RE: [us...@httpd] 404's to robots.txt?
-Original Message- From: Evan Platt [mailto:e...@espphotography.com] Sent: Wednesday, July 22, 2009 1:56 AM To: users@httpd.apache.org Subject: [us...@httpd] 404's to robots.txt? So I've noticed quite a lot of connections from web spider programs. I've had a robots.txt (User-agent: * Disallow: /) For a long time. But looking closer in my apache logs, am I reading right that it's giving a 404? Yes. How many VHs do you have? If you have robots.txt in one VH but the request comes into another VH, then you will get a 404. Maybe put %{Host}i into the log format to see the Host header sent by the client.. Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. 65.55.106.173 - - [21/Jul/2009:09:44:43 -0700] GET /robots.txt HTTP/1.1 404 208 - msnbot/2.0b (+http://search.msn.com/msnbot.htm) 65.55.106.112 - - [21/Jul/2009:10:11:43 -0700] GET /robots.txt HTTP/1.1 404 208 - msnbot/2.0b (+http://search.msn.com/msnbot.htm) 65.55.106.166 - - [21/Jul/2009:11:03:35 -0700] GET /robots.txt HTTP/1.1 404 208 - msnbot/2.0b (+http://search.msn.com/msnbot.htm) 65.55.106.160 - - [21/Jul/2009:11:09:07 -0700] GET /robots.txt HTTP/1.1 200 28 - msnbot/2.0b (+http://search.msn.com/msnbot.htm) 65.55.106.180 - - [21/Jul/2009:11:35:34 -0700] GET /robots.txt HTTP/1.1 404 208 - msnbot/2.0b (+http://search.msn.com/msnbot.htm) Same day, no changes made: X.X.X.X - - [21/Jul/2009:16:47:44 -0700] GET /robots.txt HTTP/1.1 304 - - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.0.7, Ant.com Toolbar 1.3 (.NET CLR 3.5.30729) Z.Z.Z.Z- - [21/Jul/2009:16:49:10 -0700] GET /robots.txt HTTP/1.1 200 28 - Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.30 Safari/530.5 Two different IP's. One myne, one a friends. Any suggestions as to why (if I'm reading the log right) I'm handing out a 404 to it appears just web crawlers? # httpd -v Server version: Apache/2.2.3 Server built: Jun 16 2009 11:28:50 Don't know what other information is needed to help troubleshoot... Running on a os//x box. http://www.espphotography.com/robots.txt if you want to take a look... Thanks. :) Evan - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
RE: [us...@httpd] Remote .htaccess
-Original Message- From: Jos Chrispijn [mailto:apa...@webrz.net] Sent: Wednesday, July 22, 2009 1:31 AM To: users@httpd.apache.org Subject: [us...@httpd] Remote .htaccess Is it possible to use a .htaccess in a folder in which I define a htpasswd path that physically is located on a complete different server? Sure. As long as apache can follow the path, no problem. Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. PS: It's also asking for trouble from a performance/reliability perspective. I leave it as an exercise to the reader to work out why... Jos Chrispijn - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Apache processor usage
We've got a machine here showing high processor usage for the Apache process. Apache runs a few minor sites, but mainly it runs the SVN module for our SVN setup so I'm assuming it's that. However, is there a way in Apache that I can find out more about what module of Apache may be responsible ? Olly
Re: [us...@httpd] Auth and server-side auto-login
* Pascal S. Clermont pas...@clermont.cc [2009-07-21 21:53]: I want to secure some content from unauthorized access by using : AuthType Basic AuthName Authentication Required AuthUserFile /etc/secret/auth.users Require valid-user in one of my virtualhost's I would like to know if there is a possible way for apache to auto-login anyone coming from the 192.168.1 network to a specific user? This would be great if it required 0 client-side setup ( completely transparent ) and for the 192.168.2 network a login/pass would be asked to the user. http://httpd.apache.org/docs/2.2/en/mod/core.html#satisfy For example, if you wanted to let people on your network have unrestricted access to a portion of your website, but require that people outside of your network provide a password, you could use a configuration similar to the following: Require valid-user Order allow,deny Allow from 192.168.1 Satisfy Any cheers, -peter - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Low priced certificate?
* Mike -- EMAIL IGNORED m_d_berger_1...@yahoo.com [2009-07-22 01:46]: I am thinking of securing part of my low volume web site with SSL. I wend to some certificate authorities, and I was blown away by the prices. Are there that are both cheap and widely recognized? Jfyi: you might also try free and not widely recognized, http://cacert.org/ Or STFW for cheap SSL certs. But you won't get below 60-80USD for a year, I guess. -peter - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Auth and server-side auto-login
Peter Schober wrote: * Pascal S. Clermont pas...@clermont.cc [2009-07-21 21:53]: I want to secure some content from unauthorized access by using : AuthType Basic AuthName Authentication Required AuthUserFile /etc/secret/auth.users Require valid-user in one of my virtualhost's I would like to know if there is a possible way for apache to auto-login anyone coming from the 192.168.1 network to a specific user? This would be great if it required 0 client-side setup ( completely transparent ) and for the 192.168.2 network a login/pass would be asked to the user. http://httpd.apache.org/docs/2.2/en/mod/core.html#satisfy For example, if you wanted to let people on your network have unrestricted access to a portion of your website, but require that people outside of your network provide a password, you could use a configuration similar to the following: Require valid-user Order allow,deny Allow from 192.168.1 Satisfy Any I don't think that this is exactly what the OP wanted. With the configuration above, requests from 192.168.1.* will get through, but unauthenticated. What the OP seemed to want, is that these requests /would/ be authenticated automatically as from user LOCAL-GUY e.g. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Low priced certificate?
