Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, Jun 06, 2014 at 09:21:20AM -0500, Tom Browder wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH. However, when I run my sites against web site
> > analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
>
> Ping! Anyone?

The site that seems authoritative for testing SSL is https://www.ssllabs.com/ssltest/

--
David Benfell
See https://parts-unknown.org/node/2 if you don't understand the attachment.
Re: [users] Re: Basic Login as domain\username
On Fri, Jun 6, 2014 at 3:50 PM, Darly Senecal Baptiste wrote:
> What about in apache 2.2.3?

I don't think so. I think you'd need to write a small module to strip (or add?) that prefix

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users] Re: Basic Login as domain\username
What about in apache 2.2.3?

On Fri, Jun 6, 2014 at 3:40 PM, Eric Covener wrote:
> On Fri, Jun 6, 2014 at 3:38 PM, Darly Senecal Baptiste wrote:
> > Hi Community :
> >
> > Let's forget about NTLM module. It is a way to perform a Rewrite username?
> > Like using mod_rewrite?
>
> 2.4's mod_authnz_ldap has specific stuff to alter the username
> specifically for this scenario.
Re: [users] Re: Basic Login as domain\username
On Fri, Jun 6, 2014 at 3:38 PM, Darly Senecal Baptiste wrote:
> Hi Community :
>
> Let's forget about NTLM module. It is a way to perform a Rewrite username?
> Like using mod_rewrite?

2.4's mod_authnz_ldap has specific stuff to alter the username specifically for this scenario.
[users] Re: Basic Login as domain\username
Hi Community :

Let's forget about NTLM module. It is a way to perform a Rewrite username? Like using mod_rewrite?

Thanks

On Thu, Jun 5, 2014 at 4:26 PM, Darly Senecal Baptiste wrote:
> Hi Community:
>
> I had implemented a git repository server and its authentication is Basic
> (*AuthType Basic*). This type of authentication allows users to login with
> their username and password through the LDAP server.
>
> However, there are some service accounts (Thank you windows) that need to
> authenticate as domain\username. Looking on some forums, there are some
> settings that use the *AuthType NTLM*. My fear is that if I implement the
> NTLM for just a group of account, then the rest of the users will be forced
> (... and frustrated ...) to type domain\username.
>
> Is there a way in apache that allows service accounts to access as
> domain\username and other users to authenticate as username?
>
> Thanks
[users] Re: getting stuck
Oh one more thing that might be important. The current system is created by moving the hard drive from one machine to an identical (however with somewhat different plugged in Hw), as the first machine just went out and wouldn't boot at all. So having access to a second DellDimension5000 I just switched drive. On the first machine I didn't have really the same frequency of hiccup, there it was much longer periods between downtimes.

Hi,

I have a kind of problem. My computer running as Apache server under fedora/linux is getting stuck more or less regularly. It runs for around 2 days and then just does not respond, neither to internet nor to keyboard/mouse.

I do not know if it's the httpd or the linux/pc that goes into stall. I'm not so into linux that I know how to reach possible log files from previous session before re-boot (if there are any), or how to trigger generating such logs.

Any clues or hints

Kindly
Georg
[users] getting stuck
Hi,

I have a kind of problem. My computer running as Apache server under fedora/linux is getting stuck more or less regularly. It runs for around 2 days and then just does not respond, neither to internet nor to keyboard/mouse.

I do not know if it's the httpd or the linux/pc that goes into stall. I'm not so into linux that I know how to reach possible log files from previous session before re-boot (if there are any), or how to trigger generating such logs.

Any clues or hints

Kindly
Georg
Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, Jun 6, 2014 at 10:35 AM, Tom Browder wrote:
> On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick wrote:
>>> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder wrote:
>>> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
>>> > I haven't turned on compression because of all the warnings about
>>> > CRIME and BREACH. However, when I run my sites against web site
>>> > analyzers they always suggest turning on compression.
>>> >
>>> > So what is the consensus?
> ...
>> I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
>> some of your question. There's also an Apache-specific chapter of the big
>> book which I haven't looked at.
> Thanks, Jeff--I forgot about Ivan's book!

