Re: [users@httpd] Should name based virtual hosts work when the ServerName is an IP address?
--On 30 May 2012 15:06:15 -0400 Eric Covener cove...@gmail.com wrote:

>> Is there anything else I can do, like (e.g.) put the IP address as a hex constant or something in VirtualHost? Or disable this rather annoying feature?
>
> I'd suggest opening a bug report that something weird seems to happen with the literal IP address in the virtualHost arguments and that it works with *:80.

OK, that gives me an idea. My config looks a bit like this:

    # Listen on 192.200.0.1, 192.200.0.2, 192.200.0.3
    Listen *:80
    Listen *:1234 # --- config for this not omitted below

    NameVirtualHost 192.200.0.1:80

    <VirtualHost 192.200.0.1:80> # --- *** THIS LINE ***
      ServerName will-not-resolve.example.com:80 # port no included as per docs
      # Default vhost for things that resolve to 192.200.0.1
    </VirtualHost>

    <VirtualHost 192.200.0.1:80>
      ServerName a.web.site.example.com:80 # port no included as per docs
      # VHost for http://a.web.site.example.com/
    </VirtualHost>

    <VirtualHost 192.200.0.1:80>
      ServerName 192.200.0.1:80 # port no included as per docs
      # VHost for http://192.200.0.1/
    </VirtualHost>

    # 192.200.0.2
    <VirtualHost 192.200.0.2:80>
      # IP based Virtual Host goes here on 192.200.0.2
    </VirtualHost>

To recap the problem is that accessing http://192.200.0.1/ returns the default site (the first one), not the specific site (the third).

Suppose I change the line marked '*** THIS LINE ***' so it reads

    <VirtualHost *:80> # --- *** THIS LINE ***

Will that interfere in any way with the IP based virtual host which is the fourth above? I have no other name based virtual hosts and even if I did, I wouldn't mind this being the global default.

And will it fix the issue that http://192.200.0.1/ is not connecting to the third virtual host block above?

--
Alex Bligh

- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Should name based virtual hosts work when the ServerName is an IP address?
On Wed, May 30, 2012 at 3:06 PM, Eric Covener cove...@gmail.com wrote:

>> Is there anything else I can do, like (e.g.) put the IP address as a hex constant or something in VirtualHost? Or disable this rather annoying feature?
>
> I'd suggest opening a bug report that something weird seems to happen with the literal IP address in the virtualHost arguments and that it works with *:80.

On 30.05.12 22:10, Eric Covener wrote:

> Sorry, just catching on now that Matus nailed it. It's not so clear what the code is trying to tolerate by comparing this way.

I guess that this was a historic workaround for defining name-based virtual servers without defining ServerName/ServerAlias

    <VirtualHost one.na.me>
      # one.na.me served here
    </VirtualHost>

    <VirtualHost another.na.me>
      # another.na.me
    </VirtualHost>

Since this makes creating default-only name-based virtual hosts impossible, I've had to find the workaround mentioned in my previous mail.

I've been trying to solve this problem in the past, but I was only directed to the mentioned docs, I remember no explanation of why this is done.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
[users@httpd] Re: Apache proxy sending client certificate on behalf of the client
Nevermind, got around the problem.

Thanks anyway,
regards,
Duarte

On Monday 28 May 2012 21:13:02 Duarte Silva wrote:

> Hi all,
>
> I know this should be impossible (sounds to me like a MITM), but bear with me for a second and please tell me if this is in any way possible:
>
>     Client (HTTPS request) -> Apache (Forward Proxy) -> Server (HTTPS)
>     Sends the client certificate on behalf of the client
>
> Note that the client is able to create SSL connections but it is not able to send client certificate. Since the Apache is the one opening the connection to the end Server, isn't there a way to force Apache to send a specific client cert? I know the handshake is done in the Client even though the server is opening the connection.
>
> If it isn't, are there any alternatives that do this? Maybe if it was a transparent proxy?
>
> Thanks for all your time,
> regards,
> Duarte Silva
Re: [users@httpd] Should name based virtual hosts work when the ServerName is an IP address?
--On 31 May 2012 08:34:42 +0100 Alex Bligh a...@alex.org.uk wrote:

> To recap the problem is that accessing http://192.200.0.1/ returns the default site (the first one), not the specific site (the third).
>
> Suppose I change the line marked '*** THIS LINE ***' so it reads
>
>     <VirtualHost *:80> # --- *** THIS LINE ***
>
> Will that interfere in any way with the IP based virtual host which is the fourth above? I have no other name based virtual hosts and even if I did, I wouldn't mind this being the global default.
>
> And will it fix the issue that http://192.200.0.1/ is not connecting to the third virtual host block above?

This fails because VirtualHost *:80 does not appear to set a default when you also have a VirtualHost 192.200.0.1:80. The latter always becomes the default.

--
Alex Bligh
Re: [users@httpd] Should name based virtual hosts work when the ServerName is an IP address?
> # Listen on 192.200.0.1, 192.200.0.2, 192.200.0.3
> Listen *:80
> Listen *:1234 # --- config for this not omitted below
>
> NameVirtualHost 192.200.0.1:80
>
> <VirtualHost 192.200.0.1:80> # --- *** THIS LINE ***
>   ServerName will-not-resolve.example.com:80 # port no included as per docs
>   # Default vhost for things that resolve to 192.200.0.1
> </VirtualHost>
>
> <VirtualHost 192.200.0.1:80>
>   ServerName a.web.site.example.com:80 # port no included as per docs
>   # VHost for http://a.web.site.example.com/
> </VirtualHost>
>
> <VirtualHost 192.200.0.1:80>
>   ServerName 192.200.0.1:80 # port no included as per docs
>   # VHost for http://192.200.0.1/
> </VirtualHost>
>
> # 192.200.0.2
> <VirtualHost 192.200.0.2:80>
>   # IP based Virtual Host goes here on 192.200.0.2
> </VirtualHost>

This config can avoid the problematic behavior by s/VirtualHost 192.200.0.1:80/VirtualHost *:80 and letting normal name-based resolution take over for everything other than 192.200.0.2.
Re: [users@httpd] Should name based virtual hosts work when the ServerName is an IP address?
> This fails because VirtualHost *:80 does not appear to set a default when you also have a VirtualHost 192.200.0.1:80. The latter always becomes the default.

This is sensible/expected, the vhosts with a specific match in the incoming interface are the only candidates.
Re: [users@httpd] Should name based virtual hosts work when the ServerName is an IP address?
--On 31 May 2012 07:02:57 -0400 Eric Covener cove...@gmail.com wrote:

>> This fails because VirtualHost *:80 does not appear to set a default when you also have a VirtualHost 192.200.0.1:80. The latter always becomes the default.
>
> This is sensible/expected, the vhosts with a specific match in the incoming interface are the only candidates.

OK. So is there any way, in an environment where it is not possible to create DNS entries to order, where namevirtualhosts are used, to have a default vhost which is different from a vhost whose name is the IP address?

--
Alex Bligh
Re: [users@httpd] Should name based virtual hosts work when the ServerName is an IP address?
--On 31 May 2012 07:02:57 -0400 Eric Covener cove...@gmail.com wrote:

>>> This fails because VirtualHost *:80 does not appear to set a default when you also have a VirtualHost 192.200.0.1:80. The latter always becomes the default.
>>
>> This is sensible/expected, the vhosts with a specific match in the incoming interface are the only candidates.

On 31.05.12 12:36, Alex Bligh wrote:

> OK. So is there any way, in an environment where it is not possible to create DNS entries to order, where namevirtualhosts are used, to have a default vhost which is different from a vhost whose name is the IP address?

btw: we use hostnames that are present in /etc/hosts. I found it more efficient to create different /etc/hosts (same name, different IP) on multiple machines than push httpd.conf through a filter that will replace hostname by IP.

Just for sure: * is not acceptable (yet)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Where do you want to go to die? [Microsoft]
[users@httpd] Balancer logic on a per-context basis
Hello,

I have a couple apache http servers (v2.2) proxying requests to a handful of tomcat servers (6.x) serving applications in individual contexts. I have a ProxyPass line for each context in my config. I'm utilizing the proxy balancer and it's working well; if I kill tomcat1, apache will quit sending requests to it as expected. However, if I stop a context (to simulate a crashed app) and leave tomcat running, apache seems to consider the balancer member alive. Obviously, this results in unavailable responses from Tomcat to the end user.

I realize there are multiple technologies at work here (apache balancer, AJP, and tomcat). Is it possible to configure apache to check each context listed with a ProxyPass directive for availability, and execute logic based on that (e.g. remove the balancer_member, or select another balancer_member for requests to that ProxyPass item)?

Based on my reading of the documentation and archives, it appears the balancer is concerned with connectivity to the http/ajp connector of the back-end server, which makes sense. I understand HTTP isn't designed to do what I'm asking, but I'm hoping there is some special functionality in AJP that could allow the aforementioned to be possible.

Thanks for any input.

--- httpd Configuration Snippet ---

    <Proxy balancer://some-balancer>
        BalancerMember ajp://tntest-app-a-1:8009 loadfactor=1 route=tomcat1
        BalancerMember ajp://tntest-app-a-2:8009 loadfactor=1 route=tomcat2
        ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid scolonpathdelim=On
    </Proxy>
    ProxyPass /testApp balancer://some-balancer/testApp
    ProxyPass /anotherApp balancer://some-balancer/anotherApp

--- System Info ---

    OS: Ubuntu 10.04 LTS
    Apache httpd: 2.2.14 (Ubuntu)
    Tomcat: 6.0.24
    AJP Protocol version 1.3

Kyle Harper

This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
[users@httpd] Re: Build problem
howdy;

I just wanted to thank everyone who replied to my questions. Looks like it'll be a while before I can do a re-install/OS change, but whichever it is, we'll get there.

Thanks again;
Bill
[users@httpd] Is apache version 2.2.3 compatible for mod security 2.5.13 ?
[users@httpd] httpd 2.4.2 not closing backend connection after proxypass ttl expires
Hello,

I am running Apache 2.4.2 as a reverse proxy server. The backend IIS http server has a timeout of 120 seconds for the backend connection. I occasionally see 502 errors because the backend connection is closed by the IIS server and Apache still tries to use it. So I have added smax=0 ttl=60 to my ProxyPass directive, but apache continues to use this connection after 60 secs of idle time.

I test with making 10 consecutive calls that return good. Apache re-uses the same connection as I would expect. I wait 90 seconds and attempt another connection. It still re-uses the same back-end connection that I would have expected to have timed-out by then.

Has anyone else seen this behavior or know of a solution? Any suggestions appreciated.

Configured with: configure --with-mpm=prefork

Conf file: (ip and urls modified to hide)

    ServerTokens OS
    ServerRoot /usr/local/apache
    PidFile run/httpd-repairctr.pid
    Timeout 120
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 15

    <IfModule prefork.c>
        StartServers 1
        MinSpareServers 1
        MaxSpareServers 1
        ServerLimit 2048
        MaxClients 2048
        MaxRequestsPerChild 4000
    </IfModule>

    <IfModule worker.c>
        StartServers 2
        MaxClients 150
        MinSpareThreads 25
        MaxSpareThreads 75
        ThreadsPerChild 25
        MaxRequestsPerChild 0
    </IfModule>

    Listen nn.nn.nn.nn:8087

    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authn_core_module modules/mod_authn_core.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_core_module modules/mod_authz_core.so
    LoadModule access_compat_module modules/mod_access_compat.so
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule reqtimeout_module modules/mod_reqtimeout.so
    LoadModule filter_module modules/mod_filter.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule env_module modules/mod_env.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule version_module modules/mod_version.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
    LoadModule unixd_module modules/mod_unixd.so
    LoadModule status_module modules/mod_status.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule rewrite_module modules/mod_rewrite.so

    <IfModule unixd_module>
        User apache
        Group apache
    </IfModule>

    ServerAdmin root@localhost
    UseCanonicalName Off
    DocumentRoot /var/www/html

    <Directory />
        Options FollowSymLinks
        Require all denied
    </Directory>

    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <IfModule mod_userdir.c>
        #
        # UserDir is disabled by default since it can confirm the presence
        # of a username on the system (depending on home directory
        # permissions).
        #
        UserDir disable

        #
        # To enable requests to /~user/ to serve the user's public_html
        # directory, remove the UserDir disable line above, and uncomment
        # the following line instead:
        #
        #UserDir public_html
    </IfModule>

    DirectoryIndex index.html index.html.var
    AccessFileName .htaccess

    <Files ~ "^\.ht">
        Require all denied
    </Files>

    TypesConfig /etc/mime.types

    <IfModule mod_mime_magic.c>
        MIMEMagicFile conf/magic
    </IfModule>

    HostnameLookups Off
    LogLevel warn
    LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %s %b" common
    LogFormat "%{Referer}i - %U" referer
    LogFormat "%{User-agent}i" agent
    CustomLog logs/access_log combined
    ErrorLog logs/error_log
    ServerSignature On

    Alias /icons/ /usr/local/apache/icons/

    <Directory /usr/local/apache/icons>
        Options Indexes MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    <IfModule mod_dav_fs.c>
        # Location of the WebDAV lock database.
        DAVLockDB /var/lib/dav/lockdb
    </IfModule>

    ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/

    <Directory /usr/local/apache/cgi-bin>
        AllowOverride None
        Options None
        Require all granted
    </Directory>

    IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable
    ReadmeName README.html
    HeaderName HEADER.html
    IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
    AddDefaultCharset UTF-8
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddHandler type-map var
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml

    Alias /error/ /var/www/error/

    <IfModule mod_negotiation.c>
    <IfModule
Re: [users@httpd] simple easy way to turn to maintenance mode
On 5/27/2012 6:42 AM, Miguel Gonzalez wrote:

> The version of Plesk we have doesn't support this so maybe there is any easy way to do this. I've thought about setting up a different instance of the web server or configure a different web server but maybe I'm missing an even simpler way to do this. In fact we only want to send a simple html response to the user.

I'm a fan of using:

    <VirtualHost *:80>
        <IfDefine MAINTENANCE>
            RewriteRule .* /path/to/maintenance.html [L]
        </IfDefine>
        #Existing directives
    </VirtualHost>

... then, you only need to restart the server with -DMAINTENANCE to enable and restart without the define to disable maintenance mode.

--
Daniel Ruggeri
Re: [users@httpd] Balancer logic on a per-context basis
On 5/31/2012 10:49 AM, kharp...@oreillyauto.com wrote:

> However, if I stop a context (to simulate a crashed app) and leave tomcat running, apache seems to consider the balancer member alive. Obviously, this results in unavailable responses from Tomcat to the end user.

Hi, Kyle - with any luck, Tomcat will return a unique HTTP status code you could use. There is a failonstatus parameter you can set for each balancer member that will have mod_proxy_balancer mark the worker out of service if that status code is found. I've tested this with WebSphere which returns a 503 (Service Unavailable) if a webapp is stopped while the container is running.

The downside here is that there's no way to check again before it goes back into service - it just gets reenabled when the retry period (default: 60 seconds) expires... so if it's still down by that time, at least one user will be impacted before httpd takes it out of service again.

See the params for ProxyPass at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass

--
Daniel Ruggeri
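The failonstatus suggestion above, applied to the balancer from the original question, as an added example that is not part of either post. It assumes an httpd release that supports failonstatus (the 2.2 documentation lists it as available from 2.2.17, which is newer than the 2.2.14 in the question) and that the stopped Tomcat context answers with 503, which the thread confirms only for WebSphere.

```apache
# Added example (not from the thread): the balancer from the question
# with failonstatus enabled.
<Proxy balancer://some-balancer>
    # retry=60 is the default recovery period mentioned in the reply,
    # written out so the window is explicit: a member in error state
    # is put back into rotation after this many seconds without any
    # prior health check.
    BalancerMember ajp://tntest-app-a-1:8009 loadfactor=1 route=tomcat1 retry=60
    BalancerMember ajp://tntest-app-a-2:8009 loadfactor=1 route=tomcat2 retry=60

    ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid scolonpathdelim=On

    # Force a member into error state when it returns one of these
    # status codes. Assumption: a stopped context returns 503.
    ProxySet failonstatus=503
</Proxy>

ProxyPass /testApp    balancer://some-balancer/testApp
ProxyPass /anotherApp balancer://some-balancer/anotherApp
```

Both ProxyPass lines share one balancer, so a 503 from /testApp takes that member out of rotation for /anotherApp as well until the retry period expires.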
Re: [users@httpd] Balancer logic on a per-context basis
Hello Daniel,

> There is a failonstatus parameter you can set for each balancer member that will have mod_proxy_balancer mark the worker out of service if that status code is found

I noticed that parameter and had considered it, but wasn't sure how apache would know to re-enable it. Thank you for clearing that up.

I am using AJP exclusively to the balancer-members. Forgive my ignorance... but will apache still take action if a failonstatus is set (for example, to 503) if AJP is the communication medium to the balancer-member? I assume apache can deduce the HTTP status code regardless of the protocol used to the back-end server, but I dislike assumptions. :)

Thanks.

Kyle Harper
[users@httpd] mod_proxy_ajp dialog to [...] failed
Hello.

Please, I would appreciate it if someone could help me by answering some questions:

I'm working on an issue that I sent to the Tomcat users mailing list (http://tomcat.markmail.org/search/?q=#query:%20list%3Aorg.apache.tomcat.users+page:5+mid:4w7j4oqnuxwkz67c+state:results). I have some questions:

1. Are the error messages below caused by Apache waiting for a response from Tomcat which never comes? There's no directly corresponding error message in the Tomcat logs, some errors are past or before the dates on the Apache log;
2. After the node enters the error state what happens to the existing connections to this Tomcat instance?

    [Thu May 31 10:15:47 2012] [error] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : ajp_ilink_receive() can't receive header
    [Thu May 31 10:15:47 2012] [error] ajp_read_header: ajp_ilink_receive failed
    [Thu May 31 10:15:47 2012] [error] (70007)The timeout specified has expired: proxy: dialog to 127.0.0.1:9109 (127.0.0.1) failed
    [Thu May 31 10:15:49 2012] [error] proxy: BALANCER: (balancer://wlb). All workers are in error state for route (wt2)
    [Thu May 31 10:15:50 2012] [error] proxy: BALANCER: (balancer://wlb). All workers are in error state for route (wt2)
    [Thu May 31 10:15:51 2012] [error] proxy: BALANCER: (balancer://wlb). All workers are in error state for route (wt2)

We were suspecting a TCP/IP stack issue (or something related) but everything works fine (no other connection problems), only this application shows these errors. I'm suspecting this is caused by some misbehavior in the application, which in turn, causes other problems due to the node entering the error state.

Apache is proxying to 2 Tomcat instances (this application) and to 1 third application (which doesn't suffer any problem). Apache is version 2.2.22, Tomcat 6.0.29 (same thing with 6.0.20).

This single error puts the worker in error state, which is bad, and the fix from 2.2.22 to overcome this kind of situation doesn't cover this specific case.

The configuration used in Apache HTTP is:

    ServerSignature Off
    ServerTokens Prod
    Timeout 600
    LimitRequestFieldSize 20480
    ProxyIOBufferSize 21504
    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Proxy balancer://wlb>
        BalancerMember ajp://10.11.102.224:9109 route=wt1 loadfactor=50 max=85 ttl=120 retry=5 connectiontimeout=5000ms ping=5000ms
        BalancerMember ajp://127.0.0.1:9109 route=wt2 loadfactor=50 max=85 ttl=120 retry=5 connectiontimeout=5000ms ping=5000ms
    </Proxy>

    ProxyPass /app1 balancer://wlb/app1 stickysession=JSESSIONID nofailover=On
    ProxyPass /app2 ajp://10.11.102.219:8009/app2

The AJP connector in Tomcat (app1):

    <Connector port="9109" protocol="AJP/1.3" redirectPort="8443" packetSize="22528" maxThreads="200" connectionTimeout="12"/>

Thanks a lot.

Roney
Re: [users@httpd] Balancer logic on a per-context basis
On 5/31/2012 1:40 PM, kharp...@oreillyauto.com wrote:

> I am using AJP exclusively to the balancer-members. Forgive my ignorance... but will apache still take action if a failonstatus is set (for example, to 503) if AJP is the communication medium to the balancer-member? I assume apache can deduce the HTTP status code regardless of the protocol used to the back-end server, but I dislike assumptions. :)

I think that should be fine but have never tested it myself. When I wrote the patch, my testing was all over http - I don't recall adding any protocol specific logic. Please do report back if you come across any complications.

--
Daniel Ruggeri