Hi Andres,
I saw your post about Hiawatha in OpenBSD. I'd like to respond to the
remarks about "Hiawatha's source code is free of security-bugs" on the
Hiawatha website.
First of all, you have to take a look at the webserver market. You use
Apache, IIS, Lighttpd or you don'
On Dec 3, 2007 10:53 PM, Damien Miller <[EMAIL PROTECTED]> wrote:
> Secondly, I don't think anyone in OpenBSD would display as much hubris
> as this claim on the Hiawatha home page: "Hiawatha's source code is
> free of security-bugs".
Heh, OK.
On Mon, Dec 03, 2007 at 09:20:39PM -0500, STeve Andre' wrote:
> On Monday 03 December 2007 20:53:31 Damien Miller wrote:
> > On Mon, 3 Dec 2007, Andris wrote:
> > > I was reading about Hiawatha security features, and seems like a
> > > perfect fit for OpenBSD goals. I'd volunteer to talk to Hugo L
On Monday 03 December 2007 20:53:31 Damien Miller wrote:
> On Mon, 3 Dec 2007, Andris wrote:
> > I was reading about Hiawatha security features, and seems like a
> > perfect fit for OpenBSD goals. I'd volunteer to talk to Hugo Leisink
> > (the developer) and see if the code could be relicensed if t
On Mon, 3 Dec 2007, Andris wrote:
> I was reading about Hiawatha security features, and seems like a
> perfect fit for OpenBSD goals. I'd volunteer to talk to Hugo Leisink
> (the developer) and see if the code could be relicensed if the project
> has interest in it. IMHO, replacing forked software
I was reading about Hiawatha security features, and seems like a
perfect fit for OpenBSD goals. I'd volunteer to talk to Hugo Leisink
(the developer) and see if the code could be relicensed if the project
has interest in it. IMHO, replacing forked software with actively
developed one is a good idea
On Mon, 19 Nov 2007 21:45:54 +1000
David Gwynne <[EMAIL PROTECTED]> wrote:
> Hi,
>
> are you trying to use the subversion port, are you trying to roll
> your own?
>
Home-rolled. I started out with the package, but found it was for
Apache 2.2, but since the layout in
dav_svn and mod_authz_svn with apache
2.0.xx
and find that they have been moved into the ap2-subversion-1.4.4
package that
requires apache 2.2. When I go to the ports tree there is nothing
equivalent
to this module.
Does anyone know what is going on? Is subversion under apache 2.0
no longer suppo
On Mon, 12 Nov 2007 20:49:08 -0600
Duncan Patton a Campbell <[EMAIL PROTECTED]> wrote:
> Howdy?
>
> I'm trying to install mod_dav_svn and mod_authz_svn with apache 2.0.xx
> and find that they have been moved into the ap2-subversion-1.4.4 package that
> requires apa
Howdy?
I'm trying to install mod_dav_svn and mod_authz_svn with apache 2.0.xx
and find that they have been moved into the ap2-subversion-1.4.4 package that
requires apache 2.2. When I go to the ports tree there is nothing equivalent
to this module.
Does anyone know what is going on
On Tue, Nov 06, 2007 at 08:41:08PM +1100, Chris wrote:
> On 11/6/07, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
> > I'd like a copy of your /etc/mailer.conf file. Probably it trips a bug
> > in mailwrapper.
>
> Thanks. I had a look in my /etc/mailer.conf and it read -
>
> /usr/local/sbin/postfix-e
On 11/6/07, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
> I'd like a copy of your /etc/mailer.conf file. Probably it trips a bug
> in mailwrapper.
Thanks. I had a look in my /etc/mailer.conf and it read -
/usr/local/sbin/postfix-enable, which I changed to the following
(exactly as my 4.1 box) -
sen
On 11/6/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> Are you sure your newaliases point to the right place?
>
> Is there is soft link or something may be on your newaliases command.
> Which one are you using, the standard one, or the postfix one?
Thanks.
I have already removed postfix (pkg_del
On Tue, Nov 06, 2007 at 06:58:59PM +1100, Chris wrote:
> On 11/6/07, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
> > You should also restore /etc/pwd.db and /etc/spwd.db, or recreate them
> > using pwd_mkdb(8).