Actually, I also forgot about the Qualys site altogether! And I think this is the answer:

https://community.qualys.com/message/20404#20404

Note also the site has a wonderful (and free) SSL/TLS checker I have used a lot in the past:

https://www.ssllabs.com/ssltest/

Best,

-Tom
Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick wrote:
>> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder wrote:
>> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
>> > I haven't turned on compression because of all the warnings about
>> > CRIME and BREACH. However, when I run my sites against web site
>> > analyzers they always suggest turning on compression.
>> >
>> > So what is the consensus?
...
> I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
> some of your question. There's also an Apache-specific chapter of the big
> book which I haven't looked at.

Thanks, Jeff--I forgot about Ivan's book!

Best regards,

-Tom
Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, Jun 6, 2014 at 10:21 AM, Tom Browder wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH. However, when I run my sites against web site
> > analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
>
> Ping! Anyone?

I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses some of your question. There's also an Apache-specific chapter of the big book which I haven't looked at.

See http://blog.ivanristic.com/2014/05/bulletproof-update-may-deployment-and-performance.html

> -Tom

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, 2014-06-06 at 09:21 -0500, Tom Browder wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH. However, when I run my sites against web site
> > analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
>
> Ping! Anyone?
>
> -Tom

sorry I have no idea.
[users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder wrote:
> I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> I haven't turned on compression because of all the warnings about
> CRIME and BREACH. However, when I run my sites against web site
> analyzers they always suggest turning on compression.
>
> So what is the consensus?

Ping! Anyone?

-Tom
Re: [users] Apache2 Trying to retrieve at least an index but Forbidden
same configuration /etc/apache2 in new virtual machine works in the old one continue to not working.
Please HELP!!!

