Re: [EMAIL PROTECTED] SSL on IP Address

2007-01-26 Thread Sander Temme


On Jan 26, 2007, at 9:42 PM, <[EMAIL PROTECTED]>  
wrote:


Please how do I install SSL certificate on a server that would be  
accessed by IP only? I mean something like https://10.l.10.241/.


Put the IP address instead of the hostname in the CN field of the  
certificate.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
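A check worth running on a certificate issued this way, as an added example that is not part of the original thread: RFC 2818 section 3.1 requires an iPAddress subjectAltName for URLs that use an IP literal, so a certificate carrying the address only in the CN is accepted by legacy clients at best. The dictionaries are constructed samples in the layout returned by Python's `ssl.SSLSocket.getpeercert()`, and 192.0.2.10 is a placeholder address.

```python
import ipaddress


def _same_ip(a, b):
    """Compare two textual IP addresses by value, not by spelling."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def match_ip_identity(cert, url_ip):
    """Classify how a certificate identifies the server at https://<url_ip>/.

    Returns 'san-ip'  if an iPAddress subjectAltName matches (RFC 2818 rule),
            'cn-only' if only the CN carries the address and no SAN exists
                      (legacy fallback; strict clients reject this),
            None      if nothing matches.
    """
    sans = cert.get("subjectAltName", ())
    if any(kind == "IP Address" and _same_ip(value, url_ip) for kind, value in sans):
        return "san-ip"
    if not sans:  # CN fallback is only considered when the SAN extension is absent
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _same_ip(value, url_ip):
                    return "cn-only"
    return None


# Constructed sample certificates (getpeercert() layout).
CN_ONLY = {"subject": ((("commonName", "192.0.2.10"),),)}
WITH_IP_SAN = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
# Common mistake: the address entered as a DNS name instead of an IP entry.
IP_IN_DNS_SAN = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("DNS", "192.0.2.10"),),
}
V6_SAN = {"subjectAltName": (("IP Address", "2001:DB8:0:0:0:0:0:1"),)}

if __name__ == "__main__":
    for name, cert, ip in [
        ("CN only", CN_ONLY, "192.0.2.10"),
        ("CN + IP SAN", WITH_IP_SAN, "192.0.2.10"),
        ("IP typed as DNS SAN", IP_IN_DNS_SAN, "192.0.2.10"),
        ("IPv6 SAN", V6_SAN, "2001:db8::1"),
    ]:
        print(f"{name:22} -> {match_ip_identity(cert, ip)}")
```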






Re: [EMAIL PROTECTED] SSL on IP Address

2007-01-26 Thread Darren Spruell

On 1/26/07, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:

Hi,

Please how do I install SSL certificate on a server that would be accessed by 
IP only? I mean something like https://10.l.10.241/.


The same way you would one that was used on a site you access via hostname.

DS

-
The official User-To-User support forum of the Apache HTTP Server Project.
See <http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[EMAIL PROTECTED] SSL on IP Address

2007-01-26 Thread tech.subscriptions
Hi,

Please how do I install SSL certificate on a server that would be accessed by 
IP only? I mean something like https://10.l.10.241/.

Regards.

Tope Akinniyi





Re: [EMAIL PROTECTED] SSL Certificate on Intranet Virtual Host

2007-01-26 Thread Jean-Yves Avenard

Hi

On 1/26/07, Chirouze Olivier <[EMAIL PROTECTED]> wrote:

Hi,

This is my first contribution to the list so please don't be too rude if
I'm wrong ;-)

But I think we have the same situation here:

Onename.server.com/
Othername.server.com
Somethingelse.server.com


That still won't work, as you can't use virtual host with SSL
certificate. Basically one port/IP address: one certificate.
As mentioned before, the SSL needs to be established before apache
http transaction gets established. So it is not aware as to which site
you're trying to get yet.

JY




Re: [EMAIL PROTECTED] Apache + Tomcat = no session management

2007-01-26 Thread Wm.A.Stafford

Sander,

   What progress I've made.  I've gone from Apache-clueless to 
answering my own questions.


   Well, not quite answering but at least shedding some light.  If I 
use url rewriting our Apache 1.3 does not recognize the url because it 
thinks the jsessionid is part of the context name, so a 404 results.  
Apparently, a rewriting rule can be used to avoid this.


 
 RewriteEngine on
 # Force URLs with a jsessionid to go to Tomcat. Necessary because
 # Apache doesn't recognise that the semi-colon is special.
 RewriteRule   ^(/.*;jsessionid=.*)$   $1 [T=jserv-servlet]
 

   Your original suggestion for making the proxy and proxied context 
the same solved our problem.  But perhaps this will be useful for those 
who must use url rewriting and Apache 1.3.


   Thanks again for your great support,
   -=bill

Sander Temme wrote:


On Jan 26, 2007, at 10:48 AM, Wm.A.Stafford wrote:

   I forgot to ask about one more aspect of this situation.  When we 
first realized that session cookies were not coming in to the app we 
tried url rewriting and that did not resolve the problem.  Does 
Apache 1.3 do something to urls that have an explicit session id?

ex. ip_and_context ;jsessionid=blah de blah de blah &params.


This is not ringing a bell for me: mod_proxy should just forward the 
request query string unaltered.


   While searching for the solution to this I saw a web page that 
said a rewrite rule was required if url rewriting is used.  Is this 
the case and, if so, could you give me an example rule or direct me 
to a source for this rule.


Perhaps someone else has any direct experience with this.

S.


Sander Temme wrote:


On Jan 25, 2007, at 1:20 PM, Wm.A.Stafford wrote:


Sander,

Here is a cookie copied from Firefox cookie viewer when
the Apache+Tomcat machine was accessed from another machine.

Name: JSESSIONID
Content: 10FA6EB4F5B24CBA716A7F5DAD1F4B3F
Host: iobis.marine.rutgers.edu
Path: /OBISDEV



Send For: Any type of connection
Expires: at end of session

The URL to access the Apache+Tomcat application is:
http://iobis.marine.rutgers.edu/OBISBETA/OBIS.jsp

 ^


Just a reminder of the mapping from httpd.conf
ProxyPass /OBISBETA http://localhost:8082/OBISDEV
ProxyPassReverse /OBISBETA localhost:8082/OBISDEV

   ^   

As you can see, the Path: in the cookie does not match the URL path, 
so the session cookie will not get sent back to the server.


Since the mod_proxy of Apache 1.3 doesn't support rewriting Cookie 
paths, your only option is to change the ProxyPass local path to 
match the back-end (and connect to that), or have Tomcat match its 
mount path to what the front-end thinks it is.


That's really all I can think of right now.

S.




Thanks,
-=bill


Sander Temme wrote:


On Jan 24, 2007, at 11:00 AM, Wm.A.Stafford wrote:

   A bit more info has emerged, the admin believes  the Apache 
version is  1.3.20.


Running httpd -v will take away any shred of doubt.

   I'll see if there is any interest in moving to the latest 
Apache but at this point I think that is probably not an option 
because there are a lot of other users of this system and they 
would all have to buy in.  So I will need to proceed with 
configuration of the existing version.


Apache has made great strides since 1.3.20.  For starters, any 1.3 
version after that contains security fixes that you might want.  
As no other changes are made to that branch, an upgrade should not 
cause you any problems.


The proxy module that came with Apache 1.3 did not have the 
ProxyReverseCookiePath directive that I talked about earlier. See


http://httpd.apache.org/docs/1.3/mod/mod_proxy.html

for documentation on the 1.3 mod_proxy module.

Before we make any more guesses about the nature of your problem, 
I would like to learn from you whether the Cookie path mismatch is 
actually causing your issue.  Could you run the following test on 
your application:


1) Clear your browser cache and cookie store
2) Connect to your application through the Apache proxy and log in
3) Go back to your cookie store, see if anything emerged and send us the
   contents of any JSESSIONID cookies. Feel free to obfuscate as you see
   fit, as long as we have enough information to work with (domain and path
   are of paramount interest, as well as the complete URL you used to
   access your application in step 2).

Thanks,

S.

[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF










[EMAIL PROTECTED]http://www.temme.
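The cookie path mismatch diagnosed in this thread, worked through as an added example that is not part of the original messages: the browser's path-match rule (as later codified in RFC 6265, section 5.1.4) applied to the thread's own values, plus the Set-Cookie path rewrite that the 1.3 proxy cannot perform. The Set-Cookie header is constructed from the cookie viewer fields quoted above, and the function names are hypothetical.

```python
from urllib.parse import urlsplit


def path_matches(request_path, cookie_path):
    """Cookie path-match as codified in RFC 6265, section 5.1.4."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts on a segment boundary: /OBISDEV must not match /OBISDEVX.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_returned(request_url, cookie_path):
    """Would a browser attach a cookie with this Path to a request for request_url?"""
    return path_matches(urlsplit(request_url).path or "/", cookie_path)


def rewrite_cookie_path(set_cookie, backend_prefix, frontend_prefix):
    """Map the Path attribute of a back-end Set-Cookie value onto the front-end
    URL space. Attributes other than Path are passed through untouched."""
    parts = [p.strip() for p in set_cookie.split(";")]
    out = [parts[0]]  # name=value pair
    for attr in parts[1:]:
        name, _, value = attr.partition("=")
        if name.lower() == "path" and path_matches(value, backend_prefix):
            attr = f"{name}={frontend_prefix}{value[len(backend_prefix):]}"
        out.append(attr)
    return "; ".join(out)


# Values from the thread: ProxyPass /OBISBETA http://localhost:8082/OBISDEV
FRONT_URL = "http://iobis.marine.rutgers.edu/OBISBETA/OBIS.jsp"
# Constructed header, built from the cookie viewer output quoted in the thread.
BACKEND_SET_COOKIE = "JSESSIONID=10FA6EB4F5B24CBA716A7F5DAD1F4B3F; Path=/OBISDEV"

if __name__ == "__main__":
    # As configured: Tomcat scopes the cookie to /OBISDEV, the browser asks for /OBISBETA.
    print("sent as configured:      ", cookie_returned(FRONT_URL, "/OBISDEV"))
    # Option 1 from the thread: front-end path equals the back-end path.
    same_path_url = "http://iobis.marine.rutgers.edu/OBISDEV/OBIS.jsp"
    print("sent with matching paths:", cookie_returned(same_path_url, "/OBISDEV"))
    # What a proxy that can rewrite cookie paths would emit instead.
    fixed = rewrite_cookie_path(BACKEND_SET_COOKIE, "/OBISDEV", "/OBISBETA")
    print("rewritten header:        ", fixed)
    print("sent after rewrite:      ", cookie_returned(FRONT_URL, "/OBISBETA"))
```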

Re: [EMAIL PROTECTED] Apache + Tomcat = no session management

2007-01-26 Thread Sander Temme


On Jan 26, 2007, at 10:48 AM, Wm.A.Stafford wrote:

   I forgot to ask about one more aspect of this situation.  When  
we first realized that session cookies were not coming in to the  
app we tried url rewriting and that did not resolve the problem.   
Does Apache 1.3 do something to urls that have an explicit session id?

ex. ip_and_context ;jsessionid=blah de blah de blah &params.


This is not ringing a bell for me: mod_proxy should just forward the  
request query string unaltered.


   While searching for the solution to this I saw a web page that  
said a rewrite rule was required if url rewriting is used.  Is this  
the case and, if so, could you give me an example rule or direct me  
to a source for this rule.


Perhaps someone else has any direct experience with this.

S.


Sander Temme wrote:


On Jan 25, 2007, at 1:20 PM, Wm.A.Stafford wrote:


Sander,

Here is a cookie copied from Firefox cookie viewer when
the Apache+Tomcat machine was accessed from another machine.

Name: JSESSIONID
Content: 10FA6EB4F5B24CBA716A7F5DAD1F4B3F
Host: iobis.marine.rutgers.edu
Path: /OBISDEV



Send For: Any type of connection
Expires: at end of session

The URL to access the Apache+Tomcat application is:
http://iobis.marine.rutgers.edu/OBISBETA/OBIS.jsp

 ^


Just a reminder of the mapping from httpd.conf
ProxyPass /OBISBETA http://localhost:8082/OBISDEV
ProxyPassReverse /OBISBETA localhost:8082/OBISDEV

   ^   

As you can see, the Path: in the cookie does not match the URL  
path, so the session cookie will not get sent back to the server.


Since the mod_proxy of Apache 1.3 doesn't support rewriting Cookie  
paths, your only option is to change the ProxyPass local path to  
match the back-end (and connect to that), or have Tomcat match its  
mount path to what the front-end thinks it is.


That's really all I can think of right now.

S.




Thanks,
-=bill


Sander Temme wrote:


On Jan 24, 2007, at 11:00 AM, Wm.A.Stafford wrote:

   A bit more info has emerged, the admin believes  the Apache  
version is  1.3.20.


Running httpd -v will take away any shred of doubt.

   I'll see if there is any interest in moving to the latest  
Apache but at this point I think that is probably not an  
option because there are a lot of other users of this system  
and they would all have to buy in.  So I will need to proceed  
with configuration of the existing version.


Apache has made great strides since 1.3.20.  For starters, any  
1.3 version after that contains security fixes that you might  
want.  As no other changes are made to that branch, an upgrade  
should not cause you any problems.


The proxy module that came with Apache 1.3 did not have the  
ProxyReverseCookiePath directive that I talked about earlier. See


http://httpd.apache.org/docs/1.3/mod/mod_proxy.html

for documentation on the 1.3 mod_proxy module.

Before we make any more guesses about the nature of your  
problem, I would like to learn from you whether the Cookie path  
mismatch is actually causing your issue.  Could you run the  
following test on your application:


1) Clear your browser cache and cookie store
2) Connect to your application through the Apache proxy and log in
3) Go back to your cookie store, see if anything emerged and send us the
   contents of any JSESSIONID cookies. Feel free to obfuscate as you see
   fit, as long as we have enough information to work with (domain and path
   are of paramount interest, as well as the complete URL you used to
   access your application in step 2).

Thanks,

S.

[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





 





[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF










--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache + Tomcat = no session management

2007-01-26 Thread Wm.A.Stafford

Sander,

   I forgot to ask about one more aspect of this situation.  When we 
first realized that session cookies were not coming in to the app we 
tried url rewriting and that did not resolve the problem.  Does Apache 
1.3 do something to urls that have an explicit session id?

ex. ip_and_context ;jsessionid=blah de blah de blah &params.

   While searching for the solution to this I saw a web page that said 
a rewrite rule was required if url rewriting is used.  Is this the case 
and, if so, could you give me an example rule or direct me to a source 
for this rule.


   Thanks again,
   -=bill

Sander Temme wrote:


On Jan 25, 2007, at 1:20 PM, Wm.A.Stafford wrote:


Sander,

Here is a cookie copied from Firefox cookie viewer when
the Apache+Tomcat machine was accessed from another machine.

Name: JSESSIONID
Content: 10FA6EB4F5B24CBA716A7F5DAD1F4B3F
Host: iobis.marine.rutgers.edu
Path: /OBISDEV



Send For: Any type of connection
Expires: at end of session

The URL to access the Apache+Tomcat application is:
http://iobis.marine.rutgers.edu/OBISBETA/OBIS.jsp

 ^


Just a reminder of the mapping from httpd.conf
ProxyPass /OBISBETA http://localhost:8082/OBISDEV
ProxyPassReverse /OBISBETA localhost:8082/OBISDEV

   ^   

As you can see, the Path: in the cookie does not match the URL path, 
so the session cookie will not get sent back to the server.


Since the mod_proxy of Apache 1.3 doesn't support rewriting Cookie 
paths, your only option is to change the ProxyPass local path to match 
the back-end (and connect to that), or have Tomcat match its mount 
path to what the front-end thinks it is.


That's really all I can think of right now.

S.




Thanks,
-=bill


Sander Temme wrote:


On Jan 24, 2007, at 11:00 AM, Wm.A.Stafford wrote:

   A bit more info has emerged, the admin believes  the Apache 
version is  1.3.20.


Running httpd -v will take away any shred of doubt.

   I'll see if there is any interest in moving to the latest 
Apache but at this point I think that is probably not an option 
because there are a lot of other users of this system and they 
would all have to buy in.  So I will need to proceed with 
configuration of the existing version.


Apache has made great strides since 1.3.20.  For starters, any 1.3 
version after that contains security fixes that you might want.  As 
no other changes are made to that branch, an upgrade should not 
cause you any problems.


The proxy module that came with Apache 1.3 did not have the 
ProxyReverseCookiePath directive that I talked about earlier. See


http://httpd.apache.org/docs/1.3/mod/mod_proxy.html

for documentation on the 1.3 mod_proxy module.

Before we make any more guesses about the nature of your problem, I 
would like to learn from you whether the Cookie path mismatch is 
actually causing your issue.  Could you run the following test on 
your application:


1) Clear your browser cache and cookie store
2) Connect to your application through the Apache proxy and log in
3) Go back to your cookie store, see if anything emerged and send us the
   contents of any JSESSIONID cookies. Feel free to obfuscate as you see
   fit, as long as we have enough information to work with (domain and path
   are of paramount interest, as well as the complete URL you used to
   access your application in step 2).

Thanks,

S.

[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF










[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF








Re: [EMAIL PROTECTED] apache + ssl: client denied by server configuration

2007-01-26 Thread Sander Temme
Your VirtualHost has a DocumentRoot, but your main server doesn't.  
This means that when requests are not matched to your virtual host,  
the main server will use the compiled-in default.


Your problem is that your VirtualHost has port number 433: that needs  
to be 443.


S.

On Jan 26, 2007, at 9:04 AM, Sam Carleton wrote:


I am trying to get SSL up and running on my new apache server.  The
server starts up just fine and serves up regular pages on port 80, but
when I direct it towards the SSL port, Firefox gives me an error:

"bv..com has sent an incorrect or unexpected message.
Error Code: -12263"

When I look at the apache error log, I get this:

client denied by server configuration: /usr/local/apache2/htdocs/

what is strange is that I am not using /usr/local/apache2/htdocs/
anywhere in the httpd.conf file. I have searched and searched the
config file for htdocs and it simply is not there.  Any thoughts?

Sam

P.S.  Here is my complete httpd.conf file:

ServerRoot /usr/local/apache2
PidFile /usr/local/apache2/logs/httpd.pid

Listen 80
ServerAdmin scarleton@.com
ServerSignature Off
User httpd
Group httpd
HostNameLookups Off
TimeOut 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 1000
ServerTokens ProductOnly

LoadModule php5_module modules/libphp5.so

AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php .inc
AddHandler application/x-httpd-php .class
AddHandler application/x-httpd-php .module

DefaultType text/plain


  TypesConfig conf/mime.types
  AddType application/x-compress .Z
  AddType application/x-gzip .gz .tgz


DirectoryIndex index.html index.php


  Order Allow,Deny
  Deny from all



  Order Allow,Deny
  Deny from all



  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None



  Order Allow,Deny
  Allow from all


LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/httpd/access_log combined

LogLevel info
ErrorLog /var/log/httpd/error_log


  DocumentRoot /home/www/mainroot


Listen 443


  AddType application/x-x509-ca-cert  .crt
  AddType application/x-pkcs7-crl .crl


SSLPassPhraseDialog builtin
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024


  DocumentRoot "/home/www/subversion"
  ServerName bv..com
  SSLEngine on
  #SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
  #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCipherSuite HIGH:MEDIUM
  SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
  SSLOptions +StrictRequire
  SSLProtocol -all +TLSv1 +SSLv3
  SetEnvIf User-Agent ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0







--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
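The mismatch identified in this reply (a VirtualHost bound to port 433 while the server listens on 443) can be caught mechanically before a restart. An added example, not part of the original thread: a small Python check that compares Listen ports with VirtualHost ports. The container lines and the `_default_` address in the sample are constructed, since the archived config shows only the directives inside the containers.

```python
import re

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)


def port_of(addr):
    """Port of '443', '*:443', '192.0.2.1:443' or '[::1]:443'; None if absent or '*'."""
    addr = addr.strip()
    if addr.isdigit():
        return int(addr)
    _host, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def audit_listen_vs_vhosts(conf_text):
    """Find virtual hosts no listener can reach, and listening ports that no
    virtual host claims (those are answered by the main server config)."""
    listen_ports = set()
    vhosts = []  # (line number, address as written, port or None)
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = LISTEN_RE.match(line)
        if m:
            port = port_of(m.group(1))
            if port is not None:
                listen_ports.add(port)
            continue
        m = VHOST_RE.match(line)
        if m:
            # A container may name several addresses separated by whitespace.
            for addr in m.group(1).split():
                vhosts.append((lineno, addr, port_of(addr)))
    orphan = [v for v in vhosts if v[2] is not None and v[2] not in listen_ports]
    any_port = any(v[2] is None for v in vhosts)  # '*' or '*:*' covers every port
    covered = {v[2] for v in vhosts}
    uncovered = sorted(p for p in listen_ports if not any_port and p not in covered)
    return {"orphan_vhosts": orphan, "ports_without_vhost": uncovered}


# Constructed sample reproducing the reported situation.
SAMPLE_CONF = """\
Listen 80
<VirtualHost *:80>
  DocumentRoot /home/www/mainroot
</VirtualHost>
Listen 443
<VirtualHost _default_:433>
  DocumentRoot "/home/www/subversion"
  SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    report = audit_listen_vs_vhosts(SAMPLE_CONF)
    for lineno, addr, port in report["orphan_vhosts"]:
        print(f"line {lineno}: <VirtualHost {addr}> uses port {port}, which has no Listen")
    for port in report["ports_without_vhost"]:
        print(f"port {port}: no VirtualHost matches, main server settings apply")
```

With the typo in place, requests on 443 never reach the SSL virtual host, so they are served with the main server's settings, including the compiled-in document root seen in the error log.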






Re: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status "...reading..." & TCP state "FIN_WAIT_2"

2007-01-26 Thread Sander Temme

Chirouze,

On Jan 26, 2007, at 8:41 AM, Chirouze Olivier wrote:


Thanks for your prompt reply. We will definitively upgrade soon, just
"to be up to date"... But because nothing is said about that point in
docs I'm wondering if that will make any difference...


I doubt it. The Apache 2.0.x branch at this moment mainly gets  
security fixes, and not a lot else.  The difference between  
subsequent versions tends to be fairly small, and we tend to tell you  
what the fixes are.


You tell us that you are seeing an unusually high number of children  
sitting in 'R' stage, which means they are attempting to read a full  
request.  Reading requests *should* not take very long (this also  
depends on the kind of requests you expect to get), and it may be  
that you are under attack.  This may be deliberate or accidental.


Do you have something like a Firewall in front of your server that  
drops idle TCP connections?  If this happens, your Apache server will  
not notice this and keep trying to read the incoming data.


In any case, you may try to reduce the value of the Timeout directive  
in your configuration file.


The high number of FIN_WAIT_2 connections you observe may be normal,  
but it may be the result of the situation sketched above.  Once  
Apache is done with a connection, it'll close that and forget about  
it.  The Apache child will then get ready to accept a new connection,  
and the kernel takes care of closing the TCP connection.  It does  
this by sending a FIN packet to the client, who sends an ACK back.   
Then the client is supposed to send its own FIN, and while this  
happens the server will have that socket in FIN_WAIT_2 state.  After  
the client sends its FIN, the server ACKnowledges and puts the socket  
into TIME_WAIT before it can be re-used.  You can see a full diagram  
of this process in Figure 18.12 in TCP Illustrated, Volume 1 by W.  
Richard Stevens.


If you are dealing with clients that don't bother sending their FIN,  
or have something in-between that messes with the connection and its  
termination, you may be stuck with this.  You can use kernel tunables  
like the ones you mention below to reduce the overhead.


Once again, Apache has nothing to do with the TCP handshake process.   
However, you may be able to reduce the effect of these 'R'  
connections by reducing the timeout and raising the number of  
available child processes (if your log file tells you that the server  
reached MaxClients).


Regards,

Sander

Anyway, we're providing both HTTP and HTTPS. Might be interesting to try
recognize if this happens on both? I will have a look at it.

Do you think you might give me the values of the following Unix params
on your Solaris 9 installs?

tcp_fin_wait_2_flush_interval
tcp_keepalive_interval
tcp_ip_abort_interval

Thanks in advance,

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology

-Original Message-
From: Richard de Vries [mailto:[EMAIL PROTECTED]
Sent: 26 January 2007 17:35
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status
"...reading..." & TCP state "FIN_WAIT_2"

Interesting problem.

I am running Apache 2.0.59 as a reverse proxy on multiple Solaris 9 and
AIX servers and have never encountered these types of issues. Perhaps
you should try upgrading to 2.0.59 on one of your development machines
and see if that makes a difference. If not, it is most likely an OS
and/or configuration issue.

What other plugins are you running? Also, is this HTTP proxying, or
HTTPS?

- Original Message 
From: Chirouze Olivier <[EMAIL PROTECTED]>
To: users@httpd.apache.org
Sent: Friday, January 26, 2007 9:56:46 AM
Subject: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status
"...reading..." & TCP state "FIN_WAIT_2"


Hi all,

I'm facing a quite tricky situation with Apache 2.0.58 running on
Solaris 5.9.

Apache is running as a reverse proxy (mod_proxy + mod_rewrite).
The maximum concurrent connections is set to 150.

Because we reached the maximum a few times and got the reverse proxy
saturated, we started monitoring the Apache status page (/status).
We noticed that many requests were in the "..reading.." state (up to
40!), and they block a lot of slots.

At first, we upgraded from 2.0.47 to 2.0.58 because it seemed there was
a security hole in the earlier, fixed in 2.0.48.
I found some explanation here:
http://www.monkeybrains.net/~rudy/example/server_busy_state.html.

The thing is, the situation is starting to appear again with 2.0.58.

We've gone down to Unix and found that most of these requests were in
"FIN_WAIT_2" TCP state, and for a while (approx. 8min!!).

We found this: http://httpd.apache.org/docs/2.0/misc/fin_wait_2.html.
What it says, in a word, is that these things can happen and are
"normal": the connection stays in "FIN_WAIT_2" state until the timeout,
if clients do not close it properly. They just say it can be a problem
on the Unix point of view because.
I don't

Re: [EMAIL PROTECTED] apache + ssl: client denied by server configuration

2007-01-26 Thread Serge Dubrouski

Have you tried to add


 Order Allow,Deny
 Allow from all


into your config?

On 1/26/07, Sam Carleton <[EMAIL PROTECTED]> wrote:

I am trying to get SSL up and running on my new apache server.  The
server starts up just fine and serves up regular pages on port 80, but
when I direct it towards the SSL port, Firefox gives me an error:

"bv..com has sent an incorrect or unexpected message.
Error Code: -12263"

When I look at the apache error log, I get this:

client denied by server configuration: /usr/local/apache2/htdocs/

what is strange is that I am not using /usr/local/apache2/htdocs/
anywhere in the httpd.conf file. I have searched and searched the
config file for htdocs and it simply is not there.  Any thoughts?

Sam

P.S.  Here is my complete httpd.conf file:

ServerRoot /usr/local/apache2
PidFile /usr/local/apache2/logs/httpd.pid

Listen 80
ServerAdmin scarleton@.com
ServerSignature Off
User httpd
Group httpd
HostNameLookups Off
TimeOut 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 1000
ServerTokens ProductOnly

LoadModule php5_module modules/libphp5.so

AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php .inc
AddHandler application/x-httpd-php .class
AddHandler application/x-httpd-php .module

DefaultType text/plain


   TypesConfig conf/mime.types
   AddType application/x-compress .Z
   AddType application/x-gzip .gz .tgz


DirectoryIndex index.html index.php


   Order Allow,Deny
   Deny from all



   Order Allow,Deny
   Deny from all



   Order Deny,Allow
   Deny from all
   Options None
   AllowOverride None



   Order Allow,Deny
   Allow from all


LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/httpd/access_log combined

LogLevel info
ErrorLog /var/log/httpd/error_log


   DocumentRoot /home/www/mainroot


Listen 443


   AddType application/x-x509-ca-cert  .crt
   AddType application/x-pkcs7-crl .crl


SSLPassPhraseDialog builtin
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024


   DocumentRoot "/home/www/subversion"
   ServerName bv..com
   SSLEngine on
   #SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
   #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
   SSLCipherSuite HIGH:MEDIUM
   SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
   SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
   SSLOptions +StrictRequire
   SSLProtocol -all +TLSv1 +SSLv3
   SetEnvIf User-Agent ".*MSIE.*" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0





Re: [EMAIL PROTECTED] special chars in URLS

2007-01-26 Thread Octavian Rasnita
Yes I've tried adding a \ before the % char, but this just adds another %5c 
before %25.


Thanks.

Octavian

- Original Message - 
From: "Chirouze Olivier" <[EMAIL PROTECTED]>

To: 
Sent: Friday, January 26, 2007 5:43 PM
Subject: RE: [EMAIL PROTECTED] special chars in URLS


Did you try adding \ before the % char?

Olivier


Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology

-Original Message-
From: Octavian Rasnita [mailto:[EMAIL PROTECTED]
Sent: 26 January 2007 16:38
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] special chars in URLS

Hi,

I am trying to make a server side redirect using:

RedirectMatch ^/$ http://www.site.com/index.php/test%C4%83

But the server redirects to another address:
http://www.site.com/index.php/test%25C4%2583

So it replaces the % char with %25.

Is it possible to make a server side redirect to an address that
contains special chars?

Thanks.

Octavian





[EMAIL PROTECTED] apache + ssl: client denied by server configuration

2007-01-26 Thread Sam Carleton

I am trying to get SSL up and running on my new apache server.  The
server starts up just fine and serves up regular pages on port 80, but
when I direct it towards the SSL port, Firefox gives me an error:

"bv..com has sent an incorrect or unexpected message.
Error Code: -12263"

When I look at the apache error log, I get this:

client denied by server configuration: /usr/local/apache2/htdocs/

what is strange is that I am not using /usr/local/apache2/htdocs/
anywhere in the httpd.conf file. I have searched and searched the
config file for htdocs and it simply is not there.  Any thoughts?

Sam

P.S.  Here is my complete httpd.conf file:

ServerRoot /usr/local/apache2
PidFile /usr/local/apache2/logs/httpd.pid

Listen 80
ServerAdmin scarleton@.com
ServerSignature Off
User httpd
Group httpd
HostNameLookups Off
TimeOut 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 1000
ServerTokens ProductOnly

LoadModule php5_module modules/libphp5.so

AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php .inc
AddHandler application/x-httpd-php .class
AddHandler application/x-httpd-php .module

DefaultType text/plain


  TypesConfig conf/mime.types
  AddType application/x-compress .Z
  AddType application/x-gzip .gz .tgz


DirectoryIndex index.html index.php


  Order Allow,Deny
  Deny from all



  Order Allow,Deny
  Deny from all



  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None



  Order Allow,Deny
  Allow from all


LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/httpd/access_log combined

LogLevel info
ErrorLog /var/log/httpd/error_log


  DocumentRoot /home/www/mainroot


Listen 443


  AddType application/x-x509-ca-cert  .crt
  AddType application/x-pkcs7-crl .crl


SSLPassPhraseDialog builtin
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024


  DocumentRoot "/home/www/subversion"
  ServerName bv..com
  SSLEngine on
  #SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
  #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCipherSuite HIGH:MEDIUM
  SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
  SSLOptions +StrictRequire
  SSLProtocol -all +TLSv1 +SSLv3
  SetEnvIf User-Agent ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0





RE: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status "...reading..." & TCP state "FIN_WAIT_2"

2007-01-26 Thread Chirouze Olivier
Hi,

Thanks for your prompt reply. We will definitely upgrade soon, just
"to be up to date"... But because nothing is said about that point in
docs I'm wondering if that will make any difference...

Anyway, we're providing both HTTP and HTTPS. Might be interesting to try
to recognize if this happens on both? I will have a look at it.

Do you think you might give me the values of the following Unix params
on your Solaris 9 installs?

tcp_fin_wait_2_flush_interval
tcp_keepalive_interval
tcp_ip_abort_interval

Thanks in advance,

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology

-Original Message-
From: Richard de Vries [mailto:[EMAIL PROTECTED] 
Sent: 26 January 2007 17:35
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status
"...reading..." & TCP state "FIN_WAIT_2"

Interesting problem.

I am running Apache 2.0.59 as a reverse proxy on multiple Solaris 9 and
AIX servers and have never encountered these types of issues. Perhaps
you should try upgrading to 2.0.59 on one of your development machines
and see if that makes a difference. If not, it is most likely an OS
and/or configuration issue.

What other plugins are you running? Also, is this HTTP proxying, or
HTTPS?

- Original Message 
From: Chirouze Olivier <[EMAIL PROTECTED]>
To: users@httpd.apache.org
Sent: Friday, January 26, 2007 9:56:46 AM
Subject: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status
"...reading..." & TCP state "FIN_WAIT_2"


Hi all,

I'm facing a quite tricky situation with Apache 2.0.58 running on
Solaris 5.9.

Apache is running as a reverse proxy (mod_proxy + mod_rewrite).
The maximum concurrent connections is set to 150.

Because we reached the maximum a few times and got the reverse proxy
saturated, we started monitoring the Apache status page (/status).
We noticed that many requests were in the "..reading.." state (up to
40!), and they block a lot of slots.

At first, we upgraded from 2.0.47 to 2.0.58 because it seemed there was
a security hole in the earlier, fixed in 2.0.48.
I found some explanation here:
http://www.monkeybrains.net/~rudy/example/server_busy_state.html.

The thing is, the situation is starting to appear again with 2.0.58.

We've gone down to Unix and found that most of these requests were in
"FIN_WAIT_2" TCP state, and for a while (approx. 8min!!).

We found this: http://httpd.apache.org/docs/2.0/misc/fin_wait_2.html.
What it says, in a word, is that these things can happen and are
"normal": the connection stays in "FIN_WAIT_2" state until the timeout,
if clients do not close it properly. They just say it can be a problem
on the Unix point of view because.
I don't know if this is still true for 2.0 because the article was just
copied from 1.3. The thing is, it says that "The connections in
FIN_WAIT_2 do not tie up an httpd process". For us, IT DOES! Every
"..reading.." request happened to be in the "FIN_WAIT_2" state.

We have contacted Sun to get their opinion. The short answer is "you can
change the FIN_WAIT_2 timeout but be careful because wrong tuning will
have negative impact. Maybe you should wonder why these connections stay
alive". As far as I understood, the connection is not closed by the
client. The server (Apache) does nothing wrong. But maybe it does, as it
doesn't leave the process free?

My questions are:
Has anyone heard about similar problems?
Why do these connections hold a process of Apache while the
documentation says it doesn't?
Do you reckon tuning the Unix timeout would help? (current value of
tcp_fin_wait_2_flush_interval: 675000 ms - 11min!! This looks just
huge!)

Thanks in advance,

Olivier

Olivier CHIROUZE
I&0 Infrastructure

Volvo Information Technology







Re: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status "...reading..." & TCP state "FIN_WAIT_2"

2007-01-26 Thread Richard de Vries
Interesting problem.

I am running Apache 2.0.59 as a reverse proxy on multiple Solaris 9 and AIX 
servers and have never encountered these types of issues. Perhaps you should 
try upgrading to 2.0.59 on one of your development machines and see if that 
makes a difference. If not, it is most likely an OS and/or configuration issue.

What other plugins are you running? Also, is this HTTP proxying, or HTTPS?

- Original Message 
From: Chirouze Olivier <[EMAIL PROTECTED]>
To: users@httpd.apache.org
Sent: Friday, January 26, 2007 9:56:46 AM
Subject: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status "...reading..." 
& TCP state "FIN_WAIT_2"


Hi all,

I'm facing a quite tricky situation with Apache 2.0.58 running on
Solaris 5.9.

Apache is running as a reverse proxy (mod_proxy + mod_rewrite).
The maximum concurrent connections is set to 150.

Because we reached the maximum a few times and got the reverse proxy
saturated, we started monitoring the Apache status page (/status).
We noticed that many requests were in the "..reading.." state (up to
40!), and they block a lot of slots.

At first, we upgraded from 2.0.47 to 2.0.58 because it seemed there was
a security hole in the earlier, fixed in 2.0.48.
I found some explanation here:
http://www.monkeybrains.net/~rudy/example/server_busy_state.html.

The thing is, the situation is starting to appear again with 2.0.58.

We've gone down to Unix and found that most of these requests were in
"FIN_WAIT_2" TCP state, and for a while (approx. 8min!!).

We found this: http://httpd.apache.org/docs/2.0/misc/fin_wait_2.html.
What it says, in a word, is that these things can happen and are
"normal": the connection stays in "FIN_WAIT_2" state until the timeout,
if clients do not close it properly. They just say it can be a problem
on the Unix point of view because.
I don't know if this is still true for 2.0 because the article was just
copied from 1.3. The thing is, it says that "The connections in
FIN_WAIT_2 do not tie up an httpd process". For us, IT DOES! Every
"..reading.." request happened to be in the "FIN_WAIT_2" state.

We have contacted Sun to get their opinion. The short answer is "you can
change the FIN_WAIT_2 timeout but be careful because wrong tuning will
have negative impact. Maybe you should wonder why these connections stay
alive". As far as I understood, the connection is not closed by the
client. The server (Apache) does nothing wrong. But maybe it does, as it
doesn't leave the process free?

My questions are:
Has anyone heard about similar problems?
Why do these connections hold a process of Apache while the
documentation says it doesn't?
Do you reckon tuning the Unix timeout would help? (current value of
tcp_fin_wait_2_flush_interval: 675000 ms - 11min!! This looks just
huge!)

Thanks in advance,

Olivier

Olivier CHIROUZE
I&0 Infrastructure

Volvo Information Technology







[EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status "...reading..." & TCP state "FIN_WAIT_2"

2007-01-26 Thread Chirouze Olivier
Hi all,

I'm facing a quite tricky situation with Apache 2.0.58 running on
Solaris 5.9.

Apache is running as a reverse proxy (mod_proxy + mod_rewrite).
The maximum concurrent connections is set to 150.

Because we reached the maximum a few times and got the reverse proxy
saturated, we started monitoring the Apache status page (/status).
We noticed that many requests were in the "..reading.." state (up to
40!), and they block a lot of slots.

At first, we upgraded from 2.0.47 to 2.0.58 because it seemed there was
a security hole in the earlier, fixed in 2.0.48.
I found some explanation here:
http://www.monkeybrains.net/~rudy/example/server_busy_state.html.

The thing is, the situation is starting to appear again with 2.0.58.

We've gone down to Unix and found that most of these requests were in
"FIN_WAIT_2" TCP state, and for a while (approx. 8min!!).

We found this: http://httpd.apache.org/docs/2.0/misc/fin_wait_2.html.
What it says, in a word, is that these things can happen and are
"normal": the connection stays in "FIN_WAIT_2" state until the timeout,
if clients do not close it properly. They just say it can be a problem
on the Unix point of view because.
I don't know if this is still true for 2.0 because the article was just
copied from 1.3. The thing is, it says that "The connections in
FIN_WAIT_2 do not tie up an httpd process". For us, IT DOES! Every
"..reading.." request happened to be in the "FIN_WAIT_2" state.

We have contacted Sun to get their opinion. The short answer is "you can
change the FIN_WAIT_2 timeout but be careful because wrong tuning will
have negative impact. Maybe you should wonder why these connections stay
alive". As far as I understood, the connection is not closed by the
client. The server (Apache) does nothing wrong. But maybe it does, as it
doesn't leave the process free?

My questions are:
Has anyone heard about similar problems?
Why do these connections hold a process of Apache while the
documentation says it doesn't?
Do you reckon tuning the Unix timeout would help? (current value of
tcp_fin_wait_2_flush_interval: 675000 ms - 11min!! This looks just
huge!)

Thanks in advance,

Olivier

Olivier CHIROUZE
I&0 Infrastructure
 
Volvo Information Technology







RE: [EMAIL PROTECTED] special chars in URLS

2007-01-26 Thread Chirouze Olivier
Did you try adding \ before the % char?

Olivier 


Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology

-Original Message-
From: Octavian Rasnita [mailto:[EMAIL PROTECTED] 
Sent: 26 January 2007 16:38
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] special chars in URLS

Hi,

I am trying to make a server side redirect using:

RedirectMatch ^/$ http://www.site.com/index.php/test%C4%83

But the server redirects to another address:
http://www.site.com/index.php/test%25C4%2583

So it replaces the % char with %25.

Is it possible to make a server side redirect to an address that
contains 
special chars?

Thanks.

Octavian





[EMAIL PROTECTED] special chars in URLS

2007-01-26 Thread Octavian Rasnita

Hi,

I am trying to make a server side redirect using:

RedirectMatch ^/$ http://www.site.com/index.php/test%C4%83

But the server redirects to another address:
http://www.site.com/index.php/test%25C4%2583

So it replaces the % char with %25.

Is it possible to make a server side redirect to an address that contains 
special chars?


Thanks.

Octavian





Re: [EMAIL PROTECTED] Apache + Tomcat = no session management

2007-01-26 Thread Wm.A.Stafford

Sander,

   Thanks a million for all your help! 


   -=bill

Sander Temme wrote:


On Jan 25, 2007, at 1:20 PM, Wm.A.Stafford wrote:


Sander,

Here is a cookie copied from Firefox cookie viewer when
the Apache+Tomcat machine was accessed from another machine.

Name: JSESSIONID
Content: 10FA6EB4F5B24CBA716A7F5DAD1F4B3F
Host: iobis.marine.rutgers.edu
Path: /OBISDEV



Send For: Any type of connection
Expires: at end of session

The URL to access the Apache+Tomcat application is:
http://iobis.marine.rutgers.edu/OBISBETA/OBIS.jsp

 ^


Just a reminder of the mapping from httpd.conf
ProxyPass /OBISBETA http://localhost:8082/OBISDEV
ProxyPassReverse /OBISBETA localhost:8082/OBISDEV

   ^   

As you can see, the Path: in the cookie does not match the URL path, 
so the session cookie will not get sent back to the server.


Since the mod_proxy of Apache 1.3 doesn't support rewriting Cookie 
paths, your only option is to change the ProxyPass local path to match 
the back-end (and connect to that), or have Tomcat match its mount 
path to what the front-end thinks it is.


That's really all I can think of right now.

S.




Thanks,
-=bill


Sander Temme wrote:


On Jan 24, 2007, at 11:00 AM, Wm.A.Stafford wrote:

   A bit more info has emerged, the admin believes  the Apache 
version is  1.3.20.


Running httpd -v will take away any shred of doubt.

   I'll see if there is any interest in moving to the latest 
Apache but at this point I think that is probably not an option 
because there are a lot of other users of this system and they 
would all have to buy in.  So I will need to proceed with 
configuration of the existing version.


Apache has made great strides since 1.3.20.  For starters, any 1.3 
version after that contains security fixes that you might want.  As 
no other changes are made to that branch, an upgrade should not 
cause you any problems.


The proxy module that came with Apache 1.3 did not have the 
ProxyReverseCookiePath directive that I talked about earlier. See


http://httpd.apache.org/docs/1.3/mod/mod_proxy.html

for documentation on the 1.3 mod_proxy module.

Before we make any more guesses about the nature of your problem, I 
would like to learn from you whether the Cookie path mismatch is 
actually causing your issue.  Could you run the following test on 
your application:


1) Clear your browser cache and cookie store
2) Connect to your application through the Apache proxy and log in
3) Go back to your cookie store, see if anything emerged and send us the
   contents of any JSESSIONID cookies. Feel free to obfuscate as you see
   fit, as long as we have enough information to work with (domain and path
   are of paramount interest, as well as the complete URL you used to
   access your application in step 2).

Thanks,

S.

[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF










[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
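
The path mismatch Sander describes above, worked through as an added example (not code from the thread or from the Apache project): RFC 6265 path matching applied to the cookie and URL quoted in the thread, plus the Set-Cookie path rewrite a proxy would need to perform. The function names are hypothetical, and the Set-Cookie string is constructed from the cookie viewer output.

```python
"""Why the JSESSIONID cookie from the thread never comes back through the proxy.

Added illustration. Function names are hypothetical; the values are the ones
quoted in the thread (cookie Path /OBISDEV, public URL /OBISBETA/OBIS.jsp).
"""
from urllib.parse import urlsplit

PUBLIC_URL = "http://iobis.marine.rutgers.edu/OBISBETA/OBIS.jsp"  # from the thread
# Constructed from the cookie viewer output quoted in the thread.
BACKEND_SET_COOKIE = "JSESSIONID=10FA6EB4F5B24CBA716A7F5DAD1F4B3F; Path=/OBISDEV"


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: would a browser send the cookie?"""
    if not request_path.startswith("/"):
        request_path = "/"
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # The prefix must end on a segment boundary: /OBISDEV covers
        # /OBISDEV/x but not /OBISDEVELOPMENT.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def browser_sends_cookie(url: str, cookie_path: str) -> bool:
    """Apply the path-match rule to the path component of a full URL."""
    return path_matches(urlsplit(url).path or "/", cookie_path)


def rewrite_set_cookie_path(header_value: str, backend_path: str, public_path: str) -> str:
    """Map the Path attribute of one Set-Cookie value from the back-end
    prefix to the public prefix; every other attribute passes through."""
    parts = [p.strip() for p in header_value.split(";")]
    out = [parts[0]]  # the name=value pair always comes first
    for attr in parts[1:]:
        name, _, value = attr.partition("=")
        if name.strip().lower() == "path" and path_matches(value, backend_path):
            remainder = value[len(backend_path):].lstrip("/")
            value = public_path.rstrip("/")
            if remainder:
                value += "/" + remainder
            attr = f"{name}={value or '/'}"
        out.append(attr)
    return "; ".join(out)


if __name__ == "__main__":
    print("sent with Path=/OBISDEV: ", browser_sends_cookie(PUBLIC_URL, "/OBISDEV"))
    fixed = rewrite_set_cookie_path(BACKEND_SET_COOKIE, "/OBISDEV", "/OBISBETA")
    print("rewritten header:        ", fixed)
    print("sent with Path=/OBISBETA:", browser_sends_cookie(PUBLIC_URL, "/OBISBETA"))
```
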








RE: [EMAIL PROTECTED] SSL Certificate on Intranet Virtual Host

2007-01-26 Thread Chirouze Olivier
Hi,

This is my first contribution to the list so please don't be too rude if
I'm wrong ;-)

But I think we have the same situation here:

Onename.server.com/
Othername.server.com
Somethingelse.server.com

And our SSL certificate is for *.server.com

** WE ** did provide this certificate from ** our own ** certificate
authority (not from Verisign or else).
That's what causes a warning to pop up ("the certificate can't be
verified")

If you're in the same situation, you need to provide your clients with
the certificate of the certificate authority. This should be a .crt file
that you can publish on http => this way, clients can just access the
url (http://Onename.server.com/thecertificate.crt,
http://Othername.server.com/thecertificate.crt, etc.) and the web
browser (IE or Firefox at least) will automatically suggest to import the
certificate of the certificate authority => do this once and you'll
never have the warning anymore.

Hope I helped,

Olivier 


Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology

-Original Message-
From: Serge Dubrouski [mailto:[EMAIL PROTECTED] 
Sent: 25 January 2007 19:56
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] SSL Certificate on Intranet Virtual Host

For SSL it won't work because SSL session gets established before URL is
parsed.

On 1/25/07, Rob Sterenborg <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED]  wrote:
> > I run several intranet sites for our company on a linux
> > server using VirtualHosts.  I've created a wildcard SSL
> > certificate for our intranet sites which work when I browse
> > to the fully qualified domain name (i.e.
> > https://home.domain.org) but most of our users use the short
> > name to get around (https://home) which causes a security
> > warning.  Is there a way to fix this or am I doomed to
> > require users to use the fully qualified domain name?
>
> Perhaps you can use a rewrite rule to point the to the FQDN.
> http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritecond
>
> This may or may not work for you; I'm not exactly a rewrite-guru, but
> *something* along these lines is what I'm using to do some rewriting
> (and this is my only experience with it):
>
> 
> RewriteEngine on
> RewriteCond %{SERVER_NAME} !^$
> RewriteRule ^.*$ https://%{REQUEST_URI} [L,R]
> ...
> 
>
>
> Grts,
> Rob
>
>
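
The name check behind the warning discussed in this thread, as an added example (not code from the thread): the browser compares the host typed in the URL bar with the certificate's names during the TLS handshake, before any HTTP request exists for a rewrite rule to act on. The pattern `*.domain.org` is an assumption derived from the example FQDN in the question, and the function names are hypothetical.

```python
"""Why https://home warns while https://home.domain.org does not.

Added illustration. The wildcard pattern *.domain.org is assumed from the
FQDN quoted in the thread; function names are hypothetical.
"""
from urllib.parse import urlsplit


def hostname_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with the requested host.

    Rules in the style of RFC 6125: comparison is case-insensitive and
    label by label; '*' is accepted only as the whole left-most label and
    stands for exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a short name such as "home" fails here
    first, rest = p_labels[0], p_labels[1:]
    if any("*" in label for label in rest):
        return False  # wildcard outside the left-most label
    if rest != h_labels[1:]:
        return False
    if first == "*":
        # Refuse overly broad patterns such as "*.org".
        return len(p_labels) >= 3 and h_labels[0] != ""
    if "*" in first:
        return False  # partial wildcards ("ho*") are not accepted here
    return first == h_labels[0]


def check_urls(cert_names, urls):
    """Return {url: True/False} for whether any certificate name covers
    the host exactly as the user typed it."""
    results = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        results[url] = any(hostname_matches(name, host) for name in cert_names)
    return results


if __name__ == "__main__":
    urls = ["https://home.domain.org/", "https://home/"]
    for url, ok in check_urls(["*.domain.org"], urls).items():
        print(f"{url:28} {'accepted' if ok else 'warning: name mismatch'}")
```
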




Re: [EMAIL PROTECTED] is it possible ? (ssl-tunneling)

2007-01-26 Thread arry


Hi,

Thanks for the reply and the configurations.
I made a similar configuration - but just without virtualhost directive -
and it works.

But with firefox it shows the locker (ssl picture on the browser)
crossed by a line.

With IE it doesn't show the locker but every time a connection is initiated
it shows a message that ssl starts and then immediately it shows a
message that ssl ends.

Does this mean that the data between the client and the reversed
proxy is in ssl?

my config:

 SSLEngine on
 SSLProtocol -all +TLSv1 +SSLv3
 SSLCertificateFile /etc/apache2/server.crt
 SSLCertificateKeyFile /etc/apache2/server.key



 SSLCipherSuite MEDIUM
 SSLRequireSSL


 ## Digest 
 AuthType Digest
 AuthName "Restricted Area"
 AuthDigestDomain /arena/
 AuthDigestProvider file
 AuthUserFile /var/www/.digestpwd
 Require valid-user

 ProxyPass  http://arena.com/
 ProxyPassReverse http://arena.com/








On 1/22/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Hi,

is it possible to have the connection between the client and the reverse proxy
encrypted with ssl and authorization basic ? smth like ssh-tunneling ?

example :

   client < SSL  >  Apache  <-> origin server
  reversed
  proxy


Yes. This is even a very common setup.


ServerName wsecure.foo.com

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile conf/ssl/web.cert
SSLCertificateKeyFile conf/ssl/server.key
SSLCertificateChainFile conf/ssl/web.cert



 ProxyPass http://insecure.foo.com/app
  AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /usr/local/apache/passwd/groups
Require group GroupName

   



--
[EMAIL PROTECTED]
Bremgarten b. Bern, Switzerland
--





[EMAIL PROTECTED] Apache mod_dbd and Oracle

2007-01-26 Thread Garnier, Jeremie
Hi all,



I try to use connection pooling in apache using mod_dbd...

I test APR/APU and so the connection with the database is ok but I want to know 
how to use mod_dbd?

I make all configurations in httpd.conf (DBDriver oracle,...). The module 
mod_dbd is well loaded ...

Now, I will use mod_dbd... Do you know how to include mod_dbd API in a cgi script 
(or C program) as there is no example or documentation of mod_dbd...

Thanks all for your help...





Jérémie






[EMAIL PROTECTED] Content negotiation with parameters in mimetype

2007-01-26 Thread Richard Kaye
Hi,

I'm new to this list (hello!).  Hope this is the right place to ask
my question. I have searched the web quite extensively for answers
but not got any.

I want to do Content Negotiation with a mime type (application/xhtml+xml)
using its "profile" parameter. My server is an Apache 2.2.3, and
currently I am using the +MultiViews flavour of Content Negotiation.

I want to associate a filename extension .mhtml to

  application/xhtml+xml;profile="FOO"

so that:

1. a web client requesting "...application/xhtml+xml;profile="FOO"..."
in its HTTP Accept header will receive such a file if it exists
but will NOT receive other application/xhtml+xml documents from
existing servers across the web unless that document has the
parameter value profile="FOO" explicitly set at the server.

2. a web client requesting plain old "...application/xhtml+xml..."
in its HTTP Accept header will also receive such a file if it exists
whatever the parameter values at the server are;

3. clients not asking for application/xhtml+xml or asking for
"...application/xhtml+xml;profile="BAR"..." will not get these files.
(If they ask for */* only I will provide a text/html file as the default
according to the usual Apache rules.)

My understanding of the specs (
  http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.1
and
  http://www.rfc-editor.org/rfc/rfc3236.txt
) tells me that this should be possible and that it has already been
foreseen that people like me would need this feature, but I can't
seem to configure my Apache to do it.  All the obvious attempts
at an AddType directive fail.  I'd be grateful for any pointers
or help, even (sadly) if you have to tell me that I have misread
the specs and what I want is not possible.

Many thanks

Richard

(Richard Kaye)
