to 111.10.250.188.
If you want to prevent the client from connecting, instead of
restricting what the client is allowed to request after it connects, use
a firewall.
--
Mark Montague
m...@catseye.org
are all equivalent:
/usr/private
/usr//private
/usr/private/
/usr/private/
For more reading, see
http://teaching.idallen.com/cst8207/12f/notes/160_pathnames.html
--
Mark Montague
m...@catseye.org
https://httpd.apache.org/docs/2.4/programs/htcacheclean.html
If this doesn't meet your need, you might want to look into writing your
own module to do exactly what you need for your experiment.
--
Mark Montague
m...@catseye.org
/
--
Mark Montague
m...@catseye.org
server.
--
Mark Montague
m...@catseye.org
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
web browser
and check in your web server access log to find out what, specifically,
is being requested over HTTP.
--
Mark Montague
m...@catseye.org
directives that you already have
/VirtualHost
--
Mark Montague
m...@catseye.org
HTTPS instead. To find out what content on your page is
being served to you via HTTPS, see
http://stackoverflow.com/questions/2632983/any-tool-available-to-detect-whats-not-https-on-an-encrypted-page
--
Mark Montague
m...@catseye.org
.
--
Mark Montague
m...@catseye.org
#errorlog )
Or you may find it easiest to upgrade to Apache HTTP Server 2.4.
--
Mark Montague
m...@catseye.org
%{SSL:HTTP_SSL_CLIENT_S_DN_CN} (.+)
RewriteRule ^.*$ - [E=REMOTE_USER:$1]
Tried some variations, but it does not :-(
Could someone help me out with this?
Remove those mod_rewrite directives. Instead, use
SSLUserName SSL_CLIENT_S_DN_CN
See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslusername
--
Mark
On November 5, 2012 10:24 , Martin Drescher dresc...@snafu.de wrote:
On 05/11/12 14:35, Mark Montague wrote:
On November 5, 2012 6:32 , Martin Drescher dresc...@snafu.de
wrote:
I would like to set the REMOTE_USER environment to the value of
%{HTTP_SSL_CLIENT_S_DN_CN}.
SSLUserName
mod_ssl with OpenSSL but use whatever
software you want to use for managing your certificates.
--
Mark Montague
m...@catseye.org
to clients.
--
Mark Montague
m...@catseye.org
else other than
the user apache home directory, the -i option to ssh will allow you
to do this. See the ssh manual page for more information.
--
Mark Montague
m...@catseye.org
connections, and renegotiation should never be triggered.
--
Mark Montague
m...@catseye.org
the regular expression you are
using to see if you have an error in it. If you post the relevant
configuration directives here, list members can have a look at them. Be
sure to include which version of Apache HTTP Server you are using.
--
Mark Montague
m...@catseye.org
this worked just fine with Firefox 15 under MacOS X, so I
don't think this is the only source of your problem with Safari client
certificates).
Sorry I don't have any better advice.
--
Mark Montague
m...@catseye.org
.
--
Mark Montague
m...@catseye.org
hope this helps.
--
Mark Montague
m...@catseye.org
On October 1, 2012 5:41 , Tom Browder tom.brow...@gmail.com wrote:
On Sun, Sep 30, 2012 at 7:44 PM, Mark Montague m...@catseye.org wrote:
On September 30, 2012 19:45 , Tom Browder tom.brow...@gmail.com wrote:
Does anyone have a pointer to help on restricting a directory to
access only
Location), the directives inside the Directory stanza, and then
the URL that, when a client requests it, results in access being granted
despite the client not presenting a certificate.
--
Mark Montague
m...@catseye.org
On October 1, 2012 14:58 , Tom Browder tom.brow...@gmail.com wrote:
On Mon, Oct 1, 2012 at 10:53 AM, Mark Montague m...@catseye.org wrote:
On October 1, 2012 9:17 , Tom Browder tom.brow...@gmail.com wrote:
Inside the restricted area I have:
SSLVerifyClient require
I have found
documentation contains examples of
serving CGIs from underneath DocumentRoot and also user home
directories: https://httpd.apache.org/docs/2.4/howto/cgi.html
--
Mark Montague
m...@catseye.org
user that CGIs run as.