On Fri, Jun 6, 2014 at 11:07 AM, Luigi Cirillo wrote:
> No idea? very strange I will create another virtual machine with
> default conf. If it works I will diff the conf files and I let you
> know.
> A question there a way to get verbose infos about why Apache return
> "Forbidden"? I tried to set all logs to debug level but I got unuseful
> infos about the module wsgi.
>
> On Thu, Jun 5, 2014 at 6:38 PM, Luigi Cirillo wrote:
>> Yes it is, in debian with the command "a2ensite" it create a link in
>> folder "site-enable" to the virtual host conf file in "site-available"
>>
>> On Thu, Jun 5, 2014 at 6:23 PM, Frederik Nosi wrote:
>>> Maybe your virtual host configuration file wasn't included from the main
>>> apache conf file. Not sure how it works on ubuntu though, maybe you should
>>> place it on a particular directory with a particular extension, eg. in
>>> RedHat you should put it in /etc/httpd/conf.d with a filename ending with
>>> .conf
>>>
>>> grep for Include in your conf dir in case.
>>>
>>> F
>>>
>>> On 06/05/2014 06:04 PM, Luigi Cirillo wrote:
>>>> Thank you Frederik,
>>>>
>>>> Accessing http://www.indextest.com/test1.html:
>>>> #
>>>> Not Found
>>>>
>>>> The requested URL /test1.html was not found on this server.
>>>>
>>>> Apache/2.2.22 (Debian) Server at www.indextest.com Port 80
>>>> ##
>>>>
>>>> I added also the default "it works!" index.html page and changed owner
>>>> to www-data, but accessing http://www.indextest.com/test1.htm:
>>>> ##
>>>> Forbidden
>>>>
>>>> You don't have permission to access / on this server.
>>>>
>>>> Apache/2.2.22 (Debian) Server at www.indextest.com Port 80
>>>> ##
>>>>
>>>> There is webmin installed I do not understand why but if I add the
>>>> index.htm file in /home/domain/public_html, it work.
>>>>
>>>> I checked the suexec module and it is the original.
>>>>
>>>> On Thu, Jun 5, 2014 at 5:29 PM, Frederik Nosi wrote:
>>>>> Try accessing it using this link. it should work:
>>>>>
>>>>> www.indextest.com/test1.html
>>>>>
>>>>> I think you're missing a index.html in your document root.
>>>>>
>>>>> Bye,
>>>>> F
>>>>>
>>>>> On 06/05/2014 05:05 PM, Luigi Cirillo wrote:
>>>>>> Hi, I have apache config problems:
>>>>>> #
>>>>>> Forbidden
>>>>>>
>>>>>> You don't have permission to access / on this server.
>>>>>> #
>>>>>>
>>>>>> I have apache on a virtual machine debian Wheezy on my laptop.
>>>>>>
>>>>>> I wrote this virtualhost file:
>>>>>> #
>>>>>>
>>>>>> ServerName indextest.com
>>>>>> DocumentRoot /var/www/index/
>>>>>> ServerAlias www.indextest.com
>>>>>>
>>>>>> Order deny,allow
>>>>>> Allow from all
>>>>>> Options Indexes FollowSymLinks
>>>>>>
>>>>>> ErrorLog ${APACHE_LOG_DIR}/error.log
>>>>>>
>>>>>> # Possible values include: debug, info, notice, warn, error, crit,
>>>>>> # alert, emerg.
>>>>>> LogLevel debug
>>>>>>
>>>>>> CustomLog ${APACHE_LOG_DIR}/access.log combined
>>>>>>
>>>>>> #
>>>>>>
>>>>>> I added the entry www.indextest.com in the hosts file of laptop host
>>>>>> (Debian Jessie).
>>>>>>
>>>>>> I tried to enable everything to let work the virtual host.
>>>>>>
>>>>>> /etc/apache2/apache.conf:
>>>>>> ###
>>>>>>
>>>>>> Order deny,allow
>>>>>> Allow from all
>>>>>> Options Indexes FollowSymLinks
>>>>>>
>>>>>> /etc/apache2/conf.d/security:
>>>>>> ###
>>>>>>
>>>>>> AllowOverride None
>>>>>> Order Deny,Allow
>>>>>> Allow from all
>>>>>>
>>>>>> ##
>>>>>>
>>>>>> ls -la /var/www/index:
>>>>>> ##
>>>>>> total 8
>>>>>> drwxr-xr-x  2 www-data www-data 4096 Jun  5 15:52 .
>>>>>> drwxr-xr-x 12 root     root     4096 Jun  5 15:34 ..
>>>>>> -rw-r--r--  1 www-data www-data    0 Jun  5 15:52 test1.html
>>>>>> -rw-r--r--  1 www-data www-data    0 Jun  5 15:52 test2.html
>>>>>> -rw-r--r--  1 www-data www-data    0 Jun  5 15:52 test3.html
>>>>>> #
>>>>>>
>>>>>> No selinux installed.
>>>>>> Nothing in error.log
>>>>>>
>>>>>> Any help? Thank you
Re: [users] Apache2 Trying to retrieve at least an index but Forbidden
No idea? very strange I will create another virtual machine with default conf. If it works I will diff the conf files and I let you know.
A question there a way to get verbose infos about why Apache return "Forbidden"? I tried to set all logs to debug level but I got unuseful infos about the module wsgi.

