If you have that many look at RewriteMap
https://httpd.apache.org/docs/current/rewrite/rewritemap.html
From: Frank Gingras
Sent: 26 October 2022 02:42
To: users@httpd.apache.org
Subject: Re: [users@httpd] specification of .htaccess [EXT]
This is an extremely bad idea. Do you have access to your
Never had these issues at all if you set up vhosts correctly.
But agree we tend to have 2 vhosts for the domain
* vhost 1 is the real vhost and handles requests
* vhost 2 contains all the redirects from other domain names to the canonical
one
The only ServerAlias lines in vhost 1 are for
Let's Encrypt is reliable from our point of view - never had an issue with it -
we occasionally have issues when renewing certs - we have about 90 of them -
but that is mainly with the "fake-manual" process of updating DNS which is not
100% reliable with the changes we make.
In use speed should
If touching the configuration of the system is proving difficult – there is
always an option to run a further apache on another machine which handles the
SSL, and passes the requests back over plain HTTP, in fact this is the way most
of the Apache servers we have are set up – it may be Apache,
> I'd suggest to keep the HTTP vhost for pure redirects and additionally set
> the Strict-Transport-Security header on HTTPS requests. With the header, most
> browsers will cache the information that HTTPS is enabled for your site and
> even enforce it for the time you set in the header.
If
You can add:
Header always set X-XSS-Protection "1; mode=block"
which will help – but the rest you need to look at the way you code your pages.
Then you can look at
(1) defensive code
(2) Content-Security-Policy header
(3) Specific rules in Apache to mitigate attacks
Remembering that XSS is
Yes the answer is almost certainly to do with the number of domains/size of
code – even if all the sites are running the same code – they are likely to
have different copies of it (unless they are all running the exact same copy of
the code – and using a name based switch somewhere in it) There
This is what we saw as well - simple things like disabling .htaccess files can
make a huge difference in performance (I haven't set up a server with .htaccess
files enabled for the best part of 20 years now because of the performance hit)
From: Rose, John B
Sent: 11 March 2021 21:02
How about questions number 2 and 3?
On Thursday, March 11, 2021, 09:46:03 PM GMT+3:30, James Smith
wrote:
A forward proxy is what you put between your web browser and the internet
(often called a proxy by browsers; often this happens on corporate networks) -
the reverse proxy
mod_event is comparable to NGINX I believe speed wise - but from experience
Apache is more stable!
-Original Message-
From: Jason Long
Sent: 11 March 2021 17:34
To: Users Maillingsliste Apache
Subject: [users@httpd] Is NGINX faster than Apache? [EXT]
Hello,
Is it true that NGINX is
A forward proxy is what you put between your web browser and the internet
(often called a proxy by browsers; often this happens on corporate networks) -
the reverse proxy is between the internet and the webserver
There are some issues with mod_security and e.g. wordpress sites - so you have
to
forward the
requests?
On Wednesday, March 10, 2021, 09:47:03 AM GMT+3:30, Jason Long
wrote:
Thank you so much.
Thus, the front-end and back-end servers are the same about the security.
What does "handle backend server down" mean?
On Tuesday, March 9, 2021, 04:30:01 PM GMT+3:30, Jame
Yes - you should harden the front-end as this is what is likely to be
compromised by general attacking.
Run SSL, run a static server & proxy server, set security headers, handle
backend server down, handle http -> https redirects, handle basic auth (you can
have a general rule for wordpress
Without knowing what your website is we can’t really see what is wrong. Have
you used chrome (or whatever browser you are using) developer’s tools to see
what is blocked by your content security policy (CSP)
From: Nick Folino
Sent: 08 February 2021 17:30
To: users@httpd.apache.org
Subject: Re:
-Original Message-
From: Eric Covener
Sent: 08 February 2021 13:13
To: users@httpd.apache.org
Subject: Re: [users@httpd] Which parameters must be set to solve these
Vulnerabilities? [EXT]
On Mon, Feb 8, 2021 at 6:24 AM Jason Long wrote:
>
> Hello,
> I scanned my Apache web server and
Trying to understand - was it just the last POST that you were seeing - not the
series of posts leading up to that stage of the form process..
