RE: [us...@httpd] 404's to robots.txt?

2009-07-22 Thread Boyle Owen
 -Original Message-
 From: Evan Platt [mailto:e...@espphotography.com] 
 Sent: Wednesday, July 22, 2009 1:56 AM
 To: users@httpd.apache.org
 Subject: [us...@httpd] 404's to robots.txt?
 
 So I've noticed quite a lot of connections from web spider programs. 
 I've had a robots.txt
 (User-agent: *
 Disallow: /)  For a long time. But looking closer in my apache logs, 
 am I reading right that it's giving a 404?

Yes.

How many VHs do you have? If you have robots.txt in one VH but the
request comes into another VH, then you will get a 404. Maybe put
%{Host}i into the log format to see the Host header sent by the client.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

 
 65.55.106.173 - - [21/Jul/2009:09:44:43 -0700] GET /robots.txt 
 HTTP/1.1 404 208 - msnbot/2.0b 
 (+http://search.msn.com/msnbot.htm)
 65.55.106.112 - - [21/Jul/2009:10:11:43 -0700] GET /robots.txt 
 HTTP/1.1 404 208 - msnbot/2.0b 
 (+http://search.msn.com/msnbot.htm)
 65.55.106.166 - - [21/Jul/2009:11:03:35 -0700] GET /robots.txt 
 HTTP/1.1 404 208 - msnbot/2.0b 
 (+http://search.msn.com/msnbot.htm)
 65.55.106.160 - - [21/Jul/2009:11:09:07 -0700] GET /robots.txt 
 HTTP/1.1 200 28 - msnbot/2.0b (+http://search.msn.com/msnbot.htm)
 65.55.106.180 - - [21/Jul/2009:11:35:34 -0700] GET /robots.txt 
 HTTP/1.1 404 208 - msnbot/2.0b 
 (+http://search.msn.com/msnbot.htm)
 
 Same day, no changes made:
 X.X.X.X - - [21/Jul/2009:16:47:44 -0700] GET /robots.txt HTTP/1.1 
 304 - - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; 
 rv:1.9.1.1) Gecko/20090715 Firefox/3.0.7, Ant.com Toolbar 1.3 (.NET 
 CLR 3.5.30729)
 Z.Z.Z.Z- - [21/Jul/2009:16:49:10 -0700] GET /robots.txt HTTP/1.1 
 200 28 - Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) 
 AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.30 Safari/530.5
 
 Two different IP's. One mine, one a friend's.
 
 Any suggestions as to why (if I'm reading the log right) I'm handing 
 out a 404 to it appears just web crawlers?
 
 # httpd -v
 Server version: Apache/2.2.3
 Server built:   Jun 16 2009 11:28:50
 
 Don't know what other information is needed to help troubleshoot... 
 Running on an OS X box.
 http://www.espphotography.com/robots.txt if you want to take a look...
 
 Thanks. :)
 
 Evan
 
 
 -
 The official User-To-User support forum of the Apache HTTP 
 Server Project.
 See URL:http://httpd.apache.org/userslist.html for more info.
 To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   from the digest: users-digest-unsubscr...@httpd.apache.org
 For additional commands, e-mail: users-h...@httpd.apache.org
 
 
 
This message is for the named person's use only. It may contain confidential, 
proprietary or legally privileged information. If you receive this message in 
error, please notify the sender urgently and then immediately delete the 
message and any copies of it from your system. Please also immediately destroy 
any hardcopies of the message. 
The sender's company reserves the right to monitor all e-mail communications 
through their networks.
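Owen's suggestion of appending %{Host}i to the LogFormat makes the per-vhost split visible in the log. As an added example (not from the thread or from httpd), this Python script parses such a log and groups /robots.txt status codes by Host header; the log lines, hostnames and IP addresses below are constructed.

```python
"""Group /robots.txt responses by the Host header in an httpd access log.

Assumes the log was written with a LogFormat that appends %{Host}i after the
"combined" fields, e.g.
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{Host}i" hostcombined
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation IP ranges, example.com hosts); not
# taken from the original post's log.
SAMPLE_LOG = """\
198.51.100.10 - - [21/Jul/2009:09:44:43 -0700] "GET /robots.txt HTTP/1.1" 404 208 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)" example.com
198.51.100.11 - - [21/Jul/2009:10:11:43 -0700] "GET /robots.txt HTTP/1.1" 404 208 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)" example.com
198.51.100.12 - - [21/Jul/2009:11:09:07 -0700] "GET /robots.txt HTTP/1.1" 200 28 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)" www.example.com
203.0.113.5 - - [21/Jul/2009:16:49:10 -0700] "GET /robots.txt HTTP/1.1" 200 28 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/530.5" www.example.com
203.0.113.5 - - [21/Jul/2009:16:50:02 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/530.5" www.example.com
this line is not in the expected format
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<host>\S+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    # Drop an explicit port (Host: example.com:80) so both spellings group together.
    fields["host"] = fields["host"].rsplit(":", 1)[0].lower()
    return fields


def robots_status_by_host(log_text):
    """Map each Host header value to a Counter of status codes for /robots.txt."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or fields["path"].split("?", 1)[0] != "/robots.txt":
            continue
        summary[fields["host"]][fields["status"]] += 1
    return summary


def hosts_never_serving_robots(summary):
    """Hosts whose /robots.txt requests were all 404: the vhosts lacking the file."""
    return sorted(h for h, c in summary.items() if set(c) == {404})


if __name__ == "__main__":
    by_host = robots_status_by_host(SAMPLE_LOG)
    for host, counts in sorted(by_host.items()):
        print(host, dict(counts))
    print("vhosts without robots.txt:", hosts_never_serving_robots(by_host))
```

A crawler that learned the bare domain from links elsewhere will keep hitting the vhost that lacks the file; this output shows which Host value that is.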




RE: [us...@httpd] Remote .htaccess

2009-07-22 Thread Boyle Owen
 -Original Message-
 From: Jos Chrispijn [mailto:apa...@webrz.net] 
 Sent: Wednesday, July 22, 2009 1:31 AM
 To: users@httpd.apache.org
 Subject: [us...@httpd] Remote .htaccess
 
 Is it possible to use a .htaccess in a folder in which I define a 
 htpasswd path that is physically located on a completely 
 different server?

Sure. As long as apache can follow the path, no problem.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

PS: It's also asking for trouble from a performance/reliability
perspective. I leave it as an exercise to the reader to work out why...

 
 Jos Chrispijn
 



[us...@httpd] Apache processor usage

2009-07-22 Thread Oliver Marshall
We've got a machine here showing high processor usage for the Apache process.

Apache runs a few minor sites, but mainly it runs the SVN module for our SVN 
setup so I'm assuming it's that.

However, is there a way in Apache that I can find out more about what module of 
Apache may be responsible?

Olly



Re: [us...@httpd] Auth and server-side auto-login

2009-07-22 Thread Peter Schober
* Pascal S. Clermont pas...@clermont.cc [2009-07-21 21:53]:
 I want to secure some content from unauthorized access by using :
 
 AuthType Basic
 AuthName Authentication Required
 AuthUserFile /etc/secret/auth.users
 Require valid-user
 
 in one of my virtualhosts
 
 I would like to know if there is a possible way for apache to auto-login 
 anyone coming from the 192.168.1 network to a specific user?
 This would be great if it required 0 client-side setup ( completely 
 transparent ) and for the 192.168.2 network a login/pass would be asked 
 to the user.

http://httpd.apache.org/docs/2.2/en/mod/core.html#satisfy

For example, if you wanted to let people on your network have
unrestricted access to a portion of your website, but require that
people outside of your network provide a password, you could use a
configuration similar to the following:

Require valid-user
Order allow,deny
Allow from 192.168.1
Satisfy Any

cheers,
-peter






Re: [us...@httpd] Low priced certificate?

2009-07-22 Thread Peter Schober
* Mike -- EMAIL IGNORED m_d_berger_1...@yahoo.com [2009-07-22 01:46]:
 I am thinking of securing part of my low volume
 web site with SSL.  I went to some certificate
 authorities, and I was blown away by the prices.
 Are there any that are both cheap and widely recognized?

Jfyi: you might also try free and not widely recognized,
http://cacert.org/

Or STFW for cheap SSL certs. But you won't get below 60-80USD for a
year, I guess.
-peter




Re: [us...@httpd] Auth and server-side auto-login

2009-07-22 Thread André Warnier

Peter Schober wrote:

* Pascal S. Clermont pas...@clermont.cc [2009-07-21 21:53]:

I want to secure some content from unauthorized access by using :

AuthType Basic
AuthName Authentication Required
AuthUserFile /etc/secret/auth.users
Require valid-user

in one of my virtualhosts

I would like to know if there is a possible way for apache to auto-login 
anyone coming from the 192.168.1 network to a specific user?
This would be great if it required 0 client-side setup ( completely 
transparent ) and for the 192.168.2 network a login/pass would be asked 
to the user.


http://httpd.apache.org/docs/2.2/en/mod/core.html#satisfy

For example, if you wanted to let people on your network have
unrestricted access to a portion of your website, but require that
people outside of your network provide a password, you could use a
configuration similar to the following:

Require valid-user
Order allow,deny
Allow from 192.168.1
Satisfy Any


I don't think that this is exactly what the OP wanted.
With the configuration above, requests from 192.168.1.* will get 
through, but unauthenticated.
What the OP seemed to want, is that these requests /would/ be 
authenticated automatically as from user LOCAL-GUY e.g.
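To make André's distinction concrete, here is an added Python model (not httpd code and not from the thread) of how Require valid-user and Allow from 192.168.1 combine under Satisfy Any versus Satisfy All: local clients get through with no credentials and therefore no REMOTE_USER. The user file, names and passwords are constructed; the model also goes one step beyond the thread by showing that "Allow from 192.168.1" matches whole leading octets, so 192.168.10.x is not admitted.

```python
"""Model of the httpd 2.2 access decision for:

    Require valid-user
    Order allow,deny
    Allow from 192.168.1
    Satisfy Any

Hypothetical stand-in for mod_authz_host + mod_auth_basic, written to show what
each client ends up with; it is not httpd's own code.
"""
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def sha_entry(user: str, password: str) -> str:
    """One AuthUserFile line in htpasswd's {SHA} format (base64 of SHA-1)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# Constructed AuthUserFile contents; these users and passwords are invented.
AUTH_USER_FILE = "\n".join([sha_entry("alice", "correct horse"),
                            sha_entry("bob", "battery staple")])
USERS = dict(line.split(":", 1) for line in AUTH_USER_FILE.splitlines())


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(auth_header: Optional[str]) -> Optional[str]:
    """Return the authenticated user name, or None if the header is absent or wrong."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in USERS:
        return None
    expected = USERS[user]
    if hmac.compare_digest(expected, sha_entry(user, password).split(":", 1)[1]):
        return user
    return None


def allowed_by_network(client_ip: str, allow_from: str = "192.168.1") -> bool:
    """'Allow from 192.168.1' is a partial address: it matches whole leading octets.

    A plain string-prefix test would wrongly admit 192.168.10.x and 192.168.100.x.
    """
    want = allow_from.split(".")
    have = client_ip.split(".")
    return len(have) == 4 and have[:len(want)] == want


@dataclass
class Decision:
    allowed: bool
    remote_user: Optional[str]   # what a CGI would see as REMOTE_USER
    status: int


def decide(client_ip: str, auth_header: Optional[str], satisfy: str = "Any") -> Decision:
    """Combine the host check and the user check the way Satisfy Any / All do."""
    network_ok = allowed_by_network(client_ip)
    user = check_basic(auth_header)
    if satisfy == "Any":
        # Either check suffices: local clients pass with no credentials at all,
        # so REMOTE_USER stays unset for them (André's point in the thread).
        if network_ok or user is not None:
            return Decision(True, user, 200)
        return Decision(False, None, 401)      # challenge the outsider for a password
    # Satisfy All: host denial wins (403) before authentication is even tried.
    if not network_ok:
        return Decision(False, None, 403)
    if user is None:
        return Decision(False, None, 401)
    return Decision(True, user, 200)


if __name__ == "__main__":
    print(decide("192.168.1.20", None))
    print(decide("192.168.2.20", None))
    print(decide("192.168.2.20", basic_header("alice", "correct horse")))
```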





Re: [us...@httpd] Low priced certificate?

2009-07-22 Thread André Warnier

Peter Schober wrote:

* Mike -- EMAIL IGNORED m_d_berger_1...@yahoo.com [2009-07-22 01:46]:

I am thinking of securing part of my low volume
web site with SSL.  I went to some certificate
authorities, and I was blown away by the prices.
Are there any that are both cheap and widely recognized?


Jfyi: you might also try free and not widely recognized,
http://cacert.org/

Or STFW for cheap SSL certs. But you won't get below 60-80USD for a
year, I guess.


Just by personal curiosity, what are the normal price ranges for HTTP 
host certificates?







Re: [us...@httpd] Auth and server-side auto-login

2009-07-22 Thread Peter Schober
* André Warnier a...@ice-sa.com [2009-07-22 13:29]:
  Require valid-user
  Order allow,deny
  Allow from 192.168.1
  Satisfy Any
  
 I don't think that this is exactly what the OP wanted.

Then maybe Jim Fox's mod_auth_location will do?
http://staff.washington.edu/fox/authlocation/
-peter




Re: [us...@httpd] Low priced certificate?

2009-07-22 Thread Peter Schober
* Peter Schober peter.scho...@univie.ac.at [2009-07-22 12:29]:
 Or STFW for cheap SSL certs. But you won't get below 60-80USD for a
 year, I guess.

FWIW, I think GoDaddy's TurboSSL seems to be as cheap as it gets
(27USD per year, starting with 2 years). Don't know anything about
their services or browser compatibility though.
-peter




[us...@httpd] Virtual Hosts and mod_cache

2009-07-22 Thread Fábio Jr.

Hello all.

How can I set mod_cache to work in different ways in my different 
Virtual Hosts? Do I just put the IfModule directive and the options inside 
the VirtualHost, or must I make a default config for all of them?


Att.
   Fábio Jr.




[us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Nicholas Sherlock

Peter Schober wrote:

* Mike -- EMAIL IGNORED m_d_berger_1...@yahoo.com [2009-07-22 01:46]:

I am thinking of securing part of my low volume
web site with SSL.  I went to some certificate
authorities, and I was blown away by the prices.
Are there any that are both cheap and widely recognized?


Jfyi: you might also try free and not widely recognized,
http://cacert.org/


Won't certificates signed by them only be useful for internally-deployed 
apps? They're not a trusted root on Windows so random browsers on the 
web will just get an "UNTRUSTED SITE! Get me out of here!" message.


Cheers,
Nicholas Sherlock





[us...@httpd] Re: Virtual Hosts and mod_cache

2009-07-22 Thread Dan Poirier
Fábio Jr. fjuniorli...@gmail.com writes:

 Hello all.

 How can I set mod_cache to work in different ways in my different
 Virtual Hosts? Do I just put the IfModule directive and the options

The same as most anything in an Apache config.  See
http://httpd.apache.org/docs/2.2/sections.html

-- 
Dan Poirier poir...@pobox.com





Re: [us...@httpd] Auth and server-side auto-login

2009-07-22 Thread André Warnier

Peter Schober wrote:

* André Warnier a...@ice-sa.com [2009-07-22 13:29]:

Require valid-user
Order allow,deny
Allow from 192.168.1
Satisfy Any


I don't think that this is exactly what the OP wanted.


Then maybe Jim Fox's mod_auth_location will do?
http://staff.washington.edu/fox/authlocation/


Yes.  That looks very close.
Thanks for the link, I did not know this module, and it looks interesting.






RE: [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Boyle Owen
 -Original Message-
 From: news [mailto:n...@ger.gmane.org] On Behalf Of Nicholas Sherlock
  
  Jfyi: you might also try free and not widely recognized,
  http://cacert.org/
 
 Won't certificates signed by them only be useful for internally-deployed 
 apps? They're not a trusted root on Windows so random browsers on the 
 web will just get an "UNTRUSTED SITE! Get me out of here!" message.

Hopefully...

It's worth remembering what a certificate is for; it is a document,
undersigned by a third-party, that confirms that you are who you say you
are. The third-party certificate signing authority is putting their
reputation on the line and has a moral (even a legal) obligation to be
certain you are bona fide.

A certificate is not some random obstacle that makes SSL websites pesky
to set up - it is an essential security feature that protects web-users
from fraud. So, of course it should cost you (as e-commerce operator)
money and effort.

Trying to get a cheap cert for your site is like a bus company getting
cheap tyres for their buses...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

 
 Cheers,
 Nicholas Sherlock
 
 



Re: [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread André Warnier

Boyle Owen wrote:
...



It's worth remembering what a certificate is for; it is a document,
undersigned by a third-party, that confirms that you are who you say you
are. The third-party certificate signing authority is putting their
reputation on the line and has a moral (even a legal) obligation to be
certain you are bona fide.

A certificate is not some random obstacle that makes SSL websites pesky
to set up - it is an essential security feature that protects web-users
from fraud. So, of course it should cost you (as e-commerce operator)
money and effort.

Trying to get a cheap cert for your site is like a bus company getting
cheap tyres for their buses...



While not contradicting the essence of the above, I would like to know 
something for my own edification, if some expert could comment.


We are a services company, and provide websites to select customers, for 
their own usage. We know these customers, they know us, and there are 
not thousands of them (merely hundreds).
We store information in these websites for those customers.  Sometimes 
this information is relatively private, for the customer.
(It is not however of the top secret - defense variety, nor banking 
etc...)


We would like to offer to our customers, the possibility of connecting 
to their websites using HTTPS instead of HTTP.
This is merely so that it would be harder for foreign people to easily 
intercept the data being exchanged between the webserver and the 
browsers of our customers.


It is my understanding that we could set up our own certificate 
authority (CA) and create our own server certificates.  A customer 
browser, upon the first connection, would pop up some message indicating 
that it cannot verify this certificate, and offering maybe to 
authorise our own CA as a valid one.  Once they did this, the popup 
would not happen again, and their communications with the website would 
be encrypted (which is the main point of the exercise).


I understand that, in case their DNS system is compromised, they could 
land onto another website pretending to be ours, and thus accept this 
other website certificate and CA.
But I consider this possibility as relatively unlikely, and easily 
detected by the customers themselves once they proceed. (*)


Is anything wrong with the above thinking?

Thanks for comments.


(*) because each customer application is specific, and in order to fool 
a customer, the miscreant would have to duplicate this application, the 
data etc..





Re: [us...@httpd] Auth and server-side auto-login

2009-07-22 Thread Pascal S. Clermont

André Warnier wrote:

Peter Schober wrote:

* André Warnier a...@ice-sa.com [2009-07-22 13:29]:

Require valid-user
Order allow,deny
Allow from 192.168.1
Satisfy Any


I don't think that this is exactly what the OP wanted.


Then maybe Jim Fox's mod_auth_location will do?
http://staff.washington.edu/fox/authlocation/


Yes.  That looks very close.
Thanks for the link, I did not know this module, and it looks 
interesting.
A conjunction of network based auth + SetEnvIf Remote_Addr 
^192\.168\.1\.\d{1,3}$ REMOTE_USER=LOCAL_IP might be suitable for my 
current needs.

I will look into mod_auth_location.

Thanks for all the insight,

Pascal




RE: [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Boyle Owen
 -Original Message-
 From: André Warnier [mailto:a...@ice-sa.com] 
 Sent: Wednesday, July 22, 2009 3:09 PM
 To: users@httpd.apache.org
 Subject: Re: [us...@httpd] Re: Low priced certificate?
 
 
 We are a services company, and provide websites to select 
 customers, for 
 their own usage. We know these customers, they know us, and there are 
 not thousands of them (merely hundreds).
 We store information in these websites for those customers.  
 Sometimes 
 this information is relatively private, for the customer.
 (It is not however of the top secret - defense variety, nor banking 
 etc...)
 
 We would like to offer to our customers, the possibility of 
 connecting 
 to their websites using HTTPS instead of HTTP.
 This is merely so that it would be harder for foreign 
 people to easily 
 intercept the data being exchanged between the webserver and the 
 browsers of our customers.

If you have a private application (in the sense that server-owner and clients 
already know each other and only want to encrypt traffic), then of course you 
can use a self-signed cert. In this case you are getting encryption (protection 
from eavesdropping) but no authentication (which you don't care about because 
you already know each other).

The cause of much of the confusion is the fact that SSL certs provide *two* 
functions; they contain a key that allows you to set up an encrypted channel, 
but they also contain a document that attests the ownership of the domain. This 
second feature is essential in an e-commerce environment where the server and 
client are not known to each other a priori. 

If you were a shopkeeper and wanted to send your takings off to the bank, you 
might request the bank to send round a security van. When the van arrives, 
would you check the driver's credentials? Obviously you should in case some 
crooks were tapping your phone line and had turned up first in a stolen van 
with fake uniforms. If you don't check the credentials, your money will be safe 
in transit, but might not actually be going to the bank :-)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

 
 It is my understanding that we could set up our own certificate 
 authority (CA) and create our own server certificates.  A customer 
 browser, upon the first connection, would pop up some message 
 indicating 
 that it cannot verify this certificate, and offering maybe to 
 authorise our own CA as a valid one.  Once they did this, the popup 
 would not happen again, and their communications with the 
 website would 
 be encrypted (which is the main point of the exercise).
 
 I understand that, in case their DNS system is compromised, 
 they could 
 land onto another website pretending to be ours, and thus accept this 
 other website certificate and CA.
 But I consider this possibility as relatively unlikely, and easily 
 detected by the customers themselves once they proceed. (*)
 
 Is anything wrong with the above thinking?
 
 Thanks for comments.
 
 
 (*) because each customer application is specific, and in order to fool 
 a customer, the miscreant would have to duplicate this application, the 
 data etc..
 



[us...@httpd] [OT] [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Peter Schober
* Boyle Owen owen.bo...@six-group.com [2009-07-22 14:43]:
  -Original Message-
  From: news [mailto:n...@ger.gmane.org] On Behalf Of Nicholas Sherlock
   
   Jfyi: you might also try free and not widely recognized,
   http://cacert.org/
  
  Won't certificates signed by them only be useful for internally-deployed 
  apps? They're not a trusted root on Windows so random browsers on the 
  web will just get an "UNTRUSTED SITE! Get me out of here!" message.

You certainly can use any CA you want for anything you want.
For internal deployments you might as well skip SSL or roll your own
CA or whatever.
Either way, people have found cacert to be useful for their
requirements.

 It's worth remembering what a certificate is for; it is a document,
 undersigned by a third-party, that confirms that you are who you say you
 are. The third-party certificate signing authority is putting their
 reputation on the line and has a moral (even a legal) obligation to be
 certain you are bona fide.

In contrast to the checks most commercial offerings provide cacert
actually does verify who you are, via a web of trust (cf. pgp web of
trust), rules and documented procedures (afaik not RFC 3647-style, but
still).

A bit dated, but I'm sure you can find more recent similar exploits:

http://www.cert.org/advisories/CA-2001-04.html
This problem is the result of a failure by the certificate authority
to correctly authenticate the recipient of a certificate. Verisign has
taken the appropriate action by revoking the certificates in
question. However, this in itself is insufficient to prevent the
malicious use of these certificates until a patch has been installed,
because Internet Explorer does not check for such revocations
automatically. Indeed, because the Certificates issued by Verisign do
not contain any information regarding where to check for a revocation,
Internet Explorer, or any browser, is unable to check for revocations
of these certificates.

Only recently the commercial offerings started offering the checks
they should always have done in the first place. But now with a
special price tag for extended validation certs...

But of course cacert only works where people import their root CA
(and/or intermediate CA) themselves or have this done by someone.
At least until cacert manages to be included in web browser and/or OS
distributions.
Also their policy states what kind of transactions you may or may
not rely on using their certs.

All this for a simple jfyi...

 Trying to get a cheap cert for your site is like a bus company
 getting cheap tyres for their buses...

Only that all bits are created equal (tyres are not, I suppose).
At least as long as MD5 is not used for the certs anymore[1] :)
The difference is in the checks performed by the CAs prior to issuing
any certificates, not the resulting artefact (cert, tyre).
-peter

[1] http://www.phreedom.org/research/rogue-ca/




Re: [us...@httpd] Auth and server-side auto-login

2009-07-22 Thread Nick Kew

Pascal S. Clermont wrote:

A conjunction of network based auth + SetEnvIf Remote_Addr 
^192\.168\.1\.\d{1,3}$ REMOTE_USER=LOCAL_IP might be suitable for my 
current needs.


That looks like a re-invention of Satisfy Any.
If you are re-inventing a wheel, kudos for NOT doing
the usual thing and hacking it with mod_rewrite!

But I could be missing something from earlier in the thread :)

--
Nick Kew




Re: [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Joseph Morgan

It sounds to me like you are hosting their sites... meaning you have 
virtual hosts, etc.? 

If I go to my bank and open a checking account... fine... it's free.  
However, if I want a safe deposit box, I'll have to pay... unless... 
maybe if I keep X amount of money deposit accounts with the bank...

Then why not just pass the cost of obtaining legitimate certs onto those 
customers, unless they're a big money customer... then what do you care 
the cost?   Wouldn't that solve all of your problems?


André Warnier wrote:
 Boyle Owen wrote:
 ...


 It's worth remembering what a certificate is for; it is a document,
 undersigned by a third-party, that confirms that you are who you say you
 are. The third-party certificate signing authority is putting their
 reputation on the line and has a moral (even a legal) obligation to be
 certain you are bona fide.

 A certificate is not some random obstacle that makes SSL websites pesky
 to set up - it is an essential security feature that protects web-users
 from fraud. So, of course it should cost you (as e-commerce operator)
 money and effort.

 Trying to get a cheap cert for your site is like a bus company getting
 cheap tyres for their buses...


 While not contradicting the essence of the above, I would like to know 
 something for my own edification, if some expert could comment.

 We are a services company, and provide websites to select customers, 
 for their own usage. We know these customers, they know us, and there 
 are not thousands of them (merely hundreds).
 We store information in these websites for those customers.  Sometimes 
 this information is relatively private, for the customer.
 (It is not however of the top secret - defense variety, nor banking 
 etc...)

 We would like to offer to our customers, the possibility of connecting 
 to their websites using HTTPS instead of HTTP.
 This is merely so that it would be harder for foreign people to 
 easily intercept the data being exchanged between the webserver and 
 the browsers of our customers.

 It is my understanding that we could set up our own certificate 
 authority (CA) and create our own server certificates.  A customer 
 browser, upon the first connection, would pop up some message 
 indicating that it cannot verify this certificate, and offering maybe 
 to authorise our own CA as a valid one.  Once they did this, the 
 popup would not happen again, and their communications with the 
 website would be encrypted (which is the main point of the exercise).

 I understand that, in case their DNS system is compromised, they could 
 land onto another website pretending to be ours, and thus accept this 
 other website certificate and CA.
 But I consider this possibility as relatively unlikely, and easily 
 detected by the customers themselves once they proceed. (*)

 Is anything wrong with the above thinking ?

 Thanks for comments.


 (*) because each customer application is specific, and in order to 
 fool a customer, the miscreant would have to duplicate this 
 application, the data etc..

 -
 The official User-To-User support forum of the Apache HTTP Server 
 Project.
 See  for more info.
 To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  from the digest: users-digest-unsubscr...@httpd.apache.org
 For additional commands, e-mail: users-h...@httpd.apache.org






Re: [us...@httpd] Auth and server-side auto-login

2009-07-22 Thread Peter Schober
* Nick Kew n...@webthing.com [2009-07-22 15:41]:
 Pascal S. Clermont wrote:
 
  A conjunction of network based auth + SetEnvIf Remote_Addr 
  ^192\.168\.1\.\d{1,3}$ REMOTE_USER=LOCAL_IP might be suitable for my 
  current needs.
 
 That looks like a re-invention of Satisfy Any.
 If you are re-inventing a wheel, kudos for NOT doing
 the usual thing and hacking it with mod_rewrite!
 
 But I could be missing something from earlier in the thread :)

Besides a recommendation to use satisfy any: question was whether
it's important to have some identifier in REMOTE_USER (speaking
CGI-ly). If you can't modify the application (to use REMOTE_ADDR
unless REMOTE_USER was set) doing this mapping in the webserver might
help.
-peter




Re: [us...@httpd] Auth and server-side auto-login

2009-07-22 Thread André Warnier

Nick Kew wrote:

Pascal S. Clermont wrote:

A conjunction of network based auth + SetEnvIf Remote_Addr 
^192\.168\.1\.\d{1,3}$ REMOTE_USER=LOCAL_IP might be suitable for 
my current needs.


That looks like a re-invention of Satisfy Any.
If you are re-inventing a wheel, kudos for NOT doing
the usual thing and hacking it with mod_rewrite!

But I could be missing something from earlier in the thread :)


Ah, we got an expert on the line !
Rephrasing the original question :
- an Apache application of which we do not have the source code and 
cannot thus modify, requires an Apache authenticated user-id
- however, for the select group of users accessing the application from 
the network 192.168.1.0, we want to save them the bother of logging in, 
and automatically attribute them the user-id of "internal".


Question : is there any combination of standard Apache 
directives/modules which can achieve that ?






Re: [us...@httpd] Auth and server-side auto-login

2009-07-22 Thread André Warnier

André Warnier wrote:

Nick Kew wrote:

Pascal S. Clermont wrote:

A conjunction of network based auth + SetEnvIf Remote_Addr 
^192\.168\.1\.\d{1,3}$ REMOTE_USER=LOCAL_IP might be suitable for 
my current needs.


That looks like a re-invention of Satisfy Any.
If you are re-inventing a wheel, kudos for NOT doing
the usual thing and hacking it with mod_rewrite!

But I could be missing something from earlier in the thread :)


Ah, we got an expert on the line !
Rephrasing the original question :
- an Apache application of which we do not have the source code and 
cannot thus modify, requires an Apache authenticated user-id
- however, for the select group of users accessing the application from 
the network 192.168.1.0, we want to save them the bother of logging in, 
and automatically attribute them the user-id of "internal".


Question : is there any combination of standard Apache 
directives/modules which can achieve that ?



... and to make the question even more explicit:
Deep down in Apache's request record for the current request, there is 
a field which contains the authenticated user-id for this request, thus 
available to any other Apache module (not only to cgi scripts).
I have a doubt that merely setting the Apache variable REMOTE_USER 
would auto-magically set this field.

But maybe I'm wrong.





Re: [us...@httpd] Auth and server-side auto-login

2009-07-22 Thread Nick Kew

André Warnier wrote:


... and to make the question even more explicit:
Deep down in Apache's request record for the current request, there is 
a field which contains the authenticated user-id for this request, thus 
available to any other Apache module (not only to cgi scripts).
I have a doubt that merely setting the Apache variable REMOTE_USER 
would auto-magically set this field.


That's r->user, which is presented to CGI (and things that adopt or
embrace and extend CGI) as REMOTE_USER.  Most applications (except
authz modules) use REMOTE_USER, so won't need r->user.

Is your application implemented as a module or modules, or is it
external to the server?

--
Nick Kew
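A configuration that does what Pascal proposed and Nick describes, written here as an added example rather than anything posted in the thread. Apache 2.2 syntax; the /app location, the htpasswd path and the LAN range 192.168.1.0/24 are assumptions (the range and the user-id "internal" are the ones André asked about).

```apache
# Added example, not from the thread. Apache 2.2. Assumed: the application
# is mounted at /app and users are kept in the htpasswd file named below.
<Location /app>
    # Users outside the LAN authenticate; r->user is set from the login name.
    AuthType Basic
    AuthName "Application login"
    AuthUserFile /etc/httpd/conf/app.htpasswd
    Require valid-user

    # mod_authz_host: only the 192.168.1.0/24 LAN passes the host check.
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24

    # Satisfy Any: a request is admitted when it passes the host check OR
    # authenticates. Clients on the LAN are therefore never challenged.
    Satisfy Any

    # Clients admitted by address were never authenticated, so r->user stays
    # empty and programs reading the CGI environment would see no REMOTE_USER.
    # mod_setenvif supplies one. The pattern only matches the LAN, which under
    # Satisfy Any is never challenged, so it cannot shadow a real login.
    SetEnvIf Remote_Addr "^192\.168\.1\.\d{1,3}$" REMOTE_USER=internal
</Location>
```

Check the file with httpd -t, then request /app from a LAN address and from outside: the first should be served with REMOTE_USER=internal in the application's environment, the second gets a 401 until it logs in. Two things to keep in mind: Remote_Addr is the TCP peer, so if a reverse proxy or load balancer sits in front of this server every client looks like the proxy and the address exemption must not be used at all; and "internal" is a shared identity, so whatever the application logs under it cannot be traced to a person. Modules that inspect r->user itself (the authz modules Nick mentions) still see no user for LAN clients.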




[us...@httpd] ldap: Removing controls in sublocations

2009-07-22 Thread Markus Werle
Hi!

After digging hard through docs and other resources it still remains unclear
to me how to relax access restrictions in sublocations.

From http://httpd.apache.org/docs/2.2/en/mod/core.html#require I learned how
to do this for directories, but after some tries I get the impression this
works only in the way shown:

<Directory /path/to/protected/>
    Require user david
</Directory>
<Directory /path/to/protected/unprotected>
    # All access controls and authentication are disabled
    # in this directory
    Satisfy Any
    Allow from all
</Directory>


What I want is the reverse thing *and* the usage of Location:
Something along the lines

<Location /svn>
    # ... LDAP via AD stuff cut off ...
    Order deny,allow
    Deny from all
</Location>
<Location /svn/SOME_REPO>
    Satisfy Any
    Require ldap-attribute distinguishedName=WHATEVER
</Location>

This kind of thing did not work for me.
Am I missing something?

(I am using Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i SVN/1.6.1 
PHP/5.2.9)
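One way to write the "reverse" layout Markus wants with the gate made explicit, as an added example rather than his configuration. The LDAP lines his post cut off are replaced by placeholder values (directory host, base DN, bind account); the repository name and the attribute test are his. Apache 2.2 with mod_authnz_ldap.

```apache
# Added example, not from the thread. Apache 2.2 + mod_authnz_ldap.
# PLACEHOLDER values stand in for the LDAP details the original post omitted.
<Location /svn>
    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ad.example.invalid/DC=example,DC=invalid?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-apache,OU=Service,DC=example,DC=invalid"
    AuthLDAPBindPassword "PLACEHOLDER"

    # Default for everything under /svn: nobody gets in. A repository is only
    # reachable through a section of its own, like the one below.
    Order Deny,Allow
    Deny from all
</Location>

<Location /svn/SOME_REPO>
    # A nested <Location> with no Order/Allow/Deny of its own inherits the
    # outer "Deny from all" wholesale; with Satisfy Any that leaves LDAP as
    # the only way in, but it reads as if access were still denied. Restate
    # the host check so the intent is visible ...
    Order Allow,Deny
    Allow from all
    # ... and keep Satisfy All (the default) so that the LDAP attribute test
    # is a mandatory gate, not an alternative to one. "Satisfy Any" together
    # with "Allow from all" would open the repository to everyone, which is
    # exactly what the core.html#require example uses it for.
    Satisfy All
    Require ldap-attribute distinguishedName=WHATEVER
</Location>
```

The inner section inherits AuthType, AuthBasicProvider and the AuthLDAP* directives from /svn, so only the host check and the Require need restating. If the attribute test itself fails, run with LogLevel debug for a moment: mod_authnz_ldap logs each authorisation comparison it performs, which shows whether the user was found and what value was compared.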








Re: [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Mark H. Wood
On Wed, Jul 22, 2009 at 02:43:10PM +0200, Boyle Owen wrote:
 It's worth remembering what a certificate is for; it is a document,
 undersigned by a third-party, that confirms that you are who you say you
 are. The third-party certificate signing authority is putting their
 reputation on the line and has a moral (even a legal) obligation to be
 certain you are bona fide.

Hear, hear.  It's about time there was some general awareness of what a
certificate *means*.
 
 A certificate is not some random obstacle that makes SSL websites pesky
 to set up - it is an essential security feature that protects web-users
 from fraud. So, of course it should cost you (as e-commerce operator)
 money and effort.

I want to second this, with a caveat.  I don't see that a certificate
should cost any particular sum.  I do see that one reason for a
good-quality certificate to cost so much is that it costs the issuer
nearly that much to investigate your claim of identity.

Some certificates don't cost very much because the assurance they
actually represent is not worth very much.  And a few of your
customers *do* read cert. issuers' Certification Practice Statements.

That said, the most expensive gold-plated cert. you can buy may not be
worth much more, in your application, than one you could get for half
as much.  If it were my business I'd go for the midrange with a
company I already know something about.

You might want to talk to your lawyer about your duty of care in
protecting your customers' transactions, too.  He may have specific
advice on what you need to look for to get a reasonable balance
between cost and protection.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Mark H. Wood
On Wed, Jul 22, 2009 at 03:09:25PM +0200, André Warnier wrote:
 While not contradicting the essence of the above, I would like to know 
 something for my own edification, if some expert could comment.

I don't think of myself as an expert, but I'm free with my opinions. :-)

[a desire to secure communication among a small, select group using SSL]
 It is my understanding that we could set up our own certificate authority 
 (CA) and create our own server certificates.  A customer browser, upon the 
 first connection, would pop up some message indicating that it cannot verify 
 this certificate, and offering maybe to authorise our own CA as a valid 
 one.  Once they did this, the popup would not happen again, and their 
 communications with the website would be encrypted (which is the main point 
 of the exercise).

 I understand that, in case their DNS system is compromised, they could land 
 onto another website pretending to be ours, and thus accept this other 
 website certificate and CA.
 But I consider this possibility as relatively unlikely, and easily detected 
 by the customers themselves once they proceed. (*)

 Is anything wrong with the above thinking ?

I don't think there's anything wrong, since your judgment of your risk
is your own to make, but I do want to suggest that you might consider
delivering your CA certificate in advance by other means.

A CA certificate, in isolation, is an *unsubstantiated*, *untestable*
assertion of identity and authority.  It should be delivered either
directly from the CA to the trusting party, or via a mutually trusted
third party.  (If you have a site which is secured by a commercial
certificate that your partners can verify, that might qualify as a
trusted mechanism.)

I dislike the idea of training people to accept identity proofs from
sources that could turn out to be random strangers, or to bypass
warnings.  Unlikely though such an attack may be, such training sets
people up to think in ways that tend to compromise security.  It
should be the norm to expect a verifiable exchange when agreeing to
trust.

I do think it is quite sensible to set up a private CA for the purpose
you describe, and to rely on its certificates for privacy.  I only
think that the distribution of the CA's own certificate should be
done very carefully, since it is the key to the whole security
infrastructure that you want to build.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
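The Apache side of Mark's suggestion, delivering the private CA certificate through a site that already carries a commercially signed certificate, as an added example and not a configuration from the thread. Apache 2.2 mod_ssl; the host names, the 192.0.2.x addresses, the file paths and the /ca/ URL are assumptions, and each host gets its own address so the example does not depend on SNI support.

```apache
# Added example, not from the thread. Apache 2.2 mod_ssl; names, addresses
# (192.0.2.0/24 is the documentation range) and paths are assumptions.
# "Listen 443" is normally already present in ssl.conf; keep a single copy.

# 1. The public site: commercially signed, so every browser verifies it with
#    no prior setup. It is the "mutually trusted third party" through which
#    customers obtain the private root.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.invalid
    DocumentRoot /srv/www/public
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/www.example.invalid.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/www.example.invalid.key
    SSLCertificateChainFile /etc/pki/tls/certs/commercial-intermediate.crt

    # The root certificate is public data. Its private key stays on the
    # (ideally offline) CA machine and is never placed under a web root.
    Alias /ca/ /srv/www/ca-public/
    <Directory /srv/www/ca-public>
        Options None
        AllowOverride None
        Order Allow,Deny
        Allow from all
        # Served with this type, browsers offer to import the file as a CA.
        AddType application/x-x509-ca-cert .crt
    </Directory>
</VirtualHost>

# 2. A customer site: its certificate is issued by the private CA, so once the
#    root is installed the browser shows no warning, and a look-alike host with
#    a self-made certificate cannot reproduce that silence.
<VirtualHost 192.0.2.11:443>
    ServerName customer1.example.invalid
    DocumentRoot /srv/www/customer1
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/customer1.example.invalid.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/customer1.example.invalid.key
    # The issuing CA's certificate (the intermediate, or the root if it signs
    # directly), sent with the server certificate so the client can chain it.
    SSLCertificateChainFile /etc/pki/tls/certs/private-issuing-ca.crt
</VirtualHost>
```

Publish the root's fingerprint (openssl x509 -noout -fingerprint -sha1 -in private-root-ca.crt) on the same page, so a customer can compare it with what the import dialog shows. The payoff is the one Mark describes: customers who installed the root this way never see a certificate warning on the customer sites, so the warning is not something they learn to click through, and an unexpected one becomes a signal worth reporting.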




Re: [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Joseph Morgan

That said, the most expensive gold-plated cert. you can buy may not be
worth much more, in your application, than one you could get for half
as much.

This is absolutely correct...except that some may appreciate the fact 
that you're using the gold-plated cert.
That is, it sounds much better to say someone is protected by the Secret 
Service than Jim's Armed Guards,
even though all of Jim's employees may indeed be ex-Secret Service. 

In the cert world, your customers would likely rather see that your 
certs are signed by Verisign than by
pimpmycert.com

Mark H. Wood wrote:
 On Wed, Jul 22, 2009 at 02:43:10PM +0200, Boyle Owen wrote:
   
 It's worth remembering what a certificate is for; it is a document,
 undersigned by a third-party, that confirms that you are who you say you
 are. The third-party certificate signing authority is putting their
 reputation on the line and has a moral (even a legal) obligation to be
 certain you are bona fide.
 

 Hear, hear.  It's about time there was some general awareness of what a
 certificate *means*.
  
   
 A certificate is not some random obstacle that makes SSL websites pesky
 to set up - it is an essential security feature that protects web-users
 from fraud. So, of course it should cost you (as e-commerce operator)
 money and effort.
 

 I want to second this, with a caveat.  I don't see that a certificate
 should cost any particular sum.  I do see that one reason for a
 good-quality certificate to cost so much is that it costs the issuer
 nearly that much to investigate your claim of identity.

 Some certificates don't cost very much because the assurance they
 actually represent is not worth very much.  And a few of your
 customers *do* read cert. issuers' Certification Practice Statements.

 That said, the most expensive gold-plated cert. you can buy may not be
 worth much more, in your application, than one you could get for half
 as much.  If it were my business I'd go for the midrange with a
 company I already know something about.

 You might want to talk to your lawyer about your duty of care in
 protecting your customers' transactions, too.  He may have specific
 advice on what you need to look for to get a reasonable balance
 between cost and protection.

   



Re: [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread János Löbb


On Jul 22, 2009, at 11:40 AM, Mark H. Wood wrote:


On Wed, Jul 22, 2009 at 03:09:25PM +0200, André Warnier wrote:
While not contradicting the essence of the above, I would like to  
know

something for my own edification, if some expert could comment.


I don't think of myself as an expert, but I'm free with my  
opinions. :-)


[a desire to secure communication among a small, select group using  
SSL]
It is my understanding that we could set up our own certificate  
authority
(CA) and create our own server certificates.  A customer browser,  
upon the
first connection, would pop up some message indicating that it  
cannot verify
this certificate, and offering maybe to authorise our own CA as a  
valid

one.  Once they did this, the popup would not happen again, and their
communications with the website would be encrypted (which is the  
main point

of the exercise).

I understand that, in case their DNS system is compromised, they  
could land
onto another website pretending to be ours, and thus accept this  
other

website certificate and CA.
But I consider this possibility as relatively unlikely, and easily  
detected

by the customers themselves once they proceed. (*)

Is anything wrong with the above thinking ?


I don't think there's anything wrong, since your judgment of your risk
is your own to make, but I do want to suggest that you might consider
delivering your CA certificate in advance by other means.

A CA certificate, in isolation, is an *unsubstantiated*, *untestable*
assertion of identity and authority.


A good CA is similar to good wine.  It is getting better with age.   
One of the oldest unsubstantiated and untestable assertion of identity  
and authority was announced by Jesus about 2000 years ago:  I am who  
I am ..and with time about 2 billion people know it :)




 It should be delivered either
directly from the CA to the trusting party, or via a mutually trusted
third party.  (If you have a site which is secured by a commercial
certificate that your partners can verify, that might qualify as a
trusted mechanism.)

I dislike the idea of training people to accept identity proofs from
sources that could turn out to be random strangers, or to bypass
warnings.  Unlikely though such an attack may be, such training sets
people up to think in ways that tend to compromise security.  It
should be the norm to expect a verifiable exchange when agreeing to
trust.

I do think it is quite sensible to set up a private CA for the purpose
you describe, and to rely on its certificates for privacy.  I only
think that the distribution of the CA's own certificate should be
done very carefully, since it is the key to the whole security
infrastructure that you want to build.

--
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.






Re: [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Peter Schober
* Joseph Morgan josephmmor...@hotmail.com [2009-07-22 17:47]:
 In the cert world, your customers would likely rather see that your 
 certs are signed by Verisign than by
 pimpmycert.com

As if they could tell the difference.
If both root CAs are in the browser's root chain, why shouldn't they
trust a certificate signed by pimpmycert.com as well? If the only
competitive edge your business has is the brand recognition of the CA
that signed your webserver's public key, you're in trouble.

@André: By all means get a commercial cert with decent browser
coverage and be done with it. The money spent (see previous mails) is
nothing compared to getting hundreds of customers to accept your
homegrown CA (and manage that in the future, as well).
-peter







[us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Nicholas Sherlock

André Warnier wrote:
It is my understanding that we could set up our own certificate 
authority (CA) and create our own server certificates.  A customer 
browser, upon the first connection, would pop up some message indicating 
that it cannot verify this certificate, and offering maybe to 
authorise our own CA as a valid one.  Once they did this, the popup 
would not happen again, and their communications with the website would 
be encrypted (which is the main point of the exercise).


An attacker can use precisely the same mechanism to serve their own 
certificate. Your website will have carefully trained the user in 
advance to ignore all security warnings and accept the rogue 
certificate. What a waste of time. The only thing you're protecting 
against is a passive attacker.


Cheers,
Nicholas Sherlock





[us...@httpd] Falling off the end of a directory listing

2009-07-22 Thread Paul Leder

I've spent the last hour Googling this, without success...

Problem: is there some way to allow a directory listing which includes a 
'parent' link, but *only* up to a specified top level?


In more detail, I have a site which is rooted at /var/www/html/foo. 
There are some download files, which I've placed in a directory 
structure at /var/www/html/foo/downloads. The user can reach the 
download directory at http://www.bar.com/downloads.


There is quite a complex directory structure at 'downloads', so I've 
enabled directory listing. The problem is that the user can navigate up 
through the parent links all the way up to /var/www/html/foo, at which 
point they get a canned version of the main site in the download window.


This doesn't really matter if the user entered the downloads URL 
directly in a full-sized browser window; they just see the website. 
However, the normal way to get to the downloads is via a link on the 
site, which opens a small pop-up window. If they navigate up too far in 
this pop-up then they just see a mess.


Ideally, the 'parent' link should disappear when the user reaches 
/var/www/html/foo/downloads.


Any ideas?

Thanks -

Paul




Re: [us...@httpd] Low priced certificate?

2009-07-22 Thread Lists

Mike -- EMAIL IGNORED wrote:

I am thinking of securing part of my low volume
web site with SSL.  I went to some certificate
authorities, and I was blown away by the prices.
Are there any that are both cheap and widely recognized?

Thanks for your help.
Mike.


So, all this education/lecturing on certificates, but
very little that is in reply to the OP's question. ;-)

I use geotrust quite a bit, but have a project where
I could use the same information that the OP posed.

...currently looking into:
RapidSSL
register.com
GoDaddy
DigiCert
comodo.com
www.instantssl.com
and now: cacert.org

I only have a little experience with comodo and
there were a few hiccups along the way (transferring/renewing).
The rest I know little to nothing about, so would appreciate
any feedback.

Donovan



--
  =o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
  D. BROOKE   EUCA Design Center
   WebDNA Software Corp.
  WEB: http://www.euca.us  |   http://www.webdna.us
  =o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
  WebDNA: [** Square Bracket Utopia **]




Re: [us...@httpd] Re: Low priced certificate?

2009-07-22 Thread Nick Kew

Nicholas Sherlock wrote:

An attacker can use precisely the same mechanism to serve their own 
certificate. Your website will have carefully trained the user in 
advance to ignore all security warnings and accept the rogue 
certificate. What a waste of time. The only thing you're protecting 
against is a passive attacker.


Verified by Visa is blazing the trail in training users to give
their credentials to any tom, dick and harry who asks for them
under the right-looking banner.  Who can compete with that?

--
Nick Kew




Re: [us...@httpd] Transparent Proxy Server Installation

2009-07-22 Thread Brian Kim
Hi.

As Andre mentioned, the browser needs a configuration for proxy.

However, the transparent proxy allows users to access WWW without any
configuration.

In fact, I am using Forward Proxy now and the reverse proxy seems to
be the proxy that I meant.

Am I right? Can anybody confirm this?


On Tue, Jul 21, 2009 at 6:24 PM, André Warniera...@ice-sa.com wrote:
 Brian Kim wrote:
 ...
 I don't know about transparent proxy, but I think what you are talking
 about is a forward proxy.
 Have you read this on-line Apache documentation ?

 http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
 and in particular the section :
 Forward Proxies and Reverse Proxies/Gateways

 ?

 You don't need to play with IPTables for this, at least not between your
 internal client stations and the Apache forward proxy server.
 But your client workstations browsers need to be configured to use the
 Apache server as a HTTP proxy.

 Note that if this Apache server is directly connected to the internet, you
 must protect this forward proxy function, so that it will be *only*
 available to your internal clients.  Otherwise anyone could use your proxy
 to access other sites, and these accesses would be traced back to you.
 Read the above documentation carefully.


 -
 The official User-To-User support forum of the Apache HTTP Server Project.
 See URL:http://httpd.apache.org/userslist.html for more info.
 To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
     from the digest: users-digest-unsubscr...@httpd.apache.org
 For additional commands, e-mail: users-h...@httpd.apache.org
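The forward-proxy lockdown André insists on, as an added example (not his or Brian's configuration). Apache 2.2 mod_proxy with mod_proxy_http and mod_proxy_connect loaded; the listening port and the trusted network range are assumptions.

```apache
# Added example, not from the thread. Apache 2.2; assumes mod_proxy,
# mod_proxy_http and mod_proxy_connect are loaded. Port and LAN range assumed.
Listen 3128
<VirtualHost *:3128>
    ServerName proxy.internal.example.invalid

    # ProxyRequests On is what makes this a forward proxy. Without the
    # <Proxy *> block below, anyone who can reach port 3128 relays traffic
    # through this host, and the sites they visit log only your address.
    ProxyRequests On
    ProxyVia On

    <Proxy *>
        Order Deny,Allow
        Deny from all
        Allow from 192.168.0.0/16
        Allow from 127.0.0.1
    </Proxy>

    # CONNECT (https:// through the proxy) is limited to the TLS port so the
    # proxy cannot be used as a generic TCP relay to arbitrary services.
    AllowCONNECT 443

    # Keep a dedicated log of what was relayed and for whom.
    LogFormat "%h %l %u %t \"%r\" %>s %b" proxylog
    CustomLog logs/proxy_access_log proxylog
</VirtualHost>
```

Verify from outside the allowed range that a proxied request is refused with 403 before exposing the port. On Brian's underlying question: a reverse proxy fronts your own servers for clients that connect to it by name, so it does not remove the need for browser configuration when the goal is to proxy arbitrary outbound traffic; that is the transparent (intercepting) case Nick says mod_proxy does not support on its own.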






Re: [us...@httpd] Transparent Proxy Server Installation

2009-07-22 Thread Nick Kew

Brian Kim wrote:

Hi. All. I am a beginner. So I really need somebody's help.

I have asked a question about the transparent http apache server.

Nobody answers it yet, so I ask it again and add what I have done until now.


I haven't answered, because I'd need to look it up, and I haven't
found time.

Last I recollect, transparent proxying support isn't in mod_proxy.
However, there's a simple patch somewhere in bugzilla. As I
recollect it, I didn't add the patch myself because I had no
time to test or document it.

It may have been added since then, but if so I've either missed
or forgotten it.

You're now showing evidence of demand for the feature, which
could possibly raise the motivation to get a round tuit.

--
Nick Kew




[us...@httpd] [Fwd: Application Period for Travel Assistance to ApacheCon US 2009 Opens Soon]

2009-07-22 Thread William A. Rowe, Jr.

For our communities' attention, this is a few days' heads-up before the
applications actually open...

 Original Message 
Subject: Application Period for Travel Assistance to ApacheCon US 2009 Opens Soon
Date: Wed, 22 Jul 2009 19:46:15 +1000
From: Gav... gmcdon...@apache.org

The Travel Assistance Committee is taking in applications for those wanting
to attend ApacheCon US 2009 (Oakland) which takes place between the 2nd and
6th November 2009.

The Travel Assistance Committee is looking for people who would like to be
able to attend ApacheCon US 2009 who may need some financial support in
order to get there. There are limited places available, and all applications
will be scored on their individual merit. Applications are open to all open
source developers who feel that their attendance would benefit themselves,
their project(s), the ASF and open source in general.

Financial assistance is available for flights, accommodation, subsistence
and Conference fees either in full or in part, depending on circumstances.
It is intended that all our ApacheCon events are covered, so it may be
prudent for those in Europe and/or Asia to wait until an event closer to
them comes up - you are all welcome to apply for ApacheCon US of course, but
there should be compelling reasons for you to attend an event further away
than your home location for your application to be considered above those
closer to the event location.

More information can be found on the main Apache website at
http://www.apache.org/travel/index.html - where you will also find a link to
the online application and details for submitting.

Applications for applying for travel assistance will open on 27th July 2009
and close on the 17th August 2009.

Good luck to all those that will apply.

Regards,

The Travel Assistance Committee








Re: [us...@httpd] Transparent Proxy Server Installation

2009-07-22 Thread Brian Kim
The big picture for my http proxy is to install it to ISP level.

It means users must not need to set up the proxy configuration

In that sense, I thought a reverse proxy seems to be the transparent proxy.

Is it right?

On Wed, Jul 22, 2009 at 1:20 PM, Nick Kewn...@webthing.com wrote:
 Brian Kim wrote:

 Hi. All. I am a beginner. So I really need somebody's help.

 I have asked a question about the transparent http apache server.

 Nobody answers it yet, so I ask it again and add what I have done until
 now.

 I haven't answered, because I'd need to look it up, and I haven't
 found time.

 Last I recollect, transparent proxying support isn't in mod_proxy.
 However, there's a simple patch somewhere in bugzilla.    As I
 recollect it, I didn't add the patch myself because I had no
 time to test or document it.

 It may have been added since then, but if so I've either missed
 or forgotten it.

 You're now showing evidence of demand for the feature, which
 could possibly raise the motivation to get a round tuit.

 --
 Nick Kew







[us...@httpd] httpd.config subroutine

2009-07-22 Thread Mike -- EMAIL IGNORED
I have several VirtualHost and numerous Directory
sections that have large sets of identical directives.
Is there a way to define a subroutine in httpd.config
that can be called in these sections?

Thanks for your help.
Mike.




Re: [us...@httpd] httpd.config subroutine

2009-07-22 Thread Peter Schober
* Mike -- EMAIL IGNORED m_d_berger_1...@yahoo.com [2009-07-22 20:02]:
 I have several VirtualHost and numerous Directory
 sections that have large sets of identical directives.
 Is there a way to define a subroutine in httpd.config
 that can be called in these sections?

There is http://httpd.apache.org/docs/2.2/en/mod/core.html#include
-peter



[us...@httpd] Re: httpd.config subroutine

2009-07-22 Thread Dan Poirier
You can Include the same file repeatedly:

http://httpd.apache.org/docs/2.2/mod/core.html#include

-- 
Dan Poirier poir...@pobox.com
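An added example of the Include approach both replies point at; it is not from Peter's or Dan's messages, and the snippet name, paths and hostnames are assumptions. The directives that were being copied into every section live in one file, and each VirtualHost and Directory pulls that file in. Include is processed at parse time, so the contents behave exactly as if they had been typed inside the section:

```apache
# --- file: conf/snippets/dir-hardening.conf (assumed name) ---
# The shared per-Directory block: no directory listings, no SSI or CGI,
# and no .htaccess overrides anywhere it is included.
Options -Indexes -Includes -ExecCGI
AllowOverride None
Order allow,deny
Allow from all

# --- file: httpd.conf ---
# Include takes a path relative to ServerRoot. Directives placed after the
# Include inside the same section override the shared ones for that host only.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /srv/www/example
    <Directory /srv/www/example>
        Include conf/snippets/dir-hardening.conf
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName intranet.example.com
    DocumentRoot /srv/www/intranet
    <Directory /srv/www/intranet>
        Include conf/snippets/dir-hardening.conf
        # Tighten further for this host: internal network only
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` after every edit, since a snippet with an unbalanced container section breaks each place it is included. If you Include a whole directory or a wildcard, use an explicit pattern such as `conf/snippets/*.conf`: the server reads every matching file, and a bare directory name also pulls in editor backup files like `dir-hardening.conf~`.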



Re: [us...@httpd] Transparent Proxy Server Installation

2009-07-22 Thread Bob Ionescu
2009/7/22 Brian Kim 09su.resea...@gmail.com:
 It means users must not need to set up the proxy configuration

 In that sense, I thought a reverse proxy seems to be the transparent proxy.

 Is it right?

IMHO yes. To get such a transparent proxy working with mod_proxy
you'll need to work around it with mod_rewrite, since mod_proxy does not
provide a directive like "take the Host header and proxy to that
server" (yet), as Nick mentioned.

RewriteEngine on
# using THE_REQUEST and NE to be safe from unescape/escape
# modifications (= unparsed_uri)
RewriteCond %{THE_REQUEST} ^[A-Z]{3,5}\ (/[^?\ ]*)
RewriteRule ^/ http://%{HTTP_HOST}%1 [NE,P]

Bob
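As written, that rule proxies to whatever the client puts in the Host header, so anyone who can reach the box on port 80 can use it to fetch arbitrary URLs, including ones on the proxy's own LAN; the mod_rewrite documentation for the [P] flag warns about exactly this. The following is an added example, not Bob's or Brian's configuration, that keeps the Host-driven rewrite but limits who may use it and where it may connect. The 192.168.0.0/16 user subnet behind eth2 and the Apache 2.2 access-control syntax are assumptions:

```apache
ProxyRequests Off          # forward-proxy mode stays off; [P] works without it
ProxyVia On                # mark forwarded requests with a Via header

# Only hosts on the user-side network (eth2) may have requests proxied.
# <Proxy *> covers every URL the server proxies to, including those
# generated by RewriteRule [P], because the proxied request still passes
# through mod_proxy's access control.
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/16
</Proxy>

RewriteEngine On
# Refuse a Host header naming loopback, link-local, private or IPv6-literal
# space, so the proxy cannot be pointed back at itself or at other
# machines on its internal interfaces.
RewriteCond %{HTTP_HOST} ^(localhost|0\.|127\.|169\.254\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|\[) [NC]
RewriteRule .* - [F]

# Only accept a Host header that looks like a plain hostname: no port,
# no userinfo, and not empty (an HTTP/1.0 client may send none at all).
RewriteCond %{HTTP_HOST} ^[A-Za-z0-9][A-Za-z0-9.-]*$
# Keep THE_REQUEST last: %1 refers to the most recently matched RewriteCond.
RewriteCond %{THE_REQUEST} ^[A-Z]{3,5}\ (/[^?\ ]*)
RewriteRule ^/ http://%{HTTP_HOST}%1 [NE,P]
```

The Host checks filter the literal header text only. A public hostname that resolves to an internal address still passes them, so the real boundary has to be on the proxy's outbound path as well, for example a packet filter on eth0 that drops traffic from the proxy to RFC 1918 ranges. The client restriction in `<Proxy *>` is the part that matters most at ISP scale: without it the interception box is an open proxy for the whole Internet.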



[us...@httpd] SOLVED Re: [us...@httpd] How do I follow the XHTML Content-Type recommendations?

2009-07-22 Thread Darxus
If a browser with a User-Agent containing MSIE requests a .html file,
change its Content-Type to text/html (because application/xhtml+xml works
in all other browsers):

RewriteEngine on
# Only for user agents that identify themselves as MSIE ...
RewriteCond %{HTTP_USER_AGENT} .*MSIE.*
# ... asking for a .html resource
RewriteCond %{REQUEST_URI} \.html$
# Leave the URL untouched (-) and only force the MIME type
RewriteRule .* - [T=text/html]

 - http://www.ibm.com/developerworks/xml/library/x-tipapachexhtml/index.html

Use Content-Type application/xml and XSLT to get IE to convert XHTML to
HTML and parse it:  http://www.w3.org/MarkUp/2004/xhtml-faq#ie

-- 
I would believe only in a God that knows how to Dance. - Nietzsche
http://www.ChaosReigns.com Guns save lives.



Re: [us...@httpd] 404's to robots.txt?

2009-07-22 Thread Evan Platt

At 06:03 PM 7/21/2009, you wrote:


More than 1 docroot / log %{Host}i ?


Ahh.. I believe that's it! Thank you and the others who suggested 
that, I believe that's it - I have a few subdomains I rarely use...


My current httpd.conf is:

LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

Is there a better format for that so instead of:

1.2.3.4 - - [22/Jul/2009:13:31:28 -0700] "GET /images/favicon.ico HTTP/1.1" 200 1150

I'd get

1.2.3.4 - - [22/Jul/2009:13:31:28 -0700] "GET www.mydomain.com/images/favicon.ico HTTP/1.1" 200 1150

I do have a few rarely used subdomains - but anything .mydomain.com 
goes to my apache.


Thanks. :) 
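On the log format question: %r always records the request line exactly as the client sent it, so the hostname cannot be folded into it, but the format can carry the virtual host as a separate field. An added example, not from Evan's httpd.conf; the log file name is an assumption:

```apache
# %v is the ServerName of the virtual host that handled the request. It is
# filled in by the server from its own configuration, so it is trustworthy.
# %p is the port the request arrived on.
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

# %{Host}i is the raw Host header the client sent. It shows what the client
# asked for, which %v does not when a request falls into the default vhost,
# but it is attacker-controlled text: keep it quoted and treat it as untrusted.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\"" combined_host

# One log for all virtual hosts, distinguishable by the %v:%p prefix.
CustomLog logs/access_log vhost_combined
```

With the first format the favicon line becomes `www.mydomain.com:80 1.2.3.4 - - [22/Jul/2009:13:31:28 -0700] "GET /images/favicon.ico HTTP/1.1" 200 1150 ...`, and a robots.txt 404 whose %v is a different subdomain points straight at the DocumentRoot that lacks the file. Requests whose Host header matches no ServerName or ServerAlias land in the first virtual host defined for that address and port; %v then reports that host's ServerName while %{Host}i still shows what the client asked for, which is why logging both is useful when tracking this kind of mismatch.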





Re: [us...@httpd] Transparent Proxy Server Installation

2009-07-22 Thread André Warnier

Brian Kim wrote:

The big picture for my http proxy is to install it to ISP level.

It means users must not need to set up the proxy configuration

In that sense, I thought a reverse proxy seems to be the transparent proxy.

Is it right?


Can you remind us exactly what you want to do? I am getting a bit 
lost here...

Like,
- where are the users ?
- where is (are) the webserver(s) they are trying to reach ?
- where should Apache figure in all that ?

I mean, if you really mean transparent, then you mean a router (maybe 
with NAT), and you do not need Apache for that.





Re: [us...@httpd] SOLVED Re: [us...@httpd] How do I follow the XHTML Content-Type recommendations?

2009-07-22 Thread André Warnier

dar...@chaosreigns.com wrote:
If a browser with a User-Agent containing MSIE 

there seems to be a contradiction in terms here..
;-)



[us...@httpd] Proxying SSL

2009-07-22 Thread John Oliver
I believe I need to proxy SSL.

I have one Apache server, with SSL, and am using ProxyPass to get
https://server1/app/ to proxy to https://server2/app/. server2 is set up
to use certificate details for authorization.

I found http://httpd.apache.org/docs/2.2/mod/mod_ssl.html  There are an
awful lot of SSLProxy* directives, and I'm not sure what all I need to
get this working.  I added SSLProxyEngine on and got errors like:

[Wed Jul 22 23:02:56 2009] [warn] Proxy client certificate callback:
(server1:443) downstream server wanted client certificate
but none are configured
[Wed Jul 22 23:02:56 2009] [error] (502)Unknown error 502: proxy: pass
request body failed to [2001:480:10:61:250:56ff:fe2f:f1c3]:443
(server2)

I'm not sure why it's trying to talk IPv6 to server2. I added a hosts
entry with the correct IPv4 address, just to eliminate that issue, but I
get the same error.

-- 
***
* John Oliver http://www.john-oliver.net/ *
* *
***
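The warning in that log is literal: server2 asked the proxy for a client certificate and none is configured on the proxy side, which is what SSLProxyMachineCertificateFile supplies; the 502 that follows is consistent with server2 dropping the connection when no certificate arrives. An added example, not John's configuration, of the SSLProxy* directives that cover this setup; the file paths and the CA are assumptions:

```apache
# TLS towards the backend (already present in the original setup).
SSLProxyEngine On

# SSLProxyVerify defaults to none, i.e. the proxy accepts any certificate
# server2 presents and the backend hop is open to interception. Require a
# chain to a CA we trust instead.
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile /etc/httpd/ssl/backend-ca.crt

# Certificate and key the proxy presents when server2 asks for a client
# certificate: one PEM file, certificate followed by its private key.
# mod_ssl requires the key in this file to be unencrypted, so protect it
# with file permissions (owned by root, mode 0600).
SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

ProxyPass        /app/ https://server2/app/
ProxyPassReverse /app/ https://server2/app/
```

One consequence to plan for: server2 now authenticates the proxy, not the end user. A user's TLS client certificate ends at server1 and is never seen by server2, so any per-user authorization keyed on certificate details on server2 applies to the proxy's identity for every forwarded request. Per-user decisions have to move to the proxy (SSLVerifyClient on server1, with the verified DN passed to server2 in a request header via RequestHeader and the SSL_CLIENT_S_DN variable), and server2 must then accept that header only from the proxy's address.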



Re: [us...@httpd] Transparent Proxy Server Installation

2009-07-22 Thread Brian Kim
Hi all.

The basic configuration is as follows

  (1)   (2)   (3)(4)
Users  switch  (eth2 -- eth0) -- WWW


Users located in (1) will access WWW via the http Apache server in (3).

For a non-transparent proxy, every user across the proxy has to set up
the proxy configuration by putting in the proxy IP address. Again, I just
want to make users access WWW without the setup.

In other words, the (3) proxy should be transparent.

For example, if I only needed a proxy for general usage (e.g. caching), I
may be able to use Squid software, not Apache. However, my intention for
the proxy is more than that.

Currently I am using mod_proxy_http where I put some code for looking
at each html data and modifying it if necessary. Of course, I have added
other functionality too.

Is this enough information to answer my question?

Thanks in advance.



On Wed, Jul 22, 2009 at 6:04 PM, André Warnier a...@ice-sa.com wrote:
 Brian Kim wrote:

 The big picture for my http proxy is to install it to ISP level.

 It means users must not need to set up the proxy configuration

 In that sense, I thought a reverse proxy seems to be the transparent
 proxy.

 Is it right?

 Can you remind us exactly what you want to do? I am getting a bit lost
 here...
 Like,
 - where are the users ?
 - where is (are) the webserver(s) they are trying to reach ?
 - where should Apache figure in all that ?

 I mean, if you really mean transparent, then you mean a router (maybe with
 NAT), and you do not need Apache for that.