Peter Schober wrote: * Mike -- EMAIL IGNORED m_d_berger_1...@yahoo.com [2009-07-22 01:46]: I am thinking of securing part of my low volume web site with SSL. I wend to some certificate authorities, and I was blown away by the prices. Are there that are both cheap and widely recognized? Jfyi: you might also try free and not widely recognized, http://cacert.org/ Or STFW for cheap SSL certs. But you won't get below 60-80USD for a year, I guess. Just by personal curiosity, what are the normal price ranges for HTTP host certificates ? - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Auth and server-side auto-login
* André Warnier a...@ice-sa.com [2009-07-22 13:29]: Require valid-user Order allow,deny Allow from 192.168.1 Satisfy Any I don't think that this is exactly what the OP wanted. Then maybe Jim Fox's mod_auth_location will do? http://staff.washington.edu/fox/authlocation/ -peter - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Low priced certificate?
* Peter Schober peter.scho...@univie.ac.at [2009-07-22 12:29]: Or STFW for cheap SSL certs. But you won't get below 60-80USD for a year, I guess. FWIW, I think GoDaddy's TurboSSL seems to be as cheap as it gets (27USD per year, starting with 2 years). Don't know anything about their services or browser compatibility though. -peter - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Virtual Hosts and mod_cache
Hello all. How can I set mod_cache to works in different ways in my different Virtual Hosts? I just put the IfModule directive and the options inside the VirtualHost or I must make a default config for all of them? Att. Fábio Jr. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Re: Low priced certificate?
Peter Schober wrote: * Mike -- EMAIL IGNORED m_d_berger_1...@yahoo.com [2009-07-22 01:46]: I am thinking of securing part of my low volume web site with SSL. I wend to some certificate authorities, and I was blown away by the prices. Are there that are both cheap and widely recognized? Jfyi: you might also try free and not widely recognized, http://cacert.org/ Won't certificates signed by them be only useful for internally-deployed apps? They're not a trusted root on Windows so random browsers on the web will just get an UNTRUSTED SITE! Get me out of here! message. Cheers, Nicholas Sherlock - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Re: Virtual Hosts and mod_cache
Fábio Jr. fjuniorli...@gmail.com writes: Hello all. How can I set mod_cache to works in different ways in my different Virtual Hosts? I just put the IfModule directive and the options The same as most anything in an Apache config. See http://httpd.apache.org/docs/2.2/sections.html -- Dan Poirier poir...@pobox.com - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Auth and server-side auto-login
Peter Schober wrote: * André Warnier a...@ice-sa.com [2009-07-22 13:29]: Require valid-user Order allow,deny Allow from 192.168.1 Satisfy Any I don't think that this is exactly what the OP wanted. Then maybe Jim Fox's mod_auth_location will do? http://staff.washington.edu/fox/authlocation/ Yes. That looks very close. Thanks for the link, I did not know this module, and it looks interesting. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
RE: [us...@httpd] Re: Low priced certificate?
-Original Message- From: news [mailto:n...@ger.gmane.org] On Behalf Of Nicholas Sherlock Jfyi: you might also try free and not widely recognized, http://cacert.org/ Won't certificates signed by them be only useful for internally-deployed apps? They're not a trusted root on Windows so random browsers on the web will just get an UNTRUSTED SITE! Get me out of here! message. Hopefully... It's worth remembering what a certificate is for; it is a document, undersigned by a third-party, that confirms that you are who you say you are. The third-party certificate signing authority is putting their reputation on the line and has a moral (even a legal) obligation to be certain you are bona fide. A certificate is not some random obstacle that makes SSL websites pesky to set up - it is an essential security feature that protects web-users from fraud. So, of course it should cost you (as e-commerce operator) money and effort. Trying to get a cheap cert for your site is like a bus company getting cheap tyres for their buses... Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. Cheers, Nicholas Sherlock - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Low priced certificate?
Boyle Owen wrote: ... It's worth remembering what a certificate is for; it is a document, undersigned by a third-party, that confirms that you are who you say you are. The third-party certificate signing authority is putting their reputation on the line and has a moral (even a legal) obligation to be certain you are bona fide. A certificate is not some random obstacle that makes SSL websites pesky to set up - it is an essential security feature that protects web-users from fraud. So, of course it should cost you (as e-commerce operator) money and effort. Trying to get a cheap cert for your site is like a bus company getting cheap tyres for their buses... While not contradicting the essence of the above, I would like to know something for my own edification, if some expert could comment. We are a services company, and provide websites to select customers, for their own usage. We know these customers, they know us, and there are not thousands of them (merely hundreds). We store information in these websites for those customers. Sometimes this information is relatively private, for the customer. (It is not however of the top secret - defense variety, nor banking etc...) We would like to offer to our customers, the possibility of connecting to their websites using HTTPS instead of HTTP. This is merely so that it would be harder for foreign people to easily intercept the data being exchanged between the webserver and the browsers of our customers. It is my understanding that we could set up our own certificate authority (CA) and create our own server certificates. A customer browser, upon the first connection, would pop up some message indicating that it cannot verify this certificate, and offering maybe to authorise our own CA as a valid one. Once they did this, the popup would not happen again, and their communications with the website would be encrypted (which is the main point of the exercise). I understand that, in case their DNS system is compromised, they could land onto another website pretending to be ours, and thus accept this other website certificate and CA. But I consider this possibility as relatively unlikely, and easily detected by the customers themselves once they proceed. (*) Is anything wrong with the above thinking ? Thanks for comments. (*) because each customer application is specific, and in order to fool a customer, the miscreant would haver to duplicate this application, the data etc.. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Auth and server-side auto-login
André Warnier wrote: Peter Schober wrote: * André Warnier a...@ice-sa.com [2009-07-22 13:29]: Require valid-user Order allow,deny Allow from 192.168.1 Satisfy Any I don't think that this is exactly what the OP wanted. Then maybe Jim Fox's mod_auth_location will do? http://staff.washington.edu/fox/authlocation/ Yes. That looks very close. Thanks for the link, I did not know this module, and it looks interesting. A conjunction of network based auth + SetEnvIf Remote_Addr ^192\.168\.1\.\d{1,3}$ REMOTE_USER=LOCAL_IP might be suitable for my current needs. I will look into mod_auth_location. Thanks for all the insight, Pascal - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
RE: [us...@httpd] Re: Low priced certificate?
