RE: [users@httpd] Use Allow from IP when there is a proxy exist?
Your .htaccess file:

    # ALLOW USER BY IP
    order deny,allow
    deny from all
    SetEnvIF X-Forwarded-For 1.2.3.4 AllowIP
    SetEnvIF X-Forwarded-For 5.6.7.8 AllowIP
    Allow from env=AllowIP
    allow from 1.2.3.4
    allow from 5.6.7.8

source: http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish

Looks sane to me although don't see the need for the last 2 allow since they are already included by the previous Allow from env=AllowIP. You can also use regexp like:

    SetEnvIF X-Forwarded-For 1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69] AllowIP

just as example.
Re: [users@httpd] Use Allow from IP when there is a proxy exist?
On Fri, Aug 8, 2014 at 9:23 AM, Igor Cicimov icici...@gmail.com wrote:

Your .htaccess file:

    # ALLOW USER BY IP
    order deny,allow
    deny from all
    SetEnvIF X-Forwarded-For 1.2.3.4 AllowIP
    SetEnvIF X-Forwarded-For 5.6.7.8 AllowIP
    Allow from env=AllowIP
    allow from 1.2.3.4
    allow from 5.6.7.8

source: http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish

Looks sane to me although don't see the need for the last 2 allow since they are already included by the previous Allow from env=AllowIP. You can also use regexp like:

    SetEnvIF X-Forwarded-For 1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69] AllowIP

Looks insane to me.

If squid is setting X-Forwarded-For and you trust squid, use mod_remoteip or mod_rpaf2 so that apache knows the real client address and will use it in authentication and logging.

Using string matching, or even worse, regexp matching on X-Forwarded-For is a mistake as it is error prone - you must specify your authentication as a string or regexp, not as its native type - and worse it is potentially malicious as squid does not scrub X-Forwarded-For, it appends to it, making your simple string match easily exploitable.

mod_remoteip and mod_rpaf both know about X-Forwarded-For, they allow you to specify which hosts you trust to add X-Forwarded-For, and they interpret the X-Forwarded-For correctly as an IP address, allowing you to specify your configuration in its natural form.

Cheers

Tom

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
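The difference between the two approaches in the message above, as an added example that is not part of the thread and not the code of mod_remoteip or mod_rpaf: it compares the text match from the quoted .htaccess with an allow list checked against a parsed address taken only from a trusted proxy. The proxy address 10.0.0.5, the function names and the sample requests are assumptions made for illustration.

```python
import ipaddress
import re

# Regex from the thread; SetEnvIf applies it as an unanchored search.
THREAD_PATTERN = re.compile(r"1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69]")
ALLOWED = [ipaddress.ip_network(n) for n in ("1.2.3.4/32", "5.6.7.8/32")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # assumed squid address


def header_match_allows(xff):
    """Decision of the quoted .htaccess: text match on the raw header."""
    return THREAD_PATTERN.search(xff or "") is not None


def effective_client(peer, xff):
    """Trust X-Forwarded-For only when the TCP peer is a trusted proxy, then
    walk its entries right to left until the first untrusted address."""
    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and any(addr in net for net in TRUSTED_PROXIES):
        try:
            addr = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: stay on the last verified address
    return addr


def address_match_allows(peer, xff):
    """Decision when the allow list is compared against a parsed address."""
    client = effective_client(peer, xff)
    return any(client in net for net in ALLOWED)


# Constructed requests: (TCP peer, X-Forwarded-For header as received).
SAMPLES = [
    ("10.0.0.5", "1.2.3.4"),                # allowed client via the proxy
    ("10.0.0.5", "1.2.3.4, 203.0.113.9"),   # proxy appended the real client
    ("10.0.0.5", "11.2.3.45"),              # different address, same substring
    ("198.51.100.7", "1.2.3.4"),            # direct connection, not the proxy
]


def compare():
    return [(header_match_allows(x), address_match_allows(p, x)) for p, x in SAMPLES]


if __name__ == "__main__":
    for (peer, xff), (by_text, by_addr) in zip(SAMPLES, compare()):
        print(f"peer={peer:<13} xff={xff!r:<24} text={by_text} address={by_addr}")
```

Only the first sample should be allowed; the text match accepts all four, which is the error-prone behaviour the message describes.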
[users@httpd] Rewrite and automount question
We have experimented with using Rewrite to replace /~someuser with /someuser However there is a problem with systems using automounter in the case of an http request for a non-existing http://someserver.com/someuser Anyone have a way to implement the above without doing undesired automount attempts of a non-existent someuser? Thanks
Re: [users@httpd] Windows Apache 2.4.9 restarts itself
On Thu, Aug 7, 2014 at 9:45 AM, Agnetta Kamugisha kamugis...@nccommunitycolleges.edu wrote:

Jeff, Check this link. We had to implement this workaround.

https://www.apachelounge.com/viewtopic.php?t=6037

FWIW, AH00344 after AH00356 shouldn't be interesting. The listening socket got closed as part of shutting down after the original problem. I hope to improve logging of that in the shutdown scenario so that people don't worry about that.

This netsh winsock reset hint is interesting. With the report we have on 2.4.10, which tells us which handle goes bad (thus triggering AH00356), the bad handle is a rather generic handle. (CreateEvent(NULL, TRUE, FALSE, NULL);)

When, or how often, do you need to use netsh winsock reset?

Please confirm that you were seeing AH00356 without netsh winsock reset. (I can imagine that there are situations with third-party winsock layers where netsh winsock reset helps with the AH00344 error which doesn't come right after the AH00356 error.)

Thanks!
Re: [users@httpd] Use Allow from IP when there is a proxy exist?
On 08/08/2014 11:21 PM, Tom Evans tevans...@googlemail.com wrote:

On Fri, Aug 8, 2014 at 9:23 AM, Igor Cicimov icici...@gmail.com wrote:

Your .htaccess file:

    # ALLOW USER BY IP
    order deny,allow
    deny from all
    SetEnvIF X-Forwarded-For 1.2.3.4 AllowIP
    SetEnvIF X-Forwarded-For 5.6.7.8 AllowIP
    Allow from env=AllowIP
    allow from 1.2.3.4
    allow from 5.6.7.8

source: http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish

Looks sane to me although don't see the need for the last 2 allow since they are already included by the previous Allow from env=AllowIP. You can also use regexp like:

    SetEnvIF X-Forwarded-For 1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69] AllowIP

Looks insane to me.

If squid is setting X-Forwarded-For and you trust squid, use mod_remoteip or mod_rpaf2 so that apache knows the real client address and will use it in authentication and logging.

Using string matching, or even worse, regexp matching on X-Forwarded-For is a mistake as it is error prone - you must specify your authentication as a string or regexp, not as its native type - and worse it is potentially malicious as squid does not scrub X-Forwarded-For, it appends to it, making your simple string match easily exploitable.

Not if you use forward-for truncate

mod_remoteip and mod_rpaf both know about X-Forwarded-For, they allow you to specify which hosts you trust to add X-Forwarded-For, and they interpret the X-Forwarded-For correctly as an IP address, allowing you to specify your configuration in its natural form.

Cheers

Tom
[users@httpd] Apache.org server-status
Looking at the apache.org server-status I do not see any of these … OPTIONS * HTTP/1.0 In the Request column While I see quite a few in ours. Why does apache.org not have any of these entries? thanks
Re: [users@httpd] Apache.org server-status
On Fri, Aug 8, 2014 at 10:56 AM, Rose, John B jbr...@utk.edu wrote:

Looking at the apache.org server-status I do not see any of these …

OPTIONS * HTTP/1.0

In the Request column

While I see quite a few in ours. Why does apache.org not have any of these entries?

thanks

You're using prefork MPM and your configuration (MinSpareServers/MaxSpareServers/etc.) results in child processes being created and destroyed on a somewhat regular basis? The prefork MPM will wake up processes with an OPTIONS request as part of process management.

apache.org runs the event MPM.

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
[users@httpd] Re: Rewrite and automount question
mod_userdir does not seem to cause superfluous automounter attempts when an http request to a non-existent web address, http://website.com/~someuser, is received

Is there some way to implement that mechanism with http://website.com/someuser http requests for a nonexistent someuser?

From: Rose, John Rose jbr...@utk.edu
Date: Friday, August 8, 2014 9:51 AM
To: users@httpd.apache.org
Subject: Rewrite and automount question

We have experimented with using Rewrite to replace /~someuser with /someuser

However there is a problem with systems using automounter in the case of an http request for a non-existing http://someserver.com/someuser

Anyone have a way to implement the above without doing undesired automount attempts of a non-existent someuser?

Thanks
Re: [users@httpd] Re: Rewrite and automount question
On 08/08/2014 11:59 AM, Rose, John B wrote:

mod_userdir does not seem to cause superfluous automounter attempts when an http request to a non-existent web address, http://website.com/~someuser, is received

Is there some way to implement that mechanism with http://website.com/someuser http requests for a nonexistent someuser?

What's automounter? Is that some process that mounts a user's home directory on a remote share or something?

I suppose you could query a list of valid users on server startup, and use that (via mod_macro or something?) to generate a list of Alias directives? Or possibly use a RewriteMap to do the same thing based on a list of users, although RewriteMap can be a bit of a performance bottleneck.

--Rich

From: Rose, John Rose jbr...@utk.edu
Date: Friday, August 8, 2014 9:51 AM
To: users@httpd.apache.org
Subject: Rewrite and automount question

We have experimented with using Rewrite to replace /~someuser with /someuser

However there is a problem with systems using automounter in the case of an http request for a non-existing http://someserver.com/someuser

Anyone have a way to implement the above without doing undesired automount attempts of a non-existent someuser?

Thanks

--
Rich Bowen - rbo...@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon
Re: [users@httpd] ApacheCon CFP closes June 25
On 08/06/2014 01:18 PM, J.Lance Wilkinson wrote:

Rich Bowen wrote:

On 06/16/2014 11:06 AM, J.Lance Wilkinson wrote:

...snip...

Those of us at edu sites sometimes need to put in for travel/training funding as much as a year in advance, and my own institution's budgeting process cuts off June 30th for the Fiscal Year 2014-2015.

...snip...

ACNA 2015 will be in roughly the same timeframe as ACNA 2014 was (ie, April) and we're currently working on locations. I'll be announcing dates and location at ACEU, at the very latest. Hopefully well before then.

Anything firmer yet besides roughly April 2015 for those of us who desperately need to put in for funding?

I should have a firm answer to this (which will be announced on this list, among other places) within the next week, or two at most.

--
Rich Bowen - rbo...@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon
Re: [users@httpd] Order of application of sites-enabled configs
On 08/07/2014 05:16 PM, M Busche wrote:

Frank,

I don't think you understood what I was trying to say. My complaint was that in the pre-packaged configuration made with the ubuntu distribution, the default vhost configuration is placed in a file prefixed with the string 000 which causes it to be loaded first. I renamed it to have a prefix 999, so that it was loaded (and processed) last.

Note that 999 still comes before abc, so you might consider zzz instead of 999 in order to avoid the same surprise later.

I think we are in complete agreement. My original query was to find out whether there was something I was confused about, or alternatively an explanation as to why-on-earth the people who put together the ubuntu distribution would set things up that way.

The short answer is that Debian did this in order to make it easier to do stuff from the command line with the various utilities that they ship with their Apache httpd packages.

The longer answer has to do with how good ideas mutate into complicated systems over the decades.

--
Rich Bowen - rbo...@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon
Re: [users@httpd] Re: Rewrite and automount question
What's automounter? Is that some process that mounts a user's home directory on a remote share or something?

Yes. But only when it is requested. I.e. When you login via ssh, or access a web site via http whose content is in the remote filesystem, etc. You may refer to it as autofs.

From: Rich Bowen rbo...@rcbowen.com
Reply-To: users@httpd.apache.org
Date: Friday, August 8, 2014 3:24 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Re: Rewrite and automount question

On 08/08/2014 11:59 AM, Rose, John B wrote:

mod_userdir does not seem to cause superfluous automounter attempts when an http request to a non-existent web address, http://website.com/~someuser, is received

Is there some way to implement that mechanism with http://website.com/someuser http requests for a nonexistent someuser?

What's automounter? Is that some process that mounts a user's home directory on a remote share or something?

I suppose you could query a list of valid users on server startup, and use that (via mod_macro or something?) to generate a list of Alias directives? Or possibly use a RewriteMap to do the same thing based on a list of users, although RewriteMap can be a bit of a performance bottleneck.

--Rich

From: Rose, John Rose jbr...@utk.edu
Date: Friday, August 8, 2014 9:51 AM
To: users@httpd.apache.org
Subject: Rewrite and automount question

We have experimented with using Rewrite to replace /~someuser with /someuser

However there is a problem with systems using automounter in the case of an http request for a non-existing http://someserver.com/someuser

Anyone have a way to implement the above without doing undesired automount attempts of a non-existent someuser?

Thanks

--
Rich Bowen - rbo...@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon
[users@httpd] How to forbid browsers to cache some pages?
How to configure Apache to want to forbid browsers from caching all web pages in www1.example.com/public and in www1.example.com/books so every time I ask the browser about any page it brings it from source.

but I want it to cache the pages under: www1.example.com?
Re: [users@httpd] Rewrite and automount question
On 8 Aug 2014, at 14:51, Rose, John B wrote:

We have experimented with using Rewrite to replace /~someuser with /someuser

How very 1997.

However there is a problem with systems using automounter in the case of an http request for a non-existing http://someserver.com/someuser

That's your filesystem. Apache has no knowledge of whether a directory exists until it performs a lookup. And it's the lookup that triggers the automount. Check your NFS options.

Using NFS with apache - or anywhere exposed to the public 'net - is not encouraged. Not good for either security or performance.

Anyone have a way to implement the above without doing undesired automount attempts of a non-existent someuser?

Most simply, make sure AllowOverride is set to None. You could also see if mod_cache helps, and if it doesn't then you've diagnosed a major inefficiency in your server. But mod_cache will only reduce, not eliminate, NFS accesses.

--
Nick Kew
Re: [users@httpd] Windows Apache 2.4.9 restarts itself
On Fri, Aug 8, 2014 at 10:21 AM, Jeff Trawick traw...@gmail.com wrote:

On Thu, Aug 7, 2014 at 9:45 AM, Agnetta Kamugisha kamugis...@nccommunitycolleges.edu wrote:

Jeff, Check this link. We had to implement this workaround.

https://www.apachelounge.com/viewtopic.php?t=6037

FWIW, AH00344 after AH00356 shouldn't be interesting. The listening socket got closed as part of shutting down after the original problem. I hope to improve logging of that in the shutdown scenario so that people don't worry about that.

This netsh winsock reset hint is interesting. With the report we have on 2.4.10, which tells us which handle goes bad (thus triggering AH00356), the bad handle is a rather generic handle. (CreateEvent(NULL, TRUE, FALSE, NULL);)

When, or how often, do you need to use netsh winsock reset?

Uhh, for those trying this, be aware that after doing that it says to restart the computer ;)

Please confirm that you were seeing AH00356 without netsh winsock reset. (I can imagine that there are situations with third-party winsock layers where netsh winsock reset helps with the AH00344 error which doesn't come right after the AH00356 error.)

Thanks!

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [users@httpd] How to forbid browsers to cache some pages?
I thought there was a META ... Tag in HTML, something like NO-CACHE. Whether the browsers respect it, is another question...

suomi

On 2014-08-08 23:11, Mark jensen wrote:

How to configure Apache to want to forbid browsers from caching all web pages in www1.example.com/public and in www1.example.com/books so every time I ask the browser about any page it brings it from source.

but I want it to cache the pages under: www1.example.com?