In this case it looks (as Yehuda is just saying) that the request is kept in
the browser.
There are some ways to get around this:
(1) never POST and
The first place to look in this case is the size of the apache processes. Once
the OP has got on top of this - then other issues can be investigated.
So process would be:
1) Reduce number of modules in Apache (>100 at the moment) should be
around 15-25 region;
2) Look at memory
der attack. [EXT]
Hi James,
what was the command you used to see that apache uses ~1GB of memory? I deleted
the mail and that was a bad idea: there were some very useful commands you were
giving us here.
On 12.01.21 12:17, James Smith wrote:
> That shows you only have 2 incoming requests. Ho
Htcacheclean is I think only a disk based cache cleaner (something you
shouldn't really be using anyway!)
The only way to clean up apache memory is either to kill your child processes
or restart apache itself.
-Original Message-
From: Jason Long
Sent: 12 January 2021 23:26
To:
Tuesday, January 12, 2021, 02:55:14 PM GMT+3:30, James Smith
wrote:
That shows you only have 2 incoming requests. How many lines if you remove the
TIME_WAIT
Try: netstat -n | grep ':80 ' | wc
This may show lots of short requests happening over time
But to be honest the most important thing y
:16126 FIN_WAIT2
tcp6 0 0 X.X.X.X:80 X.X.X.X:64595 FIN_WAIT2
On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith
wrote:
If you want incoming traffic you can do:
netstat -n | grep ':443 ' | grep -v TIME_WAIT
The incoming IP should be the 2nd
-DFOREGROUND
1250040 3912624 978156 64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599 84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244 74 /usr/sbin/httpd -DFOREGROUND
How can I see the IP addresses and their incoming traffic?
On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith
Subject: Re: [users@httpd] Apache in under attack. [EXT]
System administrators doing it manually???
On Tuesday, January 12, 2021, 01:28:50 PM GMT+3:30, James Smith
wrote:
Rate limiting may work - but the rate may be just slightly too slow for your
setting - manually doing it is a good
Sometimes we are attacked from a farm of machines so it may have to be an ip
range that is the issue
-Original Message-
From: James Smith
Sent: 12 January 2021 10:19
To: 'users@httpd.apache.org'
Subject: RE: [users@httpd] Apache in under attack. [EXT]
Yes - it is something we need
n it automatically blocked.
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith
> wrote:
>
> Jason,
>
> I would also query why your processes are ~ 1G resident that seems quite large
> for apache.
GMT+3:30, James Smith
wrote:
Can't see anything that should blow up like that to be honest - I usually use
ubuntu - which configures apache in a much, much nicer way {generally for web
development stuff it is a better flavour of linux}
What is the output of:
apache2 -t -D DUMP_MODULES
, but "Firewalld" or "iptables" can't do it automatically? When an IP
is sending many requests then it is automatically blocked.
On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith
wrote:
Jason,
I would also query why your processes are ~ 1G resident that seems qui
Can't see anything that should blow up like that to be honest - I usually use
ubuntu - which configures apache in a much, much nicer way {generally for web
development stuff it is a better flavour of linux}
What is the output of:
apache2 -t -D DUMP_MODULES
to see what modules you have
of small static request (images/css/js) where you run two
web servers - one serving static content and proxying back to dynamic content.
James
-Original Message-
From: James Smith
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT
Put a firewall rule in to block whatever that first IP address is then.
Something like:
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source
address='X.X.X.X' reject"
If you are seeing a current attack then you can tweak Charles' command line to:
tail -1 access.log | awk
Why do you want to rate limit the upload speed to your server - slow upload
speeds tend to be the thing that causes Apache issues rather than the other way
round.
