Re: [users@httpd] HOW TO APPLY TOMCAT UPGRADE

2015-06-09 Thread Yehuda Katz
On Tue, Jun 9, 2015 at 2:45 PM, Salami Kehinde Rasheed <
kennysal...@gmail.com> wrote:

> I need step-by-step to make apache-httpd-upgrade-2_2_29, what to download
> and how to apply this on production environment (Windows Server 2008 and
> 2012R2)
>
> I want to close *Apache HTTPD: mod_status buffer overflow (CVE-2014-0226)*
> vulnerability,
> I want to close *Apache HTTPD: insecure LD_LIBRARY_PATH handling
> (CVE-2012-0883)* Vulnerability
>
> I got advice to upgrade to 2.2.29 of httpd and I am running on Windows
> server machine... Kindly assist on how I can handle this without
> causing disruption on this operation.
>

This depends greatly on where your current distribution of HTTPD is from.
Did you build it yourself or did you download binaries from a website and
if so, which site?

How is HTTPD set up on your current system? Does it run as a service? What
is the path to the executables and libraries?
Are you using any non-standard modules?

You should obtain the new version from the same place you obtained the old
version from.
I would make a backup copy of the entire HTTPD directory and then just
overwrite all the files except the configuration with the new files you
downloaded.

That is probably as detailed as you can get without more information about
your current environment.

- Y


Re: [users@httpd] Apache24 restrict director access by IP

2015-06-09 Thread Motty Cruz

Thanks for your support;
I changed my code to this:

Require all denied
Require ip 192.168.1.65



now is working fine.

Thanks,
Motty


On 06/09/2015 02:27 PM, Richard wrote:


 Original Message 

Date: Tuesday, June 09, 2015 09:18:02 PM +
From: Richard 




Date: Tuesday, June 09, 2015 02:11:55 PM -0700
From: Motty Cruz 

Hello,
I am trying to restrict access to joomla Administrator directory
by IP:
# defense against brute force attacks

  order deny,allow
  Deny from all
  Require ip 192.168.1.65


this code on httpd.conf is not stopping me from logging onto
www.site.com/administrator
any ideas?
I used this
http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html

Thanks
Motty


What you are showing are apache 2.2 access control directives.
These changed with 2.4, so if you are using 2.4, as implied by your
subject line, see the "Run-Time Configuration Changes" section of:

   



Apologies (overlooked part of your directives) -- You have a mix of
2.2 and 2.4 directives. The "order" directives are 2.2, while
"require" are 2.4, so I suspect your directives aren't being parsed
correctly by your 2.4 environment. I think things are clearer in the
"upgrading" document than the one you referenced.





-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org







Re: [users@httpd] Apache24 restrict director access by IP

2015-06-09 Thread Richard


 Original Message 
> Date: Tuesday, June 09, 2015 09:18:02 PM +
> From: Richard 
>
> 
> 
>> Date: Tuesday, June 09, 2015 02:11:55 PM -0700
>> From: Motty Cruz 
>> 
>> Hello,
>> I am trying to restrict access to joomla Administrator directory
>> by IP:
>># defense against brute force attacks
>> 
>>  order deny,allow
>>  Deny from all
>>  Require ip 192.168.1.65
>> 
>> 
>> this code on httpd.conf is not stopping me from logging onto
>> www.site.com/administrator
>> any ideas?
>> I used this
>> http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html
>> 
>> Thanks
>> Motty
>> 
> 
> What you are showing are apache 2.2 access control directives.
> These changed with 2.4, so if you are using 2.4, as implied by your
> subject line, see the "Run-Time Configuration Changes" section of:
> 
>   
> 
> 

Apologies (overlooked part of your directives) -- You have a mix of
2.2 and 2.4 directives. The "order" directives are 2.2, while
"require" are 2.4, so I suspect your directives aren't being parsed
correctly by your 2.4 environment. I think things are clearer in the
"upgrading" document than the one you referenced.

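Richard's point above is that a single container cannot carry both the 2.2 access-control vocabulary (Order / Deny from / Allow from, which 2.4 only understands through mod_access_compat) and the 2.4 vocabulary (Require ...). The following lint is an added example, not code from the thread or from the httpd project: it parses the containers out of a configuration string and flags any block that mixes the two families, and the sample inputs (constructed, with a made-up Joomla administrator path) show the mixed block beside the 2.4-only form, where a lone `Require ip` is all that is needed.

```python
import re

# 2.2-era access control (served by mod_access_compat when that module is loaded in 2.4)
LEGACY = {"order", "allow", "deny"}
# 2.4 access control (mod_authz_core)
MODERN = {"require", "requireall", "requireany", "requirenone"}

ACCESS_CONTAINERS = {"directory", "directorymatch", "location", "locationmatch",
                     "files", "filesmatch"}
REQUIRE_CONTAINERS = {"requireall", "requireany", "requirenone"}

OPEN_RE = re.compile(r"^<(\w+)(?:\s+([^>]*))?>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def parse_blocks(conf_text):
    """Return (container, argument, [directive names]) for every access container.

    Nested <RequireAny>/<RequireAll>/<IfModule> contents are folded into the
    enclosing container so the lint sees every directive that applies to it.
    """
    blocks, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append([m.group(1).lower(), (m.group(2) or "").strip(), []])
            continue
        if CLOSE_RE.match(line):
            if not stack:
                raise ValueError(f"unexpected closing tag: {line}")
            name, arg, names = stack.pop()
            if name in ACCESS_CONTAINERS:
                blocks.append((name, arg, names))
            elif stack:
                if name in REQUIRE_CONTAINERS:
                    stack[-1][2].append(name)
                stack[-1][2].extend(names)
            continue
        if stack:
            stack[-1][2].append(line.split()[0].lower())
    if stack:
        raise ValueError(f"unclosed container: <{stack[-1][0]}>")
    return blocks


def find_mixed_blocks(conf_text):
    """Describe each container that combines 2.2 and 2.4 access-control directives."""
    problems = []
    for name, arg, names in parse_blocks(conf_text):
        used = set(names)
        legacy, modern = sorted(used & LEGACY), sorted(used & MODERN)
        if legacy and modern:
            problems.append(
                f"<{name} {arg}> mixes 2.2 directives {legacy} with 2.4 directives {modern}")
    return problems


# Constructed sample: the mix from the thread; the path is made up for the example.
MIXED_CONF = """
# defense against brute force attacks
<Directory "/var/www/html/administrator">
    Order deny,allow
    Deny from all
    Require ip 192.168.1.65
</Directory>
"""

# 2.4-only form: a lone Require is enough, no Order/Deny lines at all.
CLEAN_CONF = """
<Directory "/var/www/html/administrator">
    Require ip 192.168.1.65
</Directory>
"""

# 2.2-only form (accepted by mod_access_compat in 2.4); consistent, so not flagged.
LEGACY_CONF = """
<Directory "/var/www/html/administrator">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.65
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("mixed", MIXED_CONF), ("2.4 only", CLEAN_CONF), ("2.2 only", LEGACY_CONF)):
        print(f"{label}: {find_mixed_blocks(conf) or 'ok'}")
```

Run it over a real httpd.conf with `find_mixed_blocks(open(path).read())`; the parser only understands the container syntax, so keep `apachectl configtest` as the authority on whether the file loads at all.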







Re: [users@httpd] Apache24 restrict director access by IP

2015-06-09 Thread Motty Cruz

Thanks,

seems to be blocking me when accessing from a different IP now:
here is the code I am using:
# defense against brute force attacks

order deny,allow
Deny from all
allow from 192.168.1.65


yes! I am using Apache 2.4 version.


On 06/09/2015 02:18 PM, Richard wrote:



Date: Tuesday, June 09, 2015 02:11:55 PM -0700
From: Motty Cruz 

Hello,
I am trying to restrict access to joomla Administrator directory
by IP:
# defense against brute force attacks

  order deny,allow
  Deny from all
  Require ip 192.168.1.65


this code on httpd.conf is not stopping me from logging onto
www.site.com/administrator
any ideas?
I used this
http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html

Thanks
Motty


What you are showing are apache 2.2 access control directives. These
changed with 2.4, so if you are using 2.4, as implied by your
subject line, see the "Run-Time Configuration Changes" section of:

   










Re: [users@httpd] Apache24 restrict director access by IP

2015-06-09 Thread Richard


> Date: Tuesday, June 09, 2015 02:11:55 PM -0700
> From: Motty Cruz 
>
> Hello,
> I am trying to restrict access to joomla Administrator directory
> by IP:
># defense against brute force attacks
> 
>  order deny,allow
>  Deny from all
>  Require ip 192.168.1.65
> 
> 
> this code on httpd.conf is not stopping me from logging onto
> www.site.com/administrator
> any ideas?
> I used this
> http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html
> 
> Thanks
> Motty
>

What you are showing are apache 2.2 access control directives. These
changed with 2.4, so if you are using 2.4, as implied by your
subject line, see the "Run-Time Configuration Changes" section of:

  






[users@httpd] Apache24 restrict director access by IP

2015-06-09 Thread Motty Cruz

Hello,
I am trying to restrict access to joomla Administrator directory by IP:
# defense against brute force attacks

order deny,allow
Deny from all
Require ip 192.168.1.65


this code on httpd.conf is not stopping me from logging onto 
www.site.com/administrator

any ideas?
I used this http://httpd.apache.org/docs/2.4/en/mod/mod_authz_host.html

Thanks
Motty




Re: [users@httpd] HOW TO APPLY TOMCAT UPGRADE

2015-06-09 Thread Salami Kehinde Rasheed
Hello Jeff,

I need step-by-step to make apache-httpd-upgrade-2_2_29, what to download
and how to apply this on production environment (Windows Server 2008 and
2012R2)

I want to close *Apache HTTPD: mod_status buffer overflow (CVE-2014-0226)*
vulnerability,
I want to close *Apache HTTPD: insecure LD_LIBRARY_PATH handling
(CVE-2012-0883)* Vulnerability

I got advice to upgrade to 2.2.29 of httpd and I am running on Windows
server machine... Kindly assist on how I can handle this without
causing disruption on this operation.

I need your response

On Tue, Jun 9, 2015 at 5:36 PM, Jeff Trawick  wrote:

> On Tue, Jun 9, 2015 at 11:41 AM, Salami Kehinde Rasheed <
> kennysal...@gmail.com> wrote:
>
>> I need step-by-step to upgrade to apache v7.0.40, what to download and
>> how to apply this on production environment.
>>
>> *SALAMI KEHINDE R*
>>
>>
>>
> This is the wrong mailing list; this list is for supporting Apache HTTP
> Server, not Apache Tomcat.
>
> Look here: http://tomcat.apache.org/lists.html
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>
>


-- 

*SALAMI KEHINDE R*

*+234-8056511120*


[users@httpd] mod_fcgid tmp dir issue

2015-06-09 Thread 5 Diamond Info
When using Sugar CRM under mod-fcgid, we encounter a problem after a few days 
of running. The error logged by httpd is:

[Tue Jun 09 09:32:33.423239 2015] [fcgid:warn] [pid 5202:tid 140367450076928] 
(20014)Internal error: [client 75.147.140.126:5] mod_fcgid: can't get tmp 
dir, referer: 
http://crm.ourdomain.com/index.php?module=Accounts&action=DetailView&record=7c77ce81-a854-7b8e-65d0-52fd384deacq

So, when this occurs, it keeps occurring forever until we restart httpd. It 
will then work for 2-5 days, and, then happen again. Once it starts happening, 
all users are affected, same mod_fcgid process or not. Only a restart of httpd 
seems to matter to clear it.

This appears to be triggered in the mod_fcgid code:

  rv = apr_temp_dir_get(&tempdir, r->pool);
  if (rv != APR_SUCCESS) {
      ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r,
                    "mod_fcgid: can't get tmp dir");
      return HTTP_INTERNAL_SERVER_ERROR;
  }

A df -h shows:

Filesystem Size  Used Avail Use% Mounted on
/dev/mapper/VGLSI-root  30G  6.7G   23G  23% /
devtmpfs32G 0   32G   0% /dev
tmpfs   32G 0   32G   0% /dev/shm
tmpfs   32G   50M   32G   1% /run
tmpfs   32G 0   32G   0% /sys/fs/cgroup
/dev/sda2  497M  207M  290M  42% /boot
/dev/mapper/VGLSI-solr  63G   11G   53G  17% /solr
/dev/mapper/VGLSI-backups   50G  245M   50G   1% /backups
/dev/mapper/VGLSI-home 1.5T  944G  521G  65% /home
/dev/mapper/VGLSI-var  489G  184G  305G  38% /var

Apache status shows:
mod_fcgid status:

Total FastCGI processes: 3
Process: php5.fcgi  (/home/crm/fcgi-bin/php5.fcgi)
Pid Active  IdleAccessesState
11573   217460  79  Ready
11574   217449  72  Ready
10713   290012  165 Ready

/tmp used to be on its own filesystem, on the off chance that has an effect, we 
removed it to use root filesystem. No impact. Even if at the instant in time 
the root filesystem was full, and it isn’t, it happens forever until we restart 
Apache. Once it starts, all Sugar file uploads fail. 

I know that mod_fcgid obtains its temp dir when a file is larger than some 
threshold, a value set. Ours is default value, whatever that is. I am not sure 
where this can be tuned, anyone know? Is it perhaps FcgidMaxRequestInMem? What 
is the impact to the system if I change this to say 100MB? Will each process 
consume that much more memory, or, is the memory freed? If I can increase it to 
larger than anyone ever uploads, seems like I might avoid the problem as long 
as I don’t lose all the memory permanently so to speak.

Here’s our mod_fcgid config:

FcgidIPCDir /run/mod_fcgid
FcgidProcessTableFile /run/mod_fcgid/fcgid_shm
FcgidMaxRequestsPerProcess 500
FcgidMaxProcesses 100
FcgidMinProcessesPerClass 0
FcgidIOTimeout 121
FcgidIdleTimeout 600
FcgidErrorScanInterval 10
FcgidFixPathinfo 1

mod_fcgid version is Centos 7 standard 2.3.9 with Apache 2.4.6 as we use the 
standard repository. The application used to be running on Centos 6 without 
issue. That uses Apache 2.2.15 and mod_fcgid 2.3.7

Steve
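The warning above fires when apr_temp_dir_get() finds no directory it can actually create a file in, so the useful check is to repeat that probe under the same conditions httpd runs in. The script below is an added diagnostic, not code from mod_fcgid or APR: it walks the candidate list in the order I read in APR's tempdir.c ($TMP, $TEMP, $TMPDIR, then /tmp, /var/tmp, /usr/tmp, then the working directory; treat that order as an assumption) and reports which candidates pass a create-write-delete test. The threshold Steve asks about is FcgidMaxRequestInMem: request bodies larger than it are spooled to a file in the temp dir, which is why large uploads are the first thing to fail.

```python
import os
import tempfile

# Probe order as I read it in APR's tempdir.c (an assumption, see the lead-in).
CANDIDATE_ENV = ("TMP", "TEMP", "TMPDIR")
CANDIDATE_DIRS = ("/tmp", "/var/tmp", "/usr/tmp")


def candidate_dirs(environ=None, cwd=None):
    """List the directories in the order the probe tries them."""
    env = os.environ if environ is None else environ
    found = [env[v] for v in CANDIDATE_ENV if env.get(v)]
    found.extend(CANDIDATE_DIRS)
    found.append(os.getcwd() if cwd is None else cwd)
    return found


def probe_dir(path):
    """True only if a file can be created, written and removed in path.

    Existence is not enough: APR creates a real temp file, so a directory that
    is present but not writable by the httpd user, or hidden behind a private
    /tmp mount, fails here just as it does inside httpd.
    """
    if not os.path.isdir(path):
        return False
    try:
        fd, name = tempfile.mkstemp(prefix="tmpdir-probe-", dir=path)
    except OSError:
        return False
    try:
        os.write(fd, b"probe")
        return True
    except OSError:
        return False
    finally:
        os.close(fd)
        os.unlink(name)


def probe_all(environ=None, cwd=None):
    """Return [(candidate, usable)] for every candidate, for a diagnostic report."""
    return [(d, probe_dir(d)) for d in candidate_dirs(environ, cwd)]


def find_temp_dir(environ=None, cwd=None):
    """First usable candidate, or None: None is exactly the case mod_fcgid logs."""
    for d, ok in probe_all(environ, cwd):
        if ok:
            return d
    return None


if __name__ == "__main__":
    for d, ok in probe_all():
        print(f"{'usable' if ok else 'FAILED'}  {d}")
    print("first usable temp dir:", find_temp_dir())
```

Run it as the account httpd runs under (apache on CentOS) rather than as root, and with the service's environment: a root shell that can write /tmp proves nothing about the worker. If the systemd unit sets PrivateTmp=true, the /tmp the service sees is a separate mount from the one in your shell, so check the probe from inside that context too.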



Re: [users@httpd] HOW TO APPLY TOMCAT UPGRADE

2015-06-09 Thread Jeff Trawick
On Tue, Jun 9, 2015 at 11:41 AM, Salami Kehinde Rasheed <
kennysal...@gmail.com> wrote:

> I need step-by-step to upgrade to apache v7.0.40, what to download and how
> to apply this on production environment.
>
> *SALAMI KEHINDE R*
>
>
>
This is the wrong mailing list; this list is for supporting Apache HTTP
Server, not Apache Tomcat.

Look here: http://tomcat.apache.org/lists.html

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/


[users@httpd] HOW TO APPLY TOMCAT UPGRADE

2015-06-09 Thread Salami Kehinde Rasheed
I need step-by-step to upgrade to apache v7.0.40, what to download and how
to apply this on production environment.

*SALAMI KEHINDE R*


Re: [users@httpd] Issue with Mutual SSL Authentication

2015-06-09 Thread Yann Ylavic
On Tue, Jun 9, 2015 at 9:29 AM, Karan Mengi  wrote:
>
> The problem appears to be that HTTPD does not include the issuer details
> while presenting its certificate to the server, so probably it's failing
> chain verification. We have tried many options found on the net like
> including the flag “SSLOptions +ExportCertData”, but nothing seems to help.

Did you try SSLProxyMachineCertificateChainFile?
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxymachinecertificatechainfile




Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread Frederik Nosi

Hi James,
On 06/09/2015 03:59 PM, James Smith wrote:
In many cases it will only be a few packets anyway so won't actually 
make that much difference!


The point is that it is better to stop the request in the first place 
by setting the appropriate expires/cache control header... than use 
the etag mechanism...


In case it wasn't clear, we very much agree on this one, my question was 
centered on the ETag in particular.


Thanks for your reply!



James

On 09/06/2015 14:56, Frederik Nosi wrote:

Hi James,

On 06/09/2015 02:36 PM, James Smith wrote:
Yes - it is the request overhead - the client will still make the 
request at which point the server has got to decide has it changed 
before even -   which for most static requests is the heaviest 
(slowest) part before returning the not-changed response - and then 
serving the content!


But at this point the server in case of a positive match will send 
just a 304 reply with no content, thus saving bandwidth and time (due 
to eventual roundtrips) no?




You are better to:

(a) set near future or mid future headers [ expires in a month or in 
a year]


Sure, the best request is the one that does not even come :-)

(b) alter filenames if you significantly change the file contents [ 
we use MD5 of content for js/css ]




This only if you're in the position to decide the site layout though.

Note this is "hyper-tuning" of Apache... some people may want to 
enable it - it was originally set up when most users were on 
28K/33.6K modems (or slower) and the transfer of data was the slow 
part of the equation!


James


[...]


Thanks,
Frederik



-- The Wellcome Trust Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE.




Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread Motty Cruz

Thanks for your suggestions!

Thanks,
Motty

On 06/09/2015 06:59 AM, James Smith wrote:
In many cases it will only be a few packets anyway so won't actually 
make that much difference!


The point is that it is better to stop the request in the first place 
by setting the appropriate expires/cache control header... than use 
the etag mechanism...


James

On 09/06/2015 14:56, Frederik Nosi wrote:

Hi James,

On 06/09/2015 02:36 PM, James Smith wrote:
Yes - it is the request overhead - the client will still make the 
request at which point the server has got to decide has it changed 
before even -   which for most static requests is the heaviest 
(slowest) part before returning the not-changed response - and then 
serving the content!


But at this point the server in case of a positive match will send 
just a 304 reply with no content, thus saving bandwidth and time (due 
to eventual roundtrips) no?




You are better to:

(a) set near future or mid future headers [ expires in a month or in 
a year]


Sure, the best request is the one that does not even come :-)

(b) alter filenames if you significantly change the file contents [ 
we use MD5 of content for js/css ]




This only if you're in the position to decide the site layout though.

Note this is "hyper-tuning" of Apache... some people may want to 
enable it - it was originally set up when most users were on 
28K/33.6K modems (or slower) and the transfer of data was the slow 
part of the equation!


James


[...]


Thanks,
Frederik







Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread James Smith
In many cases it will only be a few packets anyway so won't actually 
make that much difference!


The point is that it is better to stop the request in the first place by 
setting the appropriate expires/cache control header... than use the 
etag mechanism...


James

On 09/06/2015 14:56, Frederik Nosi wrote:

Hi James,

On 06/09/2015 02:36 PM, James Smith wrote:
Yes - it is the request overhead - the client will still make the 
request at which point the server has got to decide has it changed 
before even -   which for most static requests is the heaviest 
(slowest) part before returning the not-changed response - and then 
serving the content!


But at this point the server in case of a positive match will send 
just a 304 reply with no content, thus saving bandwidth and time (due 
to eventual roundtrips) no?




You are better to:

(a) set near future or mid future headers [ expires in a month or in 
a year]


Sure, the best request is the one that does not even come :-)

(b) alter filenames if you significantly change the file contents [ 
we use MD5 of content for js/css ]




This only if you're in the position to decide the site layout though.

Note this is "hyper-tuning" of Apache... some people may want to 
enable it - it was originally set up when most users were on 
28K/33.6K modems (or slower) and the transfer of data was the slow 
part of the equation!


James


[...]


Thanks,
Frederik






Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread Frederik Nosi

Hi James,

On 06/09/2015 02:36 PM, James Smith wrote:
Yes - it is the request overhead - the client will still make the 
request at which point the server has got to decide has it changed 
before even -   which for most static requests is the heaviest 
(slowest) part before returning the not-changed response - and then 
serving the content!


But at this point the server in case of a positive match will send just 
a 304 reply with no content, thus saving bandwidth and time (due to 
eventual roundtrips) no?




You are better to:

(a) set near future or mid future headers [ expires in a month or in a 
year]


Sure, the best request is the one that does not even come :-)

(b) alter filenames if you significantly change the file contents [ we 
use MD5 of content for js/css ]




This only if you're in the position to decide the site layout though.

Note this is "hyper-tuning" of Apache... some people may want to 
enable it - it was originally set up when most users were on 28K/33.6K 
modems (or slower) and the transfer of data was the slow part of the 
equation!


James


[...]


Thanks,
Frederik


Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread James Smith
It's not the etag calc it's actually the round tripping to the server 
that is the main over head - better to get the client to cache content...
Apache will still have to touch the file system to see if the content 
has changed (however it is done) and on some filesystems just
locating the file and making sure the user can read it is slower than 
serving it (especially high availability and virtual file systems)...


James

On 09/06/2015 14:51, Frederik Nosi wrote:

Hi Rainer,

On 06/09/2015 02:53 PM, Rainer Canavan wrote:

  Remove etags (Header unset Etag/FileETag None)
Won't this disable conditional requests, ex. If-None-Match and 
friends? Is
your recommendation because of the header overhead or am I missing 
something?

Just if-None-Match. If-Modified-Since would still work. I believe
people recommend disabling ETags because they may cause problems with
clusters (i.e. different inode numbers or modification times for
otherwise identical files), or gzip content encoding
(https://bz.apache.org/bugzilla/show_bug.cgi?id=45023).


Well, if it's a static file I think the etag calculation should be 
quite fast, after all in the default apache setting it's computed 
using three values:


FileETag INode MTime Size

which at least on linux should be cached in the dentry / filesystem 
cache.


So intuitively it should be less work than reading these values, the file 
content and sending it.

It's not that I've done measurements on this though, just speculation.

As for the cluster case (and for security reasons), I've been using:

FileETag MTime Size

Out of curiosity, does somebody have real measurements?




rainer















Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread Frederik Nosi

Hi Rainer,

On 06/09/2015 02:53 PM, Rainer Canavan wrote:

  Remove etags (Header unset Etag/FileETag None)

Won't this disable conditional requests, ex. If-None-Match and friends? Is
your recommendation because of the header overhead or am I missing something?

Just if-None-Match. If-Modified-Since would still work. I believe
people recommend disabling ETags because they may cause problems with
clusters (i.e. different inode numbers or modification times for
otherwise identical files), or gzip content encoding
(https://bz.apache.org/bugzilla/show_bug.cgi?id=45023).


Well, if it's a static file I think the etag calculation should be quite 
fast, after all in the default apache setting it's computed using three 
values:


FileETag INode MTime Size

which at least on linux should be cached in the dentry / filesystem cache.

So intuitively it should be less work than reading these values, the file 
content and sending it.

It's not that I've done measurements on this though, just speculation.

As for the cluster case (and for security reasons), I've been using:

FileETag MTime Size

Out of curiosity, does somebody have real measurements?




rainer








Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread Stormy

At 09:24 AM 6/9/2015 +0100, James Smith wrote:
[snip good advice]
   * For minifying CSS/JS: look at yui compressor and google closure 
compiler...  (Use jshint to check your js to make sure that it will 
merge/compress OK)

   * Can use a number of build tools to do some of this auto-magically...
One possible caveat -- "mod_pagespeed" which is from Google dev (the start 
of this thread.)  We tried it in a pre-production 2.4 environment, and 
while most of the output was well rewritten/minified/re-ordered, it put an 
enormous hit on server CPU cycles (on a very fast machine) -- to the point 
that end-user browser load times suffered. We had to drop it.  (Note this 
was for a fairly complex perl/js site, so YMMV. Note also that Google do 
not *now* recommend it for 2.4, only 2.2, if I understand their notes 
correctly.)


Best -- Paul


   * Move (most) JS to the foot of the page

Watch out with minifying HTML - there is a minor bug with most of the 
minifiers which can't handle correctly ends of line after tags, and 
if you have gzip encoding it usually doesn't make a difference!


Finally...
   * Look at your code and try and optimize your HTML { put as much 
presentation as possible into CSS }
   * Look at your JS - don't use multiple "library classes" - I have seen 
sites using jQuery, Scriptaculous and YUI at the same time!


On 08/06/2015 22:43, Motty Cruz wrote:

Hello,
I added this code on .htaccess


 AddType application/x-javascript .js
 AddType text/css .css


 AddOutputFilterByType DEFLATE text/css application/x-javascript 
text/x-component text/html text/richtext image/svg+xml text/plain 
text/xsd text/xsl text/xml image/x-icon application/javascript

 
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
 
 
  Header append Vary User-Agent env=!dont-vary
 


does not seem to make a difference!




On 06/08/2015 02:38 PM, Emir Ibrahimbegovic wrote:

What have you tried?

On Mon, Jun 8, 2015 at 5:35 PM, Motty Cruz 
<motty.c...@gmail.com> wrote:

Hello,
I am getting the following suggestions from:
https://developers.google.com/speed/pagespeed/insights/


Should Fix:
Optimize images
Leverage browser caching
Consider Fixing:
Eliminate render-blocking JavaScript and CSS in above-the-fold content
Minify CSS
Minify HTML

What is the best practice to solve errors above?

Thanks,








Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread Rainer Canavan
>>  Remove etags (Header unset Etag/FileETag None)

> Won't this disable conditional requests, ex. If-None-Match and friends? Is
> your recommendation because of the header overhead or am I missing something?

Just if-None-Match. If-Modified-Since would still work. I believe
people recommend disabling ETags because they may cause problems with
clusters (i.e. different inode numbers or modification times for
otherwise identical files), or gzip content encoding
(https://bz.apache.org/bugzilla/show_bug.cgi?id=45023).

rainer
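Rainer's cluster point and Frederik's `FileETag MTime Size` setting come down to which inputs feed the validator. The model below is an added example, not code from the thread or from httpd: it builds an ETag from the FileETag components (the hex-joined layout is an assumption for illustration; httpd's real format differs in details such as the weak `W/` prefix and field order), answers a conditional GET with 304 or 200, and then replays the cluster case with two constructed stat records: byte-identical copies of one file on two nodes, same mtime and size, different inode numbers. With INode in the mix the second node never recognises the client's cached validator; without it the 304 path works, and the inode number stops being visible to every client.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileStat:
    """The three inputs FileETag can draw on (constructed values, not a real stat)."""
    inode: int
    mtime: int   # seconds since the epoch
    size: int    # bytes


DEFAULT_COMPONENTS = ("inode", "mtime", "size")   # FileETag INode MTime Size
CLUSTER_SAFE = ("mtime", "size")                   # FileETag MTime Size


def make_etag(stat, components=DEFAULT_COMPONENTS):
    """Build a strong validator from the chosen components (layout is an assumption)."""
    return '"' + "-".join(format(getattr(stat, c), "x") for c in components) + '"'


def _strip_weak(tag):
    """If-None-Match uses weak comparison, so a W/ prefix is ignored."""
    return tag[2:] if tag.startswith("W/") else tag


def handle_conditional_get(stat, if_none_match, components=DEFAULT_COMPONENTS):
    """Return (status, etag): 304 when a listed validator matches, else 200 with the body."""
    etag = make_etag(stat, components)
    if if_none_match:
        listed = {_strip_weak(t.strip()) for t in if_none_match.split(",")}
        if "*" in listed or etag in listed:
            return 304, etag
    return 200, etag


# Two nodes serve byte-identical copies of one file (same mtime and size after a
# timestamp-preserving copy), but each filesystem assigned its own inode number.
NODE_A = FileStat(inode=0x3E8F1, mtime=0x5576D540, size=0x5000)
NODE_B = FileStat(inode=0x1A2B4, mtime=0x5576D540, size=0x5000)


def revalidate_across_nodes(components=DEFAULT_COMPONENTS):
    """Client cached the file from node A; its next conditional GET lands on node B.

    Returns node B's status: 304 means the cached copy was reused, 200 means the
    whole body went over the wire again even though nothing changed.
    """
    cached_etag = make_etag(NODE_A, components)
    status, _ = handle_conditional_get(NODE_B, cached_etag, components)
    return status


def exposes_inode(components=DEFAULT_COMPONENTS):
    """True if the client-visible validator carries the raw inode number."""
    return format(NODE_A.inode, "x") in make_etag(NODE_A, components)


if __name__ == "__main__":
    for label, comps in (("INode MTime Size", DEFAULT_COMPONENTS), ("MTime Size", CLUSTER_SAFE)):
        print(f"FileETag {label}: node A etag {make_etag(NODE_A, comps)}, "
              f"revalidation on node B -> {revalidate_across_nodes(comps)}, "
              f"inode exposed: {exposes_inode(comps)}")
```

The same model explains the gzip case Rainer links: anything that changes the bytes served without changing the inputs to the validator (or the reverse) makes the ETag either stale or needlessly different, so whichever components you keep must track the representation the client actually receives.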




Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread James Smith
Yes - it is the request overhead - the client will still make the 
request at which point the server has got to decide has it changed 
before even -   which for most static requests is the heaviest (slowest) 
part before returning the not-changed response - and then serving the 
content!


You are better to:

(a) set near future or mid future headers [ expires in a month or in a year]
(b) alter filenames if you significantly change the file contents [ we 
use MD5 of content for js/css ]


Note this is "hyper-tuning" of Apache... some people may want to enable 
it - it was originally set up when most users were on 28K/33.6K modems 
(or slower) and the transfer of data was the slow part of the equation!


James

On 09/06/2015 13:27, Frederik Nosi wrote:


Hi James,
On 06/09/2015 10:24 AM, James Smith wrote:



From Apache point of view...

  * Don't use .htaccess files... put everything in httpd.conf (or
equivalent) there is a huge file system performance hit {Apache
has to look for .htaccess files in the directory and any parent
directories}
include "AllowOverride None" in httpd.conf
  * Remove etags (Header unset Etag/FileETag None)



Won't this disable conditional requests, ex. If-None-Match and 
friends? Is your recommendation because of the header overhead or am I 
missing something?


[...]


Thanks,
Frederik






Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread Frederik Nosi


Hi James,
On 06/09/2015 10:24 AM, James Smith wrote:



From Apache point of view...

  * Don't use .htaccess files... put everything in httpd.conf (or
equivalent) there is a huge file system performance hit {Apache
has to look for .htaccess files in the directory and any parent
directories}
include "AllowOverride None" in httpd.conf
  * Remove etags (Header unset Etag/FileETag None)



Won't this disable conditional requests, ex. If-None-Match and friends? 
Is your recommendation because of the header overhead or am I missing 
something?


[...]


Thanks,
Frederik


Re: [users@httpd] Apache24 - how to optimize httpd.conf

2015-06-09 Thread James Smith



From Apache point of view...

 * Don't use .htaccess files... put everything in httpd.conf (or
   equivalent) there is a huge file system performance hit {Apache has
   to look for .htaccess files in the directory and any parent directories}
   include "AllowOverride None" in httpd.conf
 * Remove etags (Header unset Etag/FileETag None)
 * Enable keepalive
 * Turn on gzip encoding {mod_deflate} which you have done
 * Auto set expiry dates into the future {mod_expires}:
   ExpiresActive On / ExpiresDefault "access plus 366 day" / Header
   append Cache-Control "public"
   for static content...

Additionally...

 * For images look at:optipng, jpegoptim & advpng... {consider
   spriting if useful}
 * For minifying CSS/JS: look at yui compressor and google closure
   compiler...  (Use jshint to check your js to make sure that it will
   merge/compress OK)
 * Can use a number of build tools to do some of this auto-magically...
 * Move (most) JS to the foot of the page

Watch out with minifying HTML - there is a minor bug with most of the 
minifiers which can't handle correctly ends of line after tags, 
and if you have gzip encoding it usually doesn't make a difference!


Finally...

 * Look at your code and try and optimize your HTML { put as much
   presentation as possible into CSS }
 * Look at your JS - don't use multiple "library classes" - I have seen
   sites using jQuery, Scriptaculous and YUI at the same time!

On 08/06/2015 22:43, Motty Cruz wrote:

Hello,
I added this code on .htaccess

  AddType application/x-javascript .js
  AddType text/css .css


  *AddOutputFilterByType DEFLATE text/css application/x-javascript 
text/x-component text/html text/richtext image/svg+xml text/plain text/xsd 
text/xsl text/xml image/x-icon application/javascript*
  
   BrowserMatch ^Mozilla/4 gzip-only-text/html
   BrowserMatch ^Mozilla/4\.0[678] no-gzip
   BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  
  
   Header append Vary User-Agent env=!dont-vary
  


does not seem to make a difference!



On 06/08/2015 02:38 PM, Emir Ibrahimbegovic wrote:

What have you tried?

On Mon, Jun 8, 2015 at 5:35 PM, Motty Cruz > wrote:


Hello,
I am getting the following suggestions from:
https://developers.google.com/speed/pagespeed/insights/


Should Fix:
Optimize images
Leverage browser caching
Consider Fixing:
Eliminate render-blocking JavaScript and CSS in above-the-fold
content
Minify CSS
Minify HTML

What is the best practice to solve errors above?

Thanks,

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org

For additional commands, e-mail: users-h...@httpd.apache.org
--
The Wellcome Trust Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE. 
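As an added illustration (this is not code from the list or from any poster), here is a small Python audit of the response headers that the advice above targets. It encodes both the tuning points (far-future Expires, Cache-Control "public", gzip with a Vary header) and the caveat that the mail states only in passing: that advice is for static content. A far-future expiry or a "public" marking on an authenticated HTML page, or on any response that sets a cookie, lets a shared cache hand one user's page to the next. The function names and the sample header sets are mine and constructed.

```python
"""Audit a response's caching and compression headers.

Added example, not from the list thread. audit() takes one response's headers
(a dict) and returns a list of findings, encoding both the tuning advice in the
mail and its caveat: the far-future Expires and Cache-Control "public" are for
static content only. A shared cache that stores an authenticated HTML page,
or any response that sets a cookie, can hand one user's page to the next.
"""
from email.utils import parsedate_to_datetime

STATIC_TYPES = ("text/css", "application/javascript", "application/x-javascript",
                "image/", "font/")
COMPRESSIBLE = ("text/", "application/javascript", "application/x-javascript",
                "application/json", "image/svg+xml")
ONE_YEAR = 365 * 24 * 3600  # seconds; the mail suggests "access plus 366 day"


def freshness(h):
    """Seconds the response may be served from cache, or None if not cacheable
    or not determinable. Expects lower-cased header names. Cache-Control
    max-age wins over Expires, as in RFC 7234."""
    directives = [d.strip().lower() for d in h.get("cache-control", "").split(",")]
    if "no-store" in directives:
        return None
    for d in directives:
        if d.startswith("max-age="):
            try:
                return int(d[len("max-age="):])
            except ValueError:
                return None
    if "expires" in h and "date" in h:
        try:
            return int((parsedate_to_datetime(h["expires"])
                        - parsedate_to_datetime(h["date"])).total_seconds())
        except (TypeError, ValueError):
            return None
    return None


def audit(headers):
    """Return a list of findings for one response (empty list == looks right)."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    cc = h.get("cache-control", "").lower()
    encoding = h.get("content-encoding", "").lower()
    age = freshness(h)
    findings = []

    # Performance checks from the thread (mod_expires / mod_deflate)
    if ctype.startswith(STATIC_TYPES):
        if age is None or age < ONE_YEAR:
            findings.append("static asset without far-future Expires/max-age")
        if "public" not in cc:
            findings.append("static asset not marked Cache-Control: public")
    if ctype.startswith(COMPRESSIBLE) and encoding not in ("gzip", "br", "deflate"):
        findings.append("compressible type served uncompressed")
    if encoding and "accept-encoding" not in h.get("vary", "").lower():
        findings.append("compressed response without Vary: Accept-Encoding")

    # Safety checks: the mail's advice is for static content only
    if ctype == "text/html" and age is not None and age >= ONE_YEAR:
        findings.append("far-future expiry on HTML (ExpiresDefault leaking onto dynamic pages)")
    if "public" in cc and "set-cookie" in h:
        findings.append("Cache-Control: public on a response that sets a cookie")
    return findings


# Constructed sample responses (not captured from any real server)
GOOD_CSS = {
    "Date": "Tue, 09 Jun 2015 20:00:00 GMT",
    "Expires": "Thu, 09 Jun 2016 20:00:00 GMT",   # access plus 366 days
    "Cache-Control": "public",
    "Content-Type": "text/css",
    "Content-Encoding": "gzip",
    "Vary": "Accept-Encoding",
}
UNCOMPRESSED_JS = {
    "Date": "Tue, 09 Jun 2015 20:00:00 GMT",
    "Cache-Control": "public, max-age=31536000",
    "Content-Type": "application/x-javascript",
}
ADMIN_PAGE = {
    "Date": "Tue, 09 Jun 2015 20:00:00 GMT",
    "Expires": "Thu, 09 Jun 2016 20:00:00 GMT",
    "Cache-Control": "public",
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "sessionid=constructed-value; HttpOnly; Secure",
}

if __name__ == "__main__":
    for name, hdrs in (("GOOD_CSS", GOOD_CSS), ("UNCOMPRESSED_JS", UNCOMPRESSED_JS),
                       ("ADMIN_PAGE", ADMIN_PAGE)):
        print(name, audit(hdrs) or "ok")
```

In practice you would feed audit() the headers of a real response (for example the dict from an http.client response's getheaders()) for one static asset and one logged-in HTML page, and expect the first to come back empty and the second to be free of the two safety findings; the ExpiresDefault in the mail applies to every response in its scope unless it is narrowed with ExpiresByType or placed in a static-only Location or Directory block.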

RE: [users@httpd] Client Auth Retries

2015-06-09 Thread Scot Russell
The documentation recommends a higher value for the sslsessioncache, probably 
for performance reasons.  I wonder if you can unset that ssl header variable 
when your user hits the error page or before they try again, using mod_headers 
unset directive,  configured only on that directory or file?

From: mcgr...@nps.edu
To: users@httpd.apache.org
Date: Thu, 4 Jun 2015 19:32:33 +
Subject: Re: [users@httpd] Client Auth Retries

I think that’s part of it—SSLSessionCache on the server was set to five minutes.
Dialing it down to 10 seconds seems to have solved the problem
on Safari, but it persists on Chrome, even after a server restart.
It fixes itself after a Chrome restart, so clearly Chrome is doing some caching 
of something, somewhere.

What are the consequences of having a low SSLSessionCache value on the server?

Further client diagnosis:

* Chrome 43 OS X renegotiates with the smart card if you open an incognito
window. The same behavior manifests itself in other incognito windows,
though, i.e. if you fail smart card auth it won’t go back and retry
smart card auth. This suggests to me that Chrome is doing some 
client side SSLSessionCache, and they maintain different caches 
for regular windows and incognito windows, but within each cache
the problem persists.

* Safari 8.0.6 OS X works as expected with the SSLSessionCache setting on the
server side. Dialing up the SSLSessionCache replicates the problem.

So it can be both a client and server side issue.

On Jun 3, 2015, at 5:16 PM, Scot Russell  wrote:

I don't have an answer for you, a couple thoughts though, are you using an SSL
cache that may be caching the info?  I think there is a cache directive in mod
ssl.  Or is there software on the client for handling the smart card that could
be set or configured to renegotiate?

From: mcgr...@nps.edu
To: users@httpd.apache.org
Date: Wed, 3 Jun 2015 23:21:57 +
Subject: Re: [users@httpd] Client Auth Retries

This behavior is puzzling. 

* Once the browser goes to the “mistake” page, it won’t renegotiate
the SSL connection with the smart card despite

  - No open https connections to the server
  - The behavior persists across a server restart
  - The behavior persists across a “clear cache” on the client browser (Chrome)

The only way to force it to use the smart card auth appears to be quitting and
restarting the browser.

On Jun 2, 2015, at 3:18 PM, McGregor, Donald (Don) (CIV)  
wrote:

I’m trying to set up client authentication using smart cards and be reasonably
polite about auth failures. A typical failure mode is that the user doesn’t have
the card inserted; I should send them to a warning page, then let them retry.

The relevant config file for the top level:

SSLVerifyClient optional

RewriteEngine On
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS
RewriteRule .* /mistake/index.html [L]

  SSLVerifyClient none

Client auth is optional, but if it fails they see the informational
page telling them to use a smart card, in a directory
without smart card auth required.

This successfully rewrites to the informational page when they
don’t have the smart card inserted. The first time in, if client auth fails for
some reason they see the error page, and if they do have
the card and authenticate, they see the expected content.

But if they see the error page, then insert the card, and then
try to go to the https://myhost/content, they continue to 
see the error page. It seems as if the HTTPS connection
is not being renegotiated or that the SSL_CLIENT_VERIFY
is not being reset to SUCCESS on retry. Or is there a 
better way to do this?

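The thread above narrows the behaviour down to TLS session resumption: SSLSessionCache on the server (and a cache inside Chrome) lets the retry resume the earlier session, so no new handshake runs and SSL_CLIENT_VERIFY keeps the value from the failed attempt. As an added example, not from the thread or from either poster, here is a Python script that confirms that diagnosis from the server's own access log. It assumes (my assumption, not Don's configuration) a CustomLog format that records the mod_ssl variables SSL_SESSION_ID, SSL_SESSION_RESUMED and SSL_CLIENT_VERIFY; the format line, function names and the sample log are mine and constructed.

```python
"""Group requests by TLS session to see whether a client-cert retry renegotiated.

Added example, not from the thread. It assumes (my assumption, not the poster's
config) an access log written with a format that records mod_ssl's variables:

  LogFormat "%h %t \"%r\" %>s %{SSL_SESSION_ID}x %{SSL_SESSION_RESUMED}x %{SSL_CLIENT_VERIFY}x" sslauth

A resumed session skips the handshake, so SSL_CLIENT_VERIFY keeps whatever the
original full handshake produced (NONE, FAILED:reason, SUCCESS). If the retries
all arrive as "Resumed" with the old verdict, the server never saw the card,
which is what a long SSLSessionCacheTimeout (or a browser-side cache) looks like.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<sid>\S+) (?P<resumed>Initial|Resumed|-) (?P<verify>.+)$'
)


def parse(line):
    """One log line -> dict of fields, or None if it does not match the format."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def sessions(lines):
    """Map session id -> list of (resumed, verify) tuples in log order."""
    by_sid = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["sid"] != "-":
            by_sid[rec["sid"]].append((rec["resumed"], rec["verify"]))
    return dict(by_sid)


def stuck_sessions(lines):
    """Sessions that were resumed at least once and never reached SUCCESS:
    the retries rode the cached handshake instead of renegotiating."""
    out = {}
    for sid, events in sessions(lines).items():
        if any(r == "Resumed" for r, _ in events) and all(v != "SUCCESS" for _, v in events):
            out[sid] = [v for _, v in events]
    return out


# Constructed sample log, not captured from a real server
SAMPLE_LOG = """\
192.0.2.10 [02/Jun/2015:15:18:01 -0700] "GET /content/ HTTP/1.1" 200 a1b2c3 Initial NONE
192.0.2.10 [02/Jun/2015:15:18:40 -0700] "GET /content/ HTTP/1.1" 200 a1b2c3 Resumed NONE
192.0.2.10 [02/Jun/2015:15:19:30 -0700] "GET /content/ HTTP/1.1" 200 a1b2c3 Resumed NONE
192.0.2.11 [02/Jun/2015:15:20:05 -0700] "GET /content/ HTTP/1.1" 200 d4e5f6 Initial FAILED:self signed certificate
192.0.2.11 [02/Jun/2015:15:21:40 -0700] "GET /content/ HTTP/1.1" 200 9f8e7d Initial SUCCESS
""".splitlines()

if __name__ == "__main__":
    for sid, verdicts in stuck_sessions(SAMPLE_LOG).items():
        print(f"session {sid}: resumed, client verify stayed {verdicts}")
```

stuck_sessions() accepts any iterable of lines, so an open log file works directly. A session that shows up only as "Initial" lines with a failed verdict (d4e5f6 in the sample) is a genuine card problem, not a caching one; a session that keeps returning "Resumed" with the same non-SUCCESS verdict (a1b2c3) is the pattern Don describes, and lowering SSLSessionCacheTimeout only shortens that window on the server side, while a browser that keeps its own session cache will still resume until it is restarted, as the thread observed with Chrome.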
[users@httpd] Issue with Mutual SSL Authentication

2015-06-09 Thread Karan Mengi
Hi Team,

We are facing issues while performing Mutual SSL Authentication between Apache
HTTPD Proxy and Server (using BW as Server).

Scenario is: HTTP Client --- (http connection)---> Apache HTTPD --- (https 
connection) --->HTTPS Server.

Server side authentication is working fine on both Linux and Windows 
environment. However, Mutual SSL authentication is only working on Windows, and 
facing issues while implementing same logic on Linux.
On Windows we are using the latest Apache HTTPD Proxy version 2.4.10. And for 
Linux we are using Apache HTTPD Proxy version 2.2.26.

The problem appears to be that HTTPD does not include the issuer details while
presenting its certificate to the server, so probably it's failing chain
verification. We have tried many options found on the net like including the
flag "SSLOptions +ExportCertData", but nothing seems to help.

On Linux HTTPD is not sending the full certificate details back to the server

Please find below the Logs for both Windows(success) and Linux(error) 
Environments:

Windows

Server version: Apache/2.4.10 (Win64)
Apache Lounge VC11 Server built:   Jul 17 2014 12:58:29

Logs:

[Wed Jun 03 16:21:18.307618 2015] [ssl:debug] [pid 6580:tid 964] 
ssl_engine_kernel.c(1517): [remote 127.0.0.1:9099] AH02277: Proxy client 
certificate callback: (Proxy:hostname) AH02278: no acceptable CA list, sending 
[subject: CN=Proxy,OU=ITS,O=X,L=X,ST=X,C=X / issuer: 
CN=X,DC=testcore,DC=test,DC=dir,DC=X,DC=com / serial: 
247B89560002890B / notbefore: Apr 19 04:24:18 2015 GMT / notafter: Apr 18 
04:24:18 2017 GMT]
[Wed Jun 03 16:21:18.441632 2015] [ssl:debug] [pid 6580:tid 964] 
ssl_engine_kernel.c(1836): [remote 127.0.0.1:9099] AH02041: Protocol: TLSv1, 
Cipher: X
[Wed Jun 03 16:21:18.441632 2015] [ssl:debug] [pid 6580:tid 964] 
ssl_util_ssl.c(343): AH02412: [Proxy_Server:hostname] Cert matches for name 
'Server' [subject: CN=Server,OU=ITS,O=X,L=X,ST=X,C=X / issuer: 
CN=XCA1,DC=testcore,DC=test,DC=dir,DC=X,DC=com / serial: 
24884F6A0002890F / notbefore: Apr 19 04:38:15 2015 GMT / notafter: Apr 18 
04:38:15 2017 GMT]


Linux

Server version: Apache/2.2.26 (Unix)
Server built:   Jul 18 2014 10:26:47

Logs:

[Thu Jun 04 13:00:49 2015] [debug] mod_proxy_http.c(56): proxy: HTTP: 
canonicalising URL //Server_URL
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(1513): [client 10.75.19.54] 
proxy: https: found worker https://Server_URL for https://Server_URL
[Thu Jun 04 13:00:49 2015] [debug] mod_proxy.c(1036): Running scheme https 
handler (attempt 0)
[Thu Jun 04 13:00:49 2015] [debug] mod_proxy_http.c(1974): proxy: HTTP: serving 
URL https://Server_URL
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2018): proxy: HTTPS: has 
acquired connection for (Server)
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2074): proxy: connecting 
https://Server_URL to Server:hostname
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2200): proxy: connected 
/WSDL-service0.serviceagent/PortTypeEndpoint0 to Server:hostname
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2451): proxy: HTTPS: fam 2 
socket created to connect to Server
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2583): proxy: HTTPS: connection 
complete to Server:hostname
[Thu Jun 04 13:00:49 2015] [info] [client 10.75.19.54] Connection to child 0 
established (Server:hostname)
[Thu Jun 04 13:00:49 2015] [info] Seeding PRNG with 144 bytes of entropy
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_io.c(1090): [client 0.0.0.0] SNI 
extension for SSL Proxy request set to 'Server'
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1915): OpenSSL: 
Handshake: start
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: 
before/connect initialization
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: 
SSLv2/v3 write client hello A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/7 
bytes from BIO#7f1409de9600 [mem: 7f1409deebe0] (BIO dump follows)

Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: 
SSLv3 read server hello A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] 
Certificate Verification: depth: 3, subject: /CN=X X, issuer: /CN=X
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] 
Certificate Verification: depth: 2, subject: /CN=X, issuer: /CN=X
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] 
Certificate Verification: depth: 1, subject: 
/DC=com/DC=X/DC=dir/DC=test/DC=testcore/CN=X, issuer: /CN=X
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] 
Certificate Verification: depth: 0, subject: 
/C=X/ST=X/L=X/O=X/OU=ITS/CN=Server, issuer: 
/DC=com/DC=X/DC=dir/DC=test/DC=testcore/CN=X
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: 
SSLv3 read server certificate A
[Thu Jun 0