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Wednesday, July 22, 2009 3:09 PM To: users@httpd.apache.org Subject: Re: [us...@httpd] Re: Low priced certificate? We are a services company, and provide websites to select customers, for their own usage. We know these customers, they know us, and there are not thousands of them (merely hundreds). We store information in these websites for those customers. Sometimes this information is relatively private, for the customer. (It is not however of the top secret - defense variety, nor banking etc...) We would like to offer to our customers, the possibility of connecting to their websites using HTTPS instead of HTTP. This is merely so that it would be harder for foreign people to easily intercept the data being exchanged between the webserver and the browsers of our customers. If you have a private application (in the sense that server-owner and clients already know each other and only want to encrypt traffic), then of course you can use a self-signed cert. In this case you are getting encryption (protection from eavesdropping) but no authentication (which you don't care about because you already know each other). The cause of much of the confusion is the fact that SSL certs provide *two* functions; they contain a key that allows you to set up an encrypted channel, but they also contain a document that attests the ownership of the domain. This second feature is essential in an e-commerce environment where the server and client are not known to each other a priori. If you were a shopkeeper and wanted to send your takings off to the bank, you might request the bank to send round a security van. When the van arrives, would you check the driver's credentials? Obviously you should in case some crooks were tapping your phone line and had turned up first in a stolen van with fake uniforms. If you don't check the credentials, your money will be safe in transit, but might not actually be going to the bank :-) Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. It is my understanding that we could set up our own certificate authority (CA) and create our own server certificates. A customer browser, upon the first connection, would pop up some message indicating that it cannot verify this certificate, and offering maybe to authorise our own CA as a valid one. Once they did this, the popup would not happen again, and their communications with the website would be encrypted (which is the main point of the exercise). I understand that, in case their DNS system is compromised, they could land onto another website pretending to be ours, and thus accept this other website certificate and CA. But I consider this possibility as relatively unlikely, and easily detected by the customers themselves once they proceed. (*) Is anything wrong with the above thinking ? Thanks for comments. (*) because each customer application is specific, and in order to fool a customer, the miscreant would haver to duplicate this application, the data etc.. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] [OT] [us...@httpd] Re: Low priced certificate?
* Boyle Owen owen.bo...@six-group.com [2009-07-22 14:43]: -Original Message- From: news [mailto:n...@ger.gmane.org] On Behalf Of Nicholas Sherlock Jfyi: you might also try free and not widely recognized, http://cacert.org/ Won't certificates signed by them be only useful for internally-deployed apps? They're not a trusted root on Windows so random browsers on the web will just get an UNTRUSTED SITE! Get me out of here! message. You certainly can use any CA you want for anything you want. For internal deployments you might as well skip SSL or roll your own CA or whatever. Either way, people have found cacert to be useful for their requirements. It's worth remembering what a certificate is for; it is a document, undersigned by a third-party, that confirms that you are who you say you are. The third-party certificate signing authority is putting their reputation on the line and has a moral (even a legal) obligation to be certain you are bona fide. In contrast to the checks most commercial offerings provide cacert actually does verify who you are, via a web of trust (cf. pgp web of trust), rules and documented procedures (afaik not RFC 3647-style, but still). A bit dated, but I'm sure you can find more recent similar exploits: http://www.cert.org/advisories/CA-2001-04.html This problem is the result of a failure by the certificate authority to correctly authenticate the recipient of a certificate. Verisign has taken the appropriate action by revoking the certificates in question. However, this in itself is insufficient to prevent the malicious use of these certificates until a patch has been installed, because Internet Explorer does not check for such revocations automatically. Indeed, because the Certificates issued by Verisign do not contain any information regarding where to check for a revocation, Internet Explorer, or any browser, is unable to check for revocations of these certificates. Only recently the commercial offerings started offering the checks they should always have done in the first place. But now with a special price tag for extended validation certs... But of course cacert only works where people import their root ca (and/or intermediate ca) themselfs or have this some by someone. At least until cacert manages to be included in webbrowser and/or OS distribtions. Also their policy states what kind of transactions you may or may not rely on using their certs. All this for a simple jfyi... Trying to get a cheap cert for your site is like a bus company getting cheap tyres for their buses... Only that all bits are created equal (tyres are not, I suppose). At least as long as MD5 is not used for the certs anymore[1] :) The difference is in the checks performed by the CAs prior to issuing any certificates, not the resulting artefact (cert, tyre). -peter [1] http://www.phreedom.org/research/rogue-ca/ - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Auth and server-side auto-login
Pascal S. Clermont wrote: A conjunction of network based auth + SetEnvIf Remote_Addr ^192\.168\.1\.\d{1,3}$ REMOTE_USER=LOCAL_IP might be suitable for my current needs. That looks like a re-invention of Satisfy Any. If you are re-inventing a wheel, kudos for NOT doing the usual thing and hacking it with mod_rewrite! But I could be missing something from earlier in the thread :) -- Nick Kew - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Low priced certificate?