If it is because your server is on a narrow pipe and you are worried about
being swamped by one connection - then rate limiting
To be honest from a security point of view - you shouldn't be doing this - if
the client can't talk to your server you need to look for a new client?
Assuming from what you say this is just a monitoring tool.
We have switched off TLS v1.0 and v1.1 as all the browsers which we consider
secure
It's not clear why you would need to serve that many "concurrent" connections,
a bit more information would be required.
* What is your dynamic content being generated by, is it running inside
apache, or is it running on its own "server" and being proxied by Apache?
* Is content mainly
more extra tips/directions to tune
the enterprise network,
if not, it is all okay for now.
Thank you very much for your help.
Thanks and regards
Eric
On Thu, Oct 29, 2020 at 12:03 PM James Smith wrote:
Is your test over a local network or over the in
Is your test over a local network or over the internet. If the latter there is
little you can do.
HTTP upload was never really designed for large files like this. That’s why
more languages/frameworks put a limit on the size of uploads. And these are
usually in the 5-10M size.
There are much
@httpd] Forwarding IP to HTTPS. [EXT]
James,
Unless the user has many hosts, I would recommend against using mod_rewrite
here. It isn't needed. And your vhost should include an explicit ServerName
directive.
On 12/10/20 11:56 AM, James Smith wrote:
> So I would do this for the virtual h
create conflicts or ambiguities.
On 12/10/20 11:22 AM, James Smith wrote:
> This would be my set-up in your case - note as someone said it was too
> complex I've removed the extra security bits I'd left in by accident...
>
> ## Port 80 && 443 default configs...
>
n 12/10/20 11:22 AM, James Smith wrote:
> This would be my set-up in your case - note as someone said it was too
> complex I've removed the extra security bits I'd left in by accident...
>
> ## Port 80 && 443 default configs...
> RequestHeader unset X-is-ssl
This would be my set-up in your case - note as someone said it was too complex
I've removed the extra security bits I'd left in by accident...
## Port 80 && 443 default configs...
RequestHeader unset X-is-ssl
RewriteEngine on
RewriteRule ^(.*)$
Yes - with Apache you put a default virtual host which redirects all traffic to
your https server
RequestHeader unset X-is-ssl
Require all denied
Require all granted
ProxyPreserveHost on
RewriteEngine on
RewriteRule ^(.*)$
There are two sorts of compression - TLS and HTTP.
It is recommended not to compress the TLS traffic (as CRIME can then be used to
guess cookies etc) - compresses the whole response.
But compressing HTTP traffic is OK - unless there is some secret stored in the
body of the HTML page {it only
This has nothing to do with keepalivetimeout – that is to do with keeping a
connection open to send subsequent requests without re-negotiating the
connection.
It is TimeOut which is the gap between sending packets of the response.
If your response is taking more than 1 minute to generate then
It’s probably the size of your SQLite database – so I would look at reducing
the size of that.
Still unclear what you are doing to know what the delay is – perhaps some
sample code would be useful for us to look at – so we know what you parse &
store; and also what you display if you display
Definitely SQLite will be a bottleneck in this system – not great for writing
to – either Pg or MySQL would almost certainly be a better solution for repeated
writing to.
You could get some simple gains by splitting the database up so that there is a
database per site rather than a database
Iframes have their use – but usually to include content from another site
(e.g. Google Maps, YouTube etc) – or to embed dynamic content that either
needs to be dynamically updated and can’t do this with AJAX or you are
struggling with CSS clashes as the iframe is a different document. Not
There are a number of things you can do:
1) Why are you doing what you are doing - i.e. why are you updating what is
displayed to the user
2) Others have suggested using AJAX, another thing you can look at here is what
and how you are retrieving the data.
You can look at using a cleanup
ason Long
Sent: 06 September 2020 12:22
To: users@httpd.apache.org; James Smith
Subject: Re: [users@httpd] Some questions about configuration Apache from a
beginner. [EXT]
Thank you for your help.
