Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Eric -

I'm not exactly sure what your last question means. However, I think you answered my question. In short, the situation has not changed. If we want to ensure that the password is passed from the client (browser) to the server securely (to be further passed on to the LDAP server), we have to use SSL (https). The path from the http server to the LDAP server is secure using SSL (ldaps), but from the client to the server is unencrypted unless the entire thing is SSL'ed.

I'm pretty new at this, but it appears that the act of popping up a dialog box asking for username/password cannot be encrypted separately from the http connection.

Thanks,
Ken

On 03/28/2013 04:11 PM, Eric Covener wrote:
> On Thu, Mar 28, 2013 at 5:33 PM, Ken Nishimura wrote:
>> Basically, using the mod_auth_ldap module, apart from using SSL (and associated overhead), is it still the case that there is no way to encrypt just the passing of username and password from the client (browser) back to the server?
>>
>> As others have pointed out, SSL is a fallback, but with associated overhead. Has this been fixed in later versions of Apache?
>
> mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have any provision to encrypt the password separately from the rest of the connection.
>
> mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.
>
> What does your client support that would need a "fixed" mod_authnz_ldap?

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
On Thu, Mar 28, 2013 at 5:33 PM, Ken Nishimura wrote:
> Basically, using the mod_auth_ldap module, apart from using SSL (and
> associated overhead), is it still the case that there is no way to encrypt
> just the passing of username and password from the client (browser) back to
> the server?
>
> As others have pointed out, SSL is a fallback, but with associated overhead.
> Has this been fixed in later versions of Apache?

mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have any provision to encrypt the password separately from the rest of the connection.

mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.

What does your client support that would need a "fixed" mod_authnz_ldap?
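The difference between the two schemes named in this reply, as an added example that is not part of the original message: with Basic the server receives the password itself (base64 is an encoding, not encryption), while with Digest it receives only an MD5 response that it can check only against a stored HA1 value. It assumes the LDAP check is a simple bind with the user's password; the credentials are the RFC 2617 sample values and the function names are illustrative.

```python
import base64
import hashlib
import hmac

# RFC 2617 section 3.5 sample values (not taken from the thread).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
METHOD, URI = "GET", "/dir/index.html"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Authorization value a browser sends for Basic: base64, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def server_view_of_basic(header):
    """What the web server (or anyone reading cleartext HTTP) recovers."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password  # the password itself, usable for an LDAP simple bind


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth, algorithm=MD5."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_can_check_digest(response, stored_ha1, method, uri, nonce, nc, cnonce):
    """Checking a Digest response needs HA1 already stored on the server side;
    the password never arrives, so there is nothing to present in a bind."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print(server_view_of_basic(basic_header(USER, PASSWORD)))
    resp = digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE, NC, CNONCE)
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    print(resp, server_can_check_digest(resp, ha1, METHOD, URI, NONCE, NC, CNONCE))
```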
Re: [users@httpd] JkWorkerFile (mod_jk)
On Mar 28, 2013, at 12:26 PM, "Tom Evans" wrote:
> Are you including this config file multiple times? Perhaps once
> explicitly, and once as a

>That I know of, this is the only time it is being called. With that said, in
>httpd.conf I have an include statement pointing to /etc/apache2/conf.d.
>Maybe jk.conf is placed in a place where it is automatically being
>read/loaded and my file reads/loads it also?

Ok, i moved the jk.conf file to .opt/alfresco/tomcat/conf and now i do not get the "only allowed once" described in a previous post. However, now when accessing http://share.domain.com, the result is directories and files are listed, the jsp files are not running. Here is my complete setup:

jk.conf-
# simple configuration for apache (for AJP connector, modul mod_jk.so)
JkWorkersFile /opt/alfresco/tomcat/workers.properties
JkLogFile /var/log/alfresco/mod_jk.log
JkShmFile /var/log/alfresco/shm
# Log level to be used by mod_jk
JkLogLevel error
# The following line mounts all JSP files and the /servlet/ uri to tomcat
#JkMount /servlets-examples/servlet/* ajp13
JkMount /share/*.jsp ajp13

virtualhost-
ServerName share.domain.com
#RewriteEngine On
#RewriteCond %{REQUEST_URI} !^/share/
#RewriteCond %{HTTPS} on
#RewriteRule ^/. http://share.paradixent.com/share/ [P]
#JkMount /share/* worker1
# The following line makes apache aware of the location of
# the /jsp-examples context
Alias /share "/opt/alfresco/tomcat/webapps/share"
Options Indexes FollowSymLinks
allow from all
# The following line mounts all JSP files and the /servlet/ uri to tomcat
#JkMount /servlets-examples/servlet/* ajp13
JkMount /share/*.jsp ajp13
# The following line prohibits users from directly accessing WEB-INF
#AllowOverride None
deny from all
# if not specified, the global error log is used
ErrorLog /var/log/apache2domain.com-error_log
CustomLog /var/log/apache2/domain.com-access_log combined

httpd.conf-
# mod_jk
Include /opt/alfresco/tomcat/conf/jk.conf

Mod_jk is loaded:
web:~ # /usr/sbin/httpd2 -M
Loaded Modules:
...
jk_module (shared)
perl_module (shared)
php5_module (shared)
Syntax OK

Here is the log from apache:
[Thu Mar 28 18:40:14 2013] [error] [client pub ip] proxy: Error reading from remote server returned by /error/HTTP_INTERNAL_SERVER_ERROR.html.var
[Thu Mar 28 18:40:28 2013] [error] [client pub ip] (70007)The timeout specified has expired: proxy: error reading status line from remote server share.paradixent.com
[Thu Mar 28 18:40:28 2013] [error] [client pub ip] proxy: Error reading from remote server returned by /error/HTTP_INTERNAL_SERVER_ERROR.html.var

Any ideas why the jsp's are being listed instead of running?
[users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Hi -

I've searched the archives and it looks like this was discussed back in 2010 with a "WONTFIX". I just wanted to make sure this is still the case.

Basically, using the mod_auth_ldap module, apart from using SSL (and associated overhead), is it still the case that there is no way to encrypt just the passing of username and password from the client (browser) back to the server?

As others have pointed out, SSL is a fallback, but with associated overhead. Has this been fixed in later versions of Apache?

Thanks,
Ken
Re: [users@httpd] Mod_proxy: Authentication-Info header lost in response
On Thu, 28 Mar 2013 16:21:56 +0100 Nicolas Daniels wrote:
> Hi,
>
> I finally solved the problem myself by modifying the source code of
> mod_proxy_http.c:

Thanks! I started to compose a reply yesterday, then decided I should look at it first to determine whether it's a bug. I might end up applying your fix, if I don't forget about it first.

--
Nick Kew
Re: [users@httpd] JkWorkerFile (mod_jk)
On Mar 28, 2013, at 12:26 PM, "Tom Evans" wrote:
> Are you including this config file multiple times? Perhaps once
> explicitly, and once as a

That I know of, this is the only time it is being called. With that said, in httpd.conf I have an include statement pointing to /etc/apache2/conf.d. Maybe jk.conf is placed in a place where it is automatically being read/loaded and my file reads/loads it also?
Re: [users@httpd] JkWorkerFile (mod_jk)
On Thu, Mar 28, 2013 at 4:20 PM, Chris Arnold wrote:
> Apache2.12.x on SLES11 SP2.
> I am trying to get apache2 mod_jk working with apache to access a webapp. I
> have loaded the mod_jk module and configured a virtual host and
> workers.properties file like so:
>
> virtualhost:
>
> ServerName share.domain.com
>
> # The following line makes apache aware of the location of
> # the /jsp-examples context
> Alias /share "/opt/alfresco/tomcat/webapps/share"
>
> Options Indexes FollowSymLinks
> allow from all
>
> # The following line mounts all JSP files and the /servlet/ uri to tomcat
> #JkMount /servlets-examples/servlet/* ajp13
> JkMount /share/*.jsp ajp13
>
> # The following line prohibits users from directly accessing WEB-INF
>
> AllowOverride None
> deny from all
>
> jk.conf:
>
> JkWorkersFile /opt/alfresco/tomcat/workers.properties
> JkLogFile /var/log/alfresco/mod_jk.log
> JkShmFile /var/log/alfresco/shm
>
> # Log level to be used by mod_jk
> JkLogLevel error
>
> When i restart apache, i get:
> JkWorkerFile only allowed once
> and apache does not start until i comment out the jkworkerfile line in
> jk.conf.
> So my question is, does apache already have a jkworkerfile somewhere that i
> do not know about? I searched for workers.properties and see only 2, 1 is
> mine that i created and the other is in
> /usr/share/doc/packages/apache2-mod-jk.
> I do not have tomcat installed outside of the tomcat the webapp (which is
> alfresco) installed.

Are you including this config file multiple times? Perhaps once explicitly, and once as a glob include?

Cheers

Tom
[users@httpd] JkWorkerFile (mod_jk)
Apache2.12.x on SLES11 SP2.
I am trying to get apache2 mod_jk working with apache to access a webapp. I have loaded the mod_jk module and configured a virtual host and workers.properties file like so:

virtualhost:

ServerName share.domain.com

# The following line makes apache aware of the location of
# the /jsp-examples context
Alias /share "/opt/alfresco/tomcat/webapps/share"

Options Indexes FollowSymLinks
allow from all

# The following line mounts all JSP files and the /servlet/ uri to tomcat
#JkMount /servlets-examples/servlet/* ajp13
JkMount /share/*.jsp ajp13

# The following line prohibits users from directly accessing WEB-INF
AllowOverride None
deny from all

jk.conf:

JkWorkersFile /opt/alfresco/tomcat/workers.properties
JkLogFile /var/log/alfresco/mod_jk.log
JkShmFile /var/log/alfresco/shm

# Log level to be used by mod_jk
JkLogLevel error

When i restart apache, i get:
JkWorkerFile only allowed once
and apache does not start until i comment out the jkworkerfile line in jk.conf.

So my question is, does apache already have a jkworkerfile somewhere that i do not know about? I searched for workers.properties and see only 2, 1 is mine that i created and the other is in /usr/share/doc/packages/apache2-mod-jk.
I do not have tomcat installed outside of the tomcat the webapp (which is alfresco) installed.
Re: [users@httpd] Control of reverse proxy workers
>Is there a way to have a script which can be allowed to enabled/disable
>workers used in a reverse proxy.
>
>Similar to what can be done using the balancer-manager page, but without
>needing to have something that can emulate a web browser to do the job.

I'd be interested to know this too. I wound up writing a perl script using WWW::Mechanize to handle the web scraping. I allowed unauthenticated access from localhost and run the script locally. My use case was I wanted which workers were enabled/disable to persist after an apache restart and/or failover to another server.

-Alex
Re: [users@httpd] Mod_proxy: Authentication-Info header lost in response
Hi,

I finally solved the problem myself by modifying the source code of mod_proxy_http.c:

Line 1697:
apr_table_do(addit_dammit, save_table, r->headers_out, "Set-Cookie", NULL);
-->
apr_table_do(addit_dammit, save_table, r->headers_out, "Set-Cookie", "Authentication-Info", NULL);

Cheers

On 27/03/2013 13:23, Nicolas Daniels wrote:
> Ok, I was probably not clear enough ;-)
>
> First I'm using mod_proxy_http and DIGEST authentication. Authentication-Info header is part of digest authentication: http://rfc-ref.org/RFC-TEXTS/2069/chapter2.html
>
> Lets say I've 2 accessed URLs:
> http://mydomain.com/index.html
> http://mydomain.com/tomcat/index.html
>
> Both are using digest authentication on apache. Proxy is configured as follow:
>
> ProxyPass /tomcat http://mytomcat.com/bla
> ProxyPassReverse /tomcat http://mytomcat.com/bla
>
> So http://mydomain.com/index.html is replied directly by apache and http://mydomain.com/tomcat/index.html is proxied to tomcat.
>
> 1st case: Authentication-Info replied
>
>     > GET /index.html HTTP/1.1
>     > User-Agent: curl/7.29.0
>     > Host: mydomain.com
>     > Accept: */*
>     < HTTP/1.1 401 Unauthorized
>     < Date: Wed, 27 Mar 2013 11:24:18 GMT
>     < Server: Apache/2.4.4 (Unix)
>     < WWW-Authenticate: Digest realm="bla", nonce="nxteR+bYBAA=9c9e9d4176b1ff722c18122c2a3a9af3d52b6e8a", algorithm=MD5, qop="auth"
>     < Content-Length: 381
>     < Content-Type: text/html; charset=iso-8859-1
>     > GET /index.html HTTP/1.1
>     > Authorization: Digest username="username", realm="bla", nonce="nxteR+bYBAA=9c9e9d4176b1ff722c18122c2a3a9af3d52b6e8a", uri="/index.html", cnonce ="ICAgICAgICAgICAgICAgICAgICAgICAgICAxNDEyNjc=", nc=0001, qop=auth, response="bbfa7dqsdqs2c014d85sqdzaab1", algorithm="MD5"
>     > User-Agent: curl/7.29.0
>     > Host: mydomain.com
>     > Accept: */*
>     < HTTP/1.1 200 OK
>     < Date: Wed, 27 Mar 2013 11:24:18 GMT
>     < Server: Apache/2.4.4 (Unix)
>     *< Authentication-Info: rspauth="efbdcdsqdsqhiaaazqds4eee3c1", cnonce="ICAgICAgICAgICAgICAgICAgICAgICAgICAxNDEyNjc=", nc=0001, qop=auth*
>     < Last-Modified: Tue, 19 Feb 2013 08:24:06 GMT
>     < ETag: "22-4d60f909e7580"
>     < Accept-Ranges: bytes
>     < Content-Length: 34
>     < Content-Type: text/plain
>
> 2nd case: Authentication-Info *not* replied
>
>     > GET /tomcat/index.html HTTP/1.1
>     > User-Agent: curl/7.29.0
>     > Host: mydomain.com
>     > Accept: */*
>     < HTTP/1.1 401 Unauthorized
>     < Date: Wed, 27 Mar 2013 12:15:25 GMT
>     < Server: Apache/2.4.4 (Unix)
>     < WWW-Authenticate: Digest realm="bla", nonce="5X4sqdsqdsqd456sq4dsq4d65sq78zf599bbd478c", algorithm=MD5, qop="auth"
>     < Content-Length: 381
>     < Content-Type: text/html; charset=iso-8859-1
>     > GET /tomcat/index.html HTTP/1.1
>     > Authorization: Digest username="username", realm="bla", nonce="5X4sqdsqdsqd456sq4dsq4d65sq78zf599bbd478c", uri="/tomcat/index.html", cnonce="ICAgICAgICAgICAgICAgICAgICAgICAgICA0NDk5NzM=", nc=0001, qop=auth, response="cf10890c9dsqdsqef3bd248dsqdsqec34", algorithm="MD5"
>     > User-Agent: curl/7.29.0
>     > Host: mydomain.com
>     > Accept: */*
>     < HTTP/1.1 200 OK
>     < Date: Wed, 27 Mar 2013 12:15:27 GMT
>     < Server: Apache-Coyote/1.1
>     < Content-Type: application/json
>     < Content-Length: 142
>
> So my question is, is there any way to have Apache reply this Authentication-Info in both case ? I guess the reverse proxy should add is somehow...
>
> Thanks !
>
> On 27/03/2013 13:00, Nick Kew wrote:
>> On 27 Mar 2013, at 11:39, Nicolas Daniels wrote:
>>> Everything work fine except that when the proxy is used, the Authentication-Info header is not included in the response. If Apache is replying directly without using the proxy, it is included.
>>
>> There's no such header in HTTP. Why not tell us exactly what you mean?
[users@httpd] Re:Re: [users@httpd] connection closed for event mpm?
i dont use flv module, and the error_log not provide any clue...~

and someone also reported the problem:
http://marc.info/?l=apache-httpd-bugs&m=135712896422945

At 2013-03-28 17:19:21,"Marcin Wanat" wrote:
>What error_log says ? It looks like httpd is crashing.
>Maybe you are using some flv streaming mod which is not thread safe ?
>
>2013/3/28 Esmq :
>> hi, guys
>>
>> i have come across a problem related to event mpm in apache(v2.4.3),
>> that is
>> connection may closed during transfer for some times. when i change to
>> prefork mpm, everything goes well...
>> i also try to set EnableSendfile & EnableMMAP to Off, but without work...
>>
>> following is the full Scenario of the problem..
>>
>> wget -O a.flv http://video.test.com/a.flv; md5sum a.flv
>> --2013-03-27 18:15:51-- http://video.test.com/a.flv
>> Resolving video.test.com... 192.168.1.100
>> Connecting to video.test.com|192.168.1.100|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 290899940 (277M) [video/x-flv]
>> Saving to: “a.flv”
>>
>> 19% [===> ] 56,424,265 2.50M/s in 16s
>>
>> 2013-03-27 18:16:07 (3.30 MB/s) - Connection closed at byte 56424265.
>> Retrying.
>>
>> --2013-03-27 18:16:08-- (try: 2) http://video.test.com/a.flv
>> Connecting to video.test.com|192.168.1.100|:80... connected.
>> HTTP request sent, awaiting response... 206 Partial Content
>> Length: 290899940 (277M), 234475675 (224M) remaining [video/x-flv]
>> Saving to: “a.flv”
>>
>> 19% [ ] 56,424,265 --.-K/s in 11s
>>
>> 2013-03-27 18:16:20 (0.00 B/s) - Connection closed at byte 56424265.
>> Retrying.
>>
>> --2013-03-27 18:16:22-- (try: 3) http://video.test.com/a.flv
>> Connecting to video.test.com|192.168.1.100|:80... connected.
>> HTTP request sent, awaiting response... 206 Partial Content
>> Length: 290899940 (277M), 234475675 (224M) remaining [video/x-flv]
>> Saving to: “a.flv”
>>
>> 100%[>] 290,899,940 3.37M/s in 58s
>>
>> 2013-03-27 18:17:20 (3.86 MB/s) - “a.flv” saved [290899940/290899940]
>>
>> 671034be784ce6eb7bc9366572f5441f a.flv
Re: [users@httpd] connection closed for event mpm?
What error_log says ? It looks like httpd is crashing.
Maybe you are using some flv streaming mod which is not thread safe ?

2013/3/28 Esmq :
> hi, guys
>
> i have come across a problem related to event mpm in apache(v2.4.3),
> that is
> connection may closed during transfer for some times. when i change to
> prefork mpm, everything goes well...
> i also try to set EnableSendfile & EnableMMAP to Off, but without work...
>
> following is the full Scenario of the problem..
>
> wget -O a.flv http://video.test.com/a.flv; md5sum a.flv
> --2013-03-27 18:15:51-- http://video.test.com/a.flv
> Resolving video.test.com... 192.168.1.100
> Connecting to video.test.com|192.168.1.100|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 290899940 (277M) [video/x-flv]
> Saving to: “a.flv”
>
> 19% [===> ] 56,424,265 2.50M/s in 16s
>
> 2013-03-27 18:16:07 (3.30 MB/s) - Connection closed at byte 56424265.
> Retrying.
>
> --2013-03-27 18:16:08-- (try: 2) http://video.test.com/a.flv
> Connecting to video.test.com|192.168.1.100|:80... connected.
> HTTP request sent, awaiting response... 206 Partial Content
> Length: 290899940 (277M), 234475675 (224M) remaining [video/x-flv]
> Saving to: “a.flv”
>
> 19% [ ] 56,424,265 --.-K/s in 11s
>
> 2013-03-27 18:16:20 (0.00 B/s) - Connection closed at byte 56424265.
> Retrying.
>
> --2013-03-27 18:16:22-- (try: 3) http://video.test.com/a.flv
> Connecting to video.test.com|192.168.1.100|:80... connected.
> HTTP request sent, awaiting response... 206 Partial Content
> Length: 290899940 (277M), 234475675 (224M) remaining [video/x-flv]
> Saving to: “a.flv”
>
> 100%[>] 290,899,940 3.37M/s in 58s
>
> 2013-03-27 18:17:20 (3.86 MB/s) - “a.flv” saved [290899940/290899940]
>
> 671034be784ce6eb7bc9366572f5441f a.flv