>
> Thanks. Restoring these two files resolved the issue. Ap
Chris wrote:
However, typing newaliases still gives the mailwrapper.core
segmentation fault core dumped error. I have had postfix installed
which I removed (pkg_delete) after the upgrade. Could this be the
cause of this problem? I manually deleted the _postfix user/group
after I restored the pass
On 11/6/07, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
> You should also restore /etc/pwd.db and /etc/spwd.db, or recreate them
> using pwd_mkdb(8).
Thanks. Restoring these two files resolved the issue. Apache is now
starting fine.
However, typing newaliases still gives the mail
On Tue, Nov 06, 2007 at 05:11:29PM +1100, Chris wrote:
> On 11/6/07, Nick Holland <[EMAIL PROTECTED]> wrote:
> > Chris wrote:
> > there SHOULD be a user "nobody".
> > There always has been (at least, since 1995). Take a look in cvsweb,
> > or better yet, check your backups.
> > Something deleted
On 11/6/07, Nick Holland <[EMAIL PROTECTED]> wrote:
> Chris wrote:
> there SHOULD be a user "nobody".
> There always has been (at least, since 1995). Take a look in cvsweb,
> or better yet, check your backups.
> Something deleted it. That's not good.
You are right. I accidentally installed the "
Chris wrote:
> I just upgraded from 4.1-current to 4.2-current on i386. Apache failed
> to start saying "bad username nobody". There is no mention of user
> "nobody" in /etc/passwd or httpd.conf file. The user/group apache
> starts as is www and both of them
I just upgraded from 4.1-current to 4.2-current on i386. Apache failed
to start saying "bad username nobody". There is no mention of user
"nobody" in /etc/passwd or httpd.conf file. The user/group apache
starts as is www and both of them exist in /etc/group, passwd file.
Apa
ttings, so it'll be (obviously) a security
worry, for example, if you have some Auth options, a normal user can
override these directories settings.
Hope helped,
Celso.
2007/9/14, Jacob Yocom-Piatt <[EMAIL PROTECTED]>:
>
> have a few apache config settings that are needed in a
On Fri, Sep 14, 2007 at 07:10:22PM -0500, Jacob Yocom-Piatt wrote:
> have a few apache config settings that are needed in an .htaccess file,
> such as SetEnvIf, RewriteEngine, RewriteBase and RewriteRule. by having
> "AllowOverride All" for the Directory corresponding to whe
have a few apache config settings that are needed in an .htaccess file,
such as SetEnvIf, RewriteEngine, RewriteBase and RewriteRule. by having
"AllowOverride All" for the Directory corresponding to where the
.htaccess file resides one can have these additional settings in the
.hta
Stuart Henderson wrote:
On 2007/09/05 17:57, Johan L wrote:
We are trying to get the PHP exec() function to work in a chrooted Apache
environment (4.1-stable MP ACPI enabled, PHP 5.1.6).
could be wrong, but iirc it needs /bin/sh
Yep, copy /bin/sh to /var/www/bin made it all work. Now both
On 9/5/07, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
> On Wed, 5 Sep 2007, Johan L wrote:
> >
> > Any suggestion on how to solve this (other than disabling chroot of
> > course...)?
> >
> > /Johan
>
> depending on how you invoke the executable, you might need /bin/sh as
> well in the chroot. Please
On Wed, 5 Sep 2007, Johan L wrote:
> Hi,
>
> We are trying to get the PHP exec() function to work in a chrooted Apache
> environment (4.1-stable MP ACPI enabled, PHP 5.1.6).
>
> Even if using a static binary (for example date) in the chrooted directory,
> exec just returns
Hi,
We are trying to get the PHP exec() function to work in a chrooted
Apache environment (4.1-stable MP ACPI enabled, PHP 5.1.6).
Even if using a static binary (for example date) in the chrooted
directory, exec just returns 127.
Everything works fine when running chroot from the command
I've been seeing this since OpenBSD 3.4 with Uebimiau php webmail and
sometimes httpd stops working, restarting is needed.
