Re: [users@httpd] Re: security reports page blank ???

2016-03-14 Thread Michael A. Peters 

On 03/14/2016 04:25 PM, Good guy wrote:

On 14/03/2016 23:03, Richard wrote:



Date: Monday, March 14, 2016 15:57:21 -0700
From: "Michael A. Peters" 

http://httpd.apache.org/security_report.html

Currently I am getting nothing from that page, not even historic
stuff. Is this temporary or has it moved?


It works fine for me, using (firefox) browser with and without js on
and with and without cookies being accepted.


Also fine here in IE11 and Microsoft Edge (Windows 10)




Working fine for me now too, so must have been temporary glitch.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: security reports page blank ???

2016-03-14 Thread Good guy 

On 14/03/2016 23:03, Richard wrote:



Date: Monday, March 14, 2016 15:57:21 -0700
From: "Michael A. Peters" 

http://httpd.apache.org/security_report.html

Currently I am getting nothing from that page, not even historic
stuff. Is this temporary or has it moved?


It works fine for me, using (firefox) browser with and without js on
and with and without cookies being accepted.


Also fine here in IE11 and Microsoft Edge (Windows 10)




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] RE: Apache fails to start after updating openssl from 1.0.1j to 1.0.2g

2016-03-14 Thread Ron Hawkins 
I decided to upgrade the site to Apache 2.4.17.  OpenSSL 1.0.2g was included 
and all is working well.

Ron 


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] security reports page blank ???

2016-03-14 Thread Richard 


> Date: Monday, March 14, 2016 15:57:21 -0700
> From: "Michael A. Peters" 
>
> http://httpd.apache.org/security_report.html
> 
> Currently I am getting nothing from that page, not even historic
> stuff. Is this temporary or has it moved?
> 

It works fine for me, using (firefox) browser with and without js on
and with and without cookies being accepted.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] security reports page blank ???

2016-03-14 Thread Michael A. Peters 

http://httpd.apache.org/security_report.html

Currently I am getting nothing from that page, not even historic stuff. 
Is this temporary or has it moved?


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Apache fails to start after updating openssl from 1.0.1j to 1.0.2g

2016-03-14 Thread Ron Hawkins 
Hello, I tried updating the version of OpenSSL on my Apache web server from 
1.0.1j to 1.0.2g and now the web server won't start (actually I dropped back so 
I'm not totally freaking out).  It appears to be failing before it can write to 
the error log.  To update I simply copied openssl.exe, libeay32.dll, and 
ssleay32.dll to the \Apache\bin folder.  

Here are the pertinent details on my server:
 Windows 2008 R2
 Apache 2.2.6 (Win32)
 Openssl 1.0.2g binaries downloaded from 
https://indy.fulgan.com/SSL/openssl-1.0.2g-i386-win32.zip
 I also tried https://indy.fulgan.com/SSL/openssl-1.0.1s-i386-win32.zip 
with the same results.

I have a dev server running Apache 2.4.12 and it updated successfully.

Is there a compatibility problem with Apache 2.2.6 and OpenSSL 1.0.2g?  I'm 
considering upgrading Apache to find out, but I don't want to take my site down 
any more than I have to.

Ron 


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Ache 2.4 and LetsEncrypt

2016-03-14 Thread @lbutlr 
After setting up lets encrypt on my server and running it I end up with the 
following files:

$ ls -nls
total 48
8 -rw---  1 443  443  1854 Mar  4 23:38 cert-1457159890.csr
0 -rw---  1 443  443 0 Mar  4 23:38 cert-1457159890.pem
8 -rw---  1 443  443  1854 Mar  5 05:06 cert-1457179567.csr
0 -rw---  1 443  443 0 Mar  5 05:06 cert-1457179567.pem
8 -rw---  1 443  443  1854 Mar 12 04:35 cert-1457782552.csr
0 -rw---  1 443  443 0 Mar 12 04:35 cert-1457782552.pem
8 -rw---  1 443  443  3243 Mar  4 23:38 privkey-1457159890.pem
8 -rw---  1 443  443  3243 Mar  5 05:06 privkey-1457179567.pem
8 -rw---  1 443  443  3247 Mar 12 04:35 privkey-1457782552.pem

As you can see, the cert…pem files are 0 bytes.

