[us...@httpd] Apache under DOS
Hi,

Recently attackers use a new attack to DoS Apache. For example, see http://isc.sans.org/diary.html?storyid=6601rss . Is there any solution to prevent this DoS attack? What solution do you suggest to limit concurrent connections?

Thanks for any help or guidance.

--
N.Chavoshi
[us...@httpd] apache monitoring
Hi,

I want to monitor Apache status (amount of requests, RAM usage, amount of Apache daemons, etc.) in real time. Are there any tools that satisfy these needs?

Thanks for any help or guidance.

--
N.Chavoshi
[us...@httpd] apache modules
Hi,

I have one question about Apache modules. With loading more modules on Apache, may Apache respond with more delay?

--
N.Chavoshi
[us...@httpd] SSI - file not included
Hi,

I tried a simple include with SSI.
In the root directory I added a .htaccess file with

    AddType text/html .shtml
    AddOutputFilter INCLUDES .html

In index-test.html I added

    <!--#include virtual="./footer.html" -->

This works fine.
Now I moved the footer.html to another directory.

    <!--#include virtual="./foo/footer.html" -->

This works fine, too.
Now I moved the file again and it stops working.

    <!--#include virtual="./bar/footer.html" -->

foo/ and bar/ are both "DAV on".
foo/ is accessible without authentication.
bar/ is basic auth protected (file and ldap).

Can the included file not be placed in an authentication protected directory or is there something else?

Marc

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
RE: [us...@httpd] SSI - file not included
-----Original Message-----
From: Marc Patermann [mailto:hans.mo...@ofd-sth.niedersachsen.de]
Sent: Wednesday, July 08, 2009 9:07 AM
To: users@httpd.apache.org
Subject: [us...@httpd] SSI - file not included

> Hi,
>
> I tried a simple include with SSI.
> In the root directory I added a .htaccess file with
>
>     AddType text/html .shtml
>     AddOutputFilter INCLUDES .html
>
> In index-test.html I added
>
>     <!--#include virtual="./footer.html" -->
>
> This works fine.
> Now I moved the footer.html to another directory.
>
>     <!--#include virtual="./foo/footer.html" -->
>
> This works fine, too.
> Now I moved the file again and it stops working.
>
>     <!--#include virtual="./bar/footer.html" -->
>
> foo/ and bar/ are both "DAV on".
> foo/ is accessible without authentication.
> bar/ is basic auth protected (file and ldap).
>
> Can the included file not be placed in an authentication protected
> directory ?

Apparently not... Otherwise, it would be a way to circumvent authentication.

Check what it says in the error_log; that should tell you more than "..stops working..". If there is a 401 Unauthorized then that's the problem.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> or is there something else?
>
> Marc

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks.
RE: [us...@httpd] apache monitoring
http://httpd.apache.org/docs/2.2/mod/mod_status.html

From: nima chavooshi [mailto:nima0...@gmail.com]
Sent: Wednesday, July 08, 2009 8:51 AM
To: users@httpd.apache.org
Subject: [us...@httpd] apache monitoring

> Hi,
>
> I want to monitor Apache status (amount of requests, RAM usage, amount of Apache daemons, etc.) in real time. Are there any tools that satisfy these needs?
>
> Thanks for any help or guidance.
>
> --
> N.Chavoshi
RE: [us...@httpd] apache modules
If you just load modules but don't actually use them (i.e., no directives in config), then no.

From: nima chavooshi [mailto:nima0...@gmail.com]
Sent: Wednesday, July 08, 2009 8:59 AM
To: users@httpd.apache.org
Subject: [us...@httpd] apache modules

> Hi,
>
> I have one question about Apache modules. With loading more modules on Apache, may Apache respond with more delay?
>
> --
> N.Chavoshi
Re: [us...@httpd] apache modules
nima chavooshi wrote:
> Hi,
>
> I have one question about Apache modules. With loading more modules on Apache, may Apache respond with more delay?

Re these recent threads:
- [us...@httpd] Apache under DOS
- [us...@httpd] apache monitoring
- [us...@httpd] apache modules

It is always a good idea, indicative of the intelligent and considerate poster to a user's support list, to start by reading the available on-line documentation.

For example, at http://httpd.apache.org/, one finds links to Documentation Version 2.2, which leads to a page full of information about
- Security Tips
- Authentication, Authorization, and Access Control
- Performance Tuning
- Log Files
- Modules (see S for mod_Status)
- and Frequently Asked Questions (FAQ)

Reading this documentation beforehand is also a sign of respect and appreciation for the work of the many competent volunteers who have spent a lot of their time composing it and making it available.
Re: [us...@httpd] SSI - file not included
Boyle Owen wrote:
>> Can the included file not be placed in an authentication protected
>> directory ?
>
> Apparently not... Otherwise, it would be a way to circumvent authentication.
>
> Check what it says in the error_log; that should tell you more than "..stops working..". If there is a 401 Unauthorized then that's the problem.

I can't see any 401 errors in access or error log.
There are only

    unable to include ./bar/footer.html in parsed file /opt/www/index-test.html

messages.

Marc
RE: [us...@httpd] SSI - file not included
-----Original Message-----
From: Marc Patermann [mailto:hans.mo...@ofd-sth.niedersachsen.de]
Sent: Wednesday, July 08, 2009 10:47 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] SSI - file not included

> Boyle Owen wrote:
>>> Can the included file not be placed in an authentication protected
>>> directory ?
>>
>> Apparently not... Otherwise, it would be a way to circumvent authentication.
>>
>> Check what it says in the error_log; that should tell you more than "..stops working..". If there is a 401 Unauthorized then that's the problem.
>
> I can't see any 401 errors in access or error log.
> There are only
>
>     unable to include ./bar/footer.html in parsed file /opt/www/index-test.html
>
> messages.

Try removing the basic auth from bar - if it then starts working, then that's the problem.

BTW, if that *is* the problem, then there's no solution; you won't be able to include protected content.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> Marc
RE: [us...@httpd] apache monitoring
Be sure to configure it with Extended Status on to get a wealth of info.

-Tony

From: Boyle Owen [mailto:owen.bo...@six-group.com]
Sent: Wednesday, July 08, 2009 3:36 AM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] apache monitoring

> http://httpd.apache.org/docs/2.2/mod/mod_status.html
>
> From: nima chavooshi [mailto:nima0...@gmail.com]
> Sent: Wednesday, July 08, 2009 8:51 AM
> To: users@httpd.apache.org
> Subject: [us...@httpd] apache monitoring
>
>> Hi,
>>
>> I want to monitor Apache status (amount of requests, RAM usage, amount of Apache daemons, etc.) in real time. Are there any tools that satisfy these needs?
>>
>> Thanks for any help or guidance.
>>
>> --
>> N.Chavoshi
RE: [us...@httpd] apache monitoring
On Wed, 2009-07-08 at 09:57 -0400, Tony Rice (trice) wrote:
> Be sure to configure it with Extended Status on to get a wealth of info.

(Obvious self-promotion) We have a free (as in speech) tool, which might help you get the information out of mod_status if the server is unresponsive.

http://fabletech.com/ftasv

Morten

--
Morten K. Poulsen m...@fabletech.com
CTO, FableTech
http://fabletech.com/
Re: [us...@httpd] apache monitoring
Hi,

There is a Perl program to extract information. The program requests a page created for mod_status and writes to a file.

Ricardo

On Wed, Jul 8, 2009 at 12:03 PM, Morten K. Poulsen <m...@fabletech.com> wrote:
> On Wed, 2009-07-08 at 09:57 -0400, Tony Rice (trice) wrote:
>> Be sure to configure it with Extended Status on to get a wealth of info.
>
> (Obvious self-promotion) We have a free (as in speech) tool, which might help you get the information out of mod_status if the server is unresponsive.
>
> http://fabletech.com/ftasv
>
> Morten
>
> --
> Morten K. Poulsen m...@fabletech.com
> CTO, FableTech
> http://fabletech.com/

--
Thank you very much,
Ricardo
Re: [us...@httpd] apache monitoring
On Wed, 2009-07-08 at 12:12 -0300, ricardo figueiredo wrote:
> There is a Perl program to extract information. The program requests a page created for mod_status and writes to a file.

Yes, and it's the "requests a page" part which can be a problem, if the server is not responding.

Morten

--
Morten K. Poulsen m...@fabletech.com
CTO, FableTech
http://fabletech.com/
Re: [us...@httpd] apache monitoring
On Wed, Jul 8, 2009 at 12:24 PM, Morten K. Poulsen <m...@fabletech.com> wrote:
> On Wed, 2009-07-08 at 12:12 -0300, ricardo figueiredo wrote:
>> There is a Perl program to extract information. The program requests a page created for mod_status and writes to a file.
>
> Yes, and it's the "requests a page" part which can be a problem, if the server is not responding.

It's true.

Ricardo

> Morten
>
> --
> Morten K. Poulsen m...@fabletech.com
> CTO, FableTech
> http://fabletech.com/

--
Thank you very much,
Ricardo
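Added example, not part of the thread and not the Perl program mentioned in it: a Python sketch of the approach discussed above, which fetches mod_status's machine-readable `?auto` view, tallies the scoreboard and writes a line to a file. The `/server-status` URL, the 50% threshold on workers reading a request, and the sample output are assumptions constructed for illustration; a fetch that fails or times out returns `None`, which is the unresponsive-server case raised in the replies.

```python
import time
import urllib.request

# Scoreboard key as listed in the mod_status documentation.
STATES = {
    "_": "waiting", "S": "starting", "R": "reading_request",
    "W": "sending_reply", "K": "keepalive", "D": "dns_lookup",
    "C": "closing", "L": "logging", "G": "graceful_finish",
    "I": "idle_cleanup", ".": "open_slot",
}

# Constructed sample of "?auto" output with ExtendedStatus On (not real data).
SAMPLE = """\
Total Accesses: 18342
Total kBytes: 90211
CPULoad: .0312
Uptime: 86400
ReqPerSec: .212292
BytesPerSec: 1069.17
BytesPerReq: 5036.3
BusyWorkers: 14
IdleWorkers: 2
Scoreboard: RRRRRRRRRRWWKR__....
"""


def fetch_status(url="http://127.0.0.1/server-status?auto", timeout=5):
    """Return the status text, or None when the server does not answer."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace")
    except OSError:  # URLError, refused connections and timeouts
        return None


def parse_status(text):
    """Split 'Key: value' lines into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def summarize(text, reading_alert=0.5):
    """Count worker states; flag when most slots sit in 'reading request'."""
    fields = parse_status(text)
    board = fields.get("Scoreboard", "")
    counts = {name: 0 for name in STATES.values()}
    for ch in board:
        if ch in STATES:
            counts[STATES[ch]] += 1
    slots = len(board)
    free = counts["waiting"] + counts["open_slot"]
    reading = counts["reading_request"]
    return {
        "slots": slots,
        "busy": slots - free,
        "free": free,
        "reading_request": reading,
        "req_per_sec": float(fields.get("ReqPerSec", 0)),
        # Many slots held in R while ReqPerSec stays low means connections
        # are open but not completing requests (assumed threshold).
        "alert": slots > 0 and reading / slots >= reading_alert,
    }


def record(path, summary, when=None):
    """Append one timestamped line to a log file and return it."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.localtime(when))
    line = ("{} busy={busy} free={free} reading={reading_request} "
            "alert={alert}\n").format(stamp, **summary)
    with open(path, "a") as fh:
        fh.write(line)
    return line


if __name__ == "__main__":
    print(summarize(SAMPLE))
```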
Re: [us...@httpd] apache modules
Boyle Owen wrote:
> If you just load modules but don't actually use them (i.e., no directives in config), then no.

That is not entirely true. Most register a hook provider to evaluate if they are the candidate for providing auth, injecting filters or handling the request. Those hooks do cost some cycles to evaluate and answer, even if the answer is always 'no, not this module'. So you are wise to remove modules that are not used.

Also, some security flaws in the past have exploited only one module of httpd. The users who had not loaded or enabled that module were not affected. So it is also a courtesy to the next administrator down the road (or yourself) to simplify the number of modules loaded.
[us...@httpd] Windows rotatelogs, cmd.exe permission
Apache 2.2.11
Windows Server 2003 R2 x64

Hello all,

I've searched the archives and only found confirmation of what my problem is, but no solutions.

I am trying to configure apache httpd in such a way that logs are rotated on a daily basis, and the server is not shut down when doing so. Currently I am using piped output to the rotatelogs.exe process to do so. So far so good, right? Not so fast...

I currently have httpd running as a windows service, logging on as a restricted user called webserver. That account is very restricted in the folders that it can read/execute. In order to follow the security policy, the webserver account needs to be configured so that it cannot access cmd.exe. When httpd runs on windows and uses piped output to a log file, it creates a named pipe and launches a shell (cmd.exe) to run the executable. FAIL!

Windows does not seem to have the apachectl graceful command that unix does. The only solution that I see is to run apache, where it writes straight to a log file, write a script that shuts down httpd, moves the log file and restarts httpd. I'd rather not do that, as my server gets a lot of traffic during all hours of the day. Currently the server is not clustered.

Any solutions? (and don't say move to Linux, I wish I could).

-Phil
Re: [us...@httpd] Windows rotatelogs, cmd.exe permission
Philip J Dicke wrote:
> I currently have httpd running as a windows service, logging on as a restricted user called webserver. That account is very restricted in the folders that it can read/execute. In order to follow the security policy, the webserver account needs to be configured so that it cannot access cmd.exe. When httpd runs on windows and uses piped output to a log file, it creates a named pipe and launches a shell (cmd.exe) to run the executable. FAIL!

Ok; please explain how the process initially has rights to invoke cmd.exe and how these were subtracted after initialization?

> Windows does not seem to have the apachectl graceful command that unix does.

That's right; every service control command 128 is a graceful today, which is what the ApacheMonitor taskbar-utility issues when you choose 'restart'. So does httpd.exe -k restart. But Windows OS only knows a hard restart, stop and then restart the parent. However the child process lives only one iteration, just as in unix.

The new feature I have worked up uses "||realpipe args" if you want to absolutely invoke realpipe without a command shell (on win or unix). The syntax "|$pipecmd args" works as today, sending the pipecmd args to the command shell.

In 2.3 forward, realpipe will be the default. In 2.2, pipecmd stays the default as to not disrupt so many people. So offering both syntaxes should help you with an httpd.conf that will make the transition.
Re: [us...@httpd] Windows rotatelogs, cmd.exe permission
Philip J Dicke wrote:
>> Ok; please explain how the process initially has rights to invoke cmd.exe and how these were subtracted after initialization?
>
> Well it works now b/c the webserver user has access to the cmd.exe. Security review revealed that access needs to be removed.

Ok; that's not what your post said... you implied it was restart-related :)

>> syntax "|$pipecmd args" works as today,
>
> AWESOME!!! This is exactly the solution I was looking for! Just tried it and seems to be working. I will let you know if there are any issues.

Huh? That feature is not implemented yet.
Re: [us...@httpd] Apache under DOS
On Tue, Jul 7, 2009 at 11:50 PM, nima chavooshi <nima0...@gmail.com> wrote:
> Hi,
>
> Recently attackers use a new attack to DoS Apache. For example, see http://isc.sans.org/diary.html?storyid=6601rss . Is there any solution to prevent this DoS attack? What solution do you suggest to limit concurrent connections?
>
> Thanks for any help or guidance.
>
> --
> N.Chavoshi

This has been discussed extensively (within the last month), check the archives.
Re: [us...@httpd] Windows rotatelogs, cmd.exe permission
This sounds like the solution until the new real pipes solution is implemented. Thank you all.

On Wed, Jul 8, 2009 02:59 PM Sander Temme <scte...@apache.org> wrote:
> On Jul 8, 2009, at 11:09 AM, Philip J Dicke wrote:
>> Windows does not seem to have the apachectl graceful command that unix does. The only solution that I see is to run apache, where it writes straight to a log file, write a script that shuts down httpd, moves the log file and restarts httpd.
>
> I've had good success using the following approach:
>
> 1) move the logfile(s) to a new name, with a timestamp or whatever
> 2) Send httpd.exe -n ServiceName -k graceful (wrowe tells us that restart and graceful are the same thing on Windows)
> 3) Wait a second, a minute, an hour or whatever you need to make sure the old httpd child has in fact gone away and has stopped writing to the open file descriptor of the old logfile.
> 4) Do what you need to do to the old logfile (compress, explode into vhosts, analyze, whatever, it's yours now)
>
> The fact that httpd keeps writing to the old logfile ensures that you don't miss any log entries, and the graceful restart ensures uninterrupted service.
>
> As wrowe says, the service interface only knows to kill the program under consideration entirely, and then start it up again. This is obviously too harsh if you expect to keep serving requests, and fortunately not necessary.
>
> S.
>
> --
> Sander Temme
> scte...@apache.org
> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF

Philip J. Dicke
Penn State ARL
JIATFS Support
pjd...@psu.edu
305-293-5481
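Added example, not part of the thread and not code from any of its participants: the four-step rotation described above, written as a Python script that an administrative scheduled task could run. It uses `-k restart`, which the thread says is the graceful operation on Windows, and passes an argument list so the restart is launched without a command shell. The log directory, the service name `Apache2.2`, the `*.log` pattern and the "size unchanged for three polls" test for step 3 are assumptions.

```python
import gzip
import shutil
import subprocess
import time
from datetime import datetime
from pathlib import Path


def wait_until_quiet(path, sleep, interval=1.0, stable_polls=3, max_polls=600):
    """Step 3: return once the file size has stopped changing."""
    last, stable = path.stat().st_size, 0
    for _ in range(max_polls):
        sleep(interval)
        size = path.stat().st_size
        stable = stable + 1 if size == last else 0
        last = size
        if stable >= stable_polls:
            return
    raise TimeoutError(f"{path} is still being written")


def rotate_logs(log_dir, service_name, httpd="httpd.exe",
                run=subprocess.run, sleep=time.sleep, now=datetime.now):
    """Rename, restart, wait, compress. Returns the list of archives."""
    log_dir = Path(log_dir)
    stamp = now().strftime("%Y%m%d-%H%M%S")

    # Step 1: rename the live logs. The running child keeps writing to the
    # renamed files through its open handles, so no entries are lost.
    moved = []
    for log in sorted(log_dir.glob("*.log")):
        target = log.with_name(f"{log.name}.{stamp}")
        log.rename(target)
        moved.append(target)
    if not moved:
        return []

    # Step 2: graceful restart of the named service. An argument list is
    # handed straight to process creation, so cmd.exe is not involved.
    run([httpd, "-n", service_name, "-k", "restart"], check=True)

    # Step 3: wait until the old child has stopped writing.
    for path in moved:
        wait_until_quiet(path, sleep)

    # Step 4: the old files are ours now; compress and remove them.
    archives = []
    for path in moved:
        archive = path.with_name(path.name + ".gz")
        with open(path, "rb") as src, gzip.open(archive, "wb") as dst:
            shutil.copyfileobj(src, dst)
        path.unlink()
        archives.append(archive)
    return archives


if __name__ == "__main__":
    # Hypothetical install path and service name; adjust to the local setup.
    for archive in rotate_logs(r"C:\Apache2\logs", "Apache2.2"):
        print("archived", archive)
```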
[us...@httpd] Using SetEnvIf on response headers
Hi all;

I'm trying to strip out NTLM as an authentication option from response packets (my Apache is acting as a reverse proxy).

At first I did this blindly with the Header command:

    Header always unset WWW-Authenticate
    Header always set WWW-Authenticate "Basic realm='%{SERVER_NAME}e'"
    Header onsuccess unset WWW-Authenticate

However, this has the side effect of setting "WWW-Authenticate: Basic .." on *every* response.

Ideally I'd like to only do the replacement on response headers that contain "WWW-Authenticate: NTLM". I thought perhaps I could do this with SetEnvIf:

    SetEnvIfNoCase WWW-Authenticate ^NTLM$ HAS_NTLM
    Header always unset WWW-Authenticate env=HAS_NTLM
    Header always set WWW-Authenticate "Basic realm='%{SERVER_NAME}e'" env=HAS_NTLM

This would work much better except that it appears SetEnvIf* only works on request headers and not on response headers.

I came across this[1] patch from a few years back that would seem to address this, but no indication of whether or not it was ever seriously considered for inclusion in Apache.

Maybe there's an alternate, elegant way to do what I'm wanting? I realize I could probably use an external output filter of some sort, but that's not an ideal solution in my case (too much overhead).

Any suggestions?

Ray

[1] http://marc.info/?l=apache-httpd-devm=114839705130894w=2
Re: [us...@httpd] Using SetEnvIf on response headers
Ray Van Dolson wrote:
> Hi all;
>
> I'm trying to strip out NTLM as an authentication option from response packets (my Apache is acting as a reverse proxy).

By curiosity, what does this achieve?
If the origin server requires NTLM authentication for a resource, it is unlikely to be happy with a Basic authentication coming back from the browser.
Re: [us...@httpd] Using SetEnvIf on response headers
On Wed, Jul 08, 2009 at 03:35:58PM -0700, André Warnier wrote:
> Ray Van Dolson wrote:
>> Hi all;
>>
>> I'm trying to strip out NTLM as an authentication option from response packets (my Apache is acting as a reverse proxy).
>
> By curiosity, what does this achieve?
> If the origin server requires NTLM authentication for a resource, it is unlikely to be happy with a Basic authentication coming back from the browser.

The server allows both NTLM and Basic (multiple WWW-Authenticate headers are transmitted). The client insists on using NTLM if it's available, which doesn't work properly in a reverse proxy setup (at least as far as I understand it).

If I remove the NTLM header, the client falls back to Basic and all works correctly.

The client is BIS (Blackberry) so unfortunately I can't change its behavior. :)

Ray
RE: [us...@httpd] Reload httpd.conf on Windows
Hi,

From your query, I observed that we can reload the Apache configuration file without restarting the Apache web server on Linux. I would like to know, how can we do it?

Thanks in advance.

--Vamshi :)

-----Original Message-----
From: dbezerra [mailto:dbeze...@accesssoftek.com]
Sent: Tuesday, January 27, 2009 2:54 AM
To: users@httpd.apache.org
Subject: [us...@httpd] Reload httpd.conf on Windows

> I would like to know if it is possible to reload the Apache configuration on Windows without restarting the Apache, like we do on UNIX/Linux version.
>
> --
> View this message in context: http://www.nabble.com/Reload-httpd.conf-on-Windows-tp21673974p21673974.html
> Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.