- Original Message -
From: "Joachim Schipper" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, July 11, 2007 10:28 AM
Subject: Re: apache + php
On We
Joachim Schipper wrote:
On Wed, Jul 11, 2007 at 12:56:27PM +0200, Marc Balmer wrote:
Otto Moerbeek wrote:
On Wed, 11 Jul 2007, Adam PAPAI wrote:
The system hangs after 1 day. It's a very strongly loaded system. Any idea
why? It seems that the system does not really handle the http requests
we
On Wed, Jul 11, 2007 at 12:56:27PM +0200, Marc Balmer wrote:
> Otto Moerbeek wrote:
> >On Wed, 11 Jul 2007, Adam PAPAI wrote:
> >>The system hangs after 1 day. It's a very strongly loaded system. Any idea
> >>why? It seems that the system does not really handle the http requests
> >>well.
> >>
> >
Otto Moerbeek wrote:
On Wed, 11 Jul 2007, Adam PAPAI wrote:
Hello,
I have the following problem with the php and the httpd.
We have a bit-modified kernel:
in /usr/src/sys/arch/i386/conf/GENERIC we changed the
maxusers256
unaame -a
OpenBSD arsenic.digitalinfluence.hu 4.1 GENERIC.MP#1 i38
On Wed, 11 Jul 2007, Adam PAPAI wrote:
> Hello,
>
> I have the following problem with the php and the httpd.
> We have a bit-modified kernel:
>
> in /usr/src/sys/arch/i386/conf/GENERIC we changed the
> maxusers256
>
>
> unaame -a
> OpenBSD arsenic.digitalinfluence.hu 4.1 GENERIC.MP#1 i386
Hello,
I have the following problem with the php and the httpd.
We have a bit-modified kernel:
in /usr/src/sys/arch/i386/conf/GENERIC we changed the
maxusers256
unaame -a
OpenBSD arsenic.digitalinfluence.hu 4.1 GENERIC.MP#1 i386
The system hangs after 1 day. It's a very strongly loaded s
On 6/16/07, Mackan <[EMAIL PROTECTED]> wrote:
Hi list!
How do you guys restart apache (apachectl stop / start) without
having all the current shell variables show up in phpinfo() that
is exported in the shell?
Mackan
On Jun 16, 2007, at 1:59 PM, Almir Karic wrote:
env -i is your
* Mackan <[EMAIL PROTECTED]> [2007-06-16 13:57]:
> Hi list!
>
> How do you guys restart apache (apachectl stop / start) without
> having all the current shell variables show up in phpinfo() that
> is exported in the shell?
env - apachectl restart
?
--
Henning Brauer, [EMA
env -i is your friend.
On 6/16/07, Mackan <[EMAIL PROTECTED]> wrote:
Hi list!
How do you guys restart apache (apachectl stop / start) without
having all the current shell variables show up in phpinfo() that
is exported in the shell?
Mackan
--
almir
Hi list!
How do you guys restart apache (apachectl stop / start) without
having all the current shell variables show up in phpinfo() that
is exported in the shell?
Mackan
I want to change/lessen the number of default modules built with apache
and would prefer to not have to recompile apache, separate from the rest
of the userland, every time i update/upgrade my system.
I'm currently running 4.1 and am running the stock install of apache
which "
chrooted apache, but on FreeBSD + apache 2.x it works
well for me.
I am rather inexperienced in this field so any advice is highly appreciated!
(including other relatively safe php4+php5 methods that might work on
OpenBSD)
both lighttpd and apache allow you to have both php4 and php5 side by
side. in apache one has to be a FCGI process the other can be
Matt wrote:
...
> So I am trying to have another instance of the OpenBSD version of Apache
> 1.3 - chrooted and all.
>
> I *think* it can be done by downloading src.tar.gz and compile it again
> from there with instructions so it does not overwrite the existing httpd.
> Just
running php.
So I am trying to have another instance of the OpenBSD version of Apache
1.3 - chrooted and all.
I *think* it can be done by downloading src.tar.gz and compile it again
from there with instructions so it does not overwrite the existing httpd.
Just changing the /usr/src/usr.sbin/httpd
Hi folks,
It's possible that ports@ would be a better place for this, but since there
is a possibility that Apache (base install) is involved, I thought I'd try
here first. (I've also discussed this with Joachim on the misc newsgroup.
Thanks, Joachim.)