I have not gotten the last step I need to take in order to attach these certs 
to apache so I can switch over to https. Trying to link to the csr files didn’t 
seem to work, so I am doing something wrong.

I am using the lets encrypt.sh port from FreeBSD postmaster (since letsenrypt 
still isn’t quite native on FreeBSD).

Anyone have some pointers or an RTFM link?

-- 
Nihil est--in vita priore ego imperator Romanus fui.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] How to add data to body request

2016-03-14 Thread Domingo Jimenez 
Hi! I am developing an Apache module in C and I would like to put some
information into the body request (post). How could I add content in the
post body request? I have seen the body_table param in request_rec, but it
didn't work. Thanks!

Re: [users@httpd] Potential HTTP/2 Bug within Apache 2.4.18

2016-03-14 Thread Stefan Eissing 
Good to hear! I will update the bug. Thanks.

> Am 14.03.2016 um 13:08 schrieb Russel Van Tuyl :
> 
> Stefan, version 1.2.8 works great. Thanks for the fix and for your help. I 
> create a bug report with Apache yesterday. Do you want to update it or would 
> you like me to? https://bz.apache.org/bugzilla/show_bug.cgi?id=59176
> 
> On Mon, Mar 14, 2016 at 7:05 AM, Stefan Eissing 
>  wrote:
> Russel,
> 
> if you have a apxs installed, it's probably easiest to checkout and make the 
> github alpha
> release from https://github.com/icing/mod_h2/releases/tag/v1.2.8 where I just 
> released the
> fix. There are other bug fixes in there, that should be good to have as well.
> 
> If you want to stay on the pure 2.4.18, you can apply this patch:
> 
> 
> 
> 
> Let me know if this works for you.
> 
> -Stefan
> 
> > Am 14.03.2016 um 11:35 schrieb Russel Van Tuyl :
> >
> > I've never applied or tested a patch before, but i'm willing to give it a 
> > shot.
> >
> > On Mon, Mar 14, 2016 at 5:35 AM, Stefan Eissing 
> >  wrote:
> >
> > > Am 13.03.2016 um 04:18 schrieb Russel Van Tuyl :
> > >
> > > I'm running an Apache 2.4.18 web server (Server-A) compiled from source 
> > > as a reverse proxy. I'm using ProxyPass on Server-A to pass traffic to a 
> > > proxy, nghttpx, listening on 127.0.0.1:3000. This nghttpx proxy sends 
> > > traffic to a second server, Server-B, across the network. Connections 
> > > from a web browser on Client-C work fine connecting to Server-A that 
> > > connects to nghttpx proxy on 127.0.0.1:3000 that connects to Server-B. 
> > > These connections only work when Server-B is using Apache 2.4.17. When 
> > > Server-B is using Apache 2.4.18 the connection errors out and will not 
> > > complete. The exact error message is down below this narrative. I'm not 
> > > sure why it is requesting http://(null)/ . At this point, the only that 
> > > has changes is Server-B's version of Apache. Neither Server-A or the 
> > > nghttpx's configuration change, just the version of Apache on Server-B. 
> > > I've built both Apache 2.4.17 and 2.4.18 from source on Server-B using 
> > > the same configurations. The debug output from mod_http2 for both a 
> > > failed and successful connection can be found here: 
> > > http://pastebin.com/XnUL8aeh . Is this is a bug in Apache 2.4.18 or is 
> > > there something else I can try and do to narrow the problem down?
> > >
> > >
> > > [Sat Mar 12 20:54:53.087621 2016] [http2:debug] [pid 21439:tid 
> > > 140096657385216] h2_stream.c(321): [client 192.168.56.120:34283] 
> > > h2_stream(73-1): RST=2 (internal err) GET http://(null)/
> >
> > What I see from the 2.4.18 log is that the incoming request has no 
> > ':authority' header and is rejected. Reading RFC 7540 carefully, this is a 
> > bug. The nghttpx, acting as h1->h2 proxy MUST not send and :authority 
> > header. nghttpx does everything right and mod_http2 has it wrong.
> >
> > Are you able to apply/test a patch?
> >
> > -Stefan
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
> >
> >
> >
> > --
> > Respectfully,
> > Russel Van Tuyl
> >
> > “If you don’t go after what you want, you’ll never have it. If you don’t 
> > ask, the answer is always no. If you don’t step forward, you’re always in 
> > the same place.” -- Nora Roberts, author
> 
> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
> 
> 
> -- 
> Respectfully,
> Russel Van Tuyl
> 
> “If you don’t go after what you want, you’ll never have it. If you don’t ask, 
> the answer is always no. If you don’t step forward, you’re always in the same 
> place.” -- Nora Roberts, author