--
Mark Montague
m...@catseye.org
should
apply only to proxied requests). Or you can put most directives directly
into the server config context or a virtual host context, in order to
have the directives apply to all requests. For more information, see
https://httpd.apache.org/docs/2.4/sections.html
--
Mark Montague
m
, as it does now.
--
Mark Montague
m...@catseye.org
that is missing is missing
from PHP, not from Apache HTTP Server. But there are workarounds that
you can do in Apache HTTP Server, such as the mod_rewrite based
workaround that I discuss above.
--
Mark Montague
m...@catseye.org
currently does both
with cgi.fix_pathinfo=1 and cgi.fix_pathinfo=0 and replaces it all with
what I personally believe PHP should do according to RFC 3875 with no
regard for any sort of backward compatibility. Feedback is welcome.
--
Mark Montague
m...@catseye.org
diff -up php-5.4.6/sapi/fpm
running, under which
version of which distribution of which OS?
- Is there anything special about how you have either Apache HTTP Server
or your operating system configured?
--
Mark Montague
m...@catseye.org
the identity of the
authenticated user into the REMOTE_USER environment variable, which can
be accessed in your PHP script with the code $_SERVER['REMOTE_USER']
--
Mark Montague
m...@catseye.org
subject=/C=US/ST=Michigan/O=catseye dot org/CN=Mark
Montague/emailAddress=m...@catseye.org/UID=markmont
...and when I authenticate to my web server using this certificate, I
have httpd configured to populate the REMOTE_USER environment variable
using the UID attribute of the validated certificate
message you are getting.
--
Mark Montague
m...@catseye.org
obsolete and unsupported for many years. You should upgrade to 2.4.3 or
2.2.22.
--
Mark Montague
m...@catseye.org
block instead.
--
Mark Montague
m...@catseye.org
as which you are running httpd have permission to read
the HTML file in the filesystem?
- What version of Apache HTTP Server are you running?
- What operating system (including version) are you running?
- How did you install httpd?
- How did you configure httpd?
--
Mark Montague
m
virtual
host. But since the default virtual host will not be serving any
content -- its only purpose is to catch and deny proxy abuse -- this
doesn't matter.
--
Mark Montague
m...@catseye.org
/ProxyAbuse
If you look at the page above and determine that what you are seeing in
your logs is not what the page above is talking about, please send the
mailing list just a couple representative log lines so we can see what
you're describing.
--
Mark Montague
m...@catseye.org
the configuration that you had
in your original message to redirect all HTTP requests to HTTPS.
--
Mark Montague
m...@catseye.org
OS distribution can help you set up and configure things properly.
--
Mark Montague
m...@catseye.org
for users who don't know to type "https://" in
their browser location bars as a part of all URLs for your site.
--
Mark Montague
m...@catseye.org
to sites (in addition to using web searches,
links, and bookmarks). Based on this observation, I'd weigh security
with user friendliness and choose to set up HTTP-to-HTTPS redirects for
either just / or for all URL paths for all but the most
security-critical sites.
--
Mark Montague
m
hope this helps.
--
Mark Montague
m...@catseye.org
sure that OpenSSL and Apache HTTP
Server are both compiled using the same compiler.
--
Mark Montague
m...@catseye.org
httpd is no problem.
--
Mark Montague
m...@catseye.org
., Fedora 17), including
version and platform-specific details (e.g., x86_64).
Good luck. I hope this helps!
--
Mark Montague
m...@catseye.org
working, which you can reload as many times as needed.
--
Mark Montague
m...@catseye.org
the new configuration files, and when you
end maintenance stop httpd and start it using your regular configuration
files.
--
Mark Montague
m...@catseye.org
if you want it to apply
to only a single directory):
DirectoryIndex index.php
I hope this helps.
--
Mark Montague
m...@catseye.org
,
but hopefully using _default_ in both VirtualHost stanzas will work for
you; see the documentation for the VirtualHost directive to understand
the difference).
I hope this helps.
--
Mark Montague
m...@catseye.org
to have only one process that handles
everything via threads. In the special case where you are trying to
debug httpd, you can start it with the -X option to limit it to a single
worker in a single process.
