Re: [users@httpd] Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure
Thanks Mark!

On Wed, Oct 5, 2011 at 5:01 PM, Mark Montague wrote:
> On October 5, 2011 17:44, Thomas Smith wrote:
>>
>> Can someone help me get my desired configuration to work?
>
> Maybe someone who is not me can :) I'd be able to help you better if you
> asked your question much more narrowly. Provide the configuration that is
> NOT working, say what your goal is (desired outcome/behavior), and be as
> specific as possible about the problem you are encountering: include what
> you do to encounter the problem (the specific HTTP requests), messages from
> the Apache HTTP Server error log, observed behavior (how what actually
> happens differs from the desired behavior), and so on.

I've attempted MANY different configurations that DIDN'T work. So I thought it would be best to say "this is what I have that works and this is what I'd like to do but haven't been able to get working" rather than post the many, many configuration failures I've attempted. :-)

>> I created a Directory directive for /opt/rt4 that enables the LDAP
>> authentication. This works really well but breaks their mail-gateway
>> functionality (because this script is unable to perform
>> authentication). I used a SetEnvIf parameter to exclude the two
>> directories from authentication and it worked well (only the REST
>> directory is required for the mail-gateway to work, though). However,
>> the RT developers recommend restricting access to mail-gateway to
>> 127.0.0.1 as it's used to inject tickets, via email, into RT's
>> database--I haven't been able to get this to work.
>
> From what I can extract from the above, you want to have everything use LDAP
> authentication except for one or more specific resources which you want to
> use host-based access control, correct?
>
> In this case, you need to use the "Satisfy Any" directive since access
> control methods normally supplement, not replace, authentication mechanisms.
> Here's an example (note that this is not a complete example, I've left out
> most directives for clarity):
>
> <Directory /foo>
>     Require valid-user
>     Order allow,deny
>     Allow from all
> </Directory>
>
> <Directory /foo/bar>
>     # Require EITHER an authenticated user (the configuration for /foo is
>     # inherited for /foo/bar)
>     # OR allow access from 127.0.0.1
>     Allow from 127.0.0.1
>     Satisfy Any
> </Directory>

I tried the Directory directives you mentioned and they didn't work. However, I finally found a configuration that did work (your post inspired me to look at this problem in a different way and ultimately led to the solution):

    <Directory /opt/rt4>
        .
        . LDAP authentication stuff goes here
        .
        Order allow,deny
        Allow from all
    </Directory>

    # (the paths of the two Location sections below were lost in archiving)
    <Location ...>
        Options +ExecCGI
        AddHandler fastcgi-script fcgi
        Order allow,deny
        Allow from all
        Satisfy any
    </Location>

    <Location ...>
        Order allow,deny
        Allow from 127.0.0.1
        Satisfy any
    </Location>

If I change the last two Location directives to Directory and point them to the respective file system locations, things don't work as expected--that is, when accessing https://sub.domain.tld/REST/1.0/NoAuth/mail-gateway from localhost, I still get prompted to authenticate. But those directives as they appear here work as expected (I can access mail-gateway from localhost and attempts outside of this [i.e. not from localhost] are prompted to authenticate). Also note that the latter two Location directives WILL NOT work without listing "Order allow,deny", which seems contrary to the inheritance you mentioned.

The Apache documentation also mentions that it's more favorable to use Directory directives over Location directives when the intent is to secure file system locations (see the "What to use When" section located here: http://httpd.apache.org/docs/2.0/sections.html). So given that my intent is to secure file system locations, are there any inherent security risks associated with doing things the way I have it configured here? Or any reason I wouldn't want to continue forward with this configuration?

Thanks again for your help!
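As an added illustration for the exchange above (not the poster's or Mark's configuration), the same intent spelled out as one Directory section plus one Location section, with the caveats behind the poster's closing question in the comments. The LDAP URL and the mapping of RT's URLs onto files under /opt/rt4 (DocumentRoot/ScriptAlias elsewhere in the vhost) are assumed.

```apache
# Added example, not the poster's configuration. Apache 2.2 syntax.

# Filesystem scope: everything RT serves from /opt/rt4 needs an LDAP user.
<Directory /opt/rt4>
    AuthType Basic
    AuthName "RT"
    AuthBasicProvider ldap
    # assumed directory; replace with your own
    AuthLDAPURL "ldap://ldap.example.internal/ou=people,dc=example,dc=internal?uid"
    Require valid-user
    Order allow,deny
    Allow from all
    # the default: host rules AND authentication both have to pass
    Satisfy All
</Directory>

# URL scope: the mail gateway is a request path handled by the FastCGI
# script, so it is matched by <Location>. AuthType/AuthName/Require are
# inherited from the Directory above, but Order/Allow/Deny are replaced,
# not merged, between sections (mod_authz_host has no merge step), which
# is why Order has to be repeated here. "Satisfy Any" then grants access
# if EITHER the host rule OR the authentication succeeds.
<Location /REST/1.0/NoAuth/mail-gateway>
    Order allow,deny
    Allow from 127.0.0.1
    Satisfy Any
</Location>

# What the host rule does and does not give you:
# - "Allow from 127.0.0.1" tests the TCP peer address only. Any process on
#   the same host that can open a connection to this vhost (a local reverse
#   proxy, a web application issuing server-side HTTP requests) passes it
#   too. If a proxy sits in front, allow the proxy's address and have the
#   proxy enforce the loopback restriction instead.
# - A <Location> covers that URL and its subpaths only; the same handler
#   reached through another URL stays under the <Directory> rules, so list
#   each unauthenticated path explicitly rather than a broad prefix.
# - Apache 2.4 expresses the same intent without Order/Allow/Satisfy:
#     <RequireAny>
#         Require ip 127.0.0.1
#         Require valid-user
#     </RequireAny>
```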
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] Forward client cert with no HTTPS
Hi all,

I have an Apache Web Server v2.2.14 which is used as a front-end for a Tomcat Server v5.5. The connector between servers is mod_jk v1.2.28. So the Tomcat Server is behind the Apache Server, itself behind an IPS (Intrusion Prevention System). The IPS is in a DMZ, and HTTPS/SSL is enabled only in this area. So there is NO HTTPS/SSL on either Apache or Tomcat.

The users of my application authenticate with an x509 certificate contained in a USB device. The SSL mutual authentication is done by the IPS. After that, all is in HTTP. What I want is to get the client's certificate on Tomcat, to perform further business checks in my application. The only thing that I know is that, after mutual SSL authentication, the IPS puts the client certificate in the HTTP header with the value "X-SSL_CLIENT_CERT".

My questions are:

1/ Is Apache able to forward the client's certificate to Tomcat, even if there is no HTTPS on Apache and Tomcat? (maybe using JkEnvVar?)

2/ The value "X-SSL_CLIENT_CERT" to store the cert in the HTTP header: is it standard? Is there a difference with "SSL_CLIENT_CERT"? If not standard, this could be modified.

3/ Ideally, is there a way with Apache to put the client's certificate as a request attribute "javax.servlet.request.X509Certificate"? (because I use Spring Security in my app, and X509 authentication with Spring Security uses request.getAttribute("javax.servlet.request.X509Certificate") to get the cert and authenticate)

PS1: I would have run some tests myself, but I have to write quickly a specification without having all I need to test if what I write is good :(

PS2: Sorry if my English is bad because I'm French...

Thanx in advance
Stieuma
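An added, untested sketch for the setup described above (not from the thread). It assumes the IPS is the only host allowed to reach Apache (10.0.0.5 is a placeholder), that mod_jk reads the certificate from the variable named by JkCERTSIndicator only while the JkHTTPSIndicator variable is "on", and that Tomcat's AJP connector exposes the forwarded certificate as javax.servlet.request.X509Certificate.

```apache
# Added sketch, not the poster's configuration (Apache 2.2 / mod_jk 1.2.x).
# 10.0.0.5 stands in for the IPS address.

# 1. Only the IPS may talk to Apache. The X-SSL_CLIENT_CERT header is just
#    text: any client that can reach this server directly could send its
#    own and impersonate a user, because no TLS handshake is verified here.
<Location />
    Order deny,allow
    Deny from all
    Allow from 10.0.0.5
</Location>

# 2. The header name is not a standard. mod_ssl's own variable is
#    SSL_CLIENT_CERT (a PEM certificate), which is also what mod_jk looks
#    for, so copy the header into that variable and flag the request as
#    having come over HTTPS. Assumes the IPS sends a PEM that Tomcat's
#    X.509 CertificateFactory can parse.
SetEnvIf X-SSL_CLIENT_CERT "(.+)" HTTPS=on
SetEnvIf X-SSL_CLIENT_CERT "(.+)" SSL_CLIENT_CERT=$1

# 3. mod_jk forwards the certificate over AJP when its HTTPS indicator is
#    "on"; Tomcat's AJP connector then populates
#    request.getAttribute("javax.servlet.request.X509Certificate").
JkExtractSSL     On
JkHTTPSIndicator HTTPS
JkCERTSIndicator SSL_CLIENT_CERT
JkMount /app/* worker1

# If the raw value is enough, JkEnvVar exposes an environment variable as a
# plain request attribute of the same name instead:
# JkEnvVar SSL_CLIENT_CERT
```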
RE: [users@httpd] HELP: apache 2.2.17 creating zombies that are increasing server load
Just a follow-up: upgrading to 2.2.21 has cleared this issue and we are no longer experiencing zombies. Thank you!

Jeff

-----Original Message-----
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Saturday, September 10, 2011 3:45 AM
To: users@httpd.apache.org
Cc: Martin, Jeff
Subject: Re: [users@httpd] HELP: apache 2.2.17 creating zombies that are increasing server load

Hi Martin,

Thanks for the detailed information.

The observed zombies are threads in Apache child processes. Those processes (here PID 16042) are actually in the process of shutting down, either due to a web server restart, or MPM configuration (like MaxRequestsPerChild or spare process configuration). Unfortunately one of the threads falls into a non-terminated loop during shutdown which consumes lots of cpu and prevents the process from exiting.

So the real problem is this looping thread:

> - lwp# 24 / thread# 24
>  ff1577dc apr_brigade_cleanup (a5a500, 0, 10c0c, fec6367c, fee58624, a5a4f0) + 18
>  ff014ab8 run_cleanups (a39a80, 0, 4, 0, 1, a65b00) + 20
>  ff015b94 apr_pool_destroy (a39a70, a35aa0, ff017ddc, 0, de520, 0) + 38
>  ff015dec apr_pool_clear (a35a60, a35aa0, a35aa0, 1d5, 0, 19ab58) + 1c
>  00099a2c worker_thread (19aef8, 7, 0, e0400, e0400, 54) + 230
>  ff020640 dummy_worker (19aef8, fd47c000, 0, 0, ff020634, 1) + c
>  fecc94f0 _lwp_start (0, 0, 0, 0, 0, 0)

Problems like that are unfortunately not easy to debug. Do you use any 3rd-party modules, which did not come bundled with Apache? Your config doesn't indicate it, but I'm asking to double check, because e.g. "pfiles" lists OpenSSL libs without mod_ssl being loaded in the config. It might be you compiled modules into httpd statically.

Any error message in the error_log?

Can you reproduce the problem? Even on a test system?

Although I'm not aware of any fixes directly related, it might be a good first step to switch to 2.2.20 (or 2.2.21, which will likely be released in a few days) and apr 1.4.5 / apr-util 1.3.12 in order to start debugging from recent versions.

Regards,

Rainer

On 07.09.2011 22:59, Martin, Jeff wrote:
> Hello,
> I have a Solaris 10 server running apache 2.2.17 and on a weekly basis
> it's creating zombies and increasing the load to the point where we have
> to restart it every Thursday night. There are 6 apache instances running
> on this box but this is the only one seeing the issue. There have been
> no changes to the box that I am aware of or the developers are aware of.
> I've included a lot of output as I'm not sure what will be helpful and
> what won't. Any info or steps to resolve this is most appreciated. TIA.
> Jeff
>
> bash-3.00# ulimit -a
> core file size        (blocks, -c) unlimited
> data seg size         (kbytes, -d) unlimited
> file size             (blocks, -f) unlimited
> open files                    (-n) 256
> pipe size          (512 bytes, -p) 10
> stack size            (kbytes, -s) 8192
> cpu time             (seconds, -t) unlimited
> max user processes            (-u) 29995
> virtual memory        (kbytes, -v) unlimited
>
> bash-3.00# netstat -an|grep 172.23.181.34.80|wc -l
> 3438
>
> bash-3.00# uptime
> 1:43pm up 343 day(s), 2:59, 2 users, load average: 4.41, 4.50, 4.39
>
> SunOS 5.10 Generic_142909-17 sun4v sparc SUNW,SPARC-Enterprise-T5120
>
> httpd.conf
> ServerRoot "/web/apache2-prod-showcase_second"
>
> Listen 172.23.181.34:80
>
> LoadModule headers_module modules/mod_headers.so
> LoadModule rewrite_module modules/mod_rewrite.so
>
> User csdrd
> Group daemon
>
> ServerAdmin webmas...@xx.x.com
> ServerName xx.x.com
> DocumentRoot "/apps/doc-root"
>
> ErrorLog "logs/error_log"
> LogLevel warn
>
> DefaultType text/plain
>
> # Cache control
> ExpiresActive On
> ExpiresByType image/gif "access plus 1 weeks"
> ExpiresByType image/jpg "access plus 1 weeks"
> ExpiresByType image/jpeg "access plus 1 weeks"
> ExpiresByType application/x-shockwave-flash "access plus 1 weeks"
> ExpiresByType image/png "access plus 1 weeks"
> FileETag none
>
> ProxyRequests Off
> ProxyPreserveHost On
>
> Order deny,allow
> Deny from all
> Allow from all
>
> ProxyPass /showcase/explore balancer://exploreutc stickysession=JSESSIONID|jsessionid timeout=5 lbmethod=byrequests nofailover=Off
> # Port 8180 service bind
> BalancerMember http://172.22.81.99:8080/utc route=host3
> BalancerMember http://172.22.81.100:8080/utc route=host4
> BalancerMember http://172.22.81.99:8180/utc route=host3a
> BalancerMember http://172.22.81.100:8180/utc route=host4a
>
> Options FollowSymLinks
> AllowOverride None
> Order deny,allow
> Deny from all
>
> Options FollowSymLinks
> AllowOverride All
> Order allow,deny
> Allow from all
>
> AllowOverride None
> Options None
> Order allow,deny
> Allow f
[users@httpd] output_filter apr_bucket_read
I am working on an output_filter and I have a question about reading data. I am reading data with a similar technique to mod_dumpio, but when testing with a large pdf file, I get less data from apr_bucket_read than b->length indicates. It seems some buffer size limit for reading exists. How should I get all data out of b? Any existing example? (I am not manipulating data in buckets at all, just forwarding them to the next filter.)

    static apr_status_t forward_filter(ap_filter_t *f, apr_bucket_brigade *bb)
    {
        apr_bucket *b;
        for (b = APR_BRIGADE_FIRST(bb); b != APR_BRIGADE_SENTINEL(bb); b = APR_BUCKET_NEXT(b)) {
            const char *buf;
            apr_size_t nbytes;
            apr_size_t bsize = b->length;   /* size before the read */
            if (!APR_BUCKET_IS_METADATA(b)) {
                /* A FILE bucket above APR_MMAP_LIMIT (4 MiB) is read only that far: b
                 * becomes an in-memory bucket of the bytes read and the rest is inserted
                 * as a new FILE bucket after b, which the next iteration reads. */
                if (apr_bucket_read(b, &buf, &nbytes, APR_BLOCK_READ) == APR_SUCCESS) {
                    if (nbytes) {
                        /* do something with buf */
                    }
                }
            }
        }
        return ap_pass_brigade(f->next, bb);  /* forward the buckets unchanged */
    }

printout of buckets (b->length, then what apr_bucket_read returned):

    (data-HEAP as b->length): 254 bytes    nbytes: 254
    (data-FILE): 11563137 bytes    length from nbytes: 4194304
    (data-FILE): 7368833 bytes     length from nbytes: 4194304
    (data-FILE): 3174529 bytes     length from nbytes: 3174529
    mod_ta: (metadata-EOS): 0 bytes

thanks,
Lyudmila
Re: [users@httpd] Apache is redirecting/rewriting randomly
On Wed, Oct 12, 2011 at 6:04 AM, Bilal Itani wrote:
> My apache webserver is redirecting URLs to a random directory, ex if I
> enter in the browser: www.mydomain.com it is redirected internally
> without the URL being changed on the browser to www.mydomain.com/SokMT/,
> each time a new random directory.
>
> Could this be a hack? I started facing this on October 10th and I am
> running CentOs 5.4 with apache 2.2.3

Probably. If you keep FTP/SSH logs, you can check what changed around that time if that is how the attacker got in. If it was a bug in an application you have on the server, it will probably show up in some other log (maybe a strange request in apache's access.log, or the PAM auth log.)

Otherwise, you should look at .htaccess in the htdocs folder (or wherever your virtual host DocumentRoot is). It is also possible that it is in the server/vhost config and has been for a long time, but apache (or the server) restarted on October 10th and reread the configuration.

You should also check that it is not your DNS that was hacked. Use nslookup to make sure that your domain is actually pointing to your server's IP address.
[users@httpd] Apache is redirecting/rewriting randomly
Hello,

My apache webserver is redirecting URLs to a random directory, ex if I enter in the browser: www.mydomain.com it is redirected internally without the URL being changed on the browser to www.mydomain.com/SokMT/, each time a new random directory.

Could this be a hack? I started facing this on October 10th and I am running CentOs 5.4 with apache 2.2.3

Thanks,
Bilal Itani