[users@httpd] Help to identify the files in the source code
We are a group of students undertaking a project to extend addressing of more machines using IPv4 itself. Here we propose to alter the http://public-ip-address/path-to-object. The path-to-object is altered incorporating the address of local machines, i.e., http://public-ip-address/192.168.1.102/path-to-object. We propose to let the httpd server execute a wget command when it finds an additional IP address in the path-to-object, i.e. it executes wget 192.168.1.102/path-to-object and returns the object.

Can anyone advise us as to which are the files where we should be working on?
Re: [users@httpd] server limit stuck at 10
So do what the error says: increase the ServerLimit

On Apr 20, 2011 1:04 PM, Marion McCoskey mck...@gmail.com wrote:

I have an unmanaged site, alrightsounds.com, running CentOS. The ServerLimit seems to be stuck at 10. This works OK when most of the people in China are asleep, but...

WARNING: MaxClients of 256 exceeds ServerLimit value of 10 servers, lowering MaxClients to 10. To increase, please see the ServerLimit directive.
[Tue Apr 19 09:37:51 2011] [notice] Digest: generating secret for digest authentication ...
[Tue Apr 19 09:37:51 2011] [notice] Digest: done
[Tue Apr 19 09:37:51 2011] [warn] WARNING: Attempt to change ServerLimit ignored during restart
[Tue Apr 19 09:37:51 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations

After the reboot of Apache, I get this

[root@server1 httpd]# ps -e |grep httpd |wc
11 44 330

And I can't get the site on my browser.

[root@server1 httpd]# httpd -t
Syntax OK
[root@server1 httpd]# httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c

Here is the prefork section of httpd.conf

<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 150
</IfModule>

I have re-installed apache and tried it with the default httpd.conf, and I still have the same problem.

Thanks, Marion

- The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Chroot a virtual host
- Original Message -

Hi,

I have noticed that when running Joomla, or in fact any browsing capable PHP code, I am able to navigate above my virtual host document root and look at other virtual host files. How would one stop this? I have taken a look at mod_chroot but that does not seem to work as ChrootDir can only be used in the main configuration and not in the VirtualHost directive.

For reference I am running Apache 2.2.17. I have tried to create a second instance of HTTP, running on port 8080, using the following conf:

LoadModule chroot_module modules/mod_chroot.so
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule expires_module modules/mod_expires.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule php5_module modules/libphp5.so
LoadModule deflate_module modules/mod_deflate.so
LoadFile /lib64/libnss_dns.so.2
AddHandler php5-script php
Listen 8080
ChrootDir /www/somevhost.co.uk
ServerRoot /
DocumentRoot /htdocs
RequestHeader Set Host www.somevhost.co.uk
PidFile /var/run/apache2.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
User somevhost.co.uk
Group somevhost.co.uk
HostnameLookups Off
LogLevel warn
ErrorLog /logs/error.log
CustomLog /logs/access.log combined
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
AccessFileName .htaccess
<Files ~ ^\.ht>
Order allow,deny
Deny from all
</Files>
<Directory /htdocs>
Order deny,allow
Allow from all
AllowOverride All
</Directory>

Though when I run:

/usr/local/apache/bin/httpd -f /www/somevhost.co.uk/conf/apache2.conf -k start

it complains that it cannot find the DocumentRoot directory which would suggest that the Chroot is not taking place. If I use absolute paths then HTTPD does indeed start but a phpinfo() returns the path as being /www/somevhost.co.uk/htdocs instead of /htdocs.

Any ideas what I could be doing wrong please?

-- Thanks, Phil
[users@httpd] Configuring MOD_SSL with and without client auth on the same box
Hi,

I would like to configure two different context roots with MOD_SSL in Apache Httpd, such that one is authenticated using client certificate and the other one does not require SSL client authentication. Each of these two context roots are eventually delegated MOD_PROXY_AJP two different backend tomcat applications. How can this be achieved?

Any help/pointer highly appreciated.

Thanks, Debashis
Re: [users@httpd] Help to identify the files in the source code
On Wed, Apr 20, 2011 at 2:17 AM, siraj p s siraje...@gmail.com wrote:

We are a group of students undertaking a project to extend addressing of more machines using IPv4 itself. Here we propose to alter the http://public-ip-address/path-to-object. The path-to-object is altered incorporating the address of local machines, i.e., http://public-ip-address/192.168.1.102/path-to-object. We propose to let the httpd server execute a wget command when it finds an additional IP address in the path-to-object, i.e. it executes wget 192.168.1.102/path-to-object and returns the object. Can anyone advise us as to which are the files where we should be working on?

Apache can just be configured to proxy to that address, you wouldn't change source code. See mod_rewrite and the [P] flag.

-- Eric Covener cove...@gmail.com
[users@httpd] URL Rewrite
Hi

New to Apache, but learning fast. Knocks IIS into a cocked hat, but I have a newbie question:

I have looked through the documentation and examples for the mod_rewrite module and although I think my request is simple, I cannot find the solution to it in either this documentation or the Practical Solutions to Common Problems section. Google throws me back to these same pages.

I want my browser to display only the root canonical URL while browsing: http://www.mydomain.com. Whatever is contained in the URL or querystring following this should not appear in the browser window. So http://www.mydomain.com/index.pl or http://www.mydomain.com/app/subapp/file.extension?var=somethinganothervar=somethingelse should both simply show http://www.mydomain.com in the browser window.

The iFrame solution works to a point, but that still reveals the filename containing the iFrame - I want this hidden also.

Simple, I know, but search as I might...

Many thanks for the assist!

Rod

Rod Behr
Software Design Manager
+44 (0) 1932 733 849 (Impact) | +44 (0) 7976 112 442 (mobile) | +44 (0) 1932 733 700 (switchboard)
Impact | Europe House, 170 Windmill Road West, Sunbury-on-Thames, Middlesex, TW16 7HB
www.impact-europe.com | rod.b...@impact-europe.com
www.global-presence.org
Travel less, videoconference more. It does not cost the Earth.

Impact Marcom Ltd trading as Impact | Registered in England No. 1166286. Registered Address: Europe House, 170 Windmill Road West, Sunbury-on-Thames, Middlesex, TW16 7HB

The information contained in this message is intended only for the recipient, and may be privileged, confidential and/or protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, please be aware that any dissemination or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by replying to the message and deleting it from your computer. Impact Marcom Ltd reserves the right, subject to applicable local law, to monitor and review the content of any electronic message or information sent to or from Impact Marcom employee e-mail addresses without informing the sender or recipient of the message.
Re: [users@httpd] URL Rewrite
On Wed, Apr 20, 2011 at 7:07 AM, Rod Behr rod.b...@impact-europe.com wrote:

Hi

New to Apache, but learning fast. Knocks IIS into a cocked hat, but I have a newbie question:

I have looked through the documentation and examples for the mod_rewrite module and although I think my request is simple, I cannot find the solution to it in either this documentation or the “Practical Solutions to Common Problems” section. Google throws me back to these same pages.

I want my browser to display only the root canonical URL while browsing: http://www.mydomain.com. Whatever is contained in the URL or querystring following this should not appear in the browser window. So http://www.mydomain.com/index.pl or http://www.mydomain.com/app/subapp/file.extension?var=somethinganothervar=somethingelse should both simply show http://www.mydomain.com in the browser window.

The iFrame solution works to a point, but that still reveals the filename containing the iFrame – I want this hidden also.

Simple, I know, but search as I might…

Many thanks for the assist!

Rod

See http://httpd.apache.org/docs/trunk/rewrite/remapping.html#canonicalhost

Frank
[users@httpd] Apache Web Server Testing Framework
Hello everyone, I am an undergraduate student currently working on some research at the University of California, San Diego. We are currently trying to run the tests for the Apache Web Server using the testing framework; however, I am having difficulty understanding how the perl script in the testing framework actually works and where the tests are actually getting called from. If you could give me information about how the testing framework works I would greatly appreciate that. If it helps, we would ultimately like to run the tests and collect the traces of the Apache Web Server using software like valgrind.
Re: [users@httpd] Help to identify the files in the source code
th

On Wed, Apr 20, 2011 at 4:30 PM, Eric Covener cove...@gmail.com wrote:

On Wed, Apr 20, 2011 at 2:17 AM, siraj p s siraje...@gmail.com wrote:

We are a group of students undertaking a project to extend addressing of more machines using IPv4 itself. Here we propose to alter the http://public-ip-address/path-to-object. The path-to-object is altered incorporating the address of local machines, i.e., http://public-ip-address/192.168.1.102/path-to-object. We propose to let the httpd server execute a wget command when it finds an additional IP address in the path-to-object, i.e. it executes wget 192.168.1.102/path-to-object and returns the object. Can anyone advise us as to which are the files where we should be working on?

Apache can just be configured to proxy to that address, you wouldn't change source code. See mod_rewrite and the [P] flag.

-- Eric Covener cove...@gmail.com
Re: [users@httpd] Apache Web Server Testing Framework
On Wed, Apr 20, 2011 at 9:50 AM, Sanket ithrewar...@gmail.com wrote:

Hello everyone, I am an undergraduate student currently working on some research at the University of California, San Diego. We are currently trying to run the tests for the Apache Web Server using the testing framework; however, I am having difficulty understanding how the perl script in the testing framework actually works and where the tests are actually getting called from. If you could give me information about how the testing framework works I would greatly appreciate that. If it helps, we would ultimately like to run the tests and collect the traces of the Apache Web Server using software like valgrind.

Would love to see a writeup of using the test framework / adding tests in the httpd wiki!

-- Eric Covener cove...@gmail.com
Re: [users@httpd] Help to identify the files in the source code
Thanks for the response. Our need is not a proxy server. We are trying to create a proxy that would serve objects from other machines on the local net which belongs to class C family.

On Wed, Apr 20, 2011 at 4:30 PM, Eric Covener cove...@gmail.com wrote:

On Wed, Apr 20, 2011 at 2:17 AM, siraj p s siraje...@gmail.com wrote:

We are a group of students undertaking a project to extend addressing of more machines using IPv4 itself. Here we propose to alter the http://public-ip-address/path-to-object. The path-to-object is altered incorporating the address of local machines, i.e., http://public-ip-address/192.168.1.102/path-to-object. We propose to let the httpd server execute a wget command when it finds an additional IP address in the path-to-object, i.e. it executes wget 192.168.1.102/path-to-object and returns the object. Can anyone advise us as to which are the files where we should be working on?

Apache can just be configured to proxy to that address, you wouldn't change source code. See mod_rewrite and the [P] flag.

-- Eric Covener cove...@gmail.com
Re: [users@httpd] Help to identify the files in the source code
On Wed, Apr 20, 2011 at 9:54 AM, siraj p s siraje...@gmail.com wrote:

Thanks for the response. Our need is not a proxy server. We are trying to create a proxy that would serve objects from other machines on the local net which belongs to class C family.

Why would you want to create a proxy by running wget when there's a fully-featured HTTP proxy already there?
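The mod_rewrite [P] approach suggested in this thread, written out as an added example (not configuration posted by anyone on the list). The 192.168.1. prefix is a literal in the rule and only listed last octets are accepted, so the request path cannot point the proxy at other hosts; the octets 101 to 103 and the module paths are assumptions.

```apache
# Assumed module paths; mod_proxy and mod_proxy_http must be loaded for [P] to work.
LoadModule rewrite_module    modules/mod_rewrite.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxying only: never act as a forward proxy for arbitrary URLs.
ProxyRequests Off

RewriteEngine On

# /192.168.1.102/path-to-object  ->  http://192.168.1.102/path-to-object
# The network prefix is fixed in both the pattern and the substitution.
# Only the last octet is taken from the request, and only from the listed
# values (101, 102, 103 are assumed example hosts).
RewriteRule ^/192\.168\.1\.(101|102|103)/(.*)$ http://192.168.1.$1/$2 [P,L]

# Any other path whose first segment is shaped like an IPv4 address is refused
# instead of falling through to local content.
RewriteRule ^/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(/|$) - [F]
```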
[users@httpd] Re: failing to access ssl port
On Tue, Apr 19, 2011 at 11:27 PM, Asif Iqbal vad...@gmail.com wrote:

I am getting this error while trying to connect to https port. There is only this log in the error log http://goo.gl/IeTnV

Here is the error log

[Tue Apr 19 22:34:36 2011] [info] [client 192.168.0.248] Connection to child 1 established (server www.example.net:8443)
[Tue Apr 19 22:34:36 2011] [info] Seeding PRNG with 136 bytes of entropy
[Tue Apr 19 22:34:36 2011] [info] [client 192.168.0.248] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Apr 19 22:34:36 2011] [info] [client 192.168.0.248] Connection closed to child 1 with abortive shutdown (server www.example.net:8443)

Here is my apache version

[Tue Apr 19 23:13:32 2011] [info] mod_ssl/2.2.17 compiled against Server: Apache/2.2.17, Library: OpenSSL/0.9.8e

I am using +sslv3 in the cipher suite as shown in my conf/extra/httpd-ssl.conf

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL

openssl ciphers -v 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL' shows sslv2 and sslv3 in there

Any suggestion?

If I take the same certificate and start openssl s_server like below

openssl s_server -cert conf/server.crt -key conf/server.key -port 8443

and then try to connect to it from the same FF browser I do the usual This Connection is Untrusted.. That is what I expected when apache2 was running. so obviously apache2 is not configured to handle request like openssl s_server can.

-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
[users@httpd] Incomplete file downloads if Apache HTTPD is killed
Hi all, if a server is killed (SIGKILL) during a large static file transfer, then the client is not notified by his browser that file has not been completely downloaded. On Win it just says it is not a valid Win32 application or corrupted or sth. Now I know this is not a general problem and a graceful restart is the way to go around this, but if I do an upgrade then proper restart is required, or at least I think I remember I had problems with graceful restart in such situations. According to this article http://blogs.msdn.com/b/ieinternals/archive/2011/03/09/browsers-accommodate-incorrect-http-content-length-and-sites-depressingly-depend-on-it.aspx sending RST TCP flag should solve the problem for majority of browsers, but I don't know how to achieve such a behaviour of Apache on Linux. Does anyone know how to work around this issue? Thanks for your answer, b.
Re: [users@httpd] Incomplete file downloads if Apache HTTPD is killed
On April 20, 2011 11:11 , Bostjan Skufca bost...@a2o.si wrote:

if a server is killed (SIGKILL) during a large static file transfer, then the client is not notified by his browser that file has not been completely downloaded. On Win it just says it is not a valid Win32 application or corrupted or sth. Now I know this is not a general problem and a graceful restart is the way to go around this, but if I do an upgrade then proper restart is required, or at least I think I remember I had problems with graceful restart in such situations.

Sending a SIGKILL is an unfriendly way to end a process -- it causes the kernel to immediately terminate the process, without giving the process any chance to clean up. SIGKILL is thus not one of the signals handled specially by Apache HTTP Server. For a list of the signals that are handled specially, see http://httpd.apache.org/docs/2.2/stopping.html

If you'd like to completely stop Apache HTTP Server so you can manually restart it later, then sending SIGWINCH will cause httpd to exit gracefully after completing any current requests or after GracefulShutdownTimeout is reached, whichever comes first. Alternatively, you can cause httpd to exit more quickly, interrupting any current requests, by sending it a SIGTERM.

I don't know for sure if either of these will cause a TCP RST to be sent to the client, but I think the odds are better than if you used a SIGKILL.

-- Mark Montague m...@catseye.org
Re: [users@httpd] mod_proxy_balancer - no way to name pool members by IP.
On Fri, Feb 04, 2011 at 11:06:48PM +, dfw-apa...@white.u-net.com wrote:

On Fri, Feb 04, 2011 at 05:36:01PM +, Igor Galić wrote:

But ProxySet only allows you to set the same Variables as ProxyPass does. host is none of them.

Indeed. This appears to be the problem. Such an option is missing. Right now I'm looking into 2.2's source to see how to add an option preservehost=(on|off).

Can you please test: http://people.apache.org/~igalic/patches/mod_proxy-preserve_host.diff

duh.. nodocumentationpatch! But I'm pretty sure you can guess how to use it ;)

http://people.apache.org/~igalic/patches/mod_proxy-preserve_host.2.diff

Adds: Documentation, CHANGES update, MMN bump
Also has a _set variable analogous to the other options.
Bonus: compiles. Untested so far.

Thanks. I've poked and snuffled, but a co-worker has pointed out that there may be problems if this worker is a member of two different balance pools. The connection properties would be controlled by the worker, but what is sent down that connection should be controlled by the balancer pool.

I followed your earlier lead when you mentioned ProxyPreserveHost is now localisable in trunk. I dug out svn commit r824072 which looks to be exactly what I need. It should prevent shared workers getting mixed up by allowing me to set the Host at the <Proxy balancer://..> level.

I have a sneaking suspicion trying to set <Proxy http://10.*> for a worker would never work anyway, as the system won't see that as the destination. It will see the balancer instead, so only the <Proxy balancer://..> config would apply anyway.

We'll see how far I get.

As it turns out, after a very long journey, I didn't get very far at all. I needed to backport a few mod_proxy thread safety patches from 2.3 to 2.2.17 or else apachebench was just a massacre.

After backporting the localisable ProxyPreserveHost patch I successfully overwrote the Host header from inside a Proxy block, allowing me to control which vhost I talked to on the backend member. Unfortunately this kludged Host header makes its way into your cached object headers and your access log...

Now, you can fix the log by catching the Host in a Setenvif and logging that, and I don't *think* anything looks at the Host header in the cached object, but it turns out there is a more unpleasant problem:

This works as expected:

RewriteRule /foo(.*) balancer://back.foo.com/fooback/$1 [P]

And this also proxypasses, but *none* of the directives in the <Proxy balancer://back.foo.com/> take effect:

<Location /foo>
RewriteRule /foo(.*) balancer://back.foo.com/fooback/$1 [P]
</Location>

No, I don't know why.

Without the Proxy block directives to control the Host header sent to the backend, the backend gives us the finger, as its balancer member IP/hostname is not the vhost we want.

I think I'm going to have to retreat. It looks like I will need a patch to *specify* a host header at the balancer config level. Does anyone have any tips on how this might be done?

DFW

PS: Ignoring parameter 'lbset=0' for worker 'http://10.1.2.3' because of worker sharing (I backported a log verbosity patch too)

Ignoring the other variables I can understand, but shouldn't lbset be unique to each balancer? e.g. I share the same backend workers amongst several balancers, but each backend IP may serve each vhost to a differing degree.
Re: [users@httpd] URL Rewrite
On April 20, 2011 7:07 , Rod Behr rod.b...@impact-europe.com wrote:

I want my browser to display only the root canonical URL while browsing: http://www.mydomain.com. Whatever is contained in the URL or querystring following this should not appear in the browser window. So http://www.mydomain.com/index.pl or http://www.mydomain.com/app/subapp/file.extension?var=somethinganothervar=somethingelse should both simply show http://www.mydomain.com in the browser window.

Why? Knowing this might allow us to suggest other solutions.

Note that what you are asking for goes against the way web browsers are designed, is user-unfriendly, and, if you are successful in implementing it, will cause problems for search engines such as Google and Bing (even to the point of them being unable to access your content and/or outright banning your site from search results). Also, this could cause accessibility issues for people with disabilities, which may be a violation of one or more national or local laws.

Apache HTTP Server can internally rewrite request URLs in a way that is invisible to the web browser and end user, but this will not accomplish what you want: the web browser will always display the URL that the user originally requested (the link target) even if the content is actually being served from a different URL. A user would go to http://www.mydomain.com/ but if they then clicked on a link for http://www.mydomain.com/something/else, the web browser would display this second URL in their location bar before sending the request to the web server, and there is no way the web server can change the URL displayed in the location bar short of doing a redirect to a different URL.

The iFrame solution works to a point, but that still reveals the filename containing the iFrame -- I want this hidden also.

Another solution is to design your site to use a front controller that lives at http://www.mydomain.com/ and handles all requests for content for the entire site. If you did this and did not use path info (extra path components) and made all pages except for the main page pass information to the front controller via hidden form fields in POST requests (instead of query strings). See http://en.wikipedia.org/wiki/Front_Controller_pattern

Finally, you could write a page that uses AJAX to request content from the server whenever the user clicks on a link, dynamically loading that content into various areas of the current web page. Since a complete page load is never done, the URL in the titlebar will never change from http://www.mydomain.com/ You could configure Apache HTTP Server with rewrite rules so that if a request comes in for any other URL the user is redirected to the site's main page.

Out of curiosity -- your original message implies that you already know how to do what you want with Microsoft IIS but are trying to find the equivalent solution for Apache HTTP Server. How does IIS do this?

-- Mark Montague m...@catseye.org
Re: [users@httpd] Configuring MOD_SSL with and without client auth on the same box
On April 20, 2011 6:06 , Debashis Roy r_debas...@hotmail.com wrote:

I would like to configure two different context roots with MOD_SSL in Apache Httpd, such that one is authenticated using client certificate and the other one does not require SSL client authentication. Each of these two context roots are eventually delegated MOD_PROXY_AJP two different backend tomcat applications. How can this be achieved? Any help/pointer highly appreciated.

The SSLVerifyClient directive controls whether a client certificate is required, optional, or never used. If you had two different Location stanzas in the same virtual host (one for each of the two backend Tomcat applications), include the SSLVerifyClient directive in the one that you wanted to authenticate using client certificates, and omit it from the other.

Alternatively, you could set up two separate virtual hosts, one for each backend Tomcat application, and specify the SSLVerifyClient directive in one of the two virtual hosts, omitting it from the other.

-- Mark Montague m...@catseye.org
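The two-Location layout described in this reply, written out as an added example (not configuration from the poster or from the httpd project). The server name, context roots /secure and /public, AJP ports and certificate paths are all assumptions.

```apache
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    # Assumed paths for the server certificate and key
    SSLCertificateFile    /etc/httpd/conf/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key

    # CA certificate(s) that client certificates must chain to (assumed path)
    SSLCACertificateFile  /etc/httpd/conf/ssl/client-ca.crt

    # Virtual-host default: no client certificate is requested in the
    # initial handshake.
    SSLVerifyClient none

    # Context root 1: client certificate required.
    # Because the requirement is set per location, mod_ssl only learns it
    # applies after reading the request and renegotiates the connection
    # to ask for the certificate.
    <Location /secure>
        SSLVerifyClient require
        # Depth 1: the client certificate must be signed directly by a CA
        # in SSLCACertificateFile.
        SSLVerifyDepth  1
        ProxyPass ajp://localhost:8009/secure
    </Location>

    # Context root 2: server-authenticated TLS only, inherits
    # SSLVerifyClient none from the virtual host.
    <Location /public>
        ProxyPass ajp://localhost:8010/public
    </Location>
</VirtualHost>
```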
Re: [users@httpd] Chroot a virtual host
On April 19, 2011 19:47 , --[ UxBoD ]-- ux...@splatnix.net wrote:

I have noticed that when running Joomla, or in fact any browsing capable PHP code, I am able to navigate above my virtual host document root and look at other virtual host files. How would one stop this? I have taken a look at mod_chroot but that does not seem to work as ChrootDir can only be used in the main configuration and not in the VirtualHost directive.

As an alternative to chroot, you could use privilege separation to achieve what you want, setting up each virtual host to execute PHP code as a different user from all other virtual hosts' users. There are many ways to implement privilege separation, see http://wiki.apache.org/httpd/PrivilegeSeparation

My favorite way is to use FastCGI, although I personally use mod_proxy_fcgi for this rather than mod_fcgid.

-- Mark Montague m...@catseye.org
Re: [users@httpd] failing to access ssl port
On April 19, 2011 23:27 , Asif Iqbal vad...@gmail.com wrote:

[Tue Apr 19 22:34:36 2011] [info] [client 192.168.0.248] Connection to child 1 established (server www.example.net:8443)
[Tue Apr 19 22:34:36 2011] [info] Seeding PRNG with 136 bytes of entropy
[Tue Apr 19 22:34:36 2011] [info] [client 192.168.0.248] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Apr 19 22:34:36 2011] [info] [client 192.168.0.248] Connection closed to child 1 with abortive shutdown (server www.example.net:8443)

Any suggestion?

You can use openssl s_client to see what is happening when you try to connect to Apache HTTP Server via HTTPS. Hopefully there will be a clue to what is causing the problem in the openssl s_client output. However, if the handshake is successful, then you might have a problem with the web browser or your network rather than with Apache HTTP Server.

If openssl s_client does not give any clues as to what is happening, add ssl:debug to the end of your existing LogLevel directive, restart httpd, and reproduce the error using your web browser again. More information should be logged to the Apache error log this time.

If neither of those work, send us all your SSL configuration directives, not just the SSLCipherSuite directive, plus any relevant portions of virtual host configuration directives.

-- Mark Montague m...@catseye.org
[users@httpd] problems with delivering precompressed content
Hi apache folks,

I've been struggling with precompressed content for a while now, but I can't find a satisfying solution. There are plenty of .js and .css, which I currently compress at runtime with mod_deflate. To save CPU load, I want to precompress these, put them as .(js|css).gz on the server and deliver the precompressed variant transparently depending on Accept-Encoding. By now, I tried two possible ways of doing this.

1) mod_rewrite

I tried to switch according to RewriteCond's, while checking the accessibility of the requested file and the rewritten file with subrequests (security concerns). While this seems to work, the security guys at my company complain that mod_rewrite should be absolutely the last resort. If mod_rewrite would be the solution, we'd rather do dynamic compression (this might sound paranoid, but they have good reason and we have a very high focus on security).

2) mod_negotiation

I tried both MultiViews and type-maps. Maybe I misunderstood typemaps - but, I would have to place a filename.var file everywhere I want a negotiated file? This would be cumbersome, as I want the negotiation to be transparent and I don't want the user to request a .js.var file. So I switched to MultiViews, which brings up the next problem. I have to rename the uncompressed file to something else like name.js.plain for MultiViews to kick in on GET /name.js. After removing .gz as a known type and adding the encoding to mod_mime, delivery of precompressed content works fine. Unfortunately, the plain content is no longer accessible. The plain file isn't a variant for mod_negotiation, if I get it right. I would have to associate the identity encoding with a negotiable file extension. But I found no way to accomplish this.

So now, I'm looking for other ways. I noticed mod_gzip, which looks like it could do this sort of thing. But there were no updates for quite a time now and it's not an Apache project, which discourages its use for us (security concerns and a different release cycle).

So I'd like to know what your suggestions are. Is there a way to get mod_negotiation to work the way I have in mind? Am I missing something or is there an alternative solution?

Regards, Edgar
[users@httpd] server limit stuck at 10
Igor Cicimo said:

> So do what the error says: increase the ServerLimit

I've tried that a lot of times. Maybe I am doing it wrong. My understanding is that the IfModule prefork.c section of httpd.conf is where this directive is read when using the prefork module. When I change this value, the error message I get sometimes reflects the value I have put in. I have tried various values for ServerLimit and MaxClients, but no joy. My site has one gig memory and 2 gigs burstable.

As I said in my original post: Here is the prefork section of httpd.conf

<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 150
</IfModule>

If I should be setting the ServerLimit some other way, I would be very happy to hear what that is.

I am currently working on switching the site from php to html so I can use the threaded model and get rid of the php overhead from the server. I currently use perl programs to generate most of the php code for the site anyway. I am switching the code to C because I am not that fluent in perl and I spend too much time looking things up. But if I can solve this problem some other way, I might reconsider that plan.

Thanks, Marion
Re: [users@httpd] mod_proxy_balancer - no way to name pool members by IP.
On Fri, Feb 04, 2011 at 11:06:48PM +, dfw-apa...@white.u-net.com wrote:

On Fri, Feb 04, 2011 at 05:36:01PM +, Igor Galić wrote:

But ProxySet only allows you to set the same Variables as ProxyPass does. host is none of them.

Indeed. This appears to be the problem. Such an option is missing.

Right now I'm looking into 2.2's source to see how to add an option preservehost=(on|off). Can you please test: http://people.apache.org/~igalic/patches/mod_proxy-preserve_host.diff

duh.. nodocumentationpatch! But I'm pretty sure you can guess how to use it ;)

http://people.apache.org/~igalic/patches/mod_proxy-preserve_host.2.diff Adds: Documentation, CHANGES update, MMN bump. Also has a _set variable analogous to the other options. Bonus: compiles. Untested so far.

Thanks. I've poked and snuffled, but a co-worker has pointed out that there may be problems if this worker is a member of two different balance pools. The connection properties would be controlled by the worker, but what is sent down that connection should be controlled by the balancer pool.

I followed your earlier lead when you mentioned ProxyPreserveHost is now localisable in trunk. I dug out svn commit r824072 which looks to be exactly what I need. It should prevent shared workers getting mixed up by allowing me to set the Host at the <Proxy balancer://..> level. I have a sneaking suspicion trying to set <Proxy http://10.*> for a worker would never work anyway, as the system won't see that as the destination. It will see the balancer instead, so only the <Proxy balancer://..> config would apply anyway. We'll see how far I get.

As it turns out, after a very long journey, I didn't get very far at all.

After backporting the localisable ProxyPreserveHost patch I successfully overwrote the Host header from inside a <Proxy> block, allowing me to control which vhost I talked to on the backend member. Unfortunately this kludged Host header makes its way into your cached object headers and your access log...

Now, you can fix the log by catching the Host in a Setenvif and logging that, and I don't *think* anything looks at the Host header in the cached object, but it turns out there is a more unpleasant problem:

This works as expected:

RewriteRule /foo(.*) balancer://back.foo.com/fooback/$1 [P]

And this also proxypasses, but *none* of the directives in the <Proxy balancer://back.foo.com/> take effect:

<Location /foo>
RewriteRule /foo(.*) balancer://back.foo.com/fooback/$1 [P]
</Location>

No, I don't know why. Without the <Proxy> block directives to control the Host header sent to the backend, the backend gives us the finger, as its balancer member IP/hostname is not the vhost we want.

I also needed to backport a few mod_proxy_http.c thread safety patches from 2.3 to 2.2.17 or else apachebenching was just a massacre.

I think I'm going to have to retreat. It looks like I will need a patch to *specify* a host header at the balancer config level. Does anyone have any tips on how this might be done?

DFW

PS: Ignoring parameter 'lbset=0' for worker 'http://10.1.2.3' because of worker sharing (I backported a log verbosity patch too). Ignoring the other variables I can understand, but shouldn't lbset be unique to each balancer? e.g. I share the same backend workers amongst several balancers, but each backend IP may serve each vhost to a differing degree.
Re: [users@httpd] mod_proxy_balancer - no way to name pool members by IP.
> and I don't *think* anything looks at the Host header in the cached object,

you could add a Vary on the Host header.
Re: [users@httpd] Incomplete file downloads if Apache HTTPD is killed
>> if a server is killed (SIGKILL) during a large static file transfer, then the client is not notified by his browser that file has not been completely downloaded. On Win it just says it is not a valid Win32 application or corrupted or sth. Now I know this is not a general problem and a graceful restart is the way to go around this, but if I do an upgrade then proper restart is required, or at least I think I remember I had problems with graceful restart in such situations.
>
> Sending a SIGKILL is an unfriendly way to end a process -- it causes the kernel to immediately terminate the process, without giving the process any chance to clean up. SIGKILL is thus not one of the signals handled specially by Apache HTTP Server. For a list of the signals that are handled specially, see http://httpd.apache.org/docs/2.2/stopping.html

Sending SIGKILL was just a way to simulate apachectl stop, which sends SIGTERM and then if after 10s some children still did not exit, parent sends SIGKILL to them.

> If you'd like to completely stop Apache HTTP Server so you can manually restart it later, then sending SIGWINCH will cause httpd to exit gracefully after completing any current requests or after GracefulShutdownTimeout is reached, whichever comes first. Alternatively, you can cause httpd to exit more quickly, interrupting any current requests, by sending it a SIGTERM. I don't know for sure if either of these will cause a TCP RST to be sent to the client, but I think the odds are better than if you used a SIGKILL.

Thanks for the hint, SIGWINCH (or apachectl graceful-stop) does the trick. I still have to test it (namely if HTTPD with PHP and eAccelerator has any troubles being restarted that way) but this looks promising. Again, RTFM would be my friend - again:)

Thanks again, b.
Re: [users@httpd] problems with delivering precompressed content
> So I'd like to know, what your suggestions are. Is there a way to get mod_negotiation to work the way I have in mind? Am I missing something or is there an alternative solution?

I've never understood this much -- but I thought this worked as long as your links were to /foo instead of /foo.js with foo.js and foo.js.gz in the filesystem.

You could rewrite these on the way in, from /foo to /foo.js with the [PT] flag, then let multiviews pick and setup the headers. Other people use rewrite and mod_setenvif/mod_headers all the way through and skip mod_negotiation.

I think there's lot of room for improvement in httpd and in the doc or wiki for precompressed content on an existing site.
Re: [users@httpd] mod_proxy_balancer - no way to name pool members by IP.
On Wed, Apr 20, 2011 at 02:17:43PM -0400, Eric Covener wrote:

>> and I don't *think* anything looks at the Host header in the cached object,
>
> you could add a Vary on the Host header.

I'd rather not play with the Host header after all if I can help it. If it Vary's on Host, won't it check that the Host matches the cached object's Host? Which it never will coz we broke it to get the backend proxy Host header working.

DFW
Re: [users@httpd] problems with delivering precompressed content
On 20.04.2011 20:25, Eric Covener wrote:

>> So I'd like to know, what your suggestions are. Is there a way to get mod_negotiation to work the way I have in mind? Am I missing something or is there an alternative solution?
>
> I've never understood this much -- but I thought this worked as long as your links were to /foo instead of /foo.js with foo.js and foo.js.gz in the filesystem.

This might be a possibility, but I dislike the loss of information. IMHO it should be clearly visible to the user which type of resource he requests by the file extension. But I'll discuss that.

> You could rewrite these on the way in, from /foo to /foo.js with the [PT] flag, then let multiviews pick and setup the headers. Other people use rewrite and mod_setenvif/mod_headers all the way through and skip mod_negotiation.

Did you mean rewriting /foo.js to /foo? Sounds interesting, especially with the [PT] flag. This should circumvent the possibility of parsing the rewritten url as a filesystem path, right? (e.g. requesting /etc/passwd.js)

> I think there's lot of room for improvement in httpd and in the doc or wiki for precompressed content on an existing site.

I'm looking forward to it. Admittedly the docs didn't help me that much so I dived into the source of mod_negotiation, which is quite a bunch of code (~3000-4000 lines).

Regards, Edgar
Re: [users@httpd] problems with delivering precompressed content
> Did you mean rewriting /foo.js to /foo? Sounds interesting, especially with the [PT] flag.

yes, had it backwards
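One way to do the rewrite plus mod_headers approach mentioned in this thread, as an added example rather than configuration posted by any participant. It assumes httpd 2.4 with mod_rewrite and mod_headers loaded, a hypothetical DocumentRoot of /srv/www/example, and name.js stored next to name.js.gz under its static/ directory; the rules are confined to that one directory and only fire when a non-empty .gz sibling exists there.

```apache
# Added example: the paths are hypothetical. Assumes DocumentRoot is
# "/srv/www/example", so the directory below is reached as /static/.
<Directory "/srv/www/example/static">
    Require all granted
    AllowOverride None
    # mod_rewrite in directory context needs one of the symlink options.
    Options SymLinksIfOwnerMatch

    RewriteEngine On

    # Client lists gzip in Accept-Encoding without refusing it via q=0 ...
    RewriteCond "%{HTTP:Accept-Encoding}" "\bgzip\b(?!\s*;\s*q=0(\.0{1,3})?\s*(,|$))" [NC]
    # ... and a non-empty precompressed sibling exists beside the file.
    # In directory context REQUEST_FILENAME is already the mapped
    # filesystem path, so this test cannot look outside this directory.
    RewriteCond "%{REQUEST_FILENAME}.gz" -s
    RewriteRule "^(.+)\.(css|js)$" "$1.$2.gz" [L]

    # Keep the original media type and stop mod_deflate from compressing
    # the already-compressed file a second time.
    RewriteRule "\.css\.gz$" "-" [T=text/css,E=no-gzip:1]
    RewriteRule "\.js\.gz$"  "-" [T=text/javascript,E=no-gzip:1]

    <FilesMatch "\.(css|js)\.gz$">
        Header set Content-Encoding gzip
    </FilesMatch>

    # Both variants are served under one URL, so caches must key on
    # Accept-Encoding for the plain file as well as the .gz file.
    <FilesMatch "\.(css|js)(\.gz)?$">
        Header merge Vary Accept-Encoding
    </FilesMatch>
</Directory>
```

Requests for /static/name.js from clients that do not accept gzip fall through the first rule and get the plain file, so the uncompressed content stays reachable without renaming it.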
[users@httpd] Mod_Rewrite and reverse proxy
Is it possible to use Mod_Rewrite and apache in reverse proxy mode simultaneously?

I have a web server (server1) that is a mirror of another web server (server2) and all requests from the server1 are reverse proxied to server2. The robots.txt from server2 needs to be changed to disallow crawling when accessed through server1. So I created a robots2.txt, uploaded onto server2 and tried this configuration on server1 but it is not working.

<Directory />
RewriteEngine on
RewriteBase /
RewriteRule ^robots\.txt$ robots2.txt
</Directory>
ProxyPass / http://www.server2/ retry=0
ProxyPassReverse / http://www.server2/
ProxyPreserveHost On

Any recommendations as to how to accomplish this are very much appreciated. Thank you.
Re: [users@httpd] Mod_Rewrite and reverse proxy
On April 20, 2011 18:43, Joel Donahue joel.donahu...@gmail.com wrote:

> Is it possible to use Mod_Rewrite and apache in reverse proxy mode simultaneously?
>
> <Directory />
> RewriteEngine on
> RewriteBase /
> RewriteRule ^robots\.txt$ robots2.txt
> </Directory>
> ProxyPass / http://www.server2/ retry=0
> ProxyPassReverse / http://www.server2/
> ProxyPreserveHost On

Yes, but the Directory stanza applies to files that are being served from the front-end server's filesystem. The rewrite rules you put in the Directory stanza have no effect because the requests are being proxied, not served from the filesystem. Move the RewriteEngine and RewriteRule directives out of the Directory context and into the virtual host context with the ProxyPass directive. You should also get rid of the RewriteBase directive and make the RewriteRule directive operate on absolute (not relative) URLs, like this:

RewriteRule ^/robots\.txt$ /robots2.txt

-- Mark Montague m...@catseye.org
Re: [users@httpd] Mod_Rewrite and reverse proxy
On Wed, Apr 20, 2011 at 4:58 PM, Mark Montague m...@catseye.org wrote:

> On April 20, 2011 18:43, Joel Donahue joel.donahu...@gmail.com wrote:
>
>> Is it possible to use Mod_Rewrite and apache in reverse proxy mode simultaneously?
>>
>> <Directory />
>> RewriteEngine on
>> RewriteBase /
>> RewriteRule ^robots\.txt$ robots2.txt
>> </Directory>
>> ProxyPass / http://www.server2/ retry=0
>> ProxyPassReverse / http://www.server2/
>> ProxyPreserveHost On
>
> Yes, but the Directory stanza applies to files that are being served from the front-end server's filesystem. The rewrite rules you put in the Directory stanza have no effect because the requests are being proxied, not served from the filesystem. Move the RewriteEngine and RewriteRule directives out of the Directory context and into the virtual host context with the ProxyPass directive. You should also get rid of the RewriteBase directive and make the RewriteRule directive operate on absolute (not relative) URLs, like this:
>
> RewriteRule ^/robots\.txt$ /robots2.txt
>
> -- Mark Montague m...@catseye.org

I just realized I wasn't replying to the list. Here is the config that got it working, thanks to Mark's suggestions:

<VirtualHost *.*.*.*:80>
ServerName server1
ServerAlias server1
ProxyPass / server2/ retry=0
ProxyPassReverse / server2/
ProxyPreserveHost On
RewriteEngine on
RewriteRule ^/robots\.txt$ /robots2.txt [PT]
</VirtualHost>
[users@httpd] Worker MPM configuration with High Load
Hi,

Using apache2.2.17, mod_jk_1.2.30, tomcat5.5.27 for my setup.

./apachectl -V
Server version: Apache/2.2.17 (Unix)
Server built: Apr 19 2011 08:35:28
Server's Module Magic Number: 20051115:25
Server loaded: APR 1.4.2, APR-Util 1.3.10
Compiled using: APR 1.4.2, APR-Util 1.3.10
Architecture: 64-bit
Server MPM: Worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/applications/balancer"
-D SUEXEC_BIN="/applications/balancer/bin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

With the above setup I am checking a load of 1500 concurrent requests with SOAPUI with worker MPM. With the default settings I am getting "max client error in error.log". So I have made the following changes. Please look and validate whether I am on track:

APACHE - http.conf

ServerLimit 30
StartServers 20
MaxClients 1500
MinSpareThreads 40
MaxSpareThreads 100
ThreadsPerChild 50
MaxRequestsPerChild 0

worker.properties

worker.list=balancer
#For tomcat 1
worker.list=worker1
#worker.worker1.domain=worker1
worker.worker1.type=ajp13
worker.worker1.host=
worker.worker1.port=8009
worker.worker1.lbfactor=1
.
.
#For tomcat 4
worker.list=worker4
#worker.worker4.domain=worker4
worker2.worker4.type=ajp13
worker.worker4.host=
worker.worker4.port=8012
worker.worker4.lbfactor=1
worker.balancer.type=lb
worker.balancer.balance_workers=worker1,worker2,worker3,worker4
worker.balancer.local_worker_only=1
worker.balancer.sticky_session=1

4 TOMCAT - server.xml (tomcats)

<Connector port="8009" enableLookups="false" redirectPort="8443" minProcessors="25" maxProcessors="2000" maxThreads="500" minSpareThreads="25" maxSpareThreads="75" protocol="AJP/1.3">

I have a few questions :-)

1) I am hitting with 1500 concurrent users. Is this configuration fine?
2) Should the AJP connector port be unique or not? For tomcats running on the same machine, and if the tomcats are on different machines?
3) I have set StartServers 20 (means 20 child processes with 50 threads per child), but why am I getting 2 with the following command: ps aux | grep http | grep -v "\(root\|grep\)" | wc -l -- 2
4) Does any other configuration need to be done for worker MPM?

Thanks a lot in advance.

Regards, Harsimran