On Thu, Jun 5, 2014 at 6:38 PM, Luigi Cirillo wrote:
> Yes it is, in debian with the command "a2ensite" it create a link in
> folder "site-enable" to the virtual host conf file in "site-available"
>
> On Thu, Jun 5, 2014 at 6:23 PM, Frederik Nosi wrote:
>> Maybe your virtual host configuration file wasn't included from the main
>> apache conf file. Not sure how it works on ubuntu though, maybe you should
>> place it on a particular directory with a particular extension, eg. in
>> RedHat you should put it in /etc/httpd/conf.d with a filename ending with
>> .conf
>>
>> grep for Include in your conf dir in case.
>>
>> F
>>
>> On 06/05/2014 06:04 PM, Luigi Cirillo wrote:
>>> Thank you Frederik,
>>>
>>> Accessing http://www.indextest.com/test1.html:
>>> #
>>> Not Found
>>>
>>> The requested URL /test1.html was not found on this server.
>>>
>>> Apache/2.2.22 (Debian) Server at www.indextest.com Port 80
>>> ##
>>>
>>> I added also the default "it works!" index.html page and changed owner
>>> to www-data, but accessing http://www.indextest.com/test1.htm:
>>> ##
>>> Forbidden
>>>
>>> You don't have permission to access / on this server.
>>>
>>> Apache/2.2.22 (Debian) Server at www.indextest.com Port 80
>>> ##
>>>
>>> There is webmin installed I do not understand why but if I add the
>>> index.htm file in /home/domain/public_html, it work.
>>>
>>> I checked the suexec module and it is the original.
>>>
>>> On Thu, Jun 5, 2014 at 5:29 PM, Frederik Nosi wrote:
>>>> Try accessing it using this link. it should work:
>>>>
>>>> www.indextest.com/test1.html
>>>>
>>>> I think you're missing a index.html in your document root.
>>>>
>>>> Bye,
>>>> F
>>>>
>>>> On 06/05/2014 05:05 PM, Luigi Cirillo wrote:
>>>>> Hi, I have apache config problems:
>>>>> #
>>>>> Forbidden
>>>>>
>>>>> You don't have permission to access / on this server.
>>>>> #
>>>>>
>>>>> I have apache on a virtual machine debian Wheezy on my laptop.
>>>>>
>>>>> I wrote this virtualhost file:
>>>>> #
>>>>>
>>>>> ServerName indextest.com
>>>>> DocumentRoot /var/www/index/
>>>>> ServerAlias www.indextest.com
>>>>>
>>>>> Order deny,allow
>>>>> Allow from all
>>>>> Options Indexes FollowSymLinks
>>>>>
>>>>> ErrorLog ${APACHE_LOG_DIR}/error.log
>>>>>
>>>>> # Possible values include: debug, info, notice, warn, error, crit,
>>>>> # alert, emerg.
>>>>> LogLevel debug
>>>>>
>>>>> CustomLog ${APACHE_LOG_DIR}/access.log combined
>>>>>
>>>>> #
>>>>>
>>>>> I added the entry www.indextest.com in the hosts file of laptop host
>>>>> (Debian Jessie).
>>>>>
>>>>> I tried to enable everything to let work the virtual host.
>>>>>
>>>>> /etc/apache2/apache.conf:
>>>>> ###
>>>>>
>>>>> Order deny,allow
>>>>> Allow from all
>>>>> Options Indexes FollowSymLinks
>>>>>
>>>>> /etc/apache2/conf.d/security:
>>>>> ###
>>>>>
>>>>> AllowOverride None
>>>>> Order Deny,Allow
>>>>> Allow from all
>>>>>
>>>>> ##
>>>>>
>>>>> ls -la /var/www/index:
>>>>> ##
>>>>> total 8
>>>>> drwxr-xr-x  2 www-data www-data 4096 Jun  5 15:52 .
>>>>> drwxr-xr-x 12 root     root     4096 Jun  5 15:34 ..
>>>>> -rw-r--r--  1 www-data www-data    0 Jun  5 15:52 test1.html
>>>>> -rw-r--r--  1 www-data www-data    0 Jun  5 15:52 test2.html
>>>>> -rw-r--r--  1 www-data www-data    0 Jun  5 15:52 test3.html
>>>>> #
>>>>>
>>>>> No selinux installed.
>>>>> Nothing in error.log
>>>>>
>>>>> Any help? Thank you
Re: [users] Server-side include problem in Apache 2.4.9 <--#if expr
I solved this problem by not using server-side includes any more. Most of my site's pages were generated by programs anyway, so it wasn't a big task to have them all generated by programs, eliminating the need for SSI.

Roger