Is the content of "/etc/hosts" and "/etc/hostname" files important for get
HTTPS ce
The first one doesn’t matter – but to be honest you shouldn’t do it – you
should create two configurations – one for the www.domain and one for domain.
Choose one as canonical (the one you really want users to see) and put the real
configuration here.
Under the other domain – you include a
Not sure what Nextcloud is - but this is often common amongst "black-box" web
apps that bootstrap themselves, and handle upgrades from the UI interface.
The webserver has to be able to re-write its own files for the upgrades.
Scary and against all "normal" secure procedures if you manage
You will need to read up the difference between the 2.2 and 2.4 apache
documents [there are some upgrade docs] - just copying the configuration over
will not work...
e.g. LockFile -> Mutex;
Order allow,deny / Deny from all -> Require all denied
Order allow,deny / Allow from all -> Require all
And also remember to add the HSTS headers
Header always set Strict-Transport-Security "max-age=63072000;
includeSubDomains; preload"
{only put includeSubDomains & preload if you can} this stops the client sending
further HTTP requests but only HTTPS {most web servers}
This can stop the plain
Do you see anything different between the users that work and the users
that don't.. Do they use a different browser (useragent) or HTTP protocol?
On 18/03/2020 12:40, "Jürgen Göres" wrote:
Hi all,
we are currently observing a really bizarre problem on a customer system.
Our software runs a
Do you embed external resources (like fonts) in these? These don't tend to have
the same headers set... I get this with one of my static sites - I have
13 requests and three are for google fonts (nunito-sans) and these don't
have decent headers set!
On 18/02/2020 19:00, edflecko . wrote:
I mention
mod_proxy is the standard approach here..
Set up a second vhost on 192.168.0.1 and get that to proxy back to
192.168.0.2
You will need to specify a small folder as doc root - basically to serve
error pages! - our error directory has static pages for each error
message we want to handle +
Looks like you are using php5_module with a PHP7 so file - you should be
using:
LoadModule php7_module /libphp7.0.so
On 01/06/2017 20:26, Roparzh Hemon wrote:
I am not on Apple here, and you don't say whether you are using php-fpm or
not, but assuming that you are, check the start up
You really only have one option at the moment and that is to pay for a
wildcard certificate which will do this {Let's Encrypt doesn't allow you
yet}
It will probably set you back something like $100 a year
o/w you will need to set your redirects up from xxx. to https://
individually
Is there an error.log in the same directory? This is usually in the same
directory; this should contain some information about why the system failed.
On 03/05/2017 07:41, John Covici wrote:
Hi. I am having major problems figuring out a 500 response code I am
getting on my hserver.
I am
As I only run HTTPS - I have the following on port 80 - (this can't be
done with redirect)
...
...
...
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI}
[R=permanent,L,NE]
So I only have one
Debian 8 (Jessie?) Apache version is 2.4.10 which would suggest your
error is in the Order Allow, Deny area..
Should just be:
Require all granted
see:
https://httpd.apache.org/docs/2.4/upgrading.html
On 2017-01-19 04:34 PM, David Miranda Aragón wrote:
Good morning.
I am looking for help on
At work all our software is open source - but we have to include a
copyright notice in all source files where possible - as we then
distribute the content under LGPL. The logic is that if we didn't claim
copyright on the contents of the source - someone else might claim it
and make it closed
Before you get into trying to resolve issues with load there are a few
things to consider:
Your "model" of traffic is probably wrong...
* Have you seen this traffic shape.. if a user requests a page - it
will probably be a few milliseconds before the browser requests the
first static
Why are you attaching after the last meta tag - wouldn't it be easier
just before the tag or just after the tag - you should
have no other js in the header - except possibly an HTML 5 shim...
On 23/11/2016 08:08, Mayuresh wrote:
Any suggestions?
On Nov 22, 2016 11:32 AM, "Mayuresh"
Never used mod_substitute - but the standard PCRE way is s/(.*)>/$1/mxs - the .* will capture greedily - so captures all but last
meta...