--
Mark Montague
m...@catseye.org
/envvars and/or apachectl to fix
LD_LIBRARY_PATH, if it is in fact being handled insecurely on your
system (it appeared to be fine on the two older systems where I checked
for this vulnerability).
--
Mark Montague
m...@catseye.org
as which httpd runs, or set the ACLs appropriately (if you are
using ACLs), and/or set the permission bits properly (if you're running
httpd under a Unix-like OS).
--
Mark Montague
m...@catseye.org
|jpg|jpeg|bmp|txt|pdf)$
http://www.example.com/somepage.html [F,NC]
--
Mark Montague
m...@catseye.org
happens when you try?
--
Mark Montague
m...@catseye.org
, as it can be tricky --
or inappropriate -- to correctly set up caching for dynamically
generated content.
Instead of caching web service calls, you may want to analyze how Tomcat
is spending its time and see if the code of your web application can be
made more efficient.
--
Mark Montague
m
, and you've installed this
version of mod_php in /opt/mystuff/apache-httpd/libexec/libphp5.so, then
you can load it using the following directive:
LoadModule php5_module /opt/mystuff/apache-httpd/libexec/libphp5.so
I hope this helps.
--
Mark Montague
m...@catseye.org
files that the Red Hat provided
build of httpd uses.
--
Mark Montague
m...@catseye.org
is.
Hopefully other people on this list will have additional, and better,
suggestions of things to check.
--
Mark Montague
m...@catseye.org
certificates. On the other hand,
https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
says that SSLCertificateChainFile specifies the all-in-one file
containing certificates from the server certificate up through and
including the root CA certificate.
--
Mark Montague
mod_security and AppArmor:
both can be used together, and they complement each other to provide
defense in depth.
I hope this helps.
--
Mark Montague
m...@catseye.org
breaks and how/why it breaks them. I do hope to go back and take
another stab at this, but I can't say when it will be, so if anyone else
wants to, please feel free.
--
Mark Montague
m...@catseye.org
.*
--
Mark Montague
m...@catseye.org
you may have heard about are SELinux and Tomoyo.
--
Mark Montague
m...@catseye.org
will be owned by the
user who is authenticated. Does this sound right?
For more information, see https://wiki.apache.org/httpd/PrivilegeSeparation
--
Mark Montague
m...@catseye.org
(which is more detailed than debug) and see if
that provides any additional information as to what is -- or is not --
happening. For example, when debugging PHP-FPM issues, I use:
LogLevel info ssl:notice rewrite:trace8 proxy:trace8 proxy_fcgi:trace8
Good luck! I hope this helps.
--
Mark
cgi-bin/cbws1084.dll is always requesting
it from the same IP address, block that IP address at your network-level
or host-level firewall. This will prevent the requests from getting to
Apache HTTP Server and from getting logged.
--
Mark Montague
m...@catseye.org
different approaches. Some programs to look into include Splunk,
logwatch, swatch, AWstats, Analog, and Webalizer. Do a google search on
log file analyzer or log file filter, or describe what you want to
do on this mailing list and ask for advice.
--
Mark Montague
m...@catseye.org
into the topic in detail and
discusses the difficulties and various potential solutions:
https://wiki.apache.org/httpd/PrivilegeSeparation
--
Mark Montague
m...@catseye.org
of trust, but I'm keeping things
simple for the purposes of this discussion).
I hope this helps.
--
Mark Montague
m...@catseye.org
source automated and heuristic web vulnerability
scanner ?
I don't know, hopefully someone else can answer this.
--
Mark Montague
m...@catseye.org
?
No, what I've been using is very similar:
RewriteRule ^/?(.*\.php)$ fcgi://127.0.0.1:9003/www/wp3/wordpress/$1 [P,L]
--
Mark Montague
m...@catseye.org
running an old version of PHP that I've
patched to solve my specific problems, though. Try the examples I give
above and if you still have errors, ask about the problem again -- I
might be able to update to the newest versions and then give you some
better advice.
--
Mark Montague
m
said is intended for the 2.2 series, apologies for not making
that clear in my original response to this and the other PHP-FPM
thread. I sort of assumed that the two PHP-FPM threads were occasioned
by people trying out 2.4.1, this was a bad assumption on my part.
