Apache with OpenLDAP/OpenSSL: converting cert7.db to ca.cert (BASE64_FILE), connection to LDAPS not possible
Hello,

I have this problem:

    [Tue Nov 28 16:27:23 2006] [crit] LDAP: Invalid LDAPTrustedCAType directive - BASE64_FILE type required
    [Tue Nov 28 16:27:23 2006] [warn] LDAP: SSL initialization failed

The mod_ldap built with OpenLDAP can only handle ca.cert (BASE64-encoded). Who knows how to convert the cert7.db (Netscape) into a BASE64-encoded certificate? That should be possible with the OpenSSL tools.

Thomas Vogel

-- Apache HTTP Server Mailing List users-de; unsubscribe requests to [EMAIL PROTECTED]; other requests to [EMAIL PROTECTED] --
Re: Apache with OpenLDAP/OpenSSL: converting cert7.db to ca.cert (BASE64_FILE), connection to LDAPS not possible
On Tue, Nov 28, 2006 at 04:48:19PM +0100, Vogel, Thomas (BOT) wrote:

> Who knows how to convert the cert7.db (Netscape) into a BASE64-encoded certificate?

openssl x509 -inform DER -outform PEM

Rainer
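Rainer's one-liner filled out, as an added example that is not part of the thread: it converts a DER certificate to PEM and checks that the fingerprint is unchanged. It assumes the CA certificate has already been exported from cert7.db as a single DER file (the command reads one certificate, not the database); the sample certificate and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: turn a DER-encoded CA certificate into the PEM (Base64) file
# that an OpenLDAP-linked mod_ldap accepts, and prove nothing changed on the way.

# der_to_pem IN.der OUT.pem
# Succeeds only if OUT.pem carries PEM armor and has the same SHA-256
# fingerprint as IN.der, i.e. it is the same certificate in another encoding.
der_to_pem() {
    in_der=$1
    out_pem=$2
    openssl x509 -inform DER -in "$in_der" -outform PEM -out "$out_pem" || return 1
    head -n 1 "$out_pem" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    fp_der=$(openssl x509 -inform DER -in "$in_der" -noout -fingerprint -sha256) || return 1
    fp_pem=$(openssl x509 -inform PEM -in "$out_pem" -noout -fingerprint -sha256) || return 1
    [ "$fp_der" = "$fp_pem" ]
}

# make_sample_der OUT.der KEYFILE
# Constructed input: a throwaway self-signed certificate, written as DER.
make_sample_der() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Example CA' \
        -keyout "$2" -outform DER -out "$1" 2>/dev/null
}

# demo: build the sample, convert it, clean up; status 0 means the PEM copy verified.
demo() {
    tmp=$(mktemp -d) || return 1
    if make_sample_der "$tmp/ca.der" "$tmp/ca.key" &&
       der_to_pem "$tmp/ca.der" "$tmp/ca.cert"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

if demo; then echo "PEM copy verified"; else echo "conversion failed" >&2; fi
```

The resulting ca.cert is the file to reference with the BASE64_FILE type named in the error message.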
[EMAIL PROTECTED] Virtual Hosts and SSL
Where should I go to learn about configuring Virtual Hosts and SSL in the same apache?

I have virtual hosts working using NameVirtualHost *:80

SSL works for the Virtual Hosts *I* have defined

But in the (default) ssl.conf file installed with apache I find:

    <VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    ... (other, less interesting lines)
    </VirtualHost>

What puzzles me is this: The VirtualHost definition above seems to be working as SSL is finding the Certificate File (otherwise how would SSL work at all?)

How is this VirtualHost definition working in conjunction with NameVirtualHost *:80 ?

--
Steve Swift
http://www.swiftys.org.uk
Re: [EMAIL PROTECTED] Virtual Hosts and SSL
On Tue, Nov 28, 2006 at 09:09:20 +, Steve Swift wrote:

> Where should I go to learn about configuring Virtual Hosts and SSL in the same apache?
>
> I have virtual hosts working using NameVirtualHost *:80
>
> SSL works for the Virtual Hosts *I* have defined
>
> But in the (default) ssl.conf file installed with apache I find:
>
>     <VirtualHost _default_:443>
>     SSLEngine on
>     SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
>     SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>     ... (other, less interesting lines)
>     </VirtualHost>
>
> What puzzles me is this: The VirtualHost definition above seems to be working as SSL is finding the Certificate File (otherwise how would SSL work at all?)
>
> How is this VirtualHost definition working in conjunction with NameVirtualHost *:80 ?

You need a separate IP for each SSL virtualhost, since SSL certificates are exchanged before any HTTP headers (especially the Host: header) are transferred. So my guess is that apache just picks the first SSL certificate applicable for a given IP. In other words, it makes no sense to use NameVirtualHost for SSL / port 443.

I don't think your *:80 stuff makes any difference either way as that should be independent of anything on :443.

- The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Virtual Hosts and SSL
Thank you for that answer. I'm just beginning to use SSL, and at the moment I'm using the self-signed certificate that was installed for my server during the original apache installation. For my testing I'll need to generate additional certificates/Server keys for the Virtual Hosts I define in ssl.conf

On 28/11/06, Frode E. Moe [EMAIL PROTECTED] wrote:

> You need a separate IP for each SSL virtualhost, since SSL certificates are exchanged before any HTTP headers (especially the Host: header) are transferred. So my guess is that apache just picks the first SSL certificate applicable for a given IP. In other words, it makes no sense to use NameVirtualHost for SSL / port 443.
>
> I don't think your *:80 stuff makes any difference either way as that should be independent of anything on :443.

--
Steve Swift
http://www.swiftys.org.uk
RE: [EMAIL PROTECTED] Apache accessible only from localhost on Windows XP
-----Original Message-----
From: Lorenzo Marcon [mailto:[EMAIL PROTECTED]
Sent: Monday, November 27, 2006 5:16 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Apache accessible only from localhost on Windows XP

> ...
> A FW problem wouldn't also explain why rebooting the machine I can gain access to the server even if just for a single time.

This is new information (not in original post) - Are you saying that after a reboot, you get a single response with the first hit but after that a timeout?

Other things to check out:

- try using IP address in browser to eliminate DNS issues
- what is on the homepage? I hope it's a plain HTML page... If it's some clever dynamic content, are you sure it works with an external request? (eg, if it does something clever with the client-IP, like a reverse DNS lookup... you might have problems).
- what browser are you using? Get Firefox with the LiveHTTPheaders extension and look at the request-response headers for more clues.

The point about quadruple-checking the FW is that, for security reasons, a FW usually *drops* disallowed packets (as opposed to refusing the connection). So timeout problems are often due to FWs (if you hear hoof-beats, think horses, not zebras). Are you sure you only have one FW? Check the process table...

> ...
> Listen 80
> As you can see, this is not the problem.

*Now* I can see, since this is the first time you post any config snippets. The point I was making is that you should be clear that if you do not define a Listen, apache listens by default to port 80 on *all* IPs. However, once you define one Listen with an IP, apache listens *only* to that IP.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.
RE: [EMAIL PROTECTED] Failed downloads: Could not get next bucket brigade
-----Original Message-----
From: Todd Hivnor [mailto:[EMAIL PROTECTED]
Sent: Monday, November 27, 2006 11:10 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Failed downloads: Could not get next bucket brigade

> I've got one user who always seems to have problems downloading files from my Apache server. She reports that the download process hangs, often with 1% of the file remaining to download. The server logs have this error:
>
>     (104)Connection reset by peer: Could not get next bucket brigade [500, #0]
>
> I'm running Apache 2.0.51 on Fedora Core 2. Does anyone know how to address this bug ?

Imaginatively...

If it's only one user and can't be reproduced with a standard browser at your end, it looks like a client-side issue (especially with Connection reset by peer - ie the client broke the connection).

- is it size dependent, can she download smaller files?
- how is she connected to internet (eg, ADSL, dial-up?) do they have a size limit?
- does the file contain anything that a virus-scanner on the client might reject? (try replacing the file with plain ascii of same size or ask her to switch off any virus-scanners).

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> - Todd
Re: [EMAIL PROTECTED] Apache accessible only from localhost on Windows XP
> This is new information (not in original post) - Are you saying that after a reboot, you get a single response with the first hit but after that a timeout?

Precisely. I'm experiencing this behaviour not only with Apache. It seems that if I run a generic server program listening for incoming connections I'm able to connect to it only at the first hit.

> Other things to check out:
> - try using IP address in browser to eliminate DNS issues

Already done. No result.

> - what is on the homepage? I hope it's a plain HTML page... If it's some clever dynamic content, are you sure it works with an external request? (eg, if it does something clever with the client-IP, like a reverse DNS lookup... you might have problems).

The page is the default plain HTML apache homepage.

> - what browser are you using? Get Firefox with the LiveHTTPheaders extension and look at the request-response headers for more clues.

I tried Firefox 2, Internet Explorer 7, Opera 9 and Konqueror. I always get the same behaviour. I'm going to get LiveHTTPheaders and let you know if I made some progress. Are you interested in a packet sniffing capture too?

> The point about quadruple-checking the FW is that, for security reasons, a FW usually *drops* disallowed packets (as opposed to refusing the connection). So timeout problems are often due to FWs (if you hear hoof-beats, think horses, not zebras). Are you sure you only have one FW? Check the process table...

Completely sure. Maybe this problem is related to Windows XP inbound connection limit? See http://support.microsoft.com/?scid=kb%3Ben-us%3B314882x=10y=11 for details.

I really appreciate your help. Thank you.
[EMAIL PROTECTED] Where are Apache start|stop logs?
Hi. Using Apache 2.0 on Linux, it doesn't start, and I'd like to find the start|stop logs. I want to browse start logs, not access logs.

Apache is installed at '/usr/local/httpd'

Thank you very much.
Re: [EMAIL PROTECTED] Apache accessible only from localhost on Windows XP
I made a traffic capture on the machine running Apache. You can find it at: http://losko.altervista.org/capture/capture.html

Server ip is: 41.10.215.60. Client ip is: 41.10.215.58

Packets from 3rd to 15th show that the first request is correctly accepted and served. Packets from 16th and on show how next requests don't get any answer.
RE: [EMAIL PROTECTED] Where are Apache start|stop logs?
-----Original Message-----
From: thomas Armstrong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 28, 2006 1:51 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Where are Apache start|stop logs?

> Hi. Using Apache 2.0 on Linux, it doesn't start, and I'd like to find the start|stop logs. I want to browse start logs, not access logs.
>
> Apache is installed at '/usr/local/httpd'

It's in the error log...

> Thank you very much.
Re: [EMAIL PROTECTED] Where are Apache start|stop logs?
Thanks. 2 min and 2 seconds! O_O

On 11/28/06, Boyle Owen [EMAIL PROTECTED] wrote:

> -----Original Message-----
> From: thomas Armstrong [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 28, 2006 1:51 PM
> To: users@httpd.apache.org
> Subject: [EMAIL PROTECTED] Where are Apache start|stop logs?
>
> > Hi. Using Apache 2.0 on Linux, it doesn't start, and I'd like to find the start|stop logs. I want to browse start logs, not access logs.
> >
> > Apache is installed at '/usr/local/httpd'
>
> It's in the error log...
>
> > Thank you very much.
Re: [EMAIL PROTECTED] Virtual Hosts and SSL
On 11/28/06, Steve Swift [EMAIL PROTECTED] wrote:

> What puzzles me is this: The VirtualHost definition above seems to be working as SSL is finding the Certificate File (otherwise how would SSL work at all?)
>
> How is this VirtualHost definition working in conjunction with NameVirtualHost *:80 ?

It has no relation with the NameVirtualHost directive. Notice that NameVirtualHost applies to only the IP-Address:ports matching *:80 -- so it only affects port-80 hosts. The SSL vhost is on port _default_:443, meaning that it catches all IP addresses (not otherwise mapped) on port 443.

Joshua.
[EMAIL PROTECTED] Figuring Out Previously-Used Compile Options?
I have a system running Apache 2.2.0 that wasn't set up by me, and there seems to be no documentation regarding how Apache was installed on the system from the previous admin. Can anyone think of any possible way, based on the running installation on the machine (or based on the makefile that's still in the source directory), to determine what options were passed to the configure script when it was compiled from source?

Regards,
David
[EMAIL PROTECTED] apache 2.2.3 and weblogic
I heard WebLogic does now support Apache 2.2.3. Is there any way to integrate Apache 2.2.3 with WebLogic other than the WebLogic plugin, and if possible, then how to do load balancing?

Regards,
Arun
Re: [EMAIL PROTECTED] Figuring Out Previously-Used Compile Options?
'head config.log' in the source directory

On Tue, 28 Nov 2006, David P. Donahue wrote:

> I have a system running Apache 2.2.0 that wasn't set up by me, and there seems to be no documentation regarding how Apache was installed on the system from the previous admin. Can anyone think of any possible way, based on the running installation on the machine (or based on the makefile that's still in the source directory), to determine what options were passed to the configure script when it was compiled from source?
>
> Regards,
> David

--
Craig Dunigan
IS Technical Services Specialist
Middleware - EIS - DoIT
University of Wisconsin, Madison
opinions expressed are my own, not the University's
[EMAIL PROTECTED] Using HttpClient with Web Start - Security Error or Source not found Error ?
Hi All,

I am trying to run a client application over webstart, where the application uses HttpClient to get data from the server where it was downloaded. But the access attempt results in the following errors below.

Note: HttpClient2 is my main class. The jar file runs locally. Only fails when downloaded from the server with Web Start.

    java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at com.sun.javaws.Launcher.executeApplication(Unknown Source)
        at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
        at com.sun.javaws.Launcher.continueLaunch(Unknown Source)
        at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
        at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
        at com.sun.javaws.Launcher.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
    Caused by: java.lang.ExceptionInInitializerError
        at org.apache.commons.httpclient.HttpClient.<clinit>(Unknown Source)
        at test.HttpClient2.<init>(HttpClient2.java:25)
        at test.HttpClient2.main(HttpClient2.java:17)
        ... 11 more
    Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission org.apache.commons.logging.LogFactory.HashtableImpl read)
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
        at java.lang.System.getProperty(Unknown Source)
        at org.apache.commons.logging.LogFactory.createFactoryStore(LogFactory.java:320)
        at org.apache.commons.logging.LogFactory.<clinit>(LogFactory.java:1725)
        ... 14 more

Q1. Are these security errors or 'Unknown Source' errors? I have a jar file created with Jar-Fat from eclipse. The jar can be started locally with 'java -jar Http2.jar' so it must contain all its own source code. I also tested a home-made jar to be included inside my main jar and that was found. So I am thinking it is a security problem..

Q1. The jar file is unsigned but according to Web-Start white paper from Sun the jarfile should be allowed to "Use the network to access the host from which the application was downloaded", which I am trying to do. Also, the error occurs even when I only create an instance of HttpClient ( new HttpClient() ) without making any connections to the server. Is this normal for HttpClient constructor to generate such an error? This leads me back to thinking the source is not found.

I am hoping to be able to keep the application unsigned although my next step would be to try that and see what happens.

I have tried google and google-groups plus made many different tests. But I am coming up blank at the moment so any pointers or help would be much appreciated.

Thanks for any help in advance.

Alan
Re: [EMAIL PROTECTED] Figuring Out Previously-Used Compile Options?
> 'head config.log' in the source directory

Interesting. If that line I'm seeing is what I think it is, then it was just ./configure with no parameters. The same seems true of the MySQL compilation as well. I would have thought there'd be something passed, but maybe it was just default everything. But PHP's config.log doesn't have that line... I guess I'll ask them what they'd recommend. Thanks!

Regards,
David
Re: [EMAIL PROTECTED] Virtual Hosts and SSL
You only need a separate IP for every virtual host if you are not using a wildcard certificate. Wildcard certs cost a little more, but they are good for all hosts within a particular domain. Then, you can run all of your vhosts on port 443 with the same IP, and the cert will work for all of the vhosts.

Also, if you choose to go with a non-wildcard cert, you can actually run several virtual hosts on the same IP, using different certs for each vhost, but then you are forced to run SSL over a non-standard port. At that point, you need to tell Apache to listen on that port, and configure each of your virtual hosts to listen on both port 80 and whatever port you assign it for SSL transactions. SSL binds to a particular socket, so it's a combination of IP + port number that is unique. And, it's always necessary to have a separate and complete set of configuration directives for each port that a vhost runs under.

Rob

Frode E. Moe wrote:

> On Tue, Nov 28, 2006 at 09:09:20 +, Steve Swift wrote:
>
> > Where should I go to learn about configuring Virtual Hosts and SSL in the same apache?
> >
> > I have virtual hosts working using NameVirtualHost *:80
> >
> > SSL works for the Virtual Hosts *I* have defined
> >
> > But in the (default) ssl.conf file installed with apache I find:
> >
> >     <VirtualHost _default_:443>
> >     SSLEngine on
> >     SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
> >     SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> >     ... (other, less interesting lines)
> >     </VirtualHost>
> >
> > What puzzles me is this: The VirtualHost definition above seems to be working as SSL is finding the Certificate File (otherwise how would SSL work at all?)
> >
> > How is this VirtualHost definition working in conjunction with NameVirtualHost *:80 ?
>
> You need a separate IP for each SSL virtualhost, since SSL certificates are exchanged before any HTTP headers (especially the Host: header) are transferred. So my guess is that apache just picks the first SSL certificate applicable for a given IP. In other words, it makes no sense to use NameVirtualHost for SSL / port 443.
>
> I don't think your *:80 stuff makes any difference either way as that should be independent of anything on :443.

--
Robert Fox
Systems Administrator
University Libraries of Notre Dame
211 Hesburgh Library
Notre Dame, IN 46556
Phone: (574)631-3353
Email: [EMAIL PROTECTED]
Sufficit tibi gratia mea nam virtus in infirmitate perficitur - 2 Corinthians 12:9
[EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
I am trying to perform the following...

    Browser_client_with_client_certificate--https--apache_with_mod_jk--https--Jetty

Also, the browser client is passing a client certificate that I want Jetty to have access to perform AA.

    Browser version = IE 6
    Apache version = 2.2.3
    Mod_jk version = 1.2.19
    Jetty version = 4.2.9

I CAN get the full round trip working under HTTPS, that is not a problem.

I CAN *** NOT *** get Jetty to have access to the client certificate, Jetty states that it can not find the client certificate.

I am confident that Jetty is configured for AJP (round trip in HTTPS works) and client certificates (when the Browser_client_with_client_certificate hits it directly, it works).

Not sure if it is a config thing on apache/mod_jk or what. Below is my Apache and mod_jk config, any ideas???...

### In my httpd.conf file I have the following...

    # Secure (SSL/TLS) connections
    Include conf/extra/httpd-ssl.conf

    <IfModule !mod_jk.c>
    #LoadModule jk_module modules/mod_jk.so
    LoadModule jk_module modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so
    </IfModule>

    <IfModule mod_jk.c>
    JkWorkersFile conf/worker.properties
    JkLogFile logs/mod_jk.log
    JkLogLevel info
    JkLogStampFormat [%a %b %d %H:%M:%S %Y]
    JkOptions +ForwardKeySize +ForwardURICompat
    JkExtractSSL On
    # What is the indicator for SSL (default is HTTPS)
    JkHTTPSIndicator HTTPS
    # What is the indicator for SSL session (default is SSL_SESSION_ID)
    JkSESSIONIndicator SSL_SESSION_ID
    # What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
    JkCIPHERIndicator SSL_CIPHER
    # What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT)
    JkCERTSIndicator SSL_CLIENT_CERT
    </IfModule>

### In my worker.properties I have...

    worker.list=jetty
    #worker.jetty.port=8009
    worker.jetty.port=5309
    worker.jetty.host=servera
    worker.jetty.type=ajp13
    worker.jetty.lbfactor=1

### In my httpd-ssl.conf I have...

    <VirtualHost _default_:5443>
    #SSLOptions +StdEnvVars +ExportCertData
    JkMount /* jetty
    # General setup for the virtual host
    DocumentRoot /data/dir/dir/tools/web/apache/server/htdocs
    ServerName kftcsu14.ftc.lab:5443
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /data/dir/dir/tools/web/apache/server/logs/error_log
    TransferLog /data/dir/dir/tools/web/apache/server/logs/access_log
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLProxyEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
    SSLCertificateKeyFile /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem
    SSLCACertificateFile /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem
    SSLVerifyClient optional
    </VirtualHost>
Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote:
> ### In my httpd-ssl.conf I have...
>
> <VirtualHost _default_:5443>
> #SSLOptions +StdEnvVars +ExportCertData

Uncomment this.
RE: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
I did uncomment that earlier this morning...

SSLOptions +StdEnvVars +ExportCertData

And it blew up Jetty, nice huh?

Could the way I have my ordering things in httpd.conf and httpd-ssl.conf be throwing something off? Where the httpd-ssl.conf comes first in the httpd.conf, before the actual mod_jk stuff?

Thanks for your responses, I appreciate your help

-----Original Message-----
From: Serge Dubrouski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 28, 2006 10:53 AM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty

> On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote:
> > <VirtualHost _default_:5443>
> > #SSLOptions +StdEnvVars +ExportCertData
>
> Uncomment this.
Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote:
> I did uncomment that earlier this morning...
>
> SSLOptions +StdEnvVars +ExportCertData
>
> And it blew up Jetty, nice huh?

Not nice at all :-) But without that Apache won't put cert data to env and mod_jk won't see it. What is Jetty? And what do you mean by blew it up? Did you get any error messages?

> Could the way I have my ordering things in httpd.conf and httpd-ssl.conf be throwing something off?

I don't think so.

> Where the httpd-ssl.conf comes first in the httpd.conf, before the actual mod_jk stuff?

I'd put mod_jk stuff before mod_ssl stuff. But I don't think that it matters.
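The point made in the reply above (mod_jk only sees the client certificate if mod_ssl exports it into the request environment) can be checked mechanically. The following is an added example, not code from the thread or from the Apache or mod_jk projects: it audits the posted directives, abbreviated, for the conditions under which SSL_CLIENT_CERT reaches the AJP backend. The function names and the reduced config sample are assumptions made for illustration.

```python
import re

# Directives from the original post, abbreviated to the ones that matter here.
POSTED_VHOST = """\
JkExtractSSL On
JkCERTSIndicator SSL_CLIENT_CERT
<VirtualHost _default_:5443>
#SSLOptions +StdEnvVars +ExportCertData
JkMount /* jetty
SSLEngine on
SSLVerifyClient optional
</VirtualHost>
"""
# Same config with the SSLOptions line uncommented, as suggested in the thread.
FIXED_VHOST = POSTED_VHOST.replace("#SSLOptions", "SSLOptions")

# mod_ssl creates these variables only when the named SSLOptions flag is set.
VARS_BY_OPTION = {
    "exportcertdata": {"SSL_CLIENT_CERT", "SSL_SERVER_CERT"},
    "stdenvvars": {"SSL_CIPHER", "SSL_SESSION_ID"},
}


def parse(conf):
    """Return (global directives, list of vhosts); comments and blanks are skipped."""
    global_dirs, vhosts, current = {}, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"name": opened.group(1).strip(), "dirs": {}}
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if line.startswith("<"):  # other containers such as <IfModule>: ignore the tag
            continue
        parts = line.split(None, 1)
        target = current["dirs"] if current is not None else global_dirs
        target.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return global_dirs, vhosts


def ssl_options(values):
    """Apply SSLOptions lines in order: +Opt adds, -Opt removes, a bare Opt resets the set."""
    enabled = set()
    for value in values:
        tokens = value.split()
        if any(t[0] not in "+-" for t in tokens):
            enabled = set()
        for t in tokens:
            name = t.lstrip("+-").lower()
            if t.startswith("-"):
                enabled.discard(name)
            else:
                enabled.add(name)
    return enabled


def audit(conf):
    """List reasons a JkMount'ed SSL vhost would not hand the client certificate to the backend."""
    global_dirs, vhosts = parse(conf)
    findings = []
    if global_dirs.get("jkextractssl", ["On"])[-1].lower() == "off":
        findings.append("global: JkExtractSSL Off, mod_jk forwards no SSL data")
    # Variable name mod_jk looks up; the ExportCertData hint below assumes the default name.
    cert_var = global_dirs.get("jkcertsindicator", ["SSL_CLIENT_CERT"])[-1]
    for vh in vhosts:
        dirs, name = vh["dirs"], vh["name"]
        if "jkmount" not in dirs:
            continue
        if dirs.get("sslengine", ["off"])[-1].lower() != "on":
            findings.append(f"{name}: SSLEngine is not on")
            continue
        verify = dirs.get("sslverifyclient", ["none"])[-1].lower()
        if verify == "none":
            findings.append(f"{name}: SSLVerifyClient none, no certificate is requested")
        elif verify != "require":
            findings.append(
                f"{name}: SSLVerifyClient {verify}, backend must handle requests without a certificate")
        exported = set()
        for opt in ssl_options(dirs.get("ssloptions", [])):
            exported |= VARS_BY_OPTION.get(opt, set())
        if cert_var not in exported:
            findings.append(
                f"{name}: {cert_var} is not set by mod_ssl, needs SSLOptions +ExportCertData")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_VHOST), ("fixed", FIXED_VHOST)):
        print(label, audit(conf))
```

With the SSLOptions line uncommented, the only remaining finding is the one about SSLVerifyClient optional: the backend still has to cope with requests that carry no certificate.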
RE: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
-----Original Message-----
From: Serge Dubrouski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 28, 2006 11:18 AM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty

> On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote:
> > I did uncomment that earlier this morning...
> >
> > SSLOptions +StdEnvVars +ExportCertData
> >
> > And it blew up Jetty, nice huh?
>
> Not nice at all :-) But without that Apache won't put cert data to env and mod_jk won't see it. What is Jetty? And what do you mean by blew it up? Did you get any error messages?

Jetty = http://www.mortbay.org/

Jetty Server died, gave some bogus java error that told you nothing

> > Could the way I have my ordering things in httpd.conf and httpd-ssl.conf be throwing something off?
>
> I don't think so.
>
> > Where the httpd-ssl.conf comes first in the httpd.conf, before the actual mod_jk stuff?
>
> I'd put mod_jk stuff before mod_ssl stuff. But I don't think that it matters.

I will try it and see if it works, once again, thank you
[EMAIL PROTECTED] spawned processes using new config files.
Hi all,

I have a situation where I have Apache 2.0.55 configured using the worker process model and this is running using a particular configuration file. Prior to an outage I want to deliver a new config file to the server in readiness for a server restart during my outage window.

My question though is: if we are using a process model that spawns new processes, do these spawned processes read the new config file from disk or do they read it from the parent process's memory? If they read from memory then I am cool because I can update the config prior to the outage and then just restart to read it in, otherwise if it reads from disk I am going to have to deliver during the outage.

Any help would be greatly appreciated.

cheers
Steve

Steve Foster | Capgemini | Telford Shared Technology Services
T. +44 (0) 1952 296664 | www.capgemini.com
Internal: 46664
Re: [EMAIL PROTECTED] Figuring Out Previously-Used Compile Options?
On 11/28/06, David P. Donahue [EMAIL PROTECTED] wrote:
> I have a system running Apache 2.2.0 that wasn't set up by me, and there seems to be no documentation regarding how Apache was installed on the system from the previous admin. Can anyone think of any possible way, based on the running installation on the machine (or based on the makefile that's still in the source directory), to determine what options were passed to the configure script when it was compiled from source?

You can also look for the file config.nice in the source directory or in the build/ directory of the installed server.

Joshua.
[EMAIL PROTECTED] Re: Help with mod_proxy
Todd Nine wrote:
> I have another question on the efficiency side. I'd like to use domain name for ease of configuration, however I know it is less efficient than using IP. Is it less efficient for the first proxy request (i.e. does apache cache the IP after the first lookup?), or does it look up the server every time?

I can't answer this for sure but it seems lookups are not cached by apache. However the client (XP, linux) does cache lookups. The cachetime for positive lookups on XP is rather high (24 hours or so).

If you don't need the added flexibility of dns names, IPs are fine. If that really makes a difference wrt performance I don't know.

cheers
Paul
Re: [EMAIL PROTECTED] spawned processes using new config files.
On 11/28/06, Foster, Stephen (ASPIRE) [EMAIL PROTECTED] wrote:
> Hi all,
>
> I have a situation where I have Apache 2.0.55 configured using the worker process model and this is running using a particular configuration file. Prior to an outage I want to deliver a new config file to the server in readiness for a server restart during my outage window.
>
> My question though is: if we are using a process model that spawns new processes, do these spawned processes read the new config file from disk or do they read it from the parent process's memory? If they read from memory then I am cool because I can update the config prior to the outage and then just restart to read it in, otherwise if it reads from disk I am going to have to deliver during the outage.
>
> Any help would be greatly appreciated.

Config file on disk is not reread during normal operations. Config info for new child processes is inherited from the parent.

Joshua.
Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote:
> > What is Jetty? And what do you mean by blew it up? Did you get any error messages?
>
> Jetty = http://www.mortbay.org/

Just for my curiosity: why do you need 3 Web servers: Apache - JBoss - Jetty ? What Jetty does that JBoss can't do?

> Jetty Server died, gave some bogus java error that told you nothing
[EMAIL PROTECTED] mod_isapi 500 errors
Does anyone have a compiled mod_isapi.so that will work with the Devside 1.91 build? I do not have the development tools or skills to compile the fixed module and we're really stuck without a fix for the 500 error problem.
RE: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
> > Jetty = http://www.mortbay.org/
>
> Just for my curiosity: why do you need 3 Web servers: Apache - JBoss - Jetty ? What Jetty does that JBoss can't do?

Jetty is the HTTP servlet engine for JBoss. Just like Tomcat is the HTTP servlet engine for JBoss 4.x

Without Jetty, or Tomcat for that matter, JBoss does not have a HTTP interface. JBoss is not a web server by itself, it needs Tomcat, Jetty, etc. in front of it to do the HTTP.
Re: [EMAIL PROTECTED] Figuring Out Previously-Used Compile Options?
On Tue, Nov 28, 2006 at 10:19:32 -0500, David P. Donahue wrote:
> > 'head config.log' in the source directory
>
> Interesting. If that line I'm seeing is what I think it is, then it was just ./configure with no parameters. The same seems true of the MySQL compilation as well. I would have thought there'd be something passed, but maybe it was just default everything. But PHP's config.log doesn't have that line...

PHP's configure options are available both in the <?phpinfo();?> output as well as 'head config.status' IIRC.
Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote: Jetty = http://www.mortbay.org/ Just for my curiosity: why do you need 3 Web servers: Apache - JBoss - Jetty ? What Jetty does that JBoss can't do? Jetty is the HTTP servlet engine for Jboss. Just like Tomcat is the HTTP servelet engine for Jboss 4.x Got you. I thought you had JBoss with Tomcat + Jetty. Then I'm not sure that it'd work at all because I'm not sure that Jetty support AJP 1.3. Why not to upgrade JBoss and replace Jetty with Tomcat? Without Jetty, or Tomcat for that matter, Jboss does not hav a HTTP interface. Jboss is not web server by itself, it needs Tomcat, Jetty, etc. in front of it to do the HTTP. Jetty Server died, gave some bogus java error that told you nothing Could the way I have my ordering things in httpd.conf and httpd-ssl.conf be throwing something off? I don't thinks so. Where the httpd-ssl.conf comes first in the httpd.conf, before the acutual mod_jk stuff? I'd put mod_jk stuff before mod_ssl stuff. But I don't think that it matters. I will try it and see if it works, once again, thank you Thanks for your responses, I appreciate your help -Original Message- From: Serge Dubrouski [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 28, 2006 10:53 AM To: users@httpd.apache.org Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote: I am trying to perform the following... Browser_client_with_client_certificate--https--apache_with_mod_jk - - ht tps--Jetty Also, the browser client is passing a client certificate that I want Jetty to have access to perform AA. Browser version = IE 6 Apache version = 2.2.3 Mod_jk version = 1.2.19 Jetty version = 4.2.9 I CAN get the full round trip working under HTTPS, that is not a problem. I CAN *** NOT *** get Jetty to have access to the client certificate, Jetty states that it can not find the client certificate. 
I am confident that Jetty is configured for AJP (round trip in HTTPS work) and client certificates (when the Browser_client_with_client_certificate hits it directly, it works). Not sure if it is a config thing on apache/mod_jk or what. Below is my Apache and mod_jk config, any ideas???...

### In my httpd.conf file I have the following...

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

<IfModule !mod_jk.c>
    #LoadModule jk_module modules/mod_jk.so
    LoadModule jk_module modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so
</IfModule>

<IfModule mod_jk.c>
    JkWorkersFile conf/worker.properties
    JkLogFile logs/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
    JkOptions +ForwardKeySize +ForwardURICompat
    JkExtractSSL On
    # What is the indicator for SSL (default is HTTPS)
    JkHTTPSIndicator HTTPS
    # What is the indicator for SSL session (default is SSL_SESSION_ID)
    JkSESSIONIndicator SSL_SESSION_ID
    # What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
    JkCIPHERIndicator SSL_CIPHER
    # What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT)
    JkCERTSIndicator SSL_CLIENT_CERT
</IfModule>

### In my worker.properties I have...

worker.list=jetty
#worker.jetty.port=8009
worker.jetty.port=5309
worker.jetty.host=servera
worker.jetty.type=ajp13
worker.jetty.lbfactor=1

### In my httpd-ssl.conf I have...

<VirtualHost _default_:5443>
    #SSLOptions +StdEnvVars +ExportCertData

Uncomment this.

    JkMount /* jetty
    # General setup for the virtual host
    DocumentRoot /data/dir/dir/tools/web/apache/server/htdocs
    ServerName kftcsu14.ftc.lab:5443
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /data/dir/dir/tools/web/apache/server/logs/error_log
    TransferLog /data/dir/dir/tools/web/apache/server/logs/access_log
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLProxyEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
    SSLCertificateKeyFile /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem
    SSLCACertificateFile /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem
    SSLVerifyClient optional
</VirtualHost>
RE: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
-Original Message- From: Serge Dubrouski [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 28, 2006 12:08 PM To: users@httpd.apache.org Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote: Jetty = http://www.mortbay.org/ Just for my curiosity: why do you need 3 Web servers: Apache - JBoss - Jetty ? What Jetty does that JBoss can't do? Jetty is the HTTP servlet engine for Jboss. Just like Tomcat is the HTTP servelet engine for Jboss 4.x Got you. I thought you had JBoss with Tomcat + Jetty. Nope, the older Jbosx 3.07 exclusively used Jetty, Jetty 4.2.9 to be exact Then I'm not sure that it'd work at all because I'm not sure that Jetty support AJP 1.3. It does, have confirmed with setting up mod_jk and doing HTTPS round trips ( IE-Apache-Jetty-Apache-IE ). There is a index.html on Jetty that I am able to see via HTTPS when using mod_jk. Jetty config file had an AJP port setting. IT is just when Jetty tries to get the client certificate in Jetty that I begin to have peblems. Why not to upgrade JBoss and replace Jetty with Tomcat? Ah, yes, why not! Well, I can't, we are running some COTS software CRAP, and I do mean CRAP, that requires Jboss 3.0.7 and Jetty 4.2.9. I am going to try some more things this afternoon, if I get it to work, I will post the fix. Thanks much for your time and help! Without Jetty, or Tomcat for that matter, Jboss does not hav a HTTP interface. Jboss is not web server by itself, it needs Tomcat, Jetty, etc. in front of it to do the HTTP. Jetty Server died, gave some bogus java error that told you nothing Could the way I have my ordering things in httpd.conf and httpd-ssl.conf be throwing something off? I don't thinks so. Where the httpd-ssl.conf comes first in the httpd.conf, before the acutual mod_jk stuff? I'd put mod_jk stuff before mod_ssl stuff. But I don't think that it matters. 
I will try it and see if it works, once again, thank you Thanks for your responses, I appreciate your help -Original Message- From: Serge Dubrouski [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 28, 2006 10:53 AM To: users@httpd.apache.org Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote: I am trying to perform the following... Browser_client_with_client_certificate--https--apache_with_mod_jk - - ht tps--Jetty Also, the browser client is passing a client certificate that I want Jetty to have access to perform AA. Browser version = IE 6 Apache version = 2.2.3 Mod_jk version = 1.2.19 Jetty version = 4.2.9 I CAN get the full round trip working under HTTPS, that is not a problem. I CAN *** NOT *** get Jetty to have access to the client certificate, Jetty states that it can not find the client certificate. I am confident that Jetty is configured for AJP (round trip in HTTPS work)and client certificates (when the Browser_client_with_client_certificate hits it directly, it works). Not sure if it is a config thing on apache/mod_jk or what. Below is my Apache and mod_jk config, any ideas???... ### In my httpd.conf file I have the following... 
# Secure (SSL/TLS) connections Include conf/extra/httpd-ssl.conf IfModule !mod_jk.c #LoadModule jk_module modules/mod_jk.so LoadModule jk_module modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so /IfModule IfModule mod_jk.c JkWorkersFile conf/worker.properties JkLogFile logs/mod_jk.log JkLogLevel info JkLogStampFormat [%a %b %d %H:%M:%S %Y] JkOptions +ForwardKeySize +ForwardURICompat JkExtractSSL On # What is the indicator for SSL (default is HTTPS) JkHTTPSIndicator HTTPS # What is the indicator for SSL session (default is SSL_SESSION_ID) JkSESSIONIndicator SSL_SESSION_ID # What is the indicator for client SSL cipher suit (default is SSL_CIPHER) JkCIPHERIndicator SSL_CIPHER # What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT) JkCERTSIndicator SSL_CLIENT_CERT /IfModule ### In my worker.properties I have... worker.list=jetty #worker.jetty.port=8009 worker.jetty.port=5309 worker.jetty.host=servera worker.jetty.type=ajp13 worker.jetty.lbfactor=1 ### In my httpd-ssl.conf I have... VirtualHost _default_:5443 #SSLOptions +StdEnvVars +ExportCertData
RE: [EMAIL PROTECTED] Failed downloads: Could not get next bucket brigade
I've got one user who always seems to have problems downloading files from my Apache server. She reports that the download process hangs, often with 1% of the file remaining to download. The server logs have this error:

(104)Connection reset by peer: Could not get next bucket brigade [500, #0]

I'm running Apache 2.0.51 on Fedora Core 2. Does anyone know how to address this bug ?

Imaginatively... If it's only one user and can't be reproduced with a standard browser at your end, it looks like a client-side issue (especially with Connection reset by peer - ie the client broke the connection).

- is it size dependent, can she download smaller files?
- how is she connected to internet (eg, ADSL, dial-up?) do they have a size limit?
- does the file contain anything that a virus-scanner on the client might reject? (try replacing the file with plain ascii of same size or ask her to switch off any virus-scanners).

We have tried determining if there is a pattern to when the download fails. We haven't been able to find a pattern to it: she can often download large files, while smaller files fail. There might be a virus checking problem ... I will follow up on that idea. In terms of network connections, I've got this very same error popping up with a long list of different IP addresses. And I know it happens with her, when she logs in from home, or when she uses an office network. So the error sure sounds network related, the logs show it happening on a lot of different networks.

- Todd
RE: [EMAIL PROTECTED] Limiting COPY method for WebDAV to one direction
Updating the permissions on the file system will work for folders which are strictly read-only. But in a lot of cases, I want the folder to be readable by group X and writable by group Y.

Mark Lavi [EMAIL PROTECTED] wrote:

I don't know of an Apache/WebDAV solution off the top of my head for your requirement, but it is probably easiest to address this from the filesystem: change the permissions on the directory to be read only.

--Mark
Mark Lavi, Enterprise Web Management Team @ SGI mailto:[EMAIL PROTECTED] || phone:+1-650-933-7707

From: Todd Hivnor [mailto:[EMAIL PROTECTED]
Sent: Monday, November 27, 2006 3:44 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Limiting COPY method for WebDAV to one direction

I am running WebDAV on my Apache 2.0.51 server on Fedora Core 2. I would like to allow users to copy files _from_ a certain directory, but not _into_ it. However, if I allow the COPY method (via the LimitExcept tag) then I am allowing copy _from_ and copy _to_. There doesn't seem to be any means to control the direction of the copy method. Is there a way to configure this? It seems like a fairly basic requirement: a read-only WebDAV folder which allows users to copy files into their personal directories, with a direct HTTP COPY call.

- Todd
[EMAIL PROTECTED] apache client authentication problem (somewhat long)
I posted this on the Redhat Enterprise Linux 4 (Nahant) list, but I didn't get sufficient help to solve my problem, so I'm trying here. I apologize in advance if any of you have seen this before. I am having a problem with client authentication with apache and openssl. I have been ordered to get this working, or I will have to be shut down. I think this is a complex problem (because my web site is somewhat complex, at least for me) but I will try to simplify it as much as possible. I am trying to set up a test directory that requires client authentication, while the parent directory (which is used for web email) does not. I also have non-encrypted web sites, and that may be what is bollixing up this process, I don't know. When I use Internet Explorer to access this test directory, I am successfully presented with the certificate, and required to provide my client certificate. After I do so, however, I get a The page cannot be displayed. The page is currently unavailable... Nothing shows up in /var/log/httpd/ssl_error_log, or in /var/log/httpd/ssl_access_log. However, /var/log/httpd/webmail_error_log shows this: [Wed Nov 22 11:00:56 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate [Wed Nov 22 11:00:56 2006] [error] Re-negotiation handshake failed: Not accepted by client!? /var/log/httpd/webmail_access_log indicates an apache 103 error: schwarzschild.usno.navy.mil - - [22/Nov/2006:11:00:55 -0500] GET /pkitest/ HTTP/1.0 103 - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727) I've never heard of a 103 error. The apache error codes seem to start in the 200's (http://bignosebird.com/apache/a5.shtml). Googling comes up with this: http://www.mail-archive.com/modssl-users@modssl.org/msg17064.html which indicated a number of things, which I tried without success. 
Googling on the renegotiation handshake error yielded quite a bit on use of KeepAlive, but I don't use it, and turning it on didn't help. There are other, simpler, web sites here at work that only have this client authentication, and they were able to implement it without trouble. They are, however, on a fedora core 5 system running apache 2.2.x. I run httpd-2.0.52-28 and openssl-0.9.7a-43.14 on a RHEL ES 4 system.

My *httpd.conf* contains (in part)

<VirtualHost aa.usno.navy.mil:443>
    ServerAdmin [EMAIL PROTECTED]
    ServerName aa.usno.navy.mil
    ErrorLog /var/log/httpd/webmail_error_log
    CustomLog /var/log/httpd/webmail_access_log combined
    TransferLog /var/log/httpd/access_log
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/AA_PKI.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/AA_PKI.key
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
    SSLVerifyClient none
    <Files ~ "\.(cgi|shtml)$">
        SSLOptions +StdEnvVars
    </Files>
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    <Directory /var/www/cgi-bin>
        SSLOptions +StdEnvVars
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/html/pkitest>
        Options Indexes FollowSymLinks MultiViews Includes
        AllowOverride None
        Order allow,deny
        Allow from all
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 10
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /etc/httpd/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x \
        %{SSL_CIPHER}x \"%r\" %b"
    DocumentRoot /var/www/html
    <Directory /var/www>
        Options -Indexes FollowSymLinks MultiViews Includes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    Alias /webmail /usr/share/squirrelmail
</VirtualHost>

My *ssl.conf* contains

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
    ServerName aa.usno.navy.mil:443
    ServerAdmin [EMAIL PROTECTED]
    RewriteEngine on
    RewriteRule ^https://aa/$ https://aa.usno.navy.mil/
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/httpd/conf/ssl.crt/AA_PKI.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/AA_PKI.key
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
    SSLCACertificatePath /etc/httpd/conf/ssl.crt
    SSLVerifyClient optional
    SSLVerifyDepth 10
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory /var/www/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
Re: [EMAIL PROTECTED] apache client authentication problem (somewhat long)
Your client submits certificate signed by CA which certificate you don't have in your SSLCACertificatePath. Actually it looks like you incorrectly configured it. You have:

SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
SSLCACertificatePath /etc/httpd/conf/ssl.crt

You should use just one of those options. If you use SSLCACertificateFile your file (stacked pem) should have certificates for all CA that issue certificates for your clients. If you use SSLCACertificatePath place all certs into that directory and create links like it's described here: http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html

On 11/28/06, Bill Tangren [EMAIL PROTECTED] wrote:

I posted this on the Redhat Enterprise Linux 4 (Nahant) list, but I didn't get sufficient help to solve my problem, so I'm trying here. I apologize in advance if any of you have seen this before. I am having a problem with client authentication with apache and openssl. I have been ordered to get this working, or I will have to be shut down. I think this is a complex problem (because my web site is somewhat complex, at least for me) but I will try to simplify it as much as possible. I am trying to set up a test directory that requires client authentication, while the parent directory (which is used for web email) does not. I also have non-encrypted web sites, and that may be what is bollixing up this process, I don't know. When I use Internet Explorer to access this test directory, I am successfully presented with the certificate, and required to provide my client certificate. After I do so, however, I get a The page cannot be displayed. The page is currently unavailable... Nothing shows up in /var/log/httpd/ssl_error_log, or in /var/log/httpd/ssl_access_log.
However, /var/log/httpd/webmail_error_log shows this: [Wed Nov 22 11:00:56 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate [Wed Nov 22 11:00:56 2006] [error] Re-negotiation handshake failed: Not accepted by client!? /var/log/httpd/webmail_access_log indicates an apache 103 error: schwarzschild.usno.navy.mil - - [22/Nov/2006:11:00:55 -0500] GET /pkitest/ HTTP/1.0 103 - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727) I've never heard of a 103 error. The apache error codes seem to start in the 200's (http://bignosebird.com/apache/a5.shtml). Googling comes up with this: http://www.mail-archive.com/modssl-users@modssl.org/msg17064.html which indicated a number of things, which I tried without success. Googling on the renegotiation handshake error yielded quite a bit on use of KeepAlive, but I don't use it, and turning it on didn't help. There are other, simpler, web sites here at work that only have this client authentication, and they were able to implement it without trouble. They are, however, on a fedora core 5 system running apache 2.2.x. I run httpd-2.0.52-28 and openssl-0.9.7a-43.14 on a RHEL ES 4 system. 
My *httpd.conf* contains (in part) VirtualHost aa.usno.navy.mil:443 ServerAdmin [EMAIL PROTECTED] ServerName aa.usno.navy.mil ErrorLog /var/log/httpd/webmail_error_log CustomLog /var/log/httpd/webmail_access_log combined TransferLog /var/log/httpd/access_log SSLEngine on SSLCertificateFile/etc/httpd/conf/ssl.crt/AA_PKI.crt SSLCertificateKeyFile /etc/httpd/conf/ssl.key/AA_PKI.key SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt SSLVerifyClient none Files ~ \.(cgi|shtml)$ SSLOptions +StdEnvVars /Files ScriptAlias /cgi-bin/ /var/www/cgi-bin/ Directory /var/www/cgi-bin SSLOptions +StdEnvVars AllowOverride None Options None Order allow,deny Allow from all /Directory Directory /var/www/html/pkitest Options Indexes FollowSymLinks MultiViews Includes AllowOverride None Order allow,deny Allow from all SSLRequireSSL SSLVerifyClient require SSLVerifyDepth 10 /Directory SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog /etc/httpd/logs/ssl_request_log %t %h %{SSL_PROTOCOL}x \ %{SSL_CIPHER}x \%r\ %b DocumentRoot /var/www/html Directory /var/www Options -Indexes FollowSymLinks MultiViews Includes AllowOverride None Order allow,deny Allow from all /Directory Alias /webmail /usr/share/squirrelmail /VirtualHost My *ssl.conf* contains LoadModule ssl_module modules/mod_ssl.so Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl.crl SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 SSLMutex default SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin VirtualHost _default_:443 ServerName
RE: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
GOT IT TO WORK!!!

The old Jetty 4.2.9 server was blowing up when I sent the...

ForwardKeySize

In httpd.conf...

JkOptions +ForwardKeySize +ForwardURICompat

ForwardKeySize was not getting parsed in Jetty and was crapping out Jetty when sent to it. SO, I did this in the config...

#JkOptions +ForwardKeySize +ForwardURICompat
JkOptions +ForwardURICompat

And of course, turned on the exporting of the SSL env in httpd-ssl.conf...

SSLOptions +StdEnvVars +ExportCertData

And it is working, Jetty is getting the client certificate and performing AA based on it. BUT, there is one thing I did forget about, currently the AJP port that Jetty is listening on is NOT HTTPS, I am going to try that next, BUT, at least I am making progress.

Hope the above helps someone when they are googling for answers

-Original Message-
From: Lucuk, Pete [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 28, 2006 12:36 PM
To: users@httpd.apache.org
Subject: RE: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty

-Original Message-
From: Serge Dubrouski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 28, 2006 12:08 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty

On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote: Jetty = http://www.mortbay.org/ Just for my curiosity: why do you need 3 Web servers: Apache - JBoss - Jetty ? What Jetty does that JBoss can't do? Jetty is the HTTP servlet engine for Jboss. Just like Tomcat is the HTTP servlet engine for Jboss 4.x Got you. I thought you had JBoss with Tomcat + Jetty. Nope, the older Jboss 3.07 exclusively used Jetty, Jetty 4.2.9 to be exact Then I'm not sure that it'd work at all because I'm not sure that Jetty support AJP 1.3. It does, have confirmed with setting up mod_jk and doing HTTPS round trips ( IE-Apache-Jetty-Apache-IE ). There is a index.html on Jetty that I am able to see via HTTPS when using mod_jk. Jetty config file had an AJP port setting.
IT is just when Jetty tries to get the client certificate in Jetty that I begin to have peblems. Why not to upgrade JBoss and replace Jetty with Tomcat? Ah, yes, why not! Well, I can't, we are running some COTS software CRAP, and I do mean CRAP, that requires Jboss 3.0.7 and Jetty 4.2.9. I am going to try some more things this afternoon, if I get it to work, I will post the fix. Thanks much for your time and help! Without Jetty, or Tomcat for that matter, Jboss does not hav a HTTP interface. Jboss is not web server by itself, it needs Tomcat, Jetty, etc. in front of it to do the HTTP. Jetty Server died, gave some bogus java error that told you nothing Could the way I have my ordering things in httpd.conf and httpd-ssl.conf be throwing something off? I don't thinks so. Where the httpd-ssl.conf comes first in the httpd.conf, before the acutual mod_jk stuff? I'd put mod_jk stuff before mod_ssl stuff. But I don't think that it matters. I will try it and see if it works, once again, thank you Thanks for your responses, I appreciate your help -Original Message- From: Serge Dubrouski [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 28, 2006 10:53 AM To: users@httpd.apache.org Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote: I am trying to perform the following... Browser_client_with_client_certificate--https--apache_with_mod_jk - - ht tps--Jetty Also, the browser client is passing a client certificate that I want Jetty to have access to perform AA. Browser version = IE 6 Apache version = 2.2.3 Mod_jk version = 1.2.19 Jetty version = 4.2.9 I CAN get the full round trip working under HTTPS, that is not a problem. I CAN *** NOT *** get Jetty to have access to the client certificate, Jetty states that it can not find the client certificate. 
I am confident that Jetty is configured for AJP (round trip in HTTPS work)and client certificates (when the Browser_client_with_client_certificate hits it directly, it works). Not sure if it is a config thing on apache/mod_jk or what. Below is my Apache and mod_jk config, any ideas???... ### In my httpd.conf file I have the following... # Secure (SSL/TLS) connections Include conf/extra/httpd-ssl.conf IfModule !mod_jk.c #LoadModule jk_module modules/mod_jk.so LoadModule jk_module modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so /IfModule IfModule mod_jk.c JkWorkersFile conf/worker.properties JkLogFile logs/mod_jk.log JkLogLevel info
Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty
Congratulations! See down there...

On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote:

GOT IT TO WORK!!!

The old Jetty 4.2.9 server was blowing up when I sent the...

ForwardKeySize

In httpd.conf...

JkOptions +ForwardKeySize +ForwardURICompat

ForwardKeySize was not getting parsed in Jetty and was crapping out Jetty when sent to it. SO, I did this in the config...

#JkOptions +ForwardKeySize +ForwardURICompat
JkOptions +ForwardURICompat

And of course, turned on the exporting of the SSL env in httpd-ssl.conf...

SSLOptions +StdEnvVars +ExportCertData

And it is working, Jetty is getting the client certificate and performing AA based on it. BUT, there is one thing I did forget about, currently the AJP port that Jetty is listening on is NOT HTTPS, I am going to try that next, BUT, at least I am making progress.

AJP is not HTTPS but it's neither HTTP. It's a proprietary protocol and I'm not sure that you can secure it any way besides port forwarding through SSH. On my system I have Tomcat and Apache on the same box so I made Tomcat listening on localhost address only and use clear AJP. In case of separate boxes I'd try ssh tunneling for AJP.

Hope the above helps someone when they are googling for answers

-Original Message-
From: Lucuk, Pete [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 28, 2006 12:36 PM
To: users@httpd.apache.org
Subject: RE: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty

-Original Message-
From: Serge Dubrouski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 28, 2006 12:08 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty

On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote: Jetty = http://www.mortbay.org/ Just for my curiosity: why do you need 3 Web servers: Apache - JBoss - Jetty ? What Jetty does that JBoss can't do? Jetty is the HTTP servlet engine for Jboss. Just like Tomcat is the HTTP servlet engine for Jboss 4.x Got you. I thought you had JBoss with Tomcat + Jetty.
Nope, the older Jbosx 3.07 exclusively used Jetty, Jetty 4.2.9 to be exact Then I'm not sure that it'd work at all because I'm not sure that Jetty support AJP 1.3. It does, have confirmed with setting up mod_jk and doing HTTPS round trips ( IE-Apache-Jetty-Apache-IE ). There is a index.html on Jetty that I am able to see via HTTPS when using mod_jk. Jetty config file had an AJP port setting. IT is just when Jetty tries to get the client certificate in Jetty that I begin to have peblems. Why not to upgrade JBoss and replace Jetty with Tomcat? Ah, yes, why not! Well, I can't, we are running some COTS software CRAP, and I do mean CRAP, that requires Jboss 3.0.7 and Jetty 4.2.9. I am going to try some more things this afternoon, if I get it to work, I will post the fix. Thanks much for your time and help! Without Jetty, or Tomcat for that matter, Jboss does not hav a HTTP interface. Jboss is not web server by itself, it needs Tomcat, Jetty, etc. in front of it to do the HTTP. Jetty Server died, gave some bogus java error that told you nothing Could the way I have my ordering things in httpd.conf and httpd-ssl.conf be throwing something off? I don't thinks so. Where the httpd-ssl.conf comes first in the httpd.conf, before the acutual mod_jk stuff? I'd put mod_jk stuff before mod_ssl stuff. But I don't think that it matters. I will try it and see if it works, once again, thank you Thanks for your responses, I appreciate your help -Original Message- From: Serge Dubrouski [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 28, 2006 10:53 AM To: users@httpd.apache.org Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and Jetty On 11/28/06, Lucuk, Pete [EMAIL PROTECTED] wrote: I am trying to perform the following... Browser_client_with_client_certificate--https--apache_with_mod_jk - - ht tps--Jetty Also, the browser client is passing a client certificate that I want Jetty to have access to perform AA. 
Browser version = IE 6 Apache version = 2.2.3 Mod_jk version = 1.2.19 Jetty version = 4.2.9 I CAN get the full round trip working under HTTPS, that is not a problem. I CAN *** NOT *** get Jetty to have access to the client certificate, Jetty states that it can not find the client certificate. I am confident that Jetty is configured for AJP (round trip in HTTPS work)and client certificates (when the Browser_client_with_client_certificate hits it directly, it works). Not sure if it is a config thing on apache/mod_jk or what. Below is my Apache and mod_jk config, any ideas???... ### In my httpd.conf file I have the
[EMAIL PROTECTED] apache ajp error
hello all, I have apache 2.2.2 and tomcat 5.5.17 installed on my FC5 box. This past week our jsp application has been freezing many times giving the following error message in the apache log file [Tue Nov 28 12:36:56 2006] [error] ajp_read_header: ajp_ilink_receive failed [Tue Nov 28 12:36:56 2006] [error] (120006)APR does not understand this error code: proxy: I did a google and found that this might be a connection limit issue. I am using proxy_ajp module along with the proxypass directive to connect to my webapp. Please let me know if there are any suggestions. thanks
Re: [EMAIL PROTECTED] Figuring Out Previously-Used Compile Options?
With PHP, you can do a <? phpinfo(); ?> and it'll give you the configure line used.

Scott.

David P. Donahue wrote:

'head config.log' in the source directory

Interesting. If that line I'm seeing is what I think it is, then it was just ./configure with no parameters. The same seems true of the MySQL compilation as well. I would have thought there'd be something passed, but maybe it was just default everything. But PHP's config.log doesn't have that line... I guess I'll ask them what they'd recommend. Thanks!

Regards, David
RE: [EMAIL PROTECTED] Limiting COPY method for WebDAV to one direction
Ah, you've changed the scope of your question. :-)

So long as you leverage an Apache authorization module with user and group permissions, I would think you could control permissions on who can do what per directory easily, but for this solution, you would not give both groups WebDAV access. One group (read only) could browse the web server and download contents of the autogenerated directory while the other group would be authenticated to have WebDAV privileges. It's simpler to manage and granular to the directory, but not exactly what you are asking for because not both groups are given WebDAV permissions. So the read only group could not do a select all files to download, much like a network drive operation, unless they used some sort of browser enhancement.

Configuration would be something like (I'm doing this off the top of my head for illustration, please don't expect to cut and paste this without syntax correction and adaptation for your situation):

<Directory /www/docroot/projects/X>
    Options Indexes
    AllowOverride None
    AuthType Basic
    AuthName "Only group X can publish!"
    AuthUserFile /home/www/acl/htpasswdfile
    AuthGroupFile /home/www/acl/groupfile
    DAV On
    <LimitExcept GET HEAD OPTIONS>
        Require group X
    </LimitExcept>
</Directory>

--Mark
Mark Lavi, Enterprise Web Management Team @ SGI mailto:[EMAIL PROTECTED] || phone:+1-650-933-7707

From: Todd Hivnor [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 28, 2006 11:15 AM
To: users@httpd.apache.org
Subject: RE: [EMAIL PROTECTED] Limiting COPY method for WebDAV to one direction

Updating the permissions on the file system will work for folders which are strictly read-only. But in a lot of cases, I want the folder to be readable by group X and writable by group Y.

Mark Lavi [EMAIL PROTECTED] wrote:

I don't know of an Apache/WebDAV solution off the top of my head for your requirement, but it is probably easiest to address this from the filesystem: change the permissions on the directory to be read only.

--Mark
Mark Lavi, Enterprise Web Management Team @ SGI mailto:[EMAIL PROTECTED] || phone:+1-650-933-7707

From: Todd Hivnor [mailto:[EMAIL PROTECTED]
Sent: Monday, November 27, 2006 3:44 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Limiting COPY method for WebDAV to one direction

I am running WebDAV on my Apache 2.0.51 server on Fedora Core 2. I would like to allow users to copy files _from_ a certain directory, but not _into_ it. However, if I allow the COPY method (via the LimitExcept tag) then I am allowing copy _from_ and copy _to_. There doesn't seem to be any means to control the direction of the copy method. Is there a way to configure this? It seems like a fairly basic requirement: a read-only WebDAV folder which allows users to copy files into their personal directories, with a direct HTTP COPY call.

- Todd
Re: [EMAIL PROTECTED] apache client authentication problem (somewhat long)
Serge Dubrouski wrote:
> Your client submits certificate signed by CA which certificate you don't have in your SSLCACertificatePath. Actually it looks like you incorrectly configured it. You have:
>
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> SSLCACertificatePath /etc/httpd/conf/ssl.crt
>
> You should use just one of those options. If you use SSLCACertificateFile your file (stacked pem) should have certificates for all CA that issue certificates for your clients. If you use SSLCACertificatePath place all certs into that directory and create links like it's described here:
>
> http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html

OK, I've read that. I may be stuck on this line:

1: # Make sure the new CA certificate is in PEM format.

The CA's I obtained from a very user-hostile web site. It listed each CA separately (like CA-12, CA-13, etc.), and allowed me to view the certificates, or download them. If you download them, I am given .cer files. If you view them, I am given a lot of text in between a -BEGIN CERTIFICATE- and an -END CERTIFICATE-, as well as the certificate contents in readable form. I don't know what .cer files are, except googling indicates they may be something that Microsoft uses, as MS has a utility that reads them, and will install the certificate.

I copied each text certificate and concatenated them into a single root.crt file. This link:

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/sample-ca-cert.htm

seems to indicate that what I did was correct.

Also, removing the SSLCACertificatePath line in ssl.conf does not help. I have an emailed copy of another server's root.crt file, from a site that has this working, and I STILL get these errors. I had copied his ssl.conf as well. He used both lines given above.

Thanks for responding. Any other ideas?
[EMAIL PROTECTED] Apache 2.2.3 and SUDO
Is there any way to compile httpd statically? The reason is I need to use SUDO and that wipes the LD_LIBRARY_PATH variable so apache cannot find its shared object libraries.
Re: [EMAIL PROTECTED] apache client authentication problem (somewhat long)
So you have a bunch of .cer files. Then you have to use SSLCACertificatePath and links with hashes as names. It can't be just one file with one certificate unless all your clients have certificates signed by one CA.

On 11/28/06, Bill Tangren [EMAIL PROTECTED] wrote:
> Serge Dubrouski wrote:
> > Your client submits certificate signed by CA which certificate you don't have in your SSLCACertificatePath. Actually it looks like you incorrectly configured it. You have:
> >
> > SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> > SSLCACertificatePath /etc/httpd/conf/ssl.crt
> >
> > You should use just one of those options. If you use SSLCACertificateFile your file (stacked pem) should have certificates for all CA that issue certificates for your clients. If you use SSLCACertificatePath place all certs into that directory and create links like it's described here:
> >
> > http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html
>
> OK, I've read that. I may be stuck on this line:
>
> 1: # Make sure the new CA certificate is in PEM format.
>
> The CA's I obtained from a very user-hostile web site. It listed each CA separately (like CA-12, CA-13, etc.), and allowed me to view the certificates, or download them. If you download them, I am given .cer files. If you view them, I am given a lot of text in between a -BEGIN CERTIFICATE- and an -END CERTIFICATE-, as well as the certificate contents in readable form. I don't know what .cer files are, except googling indicates they may be something that Microsoft uses, as MS has a utility that reads them, and will install the certificate.
>
> I copied each text certificate and concatenated them into a single root.crt file. This link:
>
> http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/sample-ca-cert.htm
>
> seems to indicate that what I did was correct.
>
> Also, removing the SSLCACertificatePath line in ssl.conf does not help. I have an emailed copy of another server's root.crt file, from a site that has this working, and I STILL get these errors. I had copied his ssl.conf as well. He used both lines given above.
>
> Thanks for responding. Any other ideas?
Re: [EMAIL PROTECTED] apache client authentication problem (somewhat long)
On 11/28/06, Bill Tangren [EMAIL PROTECTED] wrote:
> Serge Dubrouski wrote:
> > Your client submits certificate signed by CA which certificate you don't have in your SSLCACertificatePath. Actually it looks like you incorrectly configured it. You have:
> >
> > SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> > SSLCACertificatePath /etc/httpd/conf/ssl.crt
> >
> > You should use just one of those options. If you use SSLCACertificateFile your file (stacked pem) should have certificates for all CA that issue certificates for your clients. If you use SSLCACertificatePath place all certs into that directory and create links like it's described here:
> >
> > http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html
>
> OK, I've read that. I may be stuck on this line:
>
> 1: # Make sure the new CA certificate is in PEM format.
>
> The CA's I obtained from a very user-hostile web site. It listed each CA separately (like CA-12, CA-13, etc.), and allowed me to view the certificates, or download them. If you download them, I am given .cer files. If you view them, I am given a lot of text in between a -BEGIN CERTIFICATE- and an -END CERTIFICATE-, as well as the certificate contents in readable form. I don't know what .cer files are, except googling indicates they may be something that Microsoft uses, as MS has a utility that reads them, and will install the certificate.
>
> I copied each text certificate and concatenated them into a single root.crt file. This link:
>
> http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/sample-ca-cert.htm
>
> seems to indicate that what I did was correct.
>
> Also, removing the SSLCACertificatePath line in ssl.conf does not help. I have an emailed copy of another server's root.crt file, from a site that has this working, and I STILL get these errors. I had copied his ssl.conf as well. He used both lines given above.

And that's not a problem with your server certificate. That's a problem with client certificates. You have to have certs for CAs that issued client certificates.

> Thanks for responding. Any other ideas?
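Added example (not part of the original thread and not code from the Apache project): a shell function for the steps discussed in this thread, converting downloaded .cer files to PEM and creating the hash-named links that an SSLCACertificatePath directory needs. The function name install_ca_certs and its two directory arguments are assumptions; it expects one certificate per input file and the openssl command-line tool on the PATH.

```shell
#!/bin/sh
# install_ca_certs SRC_DIR DEST_DIR   (hypothetical helper, added example)
#   Reads every *.cer / *.crt in SRC_DIR (DER or PEM encoded), writes a clean
#   PEM copy into DEST_DIR and creates the <subject-hash>.N symlink that
#   OpenSSL uses to find a CA in a certificate directory.
#   Prints the number of certificates installed.
install_ca_certs() {
    src=$1
    dest=$2
    mkdir -p "$dest" || return 1
    installed=0
    for f in "$src"/*.cer "$src"/*.crt; do
        [ -f "$f" ] || continue
        name=$(basename "${f%.*}").pem
        # A PEM file carries the five-dash BEGIN marker; anything else is
        # tried as binary DER, which is what many sites serve as .cer.
        if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            form=PEM
        else
            form=DER
        fi
        # Re-encoding through openssl drops human-readable text around the
        # base64 block and rejects files that are not certificates at all.
        if ! openssl x509 -inform "$form" -in "$f" -outform PEM \
                -out "$dest/$name" 2>/dev/null; then
            echo "skipped (not a $form certificate): $f" >&2
            rm -f "$dest/$name"
            continue
        fi
        hash=$(openssl x509 -noout -hash -in "$dest/$name") || continue
        # Different CAs can share a subject hash, so use the first free
        # numeric suffix, unless this same certificate is already linked.
        n=0
        while [ -e "$dest/$hash.$n" ] || [ -L "$dest/$hash.$n" ]; do
            if cmp -s "$dest/$hash.$n" "$dest/$name"; then
                n=-1
                break
            fi
            n=$((n + 1))
        done
        if [ "$n" -ge 0 ]; then
            ln -s "$name" "$dest/$hash.$n"
        fi
        installed=$((installed + 1))
    done
    echo "$installed"
}

# Usage: install_ca_certs /path/to/downloaded-certs /etc/httpd/conf/ssl.crt
```

The destination directory is the one named by SSLCACertificatePath; files that fail to parse are reported on stderr and left out.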
Re: [EMAIL PROTECTED] Apache 2.2.3 and SUDO
You can just edit the apachectl script and add this:

LD_LIBRARY_PATH=/path/to/libraries
export LD_LIBRARY_PATH

or you can edit /etc/profile and add those two lines. Not sure how compiling apache statically would help (maybe someone else can enlighten me).

On 11/28/06, Dave Templeton [EMAIL PROTECTED] wrote:
> Is there any way to compile httpd statically? The reason is I need to use SUDO and that wipes the LD_LIBRARY_PATH variable so apache cannot find its shared object libraries.
Re: [EMAIL PROTECTED] Failed downloads: Could not get next bucket brigade
Do you have mod_dav enabled? Does upgrading to 2.0.59 fix the issue? I had issues with DAV and Sendfile. If it's a sendfile() capable OS, have you tried putting EnableSendfile Off in your configuration?

On 11/28/06, Morgan Gangwere [EMAIL PROTECTED] wrote:
> try getting the file from a completely different machine, completely different internet connection, etc. if THAT fails, then it's an apache problem, or a problem on the Server-Side. does the file work if you open it? does it pass md5 checks?
>
> On 11/28/06, Todd Hivnor [EMAIL PROTECTED] wrote:
> > I've got one user who always seems to have problems downloading files from my Apache server. She reports that the download process hangs, often with 1% of the file remaining to download. The server logs have this error:
> >
> > (104)Connection reset by peer: Could not get next bucket brigade [500, #0]
> >
> > I'm running Apache 2.0.51 on Fedora Core 2. Does anyone know how to address this bug ?
> >
> > Imaginatively... If it's only one user and can't be reproduced with a standard browser at your end, it looks like a client-side issue (especially with Connection reset by peer - ie the client broke the connection).
> > - is it size dependent, can she download smaller files?
> > - how is she connected to internet (eg, ADSL, dial-up?) do they have a size limit?
> > - does the file contain anything that a virus-scanner on the client might reject? (try replacing the file with plain ascii of same size or ask her to switch off any virus-scanners).
> >
> > We have tried determining if there is a pattern to when the download fails. We haven't been able to find a pattern to it: she can often download large files, while smaller files fail. There might be a virus checking problem ... I will follow up on that idea. In terms of network connections, I've got this very same error popping up with a long list of different IP addresses. And I know it happens with her, when she logs in from home, or when she uses an office network. So the error sure sounds network related, the logs show it happening on a lot of different networks.
> >
> > - Todd
>
> --
> Morgan gangwere
> Space does not reflect society, it expresses it. -- Castells, M., Space of Flows, Space of Places: Materials for a Theory of Urbanism in the Information Age, in The Cybercities Reader, S. Graham, Editor. 2004, Routledge: London. p. 82-93.
[EMAIL PROTECTED] Virtual Hosting / FTP Access / Perl - cgi scripting
I am currently running a single website on my own Linux Box for my own small business and wish to Host a website for a Canoe Club that I am a member of. Virtual Hosting is very new to me and I don't want too much downtime for my current website whilst setting this up.

I would be grateful if someone could point me in the right direction as to how to setup Virtual Hosting for the two Domain Names and allow remote FTP access for the Club Only.

I already have two domain Names setup to access my current Website, how can this be maintained using Virtual Hosting. I effectively have three Domain Names to think about but two of them point to the same Host.

I use perl / cgi scripting to dynamically create my current website, will this be a problem and does Virtual Hosting create problems, how can I allow perl / cgi scripting to the clubs site too?

Are there any serious security issues? Are there any serious Do's and Don'ts involved?

Any Help and advice welcome.

Mark Feather
Re: [EMAIL PROTECTED] Virtual Hosting / FTP Access / Perl - cgi scripting
It's pretty well all in the docs, Mark.

You can run each site in its own virtual host (your own site, plus the others). If you have a single dedicated IP address (the most common situation), you use name-based virtual hosting.

Apache gives you a lot of configuration options. Each virtual host can include these... i.e. you can have a separate CGI-bin directory for each site. Everything is managed within the virtual host directives. Thus, once you get your own site working in its own virtual host -- working on the others should not give you down time.

NOTE, that SSL and name-based virtual hosting gives some trouble to set up (this is described in detail in past content of the list).

----- Original Message -----
From: Mark Feather
To: users@httpd.apache.org
Sent: Tuesday, November 28, 2006 4:35 PM
Subject: [EMAIL PROTECTED] Virtual Hosting / FTP Access / Perl - cgi scripting

I am currently running a single website on my own Linux Box for my own small business and wish to Host a website for a Canoe Club that I am a member of. Virtual Hosting is very new to me and I don't want too much downtime for my current website whilst setting this up.

I would be grateful if someone could point me in the right direction as to how to setup Virtual Hosting for the two Domain Names and allow remote FTP access for the Club Only.

I already have two domain Names setup to access my current Website, how can this be maintained using Virtual Hosting. I effectively have three Domain Names to think about but two of them point to the same Host.

I use perl / cgi scripting to dynamically create my current website, will this be a problem and does Virtual Hosting create problems, how can I allow perl / cgi scripting to the clubs site too?

Are there any serious security issues? Are there any serious Do's and Don'ts involved?

Any Help and advice welcome.

Mark Feather
[EMAIL PROTECTED] Apache Error with mrtg-rrd
All,

I am setting up mrtg-rrd under Apache for the first time. Actually, it is my first time with Apache..:-) I am getting the following error in the http logs:

[Tue Nov 28 17:28:12 2006] [error] [client 68.5.102.101] client denied by server configuration: /var/www/mrtg/icons/mrtg-m.png, referer: http://mrtg.adn/cgi-bin/mrtg/mrtg-rrd.cgi/
[Tue Nov 28 17:28:12 2006] [error] [client 68.5.102.101] client denied by server configuration: /var/www/mrtg/icons/mrtg-l.png, referer: http://mrtg.adn/cgi-bin/mrtg/mrtg-rrd.cgi/
[Tue Nov 28 17:28:12 2006] [error] [client 68.5.102.101] client denied by server configuration: /var/www/mrtg/icons/mrtg-r.png, referer: http://mrtg.adn/cgi-bin/mrtg/mrtg-rrd.cgi/
[Tue Nov 28 17:33:00 2006] [error] [client 68.5.102.101] client denied by server configuration: /var/www/mrtg/icons/mrtg-l.png, referer: http://mrtg.adn/cgi-bin/mrtg/mrtg-rrd.cgi/
[Tue Nov 28 17:33:00 2006] [error] [client 68.5.102.101] client denied by server configuration: /var/www/mrtg/icons/mrtg-m.png, referer: http://mrtg.adn/cgi-bin/mrtg/mrtg-rrd.cgi/
[Tue Nov 28 17:33:00 2006] [error] [client 68.5.102.101] client denied by server configuration: /var/www/mrtg/icons/mrtg-r.png, referer: http://mrtg.adn/cgi-bin/mrtg/mrtg-rrd.cgi/

I have Google'd this to death but not able to find exactly what I have misconfigured or not configured. Below is my virtual host configuration. Any help on getting this to work would be greatly appreciated. Thanks in advance.

-Patrick

---

<VirtualHost *:80>
    ServerName www.mrtg.adn
    ServerAlias mrtg.adn
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /www/mrtg
    <Location />
        Options All
        DirectoryIndex index.shtml
    </Location>
    Options +Includes FollowSymLinks
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    IndexStyleSheet /css/main.css
    ReadmeName footer.html
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    AddHandler cgi-script .cgi .pl
    ServerName dl380-003.adrenalinenetworks.net
    ErrorLog /var/log/httpd/mrtg.adn
    CustomLog /var/log/httpd/mrtg.adn-access_log common
    LogLevel debug
</VirtualHost>
Re: [EMAIL PROTECTED] Virtual Hosts and SSL
Thanks for that, perhaps I'll get a chance to use it some time. However, the server in question in this case is inside IBM, and the only common part of its servername across the virtualhosts is .ibm.com so I won't rush off to get a certificate for that!

On 28/11/06, Robert Fox [EMAIL PROTECTED] wrote:
> You only need a separate IP for every virtual host if you are not using a wildcard certificate. Wildcard certs cost a little more, but they are good for all hosts within a particular domain. Then, you can run all of your vhosts on port 443 with the same IP, and the cert will work for all of the vhosts.

--
Steve Swift
http://www.swiftys.org.uk
[EMAIL PROTECTED] memory consumption in Apache
hi,

I'm trying to predict how much memory should be used with Apache2.2.3 (worker) + Linux2.6.x. This setup is only serving static content, and trying to serve 1 simultaneous users (about 1 connections,500 simultaneous requests at the same time). I have several questions below.

1. How much memory is used for holding one connection across software layers (including kernel TCP/IP stack and apache)?

2. How much memory is used for holding one request across software layers (including kernel TCP/IP stack and apache)?

3. If memory is exhausted and total connections have not exceeded the MaxClients limit (that means Apache will return no mem), what happens if a new connection comes in? Does Apache send a 503 or 500 error? And also what happens if a new request comes in on a keepalived connection? Does Apache send 503 or 500? Does Apache have a pending handling mechanism (I mean holding the connection or request till memory is available, and not sending error message to clients) when out of memory?

Thanks in advance.

Thx, Xuekun