On 22/11/2016 16:50, Mayuresh wrote:
Hi,
How can I check for the last occurrence of a string in the response
html and only replace the last
Things you can do are trying to track down if there is any pattern - are
these first request on a child, "nth" request on child etc... we add
additional variables to access logs which include things such as
PID/request no in PID, memory usage before and after etc. This allows us
sometimes to
On 9/6/2016 3:55 PM, Christopher Schultz wrote:
James,
On 9/4/16 5:16 AM, Dr James Smith wrote:
You don't give enough information about the setup to solve any of
your problems really.
Are the apache/tomcat/cms on the same box or different
We
You don't give enough information about the setup to solve any of your
problems really.
Are the apache/tomcat/cms on the same box or different
We have seen big problems with mod_jk when there are firewalls involved
(so much so we don't use it any more but use mod_proxy instead) -
connections
g 17, 2016 at 2:50 PM, Dr James Smith wrote:
Depends on your backends - nginx is good if it is serving
primarily static files and or proxying back to quick responding
backends. It seems to be less well suited to slower/heavie
Depends on your backends - nginx is good if it is serving primarily
static files and or proxying back to quick responding backends. It seems
to be less well suited to slower/heavier backends. Apache always seems
to work - slower mind you - but always seems to work... So if
reliability is your
(Simple) You can use sticky sessions
(Better) Or re-write your code to use a shared memory layer such as
memcached...
On 7/27/2016 9:58 AM, kaushalender shekhawat wrote:
HI All,
Please forgive me if this sounds very dumb, as I am a very new beginner
to apache load balancer, Following is the
I use something similar - you should really be applying this in one of
the AAA level of handlers (I use mod_perl rather than C handlers) but
there are various places you can hook into the process
Usually (and slightly naughtily) I add this to the access handler within
mod_perl {it does the
I use:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
as the setting for ciphers - this gets an A+ rating on the qualys SSL
labs scoring
Is the response the same as the response for / - that's all I can assume...?
On 09/07/2016 14:00, Jonesy wrote:
On Fri, 8 Jul 2016 15:51:27 -0700, Red-Tail Books wrote:
How are you connecting between the web-proxies and web-logic application
servers?
Having a firewall in place can be an issue - the firewall may drop idle
connections silently (we see this with oracle, mod_jk/ajp/memcache and
in some instances cached mysql connections; unfortunately neither
Setting up apache server-status module is always a good idea - as you
can (try) and see the information about load/requests etc.
wp-cron.php is a wrapper script around a whole system of potentially
complex functions which maintain the database (garbage collect etc) it
depends on what modules
Agree with Michael,
My start/stop scripts all now do a configtest before trying to
stop/start apache - this way I never have no service if something goes
wrong!
I do have a forcestop which will stop an apache if the config is wrong -
as a last resort!
James
On 01/05/2016 14:27, Michael
On 10/04/2016 15:31, Roland Szűcs wrote:
Hi folks,
I use Apache 2.4 and I installed a Glassfish application server behind
it. I use mod_jk module as the dynamic content has to be handled by
Glassfish and my static content (wordpress blog) is handled by Apache.
My test domain is:
On 3/21/2016 4:07 PM, Michael A. Peters wrote:
On 03/21/2016 08:51 AM, ismail berrada wrote:
Hi
Can someone tell me when Apache 2.2 EOL will occurs ?
Regards
I can't find anything official but 1.3 went EOL in 2010 and 2.0 went
EOL in 2013.
Not enough data points to say there's a
Apache will have already started... try -k restart or -k stop followed
by -k start
On 19/03/2016 07:21, Roparzh Hemon wrote:
Hello all, I get the following error message when I try to launch the
Apache server :
$ sudo ./bin/apachectl -k start
Password:
(48)Address already in use: AH00072:
Can you not just go into debug mode -X?