It sounds to me like you are hosting their sites... meaning you have virtual hosts, etc.? If I go to my bank and open a checking account... fine... it's free. However, if I want a safe deposit box, I'll have to pay... unless... maybe if I keep X amount of money deposit accounts with the bank... Then why not just pass the cost of obtaining legitimate certs onto those customers, unless they're a big money customer... then what do you care the cost? Wouldn't that solve all of your problems? André Warnier wrote: Boyle Owen wrote: ... It's worth remembering what a certificate is for; it is a document, undersigned by a third-party, that confirms that you are who you say you are. The third-party certificate signing authority is putting their reputation on the line and has a moral (even a legal) obligation to be certain you are bona fide. A certificate is not some random obstacle that makes SSL websites pesky to set up - it is an essential security feature that protects web-users from fraud. So, of course it should cost you (as e-commerce operator) money and effort. Trying to get a cheap cert for your site is like a bus company getting cheap tyres for their buses... While not contradicting the essence of the above, I would like to know something for my own edification, if some expert could comment. We are a services company, and provide websites to select customers, for their own usage. We know these customers, they know us, and there are not thousands of them (merely hundreds). We store information in these websites for those customers. Sometimes this information is relatively private, for the customer. (It is not however of the top secret - defense variety, nor banking etc...) We would like to offer to our customers, the possibility of connecting to their websites using HTTPS instead of HTTP. This is merely so that it would be harder for foreign people to easily intercept the data being exchanged between the webserver and the browsers of our customers. It is my understanding that we could set up our own certificate authority (CA) and create our own server certificates. A customer browser, upon the first connection, would pop up some message indicating that it cannot verify this certificate, and offering maybe to authorise our own CA as a valid one. Once they did this, the popup would not happen again, and their communications with the website would be encrypted (which is the main point of the exercise). I understand that, in case their DNS system is compromised, they could land onto another website pretending to be ours, and thus accept this other website certificate and CA. But I consider this possibility as relatively unlikely, and easily detected by the customers themselves once they proceed. (*) Is anything wrong with the above thinking ? Thanks for comments. (*) because each customer application is specific, and in order to fool a customer, the miscreant would haver to duplicate this application, the data etc.. - The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org _ Windows Live™ SkyDrive™: Store, access, and share your photos. See how. http://windowslive.com/Online/SkyDrive?ocid=TXT_TAGLM_WL_CS_SD_photos_072009
Re: [us...@httpd] Auth and server-side auto-login
* Nick Kew n...@webthing.com [2009-07-22 15:41]: Pascal S. Clermont wrote: A conjunction of network based auth + SetEnvIf Remote_Addr ^192\.168\.1\.\d{1,3}$ REMOTE_USER=LOCAL_IP might be suitable for my current needs. That looks like a re-invention of Satisfy Any. If you are re-inventing a wheel, kudos for NOT doing the usual thing and hacking it with mod_rewrite! But I could be missing something from earlier in the thread :) Besides a recommendation to use satisfy any: question was whether it's important to have some identifier in REMOTE_USER (speaking CGI-ly). If you can't modify the application (to use REMOTE_ADDR unless REMOTE_USER was set) doing this mapping in the webserver might help. -peter - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Auth and server-side auto-login
Nick Kew wrote: Pascal S. Clermont wrote: A conjunction of network based auth + SetEnvIf Remote_Addr ^192\.168\.1\.\d{1,3}$ REMOTE_USER=LOCAL_IP might be suitable for my current needs. That looks like a re-invention of Satisfy Any. If you are re-inventing a wheel, kudos for NOT doing the usual thing and hacking it with mod_rewrite! But I could be missing something from earlier in the thread :) Ah, we got an expert on the line ! Rephrasing the original question : - an Apache application of which we do not have the source code and cannot thus modify, requires an Apache authenticated user-id - however, for the select group of users accessing the application from the network 192.168.1.0, we want to save them the bother of logging in, and automatically attribute them the user-id of internal. Question : is there any combination of standard Apache directives/modules which can achieve that ? - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Auth and server-side auto-login
André Warnier wrote: Nick Kew wrote: Pascal S. Clermont wrote: A conjunction of network based auth + SetEnvIf Remote_Addr ^192\.168\.1\.\d{1,3}$ REMOTE_USER=LOCAL_IP might be suitable for my current needs. That looks like a re-invention of Satisfy Any. If you are re-inventing a wheel, kudos for NOT doing the usual thing and hacking it with mod_rewrite! But I could be missing something from earlier in the thread :) Ah, we got an expert on the line ! Rephrasing the original question : - an Apache application of which we do not have the source code and cannot thus modify, requires an Apache authenticated user-id - however, for the select group of users accessing the application from the network 192.168.1.0, we want to save them the bother of logging in, and automatically attribute them the user-id of internal. Question : is there any combination of standard Apache directives/modules which can achieve that ? .. and to explicit the question even more : Deep down in Apache's request record for the current request, there is a field which contains the authenticated user-id for this request, thus available to any other Apache module (not only to cgi scripts). I have a doubt that merely setting the Apache variable REMOTE_USER would auto-magically set this field. But maybe I'm wrong. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Auth and server-side auto-login
André Warnier wrote: .. and to explicit the question even more : Deep down in Apache's request record for the current request, there is a field which contains the authenticated user-id for this request, thus available to any other Apache module (not only to cgi scripts). I have a doubt that merely setting the Apache variable REMOTE_USER would auto-magically set this field. That's r-user, which is presented to CGI (and things that adopt or embrace and extend CGI) as REMOTE_USER. Most applications (except authz modules) use REMOTE_USER, so won't need r-user. Is your application implemented a a module or modules, or is it external to the server? -- Nick Kew - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] ldap: Removing controls in sublocations
Hi! After digging hard through docs and other resources it still remains unclear to me how to relax access restrictions in sublocations. From http://httpd.apache.org/docs/2.2/en/mod/core.html#require I learned how to do this for directories, but after some tries I get the impression this works only in the way shown: Directory /path/to/protected/ Require user david /Directory Directory /path/to/protected/unprotected # All access controls and authentication are disabled # in this directory Satisfy Any Allow from all /Directory What I want is the reverse thing *and* the usage of Location: Something along the lines Location /svn # ... LDAP via AD stuff cut off ... Order deny,allow Deny from all /Location Location /svn/SOME_REPO Satisfy Any Require ldap-attribute distinguishedName=WHATEVER /Location This kind of thing did not work for me. Am I missing something? (I am using Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i SVN/1.6.1 PHP/5.2.9) __ Verschicken Sie SMS direkt vom Postfach aus - in alle deutschen und viele ausländische Netze zum gleichen Preis! https://produkte.web.de/webde_sms/sms - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Low priced certificate?