I recently upgraded my home
On 3/28/07, Dan Brosemer <[EMAIL PROTECTED]> wrote:
>
> On Wed, Mar 28, 2007 at 12:20:53PM -0700, christian johansson wrote:
>
> Some people on this list speak highly of pound. I haven't used it myself
> yet.
>
> I like haproxy. I've run it in an 80,000 (mod_perl-generated) page per
> hour
> situ
up redundant httpd loadbalancing to these 3 machines from the
> openbsd machines.
>
> I know PF can do simple round-robin balancing to these machines, but I want
> something that can take the load of the apache running machines into
> consideration and shape the traffic sent to them according
On Wed, Mar 28, 2007 at 12:20:53PM -0700, christian johansson wrote:
> I know PF can do simple round-robin balancing to these machines, but I want
> something that can take the load of the apache running machines into
> consideration and shape the traffic sent to them accordingly.
>
>
round-robin balancing to these machines, but I want
something that can take the load of the apache running machines into
consideration and shape the traffic sent to them accordingly.
Would it be a good idea to use apaches own loadbalancing module, the
mod_proxy_balance, and run instances of apache
Hi list,
Please Cc: me in your reply, I'm not subscribed. Thanks.
I've already sent this to Apache users' ML and was redirected here
because it appears OpenBSD's httpd(8) is more or less heavily
patched. According to them, this problem would not occur with
a classical Apa
Hi all,
I've seen this problem crop up before with other people, but can someone
please explain to me why compiling apache with the "mpm=worker"
directive (i.e threads) does not work as expected on OpenBSD ? (3.6, 3.9
& 4.0)
Initial connections to the server seem t
At 02:45 AM 3/9/2007 +0800, First Last wrote:
I have apache 1.3 setup to execute cgis (perl).
But I'm having a problem getting the cgis
to execute while apache is chrooted. If
I disable chroot (httpd -d) the cgis execute
just fine, but they won't run while
chrooted (500 internal se
On Fri, Mar 09, 2007 at 02:45:13AM +0800, First Last wrote:
> But, if I follow the openbsd faq to see
> what dependencies my cgi needs to run in
> the chrooted environment I get this:
>
> ldd hellowworld.cgi
> helloworld.cgi:
> ldd: helloworld: not an ELF executable
You'll need perl and its depen
I have apache 1.3 setup to execute cgis (perl).
But I'm having a problem getting the cgis
to execute while apache is chrooted. If
I disable chroot (httpd -d) the cgis execute
just fine, but they won't run while
chrooted (500 internal server error).
But, if I follow the openbsd faq t
Julien TOUCHE wrote:
i know about mod_perl and i was considering it to replace perl in chroot.
but as far as i know, it does not replace perl modules ... or i miss it ?
You can load the modules on apache startup. They don't have to exist in
chroot.
http://www.apacheref.com/ref/mod
Sorry, this has been solved, it only needs to be set in squid.conf
On 2/16/07, sonjaya <[EMAIL PROTECTED]> wrote:
Dear all
I have machine running squid n apache at OBSD also set as
transparent proxy with pf .
Now i have limit who can use that proxy ( of course limit by ip in squid conf).
The p
Dear all
I have machine running squid n apache at OBSD also set as
transparent proxy with pf .
Now i have limit who can use that proxy ( of course limit by ip in squid conf).
The problem show when ip non allow access the proxy access webserver
at that machine proxy always get denied.
int
This is slightly off topic, but since chroot has been integral to
openbsd's apache longer than pretty much anywhere else, I figure you
guys will probably have an answer for me.
I've been beating my head against the monitor for a couple of days
trying to figure out the best way t
xzf $file && cd $dir
perl Makefile.PL PREFIX=/var/www/usr/myperl5
make
make install
fi
done
rm -Rf $tmp $filelist $build_dir 2>/dev/null
<<<
works ok for me
set PERL5LIB in apache conf for your perl webapp
Regards
Julien
Marc Balmer wrote on 11/02/07 11:32:
> there is also mod_perl which we successfully used for Perl applications
> like www.otrs.org (a ticketing system)
i know about mod_perl and i was considering it to replace perl in chroot.
but as far as i know, it does not replace perl modules ... or i miss it
Julien TOUCHE wrote:
i try to use a perl web application with a lot of perl modules (most of
them not in ports).
as i want to keep apache chrooted, i can
- install in /usr/local and copy all stuff to /var/www. i want to avoid
this.