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Potential HTTP/2 Bug within Apache 2.4.18

2016-03-14 Thread Russel Van Tuyl 
Stefan, version 1.2.8 works great. Thanks for the fix and for your help. I
create a bug report with Apache yesterday. Do you want to update it or
would you like me to? https://bz.apache.org/bugzilla/show_bug.cgi?id=59176

On Mon, Mar 14, 2016 at 7:05 AM, Stefan Eissing <
stefan.eiss...@greenbytes.de> wrote:

> Russel,
>
> if you have a apxs installed, it's probably easiest to checkout and make
> the github alpha
> release from https://github.com/icing/mod_h2/releases/tag/v1.2.8 where I
> just released the
> fix. There are other bug fixes in there, that should be good to have as
> well.
>
> If you want to stay on the pure 2.4.18, you can apply this patch:
>
>
>
>
> Let me know if this works for you.
>
> -Stefan
>
> > Am 14.03.2016 um 11:35 schrieb Russel Van Tuyl  >:
> >
> > I've never applied or tested a patch before, but i'm willing to give it
> a shot.
> >
> > On Mon, Mar 14, 2016 at 5:35 AM, Stefan Eissing <
> stefan.eiss...@greenbytes.de> wrote:
> >
> > > Am 13.03.2016 um 04:18 schrieb Russel Van Tuyl <
> russel.vant...@gmail.com>:
> > >
> > > I'm running an Apache 2.4.18 web server (Server-A) compiled from
> source as a reverse proxy. I'm using ProxyPass on Server-A to pass traffic
> to a proxy, nghttpx, listening on 127.0.0.1:3000. This nghttpx proxy
> sends traffic to a second server, Server-B, across the network. Connections
> from a web browser on Client-C work fine connecting to Server-A that
> connects to nghttpx proxy on 127.0.0.1:3000 that connects to Server-B.
> These connections only work when Server-B is using Apache 2.4.17. When
> Server-B is using Apache 2.4.18 the connection errors out and will not
> complete. The exact error message is down below this narrative. I'm not
> sure why it is requesting http://(null)/ . At this point, the only that
> has changes is Server-B's version of Apache. Neither Server-A or the
> nghttpx's configuration change, just the version of Apache on Server-B.
> I've built both Apache 2.4.17 and 2.4.18 from source on Server-B using the
> same configurations. The debug output from mod_http2 for both a failed and
> successful connection can be found here: http://pastebin.com/XnUL8aeh .
> Is this is a bug in Apache 2.4.18 or is there something else I can try and
> do to narrow the problem down?
> > >
> > >
> > > [Sat Mar 12 20:54:53.087621 2016] [http2:debug] [pid 21439:tid
> 140096657385216] h2_stream.c(321): [client 192.168.56.120:34283]
> h2_stream(73-1): RST=2 (internal err) GET http://(null)/
> >
> > What I see from the 2.4.18 log is that the incoming request has no
> ':authority' header and is rejected. Reading RFC 7540 carefully, this is a
> bug. The nghttpx, acting as h1->h2 proxy MUST not send and :authority
> header. nghttpx does everything right and mod_http2 has it wrong.
> >
> > Are you able to apply/test a patch?
> >
> > -Stefan
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
> >
> >
> >
> > --
> > Respectfully,
> > Russel Van Tuyl
> >
> > “If you don’t go after what you want, you’ll never have it. If you don’t
> ask, the answer is always no. If you don’t step forward, you’re always in
> the same place.” -- Nora Roberts, author
>
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>



