RE: [us...@httpd] mod_authnz_ldap with kerberos?

2010-10-21 Thread Assarsson, Emil
 I use mod_authnz_ldap today with simple ldap bind.
 Our security team wants me to use Kerberos instead to make it more
 secure.
 This will allow them to specify from where the service account can login and 
 will also protect the credentials from eavesdropping.
 Is it possible to make mod_authnz_ldap use a keytab instead?
 Or does anyone have a suggestion how to solve this in an even better way?
 mod_auth_kerb: http://modauthkerb.sourceforge.net/
 Complex but does work, even with Active Directory.

I am using mod_auth_kerb today to do the actual authentication. I only use
mod_authnz_ldap to do the authorization based on AD security groups.
What I need is better security for the ldap bind mod_authnz_ldap - AD. Do you 
mean that I should be able to use the kinit done by mod_auth_kerb?


Best regards,
Emil Assarsson 






Re: [us...@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released

2010-10-21 Thread Matus UHLAR - fantomas
  On 19.10.10 11:27, William A. Rowe Jr. wrote:
   * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
 Fix two buffer over-read flaws in the bundled copy of expat which
 could cause httpd to crash while parsing specially-crafted
 XML documents.

 On 10/20/2010 1:44 AM, Matus UHLAR - fantomas wrote:
  does this mean that if I have apache compiled with external
  apr-util-1.3.10 and external expat, I am safe?

On 20.10.10 15:05, William A. Rowe Jr. wrote:
 From these two flaws?  Only if your external expat is also up-to-date, refer
 that question to the expat community.

I see. Unfortunately, I haven't seen bundled expat version in the announce.
And luckily, my version is patched.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
They say when you play that M$ CD backward you can hear satanic messages.
That's nothing. If you play it forward it will install Windows.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



RE: [us...@httpd] mod_authnz_ldap with kerberos?

2010-10-21 Thread Brett Delle Grazie
Hi,

On Thu, 2010-10-21 at 08:51 +0200, Assarsson, Emil wrote:
  I use mod_authnz_ldap today with simple ldap bind.
  Our security team wants me to use Kerberos instead to make it more
  secure.
  This will allow them to specify from where the service account can login 
  and will also protect the credentials from eavesdropping.
  Is it possible to make mod_authnz_ldap use a keytab instead?
  Or does anyone have a suggestion how to solve this in an even better way?
  mod_auth_kerb: http://modauthkerb.sourceforge.net/
  Complex but does work, even with Active Directory.
 
 I am using mod_auth_kerb today to do the actual authentication. I only use
 mod_authnz_ldap to do the authorization based on AD security groups.
 What I need is better security for the ldap bind mod_authnz_ldap - AD. Do 
 you mean that I should be able to use the kinit done by mod_auth_kerb?
 
Ah sorry, I misunderstood your question. You mean you want to use
Kerberos credentials to communicate with the LDAP server (in this case,
an AD server)?

I haven't tried that, instead I've used a low-privilege user over SSL
(not TLS here) communicating with the global catalogue server - that
does work.

I think you would have to specify the user as a gssapi login (see
openldap for syntax) and specify an explicit credentials cache for
apache using the KRB5CC environment variable. But please bear in mind
I've never tried this and I don't know if it's even possible let alone if
it would work.

Hope this helps.

 
 Best regards,
 Emil Assarsson 
 
 
 
 
 
 __
 This email has been scanned by the MessageLabs Email Security System.
 For more information please visit http://www.messagelabs.com/email 
 __

-- 
Best Regards,

Brett Delle Grazie




[us...@httpd] possible to add multiple locations for the document root

2010-10-21 Thread e-letter
Readers,

The /etc/httpd.conf file on my pc (mandriva 2008) contains:

documentroot '/var/www/html'

What is the syntax please to add another address? I want another
directory to be searched to serve files.

Thanks in advance.




Re: [us...@httpd] possible to add multiple locations for the document root

2010-10-21 Thread Eric Covener
On Thu, Oct 21, 2010 at 5:43 AM, e-letter inp...@gmail.com wrote:
 Readers,

 The /etc/httpd.conf file on my pc (mandriva 2008) contains:

 documentroot '/var/www/html'

 What is the syntax please to add another address? I want another
 directory to be searched to serve files.

Try Alias or look at the mod_rewrite examples in the manual.

-- 
Eric Covener
cove...@gmail.com




Re: [users@httpd] Weird behaviour of Apache

2010-10-21 Thread Eric Covener
 It states that you do not have any logs where you have them configured.
  Please make sure you have the logs in the following

That part of the error message is a red herring.


-- 
Eric Covener
cove...@gmail.com




[us...@httpd] Re: possible to add multiple locations for the document root

2010-10-21 Thread e-letter
I tried to use the command 'Alias', to try and use the program
phppgadmin which was extracted to /path/to/phppgadmin:

DocumentRoot /var/www/html
Alias /localhost/target /usr/local/phppgadmin/phppgadmin
<Directory /localhost/target>
Order allow,deny
Allow from all
</Directory>

After stopping and restarting the web server, when I navigate the web
browser to 'http://localhost/target' I receive an error 404 page. In
the phppgadmin directory there are various php pages, e.g. login.php:

$ ls /usr/local/phppgadmin/phppgadmin/
aciur.js            groups.php          redirect.php
aggregates.php      help/               reports.php
all_db.php          help.php            robots.txt
autocomplete.php    HISTORY             roles.php
browser.php         history.php         rules.php
BUGS                images/             schemas.php
casts.php           indexes.js          sequences.php
classes/            indexes.php         servers.php
colproperties.php   index.php           sql/
conf/               info.php            sqledit.php
constraints.php     INSTALL             sql.php
conversions.php     intro.php           tables.js
CREDITS             lang/               tablespaces.php
database.php        languages.php       tables.php
dataexport.php      libraries/          tblproperties.php
dataimport.php      LICENSE             themes/
dbexport.php        links.js            TODO
DEVELOPERS          login.php           TRANSLATORS
display.php         logout.php          triggers.php
domains.php         multiactionform.js  types.php
FAQ                 opclasses.php       users.php
fulltext.php        operators.php       viewproperties.php
functions.js        plugin_slony.php    views.php
functions.php       privileges.php      xloadtree/

What is my mistake please?




[users@httpd] Re: Weird behaviour of Apache

2010-10-21 Thread Michelle Konzack
Hello Eric Covener,

On 2010-10-20 21:16:04, you hacked out the following:
  Restarting web server: apache2no listening sockets available, shutting down
  <IfModule mod_ssl.c>
     Listen 443
  </IfModule>
 You need to define at least 1 Listen directive. This is the only one
 in your post, and it's obviously not part of your config due to
 absence of mod_ssl.

It seems the Listen 80 was accidentally deleted from the template and
caused the problem on all 14 newly installed machines...  :-/

Now all VServers and VHosts are working.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL   itsyst...@tdnet UG (limited liability)
Owner Michelle KonzackOwner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France   77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/ http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/




[us...@httpd] How to compile mod_proxy_add_forward.c

2010-10-21 Thread aparna aryan
Hi,

Please let me know the procedure to compile the mod_proxy_add_forward.c
module.

Version details of apache :
apache_1.3.28

I have tried using the following commands :

./configure --prefix=/opt/web/apache/app/systech/ --enable-module=proxy
--activate-module=src/modules/extra/mod_proxy_add_forward.c
--enable-module=proxy_add_forward

but to enable the module the mod_proxy_add_forward.c is not present in the
extra directory.

Kindly let me know what needs to be done to install apache with this module
enabled.

Thanks & Regards,
Aparna.


Re: [us...@httpd] How to compile mod_proxy_add_forward.c

2010-10-21 Thread Eric Covener
On Thu, Oct 21, 2010 at 11:31 AM, aparna aryan aparnapu...@gmail.com wrote:
 Hi,

 Please let me know the procedure to compile the mod_proxy_add_forward.c
 module.

 Version details of apache :
 apache_1.3.28

 I have tried using the following commands :

 ./configure --prefix=/opt/web/apache/app/systech/ --enable-module=proxy
 --activate-module=src/modules/extra/mod_proxy_add_forward.c
 --enable-module=proxy_add_forward
 but to enable the module the mod_proxy_add_forward.c is not present in the
 extra directory.

1) search the web
2) download the module
3) read the instructions in the download




Re: [us...@httpd] Re: possible to add multiple locations for the document root

2010-10-21 Thread Tom Evans
On Thu, Oct 21, 2010 at 12:34 PM, e-letter inp...@gmail.com wrote:
 I tried to use the command 'Alias', to try and use the program
 phppgadmin which was extracted to /path/to/phppgadmin:

 DocumentRoot /var/www/html
 Alias /localhost/target /usr/local/phppgadmin/phppgadmin

Alias refers to the path in the URL. For the URL
'http://localhost/target', the path is '/target'.

http://httpd.apache.org/docs/2.2/mod/mod_alias.html#alias

 <Directory /localhost/target>

Directory refers to physical directories on disk, not to the URL space.

http://httpd.apache.org/docs/2.2/mod/core.html#directory

 Order allow,deny
 Allow from all
 </Directory>

 After stopping and restarting the web server, when I navigate the web
 browser to 'http://localhost/target' I receive an error 404 page. In
 the phppgadmin directory there are various php pages, e.g. login.php:


Fix the above errors first.

Cheers

Tom
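
The two corrections above applied to the configuration from the question, as an added example that is not part of the original thread. The paths are the ones from the question; limiting access to the loopback addresses is an assumption added here, since the poster browses from localhost and phpPgAdmin is a database administration tool.

```apache
# Added example (not from the thread): the question's configuration with
# both corrections applied. Apache 2.2 access-control syntax, as in the post.
DocumentRoot /var/www/html

# Alias maps a URL path (first argument) to a filesystem path (second).
# For http://localhost/target the URL path is /target, not /localhost/target.
Alias /target /usr/local/phppgadmin/phppgadmin

# <Directory> takes the physical directory on disk, not the URL path.
<Directory /usr/local/phppgadmin/phppgadmin>
    # Assumption: the admin tool only needs to be reachable from this host.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>
```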




[us...@httpd] Pack200 Content Negotiation

2010-10-21 Thread Beer Dr. Thomas
Dear all,


to speed up our applet based application we are using the pack200
compression for the corresponding jar-files (e.g., First.jar, see
example below). The applet is hosted on Apache 2. Unfortunately we have
to support old JREs such as JRE 1.4.2 as well. Therefore, as pack200
is not supported in Java 1.4, the uncompressed version of the jar-file
should be delivered if requested by a browser with Java plugin ver.
1.4.2.

I did not manage to configure Apache according to these requirements.

Using the following configuration always (both, for JRE 1.4 and for JRE
1.6) delivers the unpacked jar-file (i.e., unpacked/First.jar):

httpd.conf

AddType application/x-java-archive .jar
AddHandler type-map var
Options +MultiViews
MultiviewsMatch Handlers
AddEncoding pack200-gzip .jar
RemoveEncoding .gz


a) First.jar.var
-
URI: First.jar

URI: packed/First.jar.pack.gz
Content-Type: x-java-archive
Content-Encoding: pack200-gzip

URI: unpacked/First.jar
Content-Type: x-java-archive




Using configuration b) instead (see below), delivers the packed
(compressed) jar-file (i.e., packed/First.jar.pack.gz) for both, JRE 1.4
and JRE 1.6:

b) First.jar.var

URI: First.jar

URI: packed/First.jar.pack.gz
Content-Type: x-java-archive
Content-Encoding: pack200-gzip

What am I doing wrong?

I really appreciate your help, 

Tom



Re: [us...@httpd] Pack200 Content Negotiation

2010-10-21 Thread Jess Holle

Hmm

I used to try to do something via Apache for this, but I gave up a long 
time ago and started handling this via a Java servlet filter and 
directing *.jar requests to the servlet engine.  This also allows me to 
set jar version information in the response headers in the same servlet.


Of course, I end up using this sort of approach much of the time as (1) 
I have to support other web servers than just Apache and (2) writing a 
servlet filter is /far/ easier than attempting to write an Apache module 
(we don't deploy modules for Perl, PHP, etc -- and the Java servlet API 
is far easier for /me /to deal with than Perl, PHP, etc, anyway).


--
Jess Holle

On 10/21/2010 11:43 AM, Beer Dr. Thomas wrote:


Dear all,


to speed up our applet based application we are using the pack200 
compression for the corresponding jar-files (e.g., First.jar, see 
example below). The applet is hosted on Apache 2. Unfortunately we 
have to support old JREs such as JRE 1.4.2 as well. Therefore, as 
pack200 is not supported in Java 1.4, the uncompressed version of
the jar-file should be delivered if requested by a browser with Java 
plugin ver. 1.4.2.


I did not manage to configure Apache according to these requirements.

Using the following configuration always (both, for JRE 1.4 and for 
JRE 1.6) delivers the unpacked jar-file (i.e., unpacked/First.jar):


httpd.conf

AddType application/x-java-archive .jar
AddHandler type-map var
Options +MultiViews
MultiviewsMatch Handlers
AddEncoding pack200-gzip .jar
RemoveEncoding .gz


a) First.jar.var
-
URI: First.jar

URI: packed/First.jar.pack.gz
Content-Type: x-java-archive
Content-Encoding: pack200-gzip

URI: unpacked/First.jar
Content-Type: x-java-archive


Using configuration b) instead (see below), delivers the packed 
(compressed) jar-file (i.e., packed/First.jar.pack.gz) for both, JRE 
1.4 and JRE 1.6:


b) First.jar.var

URI: First.jar

URI: packed/First.jar.pack.gz
Content-Type: x-java-archive
Content-Encoding: pack200-gzip

What am I doing wrong?

I really appreciate your help,

Tom