- install in /var/www/lib/myapp and add an env PERL5LIB or
i try to use a perl web application with a lot of perl modules (most of
them not in ports).
as i want to keep apache chrooted, i can
- install in /usr/local and copy all stuff to /var/www. i want to avoid
this.
- install in /var/www/lib/myapp and add an env PERL5LIB or something
like that
; which installs the necessary
libs for rrdtool to work in a chroot environment.
I launched that script and it most probably copied a library I missed out.
Unfortunately I have no clue which ones were missing.
The ones on your list are not in mine because they aren't on my system at
a
On 2007/02/11 00:24, doc Hyde wrote:
> I have already done this, here is my output:
> # ldd /usr/local/bin/rrdtool
That is only part of what I said;
> > It works with the following files copied in (obviously adjust for
> > machine arch etc). Found by a combination of ldd /usr/local/bin/rrdtool,
On 2/10/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
> On 2007/02/10 21:43, doc Hyde wrote:
> > '/usr/local/libdata/perl5/site_perl/i386-openbsd/auto/RRDs/RRDs.so' for
> > module RRDs: Cannot load specified object at
> > /usr/libdata/perl5/i386-openbsd/5.8.8/DynaLoader.pm line 230.
> > at /cgi
On 2007/02/10 21:43, doc Hyde wrote:
> '/usr/local/libdata/perl5/site_perl/i386-openbsd/auto/RRDs/RRDs.so' for
> module RRDs: Cannot load specified object at
> /usr/libdata/perl5/i386-openbsd/5.8.8/DynaLoader.pm line 230.
> at /cgi-bin/mailgraph/mailgraph.cgi line 7
> Line 7 is the RRDs perl modul
Hello!
I have installed an OpenBSD server with postfix MTA and I am trying to have
mailgraph work.
I used the "pkg_add" command to add the mailgraph software.
The script cgi script is installed in the default chroot apache:
/var/www/cgi-bin/mailgraph/mailgraph.cgi
I have defined t
On Tue, 2007-01-30 at 16:44 +0100, Pierre-Yves Ritschard wrote:
> On Tue, 30 Jan 2007 15:20:42 +
> Rui Miguel Silva Seabra <[EMAIL PROTECTED]> wrote:
> > Promising, it does say that it's now part of the OpenBSD system, but
> > since when? CURRENT? I can't seem to find it in the 4.0 CD's...
> >
On Tue, 30 Jan 2007 15:20:42 +
Rui Miguel Silva Seabra <[EMAIL PROTECTED]> wrote:
> On Tue, 2007-01-30 at 14:25 +0100, Pierre-Yves Ritschard wrote:
> > On Tue, 30 Jan 2007 13:06:00 +
> > Rui Miguel Silva Seabra <[EMAIL PROTECTED]> wrote:
> >
> > > By the way, what do you use/recommend in
On Tue, 2007-01-30 at 14:25 +0100, Pierre-Yves Ritschard wrote:
> On Tue, 30 Jan 2007 13:06:00 +
> Rui Miguel Silva Seabra <[EMAIL PROTECTED]> wrote:
>
> > By the way, what do you use/recommend in order to manage the webserver
> > pool? 1 test/min (in cron for instance) is too large a value fo
On Mon, Jan 29, 2007 at 05:36:12PM +0100, Marian Hettwer wrote:
> Pierre-Yves Ritschard wrote:
> >On Mon, 29 Jan 2007 17:20:50 +0100
> >Marian Hettwer <[EMAIL PROTECTED]> wrote:
> >
> >>Which would mean, I send a SYN to my load balancer, which forwards
> >>the SYN to one of my webservers, and the
On Tue, 30 Jan 2007 13:06:00 +
Rui Miguel Silva Seabra <[EMAIL PROTECTED]> wrote:
> By the way, what do you use/recommend in order to manage the webserver
> pool? 1 test/min (in cron for instance) is too large a value for many
> use cases, so what would be best in your opinion?
>
> It's likel
On 2007/01/30 13:06, Rui Miguel Silva Seabra wrote:
> By the way, what do you use/recommend in order to manage the webserver
> pool?
hoststated.
