Re: [us...@httpd] Can't get suexec to work on a userdir
On 29.11.10 16:10, Ken Tanzer wrote:
> Hi. I'm looking for some help with using suexec and userdir (2.2.15 on FC11). I have this test script running in a userdir (~test44/public_html/test.php):
>
>     <?php system('whoami'); ?>
>
> And it keeps reporting apache, not test44.

Do you run PHP scripts as CGI?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Spam is for losers who can't get business any other way.

- The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Can't get suexec to work on a userdir
I _think_ that PHP is running as a module (based on this section of my php conf file):

    <IfModule prefork.c>
      LoadModule php5_module modules/libphp5.so
    </IfModule>
    <IfModule worker.c>
      LoadModule php5_module modules/libphp5-zts.so
    </IfModule>

But not sure of the implications. Do the PHP scripts need to run as CGI in order for suexec to work?

Ken

On Tue, Nov 30, 2010 at 12:14 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> On 29.11.10 16:10, Ken Tanzer wrote:
> > Hi. I'm looking for some help with using suexec and userdir (2.2.15 on FC11). I have this test script running in a userdir (~test44/public_html/test.php):
> >
> >     <?php system('whoami'); ?>
> >
> > And it keeps reporting apache, not test44.
>
> do you run PHP scripts as CGI?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Spam is for losers who can't get business any other way.
[us...@httpd] Apache mod jk loadbalancer
Hi

I have some problems with apache load balancer. I have one apache (LB) and two tomcats.

Apache: Server version: Apache/2.0.64
Tomcat: Apache Tomcat/5.5.26
Ajp13, tomcat-connectors-1.2.31-src

Everything works fine on simple jsp file. When I deploy applications on both tomcats and I'm trying to log in - my request is rejected (I'm still on login page). All contexts are linked. When I'm trying to log in directly to app on tomcat everything is fine - only through apache something is wrong. What should I check?

--
View this message in context: http://old.nabble.com/Apache-mod-jk-loadbalancer-tp30338135p30338135.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
Re: [us...@httpd] Can't get suexec to work on a userdir
On 30.11.10 00:29, Ken Tanzer wrote:
> I _think_ that PHP is running as a module (based on this section of my php conf file):
>
>     <IfModule prefork.c>
>       LoadModule php5_module modules/libphp5.so
>     </IfModule>
>     <IfModule worker.c>
>       LoadModule php5_module modules/libphp5-zts.so
>     </IfModule>
>
> But not sure of the implications. Do the PHP scripts need to run as CGI in order for suexec to work?

Precisely. There was mod_suphp module for apache 2.0 somewhere, you can search if it fills up your requirements, or you can try using peruser MPM.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Emacs is a complicated operating system without good text editor.
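A pre-flight check for the step after the answer above: once a userdir script does run as CGI, suexec still refuses targets whose ownership or permissions fail its checks. This is an added example, not code from the thread or from the Apache project; it goes beyond the messages by encoding ownership and permission rules that suexec enforces, and the function names and the constructed whoami.cgi layout are assumptions.

```shell
#!/bin/sh
# Added example: inspect a userdir CGI target the way suexec will judge it.
# It only reads file metadata; it never invokes suexec itself.

# perm_bits PATH -> 10-character mode string, e.g. -rwxr-xr-x
perm_bits() {
    ls -ld -- "$1" | cut -c1-10
}

# owner_uid PATH -> numeric uid of the owner
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# suexec_preflight SCRIPT EXPECTED_UID
# Prints "ok", or one line per problem found. Exit status 0 means no problems.
suexec_preflight() {
    script=$1
    want_uid=$2
    problems=0

    if [ ! -f "$script" ]; then
        echo "target does not exist or is not a regular file"
        return 1
    fi
    dir=$(dirname -- "$script")
    fmode=$(perm_bits "$script")
    dmode=$(perm_bits "$dir")

    # Target and its directory must belong to the user the request maps to.
    if [ "$(owner_uid "$script")" != "$want_uid" ]; then
        echo "target is not owned by uid $want_uid"; problems=1
    fi
    if [ "$(owner_uid "$dir")" != "$want_uid" ]; then
        echo "directory is not owned by uid $want_uid"; problems=1
    fi
    # Neither may be writable by group or others (mode characters 6 and 9).
    case $fmode in
        ?????w????|????????w?)
            echo "target is writable by group or others"; problems=1 ;;
    esac
    case $dmode in
        ?????w????|????????w?)
            echo "directory is writable by group or others"; problems=1 ;;
    esac
    # The target must not be setuid or setgid (mode characters 4 and 7).
    case $fmode in
        ???[sS]??????|??????[sS]???)
            echo "target is setuid or setgid"; problems=1 ;;
    esac
    # A CGI target must be executable by its owner.
    case $fmode in
        ???[xs]*) ;;
        *) echo "target has no owner execute bit"; problems=1 ;;
    esac

    if [ "$problems" -eq 0 ]; then
        echo "ok"
    fi
    return "$problems"
}

# demo: constructed userdir layout in a temp dir, checked with two modes.
demo() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/public_html"
    printf '#!/bin/sh\necho "Content-Type: text/plain"\necho\nid -un\n' \
        > "$home/public_html/whoami.cgi"
    chmod 755 "$home/public_html" "$home/public_html/whoami.cgi"
    echo "mode 755:"
    suexec_preflight "$home/public_html/whoami.cgi" "$(id -u)" || true
    chmod 775 "$home/public_html/whoami.cgi"
    echo "mode 775:"
    suexec_preflight "$home/public_html/whoami.cgi" "$(id -u)" || true
    rm -rf "$home"
}
demo
```

On a real host, pass the uid of the account that owns the userdir (here that would be test44's uid) as the second argument.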
Re: [us...@httpd] Call for translation
Hi Rich,

do you need people for Spanish translation? I could get some time to do that and I have some experience with these issues (open source, translations, etc.).

iñ

2010/11/26 Rich Bowen rbo...@rcbowen.com
> Participation in open source project is not only open to folks who can program in C. If you can read English, and can write in some other language, your participation is desperately needed.
>
> The complete documentation for the Apache HTTP Server is currently only available in English. Parts of it are available in other languages, with German, French, and Japanese being the most complete. However, some modules are not available in other languages at all, while many are partially translated, and most are not translated at all.
>
> If you are able to translate into any language, please let us know. Either respond to this note, or, better yet, join the d...@httpd.apache.org mailing list (send a note to docs-subscr...@httpd.apache.org) and join the conversation there.
>
> You don't need to know how to program in C, and you don't even need to know how to use svn, or write HTML or XML, although these things are helpful, and if you participate for very long, you're sure to learn.
>
> Participation in Open Source projects looks great on your resume, and helps make the world a better place, and it can be a lot of fun. Please consider using your language skills to benefit the Apache HTTP Server project.
>
> --
> Rich Bowen
> rbo...@rcbowen.com

--
imed...@grosshat.com
it's a magical world
[us...@httpd] mod_deflate does not work for zipped incoming soap request
Hi there,

I'm trying to make mod_deflate work to decompress zipped incoming soap requests. The system is something like this:

    webservice client -- httpd --mod_jk -- Webservice exposed by Jboss server.

httpd version is 2.2.3

Since the SOAP messages are somehow big, I want the webservice client to send zipped soap message. And the HTTPD should de-compress it with mod_deflate and then pass the de-compressed soap requests to the application server via mod-jk.

I added the following config into httpd.conf:

    #-
    SetOutputFilter DEFLATE
    SetInputFilter DEFLATE
    DeflateFilterNote input
    DeflateFilterNote output
    DeflateFilterNote ratio
    LogFormat '%h %t %r %{output}n/%{input}n (%{ratio}n%%)' deflate
    CustomLog logs/deflate_log.log deflate
    #-

I expect that httpd should decompress all the incoming http request with Content-Encoding=gzip with this configuration. But when I check the debug logging of mod_jk, I found that the requests passed to mod_jk were NOT DECOMPRESSED.

Here is the access log of an incoming request (LogFormat: LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Length}i\" \"%{Content-Type}i\" \"%{Content-Encoding}i\"" combined):

    172.18.50.17 - - [30/Nov/2010:20:31:58 +0800] POST /ws/TestService HTTP/1.1 400 - - Jakarta Commons-HttpClient/3.1 806 text/xml;charset=UTF-8 gzip

We can see that the incoming message is a gzipped message.

and in deflate_log.log:

    172.18.50.17 [30/Nov/2010:20:31:58 +0800] POST /ws/TestService HTTP/1.1 -/- (-%)
    172.18.50.17 [30/Nov/2010:20:46:51 +0800] GET / HTTP/1.1 -/- (43%)

According to the first line it seems that the mod_deflate does NOT work for incoming requests(?), since input/output/ratio are all empty. According to the second line it seems that the mod_deflate does work for outcoming response...because at least ratio is not empty...(so that we can be sure that mod_deflate is loaded properly)

I googled a lot and went over mod_deflate source code but found no hints. Is there anyone who has made a similar system work? Or is there any further config I should add to make deflate work for the incoming requests? And are there further debugging methods? (I put LogLevel to debug, but there are no related logs..)

Thanks!
Re: [us...@httpd] Call for translation
We absolutely do. You can see a full list here: http://httpd.apache.org/docs-project/avail_translations.html of what has been translated and what has not. With Spanish, you can start anywhere at all. It looks like mod_actions is the only file that has been translated.

Please let me know if you need any help getting started, and please do join the docs list if you decide this is something you want to do. We look forward to you being part of the team.

--Rich

On Nov 30, 2010, at 5:56 AM, iñigo medina wrote:
> Hi Rich,
>
> do you need people for spanish translation? I could get some time to do that and I have some experience with these issues (open source, translations, etc.).
>
> iñ
>
> 2010/11/26 Rich Bowen rbo...@rcbowen.com
> > Participation in open source project is not only open to folks who can program in C. If you can read English, and can write in some other language, your participation is desperately needed.
> >
> > The complete documentation for the Apache HTTP Server is currently only available in English. Parts of it are available in other languages, with German, French, and Japanese being the most complete. However, some modules are not available in other languages at all, while many are partially translated, and most are not translated at all.
> >
> > If you are able to translate into any language, please let us know. Either respond to this note, or, better yet, join the d...@httpd.apache.org mailing list (send a note to docs-subscr...@httpd.apache.org) and join the conversation there.
> >
> > You don't need to know how to program in C, and you don't even need to know how to use svn, or write HTML or XML, although these things are helpful, and if you participate for very long, you're sure to learn.
> >
> > Participation in Open Source projects looks great on your resume, and helps make the world a better place, and it can be a lot of fun. Please consider using your language skills to benefit the Apache HTTP Server project.
> >
> > --
> > Rich Bowen
> > rbo...@rcbowen.com
>
> --
> imed...@grosshat.com
> it's a magical world

--
Rich Bowen
rbo...@rcbowen.com
Re: [us...@httpd] Call for translation
It turns out that quite a bit of work has been done already for the 2.0 documentation in Spanish, but I don't yet have any idea how much, if any, of that, can be copied straight forward to the 2.4 documentation. I would need someone - perhaps yourself - to evaluate that.

Meanwhile, I have been intending to write a short "how to get started" section on the Translations page. Perhaps this is a good time to do that. :)

--Rich

On Nov 30, 2010, at 8:30 AM, Rich Bowen wrote:
> We absolutely do. You can see a full list here: http://httpd.apache.org/docs-project/avail_translations.html of what has been translated and what has not. With Spanish, you can start anywhere at all. It looks like mod_actions is the only file that has been translated.
>
> Please let me know if you need any help getting started, and please do join the docs list if you decide this is something you want to do. We look forward to you being part of the team.
>
> --Rich
>
> On Nov 30, 2010, at 5:56 AM, iñigo medina wrote:
> > Hi Rich,
> >
> > do you need people for spanish translation? I could get some time to do that and I have some experience with these issues (open source, translations, etc.).
> >
> > iñ
> >
> > 2010/11/26 Rich Bowen rbo...@rcbowen.com
> > > Participation in open source project is not only open to folks who can program in C. If you can read English, and can write in some other language, your participation is desperately needed.
> > >
> > > The complete documentation for the Apache HTTP Server is currently only available in English. Parts of it are available in other languages, with German, French, and Japanese being the most complete. However, some modules are not available in other languages at all, while many are partially translated, and most are not translated at all.
> > >
> > > If you are able to translate into any language, please let us know. Either respond to this note, or, better yet, join the d...@httpd.apache.org mailing list (send a note to docs-subscr...@httpd.apache.org) and join the conversation there.
> > >
> > > You don't need to know how to program in C, and you don't even need to know how to use svn, or write HTML or XML, although these things are helpful, and if you participate for very long, you're sure to learn.
> > >
> > > Participation in Open Source projects looks great on your resume, and helps make the world a better place, and it can be a lot of fun. Please consider using your language skills to benefit the Apache HTTP Server project.
> > >
> > > --
> > > Rich Bowen
> > > rbo...@rcbowen.com
> >
> > --
> > imed...@grosshat.com
> > it's a magical world
>
> --
> Rich Bowen
> rbo...@rcbowen.com

--
Rich Bowen
rbo...@rcbowen.com
Re: [us...@httpd] Call for translation
On Nov 30, 2010, at 8:39 AM, Rich Bowen wrote:
> It turns out that quite a bit of work has been done already for the 2.0 documentation in Spanish, but I don't yet have any idea how much, if any, of that, can be copied straight forward to the 2.4 documentation. I would need someone - perhaps yourself - to evaluate that.
>
> Meanwhile, I have been intending to write a short "how to get started" section on the Translations page. Perhaps this is a good time to do that. :)

I've added that here: http://httpd.apache.org/docs-project/translations.html

It's not at all detailed, but should be enough to get you started.

--
Rich Bowen
rbo...@rcbowen.com
Re: [us...@httpd] Call for translation
Thanks, Rich. I've already joined the docs list and I'll look at the links you give me to get an idea.

iñ

2010/11/30 Rich Bowen rbo...@rcbowen.com
> On Nov 30, 2010, at 8:39 AM, Rich Bowen wrote:
> > It turns out that quite a bit of work has been done already for the 2.0 documentation in Spanish, but I don't yet have any idea how much, if any, of that, can be copied straight forward to the 2.4 documentation. I would need someone - perhaps yourself - to evaluate that.
> >
> > Meanwhile, I have been intending to write a short "how to get started" section on the Translations page. Perhaps this is a good time to do that. :)
>
> I've added that here: http://httpd.apache.org/docs-project/translations.html
>
> It's not at all detailed, but should be enough to get you started.
>
> --
> Rich Bowen
> rbo...@rcbowen.com

--
imed...@grosshat.com
it's a magical world
Re: [us...@httpd] Call for translation
I've already checked out from svn and started to look at what is translated. Any preference to start? Is mod a good directory as a starting point?

iñ

2010/11/30 Rich Bowen rbo...@rcbowen.com
> On Nov 30, 2010, at 8:39 AM, Rich Bowen wrote:
> > It turns out that quite a bit of work has been done already for the 2.0 documentation in Spanish, but I don't yet have any idea how much, if any, of that, can be copied straight forward to the 2.4 documentation. I would need someone - perhaps yourself - to evaluate that.
> >
> > Meanwhile, I have been intending to write a short "how to get started" section on the Translations page. Perhaps this is a good time to do that. :)
>
> I've added that here: http://httpd.apache.org/docs-project/translations.html
>
> It's not at all detailed, but should be enough to get you started.
>
> --
> Rich Bowen
> rbo...@rcbowen.com

--
imed...@grosshat.com
it's a magical world
Re: [us...@httpd] Call for translation
On Nov 30, 2010, at 9:48 AM, iñigo medina wrote:
> I've already checked out from svn and started to look at what is translated. Any preference to start? Is mod a good directory as a starting point?

Yes, I think mod/ is probably the best place to start, as well as the easiest, since things are in small sections and that gives a greater sense of accomplishment. It's probably also the part of the docs that people spend the most time reading, so it's the most valuable.

Thanks so much for your participation.

--
Rich Bowen
rbo...@rcbowen.com
Re: [us...@httpd] Connection Issues
On 11/29/2010 11:25 PM, Travis Whitton wrote:
> Hi,
>
> We're experiencing some odd behavior regarding connections taking a long time to establish to our website. We've been running Apache in production for over three years now and have recently begun experiencing issues where the server-status page, static, and dynamic content response times will slow anywhere from a few seconds to long enough for the connection to timeout. Initially thinking we might be hitting some hard limits with the OS, we've thoroughly audited our sysctl variables, tried disabling iptables and conntrack, and ensured that we're not running out of ephemeral ports or anything along those lines. Looking at netstat, it seems we have a pretty large number of connections in TIME_WAIT which is understandable since this is a high traffic website, but I'm wondering if this value could indicate we're backlogging on TCP connections or something along those lines?
>
>     [r...@rhl073 ipv4]# netstat -an | awk '/^tcp/ {A[$(NF)]++} END {for (I in A) {printf "%5d %s\n", A[I], I}}'
>     34723 TIME_WAIT
>         3 CLOSE_WAIT
>       275 FIN_WAIT1
>        74 FIN_WAIT2
>      8824 ESTABLISHED
>       815 SYN_RECV
>       102 CLOSING
>        30 LAST_ACK
>        10 LISTEN
>
> In an effort to tune things, I've tried playing with the TCP timeout settings a bit, and the response times have improved somewhat. Please note that I've been testing response times using the loopback interface to rule out any ethernet hardware issues.
>
>     echo 15 > /proc/sys/net/ipv4/tcp_fin_timeout
>     echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
>     echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
>
> We're running prefork, and have configured the client settings to what seem to be reasonable limits for our hardware.
>
>     <IfModule prefork.c>
>     StartServers        100
>     MinSpareServers     100
>     MaxSpareServers     200
>     ServerLimit         1500
>     MaxClients          1500
>     MaxRequestsPerChild 100
>     </IfModule>

Forking new children is VERY expensive, compared to the alternatives. If 1500 concurrent clients is common for your site, consider starting up that many as well. min/maxspare is only meant to handle bursts, not define your normal load.

Your settings mean "accept up to 1500 concurrent connections, but only RUN 300 threads when you don't have that many clients".

Since apache will have to fork up to 1200 threads in rapid succession when the load spikes, this will cause startup throttling after only a few seconds, which is causing your timeouts.

You should change these to AT LEAST 1000 startup, 100 minspare and 200 maxspare - if 1500 is your actual max load, and not a limit you imposed because you think it can't handle more. It can handle many more, if you have the memory for them.

With 1500 concurrent connections, I would long ago have moved to worker combined with proxying dynamic content to a separate prefork instance. This will optimize memory and resource usage to such an extent that you can easily run 5000 clients concurrently. Worker threads are much more efficient and take far less memory than prefork children, therefore they suffer far less from being short-lived (due to low maxrequest settings).

Unless the majority of these requests are for dynamic content (they rarely are), I predict you can increase performance several fold.

--
J.
[us...@httpd] (22)Invalid argument
I'm trying to set up a cgi rss feed on a remote server to which I do not have root access. This is to replace an existing feed which is a static file periodically updated, so what I want to do is set, in the directory with the existing feed:

    Options +ExecCGI
    AddHandler cgi-script xml

Then we will replace the feed.xml with a cgi script, or a symlink to such. This works fine for me here where I have root access to the server. It also works fine on the remote server, but only in the previously existing cgi-bin. We don't want to change the url, so that is no good.

I can get the site conf updated, but I have to email the sysadmins. So now the directory is set as above, but when I try to access the feed I get a 500 error and in the log:

    (22)Invalid argument: setting of resource limits failed
    Premature end of script headers: feed.xml

We do have Rlimits set (and I can change those, again via email), but I am confused by the fact that the exact same process in the existing cgi-bin works fine whereas in the rss directory I get this error -- obviously, it is executing as a cgi process, but perhaps it wants to start a new (perl) interpreter or something and thus violates the mem limit?

It is not at all clear to me, after googling, that this error even has to do with Rlimits, and it is not mentioned in the apache docs at all. Does anyone know what it might refer to?

MK

--
The angel of history[...]is turned toward the past. (Walter Benjamin)
[us...@httpd] Apache HTTPD 2.2.6 + mod_ssl 2.2.6 -- odd error...
My organization recently switched its SSL Certificate vendor and the new supplier (COMODO) insists (reasonably) that we use 2048-bit Private and Public keys.

So I take a running Apache installation, HTTPD v2.2.6, with mod_ssl v2.2.6 and openssl v0.9.8g running on Solaris 10, currently using a Thawte certificate, and upgrade it for the new vendor's certificates.

I implement the new certificates, reboot httpd, and both aspects where the new certificate is used in the server (mod_ssl and an additional module, mod_cosign from http://weblogin.org) seem to be working properly. That is, mod_cosign works as expected providing single signon features, and mod_ssl appears to be encrypting properly. Short of sniffing the wire to verify the data between browser and server, the little padlock icons are proudly displayed by the browser and page info displays confirm security by the vendor expected, dates expected, etc.

But my httpd log files present an unexpected error each and every time a browser visits an SSL encrypted page (2 examples cited):

    User interface error
    unable to load Private Key
    22188:error:0906A068:PEM routines:PEM_do_header:bad password read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:
    User interface error
    unable to load Private Key
    22439:error:0906A068:PEM routines:PEM_do_header:bad password read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:

Any idea what these might be?

I have already verified that the private key file is NOT password protected. I've also seen notations on both sites for Apache and mod_ssl:

    Why does my 2048-bit private key not work?
    http://www.modssl.org/docs/2.8/ssl_faq.html
    http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#keysize

both seem to say that 2048-bit private keys are NOT ALLOWED because of incompatibility w/ certain web browsers. Meanwhile it's not clear that I could even generate a 2048-bit public key without having a 2048-bit private key. So how could these COMODO certs EVER work if this was the issue?

Count this with a layer of extreme urgency, as this new vendor is my only source for certificates now, and I have two production webservers with current certs expiring in about 30 hours that I need to replace w/ these new certs.

Another server in the organization running RHEL v2.2.3 has no such issues; naturally the powers that be have no examples of v2.2.6 on Solaris to compare against.

--
J.Lance Wilkinson (Lance)           InterNet: lance.wilkin...@psu.edu
Systems Design Specialist - Lead    Phone: (814) 865-4870
Digital Library Technologies        FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
Re: [us...@httpd] Apache HTTPD 2.2.6 + mod_ssl 2.2.6 -- odd error...
On Nov 30, 2010, at 8:37 PM, J.Lance Wilkinson wrote:
> But my httpd log files present an unexpected error each and every time a browser visits an SSL encrypted page (2 examples cited):

So there is no discernible negative impact on the client?

>     User interface error
>     unable to load Private Key
>     22439:error:0906A068:PEM routines:PEM_do_header:bad password read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:
>
> Any idea what these might be?

It's hard to guess what's going on here without a backtrace. A cursory glance at the OpenSSL source suggests that things FAIL when this error is triggered, so successful SSL connections seem unlikely under those circumstances. I would not be surprised if this should cause your server to fail to start.

So the fact that it doesn't happen when the server starts (which is when we read the SSL private keys and certificates from disk), and does not cause the connections to the browser to fail, suggests that this does not have anything to do with mod_ssl.

What other modules do you have that might be reading a private key from a PEM blob on every request?

> I have already verified that the private key file is NOT password protected. I've also seen notations on both sites for Apache and mod_ssl:
>
>     Why does my 2048-bit private key not work?
>     http://www.modssl.org/docs/2.8/ssl_faq.html
>     http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#keysize
>
> both seem to say that 2048-bit private keys are NOT ALLOWED because of incompatibility w/ certain web browsers. Meanwhile it's not clear that I could even generate a 2048-bit public key without having a 2048-bit private key. So how could these COMODO certs EVER work if this was the issue?

Surely that is very old and no longer relevant. If you visit https://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#keysize , you will find it protected by a 4096 bit key.

> Count this with a layer of extreme urgency, as this new vendor is my only source for certificates now, and I have two production webservers with current certs expiring in about 30 hours that I need to replace w/ these new certs.

Besides the weird error messages, what is the impact on functionality at this point?

S.

--
Sander Temme
scte...@apache.org
PGP FP: FC5A 6FC6 2E25 2DFD 8007 EE23 9BB8 63B0 F51B B88A
View my availability: http://tungle.me/sctemme
[us...@httpd] mod_proxy | bundling | timeout | connection losts
Hi Apache2 professionals,

we identified the following problem when using mod_proxy_ajp in combination with a balancer configuration (see detailed configuration below), that:

- multiple HTTP requests seem to use the SAME AJP CHANNEL
- when just ONE request is exceeding the configured ProxySet timeout configuration (see detailed config below), the following error is displayed within the central Apache2 error log (exact the time interval after the long running request):

      [Mon Nov 29 17:17:11 2010] [error] (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header

- when this log entry occurs, all connections running over the above AJP channel are cut - including connections that do run much more shorter than the timeout interval specified. Possibly, Apache2 assumes the Apache Tomcat instance is not reachable anymore and switches from one to the other Tomcat server.
- all clients running over this AJP-connection are lost and lose the connection to the server

Here the long running request (duration is specified in microseconds):

    10.35.32.123 - - [29/Nov/2010:17:12:11 +0100] POST /xxx/Dispatcher HTTP/1.1 500 538 request url Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729) JSESSIONID=80AC6DFF149E802C3AA8735996CE7AA0.rb-wcmstc1; 80AC6DFF149E802C3AA8735996CE7AA0.rb-wcmstc1 - 300456752

Here, the following configuration snippet - including the timeout interval:

    <Proxy balancer://fs4server>
        BalancerMember ajp://rb-wcmstc1.xx.x.xxx:8009 loadfactor=100 retry=10 route=rb-wcmstc1
        BalancerMember ajp://rb-wcmstc2.xx.x.xxx:8009 loadfactor=100 retry=10 route=rb-wcmstc2
        ProxySet stickysession=JSESSIONID|jsessionid
        ProxySet lbmethod=byrequests
        ProxySet scolonpathdelim=On
        #ProxySet nofailover=On
        ProxySet timeout=90
    </Proxy>

When checking the documentation for mod_proxy, below

    http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass

we identified, there are TWO timeout settings available:

- timeout
- connectiontimeout

Our questions:

- how to prevent bundling HTTP-requests in JUST ONE AJP connection?
- how to set timeout and connectiontimeout intervals to prevent connection losts?
- are there any other possibilities to prevent that behavior?

Any suggestions are very welcome!

Best regards,
Holger King