[users@httpd] Piping multiple log files to a single java program

2017-03-07 Thread Milind Vaidya
I am using this directive successfully.


ErrorLog  "| /usr/bin/tee -a /var/log/httpd/error_log |  java -cp producer.jar stdin.producer.StdInProducer /CustomProducer/config.json >> /producer_init.log 2>&1"



If I also want to send ssl_error_log to this program as well, is there
any provision to do so?

This is what I was doing when using a manual script to launch the log consumer.

tail -n0 -F /var/log/httpd/error_log /var/log/httpd/ssl_error_log |


[users@httpd] config mod_user_dir apache apache v.2.4.6.

2017-03-07 Thread Wilmer Arambula
Hi, what would be the best way to run suexec instead /home/directory,

[userdir.conf]:


AllowOverride All FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI
AddHandler cgi-script .cgi .pl .py .rb
Require method GET POST OPTIONS


This is the best way, I hope for your recommendations,

Thanks,

-- 
Wilmer Arambula.


Re: [users@httpd] Piping logs to a java process : creates multiple processes

2017-03-07 Thread Milind Vaidya
As an extension to this, if I also want to send ssl_error_log to this
program as well, is there any provision to do so?


This is what I was doing when using a manual script to launch the log
consumer.

tail -n0 -F /var/log/httpd/error_log /var/log/httpd/ssl_error_log |

On Mon, Jan 23, 2017 at 5:38 PM, Milind Vaidya  wrote:

> Thanks for prompt reply Eric.
>
> Adding the relevant code resolved the issue of 2 processes at the beginning.
> Let me wait for logrotate to kick in and see over a few hours how it behaves.
>
>
>
> On Mon, Jan 23, 2017 at 4:41 PM, Eric Covener  wrote:
>
>> On Mon, Jan 23, 2017 at 7:36 PM, Milind Vaidya  wrote:
>> > When httpd is started it spawns 2 processes and adds one every one hour,
>> > keeping all alive
>>
>>
>> Your java program needs to exit when stdin returns EOF.
>>
>> --
>> Eric Covener
>> cove...@gmail.com
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>
>


Re: [users@httpd] Help with rewriterule

2017-03-07 Thread Luca Toscano
2017-03-06 19:15 GMT+01:00 Robert Moskowitz :

> Luca,
>
> Thank you for replying.
>
> On 03/06/2017 04:07 AM, Luca Toscano wrote:
>
> Hi Robert,
>
> 2017-03-05 21:57 GMT+01:00 Robert Moskowitz :
>
>> Hello,
>>
>> This is for Apache 2.4 on Centos7.  I am migrating from Apache 2.2 on
>> Centos6.
>>
>> I want to support redirecting all webmail queries to https.  for either
>> queries to:
>>
>> webmail.foo.com or foo.com/webmail
>>
>> My old rules were:
>>
>> 
>> ServerName webmail.htt-consult.com
>> ServerAlias webmail
>> RewriteEngine On
>> RewriteCond  %{SERVER_PORT} !^443$
>> RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
>> ExpiresDefault "access plus 10 years"
>> AddOutputFilterByType DEFLATE text/html text/plain text/xml
>> php_admin_flag session.cookie_secure "1"
>> 
>>
>> This SEEMED to only work for the webmail virtual host, and not others on
>> this server.  When I used this rule set on the new server, it clearly was
>> redirecting all web accesses to https.
>
>
> Have you checked if the VirtualHost is the default one (you can use
> apachectl -S to confirm)?
>
>
> Comes back  response.
>


This is really strange.. Have you checked if the apachectl binary is
working correctly?


>
>
>> So I tried to write a more restrictive rule, trying to follow
>> instructions from
>>
>> http://httpd.apache.org/docs/current/rewrite/intro.html
>>
>> It would seem the rule:
>>
>> RewriteRule ^.*webmail https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
>>
>> Should work, but the test site I tried:
>>
>> http://martinmelin.se/rewrite-rule-tester/
>>
>> Did not show this did the rewrite to https.
>
>
> So from http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule:
>
> "RewriteRule Pattern Substitution [flags]"
> "In VirtualHost context, The Pattern will initially be matched against the
> part of the URL after the hostname and port, and before the query string
> (e.g. "/app1/index.html"). This is the (%-decoded) URL-path."
>
> If I got it correctly you are trying to match the hostname in the Pattern,
> that shouldn't work in Vhost context.
>
> Also how to direct Webmail.foo.com to https://webmail.foo.com?
>>
>
> https://httpd.apache.org/docs/2.4/mod/mod_alias.html#redirect or
> https://httpd.apache.org/docs/2.4/mod/mod_alias.html#redirectmatch might
> help you (and in my opinion they are way more maintainable than rewrite
> rules).
>
>
>
> RedirectMatch ^.*webmail https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
>
> But how do I get this NOT to redirect when it is already https:// ?
>

It shouldn't be a problem if you use the rule only in the Virtual Host
listening on port 80 (since no https request should land there).


> And how do I handle Webmail as well as webmail?  Would that be
>
> RedirectMatch ^.*[wW]ebmail https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
>

I would do multiple tests on your environment to see which one works best :)

Thanks!

Luca


Re: [users@httpd] mod_lua and subprocess_env

2017-03-07 Thread Andrei Ivanov
On Mon, Mar 6, 2017 at 12:57 PM, Yann Ylavic  wrote:

> Hi Andrei,
>
> On Mon, Mar 6, 2017 at 10:15 AM, Andrei Ivanov 
> wrote:
>
>> On Thu, Mar 2, 2017 at 12:40 PM, Andrei Ivanov 
>> wrote:
>>
>>> On Tue, Feb 28, 2017 at 12:09 PM, Andrei Ivanov >> > wrote:
>>>
 On Mon, Feb 27, 2017 at 11:58 AM, Andrei Ivanov <
 andrei.iva...@gmail.com> wrote:

> On Fri, Feb 24, 2017 at 10:58 PM, Andrei Ivanov <
> andrei.iva...@gmail.com> wrote:
>
>> On Feb 24, 2017 22:54, "Yann Ylavic"  wrote:
>>
>> On Fri, Feb 24, 2017 at 6:50 PM, Andrei Ivanov <
>> andrei.iva...@gmail.com> wrote:
>> >
>> > I've managed to apply your patch and rebuild Apache and now I have:
>> > Header set Client-IP "expr=%{REMOTE_ADDR}"
>> > Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>> > Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"
>>
>> Could you please add:
>>   Header set Expr "'IP Address:'.%{REMOTE_ADDR} -in
>> PeerExtList('2.5.29.17')"
>> ?
>>
>> If it outputed "Expr: IP Addressfalse" that'd be issue with operators'
>> precedence.
>> I'll try on my side, but you may beat me to it since you have the
>> environment...
>>
>>
>> Ugh, it's my work environment, I'll be able to access it only on
>> Monday.
>>
>>
> Tried now, I've adapted your suggestion a bit as it doesn't seem
> correct:
>
> Header set Expr "expr='IP Address:'.%{REMOTE_ADDR} -in
> %{PeerExtList:2.5.29.17}"
>
> This results in:
> Expr: 'IP Address:'.159.107.78.127 -in email:,
> email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
> Address:159.107.78.127, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
>
> As far as I understand, it doesn't perform the concatenation properly.
> I've tried
> Header set Expr "expr='%{IP Address:'.%{REMOTE_ADDR}} -in %{PeerExtList:2.5.29.17}"
>
> But I get a parse error at startup:
> Can't parse value expression : syntax error, unexpected T_ERROR,
> expecting T_VAR_END or ':': Invalid character in variable name ' '
>
> But I think mod_headers has some different way of interpreting
> expressions, because this doesn't work:
>
> Header set matched false
> %{PeerExtList:2.5.29.17}">
> Header set matched true
> 
>
> Cannot parse condition clause: syntax error, unexpected T_VAR_BEGIN,
> expecting T_ID or '{
>

 Yann? Any clues? :-)

>>>
>>> Ping 
>>>
>>
>> Hello?
>>
>
> Yes sorry, was busy these days ;)
>

I understand, who isn't? :-)

​
> Mixing different types (string, boolean, list) of expressions is not
> working currently, and requires changes in the parser (I'll try to work on
> this soon).
>
> In the meantime, maybe with my patch you could try to (uglily) match
> "%{PeerExtList:2.5.29.17}" (as a string, hence with the operator "~=")
> against something like "IP Address:".%{REMOTE_ADDR}(,|$) ?
>
> I've experimented a bit more with your suggestion, still doesn't work :-(

Header set Expr1 "expr='IP Address:'.%{REMOTE_ADDR} -in %{PeerExtList:2.5.29.17}"
Header set Expr2 "expr=%{PeerExtList:2.5.29.17} =~ /%{REMOTE_ADDR}/"
Header set Expr3 "expr=%{PeerExtList:2.5.29.17} =~ /159.107.78.131/"

Expr1: 'IP Address:'.159.107.78.131 -in email:,
email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
Address:159.107.78.131, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
Expr2: email:, email:, IP Address:127.0.0.1, IP
Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.131, IP
Address:FE80:0:0:0:6D03:4CE1:C15F:5A44 =~ /159.107.78.131/
Expr3: email:, email:, IP Address:127.0.0.1, IP
Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.131, IP
Address:FE80:0:0:0:6D03:4CE1:C15F:5A44 =~ /159.107.78.131/

So for mod_headers the expression isn't fully evaluated...

Header set matched-dynamic false

Header set matched-dynamic true

Header set matched-static false

Header set matched-static true


matched-dynamic: false
matched-static: true

The match against a dynamic expression fails.

Require expr "PeerExtList('2.5.29.17') =~ /'IP Address:'.%{REMOTE_ADDR}(,|$)/"
Require expr "PeerExtList('2.5.29.17') =~ /'IP Address:159.107.78.131'(,|$)/"

These both fail :-(

Thank you for your patience.
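
Added example, not part of this thread and not httpd code: the comparison the expressions above are after (is the client address one of the IP entries in the certificate's subjectAltName list?), done on parsed addresses in Python and set beside the two regex shapes discussed. The SAN string is a constructed sample in the format of the Expr output above, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, in the format of the Expr output quoted above.
SAN = ("email:, email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, "
       "IP Address:159.107.78.131, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44")

def san_ip_entries(san):
    """Parse the 'IP Address:' entries of a comma-separated SAN string."""
    ips = set()
    for entry in san.split(","):
        kind, sep, value = entry.strip().partition(":")
        if not sep or kind != "IP Address":
            continue  # email:, DNS: and other entry types are not addresses
        try:
            ips.add(ipaddress.ip_address(value.strip()))
        except ValueError:
            continue  # malformed entry: skip it rather than match loosely
    return ips

def client_ip_in_san(remote_addr, san):
    """Exact comparison on parsed addresses (hypothetical helper)."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return addr in san_ip_entries(san)

def unanchored_regex_match(remote_addr, san):
    """Shape of Expr2 above: the address as an unescaped, unanchored regex."""
    return re.search(remote_addr, san) is not None

def anchored_string_match(remote_addr, san):
    """Shape of the "IP Address:" + address + (,|$) suggestion, with escaping."""
    pattern = "IP Address:" + re.escape(remote_addr) + "(,|$)"
    return re.search(pattern, san) is not None

if __name__ == "__main__":
    for ip in ("159.107.78.131", "59.107.78.13", "::1"):
        print(ip, client_ip_in_san(ip, SAN),
              unanchored_regex_match(ip, SAN), anchored_string_match(ip, SAN))
```

The unanchored form accepts 59.107.78.13 because it is a substring of a listed address, and the anchored string form rejects ::1 because the list spells it 0:0:0:0:0:0:0:1; only the parsed comparison gets both right.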


Re: [users@httpd] httpd 2.4.25-1.fc25 avoiding search permission errors across file systems Fedora 25 linux

2017-03-07 Thread Robert Moskowitz
Yes, we really want the protection afforded our servers with SELinux,
but then there are all these policies to apply when we need to open
things up some.


Very challenging for sure.

On 03/06/2017 09:16 AM, David B Snyder wrote:

Thanks, this seems to have worked!

I guess I need to learn about SELinux now. :)


On 03/05/2017 06:04 PM, Robert Moskowitz wrote:

Are you running SELinux?

Have you done the needed:

chcon -R -t httpd_sys_content_rw_t /directory

commands?

On 03/05/2017 05:48 PM, David B Snyder wrote:
I am trying to set up httpd across several file systems on a Fedora 25 Linux
system, and I'm doing something wrong.

I haven't succeeded in getting httpd to serve pages across the mounted file systems.


example errors:
[Sun Mar 05 13:31:50.628070 2017] [core:error] [pid 1001] 
(13)Permission denied: [client ::1:50082] AH00035: access to 
/snyder/index.html denied (filesystem path 
'/mnt/Workspace/snyder/www/index.html') because search permissions 
are missing on a component of the path


[Sun Mar 05 13:32:01.840581 2017] [core:error] [pid 999] 
(13)Permission denied: [client ::1:50084] AH00035: access to 
/local/index.html denied (filesystem path '/home/snyder/index.html') 
because search permissions are missing on a component of the path



As far as I can tell, the permissions are correct, allowing read and execute

drwxr-xr-x.  14 root   root    4096 Feb  3 09:51 /mnt #this works

drwxr-xr-x.   6 root   root    4096 Mar  4 15:55 /mnt/Workspace #does not work

drwxr-xr-x.   9 snyder snyder  4096 Dec  9 10:31 /home #does not work

From httpd.conf:
...


Options Indexes FollowSymLinks
AllowOverride None
# Allow open access:
Require all granted



Options Indexes FollowSymLinks
AllowOverride None
# Allow open access:
Require all granted



Options Indexes FollowSymLinks
AllowOverride None
# Allow open access:
   Require all granted



alias /local/ /home/snyder/
alias /mnt/ /mnt/
alias /snyder/ /mnt/Workspace/snyder/www/

...

From my browser [Firefox]
'localhost'  displays the index.html

'localhost/mnt/' produces a directory listing, however clicking on the
Workspace entry [localhost/mnt/Workspace] produces 403 "Forbidden /n
You don't have permission to access /mnt/Workspace/ on this server."

'localhost/local/' produces a similar 403 "Forbidden" message.

The error_log messages are

[Sun Mar 05 13:31:50.628070 2017] [core:error] [pid 1001] 
(13)Permission denied: [client ::1:50082] AH00035: access to 
/snyder/index.html denied (filesystem path 
'/mnt/Workspace/snyder/www/index.html') because search permissions 
are missing on a component of the path


[Sun Mar 05 14:07:25.405553 2017] [autoindex:error] [pid 1000] 
(13)Permission denied: [client ::1:50688] AH01275: Can't open 
directory for index: /mnt/Workspace/, referer: http://localhost/mnt/



from /etc/mtab:
/dev/sda6 /mnt/Workspace ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/mapper/fedora_snydercpu-home /home ext4 
rw,seclabel,relatime,data=ordered 0 0


I'm running Fedora 25 with
httpd.x86_64 2.4.25-1.fc25   @updates
httpd-filesystem.noarch 2.4.25-1.fc25 @updates
httpd-manual.noarch 2.4.25-1.fc25   @updates
httpd-tools.x86_64 2.4.25-1.fc25   @updates

I suppose I could work exclusively within the root file system, but I think I
should not have to :).

Thanks for any advice

-David Snyder
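
Added example, not part of this thread: a Python walk over the directories named in an AH00035 error, reporting for each one its mode bits, whether those bits grant search to the httpd user, and its SELinux label, so a mode-bit denial can be told apart from a labeling one. The user name apache and all function names are assumptions; POSIX ACLs are not evaluated.

```python
import os
import stat

def has_search(st, uid, gids):
    """Mode-bit (DAC) check: may uid/gids traverse this directory?"""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def selinux_label(path):
    """SELinux context from the security.selinux xattr, or None if absent."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):  # unlabeled file system or non-Linux host
        return None

def walk_components(path, uid, gids):
    """Rows of (directory, mode, DAC search ok, SELinux label), from / down."""
    rows = []
    cur = os.path.dirname(os.path.abspath(path))
    while True:
        st = os.stat(cur)
        rows.append((cur, stat.filemode(st.st_mode),
                     has_search(st, uid, gids), selinux_label(cur)))
        parent = os.path.dirname(cur)
        if parent == cur:  # reached the root directory
            break
        cur = parent
    return rows[::-1]

def first_dac_block(path, uid, gids):
    """First directory whose mode bits deny search to uid/gids, else None."""
    for directory, _mode, ok, _label in walk_components(path, uid, gids):
        if not ok:
            return directory
    return None

if __name__ == "__main__":
    import pwd
    import sys
    pw = pwd.getpwnam("apache")  # assumption: httpd runs as user "apache"
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for row in walk_components(sys.argv[1], pw.pw_uid, gids):
        print(*row)
```

When every row shows search allowed, as with the drwxr-xr-x listings above, the label column is where to look next; that is the case the chcon relabel in this thread addressed.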