On Mon, 2007-01-29 at 09:54 -0700, Bob Beck wrote:
> I'm not using NAT, my load balancer looks like this:
>
> web2# more /etc/pf/webmail_servers
(...)
> pf.conf:
>
> table persist file "/etc/pf/webmail_servers"
> WEBMAIL_IP = "{129.128.98.89}"
> rdr pass on $ext_if proto tcp to $WEBMAIL_IP
On Tue, Jan 30, 2007 at 09:09:46AM +0100, Marian Hettwer wrote:
|
| requests go like this:
| origin -> balancer -> destination
|
| replies like this:
| destination -> origin
This sounds a lot like what certain loadbalancers call "DSR" or
"Direct Server Return". Basically, this is layer 2 NAT'ing.
Hi Stuart,
Stuart Henderson wrote:
On 2007/01/29 16:21, Marian Hettwer wrote:
Is there any possible way to get the real ip addresses in my apache
access log?
Readers who didn't see the earlier posts about setting this up, they're
here: http://marc.theaimsgroup.com/?l=open
Henning Brauer wrote:
* Marian Hettwer <[EMAIL PROTECTED]> [2007-01-29 18:46]:
Ah... there we go.
I can't setup the webservers with their default gateway to my load
balancer. The boxes are dedicated servers and I have no possibility to
change the network settings.
These are rented servers (d
and memory usage.
So I'd say: That's great :)
However, one thing is bothering me.
Obviously, my apache access logs on those load balanced machines can
only show the IP address of my load balancer, not the real remote ip of
the request.
Completely untrue. if you are doing
* Marian Hettwer <[EMAIL PROTECTED]> [2007-01-29 18:46]:
> Pierre-Yves Ritschard wrote:
> >On Mon, 29 Jan 2007 17:20:50 +0100
> >Marian Hettwer <[EMAIL PROTECTED]> wrote:
> >
> >>Which would mean, I send a SYN to my load balancer, which forwards
> >>the SYN to one of my webservers, and the webser
Pierre-Yves Ritschard wrote:
On Mon, 29 Jan 2007 17:20:50 +0100
Marian Hettwer <[EMAIL PROTECTED]> wrote:
Which would mean, I send a SYN to my load balancer, which forwards
the SYN to one of my webservers, and the webserver would send a
SYN-ACK back to me. But my machine, obviously can't do a
On Mon, 29 Jan 2007 17:34:51 +0100
Marian Hettwer <[EMAIL PROTECTED]> wrote:
>
>
> Pierre-Yves Ritschard wrote:
> > On Mon, 29 Jan 2007 17:20:50 +0100
> > Marian Hettwer <[EMAIL PROTECTED]> wrote:
> >
> >> Which would mean, I send a SYN to my load balancer, which forwards
> >> the SYN to one
Hi,
Pierre-Yves Ritschard wrote:
On Mon, 29 Jan 2007 16:21:13 +0100
Marian Hettwer <[EMAIL PROTECTED]> wrote:
However, one thing is bothering me.
Obviously, my apache access logs on those load balanced machines can
only show the IP address of my load balancer, not the real remote
nd memory usage.
> So I'd say: That's great :)
>
> However, one thing is bothering me.
> Obviously, my apache access logs on those load balanced machines can
> only show the IP address of my load balancer, not the real remote ip of
> the request.
Completely untrue. if y
Pierre-Yves Ritschard wrote:
On Mon, 29 Jan 2007 17:34:51 +0100
Marian Hettwer <[EMAIL PROTECTED]> wrote:
You could also do an ugly hack which would consist of attaching a
second network on your servers and load balancers (provided they are in
the same (v)?lan) like 172.16.1.0/24 and use tha
Hi Berk,
Berk D. Demir wrote:
Marian Hettwer wrote:
However, one thing is bothering me.
Obviously, my apache access logs on those load balanced machines can
only show the IP address of my load balancer, not the real remote ip
of the request.
This is, to my knowledge, due to the fact that
On 2007/01/29 16:21, Marian Hettwer wrote:
> Is there any possible way to get the real ip addresses in my apache
> access log?