On Wed, Jul 22, 2009 at 02:43:10PM +0200, Boyle Owen wrote: It's worth remembering what a certificate is for; it is a document, undersigned by a third-party, that confirms that you are who you say you are. The third-party certificate signing authority is putting their reputation on the line and has a moral (even a legal) obligation to be certain you are bona fide. Hear, hear. It's about time there was some general awareness of what a certificate *means*. A certificate is not some random obstacle that makes SSL websites pesky to set up - it is an essential security feature that protects web-users from fraud. So, of course it should cost you (as e-commerce operator) money and effort. I want to second this, with a caveat. I don't see that a certificate should cost any particular sum. I do see that one reason for a good-quality certificate to cost so much is that it costs the issuer nearly that much to investigate your claim of identity. Some certificates don't cost very much because the assurance they actually represent is not worth very much. And a few of your customers *do* read cert. issuers' Certification Practice Statements. That said, the most expensive gold-plated cert. you can buy may not be worth much more, in your application, than one you could get for half as much. If it were my business I'd go for the midrange with a company I already know something about. You might want to talk to your lawyer about your duty of care in protecting your customers' transactions, too. He may have specific advice on what you need to look for to get a reasonable balance between cost and protection. -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Friends don't let friends publish revisable-form documents. pgpUjqpUKhvmB.pgp Description: PGP signature
Re: [us...@httpd] Re: Low priced certificate?
On Wed, Jul 22, 2009 at 03:09:25PM +0200, André Warnier wrote: While not contradicting the essence of the above, I would like to know something for my own edification, if some expert could comment. I don't think of myself as an expert, but I'm free with my opinions. :-) [a desire to secure communication among a small, select group using SSL] It is my understanding that we could set up our own certificate authority (CA) and create our own server certificates. A customer browser, upon the first connection, would pop up some message indicating that it cannot verify this certificate, and offering maybe to authorise our own CA as a valid one. Once they did this, the popup would not happen again, and their communications with the website would be encrypted (which is the main point of the exercise). I understand that, in case their DNS system is compromised, they could land onto another website pretending to be ours, and thus accept this other website certificate and CA. But I consider this possibility as relatively unlikely, and easily detected by the customers themselves once they proceed. (*) Is anything wrong with the above thinking ? I don't think there's anything wrong, since your judgment of your risk is your own to make, but I do want to suggest that you might consider delivering your CA certificate in advance by other means. A CA certificate, in isolation, is an *unsubstantiated*, *untestable* assertion of identity and authority. It should be delivered either directly from the CA to the trusting party, or via a mutually trusted third party. (If you have a site which is secured by a commercial certificate that your partners can verify, that might qualify as a trusted mechanism.) I dislike the idea of training people to accept identity proofs from sources that could turn out to be random strangers, or to bypass warnings. Unlikely though such an attack may be, such training sets people up to think in ways that tend to compromise security. It should be the norm to expect a verifiable exchange when agreeing to trust. I do think it is quite sensible to set up a private CA for the purpose you describe, and to rely on its certificates for privacy. I only think that the distribution of the CA's own certificate should be done very carefully, since it is the key to the whole security infrastructure that you want to build. -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Friends don't let friends publish revisable-form documents. pgpCWe7rBybl8.pgp Description: PGP signature
Re: [us...@httpd] Re: Low priced certificate?