--
Mark Montague
m
balancing to provide scalability and fault
tolerance across a pool of PHP-FPM servers all running the same web
applications.
So for this reason I have not tried using a Unix socket.
--
Mark Montague
m...@catseye.org
curious.
--
Mark Montague
m...@catseye.org
-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr
yourself and you patched the source to fix CVE-2011-3368 thus creating
the vulnerability described in CVE-2011-4317 but you did not apply the
patch to fix CVE-2011-4317 for some reason, despite applying other fixes.
--
Mark Montague
m...@catseye.org
in an external daemon (e.g.,
FastCGI).
--
Mark Montague
m...@catseye.org
us what problem you are trying to solve or why you are asking the
question? Knowing this might help us help you better.
--
Mark Montague
m...@catseye.org
privileges to read the IO
pins (and *only* those privileges) to the www-data user, if possible.
--
Mark Montague
m...@catseye.org
On January 26, 2012 13:51 , Doug McNutt dougl...@macnauchtan.com wrote:
At 09:56 -0500 1/26/12, Mark Montague wrote, and I snipped a bunch:
On January 26, 2012 2:50 , Tarzan
Jane lapierr...@hotmail.com wrote:
Concerning the security I believe when using binary
for it? then the
answer is no. In fact, Fedora 8 itself is no longer supported by the
Fedora Project: Fedora 8 reached its end of life on January 7th, 2009.
If you want to run a version of Fedora that is supported by the Fedora
Project then you should use Fedora 16.
--
Mark Montague
m...@catseye.org
binaries to be root and
turn on the set-uid bit. This way, when the CGI binaries are run they
will be run as root. https://en.wikipedia.org/wiki/Setuid Since
you've already said that you're aware of the security issues, I won't
repeat any dire warnings here.
--
Mark Montague
m
them from the database instead of from the filesystem.
--
Mark Montague
m...@catseye.org
, the time between
requests, request pipelining, and how long a connection is held open by
the client after the last request on it.
--
Mark Montague
m...@catseye.org
cross-site scripting, see
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
I hope this helps.
--
Mark Montague
m...@catseye.org
configurations or just by hosting all my
static contents in a new domain it can be achieved...
To be cookie-free, do not use any code on your web site that sets
cookies. This is the default, especially when you are serving static
content.
--
Mark Montague
m...@catseye.org
thread safety issues. The worker MPM for
Apache HTTP Server is threaded. This can create problems and
instability. See
http://www.php.net/manual/en/faq.installation.php#faq.installation.apache2
If you want to use PHP, either use the prefork MPM or FastCGI.
--
Mark Montague
m...@catseye.org
the log file in your
web server error log file?
--
Mark Montague
m...@catseye.org
need to have a |RewriteEngine on| directive for each virtual
host in which you wish to use rewrite rules.
--
Mark Montague
m...@catseye.org
or other
context within the virtual host context.
--
Mark Montague
m...@catseye.org
need to
switch to a httpd binary that provides the worker MPM and then change
the worker MPM directives in your configuration files back to the
prefork MPM configuration directives that you had before upgrading.
--
Mark Montague
m...@catseye.org
:
https://issues.apache.org/bugzilla/show_bug.cgi?id=50945
--
Mark Montague
m...@catseye.org
.
--
Mark Montague
m...@catseye.org
this, I don't
know if it will work)
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}/index.php !-f
RewriteRule ^. - [F]
--
Mark Montague
m...@catseye.org
linking. (I'm
using version 1.7.0 beta with the jumbo patch).
http://cronolog.org/
--
Mark Montague
m...@catseye.org
seems to generate a big spike in CPU usage? When what goes live?
--
Mark Montague
m...@catseye.org
mod_rewrite as a cause of the problem you're seeing.
--
Mark Montague
m...@catseye.org
since 2.3.5-beta and have been happy with
it; 2.3.14-beta is the current release.
--
Mark Montague
m...@catseye.org
handoffs to the content management
system (Drupal).
Have you considered mod_usertrack ?
https://httpd.apache.org/docs/2.2/mod/mod_usertrack.html
--
Mark Montague
m...@catseye.org
1 - 100 of 185 matches