On 19/02/2016 12:52, Aurélien Terrestris wrote:
Richard, is this a config that you tried successfully ? On my server,
"prefork MPM" will put requests in the backlog (waiting), and "event
MPM" is not designed for such behaviours because of its
You need to set up one webserver on the fixed IP as a proxy. (Look up
docs for mod_proxy) and set up appropriate rules to proxy through to
your back-end servers...
On 27/12/2015 18:28, Jim Paniagua wrote:
I dont even know how VM's work .. sorry no help
On Fri, Dec 25, 2015 at 7:11 AM,
Have you looked at installing apache server status code so you can see
what the last request is on each of these hung threads...
Alternatively if you have something like mod_perl installed one thing
that you can do is add a handler to warn the PID/request to the error
logs at the start and
From Apache point of view...
* Don't use .htaccess files... put everything in httpd.conf (or
equivalent) there is a huge file system performance hit {Apache has
to look for .htaccess files in the directory and any parent directories}
include AllowOverride None in httpd.conf
* Remove
when most users were on 28K/33.6K modems
(or slower) and the transfer of data was the slow part of the equation!
James
On 09/06/2015 13:27, Frederik Nosi wrote:
Hi James,
On 06/09/2015 10:24 AM, James Smith wrote:
From Apache point of view...
* Don't use .htaccess files... put everything
It's not the etag calc it's actually the round tripping to the server
that is the main overhead - better to get the client to cache content...
Apache will still have to touch the file system to see if the content
has changed (however it is done) and on some filesystems just
locating the file
, Frederik Nosi wrote:
Hi James,
On 06/09/2015 02:36 PM, James Smith wrote:
Yes - it is the request overhead - the client will still make the
request at which point the server has got to decide has it changed
before even - which for most static requests is the heaviest
(slowest) part before returning
You are probably hitting child spin up issues...
Out of the box apache uses a process per apache child... There is an
overhead/delay when a child is initially spun up,
and that is what you are possibly seeing...
nginx works a different way - and can cope with a moderate number of
light
Dan,
The #! line has to be the first line - so it's being ignored... remove
the ##! line at the start and see what happens.
James
On 19/04/2015 18:28, Dan Östberg wrote:
Dear Jeff:-) As you can see from the enclosed files I've changed the
ScriptInterpreterSource.
Are there any updates of
On 17/04/2015 09:15, Bremser, Kurt (AMOS Austria GmbH) wrote:
Tomcat uses several ports. One of these is a standard HTML port that
can be usefully accessed with a browser. Since tomcat itself listens
on this port, DO NOT USE it in httpd!
If you want to serve tomcat content via your
On 17/03/2015 07:59, Alfredo De Luca wrote:
Hi all.
Any clue on this?
On 15/03/2015 9:30 PM, Alfredo De Luca wrote:
Hi all.
I've never done this before so I am asking best practice/info/docs of
how to have 2 apache web
Wrong header...
RequestHeader unset Accept-Encoding
is the way to stop the backend compressing the request...
On 09/03/2015 14:57, dennis.luna...@t-systems.com wrote:
Hi,
I have some problems using mod_deflate to decompress requests.
I am using an Apache 2.4 as a reverse proxy on Red Hat
On 27/12/2014 13:21, georg chambert wrote:
Hi, have for a bit of time had trouble with my server PC running
Fedora Os and Apache.
After some time it goes into non-communicatable mode, does not take
any input whatsoever,
hard shutdown is only way to get out. It can be 24hours and it can be
Message -
*From:* Dr James Smith
*To:* users@httpd.apache.org
*Sent:* Saturday, December 27, 2014 3:49 PM
*Subject:* Re: [users@httpd] Apache make fedora go into corner
On 27/12/2014 13:21, georg chambert wrote:
Hi
I have just upgraded from apache 2.2 to apache 2.4 - running apache2 as (me)
a non-privileged user... as part of a development server
When I start apache I get the following errors (to screen)..
mkdir: cannot create directory '/var/run/apache2': Permission denied
chown: changing ownership