Re: [users@httpd] Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure
On October 5, 2011 17:44, Thomas Smith wrote:
> Can someone help me get my desired configuration to work?

Maybe someone who is not me can :) I'd be able to help you better if you asked your question much more narrowly. Provide the configuration that is NOT working, say what your goal is (desired outcome/behavior), and be as specific as possible about the problem you are encountering: include what you do to encounter the problem (the specific HTTP requests), messages from the Apache HTTP Server error log, observed behavior (how what actually happens differs from the desired behavior), and so on.

> I created a Directory directive for /opt/rt4 that enables the LDAP authentication. This works really well but breaks their mail-gateway functionality (because this script is unable to perform authentication). I used a SetEnvIf parameter to exclude the two directories from authentication and it worked well (only the REST directory is required for the mail-gateway to work, though). However, the RT developers recommend restricting access to mail-gateway to 127.0.0.1 as it's used to inject tickets, via email, into RT's database--I haven't been able to get this to work.

From what I can extract from the above, you want to have everything use LDAP authentication except for one or more specific resources which you want to use host-based access control, correct? In this case, you need to use the "Satisfy Any" directive since access control methods normally supplement, not replace, authentication mechanisms. Here's an example (note that this is not a complete example, I've left out most directives for clarity):

Require valid-user
Order allow,deny
Allow from all

# Require EITHER an authenticated user (the configuration for /foo is inherited for /foo/bar)
# OR allow access from 127.0.0.1
Allow from 127.0.0.1
Satisfy Any

I hope this helps.

--
Mark Montague
m...@catseye.org

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
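As an added example (not Mark's or Thomas's configuration) of the "Satisfy Any" approach applied to the RT layout in this thread: the whole /opt/rt4 tree requires an LDAP user, /NoAuth stays open to everyone, and the mail-gateway path /REST/1.0/NoAuth is reachable without credentials only from 127.0.0.1. It uses Apache 2.0/2.2 syntax to match the poster's version; the LDAP host, bind DN and password are placeholders.

```apache
# Added example, not the poster's or Mark's config. Apache 2.0/2.2 syntax.
# Policy: LDAP login everywhere under /opt/rt4, /NoAuth open to all,
# /REST/1.0/NoAuth (rt-mailgate's endpoint) open only from the loopback address.

<Directory /opt/rt4>
    AuthType Basic
    AuthName "Request Tracker Login"
    # LDAP lines in the poster's mod_auth_ldap (2.0) style; values are placeholders.
    AuthLDAPEnabled on
    AuthLDAPAuthoritative on
    AuthLDAPUrl "ldap://LDAP-HOST-PLACEHOLDER/DC=example,DC=local?sAMAccountName?sub?(objectCategory=Person)"
    AuthLDAPBindDN "CN=BIND-DN-PLACEHOLDER"
    AuthLDAPBindPassword "BIND-PASSWORD-PLACEHOLDER"
    Require valid-user

    # No host-based allowance here, so the only way in is a valid user.
    Order deny,allow
    Deny from all
    Satisfy All

    Options +ExecCGI
    AddHandler fastcgi-script fcgi
</Directory>

# Static assets that need no login. "Satisfy Any" means EITHER a valid user OR
# a matching Allow rule; "Allow from all" always matches, so no 401 is sent.
<Location /NoAuth>
    Order deny,allow
    Allow from all
    Satisfy Any
</Location>

# Mail gateway. Requests from 127.0.0.1 need no credentials; any other source
# address still has to present a valid LDAP user. Add "::1" to the Allow line
# if rt-mailgate connects to "localhost" and that resolves to IPv6 first.
<Location /REST/1.0/NoAuth>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Satisfy Any
</Location>

# Equivalent for Apache 2.4, where mod_authz_core replaces Order/Allow/Satisfy:
# <Location /REST/1.0/NoAuth>
#     <RequireAny>
#         Require valid-user
#         Require ip 127.0.0.1
#     </RequireAny>
# </Location>
```

Check it with one request from the server itself and one from another host: the loopback request to /REST/1.0/NoAuth/ should succeed without credentials, the remote one should get a 401.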
[users@httpd] Fwd: Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure
Apologies, I sent the wrong config. Here is the WORKING config (except for the location restriction of 127.0.0.1 for the REST directory). Any help with this would be appreciated! :-)

> ServerName sub.domain.tld
>
> RewriteEngine On
> #RewriteLog /var/log/httpd/modrewrite_log
> #RewriteLogLevel 9
>
> RewriteCond %{HTTP_HOST} sub.domain.tld [NC]
> RewriteCond %{SERVER_PORT} 80
> RewriteRule ^/(.*) https://sub.domain.tld:4431/$1
>
> Listen 4431
>
> ServerName sub.domain.tld
>
> SSLEngine On
> SSLCertificateFile /etc/httpd/conf.d/sub.domain.tld-cert.pem
> SSLCertificateKeyFile /etc/httpd/conf.d/sub.domain.tld-key.pem
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>
> AddDefaultCharset UTF-8
>
> FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300
>
> Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
> ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
>
> DocumentRoot /opt/rt4/share/html
>
> AuthType Basic
> AuthName "Request Tracker Login"
>
> AuthLDAPEnabled on
> AuthLDAPAuthoritative on
>
> AuthLDAPUrl "ldap://host.domain.local/OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local?sAMAccountName?sub?(|(objectCategory=Person)(objectClass=*))"
> AuthLDAPBindDN "CN=commonName,OU=People,OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local"
> AuthLDAPBindPassword **
>
> Require valid-user
>
> Order deny,allow
> Deny from all
> SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
> Allow from env=allow
> Satisfy Any
> Options +ExecCGI
> AddHandler fastcgi-script fcgi

Sent from my iPad

Begin forwarded message:

> From: Thomas Smith
> Date: October 5, 2011 2:44:42 PM PDT
> To: users@httpd.apache.org
> Subject: Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure
Re: [users@httpd] SSL Smartcard and Chrome browser
How is this an Apache question?

On Tue, Oct 4, 2011 at 1:21 AM, Margus Pärt wrote:
> Hello!
>
> Problem #1
>
> 1. Log in to site1.com with Smartcard (and enter PIN1)
> 2. Go to site2.com and enter with Smartcard
>
> Result:
> No PIN1 is asked. (Chrome caches PIN1)
>
> Problem #2
>
> 1. Log in to site1.com with Smartcard (SSLCacheTimeout and KeepAliveTimeout are 1)
> 2. Try to log in again without Smartcard
>
> Result:
> Certificate is not asked again. (Haven't had the time to test, but Chrome probably keeps TCP session up, so SSL session is never timed out.)
>
> Any ideas?
>
> Br,
> Margus
[users@httpd] Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure
Hi,

I'm configuring the Request Tracker to use Apache authentication. I've had RT running for quite a few years, but (up to this point) only using its internal database for authentication.

Software:
* CentOS 4.8
* Apache 2.0.63
* RT 4.0.2
* mod_fastcgi 2.4.6

I created a Directory directive for /opt/rt4 that enables the LDAP authentication. This works really well but breaks their mail-gateway functionality (because this script is unable to perform authentication). I used a SetEnvIf parameter to exclude the two directories from authentication and it worked well (only the REST directory is required for the mail-gateway to work, though). However, the RT developers recommend restricting access to mail-gateway to 127.0.0.1 as it's used to inject tickets, via email, into RT's database--I haven't been able to get this to work. I've tried a number of combinations of Directory, Files, and Location directives without any success. Here's a sanitized version of my Apache config for this virtual host (a working configuration without the above mentioned 127.0.0.1 restriction):

ServerName sub.domain.tld

RewriteEngine On
#RewriteLog /var/log/httpd/modrewrite_log
#RewriteLogLevel 9

RewriteCond %{HTTP_HOST} sub.domain.tld [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^/(.*) https://sub.domain.tld:4431/$1

Listen 4431

ServerName sub.domain.tld

SSLEngine On
SSLCertificateFile /etc/httpd/conf.d/sub.domain.tld-cert.pem
SSLCertificateKeyFile /etc/httpd/conf.d/sub.domain.tld-key.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

AddDefaultCharset UTF-8

FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300

Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

DocumentRoot /opt/rt4/share/html

AuthType Basic
AuthName "Request Tracker Login"

AuthLDAPEnabled on
AuthLDAPAuthoritative on

AuthLDAPUrl "ldap://host.domain.local/OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local?sAMAccountName?sub?(|(objectCategory=Person)(objectClass=*))"
AuthLDAPBindDN "CN=commonName,OU=People,OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local"
AuthLDAPBindPassword **

Require valid-user

# Allow anyone access to the "/NoAuth" location.
SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
Order deny,allow
Allow from env=allow
Satisfy Any

Order deny,allow
Deny from all
Options +ExecCGI
AddHandler fastcgi-script fcgi

Can someone help me get my desired configuration to work? I've been playing around with it for hours and haven't had any success.
Re: [users@httpd] Re: Vanity URL Rewrites Best Practices?
On Mon, Oct 3, 2011 at 1:41 PM, Andrew Schulman wrote:
>> For example,
>>
>> http://foo.com/mmh/maintenance_plan/tip?contentCategoryType=MaintenanceTip&id=%2Fwww%2Favm_webapps%2Fmmh%2Fmaintenance-tips%2Fcontent%2Fafter_blizzard.xml
>>
>> Being sent to
>>
>> http://foo.com/mmh/articles/authored/after-blizzard
>>
>> We've got a very frequent process where we'll get a huge block of rewrites like this that vary just by the last part and so far just keep going through and adding dozens and dozens of new rewrite rules each time. Surely there has to be a better way? (Ideally one that just involves Apache changes and not code changes on the back-end)
>
> Are the requests similar enough that you can write a single regular expression, or maybe two or three, that extracts the useful part from the URL in every case? For example,
>
> RewriteCond %{REQUEST_URI} ^/mmh/
> RewriteCond %{QUERY_STRING} \%2F(\w+)\.xml$
> RewriteRule .* /mmh/articles/authored/%1
>
> If you can describe all of the requests in this way or something like it, you're done. If not, if each request is so different that it needs its own regular expression, then it seems you're doomed to keep doing it as you are now.

Yes, I'm very nearly there, thanks! The only thing is, I'm not quite sure how to combine what you have here with a RewriteMap. If I had something like this:

RewriteMap vanmap txt:/tmp/map.txt
RewriteCond %{REQUEST_URI} ^/mmh/
RewriteCond %{QUERY_STRING} \%2F(\w+)\.xml$

Then can I just do a rewrite rule at the end like this?

RewriteRule .* /mmh/${vanmap:$1}? [L,NC,R=302]

Because I tried that and it keeps failing to pull any kind of key out of the REQUEST_URI.

> Good luck,
> Andrew.
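As an added example (not Andrew's or the poster's configuration) of feeding the QUERY_STRING capture from the exchange above into a RewriteMap lookup: the map file path, its contents and the fallback key are assumptions, and the rules use Apache 2.2 syntax.

```apache
# Added example, not the thread's own config. Assumed map file
# /etc/httpd/vanity-map.txt with one "key value" pair per line, e.g.:
#   after_blizzard   articles/authored/after-blizzard
#   furnace_filter   articles/authored/change-your-furnace-filter

RewriteEngine On
# RewriteMap is valid only in server or virtual-host context, not .htaccess.
RewriteMap vanmap txt:/etc/httpd/vanity-map.txt

RewriteCond %{REQUEST_URI}  ^/mmh/
# QUERY_STRING is still URL-encoded at this point, so the encoded slash is
# literally "%2F". "\w+" limits the key to word characters.
RewriteCond %{QUERY_STRING} \%2F(\w+)\.xml$
# %1 is the group captured by the last matching RewriteCond. $1 would refer to
# a group in the RewriteRule pattern, and ".*" has none, so the key would be
# empty. The "|articles" part is the value used when the key is not in the map,
# so an unknown or attacker-chosen key only ever redirects to a fixed page.
# The trailing "?" drops the original query string from the redirect target.
RewriteRule .* /mmh/${vanmap:%1|articles}? [R=302,L]
```

Reload after editing the map: txt maps are re-read when the file's mtime changes, so no restart is needed.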
Re: [users@httpd] mod_cache is caching content with Cache-Control: private response headers
I think I have this figured out, but am interested to know if this is a bug or expected behavior.

So I had Spring add a Cache-Control: max-age=600 header in the configuration. I was also adding a Cache-Control: private header in the Java code in a specific place, more or less for testing. I could see both headers come through on Firefox and Chrome, but mod_cache refused to obey the private header and would cache that request.

I took out the automatic Spring stuff and just added the private header in my code. My gosh, it worked! Mod_cache would NOT cache that specific request, exactly what I wanted.

My thought is that two Cache-Control headers were coming through and mod_cache obeyed one or the other, not both (and it happened to not obey the private one probably because of the order). Does this sound feasible? Bug?

On Wed, Oct 5, 2011 at 9:00 AM, Brendon Anderson wrote:
> I am 100% sure. I am adding the header using Java code on Tomcat behind Apache. If I remove that particular line from the code, the Cache-Control: private header is not being sent.
>
> Java code, if it matters:
> response.addHeader("Cache-Control", "private");
>
> On Wed, Oct 5, 2011 at 8:53 AM, Tom Evans wrote:
>> On Wed, Oct 5, 2011 at 2:16 PM, Brendon Anderson wrote:
>>> I am setting the Cache-Control: private header in a response on a certain url, but mod_cache is still caching this url.
>>>
>>> Response Headers as indicated by Firefox (Chrome reports similar results):
>>>
>>> Response Headers
>>> Date Wed, 05 Oct 2011 12:58:41 GMT
>>> Server Apache/2.2.20 (Win32) mod_jk/1.2.32
>>> Expires Wed, 05 Oct 2011 12:59:25 GMT
>>> Cache-Control private
>>> Content-Language en-US
>>> Content-Length 7046
>>> Age 15
>>> Content-Type text/html;charset=UTF-8
>>> X-Cache MISS from x.y.z.com
>>> Via 1.0 x.y.z.com:80 (squid/2.6.STABLE22)
>>> Proxy-Connection keep-alive
>>>
>>
>> Are you 100% sure that the Cache-Control header is being sent with the content, and it is not being added by the Squid cache that you are also going through?
>>
>> Cheers
>>
>> Tom
Re: [users@httpd] mod_cache is caching content with Cache-Control: private response headers
I am 100% sure. I am adding the header using Java code on Tomcat behind Apache. If I remove that particular line from the code, the Cache-Control: private header is not being sent.

Java code, if it matters:
response.addHeader("Cache-Control", "private");

On Wed, Oct 5, 2011 at 8:53 AM, Tom Evans wrote:
> On Wed, Oct 5, 2011 at 2:16 PM, Brendon Anderson wrote:
>> I am setting the Cache-Control: private header in a response on a certain url, but mod_cache is still caching this url.
>>
>> Response Headers as indicated by Firefox (Chrome reports similar results):
>>
>> Response Headers
>> Date Wed, 05 Oct 2011 12:58:41 GMT
>> Server Apache/2.2.20 (Win32) mod_jk/1.2.32
>> Expires Wed, 05 Oct 2011 12:59:25 GMT
>> Cache-Control private
>> Content-Language en-US
>> Content-Length 7046
>> Age 15
>> Content-Type text/html;charset=UTF-8
>> X-Cache MISS from x.y.z.com
>> Via 1.0 x.y.z.com:80 (squid/2.6.STABLE22)
>> Proxy-Connection keep-alive
>>
>
> Are you 100% sure that the Cache-Control header is being sent with the content, and it is not being added by the Squid cache that you are also going through?
>
> Cheers
>
> Tom
Re: [users@httpd] mod_cache is caching content with Cache-Control: private response headers
On Wed, Oct 5, 2011 at 2:16 PM, Brendon Anderson wrote:
> I am setting the Cache-Control: private header in a response on a certain url, but mod_cache is still caching this url.
>
> Response Headers as indicated by Firefox (Chrome reports similar results):
>
> Response Headers
> Date Wed, 05 Oct 2011 12:58:41 GMT
> Server Apache/2.2.20 (Win32) mod_jk/1.2.32
> Expires Wed, 05 Oct 2011 12:59:25 GMT
> Cache-Control private
> Content-Language en-US
> Content-Length 7046
> Age 15
> Content-Type text/html;charset=UTF-8
> X-Cache MISS from x.y.z.com
> Via 1.0 x.y.z.com:80 (squid/2.6.STABLE22)
> Proxy-Connection keep-alive
>

Are you 100% sure that the Cache-Control header is being sent with the content, and it is not being added by the Squid cache that you are also going through?

Cheers

Tom
[users@httpd] mod_cache is caching content with Cache-Control: private response headers
I am setting the Cache-Control: private header in a response on a certain url, but mod_cache is still caching this url.

Response Headers as indicated by Firefox (Chrome reports similar results):

Response Headers
Date Wed, 05 Oct 2011 12:58:41 GMT
Server Apache/2.2.20 (Win32) mod_jk/1.2.32
Expires Wed, 05 Oct 2011 12:59:25 GMT
Cache-Control private
Content-Language en-US
Content-Length 7046
Age 15
Content-Type text/html;charset=UTF-8
X-Cache MISS from x.y.z.com
Via 1.0 x.y.z.com:80 (squid/2.6.STABLE22)
Proxy-Connection keep-alive

Logs indicating url is being cached (url set to private is /hrportal/home):

(accessing using Chrome)
[Wed Oct 05 07:58:25 2011] [debug] mod_cache.c(757): cache: Removing CACHE_REMOVE_URL filter.
[Wed Oct 05 07:58:25 2011] [info] mem_cache: Cached url: http://blahfoobar:8080/hrportal/home?

(accessing using Firefox)
[Wed Oct 05 07:58:41 2011] [debug] mod_cache.c(298): cache: running CACHE_OUT filter
[Wed Oct 05 07:58:41 2011] [debug] mod_cache.c(312): cache: serving /hrportal/home

Mod_cache config:

CacheIgnoreNoLastMod On
CacheIgnoreQueryString On
CacheIgnoreHeaders Set-Cookie
CacheIgnoreURLSessionIdentifiers jsessionid
CacheStorePrivate Off
CacheEnable mem /
#100MB in KB
MCacheSize 102400
#MCacheMinObjectSize 1
#4MB in bytes
MCacheMaxObjectSize 4194304

What am I doing wrong? From my reading on mod_cache, it should NOT cache if the Cache-Control header contains private.
[users@httpd] mod_cache per virtualhost in a proxy apache
Hi.

I am trying to enable mod_cache in one Apache on ubuntu-server (2.2.14) that acts as a proxy for other Apaches.

My first question is: Is mod_mem_cache indicated for a proxy of Apaches, or should it be mod_disk_cache?

Finally I enabled mod_mem_cache as the doc seems to say:

- Simple: I edit /etc/apache2/mods-available/mem_cache.conf with:

CacheEnable mem /
MCacheSize 4096
MCacheMaxObjectCount 100
MCacheMinObjectSize 1
MCacheMaxObjectSize 2048

and enable the modules and restart apache:

# a2enmod cache
# a2enmod mem_cache
# /etc/init.d/apache2 restart

My second question is: Is it as easy as this to configure mem_cache in an "Apache that acts as proxy for other Apaches" (only editing the mem_cache.conf file) to manage all the other Apaches that are managed by this proxy-Apache? Or must I set one configuration like this per proxy defined as a virtualhost in the /etc/apache2/sites-available dir?

For example, in /etc/apache2/sites-available/webserver1:

ProxyPreserveHost On
ProxyPass / http://192.168.X.XX/
ProxyPassReverse / http://192.168.X.XX/
ServerName blabla.com
CacheEnable mem /
MCacheSize 4096
MCacheMaxObjectCount 100
MCacheMinObjectSize 1
MCacheMaxObjectSize 2048

- in /etc/apache2/sites-available/webserver2:

ProxyPreserveHost On
ProxyPass / http://192.168.X.XX/
ProxyPassReverse / http://192.168.X.XX/
ServerName blabla.com
CacheEnable mem /
MCacheSize 4096
MCacheMaxObjectCount 100
MCacheMinObjectSize 1
MCacheMaxObjectSize 2048

etc, etc.

Or is it enough to specify it in /etc/apache2/mods-available/mem_cache.conf for all the proxied Apaches to start being cached by my 'proxy-apache'?

Thank you
Gonzalo