Re: [users@httpd] Apache 2.4: SSLProtocol directive not taking effect

2015-07-22 Thread Hébergement web ArbreBinaire . com
Thanks much, that has to be it.

Regards,

François

The Arbre binaire team, web hosting
hebergem...@arbrebinaire.com


Arbre binaire Hébergement web 

2015-07-22 18:22 GMT-04:00 Yann Ylavic :

> On Wed, Jul 22, 2015 at 11:14 PM, Hébergement web ArbreBinaire.com
>  wrote:
> > Hi,
> >
> > We've been stumped by a configuration problem of our Apache 2.4 server, on
> > CentOS 7.
> >
> > Our goal is to prevent the Poodle vulnerability by removing the SSLv3
> > protocol.
> >
> > But it seems this directive is not taking any effect:
>
> You may be hitting bug [1], which has been fixed in latest 2.4.16 and
> 2.2.31.
>
> Regards,
> Yann.
>
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=57100
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


Re: [users@httpd] Apache 2.4: SSLProtocol directive not taking effect

2015-07-22 Thread Yann Ylavic
On Wed, Jul 22, 2015 at 11:14 PM, Hébergement web ArbreBinaire.com
 wrote:
> Hi,
>
> We've been stumped by a configuration problem of our Apache 2.4 server, on
> CentOS 7.
>
> Our goal is to prevent the Poodle vulnerability by removing the SSLv3
> protocol.
>
> But it seems this directive is not taking any effect:

You may be hitting bug [1], which has been fixed in latest 2.4.16 and 2.2.31.

Regards,
Yann.

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=57100




[users@httpd] Apache 2.4: SSLProtocol directive not taking effect

2015-07-22 Thread Hébergement web ArbreBinaire . com
Hi,

We've been stumped by a configuration problem of our Apache 2.4 server, on
CentOS 7.

Our goal is to prevent the Poodle vulnerability by removing the SSLv3
protocol.

But it seems this directive is not taking any effect:

SSLProtocol All -SSLv3

It's located within a VirtualHost context (in
/etc/httpd/conf.d/example.com.conf):



SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:$
SSLHonorCipherOrder on

And the default (in  /etc/httpd/conf.d/ssl.conf)



SSLProtocol All -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!$
SSLHonorCipherOrder on

We have of course restarted Apache, but tests show that SSLv3 is still
enabled.

I'm certain this is a simple problem, but the logs are silent about this
(at LogLevel debug), and we are not able to solve it.

Thanks,

François
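
A static check of what the configuration itself asks for, added here as an example and not part of the original messages: it evaluates each SSLProtocol line left to right and reports whether SSLv3 remains selected. When the configuration selects no SSLv3 and a scan still negotiates it, the directive text is not the cause, which is the case the reply on this page attributes to bug [1]. Assumptions: "all" expands as the httpd 2.4 documentation describes for OpenSSL 1.0.1+ builds that include SSLv3, the file name wiki.conf is hypothetical, and the VirtualHost addresses are placeholders.

```python
import re
# Assumption: "all" as documented for httpd 2.4 with OpenSSL 1.0.1+ (SSLv3 included).
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANON = {p.lower(): p for p in ALL}

def effective_protocols(value):
    """Evaluate an SSLProtocol argument list left to right."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        name = name.lower()
        if name == "sslv2":  # assumption: httpd 2.4 cannot enable SSLv2; token skipped
            continue
        if name != "all" and name not in CANON:
            raise ValueError("unknown protocol: " + tok)
        group = set(ALL) if name == "all" else {CANON[name]}
        if sign == "-":
            enabled -= group
        else:  # "+" adds to the selection; a bare name replaces it
            enabled = enabled | group if sign == "+" else group
    return enabled

def audit(conf_text, source):
    """Return (source, scope, value, sslv3_enabled) per SSLProtocol line."""
    findings, scope = [], "server config"
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            scope = "VirtualHost " + opened.group(1).strip()
        elif line.lower().startswith("</virtualhost"):
            scope = "server config"
        elif re.match(r"SSLProtocol\s", line, re.I):
            value = line.split(None, 1)[1]
            findings.append((source, scope, value, "SSLv3" in effective_protocols(value)))
    return findings

# Constructed sample: directive values are the ones quoted on this page; the file name
# wiki.conf and all <VirtualHost> addresses are placeholders (tags lost in the archive).
SAMPLES = [
    ("example.com.conf", "<VirtualHost 192.0.2.10:443>\nSSLProtocol All -SSLv2 -SSLv3\n</VirtualHost>"),
    ("ssl.conf", "<VirtualHost _default_:443>\nSSLProtocol All -SSLv3\n</VirtualHost>"),
    ("wiki.conf", "<VirtualHost *:443>\nSSLProtocol all -SSLv2\n</VirtualHost>"),
]

if __name__ == "__main__":
    for name, text in SAMPLES:
        for finding in audit(text, name):
            print(*finding, sep=" | ")
```

The last field of each finding is True only for the "all -SSLv2" virtual host, the one value on this page that leaves SSLv3 selected on paper.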


[users@httpd] Apache Performance Question

2015-07-22 Thread Dino B.
I am new to Apache, please provide adequate answer with information.

 Apache (2.2) is serving requests from bar-code scanning devices which scan
items in warehouse. It could be 1-50 or so devices doing scans at any time.
All scans will update item location in database and Apache server is the
middle man between devices and database. The requests from devices are sent
asynchronously, so a device will not wait for a result of a scan, but it
can be just pointed to another item to scan it. So, a device could send, say,
2-4 requests per second; the more devices, the more requests.

However, we have a situation where Apache will stop responding for a couple
of seconds every once in a while, a few times a day. There is nothing else
on this machine, just the Apache server serving requests coming only from
devices, nothing else. The problem is that if devices send requests at the
time Apache is not responding for a couple of seconds, the requests will
time out.

I wonder if this is caused by some kind of Apache threshold being reached,
and when that happens, Apache will stop responding for a couple of seconds
until new requests can be processed.

What settings should I be looking at, how to set them, and where?

Please explain as I am new to Apache.
Much appreciated,


Re: [users@httpd] php-fpm and proxy , httpd 2.4.12

2015-07-22 Thread Yehuda Katz
Do you need this configuration to be portable to different systems with
different modules available?
If not, remove all the  wrote:

> Apologies for the missing info. It is https by the way. Please see below:
>
> On 21 July 2015 at 00:48, Yehuda Katz  wrote:
>
>> You haven't shown a need for any proxy configuration at all
>>
> Yes. If I have a single box with low traffic, I don't need a proxy config
> at all, right?
> Is this related to
> 1. presence of php-fpm processes? If so, do I turn them off?
> 2. the  ... ProxyRequests On ...
> setting. If so, do I comment it out?
>
>> and you did not include nearly enough configuration, plus you didn't say
>> what wiki package you are running.
>>
> mediawiki 1.25.1
>
>> How about posting more of your config, including the vhost and actual fpm
>> or mod_php config?
>>
> Here is a flattened httpd.conf with all the other relevant conf files
> included:
>
> Listen 0.0.0.0:80
> ServerName myserver:80
> UseCanonicalName Off
> DocumentRoot "/var/www/html"
>
> Alias /wiki/skins /usr/share/mediawiki/skins
> Alias /wiki /var/www/wiki
>
> 
> Require all denied
> 
> AddType text/html .php
> DirectoryIndex index.php
> 
> 
> SetHandler application/x-httpd-php
> 
> php_value session.save_handler "files"
> php_value session.save_path "/var/lib/php/session"
> php_value soap.wsdl_cache_dir  "/var/lib/php/wsdlcache"
> 
> 
> 
> SetHandler "proxy:unix:/run/php-fpm/www.sock|fgci://localhost"
> 
> 
>
>
> Listen 0.0.0.0:443 https
> 
> DocumentRoot "/var/www/html"
> ServerName publichostname:443
> SSLEngine on
> SSLProtocol all -SSLv2
> 
>
> 
> DocumentRoot "/var/www/html"
> ServerName lanlocalhostname:443
> SSLEngine on
> SSLProtocol all -SSLv2
> 
>
>
> These modules are also loaded, after the ones above:
> LoadModule ssl_module modules/mod_ssl.so
> 
>LoadModule cgid_module modules/mod_cgid.so
> 
> 
>LoadModule cgid_module modules/mod_cgid.so
> 
> 
>LoadModule cgi_module modules/mod_cgi.so
> 
> 
>   LoadModule php5_module modules/libphp5.so
> 
> 
>   LoadModule php5_module modules/libphp5-zts.so
> 
>
> Please advise any other conf I could add.
>
>> On Jul 20, 2015 1:25 PM, "MM"  wrote:
>>
>>> I get this error when I try to access my wiki
>>>
>>> AH01144: No protocol handler was valid for the URL /wiki/index.php. If
>>> you are using a DSO version of mod_proxy, make sure the proxy submodules
>>> are included in the configuration using LoadModule.
>>>
>>> 1. For some reason, my linux distribution somehow enabled php-fpm by
>>> default.
>>> My site has very little traffic, and I don't have performance
>>> requirements.
>>>
>>> 2. I have the following setting
>>>
>>> 
>>> ProxyRequests On
>>> 
>>> Order deny,allow
>>> Deny from all
>>> Allow from 
>>> 
>>> 
>>>
>>> Do I need this setting?
>>>
>>> 3. All these modules are loaded
>>> LoadModule proxy_module modules/mod_proxy.so
>>> LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
>>> LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
>>> LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
>>> LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
>>> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
>>> LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
>>> LoadModule proxy_connect_module modules/mod_proxy_connect.so
>>> LoadModule proxy_express_module modules/mod_proxy_express.so
>>> LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
>>> LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
>>> LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
>>> LoadModule proxy_http_module modules/mod_proxy_http.so
>>> LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
>>>
>>> and
>>> LoadModule xml2enc_module modules/mod_xml2enc.so
>>> LoadModule proxy_html_module modules/mod_proxy_html.so
>>>
>>> Are there any more modules to load?
>>>
>>>
>


[users@httpd] AW: Rewrite, .php files and PHP-FPM

2015-07-22 Thread Adolph, Tobias
Do you use php via mod_proxy_fcgi?


Could be possible that the .htaccess file is never honoured since the request 
was proxied before.


Kind regards,

Tobias Adolph


From: Rose, John B
Sent: Wednesday, 22 July 2015 17:05
To: users@httpd.apache.org
Subject: [users@httpd] Rewrite, .php files and PHP-FPM

Red Hat 7
Apache 2.4
PHP-FPM

We are having some trouble getting Rewrite to work with Apache 2.4/PHP-FPM

In other words, it isn't successfully working.


Our test example:

The .htaccess file:




RewriteEngine On

RewriteRule ^index2.html$ index.html

RewriteRule ^index2.php$ index.php




Here is the content of index.php (In other words that is the text in the file,
in addition to being the name):

"index.php"


Here is the content of index2.php:

"index2.php"


If we go to index2.php, we get "index2.php" which indicates the mod_rewrite is 
not working on php request.


Any suggestions on addressing the above problem?

Thanks


[users@httpd] Rewrite, .php files and PHP-FPM

2015-07-22 Thread Rose, John B
Red Hat 7
Apache 2.4
PHP-FPM

We are having some trouble getting Rewrite to work with Apache 2.4/PHP-FPM

In other words, it isn't successfully working.


Our test example:

The .htaccess file:




RewriteEngine On

RewriteRule ^index2.html$ index.html

RewriteRule ^index2.php$ index.php




Here is the content of index.php (In other words that is the text in the file,
in addition to being the name):

"index.php"


Here is the content of index2.php:

"index2.php"


If we go to index2.php, we get "index2.php" which indicates the mod_rewrite is 
not working on php request.


Any suggestions on addressing the above problem?

Thanks


[users@httpd] TLS session tickets

2015-07-22 Thread Venkat V
Hi,

We use Apache 2.2.29 on.  We have observed that sessions are enabled even
though we configured to use ticket for the following scenario.

scenario:
1. configure server to use TLS tickets
2. generate a client certificate on server and export it to a
browser(firefox/chrome)
3. try to access web page multiple times

Please note that issue does not occur if we don't use client certificates

configuration file :

# client certificate
SSLCACertificateFile "conf/ssl.crt/ca-rsa.crt"

# renegotiation and client certificate

   SSLVerifyClient require
   SSLVerifyDepth 2


Log:
[debug] ssl_engine_kernel.c(2786): OpenSSL: Loop: SSLv3 write session
ticket A
...
[debug] ssl_scache_shmcb.c(443): ssl_scache_shmcb_retrieve (0xfe ->
subcache 30)
[debug] ssl_scache_shmcb.c(798): shmcb_subcache_retrieve found no match
[debug] ssl_scache_shmcb.c(458): leaving ssl_scache_shmcb_retrieve
successfully
[debug] ssl_engine_kernel.c(2624): Inter-Process Session Cache: request=GET
status=MISSED
id=FEF6CFEBB06C5ED58058892740B018EFE7827C8508B5FF905D62D1B70040B581
(session renewal)

Can you please clarify the following

1. is this expected behavior?
2. if not, what could be the issue


Thanks & Regards,
Venkat.


Re: [users@httpd] Re: Problem in chunked response

2015-07-22 Thread Yann Ylavic
On Wed, Jul 22, 2015 at 8:58 AM, skbarik  wrote:
>
> We are very heavily dependent upon the extension to indicate certain status
> to client.
> and unfortunately we don't have any control over backend to change this.
> Is there a way to configure mod proxy to not discard this.

No, mod_proxy handles Content-Length and/or Transfer-Encoding per
connection (hop-by-hop), and may switch from one to the other
depending on whether it already has the whole payload or not (plus
possible content transformations in the chain).

Even when the chunked Transfer-Encoding is preserved, chunks'
boundaries may change, hence it does not (always) make sense to
preserve chunk-extensions.

The backend can hardly rely on chunk-extensions as an "out of band"
communication with the user-agent, precisely because there may be
intermediaries, and extensions are always meant for the next hop.
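
The hop-by-hop point above, as an added example that is not part of the original message and is not mod_proxy's code: a strict chunked-body parser, and a model of a next hop that forwards the same payload with its own framing, so the chunk-extensions written by the backend never reach the client. The sample body is constructed; its trailer field name is taken from the trailers thread on this page, and the extension names are hypothetical.

```python
import re

def parse_chunked(body):
    """Parse a chunked body; return ([(data, extension), ...], trailers)."""
    chunks, trailers, pos = [], {}, 0
    while True:
        eol = body.index(b"\r\n", pos)
        size_hex, _, ext = body[pos:eol].partition(b";")
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_hex):
            raise ValueError("bad chunk size")
        size, pos = int(size_hex, 16), eol + 2
        if size == 0:
            break
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        chunks.append((data, ext.decode()))
        pos += size + 2
    while True:  # trailer section: header fields up to the empty line
        eol = body.index(b"\r\n", pos)
        line, pos = body[pos:eol], eol + 2
        if not line:
            return chunks, trailers
        name, _, value = line.partition(b":")
        trailers[name.decode().strip()] = value.decode().strip()

def reframe(body, chunk_size):
    """Forward only the payload with new chunk boundaries, as a next hop that
    owns its own framing may do (a model for illustration, not mod_proxy code)."""
    payload = b"".join(data for data, _ in parse_chunked(body)[0])
    out = b""
    for i in range(0, len(payload), chunk_size):
        part = payload[i:i + chunk_size]
        out += b"%x\r\n%s\r\n" % (len(part), part)
    return out + b"0\r\n\r\n"

# Constructed sample: a backend body that signals status in chunk-extensions
# (hypothetical names) and carries one trailer field.
BACKEND = (b"5;status=partial\r\nhello\r\n"
           b"6;status=done\r\n world\r\n"
           b"0\r\nMy-Test-Trailer: some-value-new\r\n\r\n")

if __name__ == "__main__":
    print(parse_chunked(BACKEND))
    print(parse_chunked(reframe(BACKEND, 4)))
```

After reframing, the payload is byte-for-byte the same, but it arrives in three chunks instead of two and every extension field is empty.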




[users@httpd] Re: Http trailers in chunked requests

2015-07-22 Thread Sachin Shetty
Hi,

I tried with Apache 2.4.16 with the "MergeTrailers On". No luck, apache
just won't let the trailers pass through. I enabled debug log as well, but
no additional info in logs about skipping trailers.

Thanks
Sachin

On Mon, Jul 20, 2015 at 11:44 AM, Sachin Shetty 
wrote:

> Hi Eric,
>
> We are using mod proxy and mod rewrite to forward the request to an
> haproxy server running a pool of tomcat. I have verified that when the
> request is directly sent to haproxy, trailers are sent to the tomcat and it
> does print it in the debug logs.
>
> While debugging this I have also noticed that apache converts a chunked
> request < 8KB to a non chunked one and assembled the whole body before
> sending it down the proxy.
>
> Thanks
> Sachin
>
> Sorry could not figure out how to post from a digest, I have copied your
> question below:
>
> >> What module handles this request, and where are you looking for the
> trailers?
>
>
> On Sat, Jul 18, 2015 at 6:27 PM, Sachin Shetty 
> wrote:
>
>> Hi,
>>
>> as per http spec, we want clients to send us trailers in chunked
>> requests. However the request on the server side does not get the trailer
>> at all.
>>
>> Is there some setting on apache to allow trailers, we are using apache
>> 2.4.
>>
>> Our request looks like this.
>>
>> <
>> telnet somehost 80
>> POST /some-path HTTP/1.1
>> Authorization: Basic =
>> Host: somehost.domain.com
>> Transfer-Encoding: chunked
>> Trailer: My-Test-Trailer
>>
>> 50
>> 
>> 0
>> My-Test-Trailer: some-value-new
>> >>
>>
>>
>
>
> --
> Thanks & Regards
> Sachin Shetty
>
> " I never make mistakeas "
>


[users@httpd] Re: Problem in chunked response

2015-07-22 Thread skbarik
Hi Yann

Thanks for the reply.

We are very heavily dependent upon the extension to indicate certain status
to client.
and unfortunately we don't have any control over backend to change this.
Is there a way to configure mod proxy to not discard this.

Thanks.

barik


