Re: [users@httpd] Certificate check on Apache reverse proxy with upstream SSL

2015-12-07 Thread Christian Georg
Hi Jim,

Not sure I understand your response. The attachment is the JDK release notes 
and I did not find anything specific in there.

I partially solved this by migrating to Apache 2.4 and using checkpeername. With 
Apache 2.4 the host name from the http request is checked against the 
certificate rather than the IP address used in the balancer member, but this still 
leaves the pinning issue open, which I would like to put on to.

Cheers

Chris

Sent from my iPad

On 06.12.2015 at 14:39, Jim Paniagua wrote:

if you could I sure would appreciate getting rid of these certs CA .. it 
appears why I am here he continues to be a large problem with breaking several 
good productive working computers as well as having fun redirecting me and not 
allowing me anything but under his control .. this is why I am here .. thank 
you .. here was a first attempt from a fellow member to help out .. I just 
didn't get it ..

On Wed, Dec 2, 2015 at 4:29 PM, Christian Georg wrote:
Hi all,

I wanted to implement certificate pinning on an upstream SSL connection of a 
reverse proxy but I am struggling with the setup.
Please let me know where I am going wrong or if the expected setup should work.

My setup is as follows:
Multiple local applications --- HTTP via localhost ---> Apache httpd 2.2 as 
reverse proxy --- HTTPS via the internet ---> API Provider

I have a bunch of applications which all consume an API provided by a 
third party. The connection to the third party is made via https with mutual 
SSL.
All local applications are running on the same server and we decided to bundle 
requests by using an apache reverse proxy which handles the SSL connections to 
the API Provider.
By doing this the proxy also reduces the number of SSL connections needed while 
at the same time reducing latency, as connections are reused. I am running 
apache 2.2 on CentOS.
Due to the fact that applications and proxy are living on the same host we 
decided to use only http via localhost.

The API Provider is using a server certificate which is derived from a public 
CA.
root CA => intermediate CA 1 => intermediate CA 2 => API Server Certificate.

The setup is working in general but I wanted to ensure that I am understanding 
the way certificate chains are evaluated correctly, as my understanding of the 
trust model is not working as expected.
This is where I hope you can help.

According to my understanding I should be able to place the server certificate 
in a file referred to via SSLProxyCACertificateFile.
If I then set SSLProxyVerifyDepth to 0, only certificates included in the 
certificate file should be trusted.

During tests this setup failed and I am getting a handshake failure. My 
assumption is that this is due to the fact that the server certificate is not 
self-signed but derived from an intermediate CA.
I got this to work by adding all three CAs (root CA, intermediate CA 1 and 
intermediate CA 2) and setting SSLProxyVerifyDepth to 3.
As soon as I started removing certificates from the top or reducing the 
verification depth I was getting handshake errors stating either CA chain too 
long or CA not found.

Could you advise on the best way to ensure only specific certificates (signed 
by public CAs) rather than whole CAs can be trusted in outgoing SSL connections 
from Apache 2.2 using the SSLProxyEngine?


Here is the config I am using:


SSLProxyEngine on
SSLProxyCACertificateFile trusted_CAs.pem
# this includes the 3 CAs and I even tried including the 3 CAs and the server
# certificate.
SSLProxyVerify require
SSLProxyCheckPeerCN on
SSLProxyVerifyDepth 3

ProxyPass / https://API-Server.X.Y/API-App

Thanks

Chris






-
To unsubscribe, e-mail: 
users-unsubscr...@httpd.apache.org
For additional commands, e-mail: 
users-h...@httpd.apache.org
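Added example, not code from the thread or from httpd: the shell script below reproduces the chain-building behaviour Chris describes with the openssl CLI, using a constructed root -> intermediate 1 -> intermediate 2 -> server chain, and runs the trust-store and depth variants he tried. It assumes an openssl binary (1.1.1 or later) on PATH; the CA names and hostname are made up. The final -partial_chain case goes beyond the thread: it is an openssl CLI flag, not a mod_ssl directive, and shows what anchoring trust at a non-self-signed certificate looks like.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce, with the openssl CLI, the
# verification outcomes for a root -> int1 -> int2 -> server chain.
# Assumes openssl >= 1.1.1 on PATH; all names are constructed for the demo.
set -e
WORK=$(mktemp -d)

# Key (P-256, fast to generate) and CSR for certificate $1 with CN $2.
mkcsr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Issue certificate $1 from issuer $2 using extension file $3.
issue() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
}

build_chain() {
  # CAs need CA:TRUE + keyCertSign, or path validation rejects them as issuers.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api-server.example.test\n' \
    > "$WORK/leaf.ext"
  mkcsr root "Demo Root CA"
  mkcsr int1 "Demo Intermediate CA 1"
  mkcsr int2 "Demo Intermediate CA 2"
  mkcsr leaf "api-server.example.test"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  issue int1 root ca.ext
  issue int2 int1 ca.ext
  issue leaf int2 leaf.ext
  # Trust-store variants matching the SSLProxyCACertificateFile contents tried.
  cat "$WORK/root.pem" "$WORK/int1.pem" "$WORK/int2.pem" > "$WORK/all_cas.pem"
  cat "$WORK/int1.pem" "$WORK/int2.pem" > "$WORK/intermediates.pem"
}

# verify <CAfile in $WORK> <depth> [extra openssl verify flags]
# Prints the verdict with OpenSSL's reason and returns 0 only when the chain
# is accepted, which is the decision SSLProxyVerify require acts on.
verify() {
  cafile=$1; depth=$2; shift 2
  if out=$(openssl verify -CAfile "$WORK/$cafile" -verify_depth "$depth" \
             "$@" "$WORK/leaf.pem" 2>&1); then
    echo "accepted: CAfile=$cafile depth=$depth $*"
  else
    reason=$(printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)
    echo "rejected: CAfile=$cafile depth=$depth $* ($reason)"
    return 1
  fi
}

# OpenSSL releases count depth differently, so only clearly sufficient (3)
# and clearly insufficient (0, 1) values are used here.
demo() {
  build_chain
  verify leaf.pem 0 || :          # server cert alone: not a trust anchor
  verify all_cas.pem 3 || :       # all three CAs, depth 3: what finally worked
  verify root.pem 3 -untrusted "$WORK/intermediates.pem" || :  # server-sent chain
  verify intermediates.pem 3 || : # root removed: issuer cannot be found
  verify all_cas.pem 1 || :       # depth too small: chain too long
  verify int2.pem 3 -partial_chain || :  # anchor at the issuing intermediate
}
demo
```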


Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread William A Rowe Jr
On Dec 7, 2015 11:36 PM, "Marat Khalili"  wrote:
>> Everything *after* that handshake, in cleartext, is open for inspection
>> or for manipulation
>
> Are you sure about the manipulation part? Why do you think encryption
> helps here then?

To turn the question around, what gives you the suggestion that the user
agent or the httpd server would notice any modification of plaintext bytes
in transit through a router or other network intermediate?


Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread Marat Khalili
> what gives you the suggestion that the user agent or the httpd server 
> would notice any modification of plaintext bytes in transit through a 
> router or other network intermediate?

Isn't this what authentication is for?

--

With Best Regards,
Marat Khalili


[users@httpd] Apache2 and Tomcat : Simultaneously running both servers and Virtual Hosting.

2015-12-07 Thread Kernel freak
Hello friends,

I am working on some server side changes in which the webapps or
website hosted by the Apache server are called by URL. So if the url is
www.domain-one.com, then the specific webapp or website must be served.

I have partial success in these regards as I have already configured Apache
Tomcat to host multiple webapps, and call them based on URL. It is working.

Now on to the 2nd stage of problem, where I have hosted a CMS on Apache
server, and would like to call it with a URL, *but also keep Apache tomcat
running in parallel*, and this is the main problem I am dealing with.

This may seem like an Apache server issue, but it's both, as I want to run
the Apache web server and Apache Tomcat simultaneously with virtual hosting. I
just hope there might be people here who know both servers.

I tried mod_jk without any luck. Here are the changes I made to tomcat and
apache server.

Tomcat changes : server.xml :








 

www.domain-first.com




www.domain-second.com








Installed mod_jk with following command :


  apt-get install libapache2-mod-jk

Created file workers.properties in /etc/apache2/


# Define 1 real worker using ajp13
worker.list=worker
# Set properties for worker (ajp13)
worker.worker.type=ajp13
worker.worker.host=localhost
worker.worker.port=8010

Instructed jk.conf to load this file :


JkWorkersFile /etc/apache2/workers.properties


Finally edited 000-default in sites-enabled to add :


JkMount /home/user/tomcat_directory/* worker1

Then restarted Apache2, and I got this error :


[] Restarting web server: apache2(98)Address already in use:
make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
Action 'start' failed.
The Apache error log may have more information.
 failed!


I understand that Tomcat is running on 80, but how do I then configure
the servers so they can run simultaneously?

Kindly let me know..

Regards,

Akshay S.


Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread William A Rowe Jr
On Mon, Dec 7, 2015 at 7:40 PM, Jacob Champion wrote:

> On 12/07/2015 05:06 PM, William A Rowe Jr wrote:
>
>> On Mon, Dec 7, 2015 at 2:39 PM, Ron Croonenberg wrote:
>>
>> Hello,
>>
>> I am building a storage system, using HTTP/HTTPS for ingesting data.
>>
>> I would like to use the authentication over HTTPS, while after that
>> I want no encryption on the data because of performance.
>>
>>
>> Then you probably don't understand the performance impact of TLS.
>>
>
> To help Ron out a little... he's coming from this conversation [1] on the
> openssl-users mailing list, where he's described his rather unusual network
> topology already.
>
> I'm still unsure as to whether or not his proposed solution is secure...
> but I am convinced that his use case is atypical.


It should be straightforward to patch mod_ssl to accept null ciphers, for
such an unusual use case, but it isn't something we would likely accept in
the ASF distribution for the reasons I outlined.


> Otherwise,
>> any man-in-the-middle can observe the data in transit and alter
>> the data passed between your client and backend storage server
>>
>
> Wait, why does the use of NULL encryption have any effect on the
> authenticity/integrity characteristics of the cipher? I asserted otherwise
> on openssl-users and was not corrected...
>

I didn't suggest that it would.  Everything *after* that handshake, in
cleartext, is open for inspection or for manipulation by every link in
between the user agent and server.


> --Jacob
>
> [1] https://marc.info/?t=14490098273=1=2


Re: [users@httpd] mod_proxy - Status lines without response phrases are getting turned into 500 errors

2015-12-07 Thread Nick Kew
On Mon, 2015-12-07 at 14:03 -0500, Adam wrote:
> We are using Apache 2.2.29 in production with mod_perl and mod_proxy

What's the role of mod_perl in your proxy?  Can the
problem be replicated without mod_perl?

Oh, right, just looked up the bug you reference: seems
I was there.  The final comment suggests that the issue
you describe was fixed in 2.3/2.4, but not in 2.2.
You could presumably apply the patch attached to that
bug report if you don't want to upgrade?

-- 
Nick Kew





Re: [users@httpd] mod_proxy - Status lines without response phrases are getting turned into 500 errors

2015-12-07 Thread Adam
Thanks Nick!  I'm not sure what our plans are to upgrade, but we do have an
easy fix in our application for now.  Thanks for clarifying where it was
fixed and not fixed.

Adam



[users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread Ron Croonenberg

Hello,

I am building a storage system, using HTTP/HTTPS for ingesting data.

I would like to use the authentication over HTTPS, while after that I 
want no encryption on the data because of performance.


I think using null ciphers, like eNULL, would work, but how do I change 
the configuration in httpd.conf/ssl.conf?


The NULL cipher keys are in openssl,  I just want to use them.


thanks,

Ron




Re: [users@httpd] Apache2 and Tomcat : Simultaneously running both servers and Virtual Hosting.

2015-12-07 Thread William A Rowe Jr
Pretty simple answer, you either,

1. Change the Tomcat port, E.g. 8080 so it doesn't collide with httpd, or

2. Listen (IPaddr1):80 to httpd and bind (IPaddr2):80 to Tomcat.

The second can be more confusing, since if you bind localhost:80 to Tomcat,
httpd won't respond unless you make a request to its own IP listener.
On Dec 7, 2015 07:13, "Kernel freak" wrote:

> Hello friends,
>
> I am working on some server side changes in which I have the webapps or
> website hosted by Apache server is called by the URL. So if url is
> www.domain-one.com, then the specific webapp or website must be served.
>
> I have partial success in these regards as I have already configured
> Apache Tomcat to host multiple webapps, and call them based on URL. It is
> working.
>
> Now on to the 2nd stage of problem, where I have hosted a CMS on Apache
> server, and would like to call it with a URL, *but also keep Apache
> tomcat running in parallel*, and this is the main problem I am dealing
> with.
>
> This may seem like a Apache server issue, but it's both, as I want to run
> Apache web-server and Apache tomcat simultaneously with Virtual hosting. I
> just hope there might be people here who know both servers.
>
> I tried mod_jk without any luck. Here are the changes I made to tomcat and
> apache server.
>
> Tomcat changes : server.xml :
>
>  compression="force" compressionMinSize="1024"
>connectionTimeout="2"  maxPostSize="5242880"
>URIEncoding="utf-8"
>  compressableMimeType="text/html,text/xml,text/plain,text/css,text/ 
> javascript,application/x-javascript,application/javascript"/>
>
>
>  maxPostSize="5242880" SSLEnabled="true" maxThreads="200" compre$
>   compressionMinSize="1024" scheme="https" secure="true" 
> clientAuth="false"  sslProtocol="TLS"
>keystoreFile="keystorefile" keystorePass="PASSWORD" 
> URIEncoding="utf-8"
>  compressableMimeType="text/html,text/xml,text/plain,text/css,text/ 
> javascript,application/x-javascript,application/javascript"/>
>
>
>
>   autoDeploy="true"/>
>  appBase="tooltank_webapps">
> www.domain-first.com
> 
> 
>
>  appBase="aupair_webapps">
> www.domain-second.com
> 
>
>
> 
>  URIEncoding="utf-8"
>  compressableMimeType="text/html,text/xml,text/plain,text/css,text/ 
> javascript,application/x-javascript,application/javascript"
> />
>
>
>
> Installed mod_jk with following command :
>
>
>   apt-get install libapache2-mod-jk
>
> Created file workers.properties in /etc/apache2/
>
>
> # Define 1 real worker using ajp13
>  worker.list=worker
>  # Set properties for worker (ajp13)
>  worker.worker.type=ajp13
>  worker.worker.host=localhost
>  worker.worker.port=8010
>
> Instructed jk.conf to load this file :
>
>
> JkWorkersFile /etc/apache2/workers.properties
>
>
> Finally edited 000-default in sites-enabled to add :
>
>
> JkMount /home/user/tomcat_directory/* worker1
>
> Then restarted Apache2, and I got this error :
>
>
> [] Restarting web server: apache2(98)Address already in use: make_sock: 
> could not bind to address [::]:80
> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
> no listening sockets available, shutting down
> Unable to open logs
> Action 'start' failed.
> The Apache error log may have more information.
>  failed!
>
>
> I understand that Tomcat is running on 80, but how do I then configure the 
> servers so they can run simultaneously.
>
> Kindly let me know..
>
> Regards,
>
> Akshay S.
>
>


[users@httpd] mod_proxy - Status lines without response phrases are getting turned into 500 errors

2015-12-07 Thread Adam
Hi,

We are using Apache 2.2.29 in production with mod_perl and mod_proxy (we're
acting as a reverse proxy) and are experiencing a problem with proxying
responses from the back end server that don't include a response phrase
being turned into a 500 error by Apache when it proxies to the client.  The
client is using a custom response code of 320 and is not including a
response phrase in their status line.  This sounds almost identical to an
old bug that was fixed (or supposedly fixed) a very long time ago:

https://bz.apache.org/bugzilla/show_bug.cgi?id=44995

In our mod_perl application if we modify the status line read from the
backend server to include a response phrase then this avoids the bug.
E.g., things are ok if we do something like this when the status line
doesn't contain a response phrase.

$r->status_line($r->status . ' OK');

Does anyone have any experience with this or should I file a new bug with
Apache?

Here is some diag info from the httpd binary:

Loaded Modules:
 core_module (static)
 authn_file_module (static)
 authn_default_module (static)
 authz_host_module (static)
 authz_groupfile_module (static)
 authz_user_module (static)
 authz_default_module (static)
 auth_basic_module (static)
 file_cache_module (static)
 cache_module (static)
 disk_cache_module (static)
 reqtimeout_module (static)
 filter_module (static)
 deflate_module (static)
 log_config_module (static)
 env_module (static)
 headers_module (static)
 setenvif_module (static)
 version_module (static)
 proxy_module (static)
 proxy_http_module (static)
 proxy_scgi_module (static)
 proxy_ajp_module (static)
 proxy_balancer_module (static)
 ssl_module (static)
 mpm_prefork_module (static)
 http_module (static)
 mime_module (static)
 status_module (static)
 actions_module (static)
 alias_module (static)
 so_module (static)

Server version: Apache/2.2.29 (Unix)
Server built:   Oct 17 2014 13:47:09
Server's Module Magic Number: 20051115:36
Server loaded:  APR 1.5.1, APR-Util 1.5.3
Compiled using: APR 1.5.1, APR-Util 1.5.3
Architecture:   32-bit
Server MPM: Prefork
  threaded: no
forked: yes (variable process count)
Server compiled with
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/var/httpd"
 -D SUEXEC_BIN="/var/httpd/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

Thanks,
Adam


[users@httpd] PHP and mod_fcgid: ap_pass_brigade failed in handle_request_ipc function

2015-12-07 Thread Steven Barre
OK, so I've been trying to solve this for a while now, and I still 
can't even figure out what this error means. Can someone tell me what 
has gone wrong in fcgi to cause this error?


I posted on Stack Overflow, but haven't gotten much help yet so I'm 
trying this mailing list. 
http://stackoverflow.com/questions/33811543/php-and-mod-fcgid-ap-pass-brigade-failed-in-handle-request-ipc-function




This has been asked and answered before 
http://stackoverflow.com/a/12686252/219116 but, the solution there is 
not working for me.


mod_fcgid config


  AddHandler fcgid-script .fcgi
  FcgidIPCDir /var/run/mod_fcgid/
  FcgidProcessTableFile /var/run/mod_fcgid/fcgid_shm

  FcgidIdleTimeout 60
  FcgidProcessLifeTime 120
  FcgidMaxRequestsPerProcess 500
  FcgidMaxProcesses 150
  FcgidMaxProcessesPerClass 144
  FcgidMinProcessesPerClass 0
  FcgidConnectTimeout 30
  FcgidIOTimeout 600
  FcgidIdleScanInterval 10
  FcgidMaxRequestLen 269484032



php-cgi script

#!/bin/bash
export PHPRC=/var/www/vhosts/example.com/etc/
export PHP_FCGI_MAX_REQUESTS=5000
exec /usr/bin/php-cgi

System details

 - CentOS Linux release 7.1.1503 (Core)
 - httpd-2.4.6-31.el7.centos.x86_64
 - mod_fcgid-2.3.9-4.el7.x86_64
 - php56u-cli-5.6.12-1.ius.centos7.x86_64

So my FcgidMaxRequestsPerProcess is set to 500 and my 
PHP_FCGI_MAX_REQUESTS is set to 10x that as suggested in the previous 
answers and the Apache documentation. And yet I still get these errors


[Thu Nov 19 18:16:48.197238 2015] [fcgid:warn] [pid 6468:tid 139726677858048] (32)Broken pipe: [client X.X.X.X:41098] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function


--
=
Steven Barre, RHCE
ste...@realestatewebmasters.com

Systems Administrator
Real Estate Webmasters - 250-753-9893
==





Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread Jacob Champion

On 12/07/2015 05:06 PM, William A Rowe Jr wrote:
> On Mon, Dec 7, 2015 at 2:39 PM, Ron Croonenberg wrote:
>
>> Hello,
>>
>> I am building a storage system, using HTTP/HTTPS for ingesting data.
>>
>> I would like to use the authentication over HTTPS, while after that
>> I want no encryption on the data because of performance.
>
> Then you probably don't understand the performance impact of TLS.

To help Ron out a little... he's coming from this conversation [1] on 
the openssl-users mailing list, where he's described his rather unusual 
network topology already.

I'm still unsure as to whether or not his proposed solution is secure... 
but I am convinced that his use case is atypical.

> Otherwise,
> any man-in-the-middle can observe the data in transit and alter
> the data passed between your client and backend storage server

Wait, why does the use of NULL encryption have any effect on the 
authenticity/integrity characteristics of the cipher? I asserted 
otherwise on openssl-users and was not corrected...

--Jacob

[1] https://marc.info/?t=14490098273=1=2




Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread William A Rowe Jr
On Mon, Dec 7, 2015 at 2:39 PM, Ron Croonenberg wrote:

> Hello,
>
> I am building a storage system, using HTTP/HTTPS for ingesting data.
>
> I would like to use the authentication over HTTPS, while after that I want
> no encryption on the data because of performance.
>

Then you probably don't understand the performance impact of TLS.

TLS is very expensive to negotiate between endpoints working from
elliptic curve or prime math.  There's no avoiding this initial hit if you
are going to use TLS whatsoever.

Once the endpoints have completed the handshake, they exchange
keys for a much simpler and more performant cipher such as the
AES-256 cipher (for faster performance, you could use AES-128
depending on the application).

You will measure very little benefit dropping TLS once the handshake
and your auth step is completed.


> I think using  null ciphers, like eNULL would work, but how do I change
> the configurations is httpd.conf/ssl.conf ?
>
> The NULL cipher keys are in openssl,  I just want to use them.
>

Only if you have 100% faith in the end-to-end topography of your
network. That pretty much restricts you to localhost:. Otherwise,
any man-in-the-middle can observe the data in transit and alter
the data passed between your client and backend storage server,
which makes the entire point of authenticating rather silly, don't
you think?





Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread Marat Khalili
> Everything *after* that handshake, in cleartext, is open for 
> inspection or for manipulation

Are you sure about the manipulation part? Why do you think encryption 
helps here then?


--

With Best Regards,
Marat Khalili