-- 
Respectfully,
Russel Van Tuyl

“If you don’t go after what you want, you’ll never have it. If you don’t
ask, the answer is always no. If you don’t step forward, you’re always in
the same place.” -- Nora Roberts, author

Re: [users@httpd] Potential HTTP/2 Bug within Apache 2.4.18

2016-03-14 Thread Stefan Eissing 
Russel,

if you have a apxs installed, it's probably easiest to checkout and make the 
github alpha
release from https://github.com/icing/mod_h2/releases/tag/v1.2.8 where I just 
released the
fix. There are other bug fixes in there, that should be good to have as well.

If you want to stay on the pure 2.4.18, you can apply this patch:



proxy-authority.patch
Description: Binary data


Let me know if this works for you.

-Stefan

> Am 14.03.2016 um 11:35 schrieb Russel Van Tuyl :
> 
> I've never applied or tested a patch before, but i'm willing to give it a 
> shot.
> 
> On Mon, Mar 14, 2016 at 5:35 AM, Stefan Eissing 
>  wrote:
> 
> > Am 13.03.2016 um 04:18 schrieb Russel Van Tuyl :
> >
> > I'm running an Apache 2.4.18 web server (Server-A) compiled from source as 
> > a reverse proxy. I'm using ProxyPass on Server-A to pass traffic to a 
> > proxy, nghttpx, listening on 127.0.0.1:3000. This nghttpx proxy sends 
> > traffic to a second server, Server-B, across the network. Connections from 
> > a web browser on Client-C work fine connecting to Server-A that connects to 
> > nghttpx proxy on 127.0.0.1:3000 that connects to Server-B. These 
> > connections only work when Server-B is using Apache 2.4.17. When Server-B 
> > is using Apache 2.4.18 the connection errors out and will not complete. The 
> > exact error message is down below this narrative. I'm not sure why it is 
> > requesting http://(null)/ . At this point, the only that has changes is 
> > Server-B's version of Apache. Neither Server-A or the nghttpx's 
> > configuration change, just the version of Apache on Server-B. I've built 
> > both Apache 2.4.17 and 2.4.18 from source on Server-B using the same 
> > configurations. The debug output from mod_http2 for both a failed and 
> > successful connection can be found here: http://pastebin.com/XnUL8aeh . Is 
> > this is a bug in Apache 2.4.18 or is there something else I can try and do 
> > to narrow the problem down?
> >
> >
> > [Sat Mar 12 20:54:53.087621 2016] [http2:debug] [pid 21439:tid 
> > 140096657385216] h2_stream.c(321): [client 192.168.56.120:34283] 
> > h2_stream(73-1): RST=2 (internal err) GET http://(null)/
> 
> What I see from the 2.4.18 log is that the incoming request has no 
> ':authority' header and is rejected. Reading RFC 7540 carefully, this is a 
> bug. The nghttpx, acting as h1->h2 proxy MUST not send and :authority header. 
> nghttpx does everything right and mod_http2 has it wrong.
> 
> Are you able to apply/test a patch?
> 
> -Stefan
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
> 
> 
> 
> -- 
> Respectfully,
> Russel Van Tuyl
> 
> “If you don’t go after what you want, you’ll never have it. If you don’t ask, 
> the answer is always no. If you don’t step forward, you’re always in the same 
> place.” -- Nora Roberts, author



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Potential HTTP/2 Bug within Apache 2.4.18

2016-03-14 Thread Russel Van Tuyl 
I've never applied or tested a patch before, but i'm willing to give it a
shot.

