Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic
On Mon, Apr 22, 2024 at 3:51 PM Daiya, Devendra singh wrote:
>
> SSLVerifyCLient require
> SSLVerifyDepth 10

These directives apply to the client/browser connection, so you are effectively enabling mtls on the client side too, hence the error messages ("AH02008: SSL library error 1 in handshake (server hostname:port)" and "SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate") if the client isn't providing a certificate.

You should probably remove them if you only want mtls with the backend server.

Regards;
Yann.

- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] RewriteMap and patterns
On Sun, Mar 24, 2024 at 2:31 AM Dave Wreski wrote:
>
> I'd like to be able to use the static map for the IDs I do know, and send any
> others to the redirect script directly from within my apache config directly.
> Is this possible?
>
> Something like this:
>
> RewriteEngine on
> RewriteMap lsv2ids "txt:/etc/httpd/conf.d/linuxsecurity-lsv2ids.map"
> RewriteRule "/content/view/([0-9]{6})/?" "${lsv2ids:$1}" [L]
>
> RewriteRule "/content/view/([0-9]{6})/?"
> "https://linuxsecurity.com/redirection/index.php?type=view=$1=$1;

Possibly using the "DefaultValue" (i.e. not found) as described in [1]:

RewriteRule "/content/view/([0-9]{6})/?" "${lsv2ids:$1|https://linuxsecurity.com/redirection/index.php?type=view=$1=$1}; [L]

[1] https://httpd.apache.org/docs/2.4/rewrite/rewritemap.html

Regards;
Yann.
Re: [users@httpd] working with a reverse proxy
On Tue, Feb 27, 2024 at 9:49 PM Marc wrote:
>
> Should I for instance set headers, and in the proxied website should I check
> on such headers? (Btw this is php). Or are there other things available like
> HTTP_X_FORWARDED_FOR

mod_proxy should add the "X-Forwarded-Host" header (i.e. HTTP_X_FORWARDED_HOST in cgi/php) with the value of defaulthost, when forwarding the request to proxyhost. This is the default behaviour, unless "ProxyAddHeaders off".

Regards;
Yann.
Re: [users@httpd] graceful-stop closes established connections without response
On Tue, Jan 30, 2024 at 8:24 PM Sherrard Burton wrote:
>
> i have confirmed that the patch has been applied, and the behavior still
> persists, as confirmed by comparing the counts of [SYN,ACK] and accept()
>
> ~$ tcpdump -n -r /tmp/tcpdump.pcap | grep -Fc '[S.]'; grep -Fh 'accept4' /tmp/strace-apache2.out.* | grep -Fc .240.209
> reading from file /tmp/tcpdump.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
> Warning: interface names might be incorrect
> 3485
> 3483

This means those two connections came in (or were made available by the system) after the last accept() call, which is the race condition that httpd can do nothing about unfortunately.

How much does it improve compared to non-patched httpd, how many reset connections without the patch? If not significant I don't think it's worth attempting to do something about it..

Regards;
Yann.
Re: [users@httpd] graceful-stop closes established connections without response
On Tue, Jan 30, 2024 at 11:54 AM Yann Ylavic wrote: > > On Tue, Jan 30, 2024 at 4:37 AM Sherrard Burton wrote: > > > > i was going to add some debugging lines, but when i took a quick look at > > the patch, i wasn't clear on which sections of the code i should be > > guaranteed to hit. can you be so kind as to send an updated patch with > > some gratuitous logging in the appropriate sections so that there will > > be positive affirmation that the patch has (or hasn't) been applied and > > is falling into the expected sections? > > Sure, here is a v2 (which also includes a fix w.r.t. v1). Argh, please use this v3 instead, I missed that EINTR could interfere and should be ignored while draining. > > Regards; > Yann. Index: server/mpm/event/event.c === --- server/mpm/event/event.c (revision 1915442) +++ server/mpm/event/event.c (working copy) @@ -174,7 +174,7 @@ static int had_healthy_child = 0; static volatile int dying = 0; static volatile int workers_may_exit = 0; static volatile int start_thread_may_exit = 0; -static volatile int listener_may_exit = 0; +static volatile apr_uint32_t listener_may_exit = 0; static int listener_is_wakeable = 0;/* Pollset supports APR_POLLSET_WAKEABLE */ static int num_listensocks = 0; static apr_int32_t conns_this_child;/* MaxConnectionsPerChild, only access @@ -481,8 +481,7 @@ static void disable_listensocks(void) static void enable_listensocks(void) { int i; -if (listener_may_exit -|| apr_atomic_cas32(_disabled, 0, 1) != 1) { +if (dying || apr_atomic_cas32(_disabled, 0, 1) != 1) { return; } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, APLOGNO(00457) @@ -575,8 +574,7 @@ static void wakeup_listener(void) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, "wake up listener%s", listener_may_exit ? " again" : ""); -listener_may_exit = 1; -disable_listensocks(); +apr_atomic_cas32(_may_exit, 1, 0); /* Unblock the listener if it's poll()ing */ if (event_pollset && listener_is_wakeable) { 
@@ -1184,12 +1182,9 @@ read_request: cs->pub.state = CONN_STATE_READ_REQUEST_LINE; goto read_request; } -else if (!listener_may_exit) { +else { cs->pub.state = CONN_STATE_CHECK_REQUEST_LINE_READABLE; } -else { -cs->pub.state = CONN_STATE_LINGER; -} } if (cs->pub.state == CONN_STATE_CHECK_REQUEST_LINE_READABLE) { @@ -1256,18 +1251,21 @@ static void check_infinite_requests(void) } } -static int close_listeners(int *closed) +static int close_listeners(void) { ap_log_error(APLOG_MARK, APLOG_TRACE6, 0, ap_server_conf, "clos%s listeners (connection_count=%u)", - *closed ? "ed" : "ing", apr_atomic_read32(_count)); -if (!*closed) { + dying ? "ed" : "ing", apr_atomic_read32(_count)); +if (!dying) { int i; +dying = 1; /* once */ + +ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, + "XXX: closing"); + ap_close_listeners_ex(my_bucket->listeners); -*closed = 1; /* once */ -dying = 1; ap_scoreboard_image->parent[ap_child_slot].quiescing = 1; for (i = 0; i < threads_per_child; ++i) { ap_update_child_status_from_indexes(ap_child_slot, i, @@ -1654,8 +1652,7 @@ static void * APR_THREAD_FUNC listener_thread(apr_ proc_info *ti = dummy; int process_slot = ti->pslot; struct process_score *ps = ap_get_scoreboard_process(process_slot); -int closed = 0; -int have_idle_worker = 0; +int have_idle_worker = 0, exiting = 0; apr_time_t last_log; last_log = apr_time_now(); @@ -1678,8 +1675,8 @@ static void * APR_THREAD_FUNC listener_thread(apr_ if (conns_this_child <= 0) check_infinite_requests(); -if (listener_may_exit) { -int first_close = close_listeners(); +if (exiting) { +int first_close = close_listeners(); if (terminate_mode == ST_UNGRACEFUL || apr_atomic_read32(_count) == 0) 
@@ -1710,7 +1707,7 @@ static void * APR_THREAD_FUNC listener_thread(apr_ apr_atomic_read32(keepalive_q->total), apr_atomic_read32(_count), apr_atomic_read32(_count)); -if (dying) { +if (exiting) { ap_log_error(APLOG_MARK, APLOG_TRACE6, 0, ap_server_conf, "%u/%u workers shutdown", apr_atomic_read32(_shutdown), @@
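Review bot: the message says v3 differs from v2 by ignoring EINTR while draining, but none of the hunks quoted here touch an EINTR check and the diff stops at the `@@` header following the `@@ -1710,7 +1707,7 @@` hunk, so the fix being tested is not visible in this copy; anyone verifying Sherrard's result against it cannot tell v2 from v3. Leading the message with the changed hunk, or naming the function it lands in, would help.

Review bot: in the `@@ -1256,18 +1251,21 @@` hunk the `ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, "XXX: closing")` line is the gratuitous debugging requested in the thread; since this version is the one being asked to test, it is worth saying explicitly which log lines (`XXX: closing` and the `XXX: may exit` one from v2, if still present) the tester should look for, so that "patch applied" can be confirmed from the error log alone.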
Re: [users@httpd] graceful-stop closes established connections without response
On Tue, Jan 30, 2024 at 4:37 AM Sherrard Burton wrote: > > i was going to add some debugging lines, but when i took a quick look at > the patch, i wasn't clear on which sections of the code i should be > guaranteed to hit. can you be so kind as to send an updated patch with > some gratuitous logging in the appropriate sections so that there will > be positive affirmation that the patch has (or hasn't) been applied and > is falling into the expected sections? Sure, here is a v2 (which also includes a fix w.r.t. v1). Regards; Yann. Index: server/mpm/event/event.c === --- server/mpm/event/event.c (revision 1915442) +++ server/mpm/event/event.c (working copy) @@ -174,7 +174,7 @@ static int had_healthy_child = 0; static volatile int dying = 0; static volatile int workers_may_exit = 0; static volatile int start_thread_may_exit = 0; -static volatile int listener_may_exit = 0; +static volatile apr_uint32_t listener_may_exit = 0; static int listener_is_wakeable = 0;/* Pollset supports APR_POLLSET_WAKEABLE */ static int num_listensocks = 0; static apr_int32_t conns_this_child;/* MaxConnectionsPerChild, only access @@ -481,8 +481,7 @@ static void disable_listensocks(void) static void enable_listensocks(void) { int i; -if (listener_may_exit -|| apr_atomic_cas32(_disabled, 0, 1) != 1) { +if (dying || apr_atomic_cas32(_disabled, 0, 1) != 1) { return; } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, APLOGNO(00457) @@ -575,8 +574,7 @@ static void wakeup_listener(void) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, "wake up listener%s", listener_may_exit ? " again" : ""); -listener_may_exit = 1; -disable_listensocks(); +apr_atomic_cas32(_may_exit, 1, 0); /* Unblock the listener if it's poll()ing */ if (event_pollset && listener_is_wakeable) { 
@@ -1184,12 +1182,9 @@ read_request: cs->pub.state = CONN_STATE_READ_REQUEST_LINE; goto read_request; } -else if (!listener_may_exit) { +else { cs->pub.state = CONN_STATE_CHECK_REQUEST_LINE_READABLE; } -else { -cs->pub.state = CONN_STATE_LINGER; -} } if (cs->pub.state == CONN_STATE_CHECK_REQUEST_LINE_READABLE) { @@ -1256,18 +1251,21 @@ static void check_infinite_requests(void) } } -static int close_listeners(int *closed) +static int close_listeners(void) { ap_log_error(APLOG_MARK, APLOG_TRACE6, 0, ap_server_conf, "clos%s listeners (connection_count=%u)", - *closed ? "ed" : "ing", apr_atomic_read32(_count)); -if (!*closed) { + dying ? "ed" : "ing", apr_atomic_read32(_count)); +if (!dying) { int i; +dying = 1; /* once */ + +ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, + "XXX: closing"); + ap_close_listeners_ex(my_bucket->listeners); -*closed = 1; /* once */ -dying = 1; ap_scoreboard_image->parent[ap_child_slot].quiescing = 1; for (i = 0; i < threads_per_child; ++i) { ap_update_child_status_from_indexes(ap_child_slot, i, @@ -1654,8 +1652,7 @@ static void * APR_THREAD_FUNC listener_thread(apr_ proc_info *ti = dummy; int process_slot = ti->pslot; struct process_score *ps = ap_get_scoreboard_process(process_slot); -int closed = 0; -int have_idle_worker = 0; +int have_idle_worker = 0, exiting = 0; apr_time_t last_log; last_log = apr_time_now(); @@ -1678,8 +1675,8 @@ static void * APR_THREAD_FUNC listener_thread(apr_ if (conns_this_child <= 0) check_infinite_requests(); -if (listener_may_exit) { -int first_close = close_listeners(); +if (exiting) { +int first_close = close_listeners(); if (terminate_mode == ST_UNGRACEFUL || apr_atomic_read32(_count) == 0) @@ -1710,7 +1707,7 @@ static void * APR_THREAD_FUNC listener_thread(apr_ apr_atomic_read32(keepalive_q->total), apr_atomic_read32(_count), apr_atomic_read32(_count)); -if (dying) { +if (exiting) { ap_log_error(APLOG_MARK, APLOG_TRACE6, 0, ap_server_conf, "%u/%u workers shutdown", apr_atomic_read32(_shutdown), 
@@ -1792,6 +1789,10 @@ static void * APR_THREAD_FUNC listener_thread(apr_ } num = 0; } +if (!exiting && apr_atomic_read32(_may_exit)) { +ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, + "XXX: may exit (%d, %d)", rc, num); +} if (APLOGtrace7(ap_server_conf)) { now =
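Review bot: in the `@@ -1256,18 +1251,21 @@` hunk `dying = 1` is now set before `ap_close_listeners_ex(my_bucket->listeners)` instead of after it (the old `*closed = 1; dying = 1;` tail), which is the right order now that the `@@ -481` hunk makes `enable_listensocks()` bail out on `dying`, otherwise a worker could re-enable the sockets while they are being closed; a one-line comment stating that ordering dependency would keep the next refactor from swapping them back. The `APLOG_NOTICE` `"XXX: closing"` line is debugging and must not survive into a commit (or should drop to trace with an `APLOGNO`).

Review bot: in the `@@ -1654,8 +1652,7 @@`, `@@ -1678,8 +1675,8 @@` and `@@ -1710,7 +1707,7 @@` hunks the new local `exiting` replaces both the `listener_may_exit` and the `dying` tests, but nothing quoted ever assigns `exiting = 1`; the transition from `listener_may_exit` to `exiting` should be visible (or described) for the shutdown path to be reviewable, since as shown `close_listeners()` is never reached.

Review bot: in the `@@ -1792,6 +1789,10 @@` hunk the added `if (!exiting && apr_atomic_read32(_may_exit))` only logs `"XXX: may exit (%d, %d)"` with `rc` and `num` and does not change state, so it is purely the requested instrumentation; the first argument of `apr_atomic_read32` is rendered as `_may_exit` here (and as `_disabled`, `_count` in the other hunks), so the address-of operand and variable-name prefix have been lost in this archive copy and the text as quoted will not apply or compile; the attachment, not this rendering, is what to test.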
Re: [users@httpd] graceful-stop closes established connections without response
On Mon, Jan 29, 2024 at 4:59 PM Sherrard Burton wrote:
>
> On 1/29/24 10:17 AM, Yann Ylavic wrote:
> > On Mon, Jan 29, 2024 at 3:06 PM Eric Covener wrote:
> >
> > The patch helps in this case because we no longer close the listening
> > sockets unconditionally, I mean without first checking if there are
> > new connections in the backlog. So I thought the option was needed
> > because if nothing stops new connections from arriving it could
> > prevent the child from stopping indefinitely? How could we know if a
> > LB/VIP is in place?
>
> it sounds like this issue is all but resolved, but i would like to
> understand whether the above (preventing the child from stopping
> indefinitely) is an actual possibility.
>
> my (naive) expectation is that if a given child has been signaled while
> handling an existing request then it "knows" not to accept() a new
> request after completing the existing request. so it seems that the
> child is not under any danger of continuing indefinitely, regardless of
> the contents of the backlog.

Yes, a stopping child won't accept any new connection currently in httpd, but this is what I proposed to change: each child continues to accept new connections after the graceful signal, until there is nothing to accept anymore. Though this needs an opt-in obviously.

Sorry for the confusion because this is not what the patch I initially proposed is doing either, the patch simply allows for one more try at emptying the backlog after the signal was received, so it won't by itself prevent the child from stopping, but it might (likely) not be enough if resets don't happen mainly because of some bad timing in the listener thread (which this patch addresses, only).

So before we go to the opt-in, as Eric said, we might as well consider that since it's not fully addressable in httpd anyway (without races), we'd rather let this be handled outside httpd (better/fully).

That's where we are, I think, if this first/light patch eventually helps significantly with the "local" graceful-stop which you care about still, it's possibly worth it since it requires no opt-in (but needs testing..), but going further looks overkill/risky for httpd.
Re: [users@httpd] graceful-stop closes established connections without response
On Mon, Jan 29, 2024 at 4:21 PM Eric Covener wrote:
>
> > > It seems to me If there is no such LB/VIP that stops new connections
> > > from landing on this server, the new option should be avoided.
> >
> > Correct.
> >
> > > But if there is such a LB/VIP, the option is not really needed. Is it
> > > fair?
> >
> > The patch helps in this case because we no longer close the listening
> > sockets unconditionally, I mean without first checking if there are
> > new connections in the backlog. So I thought the option was needed
> > because if nothing stops new connections from arriving it could
> > prevent the child from stopping indefinitely? How could we know if a
> > LB/VIP is in place?
>
> I mean the initial patch vs. the status quo, not just the opt-in part.

Even if there is a LB that stops routing new connections to the stopping httpd we might kill the ones that are in the backlog already.

But yes I suppose that the switch on the LB could precede the graceful-stop by a few seconds to let httpd drain the backlog normally, in any case the race is hardly addressable fully in httpd so we might consider doing nothing to minimize it too, that's fair enough :)
Re: [users@httpd] graceful-stop closes established connections without response
On Mon, Jan 29, 2024 at 3:06 PM Eric Covener wrote:
>
> > Maybe I wasn't clear enough but this patch makes sense only if there
> > is something in place that prevents new connections from arriving at
> > the stopping httpd children processes (like a frontend/load-balancer
> > or a tcp/bpf filter), otherwise they may never really stop which does
> > not help for a graceful stop/restart obviously. So this change (if
> > useful) should be guarded by a GracefulDrain on/off or something
> > config option to not hurt the other use cases.
>
> Thanks Yann!
>
> It seems to me If there is no such LB/VIP that stops new connections
> from landing on this server, the new option should be avoided.

Correct.

> But if there is such a LB/VIP, the option is not really needed. Is it fair?

The patch helps in this case because we no longer close the listening sockets unconditionally, I mean without first checking if there are new connections in the backlog. So I thought the option was needed because if nothing stops new connections from arriving it could prevent the child from stopping indefinitely? How could we know if a LB/VIP is in place?
Re: [users@httpd] graceful-stop closes established connections without response
On Mon, Jan 29, 2024 at 2:23 PM Yann Ylavic wrote:
>
> On Sun, Jan 28, 2024 at 5:26 AM Sherrard Burton wrote:
> >
> > On 1/27/24 09:46 PM, Eric Covener wrote:
> > >
> > > Both worker and event MPMs have a dedicated listener thread per child
> > > process, so it will close those copies of the listening sockets much
> > > more quickly.
> >
> > so that i am clear, are you saying that this behavior is still possible,
> > although less likely under the worker and event MPMs?
>
> I think it's possible regardless of the MPM, and there is quite little
> a server can do about it without the help of the system or some
> tcp/bpf filter (something that prepares the graceful shutdown at the
> system level to prevent the 3-way handshake from completing).
> This is because when the connections are ready to be accept()ed (i.e.
> in the listening socket's backlog), they are already fully established
> and likely contain the request data (at least partly), the system has
> done this underneath httpd already.
> So if/when httpd closes its listening socket(s) all the connections in
> the backlog(s) are lost/reset anyway, and there is always going to be
> a race condition with the draining of the backlog if nothing stops new
> connections from being established at the system level.
>
> To minimize the race condition maybe httpd can do better at trying to
> drain the backlog before closing the listeners. Does the attached
> patch help for instance (it's against mpm_event 2.4.x)?
> But I don't think it can be fully solved at httpd level anyway, with
> this change the effective stop could be longer (so long as there are
> incoming/pending connections routed to each child by the system), it
> could even last forever theoretically if connections keep coming
> indefinitely..

Maybe I wasn't clear enough but this patch makes sense only if there is something in place that prevents new connections from arriving at the stopping httpd children processes (like a frontend/load-balancer or a tcp/bpf filter), otherwise they may never really stop which does not help for a graceful stop/restart obviously. So this change (if useful) should be guarded by a GracefulDrain on/off or something config option to not hurt the other use cases.

>
> Regards;
> Yann.
Re: [users@httpd] graceful-stop closes established connections without response
On Sun, Jan 28, 2024 at 5:26 AM Sherrard Burton wrote:
>
> On 1/27/24 09:46 PM, Eric Covener wrote:
> >
> > Both worker and event MPMs have a dedicated listener thread per child
> > process, so it will close those copies of the listening sockets much
> > more quickly.
>
> so that i am clear, are you saying that this behavior is still possible,
> although less likely under the worker and event MPMs?

I think it's possible regardless of the MPM, and there is quite little a server can do about it without the help of the system or some tcp/bpf filter (something that prepares the graceful shutdown at the system level to prevent the 3-way handshake from completing).

This is because when the connections are ready to be accept()ed (i.e. in the listening socket's backlog), they are already fully established and likely contain the request data (at least partly), the system has done this underneath httpd already.

So if/when httpd closes its listening socket(s) all the connections in the backlog(s) are lost/reset anyway, and there is always going to be a race condition with the draining of the backlog if nothing stops new connections from being established at the system level.

To minimize the race condition maybe httpd can do better at trying to drain the backlog before closing the listeners. Does the attached patch help for instance (it's against mpm_event 2.4.x)?

But I don't think it can be fully solved at httpd level anyway, with this change the effective stop could be longer (so long as there are incoming/pending connections routed to each child by the system), it could even last forever theoretically if connections keep coming indefinitely..

Regards;
Yann.

Index: server/mpm/event/event.c === --- server/mpm/event/event.c (revision 1915442) +++ server/mpm/event/event.c (working copy)
@@ -174,7 +174,7 @@ static int had_healthy_child = 0; static volatile int dying = 0; static volatile int workers_may_exit = 0; static volatile int start_thread_may_exit = 0; -static volatile int listener_may_exit = 0; +static volatile apr_uint32_t listener_may_exit = 0; static int listener_is_wakeable = 0;/* Pollset supports APR_POLLSET_WAKEABLE */ static int num_listensocks = 0; static apr_int32_t conns_this_child;/* MaxConnectionsPerChild, only access @@ -481,8 +481,7 @@ static void disable_listensocks(void) static void enable_listensocks(void) { int i; -if (listener_may_exit -|| apr_atomic_cas32(_disabled, 0, 1) != 1) { +if (dying || apr_atomic_cas32(_disabled, 0, 1) != 1) { return; } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, APLOGNO(00457) @@ -575,8 +574,7 @@ static void wakeup_listener(void) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, "wake up listener%s", listener_may_exit ? " again" : ""); -listener_may_exit = 1; -disable_listensocks(); +apr_atomic_cas32(_may_exit, 1, 0); /* Unblock the listener if it's poll()ing */ if (event_pollset && listener_is_wakeable) { @@ -1184,12 +1182,9 @@ read_request: cs->pub.state = CONN_STATE_READ_REQUEST_LINE; goto read_request; } -else if (!listener_may_exit) { +else { cs->pub.state = CONN_STATE_CHECK_REQUEST_LINE_READABLE; } -else { -cs->pub.state = CONN_STATE_LINGER; -} } if (cs->pub.state == CONN_STATE_CHECK_REQUEST_LINE_READABLE) { @@ -1654,7 +1649,7 @@ static void * APR_THREAD_FUNC listener_thread(apr_ proc_info *ti = dummy; int process_slot = ti->pslot; struct process_score *ps = ap_get_scoreboard_process(process_slot); -int closed = 0; +int may_exit = 0, closed = 0; int have_idle_worker = 0; apr_time_t last_log; @@ -1678,7 +1673,7 @@ static void * APR_THREAD_FUNC listener_thread(apr_ if (conns_this_child <= 0) check_infinite_requests(); -if (listener_may_exit) { +if (may_exit) { int first_close = close_listeners(); if (terminate_mode == ST_UNGRACEFUL 
@@ -1899,7 +1894,7 @@ static void * APR_THREAD_FUNC listener_thread(apr_ "Idle workers: %u", ap_queue_info_num_idlers(worker_queue_info)); } -else if (!listener_may_exit) { +else { void *csd = NULL; ap_listen_rec *lr = (ap_listen_rec *) pt->baton; apr_pool_t *ptrans; /* Pool for per-transaction stuff */ @@ -1960,6 +1955,14 @@ static void * APR_THREAD_FUNC listener_thread(apr_ } /* if:else on pt->type */ } /* for processing poll */ +/* On graceful shutdown/stop we can close the listening sockets + * since the backlog should be drained now. + */ +if
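Review bot: in the `@@ -481,8 +481,7 @@` hunk the first argument of `apr_atomic_cas32` is rendered as `_disabled` (and as `_may_exit` and `_count` in the following hunks), so the address-of operand and the variable-name prefix have been lost in this archive copy; the quoted text will neither compile nor apply as shown, and the attached file is what should be tested.

Review bot: in the `@@ -575,8 +574,7 @@` hunk `wakeup_listener()` no longer calls `disable_listensocks()` and only does `apr_atomic_cas32(_may_exit, 1, 0)`, so the listening sockets stay in the pollset after the graceful signal, which is what allows the backlog to keep draining; the `ap_log_error(..., "wake up listener%s", listener_may_exit ? " again" : "")` line just above still reads the flag directly even though `@@ -174` turned it into an `apr_uint32_t` updated by CAS, so an `apr_atomic_read32()` there would keep the accesses consistent.

Review bot: in the `@@ -1184,12 +1182,9 @@` hunk the `else { cs->pub.state = CONN_STATE_LINGER; }` branch taken once `listener_may_exit` was set is removed, so a connection that finishes a request during a graceful stop now always returns to `CONN_STATE_CHECK_REQUEST_LINE_READABLE`; a comment there saying what closes those kept-alive connections once `close_listeners()` has run would help, since nothing in the quoted hunks shows it.

Review bot: in the `@@ -1899,7 +1894,7 @@` hunk the accept branch changes from `else if (!listener_may_exit)` to an unconditional `else`, so new connections are accepted after the graceful signal with no guard at all; given the message's own warning that the stop could then last indefinitely, this is the spot where a configuration check would have to go.

Review bot: in the `@@ -1960,6 +1955,14 @@` hunk the new comment says the listening sockets can be closed "since the backlog should be drained now", but the hunk is cut off right after `+if` in this copy, and it is the only place that could set the `may_exit` local which `@@ -1654,7 +1649,7 @@` initialises to 0 and `@@ -1678,7 +1673,7 @@` tests; as quoted the listener never reaches `close_listeners()`, so the complete hunk needs to be in the message for the change to be reviewable.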
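The mechanism Yann describes above (a connection in the accept backlog is already fully established, so closing the listener resets it, whereas a connection pulled out with accept() first survives) can be reproduced with plain sockets, and it also accounts for the two extra [SYN,ACK]s over accept() calls counted later in the thread. The following is an added C example, not code from the thread or from httpd: it uses POSIX sockets on 127.0.0.1 with a constructed request and reply, and the function and enum names are assumptions of this example.

```c
/* Added example (not httpd code): what happens to TCP connections that sit
 * in a listening socket's accept backlog when the listener is closed, and
 * why accept()ing them first avoids the reset. POSIX sockets on 127.0.0.1. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum outcome {
    OUTCOME_ERROR = -1,  /* socket setup failed (e.g. no loopback in a sandbox) */
    OUTCOME_SERVED = 0,  /* client received the server's reply */
    OUTCOME_RESET = 1,   /* client got ECONNRESET: its request was lost */
    OUTCOME_EOF = 2,     /* orderly FIN without a reply (not expected here) */
    OUTCOME_TIMEOUT = 3  /* nothing arrived within the receive timeout */
};

static const char REQUEST[] = "GET / HTTP/1.0\r\n\r\n";  /* constructed sample */
static const char REPLY[] = "HTTP/1.0 200 OK\r\n\r\n";   /* constructed sample */

/* Bind a listener on an ephemeral loopback port and return its address. */
static int make_listener(struct sockaddr_in *addr)
{
    socklen_t len = sizeof(*addr);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(addr, 0, sizeof(*addr));        /* sin_port 0: kernel picks a port */
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)addr, sizeof(*addr)) < 0
        || listen(fd, 8) < 0
        || getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* One simulated "graceful stop": a client connects and sends its request,
 * then the server closes its listening socket. With drain_first the server
 * accept()s the queued connection before closing (what the patch in this
 * thread tries harder to do); without it the connection is still in the
 * backlog when the listener goes away (the race the thread discusses). */
enum outcome listener_close_outcome(int drain_first)
{
    struct sockaddr_in addr;
    struct timeval tmo = { 2, 0 };
    char buf[128];
    ssize_t n;
    int srv, cli, conn = -1, err;

    srv = make_listener(&addr);
    if (srv < 0) return OUTCOME_ERROR;

    /* The kernel completes the 3-way handshake on the server's behalf: the
     * connection is ESTABLISHED and the request bytes are queued before
     * the server has called accept() at all. */
    cli = socket(AF_INET, SOCK_STREAM, 0);
    if (cli < 0 || connect(cli, (struct sockaddr *)&addr, sizeof(addr)) < 0
        || send(cli, REQUEST, sizeof(REQUEST) - 1, 0) < 0) {
        close(srv);
        if (cli >= 0)
            close(cli);
        return OUTCOME_ERROR;
    }
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof(tmo));

    if (drain_first)
        conn = accept(srv, NULL, NULL);   /* pull it out of the backlog */

    /* Closing the listener resets every connection still in its backlog. */
    close(srv);

    if (conn >= 0) {
        /* An accepted connection outlives the listener: serve it normally. */
        n = recv(conn, buf, sizeof(buf), 0);
        if (n > 0)
            send(conn, REPLY, sizeof(REPLY) - 1, 0);
        close(conn);
    }

    n = recv(cli, buf, sizeof(buf) - 1, 0);
    err = errno;                  /* save before close() can clobber it */
    close(cli);
    if (n > 0)
        return OUTCOME_SERVED;
    if (n == 0)
        return OUTCOME_EOF;
    return err == ECONNRESET ? OUTCOME_RESET : OUTCOME_TIMEOUT;
}

int main(void)
{
    printf("backlog, no accept(): %d (1 = reset)\n", listener_close_outcome(0));
    printf("accept() then close(): %d (0 = served)\n", listener_close_outcome(1));
    return 0;
}
```

On Linux the first call returns OUTCOME_RESET and the second OUTCOME_SERVED; the 2-second receive timeout only matters on a platform that neither resets nor answers.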
Re: [users@httpd] Secure websockets and proxying
On Tue, Jan 23, 2024 at 5:22 PM Yann Ylavic wrote:
>
> On Tue, Jan 23, 2024 at 11:55 AM Erik Thuning wrote:
> >
> > I have a tomcat application running that accepts websockets. In front of
> > this application I'm running apache as a reverse proxy. SSL is
> > configured in apache, and my tomcat knows nothing about SSL.
> >
> > In the usual web traffic case, everything works just as expected - the
> > SSL connection terminates in apache and the request is forwarded to
> > tomcat using plain http. However, this approach doesn't seem to work
> > when it comes to websockets - the upgrade requests return 403 with no
> > further elaboration in the log.
>
> You could set "LogLevel trace8" in the VirtualHost to get more/full
> information.

Also httpd should log an error for a 403 it generates, can't the 403 originate from Tomcat for some reason?

>
> Regards;
> Yann.
Re: [users@httpd] Secure websockets and proxying
On Tue, Jan 23, 2024 at 11:55 AM Erik Thuning wrote:
>
> I have a tomcat application running that accepts websockets. In front of
> this application I'm running apache as a reverse proxy. SSL is
> configured in apache, and my tomcat knows nothing about SSL.
>
> In the usual web traffic case, everything works just as expected - the
> SSL connection terminates in apache and the request is forwarded to
> tomcat using plain http. However, this approach doesn't seem to work
> when it comes to websockets - the upgrade requests return 403 with no
> further elaboration in the log.

You could set "LogLevel trace8" in the VirtualHost to get more/full information.

Regards;
Yann.
Re: [users@httpd] httpd -t -DDUMP_CONFIG and httpd -t -DDUMP_RUN_CFG not helping prove the value of MaxKeepAliveRequests / KeepAlive
On Mon, Dec 11, 2023 at 2:10 AM Jason Pyeron wrote:
>
> I thought I could
>
> httpd -t -DDUMP_CONFIG | grep -e KeepAlive
> httpd -t -DDUMP_RUN_CFG | grep -e KeepAlive
>
> but to no avail.

DUMP_CONFIG comes with mod_info (LoadModule required), but it will only show the directives which are configured IIUC (https://httpd.apache.org/docs/2.4/mod/mod_info.html#limitations), not the default values.

>
> So how can I dump the effective configuration which includes defaults?
>
> I would really not want to modify our configuration just to add the default
> values explicitly.

I don't know of a setting/module which would show all the effective configuration, it would probably not be easy to write/maintain (dumping the internal structures). Maybe if it's not shown by mod_info it could be considered that the default applies, and the auditor could live with that?

Regards;
Yann.
Re: [users@httpd] Problem set addressttl
Hi;

On Tue, Dec 5, 2023 at 11:13 AM Piotr Redel wrote:
>
> I have apache version 2.4.54. I wanted to add the addressttl=60 parameter in
> the BalancerMember section.

The addressttl parameter is a new feature not part of any release yet, it will be in the next one (2.4.59). Your only options for now are to use a patched version of httpd or wait for the next release.

Regards;
Yann.
Re: [users@httpd] reverse proxying websocket connections
On Tue, Jul 4, 2023 at 2:28 AM Helmut K. C. Tessarek wrote:
>
> The documentation states:
>
> Proxying both HTTP and websockets at the same time, where the websockets URL's
> are not websocket-only or not known in advance can be done by using the
> RewriteRule directive to configure the websockets proxying:
>
> ProxyPass / http://example.com:9080/
> RewriteEngine on
> RewriteCond %{HTTP:Upgrade} websocket [NC]
> RewriteCond %{HTTP:Connection} upgrade [NC]
> RewriteRule ^/?(.*) "ws://example.com:9080/$1" [P,L]
>
> However, I was wondering, whether the following is an equivalent directive
> (just in a single line ;-)):
>
> ProxyPass / http://example.com:9080/ upgrade=websocket
>
> afaik the upgrade only takes place when it is requested by a header, unless
> upgrade=NONE or upgrade=ANY is set.
>
> Am I correct or are they not the same?

Yes, they should be the same. Upgrade only takes place when requested AND accepted/switched by the backend server.

Regards;
Yann.
Re: [users@httpd] Proxy with ssl backend server
On Wed, May 31, 2023 at 4:39 PM Yann Ylavic wrote:
>
> On Wed, May 31, 2023 at 2:52 PM Josef Wolf wrote:
> >
> > On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> > > On Thu, May 25, 2023 at 2:38 PM Josef Wolf wrote:
> > > >
> > > > I am trying to use apache as a proxy to pass requests to a https
> > > > backend like this:
> > > >
> > > >
> > > > SSLProxyEngine on
> > > > ProxyPass /service/ https://backend.do.main:4434/service
> > > > ProxyPassReverse /service/ https://backend.do.main:4434/service
> > > > ProxyPassReverseCookiePath / /service/
> > > > ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > > >
> > > > SetEnv force-proxy-request-1.0 1
> > > > SetEnv proxy-nokeepalive 1
> > > > SetEnv proxy-sendcl
> > > > ProxyHTMLEnable On
> > > > ProxyHTMLExtended On
> > > > LogLevel Debug
> > > > ProxyHTMLURLMap https://backend.do.main:4434/service/service/
> > > > RequestHeader unset Accept-Encoding
> > > > AuthName "Application /service"
> > > > AuthType Basic
> > > > AuthUserFile /m/b/httpd/passwd
> > > > AuthGroupFile /m/b/httpd/group
> > > > Require group service
> > > > SSLRequireSSL
> > > > RequestHeader set Authorization "Basic 123456778"
> > > > RequestHeader set X_FORWARDED_PROTO 'https'
> > > >
> > > >
> > > > This works fine for http backends, but with https, I get following
> > > > errors:
> > >
> > > I tried this configuration and it works for me.
> >
> > Yes. This is why I suspect it has to do with the way I generate the
> > self-signed certificate:
> >
> >    openssl req \
> >      -new -newkey rsa:4096 \
> >      -subj /C=DE/CN=backend \
> >      -addext subjectAltName=DNS:backend.do.main \
> >      -addext certificatePolicies=1.2.3.4 \
> >      -x509 -nodes \
> >      -days 3650 \
> >      -out server-cert.pem \
> >      -keyout server-key.pem
> >
> > > > [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote
> > > > 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from
> > > > the SSL context
> > > > [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library
> > > > Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
>
> I don't think it has to do with the certificate generated/configured
> on the backend side. This error happens at the creation of the SSL
> connection, no communication with the backend yet.
>
> > > Do you build httpd by yourself? Which OS / httpd / openssl version? It
> > > looks like httpd (mod_ssl) links/runs against an openssl version
> > > different from the one it's been built with.
> >
> > This is not built by myself. All is stock opensuse-Leap-15.1
>
> I don't know which version/patches of httpd is shipped with
> opensuse-Leap-15.1 (httpd-2.4.33 possibly?), but the configuration
> above seems to work with the latest/upstream httpd-2.4.57 release.
> Maybe you can give the latest opensuse-Leap a try (15.4 or 15.5 seem
> to ship httpd-2.4.57)?

This looks like https://bz.apache.org/bugzilla/show_bug.cgi?id=62232 which was fixed in httpd-2.4.34.

>
> Regards;
> Yann.
Re: [users@httpd] Proxy with ssl backend server
On Wed, May 31, 2023 at 2:52 PM Josef Wolf wrote:
>
> On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> > On Thu, May 25, 2023 at 2:38 PM Josef Wolf wrote:
> > >
> > > I am trying to use apache as a proxy to pass requests to a https backend
> > > like this:
> > >
> > >
> > > SSLProxyEngine on
> > > ProxyPass /service/ https://backend.do.main:4434/service
> > > ProxyPassReverse /service/ https://backend.do.main:4434/service
> > > ProxyPassReverseCookiePath / /service/
> > > ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > >
> > > SetEnv force-proxy-request-1.0 1
> > > SetEnv proxy-nokeepalive 1
> > > SetEnv proxy-sendcl
> > > ProxyHTMLEnable On
> > > ProxyHTMLExtended On
> > > LogLevel Debug
> > > ProxyHTMLURLMap https://backend.do.main:4434/service/service/
> > > RequestHeader unset Accept-Encoding
> > > AuthName "Application /service"
> > > AuthType Basic
> > > AuthUserFile /m/b/httpd/passwd
> > > AuthGroupFile /m/b/httpd/group
> > > Require group service
> > > SSLRequireSSL
> > > RequestHeader set Authorization "Basic 123456778"
> > > RequestHeader set X_FORWARDED_PROTO 'https'
> > >
> > >
> > > This works fine for http backends, but with https, I get following errors:
> >
> > I tried this configuration and it works for me.
>
> Yes. This is why I suspect it has to do with the way I generate the
> self-signed certificate:
>
>    openssl req \
>      -new -newkey rsa:4096 \
>      -subj /C=DE/CN=backend \
>      -addext subjectAltName=DNS:backend.do.main \
>      -addext certificatePolicies=1.2.3.4 \
>      -x509 -nodes \
>      -days 3650 \
>      -out server-cert.pem \
>      -keyout server-key.pem
>
> > > [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote
> > > 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from
> > > the SSL context
> > > [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library
> > > Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

I don't think it has to do with the certificate generated/configured on the backend side. This error happens at the creation of the SSL connection, no communication with the backend yet.

> > Do you build httpd by yourself? Which OS / httpd / openssl version? It
> > looks like httpd (mod_ssl) links/runs against an openssl version
> > different from the one it's been built with.
>
> This is not built by myself. All is stock opensuse-Leap-15.1

I don't know which version/patches of httpd is shipped with opensuse-Leap-15.1 (httpd-2.4.33 possibly?), but the configuration above seems to work with the latest/upstream httpd-2.4.57 release. Maybe you can give the latest opensuse-Leap a try (15.4 or 15.5 seem to ship httpd-2.4.57)?

Regards;
Yann.
Re: [users@httpd] Proxy with ssl backend server
On Thu, May 25, 2023 at 2:38 PM Josef Wolf wrote:
>
> I am trying to use apache as a proxy to pass requests to a https backend like
> this:
>
>   SSLProxyEngine on
>   ProxyPass /service/ https://backend.do.main:4434/service
>   ProxyPassReverse /service/ https://backend.do.main:4434/service
>   ProxyPassReverseCookiePath / /service/
>   ProxyHTMLURLMap https://backend.do.main:4434/service /service
>
>   SetEnv force-proxy-request-1.0 1
>   SetEnv proxy-nokeepalive 1
>   SetEnv proxy-sendcl
>   ProxyHTMLEnable On
>   ProxyHTMLExtended On
>   LogLevel Debug
>   ProxyHTMLURLMap https://backend.do.main:4434/service/service/
>   RequestHeader unset Accept-Encoding
>   AuthName "Application /service"
>   AuthType Basic
>   AuthUserFile /m/b/httpd/passwd
>   AuthGroupFile /m/b/httpd/group
>   Require group service
>   SSLRequireSSL
>   RequestHeader set Authorization "Basic 123456778"
>   RequestHeader set X_FORWARDED_PROTO 'https'
>
> This works fine for http backends, but with https, I get following errors:

I tried this configuration and it works for me.

> [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote
> 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the
> SSL context
> [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error:
> error:140BA0C3:SSL routines:SSL_new:null ssl ctx

Do you build httpd by yourself? Which OS / httpd / openssl version? It
looks like httpd (mod_ssl) links/runs against an openssl version
different from the one it's been built with.

Regards;
Yann.
Re: [users@httpd] Keepalive closing connections prematurely on high load on newer httpd versions
Hi,

On Mon, May 22, 2023 at 12:19 PM Mateusz Kempski wrote:
>
> Then I added following options
> to default config on both servers:
> ```
>
> ThreadsPerChild 25
> StartServers 3
> ServerLimit 120
> MinSpareThreads 75
> MaxSpareThreads 3000
> MaxRequestWorkers 3000
> MaxConnectionsPerChild 0
>
> ```

What is the difference between the two configurations (besides identical
MPM parameters)? Things like EnableMMAP and EnableSendfile matter too for
instance. Do the two systems have the same `ulimit -n` (or LimitNOFILE in
systemd) for httpd?

Also, do you see errors in the error_log file? Maybe "LogLevel
mpm_event:trace1" could help see what happens while not being too verbose.

Regards;
Yann.
Re: [users@httpd] Strange behavior with directives ProxyRemote and NoProxy
Hello,

On Fri, May 5, 2023 at 9:22 AM Carsten Klein wrote:
>
> Important(?) side note: through DNS the server can only resolve
> local/intranet names and addresses. The DNS refuses to resolve
> external/Internet names and addresses.

Unless NoProxy contains only domain names (e.g. ".mycompany.local") which
can be compared verbatim, there will be a DNS resolution for the requested
host. And if that DNS resolution fails, NoProxy does not apply (i.e.
ProxyRemote is used).

>
> According to the docs, configuring ProxyRemote and NoProxy should be
> quite simple:
>
> # All requests go through the company's proxy
> ProxyRemote "*" "http://10.5.10.20:8080"
>
> # Direct requests to all intranet hosts
> NoProxy ".mycompany.local" "10.0.0.0/8"

So here if the requested host does not end in ".mycompany.local", it will
be resolved and compared to the network address.
Your configuration depends on DNS, more exactly it depends on DNS to work
at least for local/intranet hosts (failures on remote ones shouldn't be an
issue but looks fragile and not optimal. It's broken if the DNS does not
fail but returns a 10/8 address for whatever reason though).

I would try to only set:
  NoProxy ".mycompany.local"
to exclude DNS from the game and see what happens for requests to this
domain at least. If it works for those and you still need to also match
"10.0.0.0/8" for requests using local IP addresses directly or
other/unknown/unlistable local domain names, you probably should have a
look at how hosts are resolved on the local DNS when requests are
misdirected.

Regards;
Yann.
Re: [users@httpd] disable httpd ap_directory_walk() before mpm_itk transfer
On Fri, Mar 31, 2023 at 2:46 PM Yann Ylavic wrote:
>
> On Fri, Mar 31, 2023 at 2:27 PM Yann Ylavic wrote:
> >
> > Hello,
> >
> > On Fri, Mar 31, 2023 at 8:18 AM Stefan Helmert wrote:
> > >
> > > in my setup, httpd runs on a specific uid and delegates transfers to
> > > mpm_itk with AssignUserIDExpr %{reqenv:MAPPED_USER} dynamic uid.
> > >
> > > The problem is: httpd runs ap_directory_walk() with its own uid before
> > > delegating to mpm_itk with the dynamic uid. This fails, because httpd
> > > doesn't have the permissions to read the directory.
> > >
> > > How can I disable ap_directory_walk() or delegate it to mpm_itk?
> >
> > I can't think of a configuration that could change this behaviour, but
> > if you can patch mpm_itk I'd suggest to try to make the
> > itk_post_perdir_config hook an itk_map_to_storage hook instead
> > (APR_HOOK_REALLY_FIRST still, but returning DECLINED on success so
> > that the next map_to_storage hooks run too).
> >
> > That's from a quick look at mpm_itk code (and I know very little about
> > this MPM), but it looks like it could work..
>
> So something like the attached patch possibly.

[sorry for the spam, reading more of mpm_itk code..]

The comment on itk_dirwalk_stat() suggests that it should be allowed to
read any file with httpd's uid/gid rights and that the switch to
AssignUserID should happen later (though there is an issue with kept-alive
connections obviously once the ids are changed..).

So I'm not sure what the security model of mpm_itk is, it seems that files
should still be "owned" by httpd's user so that once AssignUserID is in
place it can't do anything with them, which is not the same as setting
files access rights to each AssignUserID individually.

So be aware that the proposed patch here is probably not what mpm_itk
users usually want..

>
> Regards;
> Yann.
Re: [users@httpd] disable httpd ap_directory_walk() before mpm_itk transfer
On Fri, Mar 31, 2023 at 2:27 PM Yann Ylavic wrote:
>
> Hello,
>
> On Fri, Mar 31, 2023 at 8:18 AM Stefan Helmert wrote:
> >
> > in my setup, httpd runs on a specific uid and delegates transfers to
> > mpm_itk with AssignUserIDExpr %{reqenv:MAPPED_USER} dynamic uid.
> >
> > The problem is: httpd runs ap_directory_walk() with its own uid before
> > delegating to mpm_itk with the dynamic uid. This fails, because httpd
> > doesn't have the permissions to read the directory.
> >
> > How can I disable ap_directory_walk() or delegate it to mpm_itk?
>
> I can't think of a configuration that could change this behaviour, but
> if you can patch mpm_itk I'd suggest to try to make the
> itk_post_perdir_config hook an itk_map_to_storage hook instead
> (APR_HOOK_REALLY_FIRST still, but returning DECLINED on success so
> that the next map_to_storage hooks run too).
>
> That's from a quick look at mpm_itk code (and I know very little about
> this MPM), but it looks like it could work..

So something like the attached patch possibly.

>
> Regards;
> Yann.

--- mpm_itk.c.original 2023-03-31 14:37:25.665476368 +0200 +++ mpm_itk.c 2023-03-31 14:38:27.897630190 +0200 @@ -267,7 +267,7 @@ static int itk_init_handler(apr_pool_t * return OK; } -static int itk_post_perdir_config(request_rec *r) +static int itk_map_to_storage(request_rec *r) { uid_t wanted_uid; gid_t wanted_gid; @@ -420,7 +420,7 @@ static int itk_post_perdir_config(reques } } -return OK; +return DECLINED; } /* 
@@ -494,7 +494,7 @@ static void itk_hooks(apr_pool_t *p) ap_hook_process_connection(itk_fork_process, NULL, NULL, APR_HOOK_REALLY_FIRST); /* set the uid as fast as possible, but not before merging per-dir config */ -ap_hook_post_perdir_config(itk_post_perdir_config, NULL, NULL, APR_HOOK_REALLY_FIRST); +ap_hook_map_to_storage(itk_map_to_storage, NULL, NULL, APR_HOOK_REALLY_FIRST); /* replace core_dirwalk_stat so that we can kill the connection on stat() failure */ ap_hook_dirwalk_stat(itk_dirwalk_stat, NULL, NULL, APR_HOOK_MIDDLE);
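Review bot: the comment kept above the new registration, "/* set the uid as fast as possible, but not before merging per-dir config */", no longer matches the code: a map_to_storage hook at APR_HOOK_REALLY_FIRST runs before the core map_to_storage hook that performs ap_directory_walk() and merges the per-directory config, so itk_map_to_storage now decides the uid/gid with only the server/vhost-level config merged, and AssignUserIDExpr expressions that depend on per-directory context will not see it. The comment should be rewritten to say that, and the trade-off called out in the commit message. The "-return OK; +return DECLINED;" change at the end of the function is what lets the later map_to_storage hooks (including the core directory walk) run, but the same treatment is needed for any other success-path "return OK;" inside the function between lines 267 and 420 (not shown in the hunk), otherwise those paths would now short-circuit the core walk entirely.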
Re: [users@httpd] disable httpd ap_directory_walk() before mpm_itk transfer
Hello,

On Fri, Mar 31, 2023 at 8:18 AM Stefan Helmert wrote:
>
> in my setup, httpd runs on a specific uid and delegates transfers to
> mpm_itk with AssignUserIDExpr %{reqenv:MAPPED_USER} dynamic uid.
>
> The problem is: httpd runs ap_directory_walk() with its own uid before
> delegating to mpm_itk with the dynamic uid. This fails, because httpd
> doesn't have the permissions to read the directory.
>
> How can I disable ap_directory_walk() or delegate it to mpm_itk?

I can't think of a configuration that could change this behaviour, but
if you can patch mpm_itk I'd suggest to try to make the
itk_post_perdir_config hook an itk_map_to_storage hook instead
(APR_HOOK_REALLY_FIRST still, but returning DECLINED on success so
that the next map_to_storage hooks run too).

That's from a quick look at mpm_itk code (and I know very little about
this MPM), but it looks like it could work..

Regards;
Yann.
Re: [users@httpd] Query about support for OpenSSL 1.1.1
On Wed, Feb 15, 2023 at 9:44 AM Vivek Naruka (EXT-NSB) wrote:
>
> There is new version of Openssl i.e. Openssl 3.0 available for which Httpd
> provide support in its newly released versions.
>
> We are using Openssl version 1.1.1 in our project and need to know that if
> Httpd will continue its support towards Openssl 1.1.1 as well till year 2030.

httpd will not support openssl-1.1.1 longer than the openssl project
maintains it, and while httpd-2.4.x will surely support openssl-1.1.1
until its last revision, there is no guarantee that httpd-2.4.x itself
will still be maintained in 2030.

For instance if some httpd-2.6.x or httpd-3.x is released by 2030 when
openssl-1.1.1 is not maintained anymore by the openssl team then it may
not support this openssl version from the start, so if/whenever
httpd-2.4.x itself stops being maintained by the httpd team there is no
support for openssl-1.1.1 in any maintained httpd version.

In any case, the questions about maintenance times/deadlines concern more
the vendors/distros than the httpd project itself.

Regards;
Yann.
Re: [users@httpd] cannot run test program while cross compiling
On Tue, Feb 14, 2023 at 6:56 PM Yann Ylavic wrote:
>
> On Tue, Feb 14, 2023 at 1:13 PM 유원석 wrote:
> >
> > Hello
> > I was trying to cross-compile apache to no avail
> > How can I fix this error below?
>
> Can you try the attached patch?

Possibly adding ap_cv_crypt_sha2=no (or =yes if you know that the target
system's crypt() supports SHA-2) to the "./configure ..." command line
could do it too, by forcing the test decision rather than running it.

>
> Regards;
> Yann.
Re: [users@httpd] cannot run test program while cross compiling
On Tue, Feb 14, 2023 at 1:13 PM 유원석 wrote:
>
> Hello
> I was trying to cross-compile apache to no avail
> How can I fix this error below?

Can you try the attached patch?

Regards;
Yann.

Index: configure.in === --- configure.in (revision 1907007) +++ configure.in (working copy) @@ -519,7 +519,7 @@ if test "$ac_cv_search_crypt" != "no"; then ]], [char *result = crypt(PASSWD_0, SALT_0); if (!result) return 1; if (strcmp(result, EXPECT_0)) return 2; -])], [ap_cv_crypt_sha2=yes], [ap_cv_crypt_sha2=no])]) +])], [ap_cv_crypt_sha2=yes], [ap_cv_crypt_sha2=no], [ap_cv_crypt_sha2=no])]) if test "$ap_cv_crypt_sha2" = yes; then AC_DEFINE([HAVE_CRYPT_SHA2], 1, [Define if crypt() supports SHA-2 hashes]) fi
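Review bot: the added fourth argument "[ap_cv_crypt_sha2=no]" (the action-if-cross-compiling branch of AC_RUN_IFELSE) silently assumes the target crypt() has no SHA-2 support, so a cross-compiled httpd for a libc that does support it ends up without HAVE_CRYPT_SHA2 and the behaviour differs from a native build on the same target. Since ap_cv_crypt_sha2 is a cache variable that can be preset on the ./configure command line (ap_cv_crypt_sha2=yes), the conservative default is fine, but it should be documented next to the check (an AC_MSG_WARN in that branch, or a comment above the test) so that cross-compiling users know how to override the guess.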
Re: [users@httpd] Apache with OpenSSL 3 compiled for FIPS - SSLFIPS invalid
On Fri, Oct 21, 2022 at 2:07 AM Joshua Smith wrote:
>
> With that in mind, I'm confused why Apache still complains about not being
> compiled for FIPS. What am I missing?

Possibly this change (which was overlooked for httpd-2.4.54 release):
https://github.com/apache/httpd/commit/8b800c1457aee40d871e07470c1a962bf3e25de3

Patching 2.4.54 with
https://github.com/apache/httpd/commit/8b800c1457aee40d871e07470c1a962bf3e25de3.patch
should work.

Regards;
Yann.
Re: [users@httpd] mod_proxy_http getting double-slashes sporadically
On Fri, Jul 15, 2022 at 9:35 PM wrote:
>
> Ok, trying to figure out how to fix this.
>
> For our mod_proxy configuration we are getting sporadic double-slashes
> showing up after the ProxyPass URL. For example:
>
> ProxyPass /myapp balancer://mybalance/myapp
> ProxyPassReverse /myapp balancer://mybalance/myapp

How are your BalancerMember(s) defined in the block?

Regards;
Yann.
Re: [users@httpd] reverse proxy issue
On Wed, Jun 8, 2022 at 3:21 PM Serge Krawczenko wrote:
>
> We have application server behind httpd as a reverse proxy,
> with basic ldap auth, so only ldap authenticated users are able to get into
> the application.
> (Require valid-user
> Allow from all
> )

It's usually not a good idea to mix Require (httpd >= 2.4) and Allow
(httpd < 2.4) directives together, though I don't see how it could lead
to the symptoms you are seeing.

>
> Everything works well and configuration is very basic.
> However,
> Sometimes like once in a month or two it fails and httpd stops acting like a
> reverse proxy.
> I.e. https://url/my-app fails with 404 trying to find my-app locally.
> (the requested URL /my-app was not found on this server)

If there are multiple VirtualHosts on the same IP:port in your server,
possibly some requests reach one with no "ProxyPass /my-app ..." defined?
It may happen if an unknown Host/SNI is handled by the default vhost for
instance, but it wouldn't explain why all the following requests go there
(unless the app/something at some point starts redirecting to a different
URL).

>
> It is 'fixed' by restarting httpd and is very annoying for users.
>
> Debug turned on for proxy and ldap modules and there's absolutely nothing
> suspicious.
> When the situation occurs, there's just no attempt to refer to the
> 'proxypass' it is
> just trying to get the local path immediately.
>
> It cannot be reproduced as well and there's no specific periodicity for this
> failure.
> Anything i'm missing? Any more debug to turn on?

Which httpd MPM and modules are used? It could be a non thread-safe module
running on a threaded MPM, corrupting some global state when the load
increases.

Regards;
Yann.
Re: [users@httpd] Re: Apache threads getting killed
On Tue, May 17, 2022 at 7:02 PM Rajkumar Adsule wrote:
>
> I am using apache / httpd as a web server i.e. lamp configured on CentOS
> system. Apache version 2.4.34 was working fine, it started killing threads
> when I upgrade apache to 2.4.53.
>
> Please help with the possible reasons and solutions.

You are possibly hitting this bug:
https://bz.apache.org/bugzilla/show_bug.cgi?id=66004

The fix is not released yet but there is a patch available here:
https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/313.diff

Regards;
Yann.
Re: [users@httpd] Variable of document root path based on source ip
On Tue, May 3, 2022 at 5:44 PM Yann Ylavic wrote:
>
> On Mon, May 2, 2022 at 8:24 AM Ivan Ionut wrote:
> >
> > I'm trying to set a virtual host on apache2 with this configuration.
> >
> >   ServerName mysite.com
> >   ServerAlias www.mysite.com
> >
> >   Define directory_path /srv/http/mysite
> >
> >   Define directory_path /srv/http/under_construction
> >
> >   DocumentRoot ${directory_path}
> >
> >   Require all granted
> >
> > The problem is that the If directive does not match when I access it from
> > that lan.
>
> Possibly something like this could work:
>
>   Define directory_path_mysite "/srv/http/mysite"
>   Define directory_path_under_construction "/srv/http/under_construction"
>
>   DocumentRoot "${directory_path_mysite}"
>
>   DocumentRoot "${directory_path_under_construction}"

But DocumentRoot might not be allowed in an

>   Require all granted
>
>   Require all granted
>
> Both DocumentRoots would be initialized at startup (when Defines are
> evaluated, the DocumentRoot used at runtime will be determined based on the

still.

>
> Regards;
> Yann.
Re: [users@httpd] Variable of document root path based on source ip
On Mon, May 2, 2022 at 8:24 AM Ivan Ionut wrote:
>
> I'm trying to set a virtual host on apache2 with this configuration.
>
>   ServerName mysite.com
>   ServerAlias www.mysite.com
>
>   Define directory_path /srv/http/mysite
>
>   Define directory_path /srv/http/under_construction
>
>   DocumentRoot ${directory_path}
>
>   Require all granted
>
> The problem is that the If directive does not match when I access it from
> that lan.

Possibly something like this could work:

  Define directory_path_mysite "/srv/http/mysite"
  Define directory_path_under_construction "/srv/http/under_construction"

  DocumentRoot "${directory_path_mysite}"

  DocumentRoot "${directory_path_under_construction}"

  Require all granted

  Require all granted

Both DocumentRoots would be initialized at startup (when Defines are
evaluated, the
Re: [users@httpd] Re: [users@httpd] [apache]maxconnectionsperchild problem
On Fri, Apr 15, 2022 at 3:50 PM Yann Ylavic wrote:
>
> On Fri, Apr 15, 2022 at 2:16 PM 刘孟 wrote:
> >
> >
> > What I want to ask is, will these 1000 sub processes fail at the same time,
> > causing my httpd service to stop responding. But I think you have given the
> > answer
> > > because the clients connections themselves will not have the same
> > > lifetime (including keep-alive in between requests). In my opinion the
> > > risk is negligible.
> >
> > I think setting MaxConnectionsPerChild will lead to a slight decrease in
> > the processing capacity of my server,
> > but the possibility that all processes failed at the same time can be
> > ignored.. Is my understanding correct
>
> Yes, and I don't think there will be a noticeable capacity change if
> you don't set MaxConnectionsPerChild too low (the right tuning depends
> on the number of connections per second).
>
> >
> > in this way, the restart action usually occurs in the busiest period of the
> > server in daytime,
> > so I think your advice of using cron is a good suggestion. Of course, in
> > order to prevent all httpd services from
> > stopping at the same time, I think I should set cron for the servers at
> > different times. Is that I am in the right way?
>
> Yes, and ideally your DNS switches do not happen at the load peak, so
> there should be too much processes restarted when the cron executes.

"there should *not* be"

> >
> > I also thank you for your suggestions on max/minspareservers. The
> > adjustment of them will also be in my plan.
> > > you probably should raise it to something more close to MaxRequestWorkers
> > > for efficiency.
> >
> > Do you mean I should adjust it to a daily peak of about 1000?
>
> Yes, that way at the load peak you have the full capacity of
> processes, and after the peak they should be killed by
> MaxConnectionsPerChild at some point (without being restarted) hence
> move towards MinSpareservers, until the next peak..
> So you should find the MaxConnectionsPerChild setting that does kill

"that does *not* kill"

> processes too often at load peak but still kills enough processes
> after the peak (during the ramp down).
>
>
> Regards;
> Yann.
Re: [users@httpd] Re: [users@httpd] [apache]maxconnectionsperchild problem
On Fri, Apr 15, 2022 at 2:16 PM 刘孟 wrote:
>
>
> What I want to ask is, will these 1000 sub processes fail at the same time,
> causing my httpd service to stop responding. But I think you have given the
> answer
> > because the clients connections themselves will not have the same
> > lifetime (including keep-alive in between requests). In my opinion the risk
> > is negligible.
>
> I think setting MaxConnectionsPerChild will lead to a slight decrease in the
> processing capacity of my server,
> but the possibility that all processes failed at the same time can be
> ignored.. Is my understanding correct

Yes, and I don't think there will be a noticeable capacity change if you
don't set MaxConnectionsPerChild too low (the right tuning depends on the
number of connections per second).

>
> in this way, the restart action usually occurs in the busiest period of the
> server in daytime,
> so I think your advice of using cron is a good suggestion. Of course, in
> order to prevent all httpd services from
> stopping at the same time, I think I should set cron for the servers at
> different times. Is that I am in the right way?

Yes, and ideally your DNS switches do not happen at the load peak, so there
should be too much processes restarted when the cron executes.

>
> I also thank you for your suggestions on max/minspareservers. The adjustment
> of them will also be in my plan.
> > you probably should raise it to something more close to MaxRequestWorkers
> > for efficiency.
>
> Do you mean I should adjust it to a daily peak of about 1000?

Yes, that way at the load peak you have the full capacity of processes, and
after the peak they should be killed by MaxConnectionsPerChild at some
point (without being restarted) hence move towards MinSpareservers, until
the next peak..
So you should find the MaxConnectionsPerChild setting that does kill
processes too often at load peak but still kills enough processes after
the peak (during the ramp down).

Regards;
Yann.
Re: [users@httpd] [apache]maxconnectionsperchild problem
Hello,

On Fri, Apr 15, 2022 at 7:39 AM 刘孟 wrote:
>
> During the peak hours of the company's internal servers, the number of sub
> processes (httpd) of
> each server is about 1000, [Maxconnectionsperchild] is currently set to 0. In
> order to be able to
> resolve the access target regularly in DNS, we plan to adjust the value of
> [maxconnectionsperchild]
> to make each child process in half a day that It can be restarted once.
>
> My question is After setting this parameter, if it is possible that 1000
> processes arrive at the same time
> resulting in service interruption?

I suppose that you worry about 1000 processes restarting at the same time
hence all issuing DNS requests (which could disrupt the DNS service)?
If so it is very unlikely that MaxConnectionsPerChild triggers at the same
time on all the children processes because the clients connections
themselves will not have the same lifetime (including keep-alive in between
requests). In my opinion the risk is negligible.

>
> Current server setting of [maxsparechlid = 20] and [minspareechlid = 10]
> If [maxconnectionsperchild] is set, should the settings of these two values
> be adjusted synchronously

(I suppose you are referring to MaxSpareServers and MinSpareServers here)

If the peak is around 1000 connections then MaxSpareServers 20 is probably
too low, if the load fluctuates a little httpd will keep stopping and
recreating the processes all the peak time (there are 980 processes above
the limit from its point of view..). I don't think MaxSpareServers is a
good fit for your goal of restarting processes at least twice a day anyway,
you probably should raise it to something more close to MaxRequestWorkers
for efficiency.

While MaxConnectionsPerChild can help in lowering/restoring the number of
processes after the peak, it's not ideal either for restarting processes in
synchronization with your DNS because there can still be processes that
are restarted just before the DNS have switched and they will not work
until MaxConnectionsPerChild have failed..
Did you think of a cron job (or a trigger) that explicitly restarts httpd
(gracefully) just after the DNS have switched?

Regards;
Yann.
Re: [users@httpd] Re: Are this option
On Thu, Mar 24, 2022 at 9:36 AM Marc Serra wrote:
>
> I tested the settings with Apache Bench ...
>
> ab -l -H 'Accept-Encoding: gzip,deflate' -k -n 1 -c 1000
> https://www.DOMAIN1.TLD/index.html
>
> I'm not sure if the following are good numbers or bad numbers. Can
> anyone help me interpret this result please?

Pretty bad numbers actually, aren't you limited by the network bandwidth
between ab and the server? What are the numbers from ab when it's running
on the server (i.e. ab ... https://localhost/index.html)?
The CPU usage looks high (20%) too for the requested load, but that's
probably on mod_deflate (and TLS handshakes), how does "-H
'Accept-Encoding: gzip,deflate'" change things?

Sorry, more questions than answers, but results on my (poor) laptop look
like:

$ bin/ab -k -n 1 -c 1000 https://localhost:40443/250KB.bin
...
Server Software:        Apache/2.5.1-dev
Server Hostname:        localhost
Server Port:            40443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Server Temp Key:        X25519 253 bits

Document Path:          /250KB.bin
Document Length:        256000 bytes

Concurrency Level:      1000
Concurrency achieved:   1000
Rampup delay:           0 [ms]
Time taken for tests:   2.437 seconds
Complete requests:      1
Failed requests:        0
Keep-Alive requests:    1
Total transferred:      2607109000 bytes
HTML transferred:       2603564800 bytes
Requests per second:    4103.52 [#/sec] (mean)
Time per request:       243.694 [ms] (mean)
Time per request:       0.244 [ms] (mean, across all concurrent requests)
Transfer rate:          1044756.99 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0   34  103.0      0     378
Processing:   181  203    9.6    203     527
Waiting:        0   13    6.9     10     152
Total:        181  237  105.3    203     579

Percentage of the requests served within a certain time (ms)
  50%    203
  66%    206
  75%    209
  80%    212
  90%    517
  95%    552
  98%    563
  99%    567
 100%    579 (longest request)

Or with a shorter resource (1KB) and 10x more requests to amortize the
ramp up:

$ bin/ab -k -n 10 -c 1000 https://localhost:40443/1KB.bin
...
Concurrency Level:      1000
Concurrency achieved:   1000
Rampup delay:           0 [ms]
Time taken for tests:   1.953 seconds
Complete requests:      10
Failed requests:        0
Keep-Alive requests:    99475
Total transferred:      135073187 bytes
HTML transferred:       103209984 bytes
Requests per second:    51202.91 [#/sec] (mean)
Time per request:       19.530 [ms] (mean)
Time per request:       0.020 [ms] (mean, across all concurrent requests)
Transfer rate:          67540.43 [Kbytes/sec] received

Regards;
Yann.
Re: [users@httpd] Re: Are this option
On Fri, Mar 18, 2022 at 8:27 AM Marc Serra wrote:
>
> Thanks for your comments Frank,
>
> Reading the Apache documentation
> (https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html#threadlimit)
> I cannot find the way to calculate an optimal value for ThreadLimit
> and ThreadsPerChild directives for that reason I kept the default
> values (64 and 25).
>
> Can you (or anyone) help me to find the right values?

This script might help for an MPM event configuration based on
MaxRequestWorkers:

```
#!/bin/bash

if [ $# -lt 1 ]; then
    echo>&2 "usage: `basename $0` "
    exit 1
fi

# Some pre-computations
numWorkers=$1
if [ $numWorkers -lt 1000 ]; then
    numProcesses=10
elif [ $numWorkers -lt 1 ]; then
    numProcesses=$(($numWorkers / 100))
else
    numProcesses=100
fi
numThreads=$(($numWorkers / $numProcesses))

cat <
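The archived copy of Yann's script stops at the `cat <` heredoc and has its middle threshold garbled, so here is an added, complete version of the same idea (our code, not Yann's and not part of httpd): it keeps the bucketing the visible part of the script starts with (10 processes below 1000 workers, workers/100 processes in the middle bucket, 100 processes above), assumes the garbled upper bound of the middle bucket was 10000, and emits a full mpm_event block. The choice of StartServers and the spare-thread directives is ours; the one httpd rule it relies on is that mpm_event lowers MaxRequestWorkers to a multiple of ThreadsPerChild and raises MaxSpareThreads to at least MinSpareThreads + ThreadsPerChild, with a warning in each case, so the emitted values already satisfy both.

```shell
#!/bin/sh
# Added example (not Yann's script, not httpd code): derive mpm_event
# process/thread counts from a MaxRequestWorkers target.
# Assumptions (not on the page): the middle bucket's upper bound is 10000,
# and the directive set printed by mpm_event_config is our own.

# mpm_event_plan <MaxRequestWorkers>
# Prints "<processes> <threads-per-process>"; returns 1 on invalid input.
mpm_event_plan() {
    workers=$1
    case $workers in
        ''|*[!0-9]*) return 1 ;;            # empty or non-numeric
    esac
    [ "$workers" -ge 1 ] || return 1
    if [ "$workers" -lt 1000 ]; then
        procs=10
    elif [ "$workers" -lt 10000 ]; then     # assumed threshold
        procs=$((workers / 100))
    else
        procs=100
    fi
    threads=$((workers / procs))
    # Integer division rounds down; bump threads so that
    # ServerLimit * ThreadsPerChild covers the requested workers.
    [ $((procs * threads)) -ge "$workers" ] || threads=$((threads + 1))
    echo "$procs $threads"
}

# mpm_event_config <MaxRequestWorkers>
# Prints a complete mpm_event directive block derived from the plan.
mpm_event_config() {
    plan=$(mpm_event_plan "$1") || return 1
    set -- $plan
    procs=$1
    threads=$2
    # Start a quarter of the processes, at least one.
    start=$((procs / 4))
    [ "$start" -ge 1 ] || start=1
    # Keep one start's worth of idle threads, let up to half the fleet idle
    # before reaping. mpm_event requires
    # MaxSpareThreads >= MinSpareThreads + ThreadsPerChild (it corrects the
    # value and warns otherwise), so enforce that here.
    min_spare=$((threads * start))
    max_spare=$((threads * procs / 2))
    [ "$max_spare" -ge $((min_spare + threads)) ] || max_spare=$((min_spare + threads))
    # MaxRequestWorkers is emitted as ServerLimit * ThreadsPerChild because
    # mpm_event lowers it to a multiple of ThreadsPerChild anyway.
    cat <<EOF
ServerLimit $procs
ThreadLimit $threads
ThreadsPerChild $threads
StartServers $start
MinSpareThreads $min_spare
MaxSpareThreads $max_spare
MaxRequestWorkers $((procs * threads))
MaxConnectionsPerChild 0
EOF
}

# Usage: ./mpm_event_plan.sh 3000
if [ $# -ge 1 ]; then
    mpm_event_config "$1"
fi
```

For 3000 workers this yields 30 processes of 100 threads, StartServers 7, MinSpareThreads 700 and MaxSpareThreads 1500; for inputs that do not divide evenly (4096) the thread count is rounded up rather than silently losing capacity.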
Re: [users@httpd] configure fails using --with-pcre with httpd-2.4.53
On Mon, Mar 14, 2022 at 5:46 PM Ash wrote:
>
> Configure fails for us when building httpd-2.4.53 from source using the
> --with-pcre option. The error occurs on both RHEL 8 and Solaris 11.3. A
> prior release of httpd (httpd-2.4.51) builds successfully in these same
> environments with the same commands.
>
> We're using apr 1.7.0, apr-util 1.6.1, PCRE 8.4.1 and OpenSSL 1.1.1l.
>
> Our configure command is:
> ./configure --prefix=/path/to/apache \
>   --with-crypto --with-openssl=/path/to/ssl \
>   --with-included-apr \
>   --with-pcre=/path/to/pcre \
>   --with-ssl=/path/to/ssl

It should probably be "--with-pcre=/path/to/pcre-config", pointing to the
pcre-config file rather than pcre the installation directory.

Regards;
Yann.
Re: [users@httpd] How to use DH 4096 parameters?
On Sun, Mar 13, 2022 at 3:55 PM Walter Hop wrote:
>
> On my old setup, this was DH 2048, which is considered "insufficient"
> according to internet.nl. I have tried the following things:
>
> 1) use a 4096 bit RSA key and get a new certificate
> 2) generate DH params with: openssl dhparam -out /etc/apache2/dhparam.pem 4096
> 3) in my configuration, added: SSLOpenSSLConfCmd DHParameters
> "/etc/apache2/dhparam.pem"

Step 3) does not work anymore with latest openssl versions, the only way to
configure custom dhparams in httpd is to append them to the certificate
file (see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile).

Regards;
Yann.
Re: [users@httpd] ProxyPass option mapping=servlet hurts mod_rewrite
Hi Hendrik; > > > RewriteRule "^/alpha/gobeta/(.*)$" http://server2.localnet:8080/beta/$1 > > [P] > If the RewriteRule is specified with the option [P] it works correctly. The > request > https://example.ort/alpha/gobeta/anypath is sent to the beta backend. > > > Also, it seems to me that "/alpha/gobeta/.." is not matched by the > > "ProxyPass /beta ...", so it really boils down to the RewriteRule only. > > What do you expect here? > But when I take the option [PT] the behavior changes. Without > "mapping=servlet" the > request is sent to the beta backend. With "mapping=servlet" the request is > replied > by a 404 NOT FOUND. - Is this change of behavior acceptable? I don't think that it's a change in behaviour, what changes is ProxyPass with and without mapping= with regard to the following matches (RewriteRule or ), but existing ProxyPass without mapping= and RewriteRules work like before. The ProxyPass mapping=servlet has to apply some special normalization to the request uri-path (notably stripping path parameters defined by the servlet specification) so that further mapping in httpd works according to the backend application(s) server (e.g. Tomcat), so that authn/authz in and RewriteRules have the same path representation as the backend and can enforce relevant access or forwarding rules. Still the potential path ";parameters" from the original uri-path need to be forwarded to the backend since they will finally be consumed by the applications (which is the point of the servlet specification). So there is no way for a RewriteRule happening *after* this normalization to be able to modify the uri-path (e.g. with a [PT] rule) without losing everything stripped by the normalization, while sending the resulting uri-path to the backend (as I proposed with a [P] rule) would be quite useless actually. 
I'm afraid that the interaction between a ProxyPass mapping=servlet and the following RewriteRules is then limited to non-rewrite rules or rewrite rules that "break" the proxying (like [F] or [R] or internal redirects to a local resource), which is what r1898509 addresses, but reconstructing a servlet uri-path based on the original one and random regex substitutions to the path segments is outside the scope of httpd or mod_proxy modules (this is also why there is no ProxyPassMatch mapping=servlet so far), at least I wouldn't engage in such dev but since httpd is a participative project anyone is free to propose a patch ;) > Maybe it is acceptable cause the option [PT] is the wrong choice if I want > the request > to be replied by the proxied beta backend. > But some inexperienced admins will run into trouble. (like me ;-) Admins have the choice to use a ProxyPass with mapping=servlet which does simple/prefix rewrite like in:
    ProxyPass /alpha/gobeta http://server2.localnet:8080/beta mapping=servlet
which should be enough for most use cases (including your simple example) without any RewriteRule (besides eventually to prevent this ProxyPass from applying by using some further [R], [F] or (internal) redirect rules, or yet some policies); Or admins can use a ProxyPass[Match] without mapping=servlet and then RewriteRules/, but then they need to take path parameters into account in the regexes (which is not very practical if not impossible in some cases). Best of both worlds where httpd does application specific normalization and restores it across all possible rewrites is not something someone has proposed to implement so far.. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
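An added illustration, not code from the thread or from mod_proxy: what the servlet normalization described above does to a request path before later RewriteRules see it, and which ProxyPass prefix then matches. The stripping rule (drop ";name=value" from every path segment) is an approximation written for this example; hostnames and paths are the thread's.

```sh
#!/bin/sh
# Added example, not part of the thread: what "ProxyPass ... mapping=servlet"
# normalization does to a request path before the RewriteRules that follow
# see it, and what a ProxyPass prefix matches afterwards. The stripping rule
# (drop ";name=value" from every path segment) is an approximation written
# for this illustration, not mod_proxy's code.

# Strip servlet path parameters from each segment: /a;x=1/b;y=2 -> /a/b
servlet_normalize() {
    printf '%s\n' "$1" | sed 's/;[^/]*//g'
}

# ProxyPass-style prefix match on a normalized path: the prefix must end at a
# segment boundary, so "/beta" matches "/beta" and "/beta/x" but not "/betas".
proxypass_matches() {
    pfx=$1; path=$2
    case "$path" in
        "$pfx"|"$pfx"/*) return 0 ;;
        *)               return 1 ;;
    esac
}

# The thread's request, with path parameters a servlet container would consume
req='/alpha;x=1/gobeta/test;jsessionid=ABC'
norm=$(servlet_normalize "$req")
echo "request:    $req"
echo "normalized: $norm"
for prefix in /beta /alpha/gobeta; do
    if proxypass_matches "$prefix" "$norm"; then
        echo "ProxyPass $prefix ... mapping=servlet matches: the original path, ;parameters included, is forwarded"
    else
        echo "ProxyPass $prefix ... does not match: a later RewriteRule to $prefix/... only has the normalized path and would drop ';jsessionid=ABC'"
    fi
done
```

The loop output is the point of the reply above in miniature: only a ProxyPass whose prefix matches the normalized path keeps the parameters, because mod_proxy still holds the original; anything a RewriteRule builds from the normalized path has already lost them.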
Re: [users@httpd] ProxyPass option mapping=servlet hurts mod_rewrite
On Thu, Mar 3, 2022 at 12:24 PM Yann Ylavic wrote: > > Hi Hendrik; > > > > > after reading your commit comment in https://svn.apache.org/r1898509 I > > realised that one important test case is missing: > > What happens if mod_rewrite manipulates the URL of a target that is proxied > > with the option mapping=servlet? > > > > From my point of view this test case fails. :-( > >ProxyPass /beta http://server2.localnet:8080/beta mapping=servlet > >RewirteRule "^/alpha/gobeta" /beta [PT,L] > > Calling https://example.org/alpha/gobeta/test sends back a 404 instead > > the beta content. > > In this case mod_proxy could not map the requests to the beta backend. > > Given that "ProxyPass ... mapping=servlet" applies before the > RewriteRule, I don't see how you can have a RewriteRule [PT] that > either "cancels" the ProxyPass (like in your RewriteMap examples) > and/or that rewrites the uri but keeps proxying (like in the above > example). > > Isn't: > RewriteRule "^/alpha/gobeta/(.*)$" http://server2.localnet:8080/beta/$1 [P] > (or alike) what you are looking for in the above example? Also, it seems to me that "/alpha/gobeta/.." is not matched by the "ProxyPass /beta ...", so it really boils down to the RewriteRule only. What do you expect here? > > Regards; > Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] ProxyPass option mapping=servlet hurts mod_rewrite
Hi Hendrik; > > after reading your commit comment in https://svn.apache.org/r1898509 I > realised that one important test case is missing: > What happens if mod_rewrite manipulates the URL of a target that is proxied > with the option mapping=servlet? > > From my point of view this test case fails. :-( >ProxyPass /beta http://server2.localnet:8080/beta mapping=servlet >RewirteRule "^/alpha/gobeta" /beta [PT,L] > Calling https://example.org/alpha/gobeta/test sends back a 404 instead the > beta content. > In this case mod_proxy could not map the requests to the beta backend. Given that "ProxyPass ... mapping=servlet" applies before the RewriteRule, I don't see how you can have a RewriteRule [PT] that either "cancels" the ProxyPass (like in your RewriteMap examples) and/or that rewrites the uri but keeps proxying (like in the above example). Isn't: RewriteRule "^/alpha/gobeta/(.*)$" http://server2.localnet:8080/beta/$1 [P] (or alike) what you are looking for in the above example? Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] ProxyPass option mapping=servlet hurts mod_rewrite
Hi, > > I have applied your patch to my httpd-2.4.52 and created two test cases. > One with a simple RewriteRule and a second one using a RewriteMap. > Both are working fine. :-) Thanks for testing! Now checked in https://svn.apache.org/r1898509 Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] ProxyPass option mapping=servlet hurts mod_rewrite
Hi Hendrik, > > Is this a bug or do I have to use the "mapping=servlet" option very carefully? I'd say both.. mod_proxy mapping= acts very early in request processing and kind of "appropriates" the request URI to mod_proxy, confusing mod_rewrite, so it's probably a bug because your use case is legitimate and should be handled. But you'll also have to be careful because early mapping also means that the normalization applied to the request URI depends on the mapping, so the URI as seen by mod_rewrite and/or sections depends on the mapping. For instance mapping=servlet/decoded will not %-decode the URI internally (besides the "unreserved" characters as defined by the RFC), so you could have to use the %-encoded form of some characters in a RewriteRule to match special URIs (this is not the case in your exemple configuration, I'm warning just in case..). Anyway, could you please try the attached patch and see if it works for you? Regards; Yann. Index: modules/mappers/mod_rewrite.c === --- modules/mappers/mod_rewrite.c (revision 1898463) +++ modules/mappers/mod_rewrite.c (working copy) @@ -4576,7 +4576,7 @@ static int hook_uri2file(request_rec *r) unsigned int port; int rulestatus; void *skipdata; -const char *oargs; +char *ofilename, *oargs; /* * retrieve the config structures @@ -4629,7 +4629,10 @@ static int hook_uri2file(request_rec *r) /* * remember the original query string for later check, since we don't * want to apply URL-escaping when no substitution has changed it. + * also, we'll restore original r->filename if we decline this + * request. */ +ofilename = r->filename; oargs = r->args; /* 
@@ -4672,13 +4675,14 @@ static int hook_uri2file(request_rec *r) apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URI, var); if (!(saved_rulestatus = apr_table_get(r->notes,"mod_rewrite_rewritten"))) { -/* if filename was not initially set, - * we start with the requested URI +/* if r->filename was not initially set, or if proxy_pre_translate_name() + * set its reverse "proxy:" URL, we start with the requested URI */ -if (r->filename == NULL) { +if (r->filename == NULL || r->proxyreq == PROXYREQ_REVERSE) { r->filename = apr_pstrdup(r->pool, r->uri); -rewritelog((r, 2, NULL, "init rewrite engine with requested uri %s", -r->filename)); +rewritelog((r, 2, NULL, "init rewrite engine with requested uri " +"%s. Original filename = %s", +r->filename, ofilename ? ofilename : "n/a")); } else { rewritelog((r, 2, NULL, "init rewrite engine with passed filename " @@ -4702,6 +4706,7 @@ static int hook_uri2file(request_rec *r) if (rulestatus) { unsigned skip; apr_size_t flen; +int to_proxyreq; if (ACTION_STATUS == rulestatus) { int n = r->status; @@ -4711,7 +4716,19 @@ static int hook_uri2file(request_rec *r) } flen = r->filename ? strlen(r->filename) : 0; -if (flen > 6 && strncmp(r->filename, "proxy:", 6) == 0) { +to_proxyreq = (flen > 6 && strncmp(r->filename, "proxy:", 6) == 0); + +/* If a proxy reverse/pre_trans filename was rewritten to a new uri + * this is not a proxy request anymore. + */ +if (r->proxyreq == PROXYREQ_REVERSE && !to_proxyreq) { +if (r->handler && strcmp(r->handler, "proxy-server") == 0) { +r->handler = NULL; +} +r->proxyreq = PROXYREQ_NONE; +} + +if (to_proxyreq) { /* it should be go on as an internal proxy request */ /* check if the proxy module is enabled, so 
@@ -4735,9 +4752,7 @@ static int hook_uri2file(request_rec *r) r->filename = apr_pstrcat(r->pool, r->filename, r->path_info, NULL); } -if ((r->args != NULL) -&& ((r->proxyreq == PROXYREQ_PROXY) -|| (rulestatus == ACTION_NOESCAPE))) { +if (r->args && (r->proxyreq || rulestatus == ACTION_NOESCAPE)) { /* see proxy_http:proxy_http_canon() */ r->filename = apr_pstrcat(r->pool, r->filename, "?", r->args, NULL); @@ -4878,7 +4893,9 @@ static int hook_uri2file(request_rec *r) } } else { -rewritelog((r, 1, NULL, "pass through %s", r->filename)); +rewritelog((r, 1, NULL, "pass through %s (%s)", +r->filename, ofilename)); +r->filename = ofilename; return DECLINED; } } @@ -5213,7 +5230,8 @@ static int hook_fixup(request_rec *r) } } else { -rewritelog((r, 1,
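Review bot: in the hunk at @@ -4672 the new condition `r->filename == NULL || r->proxyreq == PROXYREQ_REVERSE` treats every PROXYREQ_REVERSE request as one whose filename was set by mod_proxy's pre_trans hook, so a reverse-proxy filename set by another module running before mod_rewrite would be replaced with r->uri as well; a comment stating that assumption, or a check that r->filename starts with "proxy:", would make the intent explicit. The `ofilename ? ofilename : "n/a"` guard on the log line is good.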
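Review bot: in the hunk at @@ -4702/@@ -4711 the block that clears r->proxyreq and r->handler when `r->proxyreq == PROXYREQ_REVERSE && !to_proxyreq` runs for every rulestatus, including the ACTION_STATUS case handled just above it; that is correct for [R]/[F] rules since the request is no longer proxied, but deserves a comment. Also `strcmp(r->handler, "proxy-server") == 0` hardcodes the handler name mod_proxy sets in its pre_trans hook, so a rename on the mod_proxy side would silently disable this reset; a shared define or exported helper would be safer.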
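Review bot: in the hunk at @@ -4735, `if (r->args && (r->proxyreq || rulestatus == ACTION_NOESCAPE))` widens the old PROXYREQ_PROXY-only test to PROXYREQ_REVERSE (and PROXYREQ_RESPONSE); please confirm that proxy_http_canon(), which the comment points to, does not also re-append r->args to a "proxy:" filename that already carries "?args", otherwise a reverse-proxied rewrite could forward a doubled query string.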
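Review bot: in the hunk at @@ -4878, restoring `r->filename = ofilename` before `return DECLINED` is the right fix for the pass-through case, but the rewritelog call just above formats ofilename with `%s` without the NULL guard used on the init log line earlier in the same patch; use the same `ofilename ? ofilename : "n/a"` form for consistency.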
Re: [users@httpd] adding cloudstack to our internal cloud
Hi, On Mon, Nov 15, 2021 at 8:27 PM Mohamad Bannout wrote: > > First time user here, > > We have private cloud setup in our company using vmware with only vcenter for > management, I’m considering adding cloudstack to the mix. You probably want to contact the Apache Cloudstack users mailing list [1], we can't answer your questions here (Apache HTTP Server users). Regards; Yann. [1] https://cloudstack.apache.org/mailing-lists.html - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Problem when compiling httpd-2.4.51 on MacOSX
Hi, On Mon, Nov 15, 2021 at 7:33 PM Israel Timoteo wrote: > > mod_ext_filter.c:372:10: error: implicit declaration of function > 'apr_procattr_limit_set' is invalid in C99 > [-Werror,-Wimplicit-function-declaration] What's the definition of APR_HAVE_STRUCT_RLIMIT in /opt/local/apr-1.7.0/include/apr.h ? Please show the "config.log" file from the apr-1.7.0 build. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Issue with Apache 2.4.51 hanging
On Tue, Oct 26, 2021 at 7:36 PM Patrick Verdon wrote: > > Do you know who maintains mod_php, is it worth following up with them? I'd suggest reporting the issue to the php maintainers (https://bugs.php.net/). It may ring a bell there.. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Linking a third party library with httpd during installation
On Wed, Oct 20, 2021 at 10:55 PM Shariful Alam wrote: > > I do not understand why it shows my C compiler is not working? The config.log > https://pastebin.com/U72JMZqF This is because "./configure" will try to run this command to test the compile: gcc -DSSL_EXPERIMENTAL_ENGINE -DSSL_ENGINE -DOPENSSL_LOAD_CONF -g -O2 -pthread -DLINUX -D_REENTRANT -D_GNU_SOURCE -L./libxxx -Wl,-Bstatic -lxxx -Wl,-rpath=/opt/openssl/lib conftest.c which raises: 1. /usr/bin/ld: cannot find -lxxx 2. /usr/bin/ld: cannot find -lgcc_s 3. /usr/bin/ld: cannot find -lgcc_s You probably can address 1. by using the real lib name. For 2. and 3. I'd suggest: LDFLAGS='-L./libxxx -Wl,-Bstatic -lxxx -Wl,-Bdynamic -Wl,-rpath=/opt/openssl/lib' because only the libs between -Bstatic and -Bdynamic should be linked statically. Though probably the '-Wl,-Bstatic -lxxx -Wl,-Bdynamic' belongs more in LIBS=... Also note that you could use NOTEST_LDFLAGS and NOTEST_LIBS (instead of LDFLAGS and LIBS) for them to apply to the httpd linking only (they won't be added to all the gcc tests run by ./configure). They need to be correct still, otherwise ./configure will pass but not make.. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
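An added example, not from the thread: a guard for the -Bstatic/-Bdynamic advice above, and the configure invocation that keeps the static library out of configure's own compile tests. "libxxx" and the /opt paths are the placeholders used in the thread, not real names.

```sh
#!/bin/sh
# Added example, not from the thread: a guard for the -Bstatic/-Bdynamic
# advice above, and the configure invocation that keeps the static library out
# of configure's own compile tests. "libxxx" and the /opt paths are the
# placeholders used in the thread, not real names.

# Walk the linker flags left to right and fail if a -Wl,-Bstatic is still in
# effect at the end: every library that follows it, including gcc's own
# libgcc_s (which only exists as a shared object), would then be looked up as
# a .a and the link fails with "cannot find -lgcc_s" as in the log above.
bstatic_balanced() {
    mode=dynamic
    for tok in $1; do
        case "$tok" in
            -Wl,-Bstatic|-Bstatic)   mode=static ;;
            -Wl,-Bdynamic|-Bdynamic) mode=dynamic ;;
        esac
    done
    [ "$mode" = dynamic ]
}

# Configure httpd with libxxx linked statically into httpd only.
# NOTEST_LDFLAGS/NOTEST_LIBS are httpd configure variables that are left out
# of configure's compiler tests; as noted above they still have to be right,
# otherwise configure passes and make fails.
configure_httpd() {
    libs='-L./libxxx -Wl,-Bstatic -lxxx -Wl,-Bdynamic'
    bstatic_balanced "$libs" || { echo "unbalanced -Bstatic in LIBS: $libs" >&2; return 1; }
    NOTEST_LIBS="$libs" \
    NOTEST_LDFLAGS='-Wl,-rpath=/opt/openssl/lib' \
    ./configure --prefix=/opt/httpd --with-ssl=/opt/openssl "$@"
}
```

Run `bstatic_balanced` on whatever ends up in LIBS/LDFLAGS before calling configure; the same check applies to NOTEST_LIBS, since the final `make` link uses them.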
Re: [users@httpd] timeout and keepalive parameter in ProxyPass
On Wed, Oct 13, 2021 at 4:22 PM Usha Nayak wrote: > > Need help in understanding the highlighted parameters: > > ProxyPass "/example" "http://backend.example.com; timeout=3600 keepalive=On > > keepalive parameter - As I understand relates to TCP or socket keep alive > probes that are sent to prevent idle connection. > > My confusion is : > > Assuming the backend server takes 4 hrs to process a request and I have > 'keepalive on' in Apache httpd with the OS setting to send tcp probes every 2 > minutes. Backend server and Apache httpd are sending TCP keep alive packets > to indicate the socket connection is not idle. > > In this case, would the 'apache httpd' close the connection in 1 hr ( > timeout = 3600) because the 'apache httpd' didn't get the http data? Yes, the timeout= parameter sets the inactivity timeout for the backend connection. If reading from or writing to this connection takes more time than the timeout= value then the connection is forcibly closed and an error (504) is returned to the client. The keepalive= parameter is to enable the TCP keepalive mechanism on the connection at the operating system level (SO_KEEPALIVE socket option). As you noted it consists of periodic TCP probes sent by the OS on the connection to prevent intermediaries/routers/firewalls from closing it due to their own TCP inactivity timeout, and also to detect whether the peer is still connected (by acking the probes). The settings for the probes period, ack timeout and number of retries happen at the OS level for all the connections, that's why keepalive= is a simple on/off. Note that the ProxyPass keepalive= parameter must not be confused with the "KeepAlive on/off" directive pertaining to the client connection. The KeepAlive and KeepAliveTimeout directives are about the lifetime of the client connection in between HTTP transactions.
Once a request has been handled and a response was sent to the client the KeepAliveTimeout is the time to wait for the next request on the same connection (if "KeepAlive off" the connection is closed immediately and thus each connection handles a single request/response only). FWIW, here is the correspondence between the client side and backend side settings regarding timeout and keepalive:

    Client side:            Proxy/Backend side:
    Timeout N           <=> timeout=N
    KeepAlive On/Off    <=> enablereuse=On/Off
    KeepAliveTimeout N  <=> ttl=N
    [*Always On*]       <=> keepalive=On/Off

Hope that helps.. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Issue with Apache 2.4.51 hanging
Hi Patrick, On Mon, Oct 18, 2021 at 10:13 PM Patrick Verdon wrote: > > Just a quick follow up - we've tried removing mod_http2 but still managed to > provoke a crash. See the error_log below when stopping/restarting after httpd > becomes unresponsive. It seems to have eliminated the "reslist_cleanup: Assertion `rl->ntotal == 0' failed" and "Aborted (6)" errors, which was the primary goal. Hopefully the other "corrupted size vs. prev_size" and "Segmentation fault (11)" errors were related but it does not seem to be the case.. > We need to be a bit more careful removing other modules to make sure they're > not used, which is more time consuming - do you think this is still worth > doing to address the issue? I can't tell this from the few pieces of information available so far. > > If you have any other suggestions let me know. Since httpd is now crashing with "Segmentation fault" (only), there is a way to get a coredump file generated for further analysis, you need to add this to your main/base httpd configuration: CoreDumpDirectory /tmp After each crash there should be a "/tmp/core" (or "/tmp/core.[pid]") file which can be analysed with the gdb debugger, by using these commands: $ gdb /usr/sbin/httpd /tmp/core[.pid] [and once in gdb with the "(gdb)" prompt] (gdb) thread apply all bt Please paste the result here. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
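An added example, not from the thread: the checks worth running before relying on "CoreDumpDirectory /tmp" to produce a file, and the gdb commands above in a non-interactive form. Binary and core paths are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: the checks worth running before relying
# on "CoreDumpDirectory /tmp" to produce a file, and the gdb commands above in
# a non-interactive form. Binary and core paths are placeholders.

# 1. The directory must exist and be writable by the unprivileged user the
#    child processes run as (User directive), not only by root; run this
#    check as that user, or compare ownership and mode by hand.
core_dir_usable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# 2. Linux: if kernel.core_pattern starts with "|", the kernel pipes the core
#    to a helper (systemd-coredump, apport, ...) and nothing appears in
#    CoreDumpDirectory; retrieve it from that tool instead (e.g. coredumpctl).
#    With no argument the live setting is read.
core_pattern_is_piped() {
    pattern=${1:-$(cat /proc/sys/kernel/core_pattern 2>/dev/null)}
    case "$pattern" in
        "|"*) return 0 ;;
        *)    return 1 ;;
    esac
}

# 3. The core size limit of the httpd process must not be 0 (ulimit -c in an
#    init script, LimitCORE= in the systemd unit). Setting CoreDumpDirectory
#    also makes httpd re-enable dumps after it drops root privileges, which
#    Linux otherwise disables for processes that changed uid.
core_limit_ok() {
    lim=$(ulimit -c)
    [ "$lim" != 0 ]
}

# Batch form of "gdb httpd core" + "thread apply all bt": every thread's
# stack, which is what to paste to the list, not just the crashing one.
backtrace_all() {
    gdb -batch -ex 'thread apply all bt' "$1" "$2"
}

# All three checks for a CoreDumpDirectory (default /tmp).
core_dump_preflight() {
    dir=${1:-/tmp}
    core_dir_usable "$dir" || echo "$dir is not a writable directory for this user"
    if core_pattern_is_piped; then
        echo "kernel.core_pattern pipes cores to a helper; CoreDumpDirectory will stay empty"
    fi
    core_limit_ok || echo "core size limit is 0 in this shell; check httpd's LimitCORE / ulimit -c"
}
```

Usage: `core_dump_preflight /tmp` before provoking the crash, then `backtrace_all /usr/sbin/httpd /tmp/core.1234` on the resulting file. With a distribution package, install the matching httpd debuginfo first, otherwise the backtrace is mostly `??` frames.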
Re: [users@httpd] Issue with Apache 2.4.51 hanging
Hi Patrick, On Mon, Oct 18, 2021 at 11:27 AM Patrick Verdon wrote:
> # cat /var/log/httpd/error_log
> httpd: misc/apr_reslist.c:161: reslist_cleanup: Assertion `rl->ntotal == 0' failed.
[]
> *** Error in `/usr/sbin/httpd': corrupted size vs. prev_size: 0x557f94567e4f ***
[]
> httpd: misc/apr_reslist.c:161: reslist_cleanup: Assertion `rl->ntotal == 0' failed.
> [Sun Oct 17 15:53:47.990497 2021] [core:notice] [pid 2620] AH00052: child pid 3166 exit signal Aborted (6)
[]
> [Sun Oct 17 15:53:47.990781 2021] [core:notice] [pid 2620] AH00052: child pid 2741 exit signal Segmentation fault (11)
> *** Error in `/usr/sbin/httpd': corrupted size vs. prev_size: 0x557f94567e4f ***
[]
> [Sun Oct 17 15:53:48.056599 2021] [core:notice] [pid 2620] AH00052: child pid 2727 exit signal Aborted (6)
> [Sun Oct 17 15:53:48.056667 2021] [mpm_prefork:notice] [pid 2620] AH00169: caught SIGTERM, shutting down
The log seems to show a stop then start sequence (which is possibly what "service httpd restart" does), anyway the stop crashes child processes that at some point have reserved/handled mod_proxy connections. We will discuss whether/how to fix this on the dev@ mailing list, in the meantime I'd suggest that:
> [Sun Oct 17 15:53:48.180621 2021] [http2:warn] [pid 3581] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
.. you do not "LoadModule http2_module mod_http2.so" in your MPM prefork configuration, because due to its multithreaded nature (unlike MPM prefork) mod_http2 implies that mod_proxy will have to allocate/handle multiple simultaneous connections to the backend which is what is causing the crash here.
> [Sun Oct 17 15:53:48.181146 2021] [lbmethod_heartbeat:notice] [pid 3581] > AH02282: No slotmem from mod_heartmonitor Likewise you probably don't need lbmethod_heartbeat and several modules in your list, so I'd suggest that you cleanup your LoadModules a bit, ideally to the strict minimum needed. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Httpd is hanging intermittently
On Wed, Sep 22, 2021 at 8:12 PM alchemist vk wrote: > > I am pretty sure, we not changed anything related to httpd config for quite a > time time and have no idea, why this issue started getting manifested now. Which operating system and openssl version are you using? Did you upgrade openssl recently? What are your SSLRandomSeed settings? Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] httpd SIGILL
On Fri, Jul 2, 2021 at 2:09 PM RONDEC JUNE RUBIO wrote: > > I have not tried to repro the issue with higher version. Is it known issue? Not to me (doesn't ring a bell). But I'm not very inclined to investigate if it's already fixed.. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] httpd SIGILL
Hi, On Fri, Jul 2, 2021 at 8:04 AM RONDEC JUNE RUBIO wrote: > > I've been investigating this issue with httpd corrupted memory and throwing > SIGILL. I can pinpoint what makes the memory corrupted. Is this known issue > guys could someone shed some light. > > callstack : > Core was generated by `/usr/sbin/httpd -k start -D SSL'. > Program terminated with signal SIGILL, Illegal instruction. > #0 ap_die (r=0x7f9403ba08, type=-1811695096) at > /usr/src/debug/apache2/2.4.41-r0/httpd-2.4.41/modules/http/http_request.c:817 Can you still reproduce with httpd-2.4.48? Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Bug in mod_proxy_balancer or just a bad configuration?
On Fri, Jun 18, 2021 at 10:35 AM Yann Ylavic wrote: > > Hi Daniel, Hi Nick, sorry.. (Hi Daniel too though!) - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Bug in mod_proxy_balancer or just a bad configuration?
Hi Daniel, How do you monitor this, by looking at the request Cookie header sent by the browser or the Set-Cookie sent by httpd?
>>
>> Header add Set-Cookie "RZROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
What if you configure "path=/rz" here ...
>> BalancerMember http://www.google.com route=01
>> BalancerMember http://www.yahoo.com route=02
>> ProxySet stickysession=RZROUTEID
>>
>> Header add Set-Cookie "RZ2ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
And "path=/rz2" here ?
>> BalancerMember http://www.fox.com route=03
>> BalancerMember http://www.cnn.com route=04
>> ProxySet stickysession=RZ2ROUTEID
>>
Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Apache Reverse Proxy SSL to TOMCAT no SSL
Hi, On Tue, Jun 1, 2021 at 5:24 PM Carlos Castro wrote: > > > [] > ProxyRequests On You probably should remove the above line (which is not in the non-SSL virtual host by the way). Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
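An added example, not from the thread, on why that line should go: "ProxyRequests On" turns httpd into a forward proxy for anyone who can reach it (an open proxy unless every Proxy block carries access control), while a reverse proxy to Tomcat only needs ProxyPass/ProxyPassReverse, which work with the default "ProxyRequests Off". The first function finds leftover "ProxyRequests On" lines across config files; the second probes a running server the way an abuser would. File names and hosts are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: find leftover "ProxyRequests On" lines
# (forward proxying, which a reverse proxy does not need) and probe a server
# for open-proxy behaviour. File names and hosts are placeholders.

# Print file:line:text for every uncommented "ProxyRequests On" in the given
# files; exit status 0 if at least one was found, 1 otherwise. /dev/null is
# added so grep always prefixes the file name, even for a single file.
find_proxyrequests_on() {
    grep -n -i -E '^[[:space:]]*ProxyRequests[[:space:]]+On([[:space:]]|$)' "$@" /dev/null
}

# Ask the server to fetch a foreign absolute URL for us; a reverse proxy must
# answer with an error (typically 403 or 404), never with the third party's
# content. Needs curl and network access; not run by the checks below.
open_proxy_probe() {
    server=$1   # e.g. https://reverse-proxy.example.com
    code=$(curl -s -o /dev/null -w '%{http_code}' -x "$server" 'http://example.org/')
    case "$code" in
        2*) echo "$server: answered $code for a foreign URL: open proxy"; return 1 ;;
        *)  echo "$server: ${code:-no answer} for a foreign URL: not forwarding"; return 0 ;;
    esac
}

# Typical use:
#   find_proxyrequests_on /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf
#   open_proxy_probe https://reverse-proxy.example.com
```

Check every included file, not only the vhost being debugged: ProxyRequests is a server-wide setting and a stray "On" in another include has the same effect.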
Re: [users@httpd] Why so much difference in memory used per process in apache2 between two different systems
Hi, On Mon, May 17, 2021 at 1:34 PM Marc Serra wrote: > > I have a pair of Ubuntu dedicated servers... > > Server1: > Ubuntu 16.04.7 (64 bits) > 16GB RAM > 8 Xeon CPU > Apache 2.4.18 > MPM mode: prefork > > Server2: > Ubuntu server 20.04.2 (64 bits) > 32GB RAM > 8 Xeon CPU > 2.4.41 > MPM mode: event MPM prefork is single threaded, while MPM event uses multiple threads, and each thread "consumes" 8MB of rss (for its stack) on a typical linux system. The default thread stack size can be changed with "ulimit -s" (or LimitSTACK= on systemd), depending on the loaded modules and their stack "consumption". I usually run httpd with "ulimit -s 512" (KB) without issues, but this needs testing in your environment (i.e. no crash).. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] mod_proxy_hcheck response timeout?
Hi Daniel, On Thu, Apr 22, 2021 at 12:21 PM Daniel Ferradal wrote: > > Is my approach correct? As with most initial approaches to a specific > scenario, this may very well be the case, which other approach do you > suggest? I think that it's missing in the code but can't think of a workaround. Is the attached patch working for you? Regards; Yann. Index: modules/proxy/mod_proxy_hcheck.c === --- modules/proxy/mod_proxy_hcheck.c (revision 1888249) +++ modules/proxy/mod_proxy_hcheck.c (working copy) @@ -491,10 +491,12 @@ static proxy_worker *hc_get_hcworker(sctx_t *ctx, hc->hash.def = hc->s->hash.def = ap_proxy_hashfunc(hc->s->name, PROXY_HASHFUNC_DEFAULT); hc->hash.fnv = hc->s->hash.fnv = ap_proxy_hashfunc(hc->s->name, PROXY_HASHFUNC_FNV); hc->s->port = port; -if (worker->s->conn_timeout_set) { -hc->s->conn_timeout_set = worker->s->conn_timeout_set; -hc->s->conn_timeout = worker->s->conn_timeout; -} +hc->s->conn_timeout_set = worker->s->conn_timeout_set; +hc->s->conn_timeout = worker->s->conn_timeout; +hc->s->ping_timeout_set = worker->s->ping_timeout_set; +hc->s->ping_timeout = worker->s->ping_timeout; +hc->s->timeout_set = worker->s->timeout_set; +hc->s->timeout = worker->s->timeout; /* Do not disable worker in case of errors */ hc->s->status |= PROXY_WORKER_IGNORE_ERRORS; /* Mark as the "generic" worker */ - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
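Review bot: dropping the `if (worker->s->conn_timeout_set)` guard is fine because the `_set` flag is now copied alongside the value, but the hunk also makes the health-check worker inherit the member's `timeout` and `ping_timeout`, so a short timeout= chosen for client traffic now bounds the health check as well; that behaviour change should be stated in the mod_proxy_hcheck documentation, and the three pairs of assignments would read better under one comment saying that the check inherits the member's connect/ping/io timeouts.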
Re: [users@httpd] Re: Help: Building httpd from source with specific (different than system default) OpenSSL
On Wed, Apr 7, 2021 at 10:56 PM Shariful Alam wrote: > > Yes, I'm looking for libssl. But not the default one. Here, you can see that > my mod_ssl.so is still linked with the default libssl. However, during httpd > installation, I use the following configuration, > > CFLAGS='-DSSL_EXPERIMENTAL_ENGINE -DSSL_ENGINE -DOPENSSL_LOAD_CONF' > ./configure --prefix=/etc/apache2 --enable-ssl --with-ssl=/opt/openssl/ssl > --with-pcre=/usr/local/pcre --enable-so > > so, my understanding is, with the above configuration, after a successful > build, my mod_ssl should be linked with the libssl.so (/opt/openssl/ssl) not > with the default (/lib/x86_64-linux-gnu/) Try adding LDFLAGS='-L/opt/openssl/ssl/lib -Wl,-rpath,/opt/openssl/ssl/lib' here too in addition to (or even instead of) the CFLAGS. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Help: Building httpd from source with specific (different than system default) OpenSSL
Hello, On Wed, Apr 7, 2021 at 10:30 AM Shariful Alam wrote: > > root@:/etc/apache2/bin# ldd httpd > linux-vdso.so.1 => (0x7fffe4df9000) > libpcre.so.1 => /usr/local/pcre/lib/libpcre.so.1 (0x7ff2ad391000) > libaprutil-1.so.0 => /usr/local/apr/lib/libaprutil-1.so.0 (0x7ff2ad16b000) > libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x7ff2acf38000) > libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7ff2acd1b000) > libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7ff2ac951000) > libexpat.so.0 => /usr/local/apr/lib/libexpat.so.0 (0x7ff2ac729000) > libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x7ff2ac4f1000) > libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7ff2ac2ed000) > /lib64/ld-linux-x86-64.so.2 (0x7ff2ad5ae000) > > Any comment on what I'm doing wrong? And How can I fix it? httpd itself needs no link to openssl, mod_ssl does though. So you should have a look at: # ldd /etc/apache2/modules/mod_ssl.so Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
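An added example, not from the thread: check which libssl/libcrypto a built mod_ssl.so really resolves, so a build meant to use /opt/openssl/ssl is verified before httpd is started. The parser is kept separate from the ldd call so it can be exercised on captured output; paths are the thread's placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: verify which libssl/libcrypto a built
# mod_ssl.so resolves at load time. Paths are the thread's placeholders.

# Read ldd output on stdin, print the resolved path of the first library
# whose file name starts with $1 (libssl, libcrypto, ...), nothing if absent.
resolved_lib() {
    awk -v lib="$1" 'index($1, lib) == 1 && $2 == "=>" { print $3; exit }'
}

# 0 if path $1 lies under directory $2
under_prefix() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Verify that shared object $1 resolves library $2 somewhere under $3.
check_linked_under() {
    so=$1; lib=$2; prefix=$3
    path=$(ldd "$so" | resolved_lib "$lib")
    if under_prefix "$path" "$prefix"; then
        echo "$so: $lib -> $path"
    else
        echo "$so: $lib -> ${path:-not linked}; expected something under $prefix" >&2
        return 1
    fi
}

# Typical use after "make install" (not run by the checks below):
#   check_linked_under /etc/apache2/modules/mod_ssl.so libssl    /opt/openssl/ssl
#   check_linked_under /etc/apache2/modules/mod_ssl.so libcrypto /opt/openssl/ssl
```

Both libraries should come from the same tree; a mod_ssl compiled against the headers in /opt/openssl/ssl but resolving the distribution's libssl is exactly the mismatch shown in the thread, and at startup mod_ssl reports the library it actually loaded in the error log at info level (AH01876, "compiled against Server: ..., Library: OpenSSL/..."), which is a second place to confirm the fix.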
Re: [users@httpd] Re: External exception in httpd
On Thu, Apr 1, 2021 at 8:56 AM Michael Rabatscher wrote: > > we always use the precompiled version from > https://www.apachelounge.com/download/ > (httpd-2.4.46-win32-VS16.zip) Hopefully it's fixed in [1], if you could apply this patch and test it would help backporting it to 2.4. If you don't build httpd yourself, you may want to ask on apachelounge that they create a version including it (possibly Steffen is listening here anyway and can help ;) Regards; Yann. [1] https://svn.apache.org/r1888266 - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Re: External exception in httpd
On Wed, Mar 31, 2021 at 12:56 PM Christophe JAILLET wrote: > > On 30/03/2021 at 11:30, Michael Rabatscher wrote: > > > > system exception (code 0xc008) > > > > which as far as I could research is due to a double CloseHandle call in > > libapr > > > > could be a duplicate of https://bz.apache.org/bugzilla/show_bug.cgi?id=59798 If so it should be fixed in APR-1.7.0, which APR version are you using Michael? Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Apache 2.4.37 graceful restart causes error “scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.”
On Wed, Mar 31, 2021 at 1:49 AM A.J. Gatlin wrote: > > For now, I'm trying to solve the problem by increasing some MPM parameters, > but it's all a bit nebulous, since I'll never be completely sure that the > values are sufficient to prevent another deadlock situation in which the > server just hangs. I usually configure something like this, based on the maximum number of simultaneous clients/workers needed (numWorkers).

    # Some pre-computations
    numWorkers = [your needs]
    if numWorkers < 1000
        numProcesses = 10
    elif numWorkers < 10000
        numProcesses = numWorkers / 100
    else
        numProcesses = 100
    endif
    numThreads = numWorkers / numProcesses

    # MPM settings
    StartServers            1
    ServerLimit             $numProcesses * 2.5
    ThreadLimit             $numThreads
    ThreadsPerChild         $numThreads
    MinSpareThreads         $numThreads
    MaxSpareThreads         $numWorkers / 2
    MaxRequestWorkers       $numWorkers
    MaxConnectionsPerChild  0

Hth.. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
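An added, complete version of the sizing recipe above (the same recipe whose script appears, cut off, in the March 2022 ThreadLimit/ThreadsPerChild thread earlier on this page); it is example code, not the script from either post. The thresholds (1000 and 10000 workers, at most 100 processes) and the ServerLimit factor of 2.5 are the ones in the recipe; the 2.5 is applied in integer arithmetic, rounded up.

```sh
#!/bin/sh
# Added example (not code from the list posts): the MaxRequestWorkers-based
# sizing recipe as a reusable function. The thresholds (1000 and 10000
# workers, at most 100 processes) and the ServerLimit factor of 2.5 are the
# ones in the recipe; the 2.5 is applied in integer arithmetic, rounded up.

mpm_event_settings() {
    numWorkers=$1
    case $numWorkers in
        ''|*[!0-9]*|0) echo "usage: mpm_event_settings <MaxRequestWorkers>" >&2; return 1 ;;
    esac
    if [ "$numWorkers" -lt 1000 ]; then
        numProcesses=10
    elif [ "$numWorkers" -lt 10000 ]; then
        numProcesses=$((numWorkers / 100))
    else
        numProcesses=100
    fi
    numThreads=$((numWorkers / numProcesses))
    serverLimit=$(((numProcesses * 5 + 1) / 2))   # numProcesses * 2.5, rounded up

    cat <<EOF
# MPM event settings for MaxRequestWorkers=$numWorkers
StartServers            1
ServerLimit             $serverLimit
ThreadLimit             $numThreads
ThreadsPerChild         $numThreads
MinSpareThreads         $numThreads
MaxSpareThreads         $((numWorkers / 2))
MaxRequestWorkers       $numWorkers
MaxConnectionsPerChild  0
EOF
}

# Value of a single directive from the generated block (for scripting/checks).
mpm_value() {
    mpm_event_settings "$1" | awk -v d="$2" '$1 == d { print $2 }'
}

if [ $# -ge 1 ]; then
    mpm_event_settings "$1"
fi
```

Two things to watch when applying the output: httpd requires MaxRequestWorkers to be a multiple of ThreadsPerChild and otherwise lowers it to the nearest multiple with a warning in the error log (1234 workers gives 12 processes of 102 threads, so 1224 is what the server actually allows), and ThreadLimit/ServerLimit are only read at startup, so raising them takes a full stop and start rather than a graceful restart.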
Re: [users@httpd] The number of child processes is less than MinSpareThreads.
On Mon, Mar 15, 2021 at 7:14 AM motoda.hiron...@fujitsu.com wrote: > > > This is working as designed, the server checks only once per second to > > see if processes need to be started or killed based on the current > > idle threads. > > Is it okay for the number of child processes to fall below MinSpareThreads in > this environment? > If possible, please tell me the reason. If there are 5 idle threads (e.g. StartServers=MinSpareThreads=5 with ThreadsPerChild=1), when 6 connections/requests arrive and are being handled then there is no idle thread anymore, so httpd has to make 5 new idle threads available (actually 5 children processes with ThreadsPerChild=1) to honor MinSpareThreads=5. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
On Thu, Feb 25, 2021 at 1:44 PM Brian Wolfe wrote: > > Are you sure that you have any MD5 ciphers enabled. Wrong thread? Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier wrote: > > I thought about something like that as cause, but since the client IP is > known from the very first start of the request, before TLS handshake, I > thought it could be evaluated. Yes, but to determine the context in which the request takes place (VirtualHost, directory, location..), the server needs to know the request header, thus negotiate TLS with the user-agent already. Chicken and egg.. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] stickysession and BalancerMember route
On Tue, Feb 16, 2021 at 4:52 PM DICKEY Rob wrote: > > The source code appears to perform basic string comparisons to match the > stickysession token value against the route, but are there character or > length constraints to the route attribute? The route is limited to 64 characters and must be preceded by a special character within the URL/cookie value (default character is '.', though stickysessionsep= might be used to change it). These are the only constraints I'm aware of.. But this means that the backend must set routed URLs/cookies of that form, otherwise some "automatic" routing can be performed like in https://httpd.apache.org/docs/2.4/en/mod/mod_proxy_balancer.html#example (the one using mod_headers). Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
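The route matching the reply describes, as an added example (not httpd code, and not the questioner's): the stickysession value is taken from the URL path parameter first and the Cookie header second, everything after the first separator (default '.') is the route, and that route is compared as a plain string against the BalancerMember route= values. The MEMBERS table and the 64-character limit check are constructed from the post's description; delimiter handling for the path parameter is simplified to '?', '&' and ';'.

```python
"""Sticky-session route extraction and matching (added example)."""
import re
from typing import Dict, Optional

MAX_ROUTE_LEN = 64  # limit stated in the reply

# Constructed balancer: backend URL -> route= attribute of its BalancerMember.
MEMBERS: Dict[str, str] = {
    "http://10.0.0.1:8080": "node1",
    "http://10.0.0.2:8080": "node2",
}


def validate_routes(members: Dict[str, str]) -> None:
    """Reject route= values longer than the limit, as httpd does at config time."""
    for url, route in members.items():
        if not route or len(route) > MAX_ROUTE_LEN:
            raise ValueError(f"route for {url} must be 1..{MAX_ROUTE_LEN} chars")


def sticky_value(path: str, cookie_header: Optional[str], name: str) -> Optional[str]:
    """Raw stickysession value: ';name=value' in the URL path wins, then the cookie."""
    m = re.search(r";" + re.escape(name) + r"=([^?&;]+)", path)
    if m:
        return m.group(1)
    if cookie_header:
        for part in cookie_header.split(";"):
            key, _, value = part.strip().partition("=")
            if key == name and value:
                return value
    return None


def route_of(value: str, sep: str = ".") -> Optional[str]:
    """Everything after the first separator is the route; no separator, no route."""
    _, found, route = value.partition(sep)
    return route if found and route else None


def pick_member(members: Dict[str, str], path: str, cookie_header: Optional[str],
                name: str = "JSESSIONID", sep: str = ".") -> Optional[str]:
    """Backend URL whose route equals the request's route, or None, meaning
    fall back to the lbmethod (what httpd does unless stickysessionforce=on)."""
    value = sticky_value(path, cookie_header, name)
    if value is None:
        return None
    route = route_of(value, sep)
    if route is None:
        return None
    for url, member_route in members.items():
        if member_route == route:  # strcmp-style, case-sensitive comparison
            return url
    return None


validate_routes(MEMBERS)
```

The practical consequence for the backend is visible in route_of: a session id with no separator, or with a route that no BalancerMember declares, yields no sticky match at all, so the request is load-balanced as if it were new.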
Re: [users@httpd] Self built httpd 2.4.43 problems
Hi Gabriele, There have been some fixes to the APR library since 1.5.2, notably on the Solaris apr_pollset_poll() implementation, though I can only think of a bug [1] pertaining to MPM event (not MPM worker which you seem to be using). It could be worth upgrading to a more recent APR-1.6.5 or APR-1.7.0 still. Regards; Yann. [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=61786 On Tue, Feb 9, 2021 at 11:07 AM Gabriele Bulfon wrote: > > Hi, I finally could produce the httpd blocked problem and ran a script to > dump stack of all running processes/threads. > They strangely look all quite the same! I attach here all the httpd threads > dumps, maybe you can help us see why it was blocked? > > Thanks! > Gabriele > > > Sonicle S.r.l. : http://www.sonicle.com > Music: http://www.gabrielebulfon.com > eXoplanets : https://gabrielebulfon.bandcamp.com/album/exoplanets > > > > > -- > > From: Rainer Canavan > To: users@httpd.apache.org > Date: 2 November 2020 17.19.27 CET > Subject: Re: [users@httpd] Self built httpd 2.4.43 problems > > On Mon, Nov 2, 2020 at 4:17 PM Gabriele Bulfon > wrote: > > > > Thanks, I configured and ran server-status after stopping/starting apache. > > Top output is: > > > [...] > > > What should I check? > > Also, when system blocks I won't be able to see server-status, as it will > > be not responding. > > Should I check it daily and look for a specific info that grows? > > "requests currently being processed" would probably increase if > threads are permanently blocked. I would recommend logging this every > few seconds, so that you can at least check after the fact how quickly > the system filled up. > > You should have ExtendedStatus enabled, which should give you a > complete list of all threads and their states. Any that are active > (probably "W", definitively not "." or "_") processing a single > request for extended periods are suspicious, especially if multiple of > the same kind start piling up. 
> > If httpd does not respond to requests anymore, and you have multiple > worker children, you can sometimes get away with killing one and try to > squeeze a status request in there before it gets overrun again. > > Anyway, server-status will only provide rough hints of what's going on. > If it is indeed httpd, you'll probably need gdb backtraces. > > rainer - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] RE: Apache authorization using require dbd-group from SQL Server database
Thanks Kyle. Since this fix resulted in two 2.4 changes actually, it's possibly worth mentioning them to the redhat team, that could help them: - http://svn.apache.org/r1701404 - http://svn.apache.org/r1701405 Regards; Yann. On Mon, Feb 8, 2021 at 5:27 PM Kyle Hansen wrote: > > Good suggestion. Done here (https://bugs.centos.org/view.php?id=18053) for > anyone that may be interested. > > -Original Message----- > From: Yann Ylavic > Sent: Saturday, February 6, 2021 7:31 AM > To: users@httpd.apache.org > Subject: Re: [users@httpd] RE: Apache authorization using require dbd-group > from SQL Server database > > Hi Kyle, > > On Sat, Feb 6, 2021 at 12:21 AM Kyle Hansen > wrote: > > > > After a lot of work, I was able to solve this myself. I updated the > > previously linked Stack Overflow link with the solution, but am copying it > > here for completeness. > > Thanks for the feedback. > > > > > My Apache Version was 2.4.6 but the most recent RHEL Version, > > httpd-2.4.6-97.el7.centos I believe. Looking at the Change Log for > > apache 2.4 (https://www.apachelounge.com/Changelog-2.4.html) most of > > the mod_authz_dbd changes were included in the CentOS version except > > for the one integrated in Apache 2.4.17 entitled > > > > *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions. > >PR 57868. [Jose Kahan < jose w3.org>, Yann Ylavic] > [] > > Unfortunately, my Apache now doesn't have the benefits of RHEL if I go > > this route > > You may want to reach out with the RHEL/centos team to report this bug and > upstream fix to possibly have it included in their httpd-2.4.6-next version. > > Regards; > Yann. > > - > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] RE: Apache authorization using require dbd-group from SQL Server database
Hi Kyle, On Sat, Feb 6, 2021 at 12:21 AM Kyle Hansen wrote: > > After a lot of work, I was able to solve this myself. I updated the > previously linked Stack Overflow link with the solution, but am copying it > here for completeness. Thanks for the feedback. > > My Apache Version was 2.4.6 but the most recent RHEL Version, > httpd-2.4.6-97.el7.centos I believe. Looking at the Change Log for apache 2.4 > (https://www.apachelounge.com/Changelog-2.4.html) most of the mod_authz_dbd > changes were included in the CentOS version except for the one integrated in > Apache 2.4.17 entitled > > *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions. > PR 57868. [Jose Kahan < jose w3.org>, Yann Ylavic] [] > Unfortunately, my Apache now doesn't have the benefits of RHEL if I go this > route You may want to reach out with the RHEL/centos team to report this bug and upstream fix to possibly have it included in their httpd-2.4.6-next version. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] How to troubleshoot/fix DAV errors during SVN checkout
On Thu, Jan 14, 2021 at 2:14 PM Yann Ylavic wrote: > > You could use a "ProxyPass ... ttl=[timeout]" on the proxy with > [timeout] < KeepAliveTimeout on the backend (say the KeepAliveTimeout > on the backend's vhost is 5, try ttl=3 in the proxy's ProxyPass > directive). > By doing this, you avoid the case where the proxy is reusing a > connection that is being closed by the backend at the same time > (because its KeepAliveTimeout expires), the more connections the > greater the risk of this happening.. > > But this is unlikely to fix the errors raised by the backend, because > those seem to happen on well established connections. > I may be missing something though, so this first step could help already.. As a first first-step and before fine tuning like described above though, I'd suggest completely disabling keepalive to see if it helps. So either "ProxyPass ... disablereuse=on" on the proxy or "KeepAlive off" on the backend. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] How to troubleshoot/fix DAV errors during SVN checkout
Hi, On Thu, Jan 14, 2021 at 11:15 AM Bram Mertens wrote: > > Our setup: > Subversion 1.10 on RHEL8 served by httpd 2.4 > Reverse proxy httpd 2.4 on RHEL8 [snip backend errors] > Am I correct to assume that it is the client (or something between the client > and the proxy server) that is breaking the connection? Or is this a problem > on either of the apache servers? The errors on the backend suggest that the connection with the client was aborted (downstream). To determine whether it happens before the reverse proxy or between the proxy and the backend you'd have to capture traffic there (tcpdump/wireshark to look for tcp connections reset) or use "LogLevel trace1" on the proxy (that's the level where client network errors are logged there). > > In the error_log of the proxy server I see errors like: > > [Thu Jan 14 06:42:01.647633 2021] [proxy_http:error] [pid 17204:tid > 140412413015808] (104)Connection reset by peer: [client 192.168.x.y:38940] > AH01102: error reading status line from remote server :443 This may be the symptom of a KeepAliveTimeout mismatch between the proxy and the backend, which can be addressed by using a slightly lower value on the proxy. You could use a "ProxyPass ... ttl=[timeout]" on the proxy with [timeout] < KeepAliveTimeout on the backend (say the KeepAliveTimeout on the backend's vhost is 5, try ttl=3 in the proxy's ProxyPass directive). By doing this, you avoid the case where the proxy is reusing a connection that is being closed by the backend at the same time (because its KeepAliveTimeout expires); the more connections, the greater the risk of this happening.. But this is unlikely to fix the errors raised by the backend, because those seem to happen on well established connections. I may be missing something though, so this first step could help already.. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] mod_lua / mod_proxy: set cookie on the proxied connection
On Fri, Jan 8, 2021 at 10:30 AM Gerry wrote: > > > function proxy_handler(r) > > if r.uri:match("^/local/websocket") then > > r.handler = "proxy-server" > > r.proxyreq = apache2.PROXYREQ_REVERSE > > r.filename = "proxy:wss://192.0.2.1/remote/websocket" I'm not a Lua coder but wouldn't (something like) this here: local cookie_in = r.headers_in['Cookie'] if cookie_in ~= nil then cookie_in = cookie_in .. "; key=value" else cookie_in = "key=value" end r.headers_in['Cookie'] = cookie_in work? > > return apache2.OK > > end > > return apache2.DECLINED > > end Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] APR util slotmem errors.
Hi, These are more questions for the dev@apr.a.o (or dev@httpd) mailing list, though there are APR developers on this list too ;) > > Quick question how does the apr use the shm segments and why does it have a > slotmem error if we use mod_proxy with several balancer name calls and > multiple hosts apache servers on a single dev box? I am really trying to > understand how this code segment below works? So you don't have balancer://url duplicates (anymore) and still slotmem errors? > > shm.c file call? > > #if APR_USE_SHMEM_SHMGET
> 71 static key_t our_ftok(const char *filename)
> 72 {
> 73     /* to help avoid collisions while still using
> 74      * an easily recreated proj_id */
> 75     apr_ssize_t slen = strlen(filename);
> 76     return ftok(filename,
> 77                 (int)apr_hashfunc_default(filename, &slen));
> 78 }
> 79 #endif
This is a wrapper around the system's ftok() function, a thingy needed by the IPC SysV API to create a unique ID from a file path, to be passed to shmget() & co system calls. From the Linux man page:

SYNOPSIS
    key_t ftok(const char *pathname, int proj_id);

DESCRIPTION
    The ftok() function uses the identity of the file named by the given pathname (which must refer to an existing, accessible file) and the least significant 8 bits of proj_id (which must be non-zero) to generate a key_t type System V IPC key, suitable for use with msgget(2), semget(2), or shmget(2). The resulting value is the same for all pathnames that name the same file, when the same value of proj_id is used. The value returned should be different when the (simultaneously existing) files or the project IDs differ.

NOTES
    On some ancient systems, the prototype was: key_t ftok(char *pathname, char proj_id); Today, proj_id is an int, but still only 8 bits are used. Typical usage has an ASCII character proj_id, that is why the behavior is said to be undefined when proj_id is zero. Of course, no guarantee can be given that the resulting key_t is unique.
    Typically, a best-effort attempt combines the given proj_id byte, the lower 16 bits of the inode number, and the lower 8 bits of the device number into a 32-bit result. Collisions may easily happen, for example between files on /dev/hda1 and files on /dev/sda1.

Neat.. the IPC SysV API is horrid (IMHO) :/ Fortunately the APR lib does not expose this proj_id since it has no meaning for the other possible SHM mechanisms (e.g. POSIX). To help with the collision issue, the proj_id is not fixed to a non-zero constant either, but rather hashed from the filename to improve mixing. The apr_hashfunc_default() function used here (djbhash) is not the more collision resistant one. For the POSIX mechanism the APR lib also mixes in an rshash of the filename, for IPC SysV this would be:

static key_t our_ftok(const char *filename)
{
    /* to help avoid collisions while still using
     * an easily recreated proj_id */
    apr_ssize_t flen;
    unsigned int h;

    flen = strlen(filename);
    h = apr_hashfunc_default(filename, &flen);
    h ^= rshash(filename);
    if (h == 0) {
        h = 0xc; /* arbitrary, non-zero */
    }
    return ftok(filename, h);
}

But there have been no issues raised so far for the current IPC SysV implementation. Do you observe collisions for different file names here, by e.g. adding a printf of the filename and hash in the current our_ftok() function? > > APR_PERMS_SET_IMPLEMENT(shm)
> 696 {
> 697 #if APR_USE_SHMEM_SHMGET || APR_USE_SHMEM_SHMGET_ANON
> 698     struct shmid_ds shmbuf;
> 699     int shmid;
> 700     apr_shm_t *m = (apr_shm_t *)theshm;
> 701
> 702     if ((shmid = shmget(m->shmkey, 0, SHM_R | SHM_W)) == -1) {
> 703         return errno;
> 704     }
Here m->shmkey is then the result of our_ftok(filename). Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
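How much of a SHM file name actually reaches the SysV key, as an added example (not APR or httpd code). It re-implements the two pieces discussed above: apr_hashfunc_default() (the times-33 hash whose result becomes ftok()'s proj_id) and the key layout of glibc's ftok() quoted from the man page (inode low 16 bits, device low 8 bits, proj_id low 8 bits). The inode and device numbers are constructed rather than read from a filesystem, and the rshash() mixing from the reply is not included; the point it makes is that only 8 bits of the hashed name survive, so two slotmem files whose inodes share their low 16 bits collide as soon as their names hash to the same low byte.

```python
"""SysV key derivation as APR's our_ftok() does it (added example)."""
from typing import Optional

MASK32 = 0xFFFFFFFF


def apr_hashfunc_default(key: bytes) -> int:
    """APR's default hash: hash = hash * 33 + byte, as a 32-bit unsigned int."""
    h = 0
    for b in key:
        h = (h * 33 + b) & MASK32
    return h


def glibc_ftok(st_ino: int, st_dev: int, proj_id: int) -> int:
    """glibc: key = (ino & 0xffff) | ((dev & 0xff) << 16) | ((proj_id & 0xff) << 24)."""
    return (st_ino & 0xFFFF) | ((st_dev & 0xFF) << 16) | ((proj_id & 0xFF) << 24)


def apr_shm_key(filename: str, st_ino: int, st_dev: int) -> int:
    """our_ftok(): ftok(filename, apr_hashfunc_default(filename)).
    Only the low byte of the 32-bit hash is used by ftok()."""
    proj_id = apr_hashfunc_default(filename.encode()) & 0xFF
    return glibc_ftok(st_ino, st_dev, proj_id)


def find_colliding_name(base: str, st_ino: int, st_dev: int,
                        limit: int = 10000) -> Optional[str]:
    """Search constructed sibling names ("<base>.<n>") on a different inode that
    shares its low 16 bits with st_ino, for one whose key equals base's key."""
    target = apr_shm_key(base, st_ino, st_dev)
    other_ino = st_ino + 0x10000  # differs from st_ino only above bit 15
    for n in range(limit):
        candidate = f"{base}.{n}"
        if apr_shm_key(candidate, other_ino, st_dev) == target:
            return candidate
    return None


if __name__ == "__main__":
    base = "/var/run/httpd/slotmem-shm-p1.shm"  # constructed path
    print(hex(apr_shm_key(base, 0x10001, 0x803)))
    # Same low 16 inode bits, same device, same name: identical key.
    print(apr_shm_key(base, 0x10001, 0x803) == apr_shm_key(base, 0x20001, 0x803))
    print(find_colliding_name(base, 0x10001, 0x803))
```

To check a real system instead of constructed numbers, feed `os.stat(path).st_ino` and `st_dev` of the actual slotmem files into apr_shm_key() and compare the keys with what `ipcs -m` lists; identical keys for two files are the collision the reply asks about.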
Re: [users@httpd] APR_USE_SHMEM_SHMGET 0-1 option.
On Fri, Dec 11, 2020 at 5:43 PM Yann Ylavic wrote: > > On Fri, Dec 11, 2020 at 5:10 PM Wendell Hatcher > wrote: > > > > Hi All, quick question. The APR_USE_SHMEM_SHMGET defined option within > > the shm.c file what does it do exactly and can we set the option to 0 or 1? > > What would the setting of the option to those values effect? > > It's defined (in lib APR) by the ./configure script (autoconf) based > on its availability, and is the default on unix(es) systems (where IPC > SysV shared memories are usually/always implemented). > > This can't be defined explicitly (./configure will overwrite it) but > it's possible to select the POSIX semaphores mechanism instead with > "./configure --enable-posix-shm ...", which is usually a good > alternative "suffering" less from system limits than IPC SysV, since > limits are then the filesystem's maximum number of inodes (as opposed > to SysV's kernel.sem=... settings). s/kernel.sem/kernel.shm*/ for SHMs obviously ;) > > > Regards; > Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] APR_USE_SHMEM_SHMGET 0-1 option.
On Fri, Dec 11, 2020 at 5:10 PM Wendell Hatcher wrote: > > Hi All, quick question. The APR_USE_SHMEM_SHMGET defined option within the > shm.c file what does it do exactly and can we set the option to 0 or 1? What > would the setting of the option to those values effect? It's defined (in lib APR) by the ./configure script (autoconf) based on its availability, and is the default on unix(es) systems (where IPC SysV shared memories are usually/always implemented). This can't be defined explicitly (./configure will overwrite it) but it's possible to select the POSIX semaphores mechanism instead with "./configure --enable-posix-shm ...", which is usually a good alternative "suffering" less from system limits than IPC SysV, since limits are then the filesystem's maximum number of inodes (as opposed to SysV's kernel.sem=... settings). Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Re: GET working but POST failing with error 502
Hi Anton, On Wed, Dec 9, 2020 at 12:00 PM Anton Shepelev wrote: > > > There should be a line like: > > > > ProxyPass ... http://127.0.0.1:3002 ... > > > > or: > > > > > > ... > > ProxyPass http://127.0.0.1:3002 ... > > ... > > > > > > somewhere, and adding disablereuse=on to the end of this > > ProxyPass line would disable connection reuse. > > That ProxyPass setting has come up many times in context of > this error 502, but the catch is that is commented out in > our version of > >apache2\conf\httpd.conf If this log shows up on the httpd side: [proxy_http:error] ... AH01102: error reading status line from remote server 127.0.0.1:3002 it means that there *is* a ProxyPass (or RewriteRule [P]) that configures httpd to do the proxying to 127.0.0.1:3002. If you can't find this piece of configuration you can send me the full "apache2\conf" archive (privately if you prefer). Since Redmine seems to run on port 3001 (not 3002), the fix would be to replace 127.0.0.1:3002 by 127.0.0.1:3001 in the httpd proxy settings.. Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Changing the 'Range' inside the RequestHeader on the fly
On Tue, Dec 8, 2020 at 12:18 PM Ran Mozes wrote: > > RequestHeader edit Range bytes=\s bytes= early I'm surprised this one doesn't work though. Could it be that there are multiple spaces, or a space before the '=' sign too? I.e. doesn't: RequestHeader edit* Range ((\s+=)|(=\s+)) = early work better? Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Changing the 'Range' inside the RequestHeader on the fly
On Tue, Dec 8, 2020 at 12:18 PM Ran Mozes wrote: > > > http_request.c(440): [client 10.xxx.xxx.xx:x] Range: bytes= > 7168-414976430 > > Looks like this causes to fail serve the request. Which error exactly does the log show ? Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Re: GET working but POST failing with error 502
On Mon, Dec 7, 2020 at 5:55 PM Anton Shepelev wrote: > > All POST requests fail: when I either repeat the same > request over and over, or try different requests. All GET > requests work. This sounds like a crash or something which causes Redmine to close the connection upon receipt of the POST request (without any response). > > > If some requests succeed, it may be a problem of > > connection reuse between Redmine (running on 127.0.0.1) > > and the httpd proxy (configured to forward the requests to > > localhost). > > I should still like to sound that possibility. Can you please > explain to the Apache dummy that I am how to reconfigure > either httpd or Redmine hosting to avoid that collision? I don't know what a "Bitnami Redmine stack" httpd configuration looks like unfortunately. There should be a line like: ProxyPass ... http://127.0.0.1:3002 ... or: ... ProxyPass http://127.0.0.1:3002 ... ... somewhere, and adding disablereuse=on to the end of this ProxyPass line would disable connection reuse. If that changes nothing, something is happening in the Redmine application which httpd really can't know about.. If Redmine crashed (which could explain why there are no logs on its side), you should see something like "child pid exit signal..." in one of the log files. Possibly you could ask on Bitnami forums how to get more traces from Redmine. Hth, Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] slotmem error still occuring after updating to Apache 2.4.43 APR 1.7.0
On Mon, Dec 7, 2020 at 6:33 PM Wendell Hatcher wrote: > > Yann, quick question would it be ok to have a cronjob running daily maybe at > slow periods that runs a script to delete the semaphore segments using a > script while apache is running? It shouldn't cause issues with the apache > server processing data correct? I think that the error is about shared memories (SHM), not semaphores (your httpd -V output shows "-D APR_USE_PROC_PTHREAD_SERIALIZE" which indicates the use of pthread global mutexes, not backed by a system descriptor/inode, so nothing to cleanup really). The SHMs usually do have a descriptor or inode to delete somewhere on your system, but I don't think it's safe to do so while httpd is running. By the way, you didn't tell which SHM mechanism was used by the APR library on your system (which system? httpd/APR compiled manually? SysV, POSIX or other SHM mechanism? Where do your SHMs land on the filesystem?). It is not shown by httpd -V unfortunately (I added it to trunk lately, but it's not in any 2.4 version yet). > Secondly, we want to run a script during our apache stop process that will > delete the files from the shm folder; we are hoping this will reschedule le > our hanging apache servers during stops and starts with a slotmem error. I'm not sure to understand this, deleting the SHMs could avoid conflicts temporarily but as soon as all the httpd instances are started again, the conflicts will show up again if they exist in the configuration files. One particular thing to look at are the URLs used in declarations, in all the instances. Each balancer should have a unique [id], system wide, because a SHM will be created (system wide) based on this [id]. This is usually not an issue with a single httpd instance where uniqueness makes sense and balancer1,..,n is simply/often used, but when this first instance gets copied to create others then it breaks.. 
You can use almost anything as [id], provided it's unique and the same [id] is used in the associated ProxyPass. It can be a UUID for example, a tool like `uuidgen` can generate one when a new balancer needs to be added. Hth, Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Re: GET working but POST failing with error 502
On Mon, Dec 7, 2020 at 1:39 PM Anton Shepelev wrote: > > I wrote: > > > The problem is that Redmine's REST API works for reading > > but not for writing, that is the GET command works whereas > > the POST command fails with error 502 > > Even with the most detailed logging, the failed POST > requests do not appear in the Redmine log, whereas > successful GET request are all there. Does that mean POST > requests are lost before they even reach Redmine? If so, it > may be a problem on the level of Apache or network. We > access our test Remine locally, via 127.0.0.1 . Do all the POST requests fail or only some of them? If some requests succeed, it may be a problem of connection reuse between Redmine (running on 127.0.0.1) and the httpd proxy (configured to forward the requests to localhost). Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] slotmem error still occuring after updating to Apache 2.4.43 APR 1.7.0
The logs from mod_slotmem_shm are the most interesting, so "LogLevel slotmem_shm:debug" should be enough (to limit debug logging to this module). This should show which shared memories paths (i.e. .../slotmem-shm-*.shm) are created/reused/attached by which instance, and figure out what kind of duplicates there may be.. On Sun, Dec 6, 2020 at 8:21 PM Wendell Hatcher wrote: > > Let me gather this information from one of our servers next week. I will > provide a little more background information tomorrow as well. > > On Sat, Dec 5, 2020, 7:08 PM Yann Ylavic wrote: >> >> On Fri, Dec 4, 2020 at 7:45 PM Wendell Hatcher >> wrote: >> > >> > This has nothing to do with underlying SHM stuff and everything to do with >> > how multiple balancers, global and outside of virtual hosts, are >> > initialized and sometimes persisted. This was changed greatly in >> > 2.4.29.You should find the minimal set of balancers that reproduces the >> > error and It is likely related to duplicate virtual hosts or duplicate >> > proxy "workers". >> >> Could you please provide the full error_log (with LogLevel debug) of >> the httpd startup failure? >> If there are multiple instances (and potential duplicates), the >> error_log of all the instances may help too (with LogLevel debug, >> still). >> >> Regards; >> Yann. >> >> - >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org >> - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] slotmem error still occuring after updating to Apache 2.4.43 APR 1.7.0
On Fri, Dec 4, 2020 at 7:45 PM Wendell Hatcher wrote: > > This has nothing to do with underlying SHM stuff and everything to do with > how multiple balancers, global and outside of virtual hosts, are initialized > and sometimes persisted. This was changed greatly in 2.4.29.You should find > the minimal set of balancers that reproduces the error and It is likely > related to duplicate virtual hosts or duplicate proxy "workers". Could you please provide the full error_log (with LogLevel debug) of the httpd startup failure? If there are multiple instances (and potential duplicates), the error_log of all the instances may help too (with LogLevel debug, still). Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Sending client's IP address to local proxied application server.
On Fri, Oct 30, 2020 at 9:04 PM Mike Diehl wrote: > > Well, I added this to the vhost definition: > > ProxyPreserveHost On > RemoteIPHeader X-Forwarded-For > > Now I'm getting the web server's outside IP address as the value of the > x-forwarded-for header. This is progress, but not quite what I need. I need > the original client's IP address before the request gets proxied to my > application server. > > Any other ideas? You need to tell the proxy itself to add the X-Forwarded-* headers, using ProxyAddHeaders ([1]). So your section could be something like:

    ProxyPass "http://127.0.0.1:8080/apps/"
    ProxyAddHeaders on

Regards; Yann. [1] https://httpd.apache.org/docs/2.4/en/mod/mod_proxy.html#proxyaddheaders - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Apache memory usage
On Fri, Jun 19, 2020 at 4:20 PM Yann Ylavic wrote: > > On Thu, Jun 18, 2020 at 8:03 PM Danny Mallory wrote: > > > > Anyone here know a good way to tell what Apache may be chewing up memory on? > > Do you have MaxMemFree configured already > (https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxmemfree)? > If not, does "MaxMemFree 2048" (for instance) help? Nevermind, MaxMemFree 2048 is already the default so it's likely not the issue. Which modules do you load? - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Apache memory usage
On Thu, Jun 18, 2020 at 8:03 PM Danny Mallory wrote: > > Anyone here know a good way to tell what Apache may be chewing up memory on? Do you have MaxMemFree configured already (https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxmemfree)? If not, does "MaxMemFree 2048" (for instance) help? Regards; Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Tomcat 9 doesnt load ECDSA keystore
Hi Madhan, wrong list, consider asking on us...@tomcat.apache.org instead. Regards; Yann. On Wed, Jun 3, 2020 at 3:07 AM Madhan Raj wrote: > > Hi all, > > this is my connector tag > scheme="https" secure="true" > protocol="org.apache.coyote.http11.Http11NioProtocol" > sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" > disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" > minSpareThreads="25"> > sessionTimeout="1800" protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3" > ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA" > sessionCacheSize="1"> > certificateKeystoreFile="/usr/local/platform/.security/tomcat-ECDSA/certs/tomcat-ECDSA.keystore" > certificateKeystorePassword="8o8yeAH2qSJbJ2sn" > certificateKeystoreType="PKCS12" type="EC"/> > > > > > it doesn't load my EC keystore whereas it works with RSA . Any insights > please . > > Thanks, > Madhan - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] RewriteRules with ajp and secret
Hi Christian, On Mon, May 18, 2020 at 11:52 AM wrote: > > But there are several context based RewriteRules like this: > > RewriteRule (.*) ajp://IP:PORT$1 [QSA,P,L] > > I haven't found any solution to get secret parameter passed in RewriteRules. You need a Proxy directive (provided by mod_proxy) to define a proxy entity/URL (called proxy worker) on which you can associate parameters (like "secret"). A RewriteRule [P] won't let you do that; without an associated mod_proxy declaration, the above RewriteRule will use a generic reverse proxy with no parameter, no connection reuse etc.. The usual way to declare a proxy worker, and its parameters, without any particular path mapping is:

<Proxy ajp://IP:PORT>
    ProxySet secret=my_secret
</Proxy>

Then "ajp://IP:PORT" can be mapped to any path with either a ProxyPass or a RewriteRule [P] like you did. Hth, Yann. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] What is a request for dash ("-")?
Hi, On Sun, Apr 26, 2020 at 3:43 AM Jeffrey Walton wrote: > > What is this request I see in the logs: > > 186.222.62.229 - - [25/Apr/2020:21:35:18 -0400] "-" 408 - > 186.222.62.229 - - [25/Apr/2020:21:35:18 -0400] "-" 408 - If you are using the default LogFormat (i.e. "common"), the "-" here is the request line ("%r" format). A dash means not available (n/a), and 408 means timeout (request line not received within the configured Timeout). > > The reason I ask is, we have a MediaWiki attached to Apache. It gets > quite a bit of spam attempts. If it is not a legitimate request, then > I'd like to ban the host. I suspect it is some kind of probe, but I'd > like to know for sure before I take action. I don't think you should ban users for a timeout; while it can be malicious (a try to exhaust resources on your server), it's more likely a network issue (anywhere between the user and your server). In any case it's not spam, you'd need some kind of content analysis to detect spam, but here there is no content to look at. If there is a need to limit resource usage caused by timeouts or (maliciously-)slow clients, you should have a look at AcceptFilter ([1]) and/or mod_reqtimeout ([2]). Regards, Yann. [1] https://httpd.apache.org/docs/2.4/mod/core.html#acceptfilter [2] https://httpd.apache.org/docs/2.4/en/mod/mod_reqtimeout.html - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
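A parser for the "common" LogFormat entries discussed above, as an added example (not part of the original thread). The log lines are constructed, using RFC 5737 documentation addresses. An entry whose %r is "-" with status 408 is a connection on which no request line arrived before Timeout expired; the code keeps those apart from real requests so that per-host counts used to decide on bans are not driven by timeouts alone, which is the reply's advice. Embedded \" in request lines is a simplification not handled here.

```python
"""Separate request-line timeouts from real requests in a common-format log."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

COMMON_LOG = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

SAMPLE_LINES: List[str] = [  # constructed sample, not real traffic
    '198.51.100.7 - - [25/Apr/2020:21:35:18 -0400] "-" 408 -',
    '198.51.100.7 - - [25/Apr/2020:21:35:18 -0400] "-" 408 -',
    '203.0.113.9 - - [25/Apr/2020:21:36:02 -0400] "GET /wiki/Main_Page HTTP/1.1" 200 5123',
    '203.0.113.9 - - [25/Apr/2020:21:36:05 -0400] "POST /wiki/index.php?title=Spam HTTP/1.1" 403 199',
    'this line is not in common format',
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One common-format entry as a dict, or None if the line does not parse."""
    m = COMMON_LOG.match(line)
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["status"] = int(m.group("status"))
    entry["size"] = None if m.group("size") == "-" else int(m.group("size"))
    return entry


def is_request_timeout(entry: Dict[str, object]) -> bool:
    """'-' as %r plus 408: no request line arrived within Timeout."""
    return entry["request"] == "-" and entry["status"] == 408


def summarize(lines: List[str]) -> Tuple[Counter, Counter]:
    """Per-host counts of request-line timeouts and of real requests."""
    timeouts: Counter = Counter()
    requests: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: not counted against anyone
        bucket = timeouts if is_request_timeout(entry) else requests
        bucket[str(entry["host"])] += 1
    return timeouts, requests


if __name__ == "__main__":
    t, r = summarize(SAMPLE_LINES)
    for host in sorted(set(t) | set(r)):
        print(f"{host}: {t[host]} timeouts, {r[host]} requests")
```

Hosts that show up only in the timeouts counter have sent no content at all; if they become numerous, the reply's pointers (AcceptFilter, mod_reqtimeout) limit what such connections can cost without banning anyone on the basis of an empty request line.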
Re: [users@httpd] What search permissions are missing from where?
On Sun, Apr 26, 2020 at 6:17 AM Jeffrey Walton wrote:
>
> As far as I can tell, the search permissions are present. Apache has
> access to the file:
>
> # ls -Al /var
> ...
> drwxr-xr-x. 4 root apache 33 Apr 26 00:00 www
> # ls -Al /var/www/
> ...
> drwxr-xr-x. 2 root apache 24 Apr 21 11:20 html
> # ls -Al /var/www/html
> -rw-r--r--. 1 root apache 104 Apr 21 11:20 index.html
>
> How do I find out what search permissions are missing from which
> directory or directories?

Probably selinux ones, adding -Z to the `ls` command could help.
IIRC, on RHEL/centos, you need selinux context "httpd_sys_content_t" for read access, the `chcon` command may be your friend here.

Regards,
Yann.
Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip
On Sat, Apr 25, 2020 at 1:24 PM baptx wrote:
>
> @Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} !=
> %{CONN_REMOTE_ADDR}":
> I want to restrict access on some virtualhosts only because I want to use
> some domain names without Cloudflare.
> It looks like your previous solution with mod_rewrite is better in my case,
> since Require does not work in virtualhosts (I got the error: "Require not
> allowed in context").

Ah yes, correct, it should be enclosed in a location like:

    ...
    RemoteIP...
    Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
    ...

>>>
>>> Thanks Yann, it worked.

Great!

Regards,
Yann.
Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip
On Sat, Apr 25, 2020 at 12:24 AM Yann Ylavic wrote:
>
> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic wrote:
> >
> > Hi,
> >
> > On Fri, Apr 24, 2020 at 10:49 PM bapt x wrote:
> > >
> > > Is there a way to have the same functionality as the directive
> > > DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > > I would like to block access to users who try to bypass Cloudflare
> > > reverse proxy (e.g. accessing my web server directly by guessing the IP
> > > address). It looks like iptables is not a solution since I still want to
> > > host some websites without Cloudflare.
> >
> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:
> >
> > RemoteIPHeader CF-Connecting-IP
> > RemoteIPTrustedProxyList /path/to/proxies.list
> > RewriteEngine on
> > RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>
> Err, this should be:
> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
> because mod_remoteip will change REMOTE_ADDR (to the value of the
> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy..
>
> > RewriteRule ^ - [F]
> >
> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).

Actually, if this works, a simpler way to do it (with the core authorization mechanism) is:

RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxyList /path/to/proxies.list
Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"

> >
> > Hth,
> > Yann.
> >
> > [1]
> > https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip
On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic wrote:
>
> Hi,
>
> On Fri, Apr 24, 2020 at 10:49 PM bapt x wrote:
> >
> > Is there a way to have the same functionality as the directive
> > DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > I would like to block access to users who try to bypass Cloudflare reverse
> > proxy (e.g. accessing my web server directly by guessing the IP address).
> > It looks like iptables is not a solution since I still want to host some
> > websites without Cloudflare.
>
> I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:
>
> RemoteIPHeader CF-Connecting-IP
> RemoteIPTrustedProxyList /path/to/proxies.list
> RewriteEngine on
> RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"

Err, this should be:
RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
because mod_remoteip will change REMOTE_ADDR (to the value of the header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both are equal it means that CONN_REMOTE_ADDR is not a trusted proxy..

> RewriteRule ^ - [F]
>
> With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>
> Hth,
> Yann.
>
> [1]
> https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip
Hi,

On Fri, Apr 24, 2020 at 10:49 PM bapt x wrote:
>
> Is there a way to have the same functionality as the directive
> DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> I would like to block access to users who try to bypass Cloudflare reverse
> proxy (e.g. accessing my web server directly by guessing the IP address). It
> looks like iptables is not a solution since I still want to host some
> websites without Cloudflare.

I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:

RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxyList /path/to/proxies.list
RewriteEngine on
RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
RewriteRule ^ - [F]

With "proxies.list" containing the same list as mod_cloudflare's ([1]).

Hth,
Yann.

[1] https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
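The trust check this thread works out (REMOTE_ADDR only diverges from CONN_REMOTE_ADDR when a trusted proxy supplied the header, hence "==" with [F] in the RewriteCond form and "!=" in the Require form), written out as an added Python model. It is not mod_remoteip's code nor anything posted on the list; the trusted ranges are constructed placeholders for /path/to/proxies.list and the model handles a single header value only.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for /path/to/proxies.list (RFC 5737/3849 test ranges,
# not Cloudflare's real ones).
TRUSTED_PROXIES = [ipaddress.ip_network(c)
                   for c in ("203.0.113.0/24", "2001:db8:cf::/48")]


def is_trusted_proxy(conn_remote_addr: str) -> bool:
    """RemoteIPTrustedProxyList check on the TCP peer (CONN_REMOTE_ADDR)."""
    peer = ipaddress.ip_address(conn_remote_addr)
    return any(peer in net for net in TRUSTED_PROXIES)


def effective_remote_addr(conn_remote_addr: str,
                          cf_connecting_ip: Optional[str]) -> str:
    """Simplified mod_remoteip: REMOTE_ADDR takes the RemoteIPHeader value only
    when the peer is a trusted proxy and the header holds a valid address;
    otherwise it stays equal to CONN_REMOTE_ADDR, so a header sent by a client
    connecting directly (spoofed or not) is simply ignored."""
    if cf_connecting_ip and is_trusted_proxy(conn_remote_addr):
        try:
            return str(ipaddress.ip_address(cf_connecting_ip.strip()))
        except ValueError:
            pass  # malformed header value: treated as absent
    return conn_remote_addr


def cloudflare_only(conn_remote_addr: str,
                    cf_connecting_ip: Optional[str]) -> bool:
    """Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}": allow only when
    mod_remoteip actually rewrote the client address, i.e. the request came
    through a trusted proxy. The RewriteCond form tests == and answers [F]."""
    return effective_remote_addr(conn_remote_addr, cf_connecting_ip) != conn_remote_addr
```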
Re: [users@httpd] Access from Internet to web app
Hi Serge,

On Mon, Apr 20, 2020 at 6:43 PM wrote:
>
> I need to access to a web app from the local network and from
> internet (GLPI)

Not sure what "GLPI" internet means.

>
> The current configuration is :

Is that the complete configuration? For instance I don't see some configuration which is the entry point in Apache httpd for serving content from a listening IP address. Access from both local network or internet is done on different IP addresses (and/or DNS names) I suppose, right?

>
> With this setup, the site is not available from Internet. How
> to do ?
>
> And I can access it about 10 minutes from local machine and
> after an error message appears : « A link to the SQL server could not be
> establied. Please check your configuration »

This looks like the application needs an access to a database, something httpd can do nothing about I'm afraid.

>
> I don’t understand and I don’t know what to do ?

To start with httpd, there is:
https://httpd.apache.org/docs/2.4/getting-started.html

I can't really suggest something more precise without knowing about your needs and environment...

Regards,
Yann.
Re: [users@httpd] RE: LDAP SASL support in Apache configuration
On Wed, Apr 22, 2020 at 1:11 PM Eric Covener wrote:
>
> On Wed, Apr 22, 2020 at 3:28 AM Rathore, Rajendra wrote:
> >
> > Hi Team,
> >
> > Can you please provide me any document or module which we can use to
> > support LDAP SASL(ADS) with Apache httpd server.
>
> There's a large patch somewhere in bugzilla.

I see two PRs in my mail archive:
https://bz.apache.org/bugzilla/show_bug.cgi?id=51757
https://bz.apache.org/bugzilla/show_bug.cgi?id=55178

Hth..

Regards,
Yann.
Re: [users@httpd] mod_cgi not passing headers for authentication
On Tue, Mar 10, 2020 at 2:46 AM Roderick wrote:
>
> Excuse me the question: does httpd obtain REMOTE_USER by parsing
> the AUTHORIZATION header?

Yes, that's where it's available for basic auth, so mod_auth_basic will do this:
https://github.com/winlibs/apache/blob/master/2.4.x/modules/aaa/mod_auth_basic.c#L139
(i.e. anything up to the first ':' after base64 decoding).

> The same with AUTH_TYPE?

Same, set to "basic" by mod_auth_basic when doing auth by itself.

Regards,
Yann.