RE: [us...@httpd] how to get multiple SSL with name based vhost ?
-----Original Message-----
From: J. Bakshi [mailto:joyd...@infoservices.in]
Sent: Tuesday, December 01, 2009 8:20 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] how to get multiple SSL with name based vhost ?

> ...
> Thanks for your nice explanatory response. The server where my apache is running is based on opensuse 11.0. Hence I don't think this box can support SNI. As this is a production server I can't simply upgrade the box. So I need some other alternative.

Krist explained it very nicely... But maybe you still didn't get it:

Without SNI, there is NO WAY TO DO THIS. It is a fundamental limitation of the HTTPS protocol with no production-grade work-around. SNI (server-name indication) was specifically added to address this limitation. There is simply NO ALTERNATIVE.

Having said that, if you have a research or academic environment and don't care about browser warnings, you can just use the same cert for all sites. You will get the encryption aspect of HTTPS but not the authentication aspect.

Alternatively, if all sites have the same domain-name (eg, sales.wibble.com, shop.wibble.com etc), you can get a wildcard cert that certifies *.wibble.com.

Aside from these special cases, there is NO WAY to have name-based SSL VHs.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> Thanks to make me familiar with SNI
> --
> জয়দীপ বক্সী

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks.

---
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [us...@httpd] Re: Apache httpd does not respect the HTTP RFCs !
Carsten Wiedmann wrote:
> William A. Rowe Jr. wrote:
>> I agree it should be easier, Rich and I have it down to 3-4 lines of rewrite magic to kick out a 400, but we should probably allow this to be explicit [default?]
>
> That would be nice. And if I were able to set the status code in a RewriteRule and/or Header directive.
>
> I guess you have seen my RewriteRule with the Perl script in my other message. Well, I'm only using a Perl script, because this is not possible (assuming httpd-multilang-errordoc.conf is enabled):
> | RewriteRule ^.*$ /error/HTTP_BAD_REQUEST.html.var \
> |     [PT,NS,E=REDIRECT_STATUS:400]
> | Header set Status 400 Bad Request
>
> I'm getting my multi language error document, but I can't set the status header in this way.

You are going way overboard, I suspect. Simply try;

    NameVirtualHost *:80

    # This MUST be the first host, it will be the default after all other
    # hosts are evaluated and rejected. The servername must simply be a
    # name which is never used, so example.com is appropriate.
    <VirtualHost *:80>
        ServerName bad.host.example.com
        RewriteEngine On
        RewriteRule .* - [R=400]
    </VirtualHost>

[us...@httpd] Re: Apache httpd does not respect the HTTP RFCs !
William A. Rowe Jr. wrote:
> RewriteRule .* - [R=400]

Hm, ok, I've never realized that I can set other status codes in RewriteRule [R] than the well-known redirect status codes (Redirection 3xx). A little bit curious?

With [R=400] it's the same as with the Perl script (thanks for this hint).

Another thing: I know [F] also exists, but if all status codes are valid (like I can read in the manual), [R=404] is not working correctly.

Well, and the error document with [R=400] (or other status codes) is also not multi language.

Regards,
Carsten

Re: [us...@httpd] how to get multiple SSL with name based vhost ?
Boyle Owen wrote:
>> -----Original Message-----
>> From: J. Bakshi [mailto:joyd...@infoservices.in]
>> Sent: Tuesday, December 01, 2009 8:20 AM
>> To: users@httpd.apache.org
>> Subject: Re: [us...@httpd] how to get multiple SSL with name based vhost ?
>>
>> ...
>> Thanks for your nice explanatory response. The server where my apache is running is based on opensuse 11.0. Hence I don't think this box can support SNI. As this is a production server I can't simply upgrade the box. So I need some other alternative.
>
> Krist explained it very nicely... But maybe you still didn't get it:
>
> Without SNI, there is NO WAY TO DO THIS. It is a fundamental limitation of the HTTPS protocol with no production-grade work-around. SNI (server-name indication) was specifically added to address this limitation. There is simply NO ALTERNATIVE.
>
> Having said that, if you have a research or academic environment and don't care about browser warnings, you can just use the same cert for all sites. You will get the encryption aspect of HTTPS but not the authentication aspect.
>
> Alternatively, if all sites have the same domain-name (eg, sales.wibble.com, shop.wibble.com etc), you can get a wildcard cert that certifies *.wibble.com.
>
> Aside from these special cases, there is NO WAY to have name-based SSL VHs.
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.

Hello Owen,

Thanks for your response. Your assumption is correct. I am working in an environment where the domain name is the same. Hence I am using the same certificate. But the problem is with the port. Apache is complaining if it sees more name based vhosts with port 443. I was using the config as below

```
Listen 443

NameVirtualHost example1.de:443
<VirtualHost example1:443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/myca/mars-server.crt
    SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
    SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
    ServerName https://example1.de
    ServerAlias https://example1.de
    DocumentRoot /srv/www/htdocs/blevti.opendingo.de
    DirectoryIndex index.php
</VirtualHost>

NameVirtualHost example2.de:443
<VirtualHost example2:443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/myca/mars-server.crt
    SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
    SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
    ServerName https://example2.de
    ServerAlias https://example2.de
    DocumentRoot /srv/www/htdocs/example2.de
    DirectoryIndex index.php
</VirtualHost>
```

but no luck

--
জয়দীপ বক্সী

RE: [us...@httpd] how to get multiple SSL with name based vhost ?
-----Original Message-----
From: J. Bakshi [mailto:joyd...@infoservices.in]
Sent: Tuesday, December 01, 2009 10:53 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] how to get multiple SSL with name based vhost ?

> ...
> Thank for your response. your assumption is correct. I am working in an environment where the domain name is same. Hence I am using the same certificate. But the problem is with port. apache complaining if it see more name based vhost with port 443. I was using the config as below

I think you are just getting a *warning* - if you test the sites it should work...

That is to say, you will get an SSL session with the cert from VH1 then if you request site1 all will be OK (no browser warnings since site1 matches cert1). If you request site2, you will get a browser warning since site2 doesn't match cert1, but otherwise the request should succeed (since the SSL session is up by this time, apache can decrypt the request, get the Host header and so go to the appropriate VH).

If this is not happening, post back with a description of what *is* happening...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

Re: [us...@httpd] how to get multiple SSL with name based vhost ?
Boyle Owen wrote:
>> -----Original Message-----
>> From: J. Bakshi [mailto:joyd...@infoservices.in]
>> Sent: Tuesday, December 01, 2009 10:53 AM
>> To: users@httpd.apache.org
>> Subject: Re: [us...@httpd] how to get multiple SSL with name based vhost ?
>>
>> ...
>> Thank for your response. your assumption is correct. I am working in an environment where the domain name is same. Hence I am using the same certificate. But the problem is with port. apache complaining if it see more name based vhost with port 443. I was using the config as below
>
> I think you are just getting a *warning* - if you test the sites it should work...
>
> That is to say, you will get an SSL session with the cert from VH1 then if you request site1 all will be OK (no browser warnings since site1 matches cert1). If you request site2, you will get a browser warning since site2 doesn't match cert1, but otherwise the request should succeed (since the SSL session is up by this time, apache can decrypt the request, get the Host header and so go to the appropriate VH).
>
> If this is not happening, post back with a description of what *is* happening...

Hello Boyle,

Thanks for your kind response. I have just activated my second SSL connection to generate the logs. Here it is

```
[Tue Dec 01 11:38:31 2009] [warn] Init: SSL server IP/port conflict: www.example1.de:443 (/etc/apache2/vhosts.d/blevti.opendingo.de.conf:34) vs. example2.in:443 (/etc/apache2/vhosts.d/phpmyadmin.conf:5)
[Tue Dec 01 11:38:31 2009] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
```

What happens now: the second vhost SSL does not complain but it goes to the first vhost SSL, and apache2ctl -S displays the first one as the default one.

> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.

Re: [us...@httpd] Re: Apache httpd does not respect the HTTP RFCs !
Carsten Wiedmann wrote:
> Well, and the error document with [R=400] (or other status codes) is also not multi language.

Right; presume for a moment that anyone hitting your server with a bogus dns reference or by-ip is doing so in a less-than-friendly, spidery or malicious manner. Are they really worth sending an elegant error page to?

You can't both set the code and trigger ErrorDocument; but of course patches would be welcome.

I'm not certain if this works, but;

    Redirect 400 /

or

    RedirectMatch 400 .*

would more likely provide the proper error page you are looking for, but I haven't tested this for you.

[us...@httpd] Re: Apache httpd does not respect the HTTP RFCs !
William A. Rowe Jr. wrote:
>> Well, and the error document with [R=400] (or other status codes) is also not multi language.
>
> Right; presume for a moment that anyone hitting your server with a bogus dns reference or by-ip is doing so in a less-than-friendly, spidery or malicious manner. Are they really worth sending an elegant error page to?

OK, for script kiddies it must not be multi language (maybe just for completeness). It's more because of the common wildcard DNS.

For a vhost I have deleted in Apache, it might also be possible to set a status 410, but I guess 400 is better (not only the current uri is gone, the whole host does not exist). Of course, setting a 410 is the same problem.

> I'm not certain if this works, but;
>
>     Redirect 400 /
>
> or
>
>     RedirectMatch 400 .*

It's the same as with:
| RewriteRule ^.*$ - [R=400]

BTW: If httpd-multilang-errordoc.conf is enabled, all above solutions are also not working nicely. Because now the error document shows:
| Bad Request
|
| Your browser sent a request that this server could not understand.
|
| Additionally, a 500 Internal Server Error error was encountered while
| trying to use an ErrorDocument to handle the request.

(and with [R=404] you have an additional error, because of endless internal redirects)

Regards,
Carsten

Re: [us...@httpd] how to get multiple SSL with name based vhost ?
* Boyle Owen <owen.bo...@six-group.com> [2009-12-01 10:08]:
> Krist explained it very nicely... But maybe you still didn't get it:
>
> Without SNI, there is NO WAY TO DO THIS. It is a fundamental limitation of the HTTPS protocol with no production-grade work-around. SNI (server-name indication) was specifically added to address this limitation. There is simply NO ALTERNATIVE.

Nonsense, and shouting does not make it correct either.

Use X.509v3 SubjectAltName extensions in the certs, as I (and probably others) said several times on this very list last month alone.

(And of course SNI is preferable, once ubiquitous support for it is available in servers and user agents alike).

-peter

[us...@httpd] Re: Apache httpd does not respect the HTTP RFCs !
Carsten Wiedmann wrote:
> It's the same as with:
> | RewriteRule ^.*$ - [R=400]
>
> BTW: If httpd-multilang-errordoc.conf is enabled, all above solutions are also not working nice. Because now the error document shows:

Just for the record. This is doing the trick:
| NameVirtualHost *:80
|
| <VirtualHost *:80>
|     ServerName nonexistent
|
|     RewriteEngine On
|     RewriteCond %{IS_SUBREQ} false
|     RewriteCond %{REQUEST_URI} !/error/HTTP_BAD_REQUEST.html.var
|     RewriteRule ^.*$ - [R=400]
| </VirtualHost>

Regards,
Carsten

RE: [us...@httpd] how to get multiple SSL with name based vhost ?
-----Original Message-----
From: Peter Schober [mailto:peter.scho...@univie.ac.at]
Sent: Tuesday, December 01, 2009 12:40 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] how to get multiple SSL with name based vhost ?

> * Boyle Owen <owen.bo...@six-group.com> [2009-12-01 10:08]:
>> Krist explained it very nicely... But maybe you still didn't get it:
>>
>> Without SNI, there is NO WAY TO DO THIS. It is a fundamental limitation of the HTTPS protocol with no production-grade work-around. SNI (server-name indication) was specifically added to address this limitation. There is simply NO ALTERNATIVE.
>
> Nonsense, and shouting does not make it correct either.
>
> Use X.509v3 SubjectAltName extensions in the certs, as I (and probably others) said several times on this very list last month alone.

<whisper>
Thanks for the reminder, peter. Oddly enough, I had a nagging suspicion I had heard of some rather obscure alternative to SNI and now I know where I heard it :-) But couldn't remember enough about it to find it on Google :-(

Anyway, I stand corrected. Sorry for afflicting your hearing - but it seemed the op wasn't getting the point. However, at least he now has an alternative... Would you mind helping him out with it?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
</whisper>

> (And of course SNI is preferable, once ubiquitous support for it is available in servers and user agents alike).
> -peter

Re: [us...@httpd] how to get multiple SSL with name based vhost ?
* Boyle Owen <owen.bo...@six-group.com> [2009-12-01 14:51]:
> However, at least he now has an alternative... Would you mind helping him out with it?

http://markmail.org/message/yr52ptnpgbocgvad

cheers,
-peter

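The certificate-selection behaviour argued over in the messages above, modelled as an added example that is not part of any list message and not Apache's own code. The class and function names are hypothetical, the host names are the ones used in the thread, and the three scenarios (per-site certs, a wildcard cert, one cert with SubjectAltName entries) are constructed:

```python
"""Which certificate does a client see on a shared IP:443, with and without SNI?"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    common_name: str
    subject_alt_names: tuple = ()

    def dns_names(self):
        # When dNSName SAN entries are present, clients validate against
        # those rather than the CN.
        return self.subject_alt_names or (self.common_name,)


@dataclass(frozen=True)
class VHost:
    server_name: str
    cert: Cert


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == pattern[2:]


def cert_for_handshake(vhosts, sni=None):
    """Certificate presented during the TLS handshake.

    The Host header is still unreadable at this point, so without an SNI
    name the server can only fall back to the first vhost on the IP:port.
    """
    if sni is not None:
        for vhost in vhosts:
            if vhost.server_name.lower() == sni.lower():
                return vhost.cert
    return vhosts[0].cert


def browser_accepts(vhosts, host, client_sends_sni):
    """True if the presented certificate covers the requested host name."""
    cert = cert_for_handshake(vhosts, host if client_sends_sni else None)
    return any(name_matches(name, host) for name in cert.dns_names())


def report(vhosts, client_sends_sni):
    """Map each vhost name to whether a browser would accept its handshake."""
    return {v.server_name: browser_accepts(vhosts, v.server_name, client_sends_sni)
            for v in vhosts}


# Constructed scenarios.
PER_SITE = [VHost("example1.de", Cert("example1.de")),
            VHost("example2.de", Cert("example2.de"))]
_WILDCARD = Cert("*.wibble.com")
WILDCARD = [VHost("sales.wibble.com", _WILDCARD),
            VHost("shop.wibble.com", _WILDCARD)]
_SAN = Cert("example1.de", ("example1.de", "example2.de"))
SAN = [VHost("example1.de", _SAN), VHost("example2.de", _SAN)]

if __name__ == "__main__":
    for label, vhosts in (("per-site", PER_SITE), ("wildcard", WILDCARD), ("SAN", SAN)):
        for sni in (False, True):
            print(f"{label:9} SNI={sni!s:5} {report(vhosts, sni)}")
```
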
[us...@httpd] Marked as spam?
I just tried to reply to a message on the "how to get multiple SSL with name based vhost" discussion, but it was marked as spam.

I don't think I mentioned anything particularly spam worthy..

Full copy of the raw email (as gmail remembers it) is at http://pastebin.com/m7aba774b

Cheers

Tom

Re: [us...@httpd] Marked as spam?
Hi,

> I just tried to reply to a message on the how to get multiple SSL with name based vhost discussion, but it was marked as spam
>
> I don't think I mentioned anything particularly spam worthy..
>
> Full copy of the raw email (as gmail remembers it) is at http://pastebin.com/m7aba774b

I often experienced that spam filters or email clients feel offended by IP addresses, because these are sometimes used instead of domain names in phishing mails.

Cheers
Sascha

--
Software developer
Technical book author -- including IT-Handbuch für Fachinformatiker, http://www.galileocomputing.de/2138

Re: [us...@httpd] Marked as spam?
On Tue, Dec 1, 2009 at 2:27 PM, Sascha Kersken <s...@lingoworld.de> wrote:
> Hi,
>
>> I just tried to reply to a message on the how to get multiple SSL with name based vhost discussion, but it was marked as spam
>>
>> I don't think I mentioned anything particularly spam worthy..
>>
>> Full copy of the raw email (as gmail remembers it) is at http://pastebin.com/m7aba774b
>
> I often experienced that spam filters or email clients feel offended by IP addresses, because these are sometimes used instead of domain names in phishing mails.
>
> Cheers
> Sascha

I redacted the IP addresses, but still no go. This spam filter seems excessively harsh given the expected content of mails to this list - i.e. apache configuration files. I still see nothing remotely spammy in that email, and the only info I have is that my spam score is 6.4 - no breakdown of why it is 6.4 though.

Bah, never mind.

RE: [us...@httpd] Passing remote client IP address to backend server and session stickness
Hi, Haroon

I see that also but I don't know how to use them. I put the statement into my vhost of Apache reverse proxy and Apache is complaining that they are wrong statements, etc.

<virtualhost>

...
Proxyrequst off
.
X-Forwarded-For

</virtualhost>

Is the above the correct way to use it? I do not much care about the remote IP being logged in the Apache log but I do care about the remote client IP being forwarded to the backend server, since our backend server will decide what to do based on the remote client IP. Thanks.

Ryan

-----Original Message-----
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca]
Sent: Monday, November 30, 2009 7:54 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Passing remote client IP address to backend server and session stickness

On Today at 4:37pm, RJ=>Ruiyuan Jiang <ruiyuan_ji...@liz.com> wrote:

RJ> Hi, all
RJ>
RJ> Question 1: Is there a way to pass Internet users' IP address to
RJ> backend server through Apache reverse proxy server? I am testing that
RJ> feature so far no luck. My backend server gets Apache proxy server's
RJ> IP address. But I'd like to have Internet users' IP being passed
RJ> through Apache. This is http request.
RJ>

Hi Ruiyan,

See:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers

you are interested in the X-Forwarded-For header. Once you get it to your backend server, then you will need to figure out how to get the information from that header into your logs (or wherever else). You may need to take extra care as multiple proxies can be in the path, so only trust this information if coming straight from your own reverse proxy.

RJ>
RJ> [..snip..]
RJ>

Later,
--
Haroon Rafique <haroon.rafi...@utoronto.ca>

This message (including any attachments) is intended solely for the specific individual(s) or entity(ies) named above, and may contain legally privileged and confidential information. If you are not the intended recipient, please notify the sender immediately by replying to this message and then delete it. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, by other than the intended recipient, is strictly prohibited.

Re: [us...@httpd] how to get multiple SSL with name based vhost ?
You seem to be a bit confused about how to configure name based virtual hosts..

On Tue, Dec 1, 2009 at 10:53 AM, J. Bakshi <joyd...@infoservices.in> wrote:
> Listen 443
>
> NameVirtualHost example1.de:443
> <VirtualHost example1:443>
>     SSLEngine on
>     SSLCipherSuite HIGH:MEDIUM
>     SSLProtocol all -SSLv2
>     SSLCertificateFile /etc/apache2/myca/mars-server.crt
>     SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
>     SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
>     ServerName https://example1.de
>     ServerAlias https://example1.de
>     DocumentRoot /srv/www/htdocs/blevti.opendingo.de
>     DirectoryIndex index.php
> </VirtualHost>
>
> NameVirtualHost example2.de:443
> <VirtualHost example2:443>
>     SSLEngine on
>     SSLCipherSuite HIGH:MEDIUM
>     SSLProtocol all -SSLv2
>     SSLCertificateFile /etc/apache2/myca/mars-server.crt
>     SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
>     SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
>     ServerName https://example2.de
>     ServerAlias https://example2.de
>     DocumentRoot /srv/www/htdocs/example2.de
>     DirectoryIndex index.php
> </VirtualHost>

You should have only one NameVirtualHost statement per IP/Port combination, so unless you have a multi homed host this should be:

    NameVirtualHost *:443

And your VirtualHost blocks should all be like this:

    <VirtualHost *:443>
        ServerName example1.de
        # ... your directives here
    </VirtualHost>

    <VirtualHost *:443>
        ServerName example2.de
        # ... your directives here
    </VirtualHost>

etc...

It is the ServerName directive that tells Apache which virtualhost is which.

Krist

--
krist.vanbes...@gmail.com
kr...@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

RE: [us...@httpd] Adding module to Apache-httpd
Hi, William

Can you give me more details:

> There is the %{Header-Name}i syntax of the custom log, so you could easily verify which header is actually in use. X-Forwarded-For is the usual 'public' method,

I will use Apache as a reverse proxy, not a forward proxy. So the IPs are from Internet users, not internal private IP users. The remote internal IP is not suitable for me in my case. Thanks.

Ryan

-----Original Message-----
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
Sent: Monday, November 30, 2009 8:39 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Adding module to Apache-httpd

Ruiyuan Jiang wrote:
> I compiled remoteip module and loaded it without problem. In one of my virtualhost of Apache reverse proxy, I added and tested:
>
> RemoteIPHeader X-Client-IP
> Or
> RemoteIPHeader X-Forwarded-For
> Or both
>
> I don't see the remote client IP is being forwarded to the backend server from Apache as it supposed to be. Does anyone know why or what I did wrong? Thanks.

There is the %{Header-Name}i syntax of the custom log, so you could easily verify which header is actually in use. X-Forwarded-For is the usual 'public' method, but nobody promises you'll have such information assigned. The other example would entirely depend on your load balancer/router which picks up the requests and has redispatched them. Usually such devices will *not* share any info over the web, but replace that particular header unilaterally.

Also note the module will only set the IP address as 'authentic' when the remote machine is trusted, see

http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html#remoteipinternalproxy

and the commentary at the top of that page.

[I'm thinking about a RemoteIPTrustedHeader directive that wouldn't deal with that scrutiny, but I'm a bit hesitant. You know your own IPs of your own infrastructure to trust such proxies, right?]

RE: [us...@httpd] Passing remote client IP address to backend server and session stickness
On Today at 10:09am, RJ=Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:

RJ> Hi, Haroon
RJ>
RJ> I see that also but I don't know how to use them. I put the statement into my vhost of Apache reverse proxy and the apache complaining they are wrong statement, etc.

Hi Ryan,

X-Forwarded-For is not a statement that goes inside the httpd.conf. The documentation page is just telling you that these headers are already available to you, if you are using reverse-proxy.

RJ> <virtualhost>
RJ>
RJ> ...
RJ> Proxyrequst off
RJ> .
RJ> X-Forwarded-For
RJ>
RJ> </virtualhost>

So, don't put the X-Forwarded-For statement there.

RJ> Is above the correct way to use it? I am not much care about the remote IP being logged in the Apache log but I am care about the remote client IP being forwarded to the backend server since our backend server will decide what to do based on the remote client IP. Thanks.

For the backend server to be able to see the remote client IP, as if it was the real client IP, your application will have to be aware of the X-Forwarded-For. Depending on what technology you are using on the backend, the answer may be different about how to make your backend be aware of X-Forwarded-For header.

Regardless of the technology, you probably should read up on the XFF entry at wikipedia:
http://en.wikipedia.org/wiki/X-Forwarded-For

And again, regardless of the tech, the HTTP request will contain the X-Forwarded-For header.

On my java projects, I use xebia-france XForwardedFilter at:
http://code.google.com/p/xebia-france/wiki/XForwardedFilter

YMMV,

RJ> Ryan

Cheers,
--
Haroon Rafique
haroon.rafi...@utoronto.ca
RE: [us...@httpd] Passing remote client IP address to backend server and session stickness
Hi, William

For your answer to my question 1, current I use BlueCoat reverse proxy which is passing internet remote client IP to the backend server. We'd like to migrate the reverse proxy server to Apache server. The rest network setup has not been changed.

For your answer to my question2, it is my fault that I did not post all the related statements. Here they are:

    <Proxy balancer://backend>
    BalancerMember https://backend1:443 keepalive=on
    BalancerMember https://backend2:443 keepalive=on
    </Proxy>
    ProxyPass / balancer://backend/
    ProxyPassReverse / balancer://backend/ stickysession=JSESSIONID|jsessionid

Like I said, the Apache does not stick the https session to one particular server for the session.

Ryan Jiang

-----Original Message-----
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
Sent: Monday, November 30, 2009 9:14 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Passing remote client IP address to backend server and session stickness

I realize I just answered you, but in response to your explicit and specific questions;

Ruiyuan Jiang wrote:
> Question 1: Is there a way to pass Internet users' IP address to backend server through Apache reverse proxy server? I am testing that feature so far no luck. My backend server gets Apache proxy server's IP address. But I'd like to have Internet users' IP being passed through Apache. This is http request.

Only if this information has been shared with you by the upstream proxy or router/gateway/forward proxy. E.g. - what mod_remoteip is designed to decode, ---when the information is presented---.

> Question 2: I am testing another Apache reverse proxy which proxies two backend https servers. I am trying to use mod_proxy_balancer.
>
>     <proxy balancer://mycluster>
>     Balancermember https://192.168.1.1:443 keepalive=on
>     Balancermember https://192.168.1.2:443 keepalive=on
>     </proxy>
>     Proxypass /test balancer:mycluster/
>
> When I test to access the site, I got login prompt from first server which I saw from access log. I typed in login name and password. I got the login prompt back but from the log I saw the connectivity was back from server 2. It seems to me like round robin connection to backend server by Apache. I tried with keyword JSESSION but no luck. Does anyone know how to configure Apache so the same connection always goes through the same backend https (http) server. Thanks in advance.

Are you forgetting your ProxyPassReverse statements? As of the current version, the syntax above (but wtf happened to your // before mycluster???) would work just fine for a ProxyPassReverse rule.

> This message (including any attachments) is intended solely for the specific individual(s) or entity(ies) named above, and may contain legally privileged and confidential information. If you are not the intended recipient, please notify the sender immediately by replying to this message and then delete it. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, by other than the intended recipient, is strictly prohibited.

You have emailed a public list. Your intended individuals are the world.
Re: [us...@httpd] Marked as spam?
* Tom Evans tevans...@googlemail.com [2009-12-01 15:22]:

Full copy of the raw email (as gmail remembers it) is at http://pastebin.com/m7aba774b

Yes, wildcard certificates are another possibility, if your CA supports them (same goes for subjectAltName, of course). You'll still need one public IP-address per shared DNS-domain though, which will be an improvement over IP-based SSL vhosting (one public IP-address per SSL-ified Vhost) if most of your vhosts share a common DNS domain. Or it may not, depending on your use case.

-peter
RE: [us...@httpd] Passing remote client IP address to backend server and session stickness
Hi, Haroon

Thanks for the reply. Do you mean they are automatically activated for reverse proxy?

Unfortunately it does not work for me if they are activated.

My backend server will be Oracle 9iAS or Oracle 10gAS.

Ryan

-----Original Message-----
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca]
Sent: Tuesday, December 01, 2009 10:23 AM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

On Today at 10:09am, RJ=Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:

RJ> Hi, Haroon
RJ>
RJ> I see that also but I don't know how to use them. I put the statement into my vhost of Apache reverse proxy and the apache complaining they are wrong statement, etc.

Hi Ryan,

X-Forwarded-For is not a statement that goes inside the httpd.conf. The documentation page is just telling you that these headers are already available to you, if you are using reverse-proxy.

RJ> <virtualhost>
RJ>
RJ> ...
RJ> Proxyrequst off
RJ> .
RJ> X-Forwarded-For
RJ>
RJ> </virtualhost>

So, don't put the X-Forwarded-For statement there.

RJ> Is above the correct way to use it? I am not much care about the remote IP being logged in the Apache log but I am care about the remote client IP being forwarded to the backend server since our backend server will decide what to do based on the remote client IP. Thanks.

For the backend server to be able to see the remote client IP, as if it was the real client IP, your application will have to be aware of the X-Forwarded-For. Depending on what technology you are using on the backend, the answer may be different about how to make your backend be aware of X-Forwarded-For header.

Regardless of the technology, you probably should read up on the XFF entry at wikipedia:
http://en.wikipedia.org/wiki/X-Forwarded-For

And again, regardless of the tech, the HTTP request will contain the X-Forwarded-For header.

On my java projects, I use xebia-france XForwardedFilter at:
http://code.google.com/p/xebia-france/wiki/XForwardedFilter

YMMV,

RJ> Ryan

Cheers,
--
Haroon Rafique
haroon.rafi...@utoronto.ca
RE: [us...@httpd] Passing remote client IP address to backend server and session stickness
Hi, Haroon

I read http://en.wikipedia.org/wiki/X-Forwarded-For yesterday and I did not see Apache listed there. I saw squid, bluecoat, etc. listed there so I was thinking to test squid with the feature. What is your suggestion? Thanks.

Ryan

-----Original Message-----
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca]
Sent: Tuesday, December 01, 2009 10:23 AM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

On Today at 10:09am, RJ=Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:

RJ> Hi, Haroon
RJ>
RJ> I see that also but I don't know how to use them. I put the statement into my vhost of Apache reverse proxy and the apache complaining they are wrong statement, etc.

Hi Ryan,

X-Forwarded-For is not a statement that goes inside the httpd.conf. The documentation page is just telling you that these headers are already available to you, if you are using reverse-proxy.

RJ> <virtualhost>
RJ>
RJ> ...
RJ> Proxyrequst off
RJ> .
RJ> X-Forwarded-For
RJ>
RJ> </virtualhost>

So, don't put the X-Forwarded-For statement there.

RJ> Is above the correct way to use it? I am not much care about the remote IP being logged in the Apache log but I am care about the remote client IP being forwarded to the backend server since our backend server will decide what to do based on the remote client IP. Thanks.

For the backend server to be able to see the remote client IP, as if it was the real client IP, your application will have to be aware of the X-Forwarded-For. Depending on what technology you are using on the backend, the answer may be different about how to make your backend be aware of X-Forwarded-For header.

Regardless of the technology, you probably should read up on the XFF entry at wikipedia:
http://en.wikipedia.org/wiki/X-Forwarded-For

And again, regardless of the tech, the HTTP request will contain the X-Forwarded-For header.

On my java projects, I use xebia-france XForwardedFilter at:
http://code.google.com/p/xebia-france/wiki/XForwardedFilter

YMMV,

RJ> Ryan

Cheers,
--
Haroon Rafique
haroon.rafi...@utoronto.ca
[us...@httpd] Re-negotiation handshake failed: Not accepted by client!?
All,

We are trying to configure apache to accept client certificate when accessing the page from client side. Here is the configuration,

    <VirtualHost :4406>
    RewriteEngine on
    RewriteOptions inherit
    ServerName ***
    JkMountFile /apps/local/apache-ssl/conf/jkm_servicesit06.properties
    JkRequestLogFormat %w %V %T
    SSLCertificateFile certs/services.crt
    Include conf/shared-ssl.conf
    <Location /Dummy>
    SSLCACertificatePath /apps/local/ssl_certificates/clients
    SSLVerifyClient require
    </Location>
    </VirtualHost>

When we try to access the page we get page cannot be displayed message and in the log files we get

    Re-negotiation handshake failed: Not accepted by client!?

The certificate files inside /apps/local/ssl_certificates/clients was provided by client.

We are using Apache/2.0.63 , openssl-0.9.8h and Jboss 4.0.4.GA

Could someone throw some light on this issue?
RE: [us...@httpd] Passing remote client IP address to backend server and session stickness
On Today at 10:29am, RJ=Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:

RJ> Hi, Haroon
RJ>
RJ> Thanks for the reply. Do you mean they are automatically activated for reverse proxy?

Yes.

RJ> Unfortunately it does not work for me if they are activated.

What does not work? The X-Forwarded-For header *is* there and that's where the automatic part ends. Is your application looking for it? Looking for it in what way?

RJ> My backend server will be Oracle 9iAS or Oracle 10gAS.

Seems like you are on the java platform. How about deploying a test servlet? or a jsp as follows:

    <%= request.getHeader("X-Forwarded-For") %>

On an aside, mod_remoteip does all of the address figuring out in apache land. AFAIK, it is only bundled with apache 2.3. I see that you are asking on another thread about how to include mod_remoteip in apache 2.2 land. Again, I can only tell you about my experiences. I use apache 2.2.x with mod_proxy in a reverse-proxy configuration. For my java app, I use xebia-france XForwardedFilter (which is a java port of mod_remoteip).

RJ> Ryan

Cheers,
--
Haroon Rafique
haroon.rafi...@utoronto.ca
[us...@httpd] Environment variable in require ldap-group?
Hi,

Is there a way for the LDAP search string for require ldap-group to be based on some variable (like an environment variable)?

I've tried something like the following without success :

    <LocationMatch /hg/[\^]+>
    require ldap-group CN=%{ENV:HG_GROUP},OU=SAVX,OU=Comptes et groupes de services,DC=CDDDC01,DC=LOCAL
    </LocationMatch>

I was setting the HG_GROUP variable using a rewrite rule like this :

    RewriteRule ^/hg/([^/]+)/.* - [E=HG_GROUP:$1]

Thanks!
RE: [us...@httpd] Passing remote client IP address to backend server and session stickness
Hi, Haroon

Where do you see Apache 2.3? I don't see on the office Apache web site. Also where should I apply:

    <%= request.getHeader("X-Forwarded-For") %>

In my Apache reverse proxy server? Thanks.

Ryan

-----Original Message-----
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca]
Sent: Tuesday, December 01, 2009 10:57 AM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

On Today at 10:29am, RJ=Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:

RJ> Hi, Haroon
RJ>
RJ> Thanks for the reply. Do you mean they are automatically activated for reverse proxy?

Yes.

RJ> Unfortunately it does not work for me if they are activated.

What does not work? The X-Forwarded-For header *is* there and that's where the automatic part ends. Is your application looking for it? Looking for it in what way?

RJ> My backend server will be Oracle 9iAS or Oracle 10gAS.

Seems like you are on the java platform. How about deploying a test servlet? or a jsp as follows:

    <%= request.getHeader("X-Forwarded-For") %>

On an aside, mod_remoteip does all of the address figuring out in apache land. AFAIK, it is only bundled with apache 2.3. I see that you are asking on another thread about how to include mod_remoteip in apache 2.2 land. Again, I can only tell you about my experiences. I use apache 2.2.x with mod_proxy in a reverse-proxy configuration. For my java app, I use xebia-france XForwardedFilter (which is a java port of mod_remoteip).

RJ> Ryan

Cheers,
--
Haroon Rafique
haroon.rafi...@utoronto.ca
[us...@httpd] mod_rewite
ok. i need mod rewrite installed on my apache but i don't know how. i also need to install some others but this is the main one
Re: [us...@httpd] mod_rewite
On Dec 1, 2009, at 11:30 , Peter Maguire wrote:
> ok. i need mod rewrite installed on my apache but i don't know how. i also need to install some others but this is the main one

Tell us more. The method of installing a missing module will vary somewhat, depending on how you installed Apache in the first place. Have you installed from source? From a package? From some third-party distribution you downloaded? Are you certain that mod_rewrite isn't in fact already installed? It usually is.

--
Rich Bowen
rbo...@rcbowen.com
Re: [us...@httpd] mod_rewite
i installed from a package from the apache website

From: Rich Bowen rbo...@rcbowen.com
To: users@httpd.apache.org
Sent: Tue, 1 December, 2009 16:35:23
Subject: Re: [us...@httpd] mod_rewite

On Dec 1, 2009, at 11:30 , Peter Maguire wrote:
> ok. i need mod rewrite installed on my apache but i don't know how. i also need to install some others but this is the main one

Tell us more. The method of installing a missing module will vary somewhat, depending on how you installed Apache in the first place. Have you installed from source? From a package? From some third-party distribution you downloaded? Are you certain that mod_rewrite isn't in fact already installed? It usually is.

--
Rich Bowen
rbo...@rcbowen.com
Re: [us...@httpd] mod_rewite
On Dec 1, 2009, at 11:38 , Peter Maguire wrote:
> i installed from a package from the apache website

Then you should rebuild it, using --enable-rewrite in the arguments to ./configure this time.

> From: Rich Bowen rbo...@rcbowen.com
> To: users@httpd.apache.org
> Sent: Tue, 1 December, 2009 16:35:23
> Subject: Re: [us...@httpd] mod_rewite
>
> On Dec 1, 2009, at 11:30 , Peter Maguire wrote:
>> ok. i need mod rewrite installed on my apache but i don't know how. i also need to install some others but this is the main one
>
> Tell us more. The method of installing a missing module will vary somewhat, depending on how you installed Apache in the first place. Have you installed from source? From a package? From some third-party distribution you downloaded? Are you certain that mod_rewrite isn't in fact already installed? It usually is.
>
> --
> Rich Bowen
> rbo...@rcbowen.com

--
Rich Bowen
rbo...@rcbowen.com
Re: [us...@httpd] mod_rewite
Rich Bowen wrote:
> On Dec 1, 2009, at 11:38 , Peter Maguire wrote:
>> i installed from a package from the apache website
>
> Then you should rebuild it, using --enable-rewrite in the arguments to ./configure this time.

Simpler just to google apxs.

--
Nick Kew
Re: [us...@httpd] Passing remote client IP address to backend server and session stickness
On Tue, Dec 1, 2009 at 4:29 PM, Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:
> Hi, Haroon
>
> Where do you see Apache 2.3? I don't see on the office Apache web site. Also where should I apply:
>
>     <%= request.getHeader("X-Forwarded-For") %>
>
> In my Apache reverse proxy server? Thanks.
>
> Ryan

Apache 2.3 is apache development branch.

When apache acts as a reverse proxy it automatically adds the X-Forwarded-For header to the incoming request. It does this automatically, it is part of what reverse proxies do. Your application server can see this header and update itself to use the IP address in this header as the 'real' IP address of the connection.

mod_remoteip is an apache module in apache 2.3 that does this. For you to use this, your application server must be apache. It seems like your application server is not apache, it is some sort of java application server. mod_remoteip would not be a solution for that.

Simply stfw for 'x-forwarded-for name of your app server' for potential solutions:

http://lmgtfy.com/?q=oracle+10+x-forwarded-for
http://lmgtfy.com/?q=oracle+9+x-forwarded-for

Tom
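The trust rule discussed in this thread (a forwarded address is only believed when the connecting machine is one of your own proxies, and the backend has to interpret X-Forwarded-For itself), as an added Python example. It is not mod_remoteip's or XForwardedFilter's code; the function names, the 10.0.0.0/8 proxy range and all sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption for this example: our own reverse proxies live in 10.0.0.0/8.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def parse_hop(token):
    """Parse one X-Forwarded-For element; return an ip_address or None."""
    token = token.strip()
    if token.startswith("["):              # "[2001:db8::1]:4711"
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:            # "203.0.113.7:4711"
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def naive_client_ip(xff_headers):
    """What a backend gets when it simply believes the first element."""
    first = ",".join(xff_headers).split(",")[0].strip()
    return first or None


def resolve_client_ip(peer_ip, xff_headers, trusted_cidrs=TRUSTED_PROXIES):
    """Return the address to treat as the client.

    peer_ip       address of the TCP peer that connected to the backend
    xff_headers   every X-Forwarded-For header line, in the order received
    trusted_cidrs networks that hold proxies we operate ourselves

    The header is consulted only while the current address is a trusted
    proxy, walking right to left. Each proxy appends the address it saw,
    so the rightmost elements were written by our own infrastructure and
    anything further left may have been supplied by the client.
    """
    trusted = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    client = ipaddress.ip_address(peer_ip)
    # Repeated header lines are equivalent to one comma-joined value.
    hops = [t for value in xff_headers for t in value.split(",") if t.strip()]

    while hops and is_trusted(client):
        candidate = parse_hop(hops[-1])
        if candidate is None:
            break                          # malformed element: stop here
        client = candidate
        hops.pop()
    return str(client)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header lines)
    samples = [
        ("10.0.0.5", ["203.0.113.7"]),              # normal proxied request
        ("10.0.0.5", ["192.0.2.99, 203.0.113.7"]),  # client sent its own XFF
        ("198.51.100.23", ["10.1.1.1"]),            # direct hit, forged header
        ("10.0.0.5", ["203.0.113.7", "10.0.0.9"]),  # two of our proxies
    ]
    for peer, xff in samples:
        print(peer, xff, "naive:", naive_client_ip(xff),
              "resolved:", resolve_client_ip(peer, xff))
```

In the second sample the first element was supplied by the client itself, which is why an address taken from that position is unsuitable for access decisions.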
RE: [us...@httpd] Passing remote client IP address to backend server and session stickness
On Today at 11:29am, RJ=Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:

RJ> Hi, Haroon
RJ>
RJ> Where do you see Apache 2.3? I don't see on the office Apache web site.

As of yet unreleased. If I remember correctly, 2.3 will be the unstable branch and 2.4 (when released) will be the stable version.

RJ> Also where should I apply:
RJ>
RJ>     <%= request.getHeader("X-Forwarded-For") %>
RJ>
RJ> In my Apache reverse proxy server? Thanks.

No, that is the content of .jsp which you could deploy on your Oracle app server. Are you a java developer or sysadmin? If not a java developer, then ask your java devs for some help.

RJ> Ryan

Later,
--
Haroon Rafique
haroon.rafi...@utoronto.ca
[us...@httpd] Erasing HTTPD library global variables before reinitialize server
Hello!

I build my application vs. libhttpd (Apache) library (for adding HTTP server abilities), during application running it required to shutting down and then (after some time) to start this (HTTP) server again.

The procedure I used to initialize/shutting down this server is same as used in the Apache httpd project “main.c” file with one difference, I set back the 'apr_app_init_complete' (defined at 'start.c' file) global variable (again 'erasing global variables' issue) to zero (cause server to read again the CLI 'argc'/'argv' argument).

The problem occur in the 2nd running, exception occur. I debug it and I see that this issue caused by global (static) variables that initialized and doesn’t erased after 1st server running. Specifically I saw it for the ‘hooks’ ( “static struct { members } _hooks;”) global variable that defined at the ‘apr_hooks.h’ file, for the 1st running it’s fields set to ‘NULL’ value, but at 2nd it keep illegal addresses from the 1st running.

Location for this acceptation:

    APR_DECLARE(void *) apr_array_push(apr_array_header_t *arr)
    {
    here==> if (arr->nelts == arr->nalloc) {
                int new_size = (arr->nalloc <= 0) ? 1 : arr->nalloc * 2;
                char *new_data;
                new_data = apr_palloc(arr->pool, arr->elt_size * new_size);
                . . .
    }

Call Stack for this exception:

    libapr-1.dll!apr_array_push(apr_array_header_t * arr=0x046299c0) Line 109 + 0x6 bytes C
    libhttpd.dll!ap_hook_create_connection(conn_rec * (apr_pool_t *, server_rec *, apr_socket_t *, long, void *, apr_bucket_alloc_t *)* pf=0x6ff0c430, const char * const * aszPre=0x, const char * const * aszSucc=0x, int nOrder=30) Line 42 + 0x41 bytes C
    libhttpd.dll!register_hooks(apr_pool_t * p=0x043905b0) Line 3988 C
    libhttpd.dll!ap_register_hooks(module_struct * m=0x6ff47928, apr_pool_t * p=0x043905b0) Line 427 + 0xc bytes C
    libhttpd.dll!ap_add_module(module_struct * m=0x6ff47928, apr_pool_t * p=0x043905b0) Line 554 C
    libhttpd.dll!ap_setup_prelinked_modules(process_rec * process=0x0438f5c8) Line 697 + 0x12 bytes C

NOTE: The called to apr_array_push() procedure added using the 'APR_IMPLEMENT_EXTERNAL_HOOK_BASE' macro (defined at 'apr_hooks.h' file).

    /** macro to implement the hook */
    #define APR_IMPLEMENT_EXTERNAL_HOOK_BASE(ns,link,name) \
    link##_DECLARE(void) ns##_hook_##name(ns##_HOOK_##name##_t *pf,const char * const *aszPre, \
                                          const char * const *aszSucc,int nOrder) \
        { \
        ns##_LINK_##name##_t *pHook; \
        if(!_hooks.link_##name) \
            { \
            _hooks.link_##name=apr_array_make(apr_hook_global_pool,1,sizeof(ns##_LINK_##name##_t)); \
            apr_hook_sort_register(#name,_hooks.link_##name); \
            } \
        pHook=apr_array_push(_hooks.link_##name); \
        . . .
        }

I use:
--
HTTPD version: httpd-2.2.13-win32-src
Platform: Windows, build with VC2005

Any suggestion?

P.S I run it with the CLI -X (single process) option, I use the 'SIGNAL_PARENT_SHUTDOWN' signal (e.g. ap_signal_parent(SIGNAL_PARENT_SHUTDOWN)) for terminate this (httpd) server.

Thanks,
Ishay Lavi
Software Engineer
Web: www.audiocodes.com
Email: ishay.l...@audiocodes.com

This email and any files transmitted with it are confidential material. They are intended solely for the use of the designated individual or entity to whom they are addressed. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this email in error please immediately notify the sender and delete or destroy any copy of this message
RE: [us...@httpd] Passing remote client IP address to backend server and session stickness
I am a sysadmin, Haroon. Thanks.

-----Original Message-----
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca]
Sent: Tuesday, December 01, 2009 11:55 AM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

On Today at 11:29am, RJ=Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:

RJ> Hi, Haroon
RJ>
RJ> Where do you see Apache 2.3? I don't see on the office Apache web site.

As of yet unreleased. If I remember correctly, 2.3 will be the unstable branch and 2.4 (when released) will be the stable version.

RJ> Also where should I apply:
RJ>
RJ>     <%= request.getHeader("X-Forwarded-For") %>
RJ>
RJ> In my Apache reverse proxy server? Thanks.

No, that is the content of .jsp which you could deploy on your Oracle app server. Are you a java developer or sysadmin? If not a java developer, then ask your java devs for some help.

RJ> Ryan

Later,
--
Haroon Rafique
haroon.rafi...@utoronto.ca
RE: [us...@httpd] Passing remote client IP address to backend server and session stickness
Thanks, Tom

I will check with my developers here. By the way, is apache done differently for X-Forwarded-For than the rest reverse proxy vendors?

Ryan

-Original Message-
From: Tom Evans [mailto:tevans...@googlemail.com]
Sent: Tuesday, December 01, 2009 11:51 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Passing remote client IP address to backend server and session stickness

On Tue, Dec 1, 2009 at 4:29 PM, Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:
> Hi, Haroon
>
> Where do you see Apache 2.3? I don't see on the office Apache web site.
>
> Also where should I apply:
>
> <%= request.getHeader("X-Forwarded-For") %>
>
> In my Apache reverse proxy server? Thanks.
>
> Ryan

Apache 2.3 is apache development branch.

When apache acts as a reverse proxy it automatically adds the X-Forwarded-For header to the incoming request. It does this automatically, it is part of what reverse proxies do. Your application server can see this header and update itself to use the IP address in this header as the 'real' IP address of the connection.

mod_remoteip is an apache module in apache 2.3 that does this. For you to use this, your application server must be apache. It seems like your application server is not apache, it is some sort of java application server. mod_remoteip would not be a solution for that.

Simply stfw for 'x-forwarded-for name of your app server' for potential solutions:

http://lmgtfy.com/?q=oracle+10+x-forwarded-for
http://lmgtfy.com/?q=oracle+9+x-forwarded-for

Tom
Re: [us...@httpd] Passing remote client IP address to backend server and session stickness
On Tue, Dec 1, 2009 at 5:01 PM, Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:
> Thanks, Tom
>
> I will check with my developers here. By the way, is apache done differently for X-Forwarded-For than the rest reverse proxy vendors?
>
> Ryan

No.

Cheers

Tom
RE: [us...@httpd] how to get multiple SSL with name based vhost ?
> Krist explained it very nicely... But maybe you still didn't get it:
>
> Without SNI, there is NO WAY TO DO THIS. It is a fundamental limitation of the HTTPS protocol with no production-grade work-around. SNI (server-name indication) was specifically added to address this limitation. There is simply NO ALTERNATIVE.

To back up a moment, though -- another way to do this is to define multiple IPs on the network card and run multiple instances of apache, each with different config files. We run 20 or more on some of our production servers.

> Having said that, if you have a research or academic environment and don't care about browser warnings, you can just use the same cert for all sites. You will get the encryption aspect of HTTPS but not the authentication aspect.

Some people get awfully upset when they see browser warnings, though.

> Alternatively, if all sites have the same domain-name (eg, sales.wibble.com, shop.wibble.com etc), you can get a wildcard cert that certifies *.wibble.com. Aside from these special cases, there is NO WAY to have name-based SSL VHs.

But I wonder if name-based SSL VHs really are a necessity. The OP has a Linux box. If he has additional IPs the problem can be taken care of without virtual hosts. And, having done it both ways in a group that supports multiple departments, it saves a lot of headaches trying to schedule upgrades, configuration changes, or even just restarts to clear a problem. But it all depends on the environment.

Sheryl
Re: [us...@httpd] how to get multiple SSL with name based vhost ?
On Tue, Dec 1, 2009 at 3:48 PM, Sheryl gubyd...@his.com wrote:
>> Krist explained it very nicely... But maybe you still didn't get it:
>>
>> Without SNI, there is NO WAY TO DO THIS. It is a fundamental limitation of the HTTPS protocol with no production-grade work-around. SNI (server-name indication) was specifically added to address this limitation. There is simply NO ALTERNATIVE.
>
> To back up a moment, though -- another way to do this is to define multiple IPs on the network card and run multiple instances of apache, each with different config files.

[snip]

That's only if he has multiple IP addresses available on the network, right? If we assume this is a public server, that means he needs multiple public IP addresses from his ISP that route to this server.

That's certainly a possibility, in general, but I want to make sure I'm not missing something awesome.

-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
Re: [us...@httpd] how to get multiple SSL with name based vhost ?
On Tue, Dec 1, 2009 at 3:48 PM, Sheryl gubyd...@his.com wrote:
> To back up a moment, though -- another way to do this is to define multiple IPs on the network card and run multiple instances of apache, each with different config files. We run 20 or more on some of our production servers.

You could run one instance of apache and configure each VH to listen on a different IP. At least that's how I had it understood.

-r
Re: [us...@httpd] how to get multiple SSL with name based vhost ?
On Tue, Dec 1, 2009 at 4:05 PM, Roger rno...@gmail.com wrote:
> On Tue, Dec 1, 2009 at 3:48 PM, Sheryl gubyd...@his.com wrote:
>> To back up a moment, though -- another way to do this is to define multiple IPs on the network card and run multiple instances of apache, each with different config files. We run 20 or more on some of our production servers.
>
> You could run one instance of apache and configure each VH to listen on a different IP. At least that's how I had it understood.

That's right, no problem differentiating between SSL environments when you've got multiple IP:port combinations.

--
Eric Covener
cove...@gmail.com
Re: [us...@httpd] how to get multiple SSL with name based vhost ?
Krist van Besien wrote:
> You seem to be a bit confused about how to configure name based virtual hosts..
>
> On Tue, Dec 1, 2009 at 10:53 AM, J. Bakshi joyd...@infoservices.in wrote:
>> ```
>> Listen 443
>>
>> NameVirtualHost example1.de:443
>> <VirtualHost example1:443>
>>     SSLEngine on
>>     SSLCipherSuite HIGH:MEDIUM
>>     SSLProtocol all -SSLv2
>>     SSLCertificateFile /etc/apache2/myca/mars-server.crt
>>     SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
>>     SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
>>     ServerName https://example1.de
>>     ServerAlias https://example1.de
>>     DocumentRoot /srv/www/htdocs/blevti.opendingo.de
>>     DirectoryIndex index.php
>> </VirtualHost>
>>
>> NameVirtualHost example2.de:443
>> <VirtualHost example2:443>
>>     SSLEngine on
>>     SSLCipherSuite HIGH:MEDIUM
>>     SSLProtocol all -SSLv2
>>     SSLCertificateFile /etc/apache2/myca/mars-server.crt
>>     SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
>>     SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
>>     ServerName https://example2.de
>>     ServerAlias https://example2.de
>>     DocumentRoot /srv/www/htdocs/example2.de
>>     DirectoryIndex index.php
>> </VirtualHost>
>> ```
>
> You should have only one NameVirtualHost statement, per IP/Port combination, so unless you have a multi homed host this should be:
>
> NameVirtualHost *:443
>
> And your VirtualHost blocks should all be like this:
>
> <VirtualHost *:443>
>     ServerName example1.de
>     ... your directives here
> </VirtualHost>
>
> <VirtualHost *:443>
>     ServerName example2.de
>     ... your directives here
> </VirtualHost>
>
> etc...
>
> It is the ServerName directive that tells Apache which virtualhost is which.
>
> Krist

Hello Krist,

Thanks for your example. I have tried to implement it but as I mentioned before whatever be the server name it always opens the site which apache has detected as default.
Here is the output from apache2ctl -S

```
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
    default server example1.de (/etc/apache2/vhosts.d/ssl.conf:5)
    port 443 namevhost example1.de (/etc/apache2/vhosts.d/ssl.conf:5)
    port 443 namevhost example2.de (/etc/apache2/vhosts.d/ssl.conf:51)
Syntax OK
```

The configuration is exactly the same as you have suggested above. Anything which I am overlooking here?

Thanks

--
জয়দীপ বক্সী