On Mon, Mar 14, 2016 at 5:35 AM, Stefan Eissing <
stefan.eiss...@greenbytes.de> wrote:

>
> > Am 13.03.2016 um 04:18 schrieb Russel Van Tuyl  >:
> >
> > I'm running an Apache 2.4.18 web server (Server-A) compiled from source
> as a reverse proxy. I'm using ProxyPass on Server-A to pass traffic to a
> proxy, nghttpx, listening on 127.0.0.1:3000. This nghttpx proxy sends
> traffic to a second server, Server-B, across the network. Connections from
> a web browser on Client-C work fine connecting to Server-A that connects to
> nghttpx proxy on 127.0.0.1:3000 that connects to Server-B. These
> connections only work when Server-B is using Apache 2.4.17. When Server-B
> is using Apache 2.4.18 the connection errors out and will not complete. The
> exact error message is down below this narrative. I'm not sure why it is
> requesting http://(null)/ . At this point, the only that has changes is
> Server-B's version of Apache. Neither Server-A or the nghttpx's
> configuration change, just the version of Apache on Server-B. I've built
> both Apache 2.4.17 and 2.4.18 from source on Server-B using the same
> configurations. The debug output from mod_http2 for both a failed and
> successful connection can be found here: http://pastebin.com/XnUL8aeh .
> Is this is a bug in Apache 2.4.18 or is there something else I can try and
> do to narrow the problem down?
> >
> >
> > [Sat Mar 12 20:54:53.087621 2016] [http2:debug] [pid 21439:tid
> 140096657385216] h2_stream.c(321): [client 192.168.56.120:34283]
> h2_stream(73-1): RST=2 (internal err) GET http://(null)/
>
> What I see from the 2.4.18 log is that the incoming request has no
> ':authority' header and is rejected. Reading RFC 7540 carefully, this is a
> bug. The nghttpx, acting as h1->h2 proxy MUST not send and :authority
> header. nghttpx does everything right and mod_http2 has it wrong.
>
> Are you able to apply/test a patch?
>
> -Stefan
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


-- 
Respectfully,
Russel Van Tuyl

“If you don’t go after what you want, you’ll never have it. If you don’t
ask, the answer is always no. If you don’t step forward, you’re always in
the same place.” -- Nora Roberts, author

Re: [users@httpd] Potential HTTP/2 Bug within Apache 2.4.18

2016-03-14 Thread Stefan Eissing 

> Am 13.03.2016 um 04:18 schrieb Russel Van Tuyl :
> 
> I'm running an Apache 2.4.18 web server (Server-A) compiled from source as a 
> reverse proxy. I'm using ProxyPass on Server-A to pass traffic to a proxy, 
> nghttpx, listening on 127.0.0.1:3000. This nghttpx proxy sends traffic to a 
> second server, Server-B, across the network. Connections from a web browser 
> on Client-C work fine connecting to Server-A that connects to nghttpx proxy 
> on 127.0.0.1:3000 that connects to Server-B. These connections only work when 
> Server-B is using Apache 2.4.17. When Server-B is using Apache 2.4.18 the 
> connection errors out and will not complete. The exact error message is down 
> below this narrative. I'm not sure why it is requesting http://(null)/ . At 
> this point, the only that has changes is Server-B's version of Apache. 
> Neither Server-A or the nghttpx's configuration change, just the version of 
> Apache on Server-B. I've built both Apache 2.4.17 and 2.4.18 from source on 
> Server-B using the same configurations. The debug output from mod_http2 for 
> both a failed and successful connection can be found here: 
> http://pastebin.com/XnUL8aeh . Is this is a bug in Apache 2.4.18 or is there 
> something else I can try and do to narrow the problem down?
> 
> 
> [Sat Mar 12 20:54:53.087621 2016] [http2:debug] [pid 21439:tid 
> 140096657385216] h2_stream.c(321): [client 192.168.56.120:34283] 
> h2_stream(73-1): RST=2 (internal err) GET http://(null)/

What I see from the 2.4.18 log is that the incoming request has no ':authority' 
header and is rejected. Reading RFC 7540 carefully, this is a bug. The nghttpx, 
acting as h1->h2 proxy MUST not send and :authority header. nghttpx does 
everything right and mod_http2 has it wrong.

Are you able to apply/test a patch?

-Stefan
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org