Readers who didn't see the earlier posts about setting this up, they're
here: http://marc.theaimsgroup.com/?l=openbsd-misc&m=116905272009036&w=2
On Mon, 29 Jan 2007 17:20:50 +0100
Marian Hettwer <[EMAIL PROTECTED]> wrote:
>
> Which would mean, I send a SYN to my load balancer, which forwards
> the SYN to one of my webservers, and the webserver would send a
> SYN-ACK back to me. But my machine, obviously can't do anything with
> a SYN-ACK
Marian Hettwer wrote:
However, one thing is bothering me.
Obviously, my apache access logs on those load balanced machines can
only show the IP address of my load balancer, not the real remote ip of
the request.
This is, to my knowledge, due to the fact that pf(4) is working on the
TCP layer
hing is bothering me.
Obviously, my apache access logs on those load balanced machines can
only show the IP address of my load balancer, not the real remote ip
of the request.
This is, to my knowledge, due to the fact that pf(4) is working on the
TCP layer and is doing NAT.
Is there any possible wa
On Mon, 29 Jan 2007 16:21:13 +0100
Marian Hettwer <[EMAIL PROTECTED]> wrote:
> However, one thing is bothering me.
> Obviously, my apache access logs on those load balanced machines can
> only show the IP address of my load balancer, not the real remote ip
> of the req
Gregory Edigarov wrote:
Marian Hettwer wrote:
Okay... anybody with any usable suggestions?
There's the X-Forwarded-to Information in a http header, which can be
set via some software load balancers. However, those are operating on
the application layer, which pf isn't... too bad.
Uhmm...
Hi OpenBSD'lers,
I'm about to use OpenBSD's pf(4) for load balancing some webservers. So
far, everything is looking just perfect.
Compared to pound, pf(4) is incredibly fast with few CPU and memory usage.
So I'd say: That's great :)
However, one thing is bothering me.
Hi,
On Fri, 26.01.2007 at 19:17:41 +0800, Lars Hansson <[EMAIL PROTECTED]> wrote:
> Toni Mueller wrote:
> >To me, this currently comes down to using unique user and group ids for
> >individual web site instances, and then chroot each server into their
> >respective tree where the requirement for r
rtual hosting in the proxy to
redirect vhosts to the right apache instance.
Toni Mueller wrote:
To me, this currently comes down to using unique user and group ids for
individual web site instances, and then chroot each server into their
respective tree where the requirement for reading other people's data
is to break out of the chroot first.
This can be done with the
Hi,
On Tue, 23.01.2007 at 21:45:14 +0100, Joachim Schipper <[EMAIL PROTECTED]>
wrote:
> On Tue, Jan 23, 2007 at 05:44:38PM +0100, Almir Karic wrote:
> > what i would like to achieve is that on a shared host if bad guys (tm)
> > break into one site they can't get to other sites.
> >
> > is this p
Joachim, could you share your config files for that?
On 1/23/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
The simple solution is to not allow the web server to write anywhere but /tmp.
Regards
Alex
--
http://preferans.de
On Tue, Jan 23, 2007 at 05:44:38PM +0100, Almir Karic wrote:
> is this possible? i've been looking at su-exec but it is for
> cgi scripts only :/, what other options there are?
If you can run the app(s) with FastCGI (most PHP stuff I have
tried does), another option is to use suexec wrapper for d
ttp://www.openbsd.org/faq/faq10.html#httpdchroot
". . . the starting configuration of the OpenBSD chroot(2)ed Apache is
where the user the httpd(8) program is running as can not run any
programs, can not alter any files, and can not assume another user's
identity."
IF you maintain that
On Tue, Jan 23, 2007 at 05:44:38PM +0100, Almir Karic wrote:
> what i would like to achieve is that on a shared host if bad guys (tm)
> break into one site they can't get to other sites.
>
> is this possible? i've been looking at su-exec but it is for cgi
> scripts only :/, what other options ther
Almir Karic wrote:
what i would like to achieve is that on a shared host if bad guys (tm)
break into one site they can't get to other sites.
is this possible? i've been looking at su-exec but it is for cgi
scripts only :/, what other options there are?
AFAIK chroot is not the correct answer to
Maybe use permissions, diff user on each site, chmod to disallow
writing from other users?
that would solve the problem, but i have no idea how to achieve it, and
google doesn't seem to like me :/. any hints?
--
almir