That said, the most expensive gold-plated cert. you can buy may not be worth much more, in your application, than one you could get for half as much. This is absolutely correct...except that some may appreciate the fact that you're using the gold-plated cert. That is, it sounds much better to say someone is protected by the Secret Service than Jim's Armed Guards, even though all of Jim's employees may indeed be ex-Secret Service. In the cert world, your customers would likely rather see that your certs are signed by Verisign than by pimpmycert.com Mark H. Wood wrote: On Wed, Jul 22, 2009 at 02:43:10PM +0200, Boyle Owen wrote: It's worth remembering what a certificate is for; it is a document, undersigned by a third-party, that confirms that you are who you say you are. The third-party certificate signing authority is putting their reputation on the line and has a moral (even a legal) obligation to be certain you are bona fide. Hear, hear. It's about time there was some general awareness of what a certificate *means*. A certificate is not some random obstacle that makes SSL websites pesky to set up - it is an essential security feature that protects web-users from fraud. So, of course it should cost you (as e-commerce operator) money and effort. I want to second this, with a caveat. I don't see that a certificate should cost any particular sum. I do see that one reason for a good-quality certificate to cost so much is that it costs the issuer nearly that much to investigate your claim of identity. Some certificates don't cost very much because the assurance they actually represent is not worth very much. And a few of your customers *do* read cert. issuers' Certification Practice Statements. That said, the most expensive gold-plated cert. you can buy may not be worth much more, in your application, than one you could get for half as much. If it were my business I'd go for the midrange with a company I already know something about. You might want to talk to your lawyer about your duty of care in protecting your customers' transactions, too. He may have specific advice on what you need to look for to get a reasonable balance between cost and protection. _ Windows Live™ Hotmail®: Celebrate the moment with your favorite sports pics. Check it out. http://www.windowslive.com/Online/Hotmail/Campaign/QuickAdd?ocid=TXT_TAGLM_WL_QA_HM_sports_photos_072009cat=sports
Re: [us...@httpd] Re: Low priced certificate?
On Jul 22, 2009, at 11:40 AM, Mark H. Wood wrote: On Wed, Jul 22, 2009 at 03:09:25PM +0200, André Warnier wrote: While not contradicting the essence of the above, I would like to know something for my own edification, if some expert could comment. I don't think of myself as an expert, but I'm free with my opinions. :-) [a desire to secure communication among a small, select group using SSL] It is my understanding that we could set up our own certificate authority (CA) and create our own server certificates. A customer browser, upon the first connection, would pop up some message indicating that it cannot verify this certificate, and offering maybe to authorise our own CA as a valid one. Once they did this, the popup would not happen again, and their communications with the website would be encrypted (which is the main point of the exercise). I understand that, in case their DNS system is compromised, they could land onto another website pretending to be ours, and thus accept this other website certificate and CA. But I consider this possibility as relatively unlikely, and easily detected by the customers themselves once they proceed. (*) Is anything wrong with the above thinking ? I don't think there's anything wrong, since your judgment of your risk is your own to make, but I do want to suggest that you might consider delivering your CA certificate in advance by other means. A CA certificate, in isolation, is an *unsubstantiated*, *untestable* assertion of identity and authority. A good CA is similar to good wine. It is getting better with age. One of the oldest unsubstantiated and untestable assertion of identity and authority was announced by Jesus about 2000 years ago: I am who I am ..and with time about 2 billion people know it :) It should be delivered either directly from the CA to the trusting party, or via a mutually trusted third party. (If you have a site which is secured by a commercial certificate that your partners can verify, that might qualify as a trusted mechanism.) I dislike the idea of training people to accept identity proofs from sources that could turn out to be random strangers, or to bypass warnings. Unlikely though such an attack may be, such training sets people up to think in ways that tend to compromise security. It should be the norm to expect a verifiable exchange when agreeing to trust. I do think it is quite sensible to set up a private CA for the purpose you describe, and to rely on its certificates for privacy. I only think that the distribution of the CA's own certificate should be done very carefully, since it is the key to the whole security infrastructure that you want to build. -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Friends don't let friends publish revisable-form documents. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Low priced certificate?
* Joseph Morgan josephmmor...@hotmail.com [2009-07-22 17:47]: In the cert world, your customers would likely rather see that your certs are signed by Verisign than by pimpmycert.com As if they could tell the difference. If both root CAs are in the browser's root chain, why shouldn't they trust a certificate signed by pimpmycert.com as well? If the only competitive edge your business has is the brand recognition of the CA that signed your webserves public key you're in trouble. @André: By all means get a commercial cert with decent browser coverage and be done with it. The money spent (see previous mails) is nothing compared to getting hundreds of customers to accept your homegrown CA (and manage that in the future, as well), -peter - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Re: Low priced certificate?
André Warnier wrote: It is my understanding that we could set up our own certificate authority (CA) and create our own server certificates. A customer browser, upon the first connection, would pop up some message indicating that it cannot verify this certificate, and offering maybe to authorise our own CA as a valid one. Once they did this, the popup would not happen again, and their communications with the website would be encrypted (which is the main point of the exercise). An attacker can use precisely the same mechanism to serve their own certificate. Your website will have carefully trained the user in advance to ignore all security warnings and accept the rogue certificate. What a waste of time. The only thing you're protecting against is a passive attacker. Cheers, Nicholas Sherlock - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Falling off the end of a directory listing
I've spent the last hour Googling this, without success... Problem: is there some way to allow a directory listing which includes a 'parent' link, but *only* up to a specified top level? In more detail, I have a site which is rooted at /var/www/html/foo. There are some download files, which I've placed in a directory structure at /var/www/html/foo/downloads. The user can reach the download directory at http://www.bar.com/downloads. There is quite a complex directory structure at 'downloads', so I've enabled directory listing. The problem is that the user can navigate up through the parent links all the way up to /var/www/html/foo, at which point they get a canned version of the main site in the download window. This doesn't really matter if the user entered the downloads URL directly in a full-sized browser window; they just see the website. However, the normal way to get to the downloads is via a link on the site, which opens a small pop-up window. If they navigate up too far in this pop-up then they just see a mess. Ideally, the 'parent' link should disappear when the user reaches /var/www/html/foo/downloads. Any ideas? Thanks - Paul - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Low priced certificate?
