Re: [users@httpd] Rewrite Rule
On 02.03.2012, at 15:59, Vivek Nambiar wrote:

> http://servername:port/myapp then it should redirect itself to https://servername:SSLport/myapp. I have added the following rewrite condition and rule in my httpd.conf file
>
>     RewriteCond %{SERVER_PORT} PORT
>     RewriteRule ^/(.*)$ https://%{SERVER_NAME}:SSLPORT/$1 [R,L]
>
> The rewrite rule works only if I use the url as http://servername:port/myapp/ (I have to add a / in front of my application). If I use http://servername:port/myapp then the rewrite is done only for the port, that is, it changes to http://servername:sslport/myapp (http does not change to https).

Add a RewriteLog, and set a RewriteLogLevel of, as a start, 4. Make a single request, look at the output. If you don't see the problem yourself then, post the log output for that one request, and your full rewrite config. Maybe there's a different rule catching the URL first.

Rainer
Re: [users@httpd] Stable Version of Httpd
I want to use openssl 0.9.8. Is this compatible with 2.4.1?

2012/3/4 Igor Galić i.ga...@brainsware.org

> [snip]
> You will need to rebuild all external modules of course given it's a new major (like php, mod_perl etc)
>
> The latest stable of mod_perl (2.0.5) doesn't currently build with 2.4.1. Haven't checked out the trunk.
>
> i
>
> --
> Igor Galić
> Tel: +43 (0) 664 886 22 883
> Mail: i.ga...@brainsware.org
> URL: http://brainsware.org/
> GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
Re: [users@httpd] Stable Version of Httpd
On Mon, 2012-03-05 at 14:45 +0530, Harsimranjit singh Kler wrote:

> I want to use openssl 0.9.8. Is this compatible with 2.4.1?

Builds fine with openssl-0.9.8

I build against openssl-0.9.8t
Re: [users@httpd] Stable Version of Httpd
2012/3/4 Igor Galić i.ga...@brainsware.org

> [snip]
> You will need to rebuild all external modules of course given it's a new major (like php, mod_perl etc)
>
> The latest stable of mod_perl (2.0.5) doesn't currently build with 2.4.1. Haven't checked out the trunk.

svn version won't work either -

    modperl_interp.c:503: error: 'conn_rec' has no member named 'remote_ip'

^^^ this is no longer valid with changes in APR

I'd log a bug report on it but that window is using lynx and that site is shocking in support of it so meh, someone else can.
Re: [users@httpd] https port and virtualhost
On 3/5/2012 1:03 AM, Alain Roger wrote:

> Hi,
>
> on my local Windows 7 computer, I have installed and set up a web server for development purposes. Everything works well under port 80 (listening, servername, etc.). I also set up a virtualhost in an extra conf file as follows:
>
>     <VirtualHost *:80>
>         DocumentRoot d:/webserver/www/joomla25
>         ServerName joomla25.loc
>         ServerAlias www.joomla25.loc
>         ErrorLog logs/joomla25.loc.error.log
>         CustomLog logs/joomla25.loc.access.log common
>         AccessFileName .htaccess
>         <Directory d:/webserver/www/joomla25/>
>             AllowOverride All
>             Order deny,allow
>             Deny from all
>             Allow from 127.0.0.1
>         </Directory>
>     </VirtualHost>
>
> However, when my joomla instance goes to the https port (so 443) I get the following error:
>
>     Forbidden
>     You don't have permission to access /E-Shop/checkout.html on this server.
>
> Does it mean that I must create another virtualhost with additional settings like:
>
>     <VirtualHost *:443>
>         SSLEngine On
>         SSLCertificateFile conf/ssl/my_local_IP.cert
>         SSLCertificateKeyFile conf/ssl/my_local_IP.key
>     </VirtualHost>
>
> If not, what should I do?
>
> thx
>
> --
> Alain
> ---
> Windows 7 x64 / Fedora 14 x64
> PostgreSQL 8.3.5 / MySQL 5
> Apache 2.2.16
> PHP 5.3.1
> C# 2005-2008

You haven't yet allowed access to the directory like you have in the :80 vhost. Add this to the SSL vhost, or move it to the server level (outside of any vhosts):

    <Directory d:/webserver/www/joomla25/>
        AllowOverride All
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Directory>

--
Daniel Ruggeri
Re: [users@httpd] confused about modsecurity and apparmor
On March 4, 2012 22:11 , Rajeev Prasad rp.ne...@yahoo.com wrote:

> want to make sure my web server is highly secure. I am not sure between modsecurity and AppArmor. can someone help with their experience?

mod_security is a web application firewall that works at the HTTP level to protect the web server and web application from attacks. You can add rules to prevent specific exploits, or to implement policies (e.g., block requests that appear to contain credit card numbers or other sensitive data). See https://modsecurity.org/projects/modsecurity/apache/

AppArmor is a Mandatory Access Control system that works at the operating system level. It restricts what programs running on the system, such as Apache HTTP Server, are allowed to do. For example, if someone exploits a security vulnerability in a web application you are running to gain control of Apache, AppArmor can prevent the attacker from opening an outgoing IRC connection. More importantly, AppArmor can detect that Apache has TRIED to do something that it shouldn't be doing, thus alerting you to the attacker's presence. See https://en.wikipedia.org/wiki/Apparmor

Normally, you would not choose between mod_security and AppArmor: both can be used together, and they complement each other to provide defense in depth.

I hope this helps.

--
Mark Montague
m...@catseye.org
[users@httpd] mod_status, disable server-status for users
Hello List,

is there any possibility to hide the server-status page provided by mod-status for my users? Every user with .htaccess is able to use sethandler and able to view the complete status. How to disable this?

Thanks,
Hajo
Re: [users@httpd] mod_proxy_fcgi + PHP-FPM on Apache 2.4 solution?
On March 3, 2012 7:22 , Daniel danco...@gmail.com wrote:

> Thank you, I just realized that earlier, as I thought Location /www/ meant server side. It works, however it passes all traffic through PHP-FPM and gives a Access denied. message on static files, and does not allow passing variables through the URL with the mod_rewrite method.
>
> An alternative rewrite,
>
>     RewriteRule ^/?(.*\.php)$ fcgi://127.0.0.1:9000/www/$1 [P,L]
>
> allows static files to work, but breaks PHP files when you try to pass variables, or even add a symbol, as like before. (ex: info.php?)
>
> Is there any 'fully-working' solution for PHP-FPM with Apache 2.4? None of the methods seem to work as intended. Either static files do not work, or variables cannot be passed.

I have PHP-FPM fully working with a patched Apache 2.3.12, so it should be workable with 2.4.

For passing static files, this is just a guess, but make sure you have default_mimetype set to an empty value in php.ini. If this does not help, let me know and I'll look at my configuration more closely.

For the RewriteRule not passing query strings (variables), see https://issues.apache.org/bugzilla/show_bug.cgi?id=51077

Unfortunately, the person with commit access who looked at this did not see the rationale for it, and I have not had time to go back and install the entire testing framework (which is apparently a big pain, according to the recent thread on the topic) to see what tests the patch breaks and how/why it breaks them. I do hope to go back and take another stab at this, but I can't say when it will be, so if anyone else wants to, please feel free.

--
Mark Montague
m...@catseye.org
Re: [users@httpd] mod_proxy_fcgi + PHP-FPM on Apache 2.4 solution?
I have found an alternative method that works nicely, only passes .php files to PHP-FPM and allows the variables to pass.

    ProxyPassMatch ^(.*\.php)$ fcgi://127.0.0.1:9000/www/danielhe/danielhe.com/cookie.danielhe.com$1

This is really weird though, because when it's put outside of a vhost, it works properly, but when I put it inside one, it gives a 404. Error logs show up for the same URL, but when put inside the vhost, it says it does not exist. Any idea why?

vhost:

    AH00128: File does not exist: proxy:fcgi://127.0.0.1:9000/www/danielhe/danielhe.com/cookie.danielhe.com//index.php

outside of vhost:

    AH00947: connected /www/danielhe/danielhe.com/cookie.danielhe.com//index.php to 127.0.0.1:9000
[users@httpd] gen_test_char: cannot execute binary file
Hi!

When porting/cross-compiling the Apache HTTP Server the build fails with the following error message:

    /bin/sh: ./gen_test_char: cannot execute binary file

This is due to that the gen_test_char is compiled with the cross-compiler but executed on the build system.

This error has been around for 10 years or so, but I could not find an error report on this issue so I created one (in May, 2011): https://issues.apache.org/bugzilla/show_bug.cgi?id=51257

There exists an old (2003-08-13) patch (http://marc.info/?l=apache-httpd-dev&m=106150997309208&w=2) for this error but I do not think that it was integrated.

Another patch (http://svn.apache.org/viewvc/httpd/httpd/trunk/server/gen_test_char.c?r1=758929&r2=795438&pathrev=1001398&diff_format=h) has recently been integrated to simplify cross-compilation. However, this patch does not solve the gen_test_char cross-compiling issue.

A known workaround is to:

1. Cross-compile and wait for the build to fail.
2. Compile for build system and copy the gen_test_char binary to the cross-compiled build folder
3. Run make a second time for the cross-compiled system

However, since I'm about to automate the build process this workaround is not sufficient for me.

It seems strange that this error has been around for so long time so I'm wondering if the Httpd build system does include some way to generate a correct gen_test_char file when cross-compiling?

Thanks in advance.

Kind Regards,
Henrik
Re: [users@httpd] Conditional disabling of caching (mod_cache) based on presence of certain cookie possible ?
On 02.03.12 15:29, Soumendu Bhattacharya wrote:

> We use Apache + mod_cache for caching our website. Our mod_cache rule is such that it enables caching for all and then selectively certain url pattern is disabled (like some contexts). Currently the need is that if a certain cookie is present , the same url which was originally cached , should now be prevented from caching. Say I was caching xyz.com/a/b.html , but now if a certain cookie say NO-CACHE is present , the same xyz.com/a/b.html should not be served from cache. The url's which can contain NO-CACHE cookie is not limited (cannot be defined fully) and hence it looks like I need to check the presence of this cookie and then figure out a way to prevent (if the cookie is present) Apache from serving the content from cache.

Why a cookie? There's Cache-Control: HTTP header designed for this, not Cookie:

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: [users@httpd] mod_status, disable server-status for users
On 05.03.12 14:32, Hajo Locke wrote:

> is there any possibility to hide the server-status page provided by mod-status for my users? Every user with .htaccess is able to use sethandler and able to view the complete status.

I'm afraid the only way to disable this is to disable mod_status. I don't know of any other way and that's why I don't use mod_status.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: [users@httpd] mod_status, disable server-status for users
hello,

> I'm afraid the only way to disable this is to disable mod_status. I don't know of any other way and that's why I don't use mod_status.

which module are you using? I can't renounce to view a statuspage of my server.

Thanks,
Hans
Re: [users@httpd] mod_status, disable server-status for users
On March 5, 2012 8:32 , Hajo Locke hajo.lo...@gmx.de wrote:

> is there any possibility to hide the server-status page provided by mod-status for my users? Every user with .htaccess is able to use sethandler and able to view the complete status. How to disable this?

Disable mod_status, or turn off .htaccess files, or disable the FileInfo override (Options -FileInfo), or don't give any access to the filesystem to anyone who you don't trust with the power to use .htaccess files.

The documentation warns about this problem: https://httpd.apache.org/docs/2.2/mod/mod_status.html says,

> It should be noted that if mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). This may have security-related ramifications for your site.

--
Mark Montague
m...@catseye.org
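An added example, not part of the thread or of the httpd project: a Python check that walks a document tree and reports every per-directory file that enables the server-status handler, which is the situation the replies above describe. The file name .htaccess (the AccessFileName default), the function names and the sample tree are assumptions; the sample files are constructed.

```python
import os
import re
import tempfile

# Handler registered by mod_status; compared case-insensitively to be conservative.
STATUS_HANDLERS = frozenset({"server-status"})

# "SetHandler name" applies to everything in scope; "AddHandler name .ext" maps
# an extension to the handler. Directive names are case-insensitive.
DIRECTIVE_RE = re.compile(r'^\s*(SetHandler|AddHandler)\s+"?([\w-]+)"?', re.IGNORECASE)


def logical_lines(text):
    """Yield (first_line_number, line): join backslash continuations, drop comments."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line, buf = buf + raw, ""
        if not line.lstrip().startswith("#"):
            yield start, line
        start = None
    if buf.strip():
        yield start, buf


def find_status_handlers(root, access_file=".htaccess", handlers=STATUS_HANDLERS):
    """Return sorted (relative_path, line_number, directive) for each hit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if access_file not in files:
            continue
        path = os.path.join(dirpath, access_file)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in logical_lines(fh.read()):
                m = DIRECTIVE_RE.match(line)
                if m and m.group(2).lower() in handlers:
                    hits.append((os.path.relpath(path, root), lineno, m.group(1).lower()))
    return sorted(hits)


def build_sample_tree(root):
    """Write three constructed .htaccess files for the demonstration."""
    samples = {
        "alice": "# constructed sample\nSetHandler server-status\n",
        "bob": "Options -Indexes\n# SetHandler server-status\n",  # commented out: no hit
        os.path.join("carol", "stats"): 'sethandler \\\n    "Server-Status"\n',
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, lineno, directive in find_status_handlers(tmp):
            print(f"{path}:{lineno}: {directive} enables server-status")
```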
Re: [users@httpd] mod_proxy_fcgi + PHP-FPM on Apache 2.4 solution?
I haven't been able to play with this yet but shouldn't something like this work as well?

    <LocationMatch \.php$>
        ProxyPass fcgi://127.0.0.1:9000
    </LocationMatch>

Regards,
Dennis
Re: [users@httpd] apache 2.4.1, regression, caching forward proxy configuration
On Sat, Mar 03, 2012 at 06:06:51PM +0100, Rainer Jung wrote:

> On 01.03.2012 17:19, Juergen Daubert wrote:
>> On Thu, Mar 01, 2012 at 03:38:10PM +, Nick Kew wrote:
>>> On Thu, 1 Mar 2012 12:34:22 +0100 Juergen Daubert j...@jue.li wrote:
>>>> Any ideas or suggestions?
>>>
>>> Set Loglevel to debug, or if necessary high-level trace, for the relevant modules.
>>
>> Thanks for the hint but I've tried that already, with no result. Even with a
>>
>>     LogLevel cache:trace8
>>     LogLevel cache_disk:trace8
>>
>> there's nothing in the logfile. To verify the syntax I've done the same for the proxy module with proxy:trace8 which works, meaning a lot of traces in the logfile.
>>
>> The strange thing is that everything works with apache 2.2.x, so my guess is that there are either new but undocumented configuration switches or we have a regression in 2.4.1. BTW, I've found another report for probably the same issue, see [1].
>>
>> [1] http://article.gmane.org/gmane.comp.apache.user/98771
>
> Could it be some VHost config merging thing? Cache defined in the main server, but requests handled in some VHost? I don't have much experience with mod_cache, but I vaguely remember some VHost config support being added or improved in 2.4.

No, there are no VHosts defined at all. See the configuration in my initial posting.

> Double check, that your requests are actually handled by the global server and if not, copy or move the cache config to the correct VHost and retest.

To exclude an error in that region I've created a VHost setup which includes the proxy and cache defines, but without success. The problem is still the same: proxy works, caching to disk doesn't work.

Thanks and regards
Juergen
Re: [users@httpd] confused about modsecurity and apparmor
thx Mark, it does help to understand things better.

so that mean grsecurity and AppArmor doing the same thing? except that grsecurity is much complex and harder i guess. (I wanted to do that, but does not have enough expertise to think of building a LAMP install on grsecurity patched ubuntu.)

I will go for both AppArmor and mod_security.

I will publish my notes, once i get everything done right.
RE: [users@httpd] apache 2.4.1, regression, caching forward proxy configuration
> The strange thing is that everything works with apache 2.2.x, so my guess is that there are either new but undocumented configuration switches or we have a regression in 2.4.1. BTW, I've found another report for probably the same issue, see [1].
>
> [1] http://article.gmane.org/gmane.comp.apache.user/98771

This slightly dated thread mentions the check-in for the realigned naming convention: http://old.nabble.com/mod_disk_cache--%3E-mod_cache_disk-td29963400.html

I wonder if anyone confirmed Graham's work as requested?
Re: [users@httpd] confused about modsecurity and apparmor
On March 5, 2012 11:20 , Rajeev Prasad rp.ne...@yahoo.com wrote:

> thx Mark, it does help to understand things better.
>
> so that mean grsecurity and AppArmor doing the same thing? except that grsecurity is much complex and harder i guess. (I wanted to do that, but does not have enough expertise to think of building a LAMP install on grsecurity patched ubuntu.)

grsecurity and AppArmor are both Mandatory Access Control (MAC) systems, yes. But they have different strengths and weaknesses. As far as I know, you can only run one MAC system at any given time. Two other MAC systems which you may have heard about are SELinux and Tomoyo.

--
Mark Montague
m...@catseye.org
Re: [users@httpd] changing owner:group of uploaded data
On 5 March 2012 08:06, Steve Swift swi...@swiftys.org.uk wrote:

> This certainly sounds like a situation for SUEXEC. However, if you need the apache server to assign files to arbitrary user:group then there are two ways that I know of:
>
> 1. You could create a SUDO entry which allows apache to use the chown/chgrp command AS root

This did the trick

> 2. You could create a program to issue the chown/chgrp commands and use the SETUID bit so that it executes as root.

Somehow, this failed to work, no matter what I tried. Although the simple shell script did work when invoked from the command line, it never worked when invoked with (Perl)

    system( "/name/of/script $usr:$grp $path" )

Thank you!
Wolfgang

> In the first case, the SUDO entry should be restricted to your apache ID.
>
> In the second case, the process is controlled by a program that you control, so you can add any security that you wish. I'd start by having the program verify that it is, indeed, running under the apache userid, whatever that is in your case.
>
> On 4 March 2012 21:57, Mark Montague m...@catseye.org wrote:
>
>> On March 4, 2012 12:33 , Wolfgang Laun wolfgang.l...@gmail.com wrote:
>>
>>> A CGI script creates a file; it should also change its natural owner and group (daemon.daemon) to the one of the (authenticated) requesting user. Several users should be able to do that. Having read the Apache 2.4 documentation on Suexec I have the impression that this isn't possible at all. Is this correct or did I miss something?
>>
>> Only root can change the owner of a file. So if a CGI needs to change the owner of a file that it creates, the CGI would have to be run as root (very dangerous, do not do this) or it would have to use a set-uid helper script to change the owner.
>>
>> Suexec cannot change the owner of a file created by a CGI, because it will not know what files the CGI creates.
>>
>> I think what you want is to run the CGI as the user who is authenticated. Then any files created by the CGI will be owned by the user who is authenticated. Does this sound right?
>>
>> For more information, see https://wiki.apache.org/httpd/PrivilegeSeparation
>>
>> --
>> Mark Montague
>> m...@catseye.org
>
> --
> Steve Swift
> http://www.swiftys.org.uk
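The sudo route that worked in this thread still hands three caller-supplied strings to a process running as root. An added example, not code from the thread: a Python helper (the poster used Perl) that validates owner, group and path, then builds the command as an argument list so that no shell parses them. UPLOAD_ROOT, the allowed account and group names and the function names are assumptions, and the upload directory is assumed to be writable only by the web server account.

```python
import os
import re
import subprocess

# Assumed policy values (not from the thread); adjust to the local setup.
UPLOAD_ROOT = "/srv/www/uploads"        # hypothetical upload directory
ALLOWED_USERS = {"alice", "bob"}        # hypothetical accounts that may receive files
ALLOWED_GROUPS = {"alice", "bob"}       # hypothetical per-user groups
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def build_chown_argv(user, group, path, upload_root=UPLOAD_ROOT,
                     users=ALLOWED_USERS, groups=ALLOWED_GROUPS):
    """Validate the request and return the argv list for 'sudo chown'.

    Raises ValueError rather than passing anything questionable on to root.
    """
    for label, value in (("user", user), ("group", group)):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"bad {label} name: {value!r}")
    if user not in users or group not in groups:
        raise ValueError(f"{user}:{group} may not receive files")
    if os.path.islink(path):
        raise ValueError("refusing to chown a symlink")
    root = os.path.realpath(upload_root)
    real = os.path.realpath(path)
    # The resolved target must sit strictly below the resolved upload root.
    if real == root or os.path.commonpath([root, real]) != root:
        raise ValueError(f"{path!r} is outside {upload_root!r}")
    if not os.path.isfile(real):
        raise ValueError("target must be an existing regular file")
    # -n: sudo fails instead of prompting; -h: do not follow a symlink;
    # --: end of options, so a file name starting with '-' stays an operand.
    return ["sudo", "-n", "/bin/chown", "-h", "--", f"{user}:{group}", real]


def change_owner(user, group, path):
    """Run the validated command; a list argument means no shell is involved."""
    subprocess.run(build_chown_argv(user, group, path), check=True)
```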
Re: [users@httpd] mod_proxy_fcgi + PHP-FPM on Apache 2.4 solution?
Thank you! This worked for me :)

    <LocationMatch ^(.*\.php)$>
        ProxyPass fcgi://127.0.0.1:9000
    </LocationMatch>

I'm not sure why the ProxyPassMatch does not work inside the vhost though, but LocationMatch does.
[users@httpd] What's the name of the http server on my Ubuntu: httpd or apache2?
I'm very puzzled with this simple question: the name of the http server is httpd or apache2? This is because, all apache documentation, in http.apache.org, refers to it as httpd, however in my Ubuntu installation it appears to be apache2. Were not I someone that has some idea of this, I would be certainly lost. I don't know who to blame for this: Apache, Ubuntu or both? Do you have any comments? Thanks, -Sergio.
Re: [users@httpd] What's the name of the http server on my Ubuntu: httpd or apache2?
The Debian/Ubuntu distributions, or rather their Apache HTTPD package maintainers, have renamed the binary to apache2, amongst other modifications. This was mainly done to differentiate between Apache 1.x and Apache 2.x, but its use is mostly void nowadays. Some other changes and layout peculiarities are listed here: http://wiki.apache.org/httpd/DebianDeb0rkification On Mon, Mar 5, 2012 at 11:12 PM, Julio Sergio julioser...@gmail.com wrote: I'm very puzzled with this simple question: the name of the http server is httpd or apache2? This is because, all apache documentation, in http.apache.org, refers to it as httpd, however in my Ubuntu installation it appears to be apache2. Were not I someone that has some idea of this, I would be certainly lost. I don't know who to blame for this: Apache, Ubuntu or both? Do you have any comments? Thanks, -Sergio. -- Gr, Mathijs
[users@httpd] Re: What's the name of the http server on my Ubuntu: httpd or apache2?
Mathijs mathijssch at gmail.com writes: The Debian/Ubuntu distributions, or rather their Apache HTTPD package maintainers, have renamed the binary to apache2, amongst other modifications. This was mainly done to differentiate between Apache 1.x and Apache 2.x, but its use is mostly void nowadays. Some other changes and layout peculiarities are listed here: http://wiki.apache.org/httpd/DebianDeb0rkification On Mon, Mar 5, 2012 at 11:12 PM, Julio Sergio juliosergio at gmail.com wrote: I'm very puzzled with this simple question: the name of the http server is httpd or apache2? This is because, all apache documentation, in http.apache.org, refers to it as httpd, however in my Ubuntu installation it appears to be apache2. Were not I someone that has some idea of this, I would be certainly lost. I don't know who to blame for this: Apache, Ubuntu or both? Do you have any comments? Thanks, -Sergio. -- Gr,Mathijs Thanks, Mathijs -- Sergio.
Re: [users@httpd] What's the name of the http server on my Ubuntu: httpd or apache2?
On Mon, 2012-03-05 at 23:19 +0100, Mathijs wrote: The Debian/Ubuntu distributions, or rather their Apache HTTPD package maintainers, have renamed the binary to apache2, amongst other modifications. This was mainly done to differentiate between Apache 1.x and Apache 2.x, but its use is mostly void nowadays. Yes and I have long believed they need to be called to task on this. The Web Server software is httpd, hence why the source code is released in httpd-x.xx.xx. Apache is the Foundation name and is not the project name, in their way of thinking, are they going to call OpenOffice apache3.4 when it's released in coming months?
Re: [users@httpd] Apache 2.4.1 third party dependencies
On 03/03/2012 06:51 PM, Sander Temme wrote: On Mar 2, 2012, at 2:28 PM, Andy Wang wrote: I've been following the various changes with Apache 2.4.x (and 2.3.x during development) regarding the removal of apr/apr-util and pcre from the Apache source bundle and noted that: http://httpd.apache.org/docs/2.4/install.html says nothing about PCRE as a requirement, but the default configure options look for pcre and blow up if it can't find it. I just committed this change: http://svn.apache.org/viewvc?rev=1296736&view=rev Does that help clarify things? S. Thanks, that does clarify it but wasn't really why I was bringing it up. I was hoping the old srclib method of bundling pcre was still available somehow :) Thanks, Andy
Re: [users@httpd] Stable Version of Httpd
Is 2.4.1 compatible with OpenSSL 1.0.0? On Mon, Mar 5, 2012 at 2:58 PM, Noel Butler noel.but...@ausics.net wrote: On Mon, 2012-03-05 at 14:45 +0530, Harsimranjit singh Kler wrote: i want to use openssl 0.9.8. Is this compatible with 2.4.1? Builds fine with openssl-0.9.8 I build against openssl-0.9.8t