RE: [EMAIL PROTECTED] Issue with SSL configuration.

2008-10-30 Thread Boyle Owen
I think you're not getting responses because your question is a bit
muddled...

By ".. able to use the SSL at the apache level .." I am assuming that
https://server/filepath returns the file at DocumentRoot/filepath -
i.e. you can get local content via HTTPS. Is this so?

If so, all you need to do now is proxy this VH to the back-end server
(i.e. the weblogic thingy). For this you need Proxy directives, e.g.

ProxyPass / http://back-end-server/

then a request for https://server/filepath will cause apache to fetch
http://back-end-server/filepath and return it, via HTTPS, to the client.

I don't quite understand why you have paths like /OPSWeb/neo... That
makes it look like apache is fetching the back-end content via the
filesystem (e.g. shared disks). If so, that's not right - a proxy is
simply a way of forwarding HTTP requests so that all data are
transferred by HTTP. No need for the servers to see each other's files.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

 




From: Vasanth Kumar ravi [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 30, 2008 6:30 AM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Issue with SSL configuration.


All,
Can someone throw light on this issue?

Thanks.


On Wed, Oct 29, 2008 at 4:28 PM, Vasanth Kumar ravi
[EMAIL PROTECTED] wrote:


Thanks folks..
After posting this in the forum, I did extensive
research on the internet and it was resolved.
The major problem was due to the Virtual host
configuration. Now I am able to use the SSL at the apache level.

wildcard NameVirtualHosts and _default_ servers:
*:443  is a NameVirtualHost
 default server gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:362)
 port 443 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:362)
 port 443 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:376)
*:80   is a NameVirtualHost
 default server gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:332)
 port 80 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:332)
 port 80 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:343)

I need your help in some configuration ideas.
I'm trying to set up something like the below.
Client ---SSL--- Apache ---HTTP--- WebLogic

I request http://hostname/OPSWeb/neo from the browser
and it goes to the login page and I am able to perform all the
functions.
When I request https://hostname/OPSWeb/neo, it doesn't
give a login page, but it gives a pop-up in IE "Access is Denied. Type
Error".
As stated earlier, I need to have HTTPS between the
browser and the web server and HTTP between the Apache and Weblogic.
Also there is no SSL enabled at the Weblogic level.

Do we have to write some ProxyReverse Parameters/Rewrite
rules?
Let me know if you need any further details.

Please advise. 




On Tue, Oct 28, 2008 at 10:35 PM, Krist van Besien
[EMAIL PROTECTED] wrote:


On Tue, Oct 28, 2008 at 3:36 AM, Vasanth Kumar
ravi
[EMAIL PROTECTED] wrote:

 SSLCertificateFile
/usr/share/ssl/certs/server.crt/
 SSLCertificateKeyFile
/usr/share/ssl/certs/server.key/


The argument to SSLCertificateFile and
SSLCertificateKeyFile is a
_file_, not a directory. Just enter the full
path to your cert and
private key here.


 I had copied the certs to the openssl certs
directory and created hashlinks
 for them.


Creating hashkeys is not necessary. Apache knows
where to find its
cert if you give  SSLCertificateFile the correct
value.

Krist

--
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
  

[EMAIL PROTECTED] 502 proxy error

2008-10-30 Thread isha b
Team,
When I try to access an application using reverse proxy, most of the time I
end up with the error below. Does anybody have an idea what could be causing the
issue? After a few refreshes of the page I get the actual page, but most of the
time I end up with the proxy error below:



Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /testingtool/.
Reason: Error reading from remote server


Apache/2.2.3 (Fedora) Server at testingserver.test.com Port 443


Thanks,
Isha


RE: [EMAIL PROTECTED] 502 proxy error

2008-10-30 Thread Boyle Owen


From: isha b [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 30, 2008 12:47 PM
To: users@httpd.apache.org; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [EMAIL PROTECTED] 502 proxy error


 
 
Team,
When I try to access an application using reverse proxy, most of
the time I end up with the error below. Does anybody have an idea what could
be causing the issue? After a few refreshes of the page I get the actual
page, but most of the time I end up with the proxy error below:
 
 
 
Proxy Error
The proxy server received an invalid response from an upstream
server.
The proxy server could not handle the request GET /testingtool/.
Reason: Error reading from remote server
 



Apache/2.2.3 (Fedora) Server at testingserver.test.com Port 443
 
 
Thanks,
Isha


Apache is the proxy, is it?

It could be the back-end server is not working reliably - what happens
if you access it directly?

If it seems OK, how long does it take to respond? If it's a slow
application it may take longer than apache is prepared to wait (see
ProxyTimeout, KeepAliveTimeout).

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: [EMAIL PROTECTED] mod_ssl + basic auth

2008-10-30 Thread Jorge Medina
 
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient
 
Try moving SSLVerifyClient outside of the Directory, just in your
VirtualHost.  
 
Also, it seems that "optional" is not supported by all browsers. You must
use "require".
 




From: Ricardo Ramos [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2008 11:06 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] mod_ssl + basic auth


Hi!
 
I want to do this: check if the client sends me a certificate which my
self-signed CA has signed or if the client is inside the same network or
if the client enters a username+password.
 
However, with this, I can't have my browser(s) prompting me for a
certificate.. it just seems that that part is ignored...
 
Any suggestions?
 
PS - i've seen already the ssl_howto page (in fact this is a bit based
from there)
 
Thanks in advance for any help!
 
Ricardo
 
<VirtualHost 10.254.0.54:443>
    ServerName            intra54.dei.uc.pt
    DocumentRoot          /var/www/intra54/html
    ServerAdmin           [EMAIL PROTECTED]
    SSLEngine             on
    SSLCertificateFile    /var/www/intra54/ssl/intra54.crt
    SSLCertificateKeyFile /var/www/intra54/ssl/intra54.key
    SSLCACertificateFile  /etc/pki/SSC_CA/ssc_ca.crt

    <Directory /var/www/intra54/html>
        Order        deny,allow
        Deny         from all
        Allow        from 10.254.0.0/24

        AuthType     basic
        AuthName     "Area intra54.dei.uc.pt"
        AuthUserFile /var/www/intra54/passwd/passwd
        Require      valid-user

        Satisfy any

        SSLVerifyClient optional
        SSLVerifyDepth  1
        SSLOptions      -StrictRequire

        #   SSLRequireSSL
    </Directory>
</VirtualHost>




[us...@httpd] Apache 1.3.33 + suexec upgrade

2008-10-30 Thread Julian Grunnell
Hi - I'm trying to upgrade a 1.3.33 Apache server to 1.3.41 with SuEXEC
and am struggling with SuEXEC, the server is several years old with no
documentation or any of the old software / config logs at all. I've got
Apache installing just fine with suexec but it's the --suexec-docroot
+ --suexec-userdir I'm struggling with.

The suexec docs & examples are very good but with this particular server
the websites are all under the following directory structure:

/home/[a-z]/[a-z]/username/public_html/ so the same as
/home/*/*/*/public_html/ I suppose.

The docs don't give an example for this kind of setup and I've been
unable to find an example, I thought this would be the correct configure
line for Apache:


./configure --prefix= --enable-module=vhost_alias --enable-module=ssl \
  --enable-suexec --suexec-caller=nobody --suexec-logfile=/var/log/suexec.log \
  --suexec-safepath=/bin:/usr/bin --server-uid=nobody --server-gid=nobody \
  --suexec-docroot=home --suexec-userdir=public_html


Server version: Apache/1.3.41 (Unix)
Server built:   Oct 30 2008 13:10:03
Server's Module Magic Number: 19990320:18
Server compiled with
 -D EAPI
 -D HAVE_MMAP
 -D USE_MMAP_SCOREBOARD
 -D USE_MMAP_FILES
 -D HAVE_FLOCK_SERIALIZED_ACCEPT
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D DYNAMIC_MODULE_LIMIT=64
 -D HARD_SERVER_LIMIT=256
 -D SO_ACCEPTFILTER
 -D ACCEPT_FILTER_NAME=httpready
 -D HTTPD_ROOT=
 -D SUEXEC_BIN=/bin/suexec
 -D DEFAULT_PIDLOG=logs/httpd.pid
 -D DEFAULT_SCOREBOARD=logs/httpd.scoreboard
 -D DEFAULT_LOCKFILE=logs/httpd.lock
 -D DEFAULT_ERRORLOG=logs/error_log
 -D TYPES_CONFIG_FILE=conf/mime.types
 -D SERVER_CONFIG_FILE=conf/httpd.conf
 -D ACCESS_CONFIG_FILE=conf/access.conf
 -D RESOURCE_CONFIG_FILE=conf/srm.conf

./suexec -V
 -D DOC_ROOT=/home
 -D GID_MIN=100
 -D HTTPD_USER=nobody
 -D LOG_EXEC=/var/log/suexec.log
 -D SAFE_PATH=/bin:/usr/bin
 -D UID_MIN=100
 -D USERDIR_SUFFIX=public_html


But when I try my php test script I get the following in the suexec
logfile:

[2008-10-30 12:36:24]: info: (target/actual) uid: (nobody/nobody) gid:
(sites/sites) cmd: php.cgi
[2008-10-30 12:36:24]: emerg: cannot get docroot information (home)

But home is there ... I checked.

I thought this might be because I didn't put a / in front of home for
--suexec-docroot=home, but when I did the error changed to:

[2008-10-30 13:11:07]: info: (target/actual) uid: (nobody/nobody) gid:
(sites/sites) cmd: php.cgi
[2008-10-30 13:11:07]: error: command not in docroot
(/execscriptdir/php.cgi)

Yes I suppose strictly speaking it is not in docroot but it is under
docroot:


So in a last ditch effort I amended --suexec-docroot= to be
--suexec-docroot=/home/*/*/*/ but this causes the make of Apache to
fail at this stage:

gcc -c  -I../os/unix -I../include   -funsigned-char -DMOD_SSL=208131
-DEAPI -DUSE_EXPAT -I../lib/expat-lite -DNO_DL_NEEDED
-DHTTPD_USER=\"nobody\"  -DUID_MIN=100  -DGID_MIN=100
-DUSERDIR_SUFFIX=\"public_html\"  -DLOG_EXEC=\"/var/log/suexec.log\"
-DDOC_ROOT=\"/home/a/a/aaabbb/ /home/f/i/fiftyfive/
/home/f/i/fiftytwotest/ /home/t/e/testdon/ /home/t/e/testtest\"
-DSAFE_PATH=\"/bin:/usr/bin\" suexec.c
gcc: /home/t/e/testtest: No such file or directory
suexec.c: In function `main':
suexec.c:277: error: missing terminating " character
suexec.c:277: error: syntax error before ')' token
suexec.c:487: error: missing terminating " character
suexec.c:487: error: too few arguments to function `chdir'
suexec.c:490: error: missing terminating " character
suexec.c:490: error: syntax error before ')' token
*** Error code 1

Stop in /usr/fs/src/apache_1.3.41/src/support.
*** Error code 1

Stop in /usr/fs/src/apache_1.3.41.
*** Error code 1

Stop in /usr/fs/src/apache_1.3.41.



It seems to be expanding out ALL the folders under /home for some
reason? The error about No such file or directory is also odd as this
and the ones mentioned before ALL exist.


Any help would be greatly appreciated - Julian.



Julian Grunnell
UNIX Systems Administrator (Leeds)
Webfusion

Tel: 0208 587 7212
Mob: 07803 649593
Web: http://www.webfusion.co.uk/




RE: [EMAIL PROTECTED] 502 proxy error

2008-10-30 Thread Mehta, Anish
Are you using mod_proxy_ajp and load balancing between backend servers?
We used to see this error a lot but when we added timeout parameter to
BalancerMember directive it went away.

You may also want to try this or add the same parameter to ProxyPass
directive (timeout=300).

Regards,
AM

-Original Message-
From: Boyle Owen [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 30, 2008 9:31 AM
To: users@httpd.apache.org
Subject: RE: [EMAIL PROTECTED] 502 proxy error



From: isha b [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 30, 2008 12:47 PM
To: users@httpd.apache.org; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [EMAIL PROTECTED] 502 proxy error


 
 
Team,
When I try to access an application using reverse proxy, most of
the time I end up with the error below. Does anybody have an idea what could
be causing the issue? After a few refreshes of the page I get the actual
page, but most of the time I end up with the proxy error below:
 
 
 
Proxy Error
The proxy server received an invalid response from an upstream
server.
The proxy server could not handle the request GET /testingtool/.
Reason: Error reading from remote server
 



Apache/2.2.3 (Fedora) Server at testingserver.test.com Port 443
 
 
Thanks,
Isha


Apache is the proxy, is it?

It could be the back-end server is not working reliably - what happens
if you access it directly?

If it seems OK, how long does it take to respond? If it's a slow
application it may take longer than apache is prepared to wait (see
ProxyTimeout, KeepAliveTimeout).

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 







Re: [EMAIL PROTECTED] mod_ssl + basic auth

2008-10-30 Thread Ricardo Ramos
That doesn't seem to work for me. I mean, it asks me for the certificate,
however if the certificate is accepted, it will still check if it is inside
the lan or if the user/pass is ok. What I really wanted would be if a valid
certificate is received, then promptly accept the client.

Yeah I read about that.. But is there another way that I can solve my
problem?

Thanks!

Ricardo

On Thu, Oct 30, 2008 at 1:55 PM, Jorge Medina [EMAIL PROTECTED] wrote:


 http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient

 Try moving SSLVerifyClient outside of the Directory, just in your
 VirtualHost.

 Also, it seems that "optional" is not supported by all browsers. You must use
 "require".


  --
 *From:* Ricardo Ramos [mailto:[EMAIL PROTECTED]
 *Sent:* Wednesday, October 29, 2008 11:06 PM
 *To:* users@httpd.apache.org
 *Subject:* [EMAIL PROTECTED] mod_ssl + basic auth

   Hi!

 I want to do this: check if the client sends me a certificate which my
 self-signed CA has signed or if the client is inside the same network or if
 the client enters a username+password.

 However, with this, I can't have my browser(s) prompting me for a
 certificate.. it just seems that that part is ignored...

 Any suggestions?

 PS - i've seen already the ssl_howto page (in fact this is a bit based from
 there)

 Thanks in advance for any help!

 Ricardo

 <VirtualHost 10.254.0.54:443>
     ServerName            intra54.dei.uc.pt
     DocumentRoot          /var/www/intra54/html
     ServerAdmin           [EMAIL PROTECTED]
     SSLEngine             on
     SSLCertificateFile    /var/www/intra54/ssl/intra54.crt
     SSLCertificateKeyFile /var/www/intra54/ssl/intra54.key
     SSLCACertificateFile  /etc/pki/SSC_CA/ssc_ca.crt

     <Directory /var/www/intra54/html>
         Order        deny,allow
         Deny         from all
         Allow        from 10.254.0.0/24

         AuthType     basic
         AuthName     "Area intra54.dei.uc.pt"
         AuthUserFile /var/www/intra54/passwd/passwd
         Require      valid-user

         Satisfy any

         SSLVerifyClient optional
         SSLVerifyDepth  1
         SSLOptions      -StrictRequire

         #   SSLRequireSSL
     </Directory>
 </VirtualHost>



RE: [EMAIL PROTECTED] Issue with SSL configuration.

2008-10-30 Thread Mehta, Anish
Define the following in your httpd.conf. This will change the URL to HTTPS
even if someone types in HTTP.

Listen *:80

<VirtualHost *:80>
    ServerAdmin [EMAIL PROTECTED]

    RewriteEngine On
    RewriteCond  %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]

    Header unset X-Powered-By
</VirtualHost>

Then make changes to your httpd/conf.d/ssl.conf VirtualHost
configuration as follows:

<VirtualHost _default_:443>

    # General setup for the virtual host, inherited from global
    # configuration
    DocumentRoot /var/www/html
    ServerName <IP address of the web server>:443
    ServerAdmin [EMAIL PROTECTED]

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on

    SSLProtocol -ALL +SSLv3 +TLSv1

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    RewriteEngine On
    RewriteCond  %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]

</VirtualHost>

If your application was working without SSL, it should work with SSL
(HTTPS URL) after you make these changes.

 

Regards,

AM

 



From: Vasanth Kumar ravi [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 30, 2008 1:30 AM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Issue with SSL configuration.

 

All,
Can someone throw light on this issue.

Thanks.

On Wed, Oct 29, 2008 at 4:28 PM, Vasanth Kumar ravi
[EMAIL PROTECTED] wrote:

Thanks folks..
After posting this in the forum, I did extensive research on the
internet and it was resolved.
The major problem was due to the Virtual host configuration. Now I am able
to use the SSL at the apache level.

wildcard NameVirtualHosts and _default_ servers:
*:443  is a NameVirtualHost
 default server gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:362)
 port 443 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:362)
 port 443 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:376)
*:80   is a NameVirtualHost
 default server gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:332)
 port 80 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:332)
 port 80 namevhost gelxd002.sony.com.sg
(/home/apache/conf/httpd.conf:343)

I need your help in some configuration ideas.
I'm trying to set up something like the below.
Client ---SSL--- Apache ---HTTP--- WebLogic

I request http://hostname/OPSWeb/neo from the browser and it goes to
the login page and I am able to perform all the functions.
When I request https://hostname/OPSWeb/neo, it doesn't give a login
page, but it gives a pop-up in IE "Access is Denied. Type Error".
As stated earlier, I need to have HTTPS between the browser and the web
server and HTTP between the Apache and Weblogic.
Also there is no SSL enabled at the Weblogic level.

Do we have to write some ProxyReverse Parameters/Rewrite rules?
Let me know if you need any further details.

Please advise.






On Tue, Oct 28, 2008 at 10:35 PM, Krist van Besien
[EMAIL PROTECTED] wrote:

On Tue, Oct 28, 2008 at 3:36 AM, Vasanth Kumar ravi
[EMAIL PROTECTED] wrote:

 SSLCertificateFile /usr/share/ssl/certs/server.crt/
 SSLCertificateKeyFile /usr/share/ssl/certs/server.key/

The argument to SSLCertificateFile and SSLCertificateKeyFile is a
_file_, not a directory. Just enter the full path to your cert and
private key here.


 I had copied the certs to the openssl certs directory and created
hashlinks
 for them.

Creating hashkeys is not necessary. Apache knows where to find its
cert if you give  SSLCertificateFile the correct value.

Krist

--
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?







-- 
Regards & Thanks,
Vasanth Kumar Ravi




-- 
Regards & Thanks,
Vasanth Kumar Ravi
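The following is an added example, not a configuration posted by anyone in this thread. It puts together what the replies above describe for the "Client ---SSL--- Apache ---HTTP--- WebLogic" setup: Owen's ProxyPass advice, the port-80-to-HTTPS redirect Anish shows, and the per-back-end timeout from the "502 proxy error" thread. The public name ops.example.com, the back end weblogic.internal:7001 and the certificate paths are placeholders; whether WebLogic honours the WL-Proxy-SSL header depends on its "WebLogic Plug-In Enabled" setting, which is assumed to be on.

```apacheconf
# Added example, not taken from any message in the thread.
# Client ---HTTPS--- Apache ---HTTP--- WebLogic, with no local content on Apache.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be loaded.
# Placeholders: ops.example.com (public name), weblogic.internal:7001 (back end)
# and the certificate/key paths.

Listen 80
Listen 443

# Reverse proxy only. With ProxyRequests On anyone could use this host as an
# open forward proxy; ProxyPass does not need it.
ProxyRequests Off

# Port 80 exists only to move browsers to HTTPS. A fixed target is used
# rather than %{HTTP_HOST} so the redirect cannot be steered by the Host header.
<VirtualHost *:80>
    ServerName ops.example.com
    Redirect permanent / https://ops.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName ops.example.com
    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_access_log combined

    SSLEngine on
    # Placeholder paths; the key file should be readable by root only.
    SSLCertificateFile    /etc/httpd/ssl/ops.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ops.example.com.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # Everything under / is fetched from WebLogic over plain HTTP; no
    # DocumentRoot or filesystem sharing is involved.
    # timeout= is per back end and addresses the "Error reading from remote
    # server" 502 when the application is merely slow (see the 502 thread).
    ProxyPreserveHost On
    ProxyPass        / http://weblogic.internal:7001/ timeout=300

    # Rewrite Location headers in WebLogic's 3xx responses so a redirect
    # issued by the application stays on the public HTTPS name. Two forms
    # are needed: WebLogic may build the URL from its own address or, because
    # ProxyPreserveHost is on, from the public host name it saw in Host:.
    ProxyPassReverse / http://weblogic.internal:7001/
    ProxyPassReverse / http://ops.example.com/

    # Tell the application the original request was HTTPS so it emits
    # https:// links and Secure cookies. X-Forwarded-Proto is the generic
    # header; WL-Proxy-SSL is the one WebLogic reads when its "WebLogic
    # Plug-In Enabled" setting is on (assumption: it is on for this domain).
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set WL-Proxy-SSL "true"
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading, then request https://ops.example.com/OPSWeb/neo and watch logs/ssl_error_log: a "proxy: error reading status line" or "Error reading from remote server" entry points at the back end or the timeout, not at the TLS side.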



RE: [EMAIL PROTECTED] mod_auth_ldap

2008-10-30 Thread Jorge Medina
I'm not sure I am understanding your question:
 
By "for another domain", do you mean another site? If so, use
VirtualHost to define each domain and use the appropriate LDAP server
for each one.
 
If you want to authenticate users against two unrelated LDAP domains,
then you may look if there is a way to specify multiple servers in the
AuthLDAPURL directive. I think this is not possible.
 



From: Juan Pablo Roig [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 27, 2008 10:05 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] mod_auth_ldap


Hi everyone!!
I am using this module to auth the users thru an LDAP server, but now I
have more users in another LDAP server for another domain. Does anyone
know how to do this?
This is my config now:

<Directory /opt/globant/mediawiki-1.6.9-infra>
    Options Indexes FollowSymLinks
    AllowOverride None
    order allow,deny
    AuthName "Infra Login Users"
    AuthType Basic
    AuthLDAPURL ldap://10.90.0.2/DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "ACCF165\ldapusr"
    AuthLDAPBindPassword globant25k
    AuthType Basic
    Require group "cn=wiki_acc_usrs,OU=People,DC=accendra,DC=com"
    Satisfy Any
</Directory>
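Added example, not the poster's configuration and not something Jorge proposed: one way to consult two unrelated LDAP domains for the same directory is to give each server its own named authentication provider and list both in AuthBasicProvider. This needs Apache 2.2 with mod_authnz_ldap and mod_authn_alias (in 2.4 the alias section is built into mod_authn_core), so it assumes a newer server than the 2.0-era mod_auth_ldap in the question. Host names, DNs, module paths and the bind passwords are placeholders.

```apacheconf
# Added example (not the poster's config): authenticate against two
# unrelated LDAP domains by giving each server its own named provider and
# listing both in AuthBasicProvider. Needs Apache 2.2 with mod_authn_alias
# and mod_authnz_ldap (2.4: mod_authn_core, mod_authnz_ldap, mod_ldap).
# Module paths, host names, DNs and the bind passwords are placeholders.

LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authn_alias_module modules/mod_authn_alias.so

# First domain. STARTTLS keeps the bind credentials and the users' passwords
# off the wire; the directory servers must offer it on port 389.
<AuthnProviderAlias ldap ldap-accendra>
    AuthLDAPURL "ldap://dc1.accendra.example/DC=accendra,DC=com?sAMAccountName?sub?(objectClass=user)" STARTTLS
    AuthLDAPBindDN       "CN=ldapusr,OU=Service Accounts,DC=accendra,DC=com"
    AuthLDAPBindPassword "REPLACE-WITH-BIND-PASSWORD"
</AuthnProviderAlias>

# Second domain: separate server, separate read-only bind account.
<AuthnProviderAlias ldap ldap-otherdomain>
    AuthLDAPURL "ldap://dc1.otherdomain.example/DC=otherdomain,DC=com?sAMAccountName?sub?(objectClass=user)" STARTTLS
    AuthLDAPBindDN       "CN=ldapusr,OU=Service Accounts,DC=otherdomain,DC=com"
    AuthLDAPBindPassword "REPLACE-WITH-BIND-PASSWORD"
</AuthnProviderAlias>

<Directory /opt/globant/mediawiki-1.6.9-infra>
    Options Indexes FollowSymLinks
    AllowOverride None

    AuthType          Basic
    AuthName          "Infra Login Users"
    # Providers are tried in this order; the first one that knows the
    # user name decides, so a name present in both domains is always
    # resolved against ldap-accendra.
    AuthBasicProvider ldap-accendra ldap-otherdomain
    Require valid-user
</Directory>
```

Two practical points. The bind passwords are read at start-up by root, so the file holding the two alias sections can be an Include'd file with mode 0600 owned by root rather than sitting in a world-readable httpd.conf. And authorization here is plain valid-user: a per-domain group check would need a Require that each provider can answer for its own server, which this example does not attempt.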



RE: [EMAIL PROTECTED] mod_ssl + basic auth

2008-10-30 Thread Jorge Medina
Maybe you need to specify SSLOptions +FakeBasicAuth
 
http://httpd.apache.org/docs/2.2/en/ssl/ssl_howto.html#accesscontrol



From: Ricardo Ramos [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 30, 2008 10:21 AM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] mod_ssl + basic auth


That doesn't seem to work for me. I mean, it asks me for the
certificate, however if the certificate is accepted, it will still check
if it is inside the lan or if the user/pass is ok. What I really wanted
would be if a valid certificate is received, then promptly accept the
client.
 
Yeah I read about that.. But is there another way that I can solve my
problem?
 
Thanks!
 
Ricardo


On Thu, Oct 30, 2008 at 1:55 PM, Jorge Medina [EMAIL PROTECTED]
wrote:


 

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient
 
Try moving SSLVerifyClient outside of the Directory, just in
your VirtualHost.  
 
Also, it seems that "optional" is not supported by all browsers.
You must use "require".
 




From: Ricardo Ramos [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2008 11:06 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] mod_ssl + basic auth


Hi!
 
I want to do this: check if the client sends me a certificate
which my self-signed CA has signed or if the client is inside the same
network or if the client enters a username+password.
 
However, with this, I can't have my browser(s) prompting me for
a certificate.. it just seems that that part is ignored...
 
Any suggestions?
 
PS - i've seen already the ssl_howto page (in fact this is a bit
based from there)
 
Thanks in advance for any help!
 
Ricardo
 
<VirtualHost 10.254.0.54:443>
    ServerName            intra54.dei.uc.pt
    DocumentRoot          /var/www/intra54/html
    ServerAdmin           [EMAIL PROTECTED]
    SSLEngine             on
    SSLCertificateFile    /var/www/intra54/ssl/intra54.crt
    SSLCertificateKeyFile /var/www/intra54/ssl/intra54.key
    SSLCACertificateFile  /etc/pki/SSC_CA/ssc_ca.crt

    <Directory /var/www/intra54/html>
        Order        deny,allow
        Deny         from all
        Allow        from 10.254.0.0/24

        AuthType     basic
        AuthName     "Area intra54.dei.uc.pt"
        AuthUserFile /var/www/intra54/passwd/passwd
        Require      valid-user

        Satisfy any

        SSLVerifyClient optional
        SSLVerifyDepth  1
        SSLOptions      -StrictRequire

        #   SSLRequireSSL
    </Directory>
</VirtualHost>
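Added example, neither Ricardo's configuration nor Jorge's suggestion: what Ricardo describes wanting ("if a valid certificate is received, then promptly accept the client", otherwise the LAN check or a password) maps directly onto Apache 2.4's RequireAny with mod_ssl's ssl-verify-client authorization provider, which is the assumption here; the thread is on 2.0/2.2, where Satisfy any plus SSLOptions +FakeBasicAuth is the route Jorge points to. It keeps Ricardo's names and paths and follows Jorge's advice to ask for the certificate at the VirtualHost level.

```apacheconf
# Added example (not the poster's config): accept a client with a valid
# certificate from our CA at once, otherwise fall back to the LAN check
# or to a username/password. Needs Apache 2.4 (mod_authz_core RequireAny,
# mod_ssl's ssl-verify-client provider, mod_authz_host, mod_authn_file).
# Paths, host name and network are taken from the thread's configuration.

<VirtualHost 10.254.0.54:443>
    ServerName   intra54.dei.uc.pt
    DocumentRoot /var/www/intra54/html

    SSLEngine             on
    SSLCertificateFile    /var/www/intra54/ssl/intra54.crt
    SSLCertificateKeyFile /var/www/intra54/ssl/intra54.key
    # The CA that signs the client certificates we trust.
    SSLCACertificateFile  /etc/pki/SSC_CA/ssc_ca.crt

    # Ask for the client certificate here, in the initial handshake. Inside
    # <Directory> the request would only happen through a renegotiation,
    # which is what made the browser prompt disappear in the thread.
    # "optional": a client without a certificate still connects; a
    # certificate that does not chain to the CA above fails the handshake.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Directory /var/www/intra54/html>
        AuthType     Basic
        AuthName     "Area intra54.dei.uc.pt"
        AuthUserFile /var/www/intra54/passwd/passwd

        # Any one of these grants access (the 2.4 form of "Satisfy any").
        <RequireAny>
            # 1. the client presented a certificate our CA signed
            Require ssl-verify-client
            # 2. the client is on the local network
            Require ip 10.254.0.0/24
            # 3. the client knows a username and password
            Require valid-user
        </RequireAny>
    </Directory>
</VirtualHost>
```

Because the certificate is checked by mod_ssl as part of the handshake, the password file only needs real users in it: there is no need for the DN-with-fixed-password entries that FakeBasicAuth requires. A client that has no certificate and is not on 10.254.0.0/24 receives the usual 401 and can still authenticate with Basic auth.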





Re: AW: AW: [EMAIL PROTECTED] Stripping or setting certain http response headerrs

2008-10-30 Thread Harald Falkenberg
Hi,

thank you for this information. Yes, this works so far. Unfortunately the
env=... switch is not available for mod_expires directives.

Do you have an idea how to generate a valid time stamp for the expires
response header? %d and %t seem not to help here.

I would like to generate something like:
setenvif User-Agent myagent_value match_agent
header set expires current_time +shift env=match_agent

regards
Harald

On Wed, 29 Oct 2008 [EMAIL PROTECTED] wrote:

 In such cases, you work with environment variables.

 The doc lists the following example:

 SetEnvIf MyRequestHeader myvalue HAVE_MyRequestHeader
 Header set MyHeader "%D %t mytext" env=HAVE_MyRequestHeader

 Alternatively you can set the environment variable via mod_rewrite
 to allow for more complicated conditions.

 hope this helps,

 Christian

 --
 Christian Folini, IT 222
 Webserver Security Engineer


 -Original Message-
 From: Harald Falkenberg [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 29 October 2008 15:14
 To: Folini Christian, IT222 extern
 Cc: users@httpd.apache.org
 Subject: Re: AW: [EMAIL PROTECTED] Stripping or setting certain http response 
 headerrs


 Hi,

 yes, I saw it already. But how to change http response headers only in 
 certain cases? For certain user agents?

 If you can give me an example, that would be nice.

 regards
   Harald





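Added example, not from Harald or Christian: setting cache lifetime headers only for requests from a given User-Agent, using the environment-variable pattern Christian describes. Since mod_expires has no env= clause (as Harald notes), the freshness lifetime is expressed as Cache-Control: max-age through mod_headers, which does have one; HTTP/1.1 caches prefer max-age over Expires anyway, so no time stamp has to be generated. "MyAgent" is a placeholder user-agent string.

```apacheconf
# Added example (not from the thread): cache headers that depend on the
# User-Agent. mod_setenvif sets a per-request variable, mod_headers tests it
# with env=. Works on 2.2 and 2.4. "MyAgent" is a placeholder agent string.

LoadModule setenvif_module modules/mod_setenvif.so
LoadModule headers_module  modules/mod_headers.so

# Regular-expression match on the request header, case-insensitive; the
# variable exists for this request only.
SetEnvIfNoCase User-Agent "^MyAgent/" match_agent

# Only when the flag is set: the response may be cached for one hour.
Header set Cache-Control "public, max-age=3600" env=match_agent

# For everyone else: keep the response out of shared caches.
Header set Cache-Control "private, no-store" env=!match_agent

# The response now varies by User-Agent, so say so. This fragments shared
# caches heavily; it is the price of agent-specific cache policy.
Header append Vary User-Agent
```

The same env= clause works for `Header unset` and `Header set Expires ...`, so stripping a header for one class of agents is the same two lines with `unset` in place of `set`.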



[us...@httpd] q: transfer encoding request header te: chunked

2008-10-30 Thread Harald Falkenberg
Hi,

I found that some agents send http request headers as follows:
te: chunked

questions:
1. What is the meaning of this header? I still haven't found any
description of it.
2. It looks like this request header (te: chunked) leads to
requests bypassing the apache cache, and all
requests are sent to the back-end web servers (like using
force reload in the browser). Can the header te: chunked
explain such behaviour or is there something else wrong?


regards
Harald Falkenberg

and requests always




Re: [us...@httpd] q: transfer encoding request header te: chunked

2008-10-30 Thread Eric Covener
On Thu, Oct 30, 2008 at 12:24 PM, Harald Falkenberg
[EMAIL PROTECTED] wrote:
 Hi,

 I found that some agents send http request headers as follows:
te: chunked

 questions:
 1. What is the meaning of this header? I still haven't found any
description of it.

rfc 2616 section 3.6.1

 2. It looks like this request header (te: chunked) leads to
requests bypassing the apache cache, and all
requests are sent to the back-end web servers (like using
force reload in the browser). Can the header te: chunked
explain such behaviour or is there something else wrong?

If it's a chunked request body, it's likely not a GET -- so it won't be cached.

See what can be cached here:
http://httpd.apache.org/docs/2.2/caching.html#overview


-- 
Eric Covener
[EMAIL PROTECTED]




Re: [us...@httpd] q: transfer encoding request header te: chunked

2008-10-30 Thread Tom Evans
On Thu, 2008-10-30 at 17:24 +0100, Harald Falkenberg wrote:
 Hi,
 
 I found that some agents send http request headers as follows:
   te: chunked

For some secret definition of "some"? Can we know which UAs send this?

 
 questions:
 1. What is the meaning of this header? I still haven't found any
   description of it.

RTFRFC
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.39

 2. It looks like this request header (te: chunked) leads to
   requests bypassing the apache cache, and all
   requests are sent to the back-end web servers (like using
   force reload in the browser). Can the header te: chunked
   explain such behaviour or is there something else wrong?

Doubt it. It simply negotiates how the client and server are prepared to
talk to each other; it shouldn't have any effect on caching. If the
exact same request is repeated, but without the TE header, does it then
hit the cache? telnet is your friend.

 
 
 regards
   Harald Falkenberg
 
   and requests always

Cheers

Tom





Re: [EMAIL PROTECTED] Issue with SSL configuration.

2008-10-30 Thread Vasanth Kumar ravi
Alright.
Let me make the requirements clear then.

Currently we have an application hosted in weblogic and we do not have any
web servers in the setup.
This application is accessed by the url http://ip address/OPSWeb/neo.

I have set up an Apache 2.0.63 web server in front of the weblogic, which
will proxy all the client requests to weblogic.
I do not have any static files / application hosted in the Apache (it has to
fwd all requests to the weblogic).
I have set up VH for both ports 80 and 443.
The apache ssl setup has been completed.
The client would request https://ip address/OPSWeb/neo from the browser
which should be proxied to weblogic server.
Also bear in mind that the weblogic is not running on *https*.
Do I have to define a Directory/Document root for proxying all the requests?
I have attached my httpd.conf file along with this, let me know if the
settings I have done are correct.



On Thu, Oct 30, 2008 at 7:27 PM, Boyle Owen [EMAIL PROTECTED]wrote:

 I think you're not getting responses because your question is a bit
 muddled...

 By ".. able to use the SSL at the apache level .." I am assuming that
 https://server/filepath returns the file at DocumentRoot/filepath -
 i.e. you can get local content via HTTPS. Is this so?

 If so, all you need to do now is proxy this VH to the back-end server
 (i.e. the weblogic thingy). For this you need Proxy directives, e.g.

 ProxyPass / http://back-end-server/

 then a request for https://server/filepath will cause apache to fetch
 http://back-end-server/filepath and return it, via HTTPS, to the client.

 I don't quite understand why you have paths like /OPSWeb/neo... That
 makes it look like apache is fetching the back-end content via the
 filesystem (e.g. shared disks). If so, that's not right - a proxy is
 simply a way of forwarding HTTP requests so that all data are
 transferred by HTTP. No need for the servers to see each other's files.

 Rgds,
 Owen Boyle
 Disclaimer: Any disclaimer attached to this message may be ignored.




 

From: Vasanth Kumar ravi [mailto:[EMAIL PROTECTED]
 Sent: Thursday, October 30, 2008 6:30 AM
 To: users@httpd.apache.org
 Subject: Re: [EMAIL PROTECTED] Issue with SSL configuration.


All,
Can someone throw light on this issue.

Thanks.


On Wed, Oct 29, 2008 at 4:28 PM, Vasanth Kumar ravi
 [EMAIL PROTECTED] wrote:


Thanks folks..
After posting this in the forum, I did extensive
 research on the internet and it was resolved.
The major problem was due to the Virtual host
 configuration. Now I am able to use the SSL at the apache level.

wildcard NameVirtualHosts and _default_ servers:
*:443  is a NameVirtualHost
 default server gelxd002.sony.com.sg
 (/home/apache/conf/httpd.conf:362)
 port 443 namevhost gelxd002.sony.com.sg
 (/home/apache/conf/httpd.conf:362)
 port 443 namevhost gelxd002.sony.com.sg
 (/home/apache/conf/httpd.conf:376)
*:80   is a NameVirtualHost
 default server gelxd002.sony.com.sg
 (/home/apache/conf/httpd.conf:332)
 port 80 namevhost gelxd002.sony.com.sg
 (/home/apache/conf/httpd.conf:332)
 port 80 namevhost gelxd002.sony.com.sg
 (/home/apache/conf/httpd.conf:343)

I need your help in some configuration ideas.
I m trying to setup something like the below.
Client ---SSL--- Apache ---HTTP--- WebLogic

I request http://hostname/OPSWeb/neo from the browser
 and it goes to the login page and I am able to perform all the
 functions.
When I request https://hostname/OPSWeb/neo, it doesn't
 give a login page, but it gives a pop-up in IE: "Access is Denied. Type
 Error".
As stated earlier, I need to have HTTPS between the
 browser and the web server and HTTP between the Apache and Weblogic.
Also there is no SSL enabled at the Weblogic level.

Do we have to write some ProxyReverse parameters/Rewrite
 rules?
Let me know if you need any further details.

Please advise.




On Tue, Oct 28, 2008 at 10:35 PM, Krist van Besien
 [EMAIL PROTECTED] wrote:


On Tue, Oct 28, 2008 at 3:36 AM, Vasanth Kumar
 ravi
[EMAIL PROTECTED] wrote:

 SSLCertificateFile
 /usr/share/ssl/certs/server.crt/
 SSLCertificateKeyFile
 /usr/share/ssl/certs/server.key/


The argument to SSLCertificateFile and SSLCertificateKeyFile is a
 _file_, not a directory. Just enter the full path to your cert and
 private key here.


 I had 

Re: [EMAIL PROTECTED] Issue with SSL configuration.

2008-10-30 Thread Eric Covener
On Thu, Oct 30, 2008 at 9:31 PM, Vasanth Kumar ravi
[EMAIL PROTECTED] wrote:
 Alright.
 Let me make the requirements clear then.

 Currently we have an application hosted in weblogic and we do not have any
 web servers in the setup.
 This application is accessed by the url http://ip address/OPSWeb/neo.

 I have setup an Apache 2.0.63 web server in front of the weblogic, which
 will act to proxy all the client requests to weblogic.
 I do not have any static files / application hosted in the Apache(it has to
 fwd all requests to the weblogic).
 I have setup VH for both ports 80 and 443.
 The apache ssl setup has been completed.
 The client would request https://ip address/OPSWeb/neo from the browser
 which should be proxied to weblogic server.
 Also bear in mind that the weblogic is not running on https.
 Do I have to define a Directory/Document root for proxying all the requests?
 I have attached my httpd.conf file along with this, let me know if the
 settings I have done are correct.



You haven't configured Apache to proxy anything.

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassreverse

Perhaps your application server has an apache module for this, or a
configuration guide.

-- 
Eric Covener
[EMAIL PROTECTED]

-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [EMAIL PROTECTED] Issue with SSL configuration.

2008-10-30 Thread Vasanth Kumar ravi
The application server has a plugin for apache and that has been installed
in the apache.
Apache is able to talk to the weblogic using http but not using https.
As I mentioned earlier, I have not hosted any application files in the
apache.
The apache should act to proxy/pass all the requests to weblogic, where the
application jar/war file is hosted.

I did specify a ProxyPass parameter like the following.

ProxyPass / http://ipaddress/OPSWeb/neo
ProxyPass / http://ipaddress

But both of them did not work.
Thanks



-- 
Regards / Thanks,
Vasanth Kumar Ravi
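For reference, here is an added example of the reverse-proxy VirtualHost that Owen's ProxyPass line and Eric's ProxyPassReverse link describe; it is not taken from anyone's httpd.conf in this thread. The front-end name www.example.com, the backend address app-server.internal:7001 and the certificate paths are assumed placeholders.

```apache
# Added example, not from the thread's httpd.conf. Placeholders: www.example.com,
# app-server.internal:7001 (WebLogic, plain HTTP), /etc/apache/ssl/server.{crt,key}.

# Port 80: nothing is served here; send browsers to HTTPS so the application's
# login form is never submitted in the clear.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    # Certificate and key are *files*; a directory-style path with a trailing
    # slash (server.crt/), as quoted earlier in the thread, will not load.
    SSLCertificateFile    /etc/apache/ssl/server.crt
    SSLCertificateKeyFile /etc/apache/ssl/server.key

    # ProxyRequests enables a *forward* proxy and is not needed for ProxyPass;
    # leaving it Off keeps this host from relaying requests to arbitrary sites.
    ProxyRequests Off

    # ProxyPass appends the rest of the request path to the target, so
    # "ProxyPass / http://ipaddress/OPSWeb/neo" would turn /OPSWeb/neo into
    # http://ipaddress/OPSWeb/neo/OPSWeb/neo. Map the application prefix 1:1.
    ProxyPass        /OPSWeb/ http://app-server.internal:7001/OPSWeb/
    # Rewrite Location headers in backend responses; without this a redirect
    # from WebLogic sends the browser to http://app-server.internal:7001/...
    ProxyPassReverse /OPSWeb/ http://app-server.internal:7001/OPSWeb/

    # Tell the application the client connection was TLS (needs mod_headers).
    RequestHeader set X-Forwarded-Proto "https"

    # Anything outside the application prefix is refused rather than served
    # from DocumentRoot; the later <Location> overrides the earlier one.
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    <Location /OPSWeb/>
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
```

Check the result with a request for https://www.example.com/OPSWeb/neo: the access log of the backend should show it arriving as a plain-HTTP request for /OPSWeb/neo, and any Location header the application returns should come back to the browser with the https://www.example.com/ prefix.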


[EMAIL PROTECTED] Re: mod_auth_ldap

2008-10-30 Thread Juan Pablo Roig
Yes, the question is: two different LDAPs.
I've solved this issue with mod_authnz_external
Thanks

2008/10/30, Jorge Medina [EMAIL PROTECTED]:
 I'm not sure I am understanding your question:

 By "for another domain", do you mean another site? If so, use
 VirtualHost to define each domain and use the appropriate LDAP server
 for each one.

 If you want to authenticate users against two unrelated LDAP domains,
 then you may look if there is a way to specify multiple servers in the
 AuthLDAPURL directive. I think this is not possible.


 

 From: Juan Pablo Roig [mailto:[EMAIL PROTECTED]
 Sent: Monday, October 27, 2008 10:05 PM
 To: users@httpd.apache.org
 Subject: [EMAIL PROTECTED] mod_auth_ldap


 Hi everyone!!
 I am using this module to auth the users through an LDAP server, but now I
 have more users in another LDAP server for another domain, does anyone
 know how to do this?
 This is my config now:
 <Directory /opt/globant/mediawiki-1.6.9-infra>
 Options Indexes FollowSymLinks
 AllowOverride None
 order allow,deny
 AuthName "Infra Login Users"
 AuthType Basic
 AuthLDAPURL ldap://10.90.0.2/DC=com?sAMAccountName?sub?(objectClass=user)
 AuthLDAPBindDN ACCF165\ldapusr
 AuthLDAPBindPassword globant25k
 Require group cn=wiki_acc_usrs,OU=People,DC=accendra,DC=com
 Satisfy Any
 </Directory>



-- 
Sent from my mobile device
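As an added illustration of Jorge's suggestion (not Juan's final mod_authnz_external setup), one mod_auth_ldap VirtualHost per domain, each bound to its own directory server through its own AuthLDAPURL. Host names, directory servers, base DNs, group DNs and the bind account are placeholders.

```apache
# Added example of Jorge's per-domain VirtualHost approach with mod_auth_ldap
# (Apache 2.0 directive names, as in the thread). All names are placeholders.
NameVirtualHost *:80

# Domain 1: users and groups live in the example.com directory.
<VirtualHost *:80>
    ServerName wiki.example.com
    DocumentRoot /var/www/wiki-com
    <Directory /var/www/wiki-com>
        AuthType Basic
        AuthName "Wiki (example.com)"
        # ldaps:// (needs mod_ldap built with SSL support) so the bind password
        # and the users' Basic-auth credentials are not relayed in the clear.
        AuthLDAPURL "ldaps://dc1.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
        # A read-only lookup account with no other rights. The password is stored
        # in clear text here, so this file must not be world-readable.
        AuthLDAPBindDN "CN=ldap-reader,OU=Service Accounts,DC=example,DC=com"
        AuthLDAPBindPassword "REPLACE-WITH-REAL-PASSWORD"
        Require group "CN=wiki-users,OU=Groups,DC=example,DC=com"
    </Directory>
</VirtualHost>

# Domain 2: a separate directory server and base DN; nothing is shared with
# the first, so a user of one domain cannot satisfy the other's Require.
<VirtualHost *:80>
    ServerName wiki.example.org
    DocumentRoot /var/www/wiki-org
    <Directory /var/www/wiki-org>
        AuthType Basic
        AuthName "Wiki (example.org)"
        AuthLDAPURL "ldaps://dc1.example.org/DC=example,DC=org?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=ldap-reader,OU=Service Accounts,DC=example,DC=org"
        AuthLDAPBindPassword "REPLACE-WITH-REAL-PASSWORD"
        Require group "CN=wiki-users,OU=Groups,DC=example,DC=org"
    </Directory>
</VirtualHost>
```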