Mike -- EMAIL IGNORED wrote: I am thinking of securing part of my low volume web site with SSL. I wend to some certificate authorities, and I was blown away by the prices. Are there that are both cheap and widely recognized? Thanks for your help. Mike. So, all this education/lecturing on certificates, but very little that is in reply to the OP's question. ;-) I use geotrust quite a bit, but have a project where I could use the same information that the OP posed. ...currently looking into: RapidSSL register.com GoDaddy DigiCert comodo.com www.instantssl.com and now: cacert.org I only have a little experience with comodo and there were a few hiccups along the way (transfering/renewing). The rest I know little to nothing about, so would appreciate any feedback. Donovan -- =o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o D. BROOKE EUCA Design Center WebDNA Software Corp. WEB: http://www.euca.us | http://www.webdna.us =o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o WebDNA: [** Square Bracket Utopia **] - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Low priced certificate?
Nicholas Sherlock wrote: An attacker can use precisely the same mechanism to serve their own certificate. Your website will have carefully trained the user in advance to ignore all security warnings and accept the rogue certificate. What a waste of time. The only thing you're protecting against is a passive attacker. Verified by Visa is blazing the trail in training users to give their credentials to any tom, dick and harry who asks for them under the right-looking banner. Who can compete with that? -- Nick Kew - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Transparent Proxy Server Installation
Hi. As Andre mentioned, the browser needs a configuration for proxy. However, the transparent proxy allows users to access WWW without any configuration. In fact, I am suing Forward Proxy now and the reverse proxy seems to be the proxy that I meant. Am I right? Can anybody make it sure? On Tue, Jul 21, 2009 at 6:24 PM, André Warniera...@ice-sa.com wrote: Brian Kim wrote: ... I don't know about transparent proxy, but I think what you are talking about is a forward proxy. Have you read this on-line Apache documentation ? http://httpd.apache.org/docs/2.2/mod/mod_proxy.html and in particular the section : Forward Proxies and Reverse Proxies/Gateways ? You don't need to play with IPTables for this, at least not between your internal client stations and the Apache forward proxy server. But your client workstations browsers need to be configured to use the Apache server as a HTTP proxy. Note that if this Apache server is directly connected to the internet, you must protect this forward proxy function, so that it will be *only* available to your internal clients. Otherwise anyone could use your proxy to access other sites, and these accesses would be traced back to you. Read the above documentation carefully. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Transparent Proxy Server Installation
Brian Kim wrote: Hi. All. I am a beginner. So I really need somebody's help. I have asked a question about the transparent http apache server. Nobody answers it yet, so I ask it again and add what I have done until now. I haven't answered, because I'd need to look it up, and I haven't found time. Last I recollect, transparent proxying support isn't in mod_proxy. However, there's a simple patch somewhere in bugzilla.As I recollect it, I didn't add the patch myself because I had no time to test or document it. It may have been added since then, but if so I've either missed or forgotten it. You're now showing evidence of demand for the feature, which could possibly raise the motivation to get a round tuit. -- Nick Kew - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] [Fwd: Application Period for Travel Assistance to ApacheCon US 2009 Opens Soon]
For our communities' attention, this is a few day's heads up before the applications actually open... Original Message Subject: Application Period for Travel Assistance to ApacheCon US 2009 Opens Soon Date: Wed, 22 Jul 2009 19:46:15 +1000 From: Gav... gmcdon...@apache.org The Travel Assistance Committee is taking in applications for those wanting to attend ApacheCon US 2009 (Oakland) which takes place between the 2nd and 6th November 2009. The Travel Assistance Committee is looking for people who would like to be able to attend ApacheCon US 2009 who may need some financial support in order to get there. There are limited places available, and all applications will be scored on their individual merit. Applications are open to all open source developers who feel that their attendance would benefit themselves, their project(s), the ASF and open source in general. Financial assistance is available for flights, accommodation, subsistence and Conference fees either in full or in part, depending on circumstances. It is intended that all our ApacheCon events are covered, so it may be prudent for those in Europe and/or Asia to wait until an event closer to them comes up - you are all welcome to apply for ApacheCon US of course, but there should be compelling reasons for you to attend an event further away that your home location for your application to be considered above those closer to the event location. More information can be found on the main Apache website at http://www.apache.org/travel/index.html - where you will also find a link to the online application and details for submitting. Applications for applying for travel assistance will open on 27th July 2009 and close of the 17th August 2009. Good luck to all those that will apply. Regards, The Travel Assistance Committee - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Transparent Proxy Server Installation
The big picture for my http proxy is to install it to ISP level. It means users must not need to set up the proxy configuration In that sense, I thought a reverse proxy seems to be the transparent proxy. Is it right? On Wed, Jul 22, 2009 at 1:20 PM, Nick Kewn...@webthing.com wrote: Brian Kim wrote: Hi. All. I am a beginner. So I really need somebody's help. I have asked a question about the transparent http apache server. Nobody answers it yet, so I ask it again and add what I have done until now. I haven't answered, because I'd need to look it up, and I haven't found time. Last I recollect, transparent proxying support isn't in mod_proxy. However, there's a simple patch somewhere in bugzilla. As I recollect it, I didn't add the patch myself because I had no time to test or document it. It may have been added since then, but if so I've either missed or forgotten it. You're now showing evidence of demand for the feature, which could possibly raise the motivation to get a round tuit. -- Nick Kew - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] httpd.config subroutine
I have several VirtualHost and numerous Directory sections that have large sets of identical directives. If there a way to define a subroutine in httpd.config that can be called in these sections? Thanks for your help. Mike. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] httpd.config subroutine
* Mike -- EMAIL IGNORED m_d_berger_1...@yahoo.com [2009-07-22 20:02]: I have several VirtualHost and numerous Directory sections that have large sets of identical directives. If there a way to define a subroutine in httpd.config that can be called in these sections? There is http://httpd.apache.org/docs/2.2/en/mod/core.html#include -peter - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Re: httpd.config subroutine
You can Include the same file repeatedly: http://httpd.apache.org/docs/2.2/mod/core.html#include -- Dan Poirier poir...@pobox.com - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Transparent Proxy Server Installation
2009/7/22 Brian Kim 09su.resea...@gmail.com: It means users must not need to set up the proxy configuration In that sense, I thought a reverse proxy seems to be the transparent proxy. Is it right? IMHO yes. To get such a transparent proxy working with mod_proxy you'll need to work-around with mod_rewrite since mod_proxy does not provide a directive like take the host header and proxy to that server (yet) as Nick mentioned. RewriteEngine on # using the_request and NE to be safe from unescape/escape modifications (=unparsed_uri) RewriteCond %{THE_REQUEST} ^[A-Z]{3,5}\ (/[^?\ ]*) RewriteRule ^/ http://%{HTTP_HOST}%1 [NE,P] Bob - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] SOLVED Re: [us...@httpd] How do I follow the XHTML Content-Type recommendations?
