[users@httpd] SSLSessionCache - DSO Load Failed
Here is the output from the error_log:

    [error] (20019)DSO load failed: Cannot create SSLSessionCache DBM file `/usr/local/apache/conf/ssl/SessionCache'

Here is my entry in the conf file, which is also entered before the virtual host, as stated in the documentation:

    SSLSessionCache dbm:/usr/local/apache/conf/ssl/SessionCache

Here are the cache modules loaded:

    LoadModule file_cache_module /opt/freeware/lib/httpd/modules/mod_file_cache.so
    LoadModule cache_module /opt/freeware/lib/httpd/modules/mod_cache.so
    LoadModule disk_cache_module /opt/freeware/lib/httpd/modules/mod_disk_cache.so

I tried touching SessionCache and setting open permissions on it, but when I restart apache, the file gets deleted.

Please assist with issue.

Thank you
[users@httpd] RE: Moving Apache from Solaris to Linux
I would like to thank all the people who replied to me regarding the question above.

As with many people who run Solaris, we are moving to an alternative OS as a result of the change of ownership of Solaris from Sun to Oracle. Over the past 6 months we have investigated installing applications from source and packages on all the major Linux distributions. During this process we got a feel of each of the OS. My next step was to provide some evidence to management on what the general community was using and why. I now have sufficient testimonials to proceed from this stage.

I am pleased to say that nearly all the replies I received supported my own conclusions. First is that Apache will run stably on all the popular flavours of Linux with very little performance difference. The second, which was in nearly all the replies, is that the choice of OS was down to the administrator's experience, skills and preferences.

For completeness I have included the number of users using each OS, if it was stated in the reply. Because the sample is so small it may not be an accurate representation. It includes replies from the BIND, Exim, Apache and Squid mail lists for the same question.

    Centos    5
    Redhat    5
    Ubuntu    4
    Debian    3
    OpenSuse  3
    Gentoo    2
    Fedora    1

And finally a summary of the points raised when choosing which Linux flavour to run Apache.

- Administrator's experience and skills.
- Administrator's preferences.
- Administration time.
- Availability of replacement staff with experience of OS and training requirements.
- Compilation or package installs.
- Availability of suitable packages (if not using source).
- Ease of compilation from source (if not using packages).
- Update cycle (cutting edge or stable).
- Online support or commercial support (budget).

Once again, many thanks for all the people who replied.

Regards,
Graham Butler
Infrastructure Team.
Computing and Library Services.
The University of Huddersfield.

From: Graham Butler [mailto:g.but...@hud.ac.uk]
Sent: 01 October 2012 13:59
To: 'users@httpd.apache.org'
Subject: [users@httpd] Moving Apache from Solaris to Linux

We are currently looking at replacing our Solaris boxes with a flavour of Linux to run Apache, with a focus on Red Hat and Ubuntu. I am trying to collect some evidence as to which OS is being used to run Apache and why, before we make a decision.

Could you please respond by sending me, or the list, information on which OS you are using to run Apache and any information on why you decided to run it on that particular platform. I am also asking other lists for similar information on Squid, BIND, Exim, etc...

Many thanks for any information you may send me.

Graham Butler
Infrastructure Team.
Email: g.but...@hud.ac.uk
Tel: 01484 473785
The University of Huddersfield
Computing and Library Services
PO Box No. 341
Huddersfield HD1 3DH

---
This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
[users@httpd] Configuration of virtual hosts
Dear users,

sorry for bothering you with that issue but I have some questions regarding apache2.2.22:

1) From the Java applet I sometimes see (Client 2008) - server (SLES 10) an error message from the Java console like:

    exception: Invalid argument: setsockopt

It seems like apache2 closed the connection before opening. Could it be a problem when in the apache2 log I see the message server is busy? This error is sporadic.

2) Configuration issue

The first configuration file is stored in conf.d/myconfig.conf, which is used for configuration of port 80.
The second configuration file is stored in vhosts.d/vhost-myconfig.conf, which is used for configuration of 443 as well as of the virtual hosts.

My question is: are the directives mentioned in conf.d/myconfig.conf also used (inherited) in the virtual host sections mentioned in vhosts.d/vhost-myconfig.conf, or shall I mention them twice/three times?

In conf.d/myconfig.conf are mentioned directives like:

    ServerLimit 256
    MaxClients 256
    MaxRequestsPerChild 1
    LimitRequestBody 2147483648
    Timeout 180
    KeepAlive On
    KeepAliveTimeout 5
    MaxKeepAliveRequests 100
    StartServers 8
    MinSpareServers 9
    MaxSpareServers 10

In vhosts.d/vhost-myconfig.conf are mentioned virtual hosts like:

    <VirtualHost *:443>
        SSLEngine on
        SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        BrowserMatch .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        SSLProxyEngine on
        ServerName main_server
        #ProxyPreserveHost on
        ProxyRequests On
        TraceEnable off

        <Location /term/>
            AuthType MyType
            require valid-user
            ProxyPass http://127.0.0.1:8000/
            ProxyPassReverse http://localhost:8000/
        </Location>

        # This directive proxies to VirtualHost 127.0.0.1:443
        ProxyPass / https://127.0.0.1/
        ProxyPassReverse / https://127.0.0.1/
    </VirtualHost>

    <VirtualHost 127.0.0.1:443>
        ServerName myserver
        SSLEngine on
        SSLProxyEngine on
        SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        BrowserMatch .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        ProxyPreserveHost on
        ProxyRequests Off
        TraceEnable Off
    </VirtualHost>

--
Best Regards
Petr Hracek
Re: [users@httpd] Configuration of virtual hosts
On Tue, Oct 2, 2012 at 10:38 AM, Petr Hracek phrac...@gmail.com wrote:
> Dear users,
>
> sorry for bothering you with that issue but I have some questions regarding apache2.2.22:
> 1) From the Java applet I sometimes see (Client 2008) - server (SLES 10) an error message from the Java console like:
> exception: Invalid argument: setsockopt
> It seems like apache2 closed the connection before opening. Could it be a problem when in the apache2 log I see the message server is busy? This error is sporadic.

Who can say, if not you? Analyzing a tcpdump of the packets sent to and from apache would give you some clues about whether apache is behaving correctly, but who knows whether your Java app is simply not handling an error state correctly.

> 2) Configuration issue
> The first configuration file is stored in conf.d/myconfig.conf, which is used for configuration of port 80.
> The second configuration file is stored in vhosts.d/vhost-myconfig.conf, which is used for configuration of 443 as well as of the virtual hosts.
>
> My question is: are the directives mentioned in conf.d/myconfig.conf also used (inherited) in the virtual host sections mentioned in vhosts.d/vhost-myconfig.conf, or shall I mention them twice/three times?

No vhost inherits from another vhost - even the SSL variant of a non SSL vhost.

Some directives from the main server config context are inherited into a vhost context, some directives are only inherited if you explicitly specify so in the vhost, and some directives are only valid in the main server config.

The best thing to do is to read the description of each directive you are unsure about from the docs.

http://httpd.apache.org/docs/2.2/mod/quickreference.html

Cheers

Tom
RE: [users@httpd] availability of httpd 2.0.65
Any news on this issue?

Ayelet Regev-Dabah
System Software Platform TL
Comverse
Office: +972 3 6459362
ayelet.re...@comverse.com
www.comverse.com

-----Original Message-----
From: Regev Ayelet [mailto:ayelet.re...@comverse.com]
Sent: Sunday, September 30, 2012 4:08 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] availability of httpd 2.0.65

In this link: http://wiki.apache.org/httpd/CVE-2011-3192

FIX

This vulnerability has been fixed in release 2.2.20 and further corrected in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the legacy 2.0.65 release, once this is published (anticipated in September).

If you cannot upgrade, or cannot wait to upgrade - you can apply the appropriate source code patch and recompile a recent existing version;

http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14)
http://www.apache.org/dist/httpd/patches/apply_to_2.2.19/ (for 2.2.15 - .19)
http://www.apache.org/dist/httpd/patches/apply_to_2.0.64/ (for 2.0.55 - .64)

If you cannot upgrade and/or cannot apply above patches in a timely manner then you should consider to apply one or more of the mitigation suggested below.

-----Original Message-----
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Sunday, September 30, 2012 4:05 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] availability of httpd 2.0.65

On Sun, Sep 30, 2012 at 9:56 AM, Regev Ayelet ayelet.re...@comverse.com wrote:
> Hi All,
> According to apache.org, httpd 2.0.65 is supposed to be released during September.
> Does anyone have updates on this issue?
> I tried to install the patch, but my security system still claims there is a security bug…

Where do you see a date listed for 2.0.65?

“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Technology or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: secur...@comverse.com. Thank You.”
RE: [users@httpd] availability of httpd 2.0.65
Even after installing httpd patch provided by Apache, nessus scanning system is claiming:

55976 - Apache HTTP Server Byte Range DoS

Synopsis
The web server running on the remote host is affected by a denial of service vulnerability.

Description
The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive.
Exploit code is publicly available and attacks have reportedly been observed in the wild.

See Also
http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
http://www.gossamer-threads.com/lists/apache/dev/401638
http://www.nessus.org/u?404627ec
http://httpd.apache.org/security/CVE-2011-3192.txt
http://www.nessus.org/u?1538124a
http://www-01.ibm.com/support/docview.wss?uid=swg24030863

Solution
Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression.
If the host is running a web server based on Apache httpd, contact the vendor for a fix.

Risk Factor
High

CVSS Base Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Temporal Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

References
BID 49303
CVE CVE-2011-3192
XREF OSVDB:74721
XREF CERT:405811 26
XREF EDB-ID:17696
XREF EDB-ID:18221

Exploitable with
Core Impact (true) Metasploit (true)

Plugin Information:
Publication date: 2011/08/25, Modification date: 2012/09/06

Ports
tcp/443

Nessus determined the server is unpatched and is not using any of the suggested workarounds by making the following requests :

Testing for workarounds

    HEAD /manual/rewrite/index.html HTTP/1.1
    Host: 10.106.12.185
    Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
    Accept-Language: en
    Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
    Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
    Connection: Close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
    Pragma: no-cache
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

    HTTP/1.0 206 Partial Content
    Date: Mon, 01 Oct 2012 08:36:33 GMT
    Server: Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.7a
    Content-Location: index.html.en
    Vary: negotiate,accept-language,accept-charset
    TCN: choice
    Last-Modified: Tue, 06 Jan 2009 21:40:05 GMT
    ETag: bb44d-158f-401b9740;bb44c-ce-d99b0140
    Accept-Ranges: bytes
    Content-Length: 836
    Connection: close
    Content-Type: multipart/x-byteranges; boundary=4cafb4d91905b7f1
    Content-Language: en

Testing for workarounds

Testing for patch

    HEAD /manual/rewrite/index.html HTTP/1.1
    Host: 10.106.12.185
    Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
    Accept-Language: en
    Request-Range: bytes=0-,1-
    Range: bytes=0-,1-
    Connection: Close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
    Pragma: no-cache
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

    HTTP/1.0 206 Partial Content
    Date: Mon, 01 Oct 2012 08:36:33 GMT
    Server: Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.7a
    Content-Location: index.html.en
    Vary: negotiate,accept-language,accept-charset
    TCN: choice
    Last-Modified: Tue, 06 Jan 2009 21:40:05 GMT
    ETag: bb44d-158f-401b9740;bb44c-ce-d99b0140
    Accept-Ranges: bytes
    Content-Length: 11227
    Connection: close
    Content-Type: multipart/x-byteranges; boundary=4cafb4d91ab998 [...]

Ayelet Regev-Dabah
System Software Platform TL
Comverse
Office: +972 3 6459362
ayelet.re...@comverse.com
www.comverse.com

-----Original Message-----
From: Regev Ayelet [mailto:ayelet.re...@comverse.com]
Sent: Tuesday, October 02, 2012 1:01 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] availability of httpd 2.0.65

Any news on this issue?

-----Original Message-----
From: Regev Ayelet [mailto:ayelet.re...@comverse.com]
Sent: Sunday, September 30, 2012 4:08 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] availability of httpd 2.0.65

In this link: http://wiki.apache.org/httpd/CVE-2011-3192

FIX

This vulnerability has been fixed in release 2.2.20 and further corrected in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the legacy 2.0.65 release, once this is published (anticipated in September).

If you cannot upgrade, or cannot wait to upgrade - you can apply the appropriate source code patch and recompile a recent existing version;

http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14)
http://www.apache.org/dist/httpd/patches/apply_to_2.2.19/ (for 2.2.15 - .19)
Re: [users@httpd] availability of httpd 2.0.65
On 10/2/2012 7:34 AM, Regev Ayelet wrote:
> Even after installing httpd patch provided by Apache, nessus scanning system is claiming:

You have to email your scanning company and let them know it is patched. They are only checking the version of Apache and most scanners are pretty stupid at really knowing if the issue is resolved.

Regards,
KAM
RE: [users@httpd] availability of httpd 2.0.65
Thank you for the quick response...
Do you know when 2.0.65 will be ready?

Ayelet Regev-Dabah
System Software Platform TL
Comverse
Office: +972 3 6459362
ayelet.re...@comverse.com
www.comverse.com

-----Original Message-----
From: Kevin A. McGrail [mailto:kmcgr...@pccc.com]
Sent: Tuesday, October 02, 2012 1:39 PM
To: users@httpd.apache.org
Cc: Regev Ayelet
Subject: Re: [users@httpd] availability of httpd 2.0.65

On 10/2/2012 7:34 AM, Regev Ayelet wrote:
> Even after installing httpd patch provided by Apache, nessus scanning system is claiming:

You have to email your scanning company and let them know it is patched. They are only checking the version of Apache and most scanners are pretty stupid at really knowing if the issue is resolved.

Regards,
KAM

“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Technology or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: secur...@comverse.com. Thank You.”
RE: [users@httpd] availability of httpd 2.0.65
What is the best way to validate my patch?
Is there a checksum I can compare to?

Ayelet Regev-Dabah
System Software Platform TL
Comverse
Office: +972 3 6459362
ayelet.re...@comverse.com
www.comverse.com

-----Original Message-----
From: Kevin A. McGrail [mailto:kmcgr...@pccc.com]
Sent: Tuesday, October 02, 2012 1:39 PM
To: users@httpd.apache.org
Cc: Regev Ayelet
Subject: Re: [users@httpd] availability of httpd 2.0.65

On 10/2/2012 7:34 AM, Regev Ayelet wrote:
> Even after installing httpd patch provided by Apache, nessus scanning system is claiming:

You have to email your scanning company and let them know it is patched. They are only checking the version of Apache and most scanners are pretty stupid at really knowing if the issue is resolved.

Regards,
KAM

“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Technology or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: secur...@comverse.com. Thank You.”
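
Added example, not part of any message in this thread: an offline check of the scan evidence quoted earlier, which includes the response the scanner received to "Range: bytes=0-,1-". It assumes the entity size is the hex size field of that response's ETag (0x158f) and that a server which no longer serves overlapping ranges individually would not answer with a multipart body larger than the entity; the function names are illustrative and the second response is constructed for comparison.

```python
import re

def parse_ranges(header, size):
    """Resolve a 'bytes=' Range header for an entity of `size` bytes; bad specs are skipped."""
    unit, _, specs = header.partition("=")
    if unit.strip().lower() != "bytes":
        return []
    resolved = []
    for spec in specs.split(","):
        m = re.fullmatch(r"\s*(\d*)-(\d*)\s*", spec)
        if not m or m.groups() == ("", ""):
            continue
        first, last = m.groups()
        if first == "":                        # suffix form: last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = min(int(last), size - 1) if last else size - 1
        if start <= end:                       # drops '5-0' and out-of-bounds specs
            resolved.append((start, end))
    return resolved

def overlap_stats(ranges):
    """Return (total bytes requested, distinct bytes covered)."""
    requested = sum(end - start + 1 for start, end in ranges)
    covered, reach = 0, -1                     # reach: highest offset counted
    for start, end in sorted(ranges):
        if end > reach:
            covered += end - max(start, reach + 1) + 1
            reach = end
    return requested, covered

def parse_head(raw):
    """Split a raw response head into (status, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def assess(range_header, raw_response, size):
    """Flag a response in which overlapping ranges were each served in full."""
    requested, covered = overlap_stats(parse_ranges(range_header, size))
    status, headers = parse_head(raw_response)
    multipart = "byteranges" in headers.get("content-type", "").lower()
    length = int(headers.get("content-length", 0))
    served = status == 206 and multipart and requested > covered and length > size
    return {"requested": requested, "covered": covered, "overlap_served": served}

# Assumption: entity size is the hex size field of the ETag in the scan output.
ENTITY_SIZE = 0x158F

# Head of the response to "Range: bytes=0-,1-", abridged from the scan output.
SCAN_RESPONSE = """HTTP/1.0 206 Partial Content
Content-Length: 11227
Content-Type: multipart/x-byteranges"""

# Constructed comparison: a server that ignores the overlapping ranges.
FULL_RESPONSE = """HTTP/1.1 200 OK
Content-Length: 5519
Content-Type: text/html"""

print(assess("bytes=0-,1-", SCAN_RESPONSE, ENTITY_SIZE))
```

The two ranges ask for 11037 bytes of a 5519-byte entity, and the reported Content-Length of 11227 is consistent with both parts being sent in full.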
Re: [users@httpd] availability of httpd 2.0.65
On 10/2/2012 7:41 AM, Regev Ayelet wrote:
> Thank you for the quick response...
> Do you know when 2.0.65 will be ready?

Other than the same information you have that they are working on a release, no.
[users@httpd] how to redirect a site via r301
I use apache2.2 on freebsd8. I have 2 sites on it. The first is test.org and the second one is test.com.

I wish apache to redirect so that when a visitor reaches http://test.org/query.php?id=516263 they go to http://test.com/query.php?id=516263

How can I do that?
Re: [users@httpd] how to redirect a site via r301
On 10/2/2012 9:46 AM, Bulent Malik wrote:
> I use apache2.2 on freebsd8. I have 2 sites on it. The first is test.org and the second one is test.com.
> I wish apache to redirect so that when a visitor reaches http://test.org/query.php?id=516263 they go to http://test.com/query.php?id=516263
> How can I do that?

http://httpd.apache.org/docs/current/rewrite/remapping.html#movehomedirs
[users@httpd] Apache + Tomcat + mod_jk ; Wrong content type. Why?
Hi All,

We are using Apache 2.2 + Tomcat 7 + mod_jk (all 64-bit) on a RedHat box. I have configured the settings such that the static content like css and javascript are served by httpd rather than tomcat. However, when I do so, the css files are returned with a content type=text/plain rather than content type=text/css. Why is that so?

Here are the snippets from the relevant files..

/* workers.properties */

    worker.list=worker1
    worker.worker1.type=ajp13
    worker.worker1.host=localhost
    worker.worker1.port=8009

/* httpd-vhosts.conf */

    DocumentRoot /hosts/example.com/webapps/ROOT
    JkUnMount /css/* worker1
    JkUnMount /img/* worker1
    JkUnMount /js/* worker1
    JkMount /* worker1

Thanks,
Joe