Re: [users@httpd] ¿How to solve '500 Internal Server Error' ?

2014-04-18 Thread Humberto Castro
Sorry, I only just noticed your first post. I already looked at the link you
gave me to Wikipedia, but it does not give me further information. I have
already asked the hosting provider to let me see the error log. Thanks


2014-04-18 21:49 GMT-05:00 Mauricio Tavares :

> On Fri, Apr 18, 2014 at 10:46 PM, Humberto Castro
>  wrote:
> > I told the hosting provider to help me with this information.
> >
>   did you see my comments in your original post?
>
> >
> > 2014-04-18 14:32 GMT-05:00 Eric Covener :
> >
> >> On Fri, Apr 18, 2014 at 3:30 PM, Humberto Castro
> >>  wrote:
> >> > I have not had access to the error log
> >>
> >> It will be nearly impossible for anyone to help you, or for you to
> >> help yourself, without access to your logs.
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >> For additional commands, e-mail: users-h...@httpd.apache.org
> >>
> >
> >
> >
> > --
> > HUMBERTO CASTRO
>
>
>


-- 
HUMBERTO CASTRO


RE: [users@httpd] Adobe cq behind reverse proxy

2014-04-18 Thread paul.warren.p.pili
Hi Eric,

I have tried below:

ProxyRass /cq/ http://ww.cqserver.com:4502
ProxyPassReverse /cq/ http://www.cqserver.com:4502/

But it still didn't work.

But the below works:

ProxyPass / http://ww.cqserver.com:4502
ProxyPassReverse / http://www.cqserver.com:4502/

But this doesn’t fit our requirements as we need to access it through 
www.portal.com/cq/

Regards,

-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Saturday, April 19, 2014 1:19 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Adobe cq behind reverse proxy

On Fri, Apr 18, 2014 at 12:50 PM,   wrote:
> Hi, we have adobe cq web server which we want to access through apache 
> reverse proxy. Our scenario is:
>
> Adobe cq actual url:
> Www.cqserver.com:4502
>
> Virtual hostname configured in apache:
> Www.portal.com/cq
>
> We have the below lines in httpd.conf:
>
> Proxypass /cq/ Www.cqserver.com:4502
> Proxypassreverse /cq/ Www.cqserver.com:4502
>
> But unfortunately, this didn't work. Please advise what else I can do to 
> make it work.

Details?

You probably want a trailing slash on the 2nd parameter, and a scheme/protocol 
as in http:// rather than a hostname and a port -- see examples in the manual.

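The two points in the reply above (a scheme on the backend URL, and a trailing slash on both arguments or on neither) can be checked mechanically. This is an added example, not configuration or code from the thread: `lint_proxy_conf` and its finding labels are hypothetical names, the sample lines are constructed from the host names quoted in the messages, and the pair check goes beyond what the reply mentions.

```shell
#!/bin/sh
# Lint ProxyPass / ProxyPassReverse lines for a backend URL without a scheme,
# a trailing slash on one argument only, and a forward/reverse pair that
# names different backends.

lint_proxy_conf() {
    # Reads configuration lines on stdin, prints one finding per line.
    awk '
    function strip(u) { sub(/\/$/, "", u); return u }
    {
        d = tolower($1)                      # directive names are case-insensitive
        if (d != "proxypass" && d != "proxypassreverse") next
        path = $2; url = $3
        # A backend written as host:4502 carries no scheme such as http://
        if (url !~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\//)
            printf "line %d: no-scheme %s\n", NR, url
        # The local path and the backend URL should both end in "/" or both not
        if ((path ~ /\/$/) != (url ~ /\/$/))
            printf "line %d: slash-mismatch %s %s\n", NR, path, url
        if (d == "proxypass") fwd[path] = strip(url); else rev[path] = strip(url)
    }
    END {
        # Compare the backend of each ProxyPass with its ProxyPassReverse
        for (p in fwd)
            if ((p in rev) && fwd[p] != rev[p])
                printf "pair-differs %s: %s vs %s\n", p, fwd[p], rev[p]
    }'
}

# Constructed samples using the host names from the thread.
sample_first() {        # as first posted: no scheme, no trailing slash
cat <<'EOF'
Proxypass /cq/ Www.cqserver.com:4502
Proxypassreverse /cq/ Www.cqserver.com:4502
EOF
}

sample_retry() {        # scheme added; directive names spelled out (assumption)
cat <<'EOF'
ProxyPass /cq/ http://ww.cqserver.com:4502
ProxyPassReverse /cq/ http://www.cqserver.com:4502/
EOF
}

sample_consistent() {   # constructed: same backend, slash on both arguments
cat <<'EOF'
ProxyPass /cq/ http://www.cqserver.com:4502/
ProxyPassReverse /cq/ http://www.cqserver.com:4502/
EOF
}

for s in sample_first sample_retry sample_consistent; do
    echo "== $s"
    $s | lint_proxy_conf
done
```
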


Re: [users@httpd] ¿How to solve '500 Internal Server Error' ?

2014-04-18 Thread Mauricio Tavares
On Fri, Apr 18, 2014 at 10:46 PM, Humberto Castro
 wrote:
> I told the hosting provider to help me with this information.
>
  did you see my comments in your original post?

>
> 2014-04-18 14:32 GMT-05:00 Eric Covener :
>
>> On Fri, Apr 18, 2014 at 3:30 PM, Humberto Castro
>>  wrote:
>> > I have not had access to the error log
>>
>> It will be nearly impossible for anyone to help you, or for you to
>> help yourself, without access to your logs.
>>
>>
>
>
>
> --
> HUMBERTO CASTRO




Re: [users@httpd] ¿How to solve '500 Internal Server Error' ?

2014-04-18 Thread Humberto Castro
I told the hosting provider to help me with this information.


2014-04-18 14:32 GMT-05:00 Eric Covener :

> On Fri, Apr 18, 2014 at 3:30 PM, Humberto Castro
>  wrote:
> > I have not had access to the error log
>
> It will be nearly impossible for anyone to help you, or for you to
> help yourself, without access to your logs.
>
>
>


-- 
HUMBERTO CASTRO


RE: [users@httpd] Apache and Upgrading OpenSSL

2014-04-18 Thread Cabell, Jeff
Thanks.  I'll look for that then.


Jeff Cabell
Applications Administrator
Education Solutions

Xerox Education Solutions, LLC
12410 Milestone Center Dr
Germantown, MD  20876
 
P: 240.686.2501
M: 240.380.9308
E: jeff.cab...@xerox.com

www.xerox.com/businessservices


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, April 18, 2014 3:10 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache and Upgrading OpenSSL

Jeff,

On 4/18/14, 2:59 PM, Cabell, Jeff wrote:
> So you're saying that 2.2.27 and 2.4.9 are not actually current 
> releases for Windows...just for *nix?

The httpd project no longer provides binaries of any kind. Most Linux distros 
directly package httpd, and anyone can compile it themselves, too.

Most Windows folks sadly do not have a compiler handy. The ApacheLounge folks 
have kindly been building binaries for Windows. It appears their current 
version is 2.4.9 with OpenSSL 1.0.1g which sounds like it's exactly what you 
want.

-chris




Re: [users@httpd] ¿How to solve '500 Internal Server Error' ?

2014-04-18 Thread Eric Covener
On Fri, Apr 18, 2014 at 3:30 PM, Humberto Castro
 wrote:
> I have not had access to the error log

It will be nearly impossible for anyone to help you, or for you to
help yourself, without access to your logs.




Re: [users@httpd] ¿How to solve '500 Internal Server Error' ?

2014-04-18 Thread Humberto Castro
I have not had access to the error log


2014-04-18 14:27 GMT-05:00 Eric Covener :

> On Fri, Apr 18, 2014 at 3:24 PM, Humberto Castro
>  wrote:
> > More information about this error may be available in the server error
> log.
>
> What does the error log say?
>
>
> --
> Eric Covener
> cove...@gmail.com
>
>
>


-- 
HUMBERTO


Re: [users@httpd] ¿How to solve '500 Internal Server Error' ?

2014-04-18 Thread Eric Covener
On Fri, Apr 18, 2014 at 3:24 PM, Humberto Castro
 wrote:
> More information about this error may be available in the server error log.

What does the error log say?


-- 
Eric Covener
cove...@gmail.com




[users@httpd] ¿How to solve '500 Internal Server Error' ?

2014-04-18 Thread Humberto Castro
Hello. I am configuring restricted access to a directory within my site,
using the file '.htaccess', which references a file containing the list of
users, named '.htpasswd'; but having already uploaded the two files (to
the same folder), when I try to access the protected folder via the web, the
first time the popup asking for username and password is displayed, but
once I enter the data the following message is displayed:

--
Internal Server Error

The server encountered an internal error or misconfiguration and was unable
to complete your request.

Please contact the server administrator, supp...@dominio.com and inform
them of the time the error occurred, and anything you might have done that
may have caused the error.

More information about this error may be available in the server error log.
--

And the next time I try to get in, it does not even ask for my username
and password, but immediately displays the same error message as above.
What could I be doing wrong in the process? Thanks and I hope you can
help me.

Initially I tried the protection by placing the file '.htpasswd' in the root,
and accordingly writing the first line of '.htaccess' like this:
"AuthUserFile /.htpasswd". At that point the problem was
exactly the same (the first time the system asked me for the username and
password, and then it displayed the error message; the following times it did
not even ask for the user data and immediately displayed the error). So
that's the reason I opted to move the '.htpasswd' to the same protected
directory, to detect properly what my mistake was.

I have also tested leaving the '.htaccess' file completely blank and, this
way, no error message is generated; obviously it does not request data to
validate the username.

Initially I had expected the original password of the user within the
'.htpasswd' file to be encrypted by the crypt() function of PHP, but this
did not happen.

--
The contents of my '.htaccess' file are:
AuthUserFile /ruta/.htpasswd
AuthName 'Por favor, introduzca usuario y contraseña'
AuthType Basic
Require valid-user

The contents of the '.htpasswd' file are:
uprueba:cumGzwtU82Vts
--

I have noticed that when I remove the line 'Require valid-user' the error is
not generated - but obviously the system then allows access to the directory
without validating the user. I even tried replacing this line with 'Require
user uprueba', but that way the same error message is generated.

I also changed the permissions on both files to '755', even to '777', but
the error is still generated.


--

HUMBERTO


Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread Christopher Schultz
J.Lance,

On 4/18/14, 2:55 PM, J.Lance Wilkinson wrote:
> Christopher Schultz wrote:
> ...snip...
>>
>> I don't get it. Both setups (2.2.26 and 2.4.9) have 1.0.1.e and have an
>> update available to 1.0.1g (I haven't read the changelogs but I'll bet
>> the difference is mostly the version-bump since everyone is paranoid
>> about 1.0.1e, now). I'll see if that changes anything.
> 
> Chris,
> What OS are you running?  RHEL6?

Something like that. It's "Amazon Linux" which is RHEL-compatible.

> If so, then you actually do have the patched version EQUIVALENT to 1.0.1g,
> so my local Linux guru tells me.
> 
> On RHEL6, I get:
> % openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> 
> BUT, I also get:
> ~% rpm -q openssl
> openssl-1.0.1e-16.el6_5.7.x86_64
> 
> 
> RedHat, he tells me, does not distribute the new version but actually
> went back and applied the relevant patches TO THEIR DISTRIBUTED
> VERSION.  Note the -16.
> That's the indicator.

Yes, I'm aware. Amazon released another update that brings the version
explicitly up to 1.0.1g. I am aware that I was safe from Heartbleed even
with the older version.

> It seems that RedHat thinks they know better than we.

The difference is that the patched 1.0.1e had only the security patch
for Heartbleed. I suspect that the difference between 1.0.1e and 1.0.1g
directly from OpenSSL includes more changes than just the Heartbleed
patch. This is how most distros work: they back-port only the patches
that are appropriate instead of always including version.current for
their updates.

Anyhow, it seems you've strayed off-topic because this isn't about which
is more appropriate -- 1.0.1e or 1.0.1g... it's about why I can't seem
to get httpd 2.2.26 to use ECDHE ciphers. I suspect it has something to
do with Amazon's build process even though the libraries are
dynamically-linked. Perhaps httpd was built against 1.0.0 so does not
include certain capabilities even though 1.0.1g is available at run-time.

-chris





Re: [users@httpd] Apache and Upgrading OpenSSL

2014-04-18 Thread Christopher Schultz
Jeff,

On 4/18/14, 2:59 PM, Cabell, Jeff wrote:
> So you're saying that 2.2.27 and 2.4.9 are not actually current
> releases for Windows...just for *nix?

The httpd project no longer provides binaries of any kind. Most Linux
distros directly package httpd, and anyone can compile it themselves, too.

Most Windows folks sadly do not have a compiler handy. The ApacheLounge
folks have kindly been building binaries for Windows. It appears their
current version is 2.4.9 with OpenSSL 1.0.1g which sounds like it's
exactly what you want.

-chris





Re: [users@httpd] Apache and Upgrading OpenSSL

2014-04-18 Thread Eric Covener
On Fri, Apr 18, 2014 at 2:59 PM, Cabell, Jeff  wrote:
> So you're saying that 2.2.27 and 2.4.9 are not actually current releases for 
> Windows...just for *nix?

No, that source code is what the project releases.  While it's
confusing, binaries have always been at the discretion of committers
who wanted to share them.




RE: [users@httpd] Apache and Upgrading OpenSSL

2014-04-18 Thread Cabell, Jeff
So you're saying that 2.2.27 and 2.4.9 are not actually current releases for 
Windows...just for *nix?



Jeff Cabell
Applications Administrator
Education Solutions

Xerox Education Solutions, LLC
12410 Milestone Center Dr
Germantown, MD  20876
 
P: 240.686.2501
M: 240.380.9308
E: jeff.cab...@xerox.com

www.xerox.com/businessservices


-Original Message-
From: Eric Covener [mailto:cove...@gmail.com] 
Sent: Friday, April 18, 2014 2:55 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache and Upgrading OpenSSL

On Fri, Apr 18, 2014 at 2:51 PM, Cabell, Jeff  wrote:
> And while on the subject, can anyone tell me why the download page, and 
> mirrors for Apache 2.4.9 and 2.2.27 only contain 2.0.65 and 2.2.25?

Windows binary builds have not been contributed by any committers in quite some 
time.  Third-party sites like apachelounge are the primary source of binary 
builds on Windows.

--
Eric Covener
cove...@gmail.com



Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread J.Lance Wilkinson

Christopher Schultz wrote:
...snip...


> I don't get it. Both setups (2.2.26 and 2.4.9) have 1.0.1.e and have an
> update available to 1.0.1g (I haven't read the changelogs but I'll bet
> the difference is mostly the version-bump since everyone is paranoid
> about 1.0.1e, now). I'll see if that changes anything.


Chris,
What OS are you running?  RHEL6?

If so, then you actually do have the patched version EQUIVALENT to 1.0.1g,
so my local Linux guru tells me.

On RHEL6, I get:
% openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

BUT, I also get:
~% rpm -q openssl
openssl-1.0.1e-16.el6_5.7.x86_64


RedHat, he tells me, does not distribute the new version but actually went back 
and applied the relevant patches TO THEIR DISTRIBUTED VERSION.  Note the -16.

That's the indicator.

It seems that RedHat thinks they know better than we.

--
J.Lance Wilkinson ("Lance")   InterNet: lance.wilkin...@psu.edu
Systems Design Specialist - Lead        Phone: (814) 865-4870
Information Technology Services FAX:   (814) 863-3560
Penn State University
Digital Library Technologies, E3 Paterno Library, University Park, PA 16802
http://ucs.psu.edu/home/jl...@psu.edu?fmt=freebusy




Re: [users@httpd] Apache and Upgrading OpenSSL

2014-04-18 Thread Eric Covener
On Fri, Apr 18, 2014 at 2:51 PM, Cabell, Jeff  wrote:
> And while on the subject, can anyone tell me why the download page, and 
> mirrors for Apache 2.4.9 and 2.2.27 only contain 2.0.65 and 2.2.25?

Windows binary builds have not been contributed by any committers in
quite some time.  Third-party sites like apachelounge are the primary
source of binary builds on Windows.

-- 
Eric Covener
cove...@gmail.com




RE: [users@httpd] Apache and Upgrading OpenSSL

2014-04-18 Thread Cabell, Jeff
Yes.  Windows Server 2008.   Thanks to other vulnerabilities that were 
apparently located on the last security scan, I have been instructed to upgrade 
to 1.0.1g.  We're currently running a 0.9.8 version.  So I really need to find 
out what needs to be done for Apache to use the newer version of openssl

And while on the subject, can anyone tell me why the download page, and mirrors 
for Apache 2.4.9 and 2.2.27 only contain 2.0.65 and 2.2.25?

Jeff,

On 4/18/14, 12:23 PM, Cabell, Jeff wrote:
> I'm working on doing some upgrade testing to mitigate the Heartbleed 
> issue and some other vulnerabilities.  Part of that is updating 
> OpenSSL, but I'm a bit confused about something and am hoping that 
> someone can help me.  I've done at least a dozen internet searches and 
> can't find the answer.  It's probably simple, but I'd like to find out 
> anyway.
> 
> What do I need to do in order to update the version of OpenSSL that is 
> included in the Apache HTTP server release?  I've installed OpenSSL 
> 1.0.1g on the server, but the older version is still in the apache 
> /bin directory.  Do I simply replace the openssl executable or is 
> there some kind of change that needs to be made in the httpd.conf file 
> to point to the newer installation?

OS?

Since you said "executable" and not "binary", I should assume you are on 
Windows. If you are using Windows and downloaded the ASF-provided binary, it 
appears (just from the filename, I did nothing other than look at that) that it 
ships with OpenSSL 0.9.8y, which is not affected by Heartbleed.

If you downloaded the "nossl" package, then you don't have SSL or you have 
a separate OpenSSL package that you installed yourself (and it's up to you to 
figure out how to fix that).

-chris




Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread Christopher Schultz
John,

On 4/18/14, 1:16 PM, John Iliffe wrote:
> Further to my previous post, the log reports:
> 
> [Sun Apr 13 03:20:08.591247 2014] [mpm_event:notice] [pid 11737:tid 
> 140478837470976] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- 
> resuming normal operations
> [Sun Apr 13 03:20:08.591283 2014] [core:notice] [pid 11737:tid 
> 140478837470976] AH00094: Command line: '/usr/apache-2.4.9/bin/httpd'
> 
> BUT the libssl in use, and resulting from installing OpenSSL-1.0.1g, is 
> libssl-1.0.0

My setup is a little different:

$ httpd -v
Server version: Apache/2.2.23 (Unix)
Server built:   Oct 21 2012 20:35:47

$ ldd /usr/sbin/httpd
linux-gate.so.1 =>  (0xb7761000)
libm.so.6 => /lib/i686/nosegneg/libm.so.6 (0xb76c3000)
libpcre.so.0 => /lib/libpcre.so.0 (0xb7668000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb7649000)
libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0xb7625000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb75f6000)
libexpat.so.1 => /lib/libexpat.so.1 (0xb75d)
libdb-4.7.so => /lib/libdb-4.7.so (0xb745e000)
libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0xb743)
libpthread.so.0 => /lib/i686/nosegneg/libpthread.so.0 (0xb7415000)
libc.so.6 => /lib/i686/nosegneg/libc.so.6 (0xb726f000)
/lib/ld-linux.so.2 (0xb7762000)
libdl.so.2 => /lib/libdl.so.2 (0xb726a000)
libuuid.so.1 => /lib/libuuid.so.1 (0xb7265000)
libfreebl3.so => /lib/libfreebl3.so (0xb7206000)

$ ldd /usr/lib/libapr-1.so.0
linux-gate.so.1 =>  (0xb779a000)
libuuid.so.1 => /lib/libuuid.so.1 (0xb776)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7731000)
libpthread.so.0 => /lib/i686/nosegneg/libpthread.so.0 (0xb7717000)
libc.so.6 => /lib/i686/nosegneg/libc.so.6 (0xb757)
/lib/ld-linux.so.2 (0xb779b000)
libfreebl3.so => /lib/libfreebl3.so (0xb7511000)
libdl.so.2 => /lib/libdl.so.2 (0xb750c000)

$ ldd /usr/lib/httpd/modules/mod_ssl.so
linux-gate.so.1 =>  (0xb76f3000)
libssl.so.10 => /usr/lib/libssl.so.10 (0xb765d000)
libcrypto.so.10 => /lib/libcrypto.so.10 (0xb74a6000)
libc.so.6 => /lib/i686/nosegneg/libc.so.6 (0xb730)
libgssapi_krb5.so.2 => /lib/libgssapi_krb5.so.2 (0xb72c2000)
libkrb5.so.3 => /lib/libkrb5.so.3 (0xb71f3000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0xb71ef000)
libk5crypto.so.3 => /lib/libk5crypto.so.3 (0xb71c4000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb71ad000)
libdl.so.2 => /lib/libdl.so.2 (0xb71a8000)
libz.so.1 => /lib/libz.so.1 (0xb7192000)
/lib/ld-linux.so.2 (0xb76f4000)
libkrb5support.so.0 => /lib/libkrb5support.so.0 (0xb7187000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7183000)
libpthread.so.0 => /lib/i686/nosegneg/libpthread.so.0 (0xb7169000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb714a000)

$ ls -l /usr/lib/libssl.so.10
lrwxrwxrwx 1 root root 16 Apr  8 15:38 /usr/lib/libssl.so.10 ->
libssl.so.1.0.1e

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

$ sudo grep "resuming" /var/log/httpd/error_log
[Fri Apr 18 03:21:02 2014] [notice] Apache/2.2.23 (Unix) DAV/2
mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured --
resuming normal operations

So httpd is dynamically-linked to OpenSSL 1.0.1e (really 1.0.1g, with a
very important patch ;) and yet it reports OpenSSL 1.0.0 on startup.

I don't get it. Both setups (2.2.26 and 2.4.9) have 1.0.1.e and have an
update available to 1.0.1g (I haven't read the changelogs but I'll bet
the difference is mostly the version-bump since everyone is paranoid
about 1.0.1e, now). I'll see if that changes anything.

-chris



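The comparison made by hand in the message above (which OpenSSL the module loads versus which one the startup banner names) can be scripted. This is an added example, not code from the thread: the function names are hypothetical, the `ldd` and log lines are copied from the message, and the `strings` output is constructed around the version text that `openssl version` prints there.

```shell
#!/bin/sh
# Compare the OpenSSL version text inside the libcrypto that mod_ssl resolves
# to with the version httpd announces in its startup banner.

# Path the loader resolves a library to, from `ldd` output on stdin.
# $1 = library name prefix, e.g. libcrypto
resolved_lib() {
    awk -v name="$1" 'index($1, name ".so") == 1 && $2 == "=>" { print $3; exit }'
}

# Version from the "OpenSSL <version> <date>" line embedded in libcrypto,
# read from `strings` output on stdin. The file name is not used because
# upstream builds keep the same .so name across patch releases.
embedded_version() {
    awk '$1 == "OpenSSL" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+/ { print $2; exit }'
}

# Version from the OpenSSL/<version> token of the last startup banner on stdin.
banner_version() {
    sed -n '/resuming normal operations/s/.* OpenSSL\/\([^ ]*\).*/\1/p' | tail -n 1
}

# Prints match or differs, ignoring a build suffix such as -fips.
compare_versions() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "${1%%-*}" = "${2%%-*}" ]; then echo match
    else echo differs
    fi
}

# --- sample input -------------------------------------------------------
sample_ldd() {          # lines from the ldd output quoted in the message
cat <<'EOF'
	linux-gate.so.1 =>  (0xb76f3000)
	libssl.so.10 => /usr/lib/libssl.so.10 (0xb765d000)
	libcrypto.so.10 => /lib/libcrypto.so.10 (0xb74a6000)
EOF
}

sample_strings() {      # constructed stand-in for `strings libcrypto.so.10`
cat <<'EOF'
Big Number part of OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1e-fips 11 Feb 2013
EOF
}

sample_error_log() {    # banner from the message, unwrapped onto one line
cat <<'EOF'
[Fri Apr 18 03:21:02 2014] [notice] Apache/2.2.23 (Unix) DAV/2 mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured -- resuming normal operations
EOF
}

demo() {
    lib=$(sample_ldd | resolved_lib libcrypto)
    loaded=$(sample_strings | embedded_version)
    banner=$(sample_error_log | banner_version)
    echo "$lib has $loaded, banner says $banner: $(compare_versions "$loaded" "$banner")"
}
demo

# On a live host the same functions take real input, for example:
#   lib=$(ldd /usr/lib/httpd/modules/mod_ssl.so | resolved_lib libcrypto)
#   strings "$lib" | embedded_version
#   banner_version < /var/log/httpd/error_log
```
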


Re: [users@httpd] Apache and Upgrading OpenSSL

2014-04-18 Thread Christopher Schultz
Jeff,

On 4/18/14, 12:23 PM, Cabell, Jeff wrote:
> I'm working on doing some upgrade testing to mitigate the Heartbleed
> issue and some other vulnerabilities.  Part of that is updating
> OpenSSL, but I'm a bit confused about something and am hoping that
> someone can help me.  I've done at least a dozen internet searches
> and can't find the answer.  It's probably simple, but I'd like to
> find out anyway.
> 
> What do I need to do in order to update the version of OpenSSL that
> is included in the Apache HTTP server release?  I've installed
> OpenSSL 1.0.1g on the server, but the older version is still in the
> apache /bin directory.  Do I simply replace the openssl executable or
> is there some kind of change that needs to be made in the httpd.conf
> file to point to the newer installation?

OS?

Since you said "executable" and not "binary", I should assume you are on
Windows. If you are using Windows and downloaded the ASF-provided
binary, it appears (just from the filename, I did nothing other than
look at that) that it ships with OpenSSL 0.9.8y, which is not affected
by Heartbleed.

If you downloaded the "nossl" package, then you don't have SSL or
you have a separate OpenSSL package that you installed yourself (and
it's up to you to figure out how to fix that).

-chris





Re: [users@httpd] NameVirtualHost address is not supported

2014-04-18 Thread Christopher Schultz
Michael,

On 4/18/14, 2:16 PM, Michael Peters wrote:
> I have a few sites I’d like to run on a single server with one IP on
> port 80 and 443. I’ve tried several configuration examples without
> success. I get error messages like this:
> 
>  
> 
> Starting httpd: [Fri Apr 18 09:23:32 2014] [error] VirtualHost
> _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost
> address is not supported, proceeding with undefined results
> 
> [Fri Apr 18 09:23:32 2014] [warn] NameVirtualHost 184.168.190.45:0
>  has no VirtualHosts
> 
>  
> 
> When I put multiple entries into httpd.conf similar to this:
> 
>  
> 
> #
> 
> http://208.109.171.169:80>>
> 
> ServerName sitename-1.com 
> 
> DocumentRoot "/www/html/ sitename-1"
> 
> ServerAdmin webmaster@ sitename-1.com 
> 
> 
> 
> allow from all
> 
> Options +Indexes
> 
> 
> 
> 
> 
> #
> 
> http://208.109.171.169:80>>
> 
> ServerName sitename-2.com 
> 
> DocumentRoot "/www/html/ sitename-2"
> 
> ServerAdmin webmaster@ sitename-2.com 
> 
> 
> 
> allow from all
> 
> Options +Indexes
> 
> 
> 
> 
> 
> #

What does your "NameVirtualHost" directive look like?

-chris





[users@httpd] NameVirtualHost address is not supported

2014-04-18 Thread Michael Peters
I have a few sites I'd like to run on a single server with one IP on port
80 and 443. I've tried several configuration examples without success. I
get error messages like this:



Starting httpd: [Fri Apr 18 09:23:32 2014] [error] VirtualHost
_default_:443 -- mixing * ports and non-* ports with a NameVirtualHost
address is not supported, proceeding with undefined results

[Fri Apr 18 09:23:32 2014] [warn] NameVirtualHost 184.168.190.45:0 has no
VirtualHosts



When I put multiple entries into httpd.conf similar to this:



#



ServerName sitename-1.com

DocumentRoot "/www/html/ sitename-1"

ServerAdmin webmaster@ sitename-1.com



allow from all

Options +Indexes





#



ServerName sitename-2.com

DocumentRoot "/www/html/ sitename-2"

ServerAdmin webmaster@ sitename-2.com



allow from all

Options +Indexes





#



There is nothing but defaults in the ssl.conf file.



I have a site running fine located in the root directory, but when I try to
add other sites in subdirectories, that's when the errors start and all
sites go down. Would anyone please offer me a suggestion for enabling
multiple sites for Apache 2.2?



Best regards,



*Michael*


[users@httpd] Help with Virtual Hosting on Linux 3.2 / Ubuntu 12.04.4

2014-04-18 Thread Roy Hinkelman - Technical Services

Definite Linux newby, and after bumbling about with nothing working, I thought 
I'd ask.
 
With the below setup, and an entry in my hosts file, FireFox complains with 
Unable to connect
Firefox can't establish a connection to the server at wtp4.atoztheworld.com.
 
+
- Multiple websites, each has its own config file for mailman, custom 
redirects, mod_rewrite,  whatever
- Linux 3.2.0-60-generic / Ubuntu 12.04.4

# 1) create directories to hold website
/var/www/AZtheWorld
/var/www/AZtheWorld/htdocs
/var/www/AZtheWorld/logs
/var/www/AZtheWorld/index.html # Hello World output

/var/www/website2
etc.

#  2) The next thing to do is to enable virtual hosts in your Apache  
configuration. The simplest way to do this is to create a file called 
/etc/apache2/conf.d/virtual.conf and include the following content in it:
#
#  We're running multiple virtual hosts.
#
NameVirtualHost *
#TODO valid for my situation? Came from 
http://www.debian-administration.org/articles/412

#TODO https://httpd.apache.org/docs/2.4/vhosts/name-based.html says a reference is 
needed in etc/apache2/httpd.conf but I do not see this referenced anywhere 
else. 
Is it required?? Does #2 handle it??


# 3) # AZtheWorld (/etc/apache2/sites-available/AZtheWorld)
# separate files for each site


 #ServerAdmin webmas...@example.com
 #TODO find out about this
 
 ServerName wtp4.atoztheworld.com
 #ServerAlias example.com # used only if needed / wanted

 # Indexes + Directory Root.
 DirectoryIndex index.html
 DocumentRoot /var/www/AZtheWorld

 # CGI Directory
 #ScriptAlias /cgi-bin/ /home/www/www.example.com/cgi-bin/
 #
 #Options +ExecCGI
 #
 #TODO find out about this
 
 # Logfiles
 ErrorLog /var/www/AZtheWorld/logs/error.log
 CustomLog /var/www/AZtheWorld/logs/access.log combined



# 4) enable sites and reload ( or restart? )
# a2dissite default #
# a2ensite AZtheWorld
# service apache2 restart
+
 
Thanks,
 
Roy Hinkelman
 Technical Services
 World Trade Press
 707-774-7411
 r...@worldtradepress.com
 
 www.WorldTradePress.com (main website)
 

Re: [users@httpd] How do you fix "500 Internal Server Error"?

2014-04-18 Thread Mauricio Tavares
2014-04-18 13:29 GMT-04:00 Humberto Castro :
> **
> How do you fix '500 Internal Server Error'?
> **
>
  As http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
mentions, 500 is a bit of a catch all for the errors not covered by
the other 5xx error messages. Did you check the log file?

> Hello. I am configuring restricted access to a directory within my
> website, using the '.htaccess' file, which references the file containing
> the list of users, named '.htpasswd'; but having already uploaded the two
> files (to the same folder), when I try to access the protected folder
> through the web browser, the first time the pop-up window asking for the
> username and password is shown, but once I enter the data the following
> message is shown:
>
> --
> Internal Server Error
>
> The server encountered an internal error or misconfiguration and was unable
> to complete your request.
>
> Please contact the server administrator, supp...@dominio.com and inform them
> of the time the error occurred, and anything you might have done that may
> have caused the error.
>
> More information about this error may be available in the server error log.
> --
>
> And the following times I try to get in, it no longer even asks me for
> the username and password; instead the same error message as before is
> shown right away. What could I be doing wrong in the procedure? Thanks,
> and I hope you can help me.
>
> Initially I tried the protection by placing the .htpasswd file in the
> root, and accordingly writing the first line of .htaccess like this:
> 'AuthUserFile /.htpasswd'. At that point the problem was exactly the same
> (the first time the system asked me for the username and password, and
> then showed me the error message; the following times it did not even ask
> me for the user data and showed me the error right away). That is why I
> chose to move the '.htpasswd' to the same protected directory, to pin down
> what my mistake was.
>
> I have also tried leaving the '.htaccess' file completely blank and, this
> way, no error message is generated, though obviously it does not ask me
> for data to validate the username.
>
> Initially I expected the original password for the user within the
> '.htpasswd' file to be encrypted by PHP's crypt() function, but this did
> not happen.
>
> --
> The contents of my '.htaccess' file are:
> AuthUserFile /ruta/.htpasswd
> AuthName 'Por favor, introduzca usuario y contraseña'
> AuthType Basic
> Require valid-user
>
> The contents of the '.htpasswd' file are:
> uprueba:cumGzwtU82Vts
> --
>
> I have found that when I remove the line 'Require valid-user' the error is
> not generated - but obviously it lets anyone into the directory without
> validating the user. I have even tried replacing this line with 'Require
> user uprueba', but this way exactly the same error message is generated.
>
> I have also changed the permissions of both files to '755', even to
> '777', but the error is still generated.
>
  I do not know if I would want my password file to be readable by
everyone + the cat. https://www.dokuwiki.org/faq:error500 has a few
thoughts on that too.

>
> --
> HUMBERTO

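The placement and permission points that come up in this exchange (where AuthUserFile points, files set to '777', a crypt()-style entry) can be audited with a short script. This is an added example, not code from the thread: `audit_basic_auth`, its finding labels and the sample files are hypothetical and constructed, and the check runs as the current account rather than as the web server's user.

```shell
#!/bin/sh
# Audit the Basic-auth files of one protected directory: where AuthUserFile
# points, who can write the files, and which hash format the entries use.

audit_basic_auth() {
    dir=$1
    ht="$dir/.htaccess"
    [ -r "$ht" ] || { echo "no-htaccess"; return 0; }

    # First AuthUserFile argument (directive names are case-insensitive).
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    [ -n "$pw" ] || { echo "no-authuserfile"; return 0; }

    # The argument is a filesystem path, not a URL path; a relative one is
    # resolved against ServerRoot, not against this directory.
    case $pw in
        /*) ;;
        *)  echo "relative-path $pw"; return 0 ;;
    esac
    # Readable by the account running this check (assumption: same as httpd).
    [ -r "$pw" ] || { echo "unreadable $pw"; return 0; }

    # Password file stored inside the directory it protects.
    case $pw in
        "$dir"/*) echo "inside-served-dir" ;;
    esac

    # Mode 777 or 666: any local account can rewrite the file.
    for f in "$ht" "$pw"; do
        if [ -n "$(find "$f" -prune -perm -0002)" ]; then
            echo "world-writable ${f##*/}"
        fi
    done

    # 13 characters from [./0-9A-Za-z] is the traditional crypt() format.
    awk -F: 'length($2) == 13 && $2 ~ /^[.\/0-9A-Za-z]+$/ { print "des-crypt " $1 }' "$pw"
    return 0
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample modelled on the files described in the thread.
    printf 'AuthUserFile %s/.htpasswd\nAuthName "Restricted"\nAuthType Basic\nRequire valid-user\n' "$d" > "$d/.htaccess"
    printf 'demo:abDEMOdemo123\n' > "$d/.htpasswd"     # placeholder, not a real hash
    chmod 777 "$d/.htaccess" "$d/.htpasswd"
    audit_basic_auth "$d"

    # Same directory, AuthUserFile now naming a file that does not exist.
    printf 'AuthUserFile %s/missing/.htpasswd\n' "$d" > "$d/.htaccess"
    audit_basic_auth "$d"
    rm -rf "$d"
}
demo
```
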



[users@httpd] How do you fix "500 Internal Server Error"?

2014-04-18 Thread Humberto Castro
**
How do you fix '500 Internal Server Error'?
**

Hello. I am configuring restricted access to a directory within my
website, using the '.htaccess' file, which references the file containing
the list of users, named '.htpasswd'; but having already uploaded the two
files (to the same folder), when I try to access the protected folder
through the web browser, the first time the pop-up window asking for the
username and password is shown, but once I enter the data the following
message is shown:

--
Internal Server Error

The server encountered an internal error or misconfiguration and was unable
to complete your request.

Please contact the server administrator, supp...@dominio.com and inform
them of the time the error occurred, and anything you might have done that
may have caused the error.

More information about this error may be available in the server error log.
--

And the following times I try to get in again, it no longer even asks me
for the Username and Password; instead the same error message as before is
shown right away. What could I be doing wrong in the procedure? Thank you,
and I hope you can help me.

Initially I tried the protection by placing the .htpasswd file in the
root, and accordingly writing the first line of .htaccess as:
'AuthUserFile /.htpasswd'. At that point the problem was exactly the same
(the first time the system asked me for the Username and Password, and then
showed me the error message; the following times it did not even ask for
the user's details and showed the error right away). That is why I chose to
move the '.htpasswd' into the protected directory itself, to pin down what
my mistake was.

I have also tried leaving the '.htaccess' file completely blank and, that
way, no error message is generated, though obviously it does not ask me for
details to validate the Username.

Initially I expected the original password for the user in the '.htpasswd'
file to be encrypted with PHP's crypt() function, but that did not happen.

--
The content of my '.htaccess' file is:
AuthUserFile /ruta/.htpasswd
AuthName 'Por favor, introduzca usuario y contraseña'
AuthType Basic
Require valid-user

The content of the '.htpasswd' file is:
uprueba:cumGzwtU82Vts
--

I have found that when I remove the line 'Require valid-user' the error is
not generated - but obviously it lets anyone into the directory without
validating the user. I have even tried changing this line to
'Require user uprueba', but that produces exactly the same error message.

I have also changed the permissions on both files to '755', and even to
'777', but the error is still generated.


--
HUMBERTO


Re: [users@httpd] Adobe cq behind reverse proxy

2014-04-18 Thread J.Lance Wilkinson

paul.warren.p.p...@accenture.com wrote:

Hi, we have adobe cq web server which we want to access through apache
reverse proxy. Our scenario is:

Adobe cq actual url: Www.cqserver.com:4502

Virtual hostname configured in apache: Www.portal.com/cq

We have the below lines in httpd.conf:

Proxypass /cq/ Www.cqserver.com:4502
Proxypassreverse /cq/ Www.cqserver.com:4502

But unfortunately, this doesn't work. Please advise what else I can do to
make it work.



I'm no proxy expert, but why aren't you using the CQ Dispatcher
instead?


--
J.Lance Wilkinson ("Lance")       InterNet: lance.wilkin...@psu.edu
Systems Design Specialist - Lead  Phone: (814) 865-4870
Information Technology Services   FAX:   (814) 863-3560
Penn State University
Digital Library Technologies, E3 Paterno Library, University Park, PA 16802
http://ucs.psu.edu/home/jl...@psu.edu?fmt=freebusy




Re: [users@httpd] Adobe cq behind reverse proxy

2014-04-18 Thread Eric Covener
On Fri, Apr 18, 2014 at 12:50 PM,   wrote:
> Hi, we have adobe cq web server which we want to access through apache 
> reverse proxy. Our scenario is:
>
> Adobe cq actual url:
> Www.cqserver.com:4502
>
> Virtual hostname configured in apache:
> Www.portal.com/cq
>
> We have the below lines in httpd.conf:
>
> Proxypass /cq/ Www.cqserver.com:4502
> Proxypassreverse /cq/ Www.cqserver.com:4502
>
> But unfortunately, this doesn't work. Please advise what else I can do to
> make it work.

Details?

You probably want a trailing slash on the 2nd parameter, and a
scheme/protocol as in http:// rather than a hostname and a port -- see
examples in the manual.
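
The two fixes suggested in this reply, a scheme on the target and a trailing slash that matches the path, written as an added Python lint over the directives from the question (example code, not from the thread or the httpd project). The corrected pair in `AFTER` is my reading of the advice, and treating a ProxyPassReverse target that differs from its ProxyPass as a finding is an assumption of this example.

```python
import re

# scheme://host[:port][/path]
TARGET = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/\s]+(/\S*)?$")
DIRECTIVES = ("proxypass", "proxypassreverse")  # names are case-insensitive

# The directives from the question, verbatim.
BEFORE = """\
Proxypass /cq/ Www.cqserver.com:4502
Proxypassreverse /cq/ Www.cqserver.com:4502
"""

# Constructed: the same pair with a scheme and a trailing slash added.
AFTER = """\
ProxyPass /cq/ http://www.cqserver.com:4502/
ProxyPassReverse /cq/ http://www.cqserver.com:4502/
"""


def lint_directive(path, target):
    """Check one path/target pair for the two problems named in the reply."""
    problems = []
    if not TARGET.match(target):
        problems.append("target-missing-scheme")
    # mod_proxy expects both arguments to end in "/" or neither to.
    if path.endswith("/") != target.endswith("/"):
        problems.append("trailing-slash-mismatch")
    return problems


def lint_config(text):
    """Return [(line number, problem)] for every ProxyPass* line in text."""
    report = []
    forward = {}                       # path -> target of the ProxyPass line
    for number, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].lower() not in DIRECTIVES:
            continue
        if len(parts) < 3:
            report.append((number, "missing-argument"))
            continue
        name, path, target = parts[0].lower(), parts[1], parts[2]
        if target == "!":              # "ProxyPass /path !" is an exclusion
            continue
        report.extend((number, p) for p in lint_directive(path, target))
        if name == "proxypass":
            forward[path] = target
        elif path in forward and forward[path].lower() != target.lower():
            report.append((number, "reverse-target-differs"))
    return report


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_config(conf))
```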




Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread John Iliffe
Further to my previous post, the log reports:

[Sun Apr 13 03:20:08.591247 2014] [mpm_event:notice] [pid 11737:tid 
140478837470976] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- 
resuming normal operations
[Sun Apr 13 03:20:08.591283 2014] [core:notice] [pid 11737:tid 
140478837470976] AH00094: Command line: '/usr/apache-2.4.9/bin/httpd'

BUT the libssl in use, and resulting from installing OpenSSL-1.0.1g, is 
libssl-1.0.0

John
==
On Friday 18 April 2014 13:08:12 John Iliffe wrote:
> Re the version of OpenSSL, I reported this last week to this list.
> 
> Seems that OpenSSL-1.0.1g is linked to libssl-1.0.0, not the usual
> libssl-1.x.x format.
> 
> Probably a make file error, but it really seems to be 1.0.1g.
> 
> John
> =
> 
> On Friday 18 April 2014 12:14:32 Christopher Schultz wrote:
> > Igor,
> > 
> > On 4/17/14, 8:56 PM, Igor Cicimov wrote:
> > > On 18/04/2014 2:30 AM, "Hanno Böck"  > > 
> > > > wrote:
> > >> On Thu, 17 Apr 2014 12:27:37 -0400
> > >> Christopher Schultz  > > 
> > > > wrote:
> > >> > I'm trying to enable (and prefer!) ECDHE ciphers for clients that
> > >> > can
> > >> 
> > >> > support them. I've done the obvious:
> > >> [...]
> > >> 
> > >> > I'm running httpd 2.2.23
> > >> 
> > >> That's your problem. Get rid of that old cruft. You'll need apache
> > >> 2.4 (for that and for many other improvements regarding ssl
> > >> encryption).
> > > 
> > > No you don't i have 2.2 with latest openssl-1.0.1g on all my servers
> > > and TLSv1.2 and ECDHE ciphers are supported.
> > 
> > I checked, and even though I have the OpenSSL 1.0.1g package
> > installed, it appears that httpd was compiled against OpenSSL 1.0.0.
> > When I look at the start up log, it says:
> > 
> > [Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2
> > mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured
> > -- resuming normal operations
> > 
> > On another test server, I upgraded to the latest 2.2.x httpd I can get
> > from Amazon, which is 2.2.26. I re-started and still can't seem to use
> > the ECDHE algorithms.
> > 
> > On that same (second) test server I upgraded to httpd 2.4.9. Here is
> > the startup log message there:
> > 
> > [Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337]
> > AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10
> > mod_jk/1.2.40 configured -- resuming normal operations
> > 
> > I'm now able to use the ECDHE ciphers.
> > 
> > Everything appears to be dynamically-linked, so I can't understand why
> > 2.2.x reports it's running with OpenSSL 1.0.0 when I clearly have
> > 1.0.1 installed. This is almost certainly an Amazon-Linux-related
> > thing if you were able to get ECDHE ciphers working on 2.2.x.
> > 
> > I wonder, what does your startup string say about OpenSSL?
> > 
> > The good news is that I really did only have to put it in my ciphers
> > list.
> > 
> > Thanks,
> > -chris
> 




Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread John Iliffe
Re the version of OpenSSL, I reported this last week to this list.

Seems that OpenSSL-1.0.1g is linked to libssl-1.0.0, not the usual 
libssl-1.x.x format.

Probably a make file error, but it really seems to be 1.0.1g.

John
=
On Friday 18 April 2014 12:14:32 Christopher Schultz wrote:
> Igor,
> 
> On 4/17/14, 8:56 PM, Igor Cicimov wrote:
> > On 18/04/2014 2:30 AM, "Hanno Böck"  > 
> > > wrote:
> >> On Thu, 17 Apr 2014 12:27:37 -0400
> >> Christopher Schultz  > 
> > > wrote:
> >> > I'm trying to enable (and prefer!) ECDHE ciphers for clients that
> >> > can
> >> 
> >> > support them. I've done the obvious:
> >> [...]
> >> 
> >> > I'm running httpd 2.2.23
> >> 
> >> That's your problem. Get rid of that old cruft. You'll need apache
> >> 2.4 (for that and for many other improvements regarding ssl
> >> encryption).
> > 
> > No you don't i have 2.2 with latest openssl-1.0.1g on all my servers
> > and TLSv1.2 and ECDHE ciphers are supported.
> 
> I checked, and even though I have the OpenSSL 1.0.1g package installed,
> it appears that httpd was compiled against OpenSSL 1.0.0. When I look at
> the start up log, it says:
> 
> [Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2
> mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured --
> resuming normal operations
> 
> On another test server, I upgraded to the latest 2.2.x httpd I can get
> from Amazon, which is 2.2.26. I re-started and still can't seem to use
> the ECDHE algorithms.
> 
> On that same (second) test server I upgraded to httpd 2.4.9. Here is the
> startup log message there:
> 
> [Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337]
> AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10
> mod_jk/1.2.40 configured -- resuming normal operations
> 
> I'm now able to use the ECDHE ciphers.
> 
> Everything appears to be dynamically-linked, so I can't understand why
> 2.2.x reports it's running with OpenSSL 1.0.0 when I clearly have 1.0.1
> installed. This is almost certainly an Amazon-Linux-related thing if you
> were able to get ECDHE ciphers working on 2.2.x.
> 
> I wonder, what does your startup string say about OpenSSL?
> 
> The good news is that I really did only have to put it in my ciphers
> list.
> 
> Thanks,
> -chris




[users@httpd] Adobe cq behind reverse proxy

2014-04-18 Thread paul.warren.p.pili
Hi, we have adobe cq web server which we want to access through apache reverse 
proxy. Our scenario is:

Adobe cq actual url:
Www.cqserver.com:4502

Virtual hostname configured in apache:
Www.portal.com/cq

We have the below lines in httpd.conf:

Proxypass /cq/ Www.cqserver.com:4502
Proxypassreverse /cq/ Www.cqserver.com:4502

But unfortunately, this doesn't work. Please advise what else I can do to make
it work.






[users@httpd] Apache and Upgrading OpenSSL

2014-04-18 Thread Cabell, Jeff
I'm working on doing some upgrade testing to mitigate the Heartbleed issue and 
some other vulnerabilities.  Part of that is updating OpenSSL, but I'm a bit 
confused about something and am hoping that someone can help me.  I've done at 
least a dozen internet searches and can't find the answer.  It's probably 
simple, but I'd like to find out anyway.

What do I need to do in order to update the version of OpenSSL that is included 
in the Apache HTTP server release?  I've installed OpenSSL 1.0.1g on the 
server, but the older version is still in the apache /bin directory.  Do I 
simply replace the openssl executable or is there some kind of change that 
needs to be made in the httpd.conf file to point to the newer installation?

Any help would be appreciated.

Thanks, 

Jeff 





Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread Christopher Schultz
Igor,

On 4/17/14, 8:56 PM, Igor Cicimov wrote:
> 
> On 18/04/2014 2:30 AM, "Hanno Böck"  > wrote:
>>
>> On Thu, 17 Apr 2014 12:27:37 -0400
>> Christopher Schultz  > wrote:
>>
>> > I'm trying to enable (and prefer!) ECDHE ciphers for clients that can
>> > support them. I've done the obvious:
>> [...]
>> > I'm running httpd 2.2.23
>>
>> That's your problem. Get rid of that old cruft. You'll need apache 2.4
>> (for that and for many other improvements regarding ssl encryption).
>>
> No you don't i have 2.2 with latest openssl-1.0.1g on all my servers and
> TLSv1.2 and ECDHE ciphers are supported.

I checked, and even though I have the OpenSSL 1.0.1g package installed,
it appears that httpd was compiled against OpenSSL 1.0.0. When I look at
the start up log, it says:

[Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2
mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured --
resuming normal operations

On another test server, I upgraded to the latest 2.2.x httpd I can get
from Amazon, which is 2.2.26. I re-started and still can't seem to use
the ECDHE algorithms.

On that same (second) test server I upgraded to httpd 2.4.9. Here is the
startup log message there:

[Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337]
AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10
mod_jk/1.2.40 configured -- resuming normal operations

I'm now able to use the ECDHE ciphers.

Everything appears to be dynamically-linked, so I can't understand why
2.2.x reports it's running with OpenSSL 1.0.0 when I clearly have 1.0.1
installed. This is almost certainly an Amazon-Linux-related thing if you
were able to get ECDHE ciphers working on 2.2.x.

I wonder, what does your startup string say about OpenSSL?

The good news is that I really did only have to put it in my ciphers list.

Thanks,
-chris
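
Both this message and the Heartbleed upgrade question above come down to which OpenSSL version httpd reports in its startup banner. The Python below is an added example (not from the thread): it parses the banners quoted in these messages, unwrapped onto one line each, and marks versions in the upstream range 1.0.1 through 1.0.1f, which predates the Heartbleed fix in 1.0.1g. The function names are my own.

```python
import re

# Startup banners quoted in the messages above, unwrapped onto one line each.
SAMPLE_LOG = [
    "[Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2 "
    "mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips "
    "configured -- resuming normal operations",
    "[Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337] "
    "AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10 "
    "mod_jk/1.2.40 configured -- resuming normal operations",
    "[Sun Apr 13 03:20:08.591247 2014] [mpm_event:notice] "
    "[pid 11737:tid 140478837470976] AH00489: Apache/2.4.9 (Unix) "
    "OpenSSL/1.0.1g configured -- resuming normal operations",
    # Not a startup banner: must be ignored.
    "[Sun Apr 13 03:20:08.591283 2014] [core:notice] [pid 11737:tid "
    "140478837470976] AH00094: Command line: '/usr/apache-2.4.9/bin/httpd'",
]

BANNER = re.compile(r"(Apache/\S+.*?)\s+configured -- ")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(line):
    """Return {product: version} from a startup banner, or None."""
    m = BANNER.search(line)
    if not m:
        return None
    components = {}
    for token in m.group(1).split():
        if "/" in token:                      # skips "(Unix)", "(Amazon)"
            product, version = token.split("/", 1)
            components[product] = version
    return components


def in_heartbleed_range(openssl_version):
    """True for upstream OpenSSL 1.0.1 through 1.0.1f (1.0.1g has the fix)."""
    m = VERSION.match(openssl_version)
    if not m:
        return False
    major, minor, patch, letter = m.groups()
    return (major, minor, patch) == ("1", "0", "1") and letter < "g"


def audit(lines):
    """Return (httpd version, OpenSSL version, needs_review) per banner."""
    rows = []
    for line in lines:
        comp = parse_banner(line)
        if comp and "OpenSSL" in comp:
            rows.append((comp["Apache"], comp["OpenSSL"],
                         in_heartbleed_range(comp["OpenSSL"])))
    return rows


if __name__ == "__main__":
    for httpd, openssl, review in audit(SAMPLE_LOG):
        print(httpd, openssl, "REVIEW" if review else "ok")
```

Distribution packages can carry a backported fix under an unchanged version string such as 1.0.1e-fips, so a flagged row means checking the package changelog, not that the host is necessarily exposed.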





Re: [users@httpd] ProxyPassMatch with Unix sockets

2014-04-18 Thread Jim Jagielski
Since this is a new feature, we are consistently adding
enhancements and new methods for it... Thx for the
feedback; let me take a look.

On Apr 18, 2014, at 10:12 AM, Marc Aymerich  wrote:

> On Fri, Apr 18, 2014 at 2:48 AM, Igor Cicimov  wrote:
>> 
>> On 18/04/2014 10:43 AM, "Igor Cicimov"  wrote:
>>> 
>>> 
>>> On 18/04/2014 8:25 AM, "Marc Aymerich"  wrote:
 
>>>> On Thu, Apr 17, 2014 at 11:18 PM, Marc Aymerich
>>>> wrote:
>>>>> On Wed, Apr 16, 2014 at 11:17 PM, Marc Aymerich
>>>>> wrote:
>>>>>> Hi,
>>>>>> I have a PHP-FPM web application that I want it to be accessed under
>>>>>> "/alias/" path. I'm trying to configure ProxyPassMatch with Unix
>>>>>> sockets but it doesn't work because it passes "/alias/" to the web
>>>>>> app, but this path doesn't exist :(
>>>>>>
>>>>>> What I have so far is this:
>>>>>>
>>>>>> ProxyPassMatch ^/alias/(.*\.php(/.*)?)$ \
>>>>>> unix:/var/run/user-fpm.sock|fcgi://localhost/home/user/webapps/app1/
>>>>>
>>>>>
>>>>> I think I got something :)
>>>>>
>>>>> if you guys like to comment on the following solution it would be
>>>>> great! (I'm kind of newbie)
>>>>>
>>>>> # Rewrite the URL before proxying
>>>>> RewriteRule ^/alias(.*\.php)$ $1 [L,PT]
>>>>>
>>>>> ProxyPassMatch ^/?(.*\.php)$
>>>>> unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1/
>>>>>
>>>>> # Create an alias for app1 static content
>>>>> Alias /alias /home/user/webapps/app1/
>>>>
>>>>
>>>> Well, actually this doesn't solve my original problem which is having
>>>> two different php-fpm apps under the same VirtualHost.
>>>>
>>>> Based on the previous directives I kind of expected something like the
>>>> following to work:
>>>>
>>>>
>>>> RewriteRule $1 [L,PT]
>>>> ProxyPassMatch
>>>> unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1/
>>>>
>>>>
>>>>
>>>> RewriteRule $1 [L,PT]
>>>> ProxyPassMatch
>>>> unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app2/
>>>>
>>>>
>>>>
>>>> But it doesn't, the RewriteRule seems to be totally ignored inside a
>>>> LocationMatch no matter what I put there.
 
>>> Did you read
>>> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassmatch
>>> 
>> And
>> http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule
>> Pay attention to the Context which explains where the directive should be
>> used.
> 
> 
> Thanks Igor for pointing out these documents.
> 
> I've read them carefully this morning and done some more tests, none
> of them worked as I wanted to.
> 
> I have concluded that it is not possible to have multiple fcgi socket
> apps on the same VirtualHost using mod proxy.
> 
> At least not by using the functionality available on current stable 2.4.9.
> 
> But I'd love someone to prove me wrong :)
> 
> 
> 
> Here is the summary of the 3 ways I've tried:
> 
> 1) The first thing is trying to pass the matched part of a URL using
> ProxyPassMatch.
> 
> But the obvious way of doing this doesn't work:
> 
> ProxyPassMatch ^/alias(.*\.php)$
> unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1/$1
> 
> [Fri Apr 18 13:32:21.367171 2014] [proxy:error] [pid 29185:tid
> 139735912711936] (111)Connection refused: AH00957: FCGI: attempt to
> connect to 127.0.0.1:8000 (*) failed
> [Fri Apr 18 13:32:21.367226 2014] [proxy_fcgi:error] [pid 29185:tid
> 139735912711936] [client 10.0.3.64:35267] AH01079: failed to make
> connection to backend: 127.0.0.1
> 
> What makes proxy_fcgi break is the ending $1. Without it no error is
> reported by Apache.
> However the backend server will receive the full path, a GET
> /alias/info.php request.
> 
> 
> 2) Contrary to what is stated in the ProxyPassMatch documentation[1]
> it seems that you can NOT use mod rewrite to do more advanced stuff.
> At least not in an obvious way, something like this will not work:
> 
> RewriteRule ^/alias(.*\.php)$
> unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1$1
> [P,NE]
> 
> because it gets actually rewritten as:
> 
> http://domain/unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1/info.php
> 
> 
> 3) Also you can not use a Location block to limit the effect of a
> RewriteRule+ProxyPassMatch, i.e.
> 
> 
>RewriteRule $1 [L,PT]
>ProxyPassMatch
> unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1/
> 
> 
> According to the documentation RewriteRules have no effect inside a
> Location block, but still is syntactically correct :).
> 
> 
> 
> [1] http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch
> 
> 
> -- 
> Marc
> 





Re: [users@httpd] Re: ProxyPassMatch with Unix sockets

2014-04-18 Thread Marc Aymerich
On Fri, Apr 18, 2014 at 2:48 AM, Igor Cicimov  wrote:
>
> On 18/04/2014 10:43 AM, "Igor Cicimov"  wrote:
>>
>>
>> On 18/04/2014 8:25 AM, "Marc Aymerich"  wrote:
>> >
>> > On Thu, Apr 17, 2014 at 11:18 PM, Marc Aymerich 
>> > wrote:
>> > > On Wed, Apr 16, 2014 at 11:17 PM, Marc Aymerich 
>> > > wrote:
>> > >> Hi,
>> > >> I have a PHP-FPM web application that I want it to be accessed under
>> > >> "/alias/" path. I'm trying to configure ProxyPassMatch with Unix
>> > >> sockets but it doesn't work because it passes "/alias/" to the web
>> > >> app, but this path doesn't exist :(
>> > >>
>> > >> What I have so far is this:
>> > >>
>> > >> ProxyPassMatch ^/alias/(.*\.php(/.*)?)$ \
>> > >> unix:/var/run/user-fpm.sock|fcgi://localhost/home/user/webapps/app1/
>> > >
>> > >
>> > > I think I got something :)
>> > >
>> > > if you guys like to comment on the following solution it would be
>> > > great! (I'm kind of newbie)
>> > >
>> > > # Rewrite the URL before proxying
>> > > RewriteRule ^/alias(.*\.php)$ $1 [L,PT]
>> > >
>> > > ProxyPassMatch ^/?(.*\.php)$
>> > > unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1/
>> > >
>> > > # Create an alias for app1 static content
>> > > Alias /alias /home/user/webapps/app1/
>> >
>> >
>> > Well, actually this doesn't solve my original problem which is having
>> > two different php-fpm apps under the same VirtualHost.
>> >
>> > Based on the previous directives I kind of expected something like the
>> > following to work:
>> >
>> > 
>> > RewriteRule $1 [L,PT]
>> > ProxyPassMatch
>> > unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1/
>> > 
>> >
>> > 
>> > RewriteRule $1 [L,PT]
>> > ProxyPassMatch
>> > unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app2/
>> > 
>> >
>> >
>> > But it doesn't, the RewriteRule seems to be totally ignored inside a
>> > LocationMatch no matter what I put there.
>> >
>> Did you read
>> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassmatch
>>
> And
> http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule
> Pay attention to the Context which explains where the directive should be
> used.


Thanks Igor for pointing out these documents.

I've read them carefully this morning and done some more tests, none
of them worked as I wanted to.

I have concluded that it is not possible to have multiple fcgi socket
apps on the same VirtualHost using mod proxy.

At least not by using the functionality available on current stable 2.4.9.

But I'd love someone to prove me wrong :)



Here is the summary of the 3 ways I've tried:

1) The first thing is trying to pass the matched part of a URL using
ProxyPassMatch.

But the obvious way of doing this doesn't work:

ProxyPassMatch ^/alias(.*\.php)$
unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1/$1

[Fri Apr 18 13:32:21.367171 2014] [proxy:error] [pid 29185:tid
139735912711936] (111)Connection refused: AH00957: FCGI: attempt to
connect to 127.0.0.1:8000 (*) failed
[Fri Apr 18 13:32:21.367226 2014] [proxy_fcgi:error] [pid 29185:tid
139735912711936] [client 10.0.3.64:35267] AH01079: failed to make
connection to backend: 127.0.0.1

What makes proxy_fcgi break is the ending $1. Without it no error is
reported by Apache.
However the backend server will receive the full path, a GET
/alias/info.php request.


2) Contrary to what is stated in the ProxyPassMatch documentation[1]
it seems that you can NOT use mod rewrite to do more advanced stuff.
At least not in an obvious way, something like this will not work:

RewriteRule ^/alias(.*\.php)$
unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1$1
[P,NE]

because it gets actually rewritten as:

http://domain/unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1/info.php


3) Also you can not use a Location block to limit the effect of a
RewriteRule+ProxyPassMatch, i.e.


RewriteRule $1 [L,PT]
ProxyPassMatch
unix:/var/run/user.sock|fcgi://127.0.0.1/home/user/webapps/app1/


According to the documentation RewriteRules have no effect inside a
Location block, but still is syntactically correct :).



[1] http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch


-- 
Marc