If a browser with a User-Agent containing MSIE requests a .html file, change its Content-Type to text/html (because application/xhtml+xml works in all other browsers): RewriteEngine on RewriteCond %{HTTP_USER_AGENT} .*MSIE.* RewriteCond %{REQUEST_URI} \.html$ RewriteRule .* - [T=text/html] - http://www.ibm.com/developerworks/xml/library/x-tipapachexhtml/index.html Use Content-Type application/xml and XSLT to get IE to convert XHTML to HTML and parse it: http://www.w3.org/MarkUp/2004/xhtml-faq#ie -- I would believe only in a God that knows how to Dance. - Nietzsche http://www.ChaosReigns.com Guns save lives. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] 404's to robots.txt?
At 06:03 PM 7/21/2009, you wrote: More than 1 docroot / log %{Host}i ? Ahh.. I believe that's it! Thank you and the others who suggested that, I believe that's it - I have a few subdomains I rarely use... My current httpd.conf is: LogFormat %h %l %u %t \%r\ %s %b \%{Referer}i \%{User-agent}i\ combined Is there a better format for that so instead of: 1.2.3.4 - - [22/Jul/2009:13:31:28 -0700] GET /images/favicon.ico HTTP/1.1 200 1150 I'd get 1.2.3.4 - - [22/Jul/2009:13:31:28 -0700] GET www.mydomain.com/images/favicon.ico HTTP/1.1 200 1150 I do have a few rarely used subdomains - but anything .mydomain.com goest to my apache. Thanks. :) - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Transparent Proxy Server Installation
Brian Kim wrote: The big picture for my http proxy is to install it to ISP level. It means users must not need to set up the proxy configuration In that sense, I thought a reverse proxy seems to be the transparent proxy. Is it right? Can you remind us exactly of what you want to do ? I am getting a bit lost here... Like, - where are the users ? - where is (are) the webserver(s) they are trying to reach ? - where should Apache figure in all that ? I mean, if you really mean transparent, then you mean a router (maybe with NAT), and you do not need Apache for that. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] SOLVED Re: [us...@httpd] How do I follow the XHTML Content-Type recommendations?
dar...@chaosreigns.com wrote: If a browser with a User-Agent containing MSIE there seems to be a contradiction in terms here.. ;-) - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Proxying SSL
I believe I need to proxy SSL. I have one Apache server, with SSL, and am using ProxyPass to get https://server1/app/ to proxy to https://server2/app/ server2 is set up to use certificate details for authorization. I found http://httpd.apache.org/docs/2.2/mod/mod_ssl.html There are an awful lot of SSLProxy* directives, and I'm not sure what all I need to get this working. I added SSLProxyEngine on and got errors like: [Wed Jul 22 23:02:56 2009] [warn] Proxy client certificate callback: (server1:443) downstream server wanted client certificate but none are configured [Wed Jul 22 23:02:56 2009] [error] (502)Unknown error 502: proxy: pass request body failed to [2001:480:10:61:250:56ff:fe2f:f1c3]:443 (server2) I'm not sure why it's trying to talk IPv6 to server2 I added a hosts entry with the correct IPv4 address, just to eliminate that issue, but I get the same error. -- *** * John Oliver http://www.john-oliver.net/ * * * *** - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Transparent Proxy Server Installation
Hi all. The basic configuration is as follows (1) (2) (3)(4) Users switch (eth2 -- eth0) -- WWW Users located in (1) will access WWW via http Apache server in (3). For non-transparent proxy, every user across the proxy has to set up proxy configuration by putting proxy IP address. Again, I just want to make users access WWW without the setup. In other words, (3) proxy should be transparent. For example, if I only need a proxy for general usage(e.g.caching), I may be able to use Squid software, not Apache. However, my intention of the proxy is more than that. Currently I am using mod_proxy_http where I put some code for looking at each html data and modify it if necessary. Of course, I have added other functionality too. Is this enough information to answer to my question? Thanks in advance. On Wed, Jul 22, 2009 at 6:04 PM, André Warniera...@ice-sa.com wrote: Brian Kim wrote: The big picture for my http proxy is to install it to ISP level. It means users must not need to set up the proxy configuration In that sense, I thought a reverse proxy seems to be the transparent proxy. Is it right? Can you remind us exactly of what you want to do ? I am getting a bit lost here... Like, - where are the users ? - where is (are) the webserver(s) they are trying to reach ? - where should Apache figure in all that ? I mean, if you really mean transparent, then you mean a router (maybe with NAT), and you do not need Apache for that. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org