireAll statement for the 
> DocumentRoot based on the IP, which then results in a 404 and other errors in 
> GSC.

That sounds wrong. If your RequireAll was working as advertised, should
it not return a 403?

[...]
>
> The next steps I'd like to do is to redirect anyone not in that RequireAll 
> statement to be redirected to the production site. Is this possible? Perhaps 
> a RewriteCond that depends upon certain IPs, then otherwise redirects to the 
> production site?

I don't think relying on the IPs is a good idea, since those will
change, and the proper process to validate them requires 2 DNS
lookups, if I'm not mistaken. Just use a rewriteCond + rewriteRule to
generously check the User-Agent and perform the redirect. You may have
to set an environment variable in the rewrite rule and check that in
your RequireAll statement to permit the 301 response to be sent. You
may want to verify that the Vary:User-Agent response header gets sent
to the client to prevent cache pollution.

Rainer
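Rainer's suggestion written out as an httpd configuration (an added example, not from the thread). Host names and addresses are placeholders, and it assumes the rewrite rule lives in the virtual host, not in a <Directory> or .htaccess, so the redirect is issued before the IP-based access check runs.

```apache
# Staging vhost: crawlers are recognised generously by User-Agent instead of
# by source address, and sent to the production site with a 301. Everyone
# else is still subject to the IP restriction on the DocumentRoot.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "(googlebot|bingbot|yandexbot|duckduckbot)" [NC]
# Path and query string of the original request are carried over.
RewriteRule "^" "https://www.example.com%{REQUEST_URI}" [R=301,L]

<Directory "/var/www/staging">
    # Placeholder office network; unmatched clients get a 403.
    Require ip 203.0.113.0/24
</Directory>

# The same URL now yields different responses depending on User-Agent, so
# caches must key on it. The 301 is an internally generated response and
# only "always" headers reach it; the plain form covers normal responses.
Header always merge Vary User-Agent
Header merge Vary User-Agent
```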




Re: Re: [users@httpd] Unable to unset Set-Cookie response header

2023-11-14 Thread Rainer Canavan
On Tue, Nov 14, 2023 at 3:24 PM Luigi Bellio  wrote:
>
> Hi Eric,
>
>  thanks for your feedback ... I just tried, nothing is changed ...
> moreover as documented the "always" directive should apply to all
> response codes not only "on success".

You're missing one important issue the documentation raises:
https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
"always" and "onsuccess" apply to different sets of headers, therefore it
might help if you try duplicating your 'Header unset' line, one with *and* one
without "always".

Rainer




Re: [users@httpd] Unable to build Apache httpd

2023-10-25 Thread Rainer Canavan
On Tue, Oct 24, 2023 at 5:32 AM Frank Gingras  wrote:
>
> Perhaps the libtool version is older/different - what happens when you remove 
> the space?
>
> On Fri, Oct 20, 2023 at 12:19 PM Daga, Navin (Navin)  wrote:
>>
>> I'm trying to build Apache httpd RPM from the source tarball as mentioned in 
>> https://httpd.apache.org/docs/2.4/install.html
>>
>> However, it always fails with the error "libtool:   error: require no space 
>> between '-L' and '-R'"
>>
>> Complete Error :
>>
>> /usr/lib64/apr-1/build/libtool --silent --mode=link gcc   -o 
>> htpasswd  htpasswd.lo passwd_common.lo   -L -R -laprutil-1 -ldb-5.3 
>> -lexpat
>>
>> /usr/lib64/libapr-1.la -lpthread -lcrypt
>>
>> libtool:   error: require no space between '-L' and '-R'

The problem here is not the space, but the fact that -L requires a
directory as an argument - like -L/usr/local/lib - and consumes the
following argument (in this case -R) instead. You'll need to figure
out why no path is included here. -R should also have a path argument,
but I would have expected -Wl,-rpath to be used instead on Linux. All
this points to the ./configure script and its friends getting very
confused. I'd recommend re-trying the build in a clean Fedora Docker
container with only the required packages (gcc, make, ...) installed
from the distribution's default repositories. Once you have a working
build, it should be easier to determine where your current problems
actually start.

Rainer




Re: [users@httpd] dynamic ssl cert/key selection

2023-10-20 Thread Rainer Canavan
On Fri, Oct 20, 2023 at 5:31 PM Marc  wrote:

[...]
> >ServerAlias test.*.*
[...]
> >
> > A trivial and safe way if you need a solution asap might involve declaring
> > a <VirtualHost> for each host.
>
> I would like to have single access/error log for all these serveralias 
> matches.

That's no problem, multiple vhosts can write into the same access/error logs.

> > I’ve not seen globbing/wildcarding like this, and also makes me curious is
> > it possible to get a public key signed by a CA with this globbing pattern?
>
> yes I am getting the certs like this. I just want to prevent creating the 
> vhosts

I think what he meant is whether CAs issue wildcard certificates like
test.*.*. They don't, and that wouldn't work anyway, since only one *
is allowed, only at the beginning, and only representing a single
level of host names.

Concerning your problem, I think you're stuck with creating multiple
vhosts if you want to use httpd with multiple separate certificates.
If you can get a single certificate with all your hostnames as SAN
entries, that would work as well.

As an alternative, you could use OpenResty as an SSL offloader, and
load your certificates on demand using some lua code in
ssl_certificate_by_lua_block
(https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block)

Rainer




Re: [users@httpd] Apache static compile

2023-04-12 Thread Rainer Canavan
On Wed, Apr 12, 2023 at 1:49 AM Chris me  wrote:
>
> Basically I am trying to run a later version of apache that supports the 
> newer TLS alongside a much older version. I know it is better to upgrade the 
> server, etc. but that is not an option for the legacy server.
>
> I basically need a completely stand alone version of httpd so I don’t have to 
> worry about upgrading the server libs and current openssl version.

set an installation path with
--prefix=/usr/local/completelyseparatehttpd and
LDFLAGS=-Wl,-rpath,/usr/local/completelyseparatetlslibrary when you
configure your httpd and you should be done.

rainer




Re: [users@httpd] Apache static compile

2023-04-11 Thread Rainer Canavan
On Sat, Apr 8, 2023 at 11:22 PM Chris me  wrote:
>
> Right. Is there an option to compile Apache using a non-standard location for 
> dynamic libs? IE instead of /usr/lib it could use /usr/lib/custom
>
> I was not able to find anything other than using an ELF patcher to try and 
> change the paths directly in the httpd binary file, but not sure how that 
> would turn out.

Those are usually configured during link time, i.e. via LDFLAGS. It's
not entirely clear what you want, and there are at least a dozen rules
how the various options interact, so I'd recommend you check the man
page for your system's runtime linker (probably man ld). Normally,
you'll just pass -Wl,-rpath,/your/lib/search/path, but maybe you want
to mess with DT_RUNPATH, DT_RPATH or SEARCH_DIR.

Rainer




Re: [users@httpd] Multi-domain with SSL - Virtualhost all need IPs?

2022-05-19 Thread Rainer Canavan
On Wed, May 18, 2022 at 11:53 PM Frank Gingras  wrote:
>
> Not sure if you saw the other answer on the other email:
>
> // If you can't use a SAN, then you need to configure all your vhosts as 
> IP:443, whereas one vhost uses a separate IP, and the remainder uses the 
> second IP.

That sounds wrong to me. Apache should pick a matching certificate for
the hostname specified via SNI by the client, if any, or the first one
configured as a fallback (assuming the vhost IP / * specification
matches). Note that only vhosts with IP:port are considered, if any
are specified and match the request. You should be able to use *:443
for all vhosts.

Rainer
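The setup Rainer describes here and in the "dynamic ssl cert/key selection" reply above (several vhosts on *:443, one certificate each, selected by SNI, all writing to the same logs), as an added example that is not part of either message. Host names and file paths are placeholders.

```apache
# Two TLS vhosts on the same address and port. httpd picks the vhost, and with
# it the certificate, from the SNI host name the client sends. The first *:443
# vhost is the fallback for clients that send no, or an unknown, SNI name.
# Both vhosts append to the same log files; %v records which one answered.
Listen 443
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

<VirtualHost *:443>
    ServerName www.example.com          # first in the file: default for unknown SNI
    DocumentRoot "/var/www/www"
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/www.example.com.pem"
    SSLCertificateKeyFile "/etc/ssl/private/www.example.com.key"
    ErrorLog  "logs/ssl_error_log"
    CustomLog "logs/ssl_access_log" vhost_combined
</VirtualHost>

<VirtualHost *:443>
    ServerName test.example.com
    DocumentRoot "/var/www/test"
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/test.example.com.pem"
    SSLCertificateKeyFile "/etc/ssl/private/test.example.com.key"
    ErrorLog  "logs/ssl_error_log"
    CustomLog "logs/ssl_access_log" vhost_combined
</VirtualHost>
```

Any client that connects without SNI, or with a name no ServerName matches, is served the first vhost's certificate, so put the most general one first.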




Re: [users@httpd] How to use DH 4096 parameters?

2022-03-14 Thread Rainer Canavan
On Sun, Mar 13, 2022 at 8:08 PM Walter Hop  wrote:
[...]

> I’m confused where the DH 3072 comes from. My question is, what should I 
> configure so that DH 4096 is sent?

Your problem is in step 2) generate DH params - internet.nl explicitly
states that "Self-generated groups are 'Insufficient'". Follow their
instructions to download one of the pre-defined groups from RFC 7919
to make that test happy.

Rainer




Re: [users@httpd] RE: (EXTERNAL) Re: [users@httpd] Patching httpd in MacOS?

2021-10-28 Thread Rainer Canavan
On Thu, Oct 28, 2021 at 1:18 AM Rich Barron  wrote:
>
> We are doing a security audit. The software saw the unpatched version in the 
> MacOS and flagged it as a violation – so that is what needs to be patched.

I don't know how Apple handles bundled software. Are you sure that
this is not a false positive and that the relevant security issues
have not been patched even though the version number wasn't changed?

Anyway, I think this is a MacOS problem, you'll have to find out how
to disable, uninstall or update httpd with the MacOS specific tools,
find evidence that the installed httpd is actually safe or plead with
Apple to provide an update.

rainer




Re: [users@httpd] How to display the True-Client-IP header in the access log

2021-10-19 Thread Rainer Canavan
On Tue, Oct 19, 2021 at 1:44 PM Mason Hayes  wrote:
>
> Hi, All
>
> When Apache is accessed via a CDN (Akamai), I would like to record the IP of 
> the accessing client in the Apache logs.
> In order to display the True-Client-IP header sent by Akamai in the access 
> log like X-Forward-For, do I have to change the Logformat setting in 
> httpd.conf as follows?
>
> LogFormat "%{True-Client-IP}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

That looks OK, but you may want to look into using
https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
You would have to set RemoteIPHeader to True-Client-IP and, since
Akamai to my knowledge doesn't publish a list of its source IPs,
consider some kind of authentication, e.g. basic auth
https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html to protect
the vhost from access without Akamai. Otherwise anyone would be able
to fake an arbitrary source IP in your logs.

rainer
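The mod_remoteip variant Rainer points to, as an added example that is not from the thread: the CDN's header becomes the client address httpd itself uses, and the vhost is closed to anything that does not carry the credential configured at the CDN. Port, host name and file paths are placeholders.

```apache
LoadModule remoteip_module modules/mod_remoteip.so

# Replace the connection peer (the CDN edge) with the address the CDN puts
# into True-Client-IP, so %a, Require ip and friends see the real client.
RemoteIPHeader True-Client-IP

# %a is the client address after mod_remoteip, %{c}a the peer address of the
# TCP connection; logging both makes requests that bypassed the CDN stand out.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" cdn_combined
CustomLog "logs/access_log" cdn_combined

# Without RemoteIPInternalProxy/RemoteIPTrustedProxy lists the header is
# believed from any peer, and the CDN's source addresses are not published,
# so anyone could put an arbitrary address into the log. Require a credential
# that only the CDN configuration adds to its origin requests.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/html"
    <Location "/">
        AuthType Basic
        AuthName "origin"
        AuthBasicProvider file
        AuthUserFile "/etc/httpd/origin.htpasswd"
        Require valid-user
    </Location>
</VirtualHost>
```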




Re: [users@httpd] Re: Reverse proxy to a website with HTTPS

2021-08-23 Thread Rainer Canavan
On Mon, Aug 23, 2021 at 10:45 AM Scott Trakker
 wrote:
[...]

> The certificate for the subdomain 'nextcloud.jeroenverhoeckx.com' is 
> installed correctly:

No. Having a certificate and actually using it on the https server
listening on port 443 are two entirely different things.
Try https://www.ssllabs.com/ssltest/analyze.html?d=nextcloud.jeroenverhoeckx.com

regards,

rainer




Re: [users@httpd] brotli with Apache and PHP-FPM - possible?

2021-03-22 Thread Rainer Canavan
[...]
> But does not work if it's PHP - in this case, the content is compressed
> with "gzip":
>
> $ curl -v -H "Accept-Encoding: gzip, deflate, br"
> https://server.tld/pp.php 2>&1 | grep content-encoding
> < content-encoding: gzip
>
> Curiously, it does work with PHP if I specify "br" as the only value in
> "Accept-Encoding" (browsers however use "gzip, deflate, br"):

Sounds like you need to enforce the correct order of the filters. I don't know
how to do that using "AddOutputFilterByType", but with "FilterProvider",
the example below should work. While you're there, you can also enable
mod_buffer to improve the compression ratio:

BufferSize 131072
FilterProvider buffer   BUFFER   "resp('Transfer-Encoding') == '' && %{CONTENT_TYPE} =~ m|^text/|"
FilterProvider gzip_compression DEFLATE  "resp('Transfer-Encoding') == '' && %{CONTENT_TYPE} =~ m|^text/|"
FilterProvider brotli_compression BROTLI_COMPRESS "resp('Transfer-Encoding') == '' && %{CONTENT_TYPE} =~ m|^text/|"

FilterChain buffer brotli_compression gzip_compression


rainer




Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP

2021-02-25 Thread Rainer Canavan
On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier  wrote:
[...]
> Could it be possible another way to give clients of a specific vHost 
> different SSLCipherSuite's depending on their IP address? (cipher of first 
> handshake, no renegotiation)

You can work around this by setting up a separate vhost on a different
port or IP and redirect the incoming traffic using  the firewall/NAT
tools supplied with your OS. Under Linux, something similar to the
following might work:

iptables -t nat -A PREROUTING -p tcp -s 1.2.3.0/24 --dport 80 -j
REDIRECT --to 8080

regards,

Rainer




Re: [users@httpd] Self built httpd 2.4.43 problems

2020-11-02 Thread Rainer Canavan
On Mon, Nov 2, 2020 at 4:17 PM Gabriele Bulfon
 wrote:
>
> Thanks, I configured and ran server-status after stopping/starting apache.
> Top output is:
>
[...]

> What should I check?
> Also, when system blocks I won't be able to see server-status, as it will be 
> not responding.
> Should I check it daily and look for a specific info that grows?

"requests currently being processed" would probably increase if
threads are permanently blocked. I would recommend logging this every
few seconds, so that you can at least check after the fact how quickly
the system filled up.

You should have ExtendedStatus enabled, which should give you a
complete list of all threads and their states. Any that are active
(probably "W", definitively not "." or "_") processing a single
request for extended periods are suspicious, especially if multiple of
the same kind start piling up.

If httpd does not respond to requests anymore, and you have multiple
worker childs, you can sometimes get away with killing one and try to
squeeze a status request in there before it gets overrun again.

Anyway, serverstatus will only provide rough hints of what's going on.
If it is indeed httpd, you'll probably need gdb backtraces.

rainer




Re: [users@httpd] Self built httpd 2.4.43 problems

2020-11-02 Thread Rainer Canavan
On Mon, Nov 2, 2020 at 11:13 AM Gabriele Bulfon
 wrote:
>[...]
> Recently we built version 2.4.43 and installed on a test machine.
> Here, we are experiencing a problem where almost once a week we have to 
> restart apache, which is no more responding.
> Threads are there, but none is answering on port 80, waiting forever.
[...]
> What may be the issue?

Lots of options, more information needed. If it's an issue that slowly
eats up your worker threads, monitoring the server-status page with
ExtendedStatus On may provide good hints. Otherwise, wait until it
stops responding and try to check with strace if anything suspicious
is going on. Finally, check
"thread apply all bt" in a gdb session attached to some of the blocked
processes, possibly a few times with cont and Ctrl+C in between to see
where it's really waiting. You may need to re-build with debug info,
and/or install the debug info for all libraries your httpd is linked
against.

rainer




Re: [users@httpd] Apache mod_autoindex and mod_deflate (gzip). Can't get pages compressed

2020-08-04 Thread Rainer Canavan
[...]
> FilterProvider  COMPRESSDEFLATE "%{Content_Type} = 
> 'text\/html.*$'"

I don't think you can use regular expressions with just '=', you'll
have to use '=~'

search 'regex' in the documentation at
https://httpd.apache.org/docs/2.4/expr.html for the exact syntax
required.


rainer




Re: [users@httpd] Apache mod_autoindex and mod_deflate (gzip). Can't get pages compressed

2020-08-03 Thread Rainer Canavan
On Fri, Jul 31, 2020 at 9:01 PM eika from Ru-Board
 wrote:
>
> Hi folks!
>
> I come across with issue I can't fix. I have Apache/2.4.43 OpenSSL/1.1.1g
> with mod_autoindex (showing directory listings instead of index.html) and
> with mod_deflate.
>
> I was able to get content gzipped, but only if they are files with
> extensions (e.g. .css, .html, etc.) But when I want to get gzipped page
> coming from mod_autoindex, I can't get it. E.g. https://domain.dom,
> https://domain.dom/somedir/, https://domain.dom/test/, etc. These URLs comes
> without Content-encoding: gzip header.
>
> I think that I am not far from the reason why, because I found that
> directory indexes sent by chunks (transfer-encoding: chunked). But files
> with extensions came with these headers:

I suspect that you have simply configured mod_gzip to be only active
for URLs ending in .html etc, and the transfer-encoding just happens
to correlate with that because it's not a local "file" but generated
dynamically. You should check the outgoing content-type instead of the
URL. We've been using the following for quite some time:

   FilterProvider buffer   BUFFER   "%{CONTENT_TYPE} =~ m|^text/|"
   FilterProvider buffer   BUFFER   "%{CONTENT_TYPE} =~ m|^model/|"
[... more content types ]
   FilterProvider gzip_compression DEFLATE  "%{CONTENT_TYPE} =~ m|^text/|"
   FilterProvider gzip_compression DEFLATE  "%{CONTENT_TYPE} =~ m|^model/|"
[...]
   FilterChain buffer gzip_compression

rainer




Re: [users@httpd] TLS Client Hello not responded by mod_ssl

2020-07-14 Thread Rainer Canavan
> Dear Apache enthusiasts ...
>
> My application is a very simple https-only apache (2.4.43) server with
> mod_ssl (openssl 1.1.1g) in Linux (crux distribution 3.5).

[...]

> ./configure --enable-layout=CRUX \
> --with-apr=/usr \
> --with-apr-util=/usr \
> --with-pcre=/usr \
> --enable-so \
> --enable-modules=all \
> --enable-mods-shared=all \
> --enable-mpms-shared=all

[...]

> == (d)
>  ./config --prefix=/usr \
>   --libdir=lib \
>   --openssldir=/etc/ssl \
>   shared \
>   enable-ec_nistp_64_gcc_128
> == -the end-

It appears that you're trying to use a custom openssl installation
to build your httpd, but at a casual glance, I haven't seen anything
that would actually make your httpd use that openssl installation.

Make sure that only the correct openssl headers are included during the
build, and that the LD_LIBRARY_PATH, LD_RUN_PATH or preferably
DT_RUNPATH or DT_RPATH are set so that the matching libraries are
loaded and used (typically using -Wl,-R,/). Also, make sure that
no other modules or libraries are - possibly indirectly - linked against other
versions of openssl and load those during runtime. Use ldd against all
binaries involved to make sure.

If you want to dig deeper, I'd recommend re-compiling with debug infos (-g),
running with mpm_prefork for simplicity, attaching one httpd process that's
stuck in the ssl handshake and getting a full backtrace (bt full).

rainer




Re: [users@httpd] force secondary authentication for one Proxy URL QUERY_STRING

2020-06-15 Thread Rainer Canavan
On Thu, Jun 11, 2020 at 3:13 PM Jason Keltz  wrote:
[...]
> The URL that I would like to limit looks like this:
>
> https://example.com/#/?key=KJKJHjkdflkjsdflkjJhdsfjhf
[...]
> I want to only apply authentication when the QUERY_STRING includes "?key".

In the URL you have given above, "key" is not in the query string, it's in
the fragment, which should never be sent to the server. I would suspect
that that part is evaluated by Javascript in the browser, which probably
triggers additional requests to some arbitrary, different URL. Not sure if
authentication failures for such requests would ever cause the browser to
request username/password interactively. Use the developer tools in your
browser to check what's really going on.

rainer




Re: [users@httpd] Proxy pass settings

2020-06-15 Thread Rainer Canavan
On Fri, Jun 12, 2020 at 5:02 AM Niranjan Rao  wrote:
> [...] Example could be
>
> https://myserver/uat/app1
> https://myserver/qa/app1
>
>
> Earlier I have tried just https://myserver/app1 and it works correctly.
> But now I want to add environment to it. Applications don't know they
> are proxied and when "app1/" is accessed it sends back to "/app1/login",
> relative to app1. T

sounds like something you could fix with proxypassreverse:
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse

If the html generated in your tomcat also contains absolute links, the note
about mod_proxy_html may apply, but you'll have to decide for yourself
at what point you may be better off re-configuring the tomcat applications.

rainer
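The ProxyPassReverse fix Rainer suggests, as an added example that is not from the thread. Backend host names are placeholders; each environment gets its own <Location> so that a backend redirect is mapped back to the prefix the browser actually used, and the path-only ProxyPassReverse argument for relative Location values is an assumption about mod_proxy's matching that should be checked against the httpd version in use.

```apache
# Same Tomcat application reached under two environment prefixes. The backend
# does not know it is proxied and answers redirects with "Location: /app1/login";
# ProxyPassReverse rewrites that to /uat/app1/login or /qa/app1/login.
ProxyRequests Off    # reverse proxy only; never act as a forward proxy

# ProxyPass below expects the trailing slash, so add it for bare prefixes.
RedirectMatch permanent "^/(uat|qa)/app1$" "/$1/app1/"

<Location "/uat/app1/">
    ProxyPass        "http://tomcat-uat.internal:8080/app1/"
    ProxyPassReverse "http://tomcat-uat.internal:8080/app1/"
    # Assumed: a path-only argument matches Location headers that carry only a path.
    ProxyPassReverse "/app1/"
</Location>

<Location "/qa/app1/">
    ProxyPass        "http://tomcat-qa.internal:8080/app1/"
    ProxyPassReverse "http://tomcat-qa.internal:8080/app1/"
    ProxyPassReverse "/app1/"
</Location>
```

Keeping the reverse mappings inside their <Location> blocks matters: defined at server level, the first "/app1/" mapping would win for both environments.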




Re: [users@httpd] Where is gone RemoteIPProxyProtocol directive (mod_remoteip) ?

2020-05-06 Thread Rainer Canavan
On Wed, May 6, 2020 at 11:04 AM JK Pard0x  wrote:

> Looking at the mod_remoteip source code for httpd 2.4.6 [1], it appears
> the directive RemoteIPProxyProtocol does not exist anymore. I'm not sure
> to understand how the versioning works.

And indeed, it looks like versioning works differently than you
believe it does. With the vast majority of open source projects, the
dots separate decimal numbers, not digits that are used individually.
So 2.4.9 is older than 2.4.10 and 2.4.4 is a lot older than 2.4.40.

Compiling a mod_remoteip from a different version of httpd may work,
but you should compile just the one module using the header files from
the httpd developer packages, apr etc. that belong to the httpd you're
actually using, not the one where you're getting the updated mod_remoteip.

I suspect you're using RHEL or CentOS. There are packages of newer
httpds available, for example in the redhat software collections, but
they are probably supported differently from the one included in the
standard distribution.

rainer




Re: [users@httpd] Compiling Apache with Non-System OpenSSL

2019-07-31 Thread Rainer Canavan
On Wed, Jul 31, 2019 at 1:39 AM Nigel B. Peck  wrote:
>
> Thanks for the answers, great to have more insight on this.
>
> Is this a bug? Shouldn't it set up the linking correctly itself when
> the library has been specified using `--with-ssl`, as it does for
> `--with-pcre`? I'm considering submitting a bug report, but only want
> to do so if it really is.


In my opinion, this is not a bug. autoconf has been handling this the
way it currently does for decades. Adding a RUN_PATH has the potentially
unwanted side effect that the binary will preferentially use libraries from
that directory instead of the system search paths. Additionally, the library
locations during build time are frequently different from those used at
run time. If you want your library locations fixed at build time, try cmake.

rainer




Re: [users@httpd] Compiling Apache with Non-System OpenSSL

2019-07-30 Thread Rainer Canavan
On Tue, Jul 30, 2019 at 7:15 AM Nigel B. Peck  wrote:
>
> Hi,
>
> Having some trouble compiling Apache with non-system OpenSSL, any help
> appreciated. Looked at many threads online but no answers so far.
[...]

> Is there any way I can resolve this without having to add the location
> to LD_LIBRARY_PATH?

LDFLAGS=-Wl,-rpath,/path/to/libs  ./configure --prefix to set the rpath.
Depending on the platform you're on or the linker you're using, you
may have to use -R instead.

You could also switch to cmake instead of autoconf, since cmake usually
gets the linker options right on its own, if you point it to the correct
directories.

rainer




Re: [users@httpd] caching of HTML5 (MP4)

2019-06-17 Thread Rainer Canavan
On Sun, Jun 16, 2019 at 12:21 PM rexkogit...@gmx.at  wrote:
[...]
>
> In HTTP 1.1, the caching is a simple HTTP header field, see section 14.9 here:
>
> https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

The current RFC would be https://tools.ietf.org/html/rfc7234, but
https://tools.ietf.org/html/rfc7232#section-2 may also apply here.

If you're serving the same file from multiple servers, you may have to
ensure that the modification times are identical on all servers, so
that the Last-Modified Headers don't change, and possibly adjust the
way ETags are calculated (see
https://httpd.apache.org/docs/2.4/de/mod/core.html#fileetag), since
the INode numbers may be different from one server to the next.

rainer




Re: [users@httpd] RE: Need some advice - thread safe php module

2019-05-23 Thread Rainer Canavan
On Thu, May 23, 2019 at 12:15 AM Jeff Cauhape  wrote:
>
> Yehuda,
>
> But how do you tell if the Apache thread-safe module is included?
>
> I’ve already wasted more than enough time on this task, and I’d like
>
> some way to determine I’m not just wasting more time.

It's in the FAQ, a single mouse click away from the link Yehuda has provided:

https://blog.remirepo.net/pages/English-FAQ#scl

in short: pick the right package from Remi's repositories.

rainer




Re: [users@httpd] Tuning Apache Web Server Parameters

2019-05-02 Thread Rainer Canavan
On Thu, May 2, 2019 at 11:57 AM Supun Abeysinghe  wrote:
>
> Hi all,
>
> I'm working on a project to dynamically tune the parameters of the Apache web 
> server. I'm particularly looking at changing MaxRequestWorkers (formerly 
> known as MaxClients) parameter by looking at runtime characteristics. I have 
> tried setting the parameter using the /etc/apache2/apache2.conf file, and 
> gracefully restarting the server. However, the value set for 
> MaxRequestWorkers does not seem to get reflected after the restart (I checked 
> the running processes). Is there any alternative way of doing this?

Are you sure you're not hitting ServerLimit
(https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html#serverlimit)?

rainer




Re: [users@httpd] Re: CVE-2019-0211 - Apache 2.2

2019-04-03 Thread Rainer Canavan
On Wed, Apr 3, 2019 at 10:18 AM LuKreme  wrote:
>
> On Apr 3, 2019, at 02:05, Hajo Locke  wrote:
> > Is apache 2.2 exploitable by CVE-2019-0211 ?
> > Description says that first affected version is 2.4.17, but may be 2.2 was 
> > not analyzed.
>
> “Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38” seems clear.

Since Apache httpd 2.2 is not supported anymore, it is quite possible
that nobody has checked if 2.2 is affected. However, it looks like redhat
has checked for their old RHEL releases that ship with 2.2 and they
appear to be unaffected:
https://access.redhat.com/security/cve/cve-2019-0211

rainer




Re: [users@httpd] restrict Location URL with special string

2018-06-13 Thread Rainer Canavan
On Wed, Jun 13, 2018 at 2:27 PM MOKRANI Rachid  wrote:

> I have URL like below (with ? and =)
> http://myserver/?s=about
>
> What’s the correct syntax to allow only some IP.
> 
> Require ip 127.0.0.1
> 

<Location> only matches the path part of the URL, not the query string
(i.e. the part after the ?).

There's an example for matching QUERY_STRING in
https://httpd.apache.org/docs/2.4/en/mod/core.html#if


Require ip 127.0.0.1


may work, but I haven't tested it.


rainer
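One way to write the <If> test Rainer points to, as an added example that is not from the thread and is untested like his. It restricts exactly the URL in the question; the regular expression is anchored on parameter boundaries so that s=aboutus or xs=about do not match.

```apache
# The request is "GET /?s=about". <Location> would only see "/", so the path
# and the query string are both tested in an <If> expression instead.
# Requests that do not match fall through to the surrounding configuration.
<If "%{REQUEST_URI} == '/' && %{QUERY_STRING} =~ /(^|&)s=about(&|$)/">
    Require ip 127.0.0.1
</If>
```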




Re: [users@httpd] Logging in apache

2018-04-19 Thread Rainer Canavan
On Wed, Apr 18, 2018 at 9:29 PM, Eric Covener  wrote:
> On Wed, Apr 18, 2018 at 3:18 PM, Hemant Chaudhary
>  wrote:
>> Thanks Eric
>>
>> It means thread are using lock so that one thread/process can write a time.
> I believe it's unlocked, I think posix promises they will not be
> interleaved if written through a shared file descriptor.

If I recall correctly, that's only true as long as the log lines are shorter
than PIPE_BUF (apparently 4096 on Linux). Very long log lines are
actually sometimes written interleaved by httpd.

rainer




Re: [users@httpd] Need Help in AB load testing with random query params.

2018-04-12 Thread Rainer Canavan
On Wed, Apr 11, 2018 at 5:54 PM, Absonworld .  wrote:
> Hi All ,

[...]
> a) Input file : text1 text2 text3
>
> b) URL :- {{BaseURL}}/apps/{{ApplId}}/courses/search?query={{random text
> from input file }}
>
> I would like to hit this search URL with different/random texts present in
> the input file
[...]

maybe try siege (https://www.joedog.org/siege-home/) instead, but you'd still
have to expand your list of "random" texts to full URLs, e.g.
for i in `cat inputfile`; do echo {{BaseURL}}/...?query=$i ; done > URLs
and then use siege -f URLs

rainer



Re: [users@httpd] Is httpd 2.4.x is supported on CentOs6?

2017-11-28 Thread Rainer Canavan
On Tue, Nov 28, 2017 at 1:47 PM, chetan jain  wrote:
> Hi All,
>
> As apache 2.2.x is EOL, I need to upgrade to httpd 2.4.x version but I am
> not able to verify anywhere if it is supported/tested configuration with
> Centos 6 OS?

If your requirement is that you are only allowed to run supported software,
you may be able to stick with what you currently have, because the httpd 2.2.x
packages that ship with RHEL 6 are still supported by Red Hat. In the same vein,
the essentially identical httpd 2.2.x packages that ship with CentOS 6 are
of course still supported by the CentOS team until November 2020, if I'm
not mistaken.

rainer



Re: [users@httpd] Apache 2.4 DoS?

2017-11-13 Thread Rainer Canavan
On Fri, Nov 10, 2017 at 6:41 PM, Douglas Duckworth
 wrote:
> Hi
>
> I am running old PHP under Apache httpd-2.4.

[...]
> Though, ever few weeks, we see sudden increase in workers who never seem to
> retire:
>
> [Fri Nov 10 02:43:20.019924 2017] [mpm_prefork:error] [pid 13584] AH00161:
> server reached MaxRequestWorkers setting, consider raising the
> MaxRequestWorkers setting
>
> user@server[/var/www]$ ps aux | grep [h]ttpd | wc -l
> 257

If the php locks up while processing your request, no logs will be written.
You may be running into a bug where circular, unresolvable dependencies for
a lock prevent the processes from completing their requests. To check what's
going on, install gdb, the debug info for your php and httpd and find the
.gdbinit that came with the httpd and php version you're using. Then attach
gdb to any of the hanging processes (gdb `which httpd` PID), source both
.gdbinit files, do a "zbacktrace" and a "bt full", and repeat for some other
hanging processes. Depending on the type of lock, you may be able to identify
the first process that has acquired that lock that all others are waiting
for, and the php code and / or php module that causes it.

rainer



Re: [users@httpd] How can I detect if SSLEngine is ON?

2017-10-25 Thread Rainer Canavan
[...]
> But, I don’t just need to know if a module is available: once the module is
> loaded, it's available for all virtualhosts.  I need to know if the SSLEngine
> has been enabled within a virtualhost so I can do something like the
> following:

mod_ssl sets the environment variable HTTPS to "on" if the current
request was received via https. You should be able to use the "env="
conditions for Header set to get your example to work as intended.

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars

rainer



Re: [users@httpd] Apache upgrade error

2017-08-03 Thread Rainer Canavan
[...]
> [Wed Aug 02 23:57:17.644430 2017] [http:error] [pid 23461910:tid 4627]
> [client 10.140.66.12:50843] AH02429: Response header name 'P3P:
> policyref="/w3c/p3p.xml"' contains invalid characters, aborting request
>

The header name may not contain : or space. You have to assemble them
as separate name and value.


rainer



Re: [users@httpd] Mod_ Backtrace in apache-2.4.25

2017-06-21 Thread Rainer Canavan
On Wed, Jun 21, 2017 at 8:16 AM, Hemant Chaudhary
 wrote:
> Hi
>
> Can mod_backtrace is available to support apache-2.4.25. I want to support
> it on HPE Non-stop.
> If no then order module which can work as backtrace.

You can enable core dumps and use a cron job to automatically generate
backtraces and delete the core dump files in case there are too many.

rainer



Re: [users@httpd] Rewrite REMOTE_USER environment variable

2017-05-24 Thread Rainer Canavan
On Tue, May 23, 2017 at 8:45 PM, Ken Mycock  wrote:
> Eric
>
> It seems to make sense that REMOTE_USER wasn't set when the rule I tried in
> htaccess ran, as that would explain RU not being set.
>
> But, REMOTE_USER must be set by Apache, even if it is late in the sequence,
> so where/how can I get at it?

ap_add_common_vars() sets REMOTE_USER from r->user, and practically nothing
happens between then and the execution of the cgi script (assuming you're using
mod_cgi, I haven't checked anything else). So it looks like your options are

- change the environment variable in the CGI process itself
- write an apache module to remove the leading zeroes
- possibly use mod_lua

rainer



Re: [users@httpd] Rewrite REMOTE_USER environment variable

2017-05-23 Thread Rainer Canavan
On Tue, May 23, 2017 at 2:10 PM, Ken Mycock  wrote:
[...]

> Hence, we need to allow authentication of either form of number but to strip
> leading zeros from the number stored in REMOTE_USER.
>
> I've tried various combinations of:
> RewriteCond %{REMOTE_USER} ^0*([1-9][0-9]+)
> RewriteRule ^0*([1-9]+)$ [E=RU:$1]

I haven't tested it, but I think

RewriteCond %{REMOTE_USER} ^0*([1-9][0-9]+)
RewriteRule ^ -  [env=REMOTE_USER:%1]

might work. The RewriteRule does nothing to the current location,
and sets REMOTE_USER from a backreference on the RewriteCond
matches.

rainer



Re: [users@httpd] Best Form Redirect Http --> Https VirtualHost Apache.

2017-04-20 Thread Rainer Canavan
On Thu, Apr 20, 2017 at 2:05 AM, Wilmer Arambula
 wrote:
>
> If that domain points to your servers external IP, it will be handled by the 
> first *:443 virtualhost:
>
> Ok, Perfect thanks a lot for your answer, is there any way to prevent it from 
> redirecting to the first *: 443 virtualhost, without having to define a 
> virtualhost
> for each domain undefined.

You can define one virtual host that handles all requests that do not match any
of your existing virtual hosts. If you define the new wildcard virtual host in
the correct order, you won't even have to use a ServerAlias with lots of
"*.* *.*.*" etc.

There's a detailed description of how virtualhost matching works at

https://httpd.apache.org/docs/2.4/vhosts/details.html


rainer



Re: [users@httpd] Re: Spoofing SERVER_PORT/HTTPS env?

2017-03-23 Thread Rainer Canavan
[...]
>> SetEnvIf X-HTTPS "on" SERVER_PORT=443
>>
>> The above results in:

[...]

>> $_SERVER[SERVER_PORT]; => 80

We had the same problem a few years ago, and went with a
workaround in the end. We're simply setting and evaluating a
different variable instead of SERVER_PORT, e.g.
OVERRIDE_SERVER_PORT,  if it is set.

rainer



Re: [users@httpd] Some basic (idiotic) queries regarding tunnelling-proxy

2017-03-22 Thread Rainer Canavan
> Now, we require something like opening an IFrame on the Server, and provide
> virtual access to the HTTP-Server (via Intermediatary), something like what
> Teamviewer does. We have the ability to modify to Server and Intermediatary,
> but not HTTP-Server in the general case.
>
> It would be great to have a Teamviewer-like experience, providing access of
> the HTTP-Server on the Server (via Intermediatary as the tunnelling-proxy).
> We are running Linux-flavours on Server and Intermediatary.

I don't understand what half of your statements may exactly mean, but
this doesn't appear to be an apache httpd related request. I think
the dynamic proxy option of most ssh clients (-D for openssh), used
as a SOCKS proxy in your browser may solve your problem. If that
doesn't help, some sort of VPN tunnel may be an alternative.

rainer



Re: [users@httpd] Unable to start apache-2.4.25; missing ssl module

2017-03-22 Thread Rainer Canavan
On Wed, Mar 22, 2017 at 3:29 AM, John Iliffe  wrote:
> Just in case anyone is thinking about this, I managed to resolve it, more
> by luck than by any plan.
>
> Basically, I just added links in the httpd/lib directory to everything that
> it claimed it couldn't find.  Some are actually links to links.

Links to links are perfectly fine. Alternatives to your solution would be
setting LD_LIBRARY_PATH=/usr/openssl-1.0.2k/lib in the environment
or re-building apache with suitable LDFLAGS, e.g. on linux
-Wl,-rpath,/usr/openssl-1.0.2k/lib. Check the man pages for ld and
ld.so (or however the dynamic linker on your platform may be called).

rainer



Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Rainer Canavan
On Tue, Feb 21, 2017 at 3:53 PM, Yann Ylavic <ylavic@gmail.com> wrote:
> On Tue, Feb 21, 2017 at 3:19 PM, Rainer Canavan
> <rainer.cana...@sevenval.com> wrote:
[...]
>> If you know where the .pid file is, you can read that and check if the
>> process is
>> running, e.g. via ps --pid `cat /var/run/apache2.pid`
>
> Or:
> kill -0 `cat /var/run/apache2.pid`
>
> which is likely "lighter".

That's probably the preferred way if the user has the proper
permissions, but fails if a non-privileged user attempts to check if a
process running as root is actually running.  I also haven't checked
if ps --pid is POSIX or a GNU extension, but it should at least work
on debian.


rainer
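An added example, not from the thread, in Python: it makes the distinction Rainer describes explicit by treating EPERM from kill -0 as proof that the process exists, and wraps that in a pid-file check that also recognises a stale or unreadable PidFile. The function names and the pid files written by self_check() are constructed for the example; no real httpd is involved.

```python
import os
import subprocess
import sys
import tempfile


def pid_state(pid: int) -> str:
    """Classify a pid with kill -0: 'running', 'running-other-user' or 'dead'.

    Signal 0 is never delivered; the kernel only performs the existence and
    permission checks. An unprivileged user probing a root-owned httpd gets
    EPERM, which still proves the process is there, so it must not be read
    as "not running".
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:      # ESRCH: no process with that pid
        return 'dead'
    except PermissionError:         # EPERM: exists, but owned by another user
        return 'running-other-user'
    return 'running'


def httpd_status(pidfile: str) -> str:
    """Read an httpd PidFile and say whether the recorded process is alive.

    Returns 'no-pidfile', 'bad-pidfile', 'stale' (file left behind by a
    process that is gone) or the pid_state() result.
    """
    try:
        with open(pidfile, encoding='ascii') as fh:
            text = fh.read().strip()
    except FileNotFoundError:
        return 'no-pidfile'
    if not text.isdigit() or int(text) < 1:
        return 'bad-pidfile'
    state = pid_state(int(text))
    return 'stale' if state == 'dead' else state


def self_check() -> dict:
    """Exercise httpd_status() on constructed pid files (no real httpd needed)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        def write_pidfile(name: str, content: str) -> str:
            path = os.path.join(tmp, name)
            with open(path, 'w', encoding='ascii') as fh:
                fh.write(content)
            return path

        # This interpreter stands in for a running httpd.
        results['live'] = httpd_status(write_pidfile('live.pid', f'{os.getpid()}\n'))

        # A child that has exited and been reaped: its pid no longer exists.
        child = subprocess.Popen([sys.executable, '-c', 'pass'])
        child.wait()
        results['stale'] = httpd_status(write_pidfile('dead.pid', f'{child.pid}\n'))

        results['missing'] = httpd_status(os.path.join(tmp, 'none.pid'))
        results['junk'] = httpd_status(write_pidfile('junk.pid', 'not a pid\n'))

        # pid 1 always exists; from an unprivileged shell kill -0 gets EPERM.
        results['pid1'] = pid_state(1)
    return results


if __name__ == '__main__':
    for name, state in self_check().items():
        print(f'{name:<8} {state}')
    sys.exit(0 if pid_state(os.getpid()) == 'running' else 1)
```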



Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Rainer Canavan
On Tue, Feb 21, 2017 at 2:53 PM, Tom Browder  wrote:
> I need to programmatically determine whether httpd is running or not, whether
> I'm root or not. The only reliable way I have found is to use the system
> command 'ps -C httpd' and grep the results.
>
> Is there a better way?


If you know where the .pid file is, you can read that and check if the
process is running, e.g. via ps --pid `cat /var/run/apache2.pid`


rainer



Re: [users@httpd] Apache 2.4.18: warnings issued since environment vars definitions isn't always loaded

2017-01-20 Thread Rainer Canavan
> sudo apache2 -M
>
> writes spurious lines like this:
>
> [Wed Jan 18 03:32:29.510875 2017] [core:warn] [pid 11564] AH00111: Config
> variable ${APACHE_LOG_DIR} is not defined
>
> even though the mentioned variable *is* defined in /etc/apache2/envvars

apache2 is the binary - you're not really supposed to use that directly when
starting the httpd service. The envvars script is used by the apache2ctl
script, not the httpd (=apache2) binary itself.


rainer



Re: [users@httpd] unresolved reference to ap_getword_nulls

2016-12-02 Thread Rainer Canavan
On Fri, Dec 2, 2016 at 6:08 AM, Hemant Chaudhary
 wrote:

>> > "unresolved reference to ap_getword_nulls".
> After "make install", I started my apache server, but it was not running
> because it was unable to recognize .so file. Hence I planned to convert .a
> into .so file.
>
> I am porting apache on Tandem NonStop.
> While converting I got this error. I think I am missing some library.

You don't state how you attempt that conversion. You should not need to
perform any conversion, instead, apxs should generate a dynamic module.
ap_getword_nulls is defined by the httpd executable, but you shouldn't
link against it (if that is even possible), since the symbol is resolved when
the module is loaded.

rainer



Re: [users@httpd] Re: apache 2.4 core dump on launch, no error logging

2016-11-17 Thread Rainer Canavan
On Thu, Nov 17, 2016 at 4:08 PM, @lbutlr  wrote:
> On Nov 17, 2016, at 3:56 AM, Nick Kew  wrote:
>> On Wed, 2016-11-16 at 12:12 -0700, @lbutlr wrote:
>>> When launching apache 2.4 I get a core dump. Nothing is logged to the 
>>> http-error log. I’ve tried rebuilding it to no avail. Ideas?
>>>
>> At the top of your coredump is libpcre.  Could it be that your
>> httpd has been built against a different/slightly incompatible
>> pcre version?
>
> Maybe? I’ve rebuilt apache several times and there’s been no change in 
> behavior, and I’ve updated all port versions as of yesterday.
>
> PCRE-8.39 is installed. I’m not sure how to tell if http is trying to access 
> a different version.

The output as posted is probably not too helpful, since it doesn't appear to
include a backtrace. Try a 'thread apply all bt full' in gdb; if there's only
one thread, and it's really OPENSSL_ia32_cpuid(), then openssl is the culprit,
and it's possible that the openssl command line client segfaults as well,
e.g. with openssl s_client or openssl s_server.

The list with pcre on the top is just the list of libraries gdb tries to load
debug symbols from. To get a more useful backtrace, you have to install the
debug symbols for all the relevant libraries, such that gdb does not complain
"(no debugging symbols found)" on startup for any library that is referenced
in any backtrace shown by 'thread apply all bt full'.

rainer



Re: [users@httpd] Parameter POST to PHP with proxy

2016-10-07 Thread Rainer Canavan
[...]
> But I have a HTML form which calls doctechnique.example.com like this
[...]
> redirection to http://doctechnique.exemple.com is OK but I cannot retrieve
> the variable Hqsdf218regTYH414 in the PHP code of doctechnique.example.com
> (variable POST).

If by redirect you mean a 301 or 302 redirect, then your browser is probably not
POSTing the second request, but just using GET. If such a redirect is indeed
currently used and necessary, you may have to use 307. Check

https://tools.ietf.org/html/rfc7231#section-6.4


rainer



Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Rainer Canavan
On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller  wrote:
> From the looks of it I would say it is targeting servers running SSL.  Are
> you serving up HTTP or HTTPS ?

I don't think that that is valid SSL, unless your httpd discards the first
few bytes. There was a SANS handler diary entry just yesterday about this:

https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/

if I try `openssl s_client -connect localhost:14020`, I get the below entry
in my access.log, which matches the description in the diary:

127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] -
"\x16\x03\x01\x01,\x01" 400 226 "-" "-"

this, however, is something completely different. I'd also guess it's some kind
of vulnerability scan:

> IP
> 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
> "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
> 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
> "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
> 200 48605

Rainer
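As an added example (not part of the thread), a small Python detector that reads access-log lines like the ones quoted above, undoes httpd's \xNN log escaping, recognises a TLS ClientHello record sent to a plaintext port, and flags non-HTTP request lines that were nevertheless answered with a 2xx, which is the case a defender should look into. The sample lines are constructed from the entries quoted in this thread, plus one made-up ordinary GET as a control; the function names are mine.

```python
import re

# Access-log entries quoted in the thread above, copied as constructed sample
# input (the 0.0.0.0 client addresses are as the poster anonymised them).
# The final GET line is a made-up control entry.
SAMPLE_LOG = r'''127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605
192.0.2.10 - - [06/Oct/2016:14:30:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.50.1"
'''

# Single-character escapes httpd uses in the access log besides \xNN.
_SIMPLE_ESCAPES = {'b': 0x08, 'n': 0x0a, 'r': 0x0d, 't': 0x09,
                   'v': 0x0b, '\\': 0x5c, '"': 0x22}

# client, anything up to the closing ']' of the timestamp, an optional lone
# '-' (as in the vhost-style line above), the quoted request, status, size.
LINE_RE = re.compile(
    r'^(\S+)\s.*?\]\s+(?:-\s+)?"((?:[^"\\]|\\.)*)"\s+(\d{3})\s+(\S+)')


def unescape_logitem(item: str) -> bytes:
    """Undo httpd's access-log escaping and return the raw request bytes."""
    out = bytearray()
    i = 0
    while i < len(item):
        ch = item[i]
        if ch != '\\':
            out.append(ord(ch))          # escaped log text is plain ASCII
            i += 1
            continue
        if i + 1 >= len(item):           # dangling backslash: keep it literally
            out.append(0x5c)
            break
        nxt = item[i + 1]
        hexpair = item[i + 2:i + 4]
        if nxt == 'x' and re.fullmatch(r'[0-9a-fA-F]{2}', hexpair):
            out.append(int(hexpair, 16))
            i += 4
        else:
            out.append(_SIMPLE_ESCAPES.get(nxt, ord(nxt)))
            i += 2
    return bytes(out)


def classify_request(raw: bytes) -> str:
    """'tls-client-hello', 'binary' or 'text' for a decoded request line."""
    # TLS record header: type 0x16 (handshake), version 0x03 0x0N, two length
    # bytes, then the handshake message type; 0x01 is ClientHello.
    if (len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03
            and raw[2] <= 0x04 and raw[5] == 0x01):
        return 'tls-client-hello'
    if any(b < 0x20 or b > 0x7e for b in raw):
        return 'binary'
    return 'text'


def scan_log(text: str) -> list:
    """Parse access-log lines and mark the ones worth a closer look."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, request, status, size = m.groups()
        kind = classify_request(unescape_logitem(request))
        findings.append({
            'client': client,
            'kind': kind,
            'status': int(status),
            'size': size,
            # A TLS handshake on a plaintext port is rejected with 400 and is
            # just a misdirected client or scanner. Binary junk that some
            # handler answered with a 2xx is the case to investigate.
            'review': kind != 'text' and 200 <= int(status) < 300,
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        flag = '  <-- review' if f['review'] else ''
        print(f"{f['client']:<12} {f['kind']:<17} {f['status']} "
              f"{f['size']:>6}{flag}")
```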



Re: [users@httpd] 2.4 named virtual hosts question

2016-09-13 Thread Rainer Canavan
On Mon, Sep 12, 2016 at 7:37 PM, Marat Khalili <m...@rqc.ru> wrote:
> On 12/09/16 18:47, Rainer Canavan wrote:
>> The obvious ones I can come up with would be Alias, ScriptAlias,
>> FastCGIExternalServer,
>> Action and RewriteRule. All those can be defined in the global context
>> (i.e. outside
>> of any vhost) and are valid for all vhosts. (for RewriteRule, that may
>> require
>> RewriteOptions Inherit), all others simply apply to all vhosts.
>
> But if I remove my default "deny" virtual host, what changes? That's what I
> cannot quite get in your explanation.

If you remove the special "deny" vhost, everything is fine. If you add one,
you may have set yourself a much larger set of traps than the configuration
options I've listed above.

rainer



Re: [users@httpd] 2.4 named virtual hosts question

2016-09-12 Thread Rainer Canavan
On Mon, Sep 12, 2016 at 3:21 PM, Marat Khalili <m...@rqc.ru> wrote:
> On 12/09/16 15:25, Rainer Canavan wrote:
>>
>>
>> However, in this example, you'd add a virtualhost that may expose
>> globally configured resources without the individual access controls of
>> the "real" vhosts. On top of that, the additional vhost may not see any
>> significant testing in case of configuration changes.
>
> I don't get it, can you please provide an example? IMO any additional vhosts
> should not depend at all on what's inside this vhost.

The obvious ones I can come up with would be Alias, ScriptAlias,
FastCGIExternalServer, Action and RewriteRule. All those can be defined in
the global context (i.e. outside of any vhost) and are valid for all vhosts
(for RewriteRule, that may require RewriteOptions Inherit; all others simply
apply to all vhosts).

>> Do _exactly_ that, e.g. with a RewriteRule to - and RewriteCond that
>> checks the Host: header.
>
> You mean, outside any virtualhost? Why do you think it's better? Initial
> problem was default virtualhost -- I want none.

that's exactly what I'm saying. A default vhost has the potential to add
more problems than it can ever solve.

[...]

>> Overall I'd say that the negligible gain in
>> perceived security isn't worth the effort or the additional risks
>> (both regarding security and availability).
>
> Well, for one thing log messages from actual vhosts and from internet scans
> are separated, this alone saves a lot of time.

Finally, an actual, measurable benefit, although it only filters out the
not-too-smart scanners.

rainer



Re: [users@httpd] 2.4 named virtual hosts question

2016-09-12 Thread Rainer Canavan
[...]

>> Additionally, if you bind any further vhosts to specific IP addresses, e.g.
>> <VirtualHost 192.0.2.1:80>, then that virtualhost will have precedence for
>> requests to 192.0.2.1:80 over the *:80 virtualhost.
>
> In this case you'll have create separate default deny configuration for each
> IP address, right?
>
>> Overall, I'd say that such a construct is more likely to increase the attack 
>> surface
>> instead of reducing it.
>
> I don't think _denying_ something can _increase_ attack surface.

However, in this example, you'd add a virtualhost that may expose
globally configured resources without the individual access controls of
the "real" vhosts. On top of that, the additional vhost may not see any
significant testing in case of configuration changes.

> But since
> there's seemingly demand for this kind of configuration it'd be nice if
> community helped make it better and more secure. What extra steps do you
> think one should take to securely deny (and subsequently ban) clients
> (mostly bots) that do not even know domain name they are accessing?

Do _exactly_ that, e.g. with a RewriteRule to - and RewriteCond that
checks the Host: header. I'd guess that httpd 2.4 has more elegant means
to express this with actual "deny" directives, possibly combined with a
SetEnvIf.

If you're really serious, you'd also have to make sure that any error messages
don't contain the hostname, and you'd have to set reverse DNS lookups to
point to a useless name. Overall I'd say that the negligible gain in
perceived security isn't worth the effort or the additional risks
(both regarding
security and availability).

rainer



Re: [users@httpd] 2.4 named virtual hosts question

2016-09-12 Thread Rainer Canavan
>> 
>> ServerName default
>>
>> 
>> AllowOverride none
>> Order Allow,Deny
>> Require all denied
>> 
>> 
[...]

I'm not 100% sure, but that may not deny access to absolutely everything,
in case you have global directives such as cgi aliases or proxy constructs,
possibly with mod_rewrite and [P] which point to non-directory resources.

Therefore it may be better to use <Location> instead of <Directory>.

Additionally, if you bind any further vhosts to specific IP addresses, e.g.
<VirtualHost 192.0.2.1:80>, then that virtualhost will have precedence for
requests to 192.0.2.1:80 over the *:80 virtualhost.

Overall, I'd say that such a construct is more likely to increase the
attack surface instead of reducing it.

rainer


Re: [users@httpd] Apache Host not found

2016-07-18 Thread Rainer Canavan
On Wed, Jul 13, 2016 at 10:16 AM, Theo Sweeny  wrote:
> Thank you Daniel.
>
>
>
> At the moment it is set to –
>
>
>
> STATUSURL="http://localhost:80/server-status;
>
>
>
> Should it be configured like so when there are multiple sites?
>
>
>
> STATUSURL="http://www.site1.com:80/server-status;
> http://www.site2.com:80/server-status; http://www.site3.com:80/server-status;

No, the output of mod_status is identical on all vhosts. If you get
“Host not found” for localhost, you should fix your /etc/hosts. You also
may have to unset http_proxy and related variables, if you have them in
your environment.

rainer



Re: [users@httpd] RE: Apache default page shows up periodically

2016-06-30 Thread Rainer Canavan
On Thu, Jun 30, 2016 at 11:37 PM, Rose, John B  wrote:
> Single host.

If you haven't already, make sure that your LogFormat contains %v:%p
_and_ host:\"%{host}i\" and check both if the problem reappears.

Is there any good reason why you still have the default vhost configured
at all, much less as the first (and therefore default) vhost?

rainer



Re: [users@httpd] How i can determine SSL protocol?

2016-04-18 Thread Rainer Canavan
On Mon, Apr 18, 2016 at 10:47 AM, Виталий Фадеев  wrote:
> Hello!
> We want to show different page for users that come with SSL3 or TLS/1.0
> Is this possible?
> For example, by creating two virtual servers with different
> SSLProtocols. DirectoryRoot, and the same ServerName?

I don't think that will work, because the SSL Handshake runs only once.

If you set SSLOptions StdEnvVars, you should be able to select/alter content
based on the SSL_PROTOCOL variable.

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars

rainer



Re: [users@httpd] Get UID/GID from a username string

2016-04-15 Thread Rainer Canavan
On Fri, Apr 15, 2016 at 9:14 AM, Ben RUBSON  wrote:
> Hello,
>
> I already do it with a RewriteMap Perl script, but perhaps a faster (in terms 
> of performance) solution exists.
> Let's assume an incoming request contains a username, is there a way to get 
> the system UID of this username string (Linux/FreeBSD) ?
> And from a UID string, to get the corresponding GID ?

I can't think of any solution that would work out of the box, but
you can always write your own apache module in C.

rainer



Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

2016-04-08 Thread Rainer Canavan
On Fri, Apr 8, 2016 at 6:02 PM, Christopher Schultz
 wrote:
[...]
> I'm speaking from a position of ignorance, here, but can a dynamic
> library modify the main process's search path? If only mod_ssl is
> compiled with the static-path to OpenSSL but httpd is not (and it's
> not clear to me that httpd is missing this static-path), surely the
> loadable module isn't modifying the process's library load-path, is it?

The manpage would indicate that the runpath is only valid for the library
for which it has been set:

https://docs.oracle.com/cd/E19683-01/816-0210/6m6nb7md6/index.html

The runtime linker uses a prescribed search path for locating the
dynamic dependencies of an object. The default search paths are
the runpath recorded in the object, followed by /usr/lib for 32-bit
objects or /usr/lib/64 for 64-bit objects. This latter component can
be modified using a configuration file created with crle(1). The
runpath is specified when the dynamic object is constructed using the
-R option to ld(1). LD_LIBRARY_PATH can be used to indicate directories
to be searched before the default directories.

rainer



Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

2016-04-08 Thread Rainer Canavan
On Fri, Apr 8, 2016 at 12:31 AM, Yann Ylavic  wrote:
> On Thu, Apr 7, 2016 at 5:21 PM, Poggenpohl, Daniel
>  wrote:
>>
>> LDFLAGS="-L$OPENSSLDIR/lib -R $OPENSSLDIR/lib"
>
> I don't know which compiler you are using, but gcc's -R is not working
> correctly (on Linux at least), whereas "-Wl,-rpath,$OPENSSLDIR/lib"
> is...

-R used to work for us on Solaris with gcc to compile/link/run our own
httpd / php / curl / openssl stack. However, I'm not sure which linker we
used to use. If ldd claims it's picking up the correct libraries, I'd assume
it should work at runtime as well.  In case there's any doubt, lsof may show
which libraries are actually used.


rainer



Re: [users@httpd] Re: How to load an image with out extension in browser

2016-02-16 Thread Rainer Canavan
On Tue, Feb 16, 2016 at 3:42 PM, Curtis Maurand  wrote:
>
>
> On 2/16/2016 5:37 AM, @lbutlr wrote:
>
> On Feb 16, 2016, at 2:02 AM, Aravin  wrote:
>
> Before we upgrade the apache 2.4 the below image url can be viewable through
> browsers. but after upgraded the apache we are not able to view this image
>
> http://www.mytechlogy.com/upload/f457c545a9ded88f18ecee47145a72c01411190633050_5R4EHmGwkmmVaSaQLJdvH2hE6EZBaSOQIx2zHDrnJWubAdd6djHQQSkZHG4eSE0Ek4VNFEmDqcVw
>
> Works fine here.
>
> Works OK, here, too.

The response does not include a Content-Type: header field (with an
appropriate value, such as "image/jpeg" or whatever). Therefore it
isn't guaranteed to work, although it should work with practically all
modern browsers.

If this is indeed the source of the problem, the MimeMagicFile
directive may help.

http://httpd.apache.org/docs/current/mod/mod_mime_magic.html#mimemagicfile

rainer



[users@httpd] AH00273: apr_proc_mutex_lock failed, possibly caused by cron, systemd or su

2015-12-18 Thread Rainer Canavan
Hi,

we've got an obscure problem with the apache httpd that was shipped
with CentOS 7.2. We perform automatic builds and updates via cron,
and the problem has appeared since the update to CentOS 7.2. The update
script is triggered by cron and stops, yum updates and starts the httpd.
When the next cron job that is run as the same user as the httpd (not the
update job) terminates, the httpd frequently fails, starting with an
AH00273: apr_proc_mutex_lock failed message, and then a never-ending loop
of AH00272 messages, one from each httpd process that is forked, until
the listener process is stopped.

[Thu Dec 17 08:30:04.895455 2015] [mpm_worker:notice] [pid 12021:tid
140011320178752] - AH00295: caught SIGTERM, shutting down
[Thu Dec 17 08:30:52.783949 2015] [mpm_worker:notice] [pid 23947:tid
140703866935360] - AH00292: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
configured -- resuming normal operations
[Thu Dec 17 08:30:52.784091 2015] [core:notice] [pid 23947:tid
140703866935360] - AH00094: Command line: '/usr/sbin/httpd -d
/opt/sevenval/fit14/ -f /opt/sevenval/fit14/conf/httpd.conf'
[Thu Dec 17 08:40:54.959482 2015] [mpm_worker:emerg] [pid 23949:tid
140703388559104] (43)Identifier removed: - AH00273:
apr_proc_mutex_lock failed. Attempting to shutdown process gracefully.
[Thu Dec 17 08:40:55.669532 2015] [mpm_worker:emerg] [pid 25505:tid
140703388559104] (22)Invalid argument: - AH00272: apr_proc_mutex_lock
failed before this child process served any requests.
[Thu Dec 17 08:40:55.991490 2015] [mpm_worker:emerg] [pid 23950:tid
140703388559104] (22)Invalid argument: - AH00273:
apr_proc_mutex_unlock failed. Attempting to shutdown process
gracefully.
[Thu Dec 17 08:40:57.672519 2015] [mpm_worker:emerg] [pid 25540:tid
140703388559104] (22)Invalid argument: - AH00272: apr_proc_mutex_lock
failed before this child process served any requests.
[Thu Dec 17 08:40:59.676573 2015] [mpm_worker:emerg] [pid 25575:tid
140703388559104] (22)Invalid argument: - AH00272: apr_proc_mutex_lock
failed before this child process served any requests.

The httpd version is the old version from RHEL (httpd-2.4.6-40.el7).
The backtrace is rather uninteresting:

(gdb) bt full
#0  accept_mutex_error (func=0x7f3fcac5d299 "unlock", rv=22,
process_slot=0) at worker.c:659
level = 0
#1  0x7f3fcac5b46a in listener_thread (thd=0x7f3fcdc405c8,
dummy=) at worker.c:849
ti = 
process_slot = 0
tpool = 
csd = 0x7f3fc00444c0
ptrans = 0x7f3fc0044438
pollset = 0x7f3fc003fa30
rv = 
lr = 0x7f3fcdbd5a98
have_idle_worker = 1
last_poll_idx = 1
#2  0x7f3fcc26cdc5 in start_thread (arg=0x7f3fb0fe1700) at
pthread_create.c:308
__res = 
pd = 0x7f3fb0fe1700
now = 
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139911529109248,
4832434510689815290, 0, 139911529109952, 139911529109248, 0,
-4796579440261772550,
-4796375556103124230}, mask_was_saved = 0}}, priv =
{pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0,
canceltype = 0}}}
not_first_call = 
pagesize_m1 = 
sp = 
freesize = 
#3  0x7f3fcbd9621d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:113
No locals.

Does anyone have any ideas what may cause these mutex errors?

thanks,

rainer



Re: [users@httpd] Logging an masqueraded header in Apache 2.4

2015-12-16 Thread Rainer Canavan
2015-12-16 17:56 GMT+01:00 Christian Georg :
> Hi all,
>
>
> I am looking for a solution to masquerade/anonymize data I am writing to the
> acccess log on my proxy. For debugging purposes we need to trace data based
> on the x-auth header. As this header contains critical data I do not want to
> enable logging of the full header. Instead I am looking for a solution to
> only log the first X and the last y header. so instead of logging
>
>
>   ycsfsfdawlkcfawncfewmlcsdfacs
>
>
> I would like to see something like this
>
>   ycsfsfd###csdfacs
>
>  or this.
>
>   ycsfsfd..csdfacs
>
>
> I am using apache 2.4 on centos
> Any suggestion?

setenvif or a RewriteRule, possibly together with a RewriteCond
should be able to apply a regular expression to the value of a header
and set a new environment variable based on that.

rainer
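As an added configuration example (not part of the original reply), one way to put the masked value into an environment variable with SetEnvIf and log that instead of the raw header. It assumes the header is named X-Auth, that seven characters on each side are enough for tracing, and that SetEnvIf backreferences ($1, $2) are available in your httpd build:

```apache
# Added example, not from the original post. Assumes the header is X-Auth,
# that 7 characters on each side are kept, and SetEnvIf backreference support.

# Keep the first 7 and the last 7 characters, replace the middle with ###.
SetEnvIf X-Auth "^(.{7}).*(.{7})$" XAUTH_MASKED=$1###$2

# Values of 14 characters or fewer would be logged (almost) in full by the
# rule above, so overwrite the variable with a fixed marker for those.
SetEnvIf X-Auth "^.{0,14}$" XAUTH_MASKED=short

# Log the environment variable (%{...}e), never the raw header (%{...}i).
# Requests without an X-Auth header log "-" for this field.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{XAUTH_MASKED}e\"" masked
CustomLog "logs/access_log" masked
```

Check with a request carrying a known long X-Auth value that the log shows only the prefix, ###, and suffix, and that no other CustomLog or ErrorLog format on the proxy still references %{X-Auth}i.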




Re: [users@httpd] debugging segmentation fault

2015-07-27 Thread Rainer Canavan
2015-07-27 6:33 GMT+02:00 deva seetharam tagse...@yahoo.com.invalid:
> hello
>
> we are running debian linux stable (Jessie) with apache 2.4.10 and mod_wsgi
> 4.3.0-1 on a x86_64 machine.
> our application is written in python 2.7 and django 1.8.
>
> the list of modules as reported by apachectl -M are:
> Loaded Modules:
[...]
> we were getting segmentation faults when rest api clients were making
> requests. the apache error log has the following messages:
>
> [Mon Jul 27 09:04:38.375433 2015] [core:notice] [pid 32693:tid
> 140315326191488] AH00052: child pid 32700 exit signal Segmentation fault
> (11)
> [Mon Jul 27 09:04:38.375556 2015] [core:notice] [pid 32693:tid
> 140315326191488] AH00052: child pid 32701 exit signal Segmentation fault
> (11)
>
> i have enabled core dumps by setting ulimit to unlimited and adding core
> dump config directive in the apache2.conf file.
>
> but the core dumps are not happening.

Does www-data have write permissions in the CoreDumpDirectory? Another method
to set the core dump directory in linux is

echo /var/tmp/core-%e.%p > /proc/sys/kernel/core_pattern

The ulimit is only valid for the shell (and subsequent child
processes) you're currently in,
so you should restart apache from the same shell.

You can test if your configuration works by just sending a SIGSEGV
yourself, just
kill -11 one of the apache processes.

rainer




Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread Rainer Canavan
>> Remove etags (Header unset Etag/FileETag None)
>
> Won't this disable conditional requests, ex. If-None-Match and friends? Is
> your recommendation because of the header overhead or am I missing something?

Just if-None-Match. If-Modified-Since would still work. I believe
people recommend disabling ETags because they may cause problems with
clusters (i.e. different inode numbers or modification times for
otherwise identical files), or gzip content encoding
(https://bz.apache.org/bugzilla/show_bug.cgi?id=45023).

rainer




Re: [users@httpd] Random latency in reentrant calls (Bug 57916)

2015-05-12 Thread Rainer Canavan
2015-05-12 10:03 GMT+02:00 Luc Andre landre3...@gmail.com:
> Thanks for your reply.
>
> We did a test on a powerful server with
>
> StartServers  20
> MinSpareServers   5
> MaxSpareServers  20
>
> And we still have the issue...


To ensure that you don't hit the child spin up issue, you'll have to set
MinSpareServers to a value equal to or greater than the number of
processes you need for your test, I'd recommend 20 in this case, just to be
sure. Are you sure that you're using the prefork mpm, and therefore those
settings are actually relevant? If you don't have a good reason to use
prefork, you may get better performance with worker or event (but be sure
to tune the associated settings, such as ThreadsPerChild, appropriately).

Additionally, you don't specify how your PHP is configured. If you're using
PHP-FPM, you need to ensure that pm.start_servers and pm.min_spare_servers
are large enough as well.

rainer


Re: [users@httpd] Handling MS Internet Shortcuts and Links

2015-05-04 Thread Rainer Canavan
2015-05-01 16:00 GMT+02:00 David A. Cobb superbis...@cox.net:
[...]
> However, if I click the URL file in a Directory List served from Apache, I
> get the plain text file displayed.  I can go to the target with one or two
> extra steps, but it's a PITA.


It's a text file, so that's the expected result, since there are no special
handlers for .url-Files in httpd.

> It seems what I should do is to parse the file in the server and send a
> Permanently Moved To redirection to the browser.

I don't think you can achieve this with the likes of mod_rewrite, mod_setenvif
etc. It should require a proper program, e.g. via CGI, mod_perl
mod_php or the likes, plus probably a RewriteRule to start the script
whenever a .url file is requested. Or maybe mod_lua and a LuaOutputFilter.

> Or, I suppose, I could simply do the redirection; but somehow that feels less
> safe.

Not sure what you're trying to say here.

> Now, if I can be allowed a second question in the same post, can I do the
> same thing with Microsoft .lnk shortcuts?  It would be a simple script
> operation to transform the local FileSystem path to a localhost:8080/
> path.

That's actually not trivial in the general case, since it's not
necessarily obvious
how file system paths map to URLs.

rainer
