[users@httpd] SuExec and Mod_Mime_Magic

2016-02-12 Thread D'Arcy J.M. Cain
I have pored over every page I can find on SuExec and Mod_Mime_Magic
and I am still at a loss here.  This is the error I am seeing.

 AH01512: mod_mime_magic: can't read `ExecutableFile` 

The file permissions are 0700, owned by me and is being run by me via
suexec.  I have tested and I am 100% sure that code in that directory
is being run as me and that the directory and file are owned by me.

I can fix this by setting perms to 0755 but isn't the point of suexec
that you don't need to do that?  I'm not even sure why Mod_Mime_Magic
is involved in the first place.  The script is a CGI and the extension
is in the config as "AddHandler cgi-script .py".

Thanks for any help.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Block access to "OPTIONS *"

2016-02-12 Thread Spork Schivago
I put this:
  RewriteEngine on
  RewriteOptions AllowAnyURI # for * to be taken into account by mod_rewrite
  RewriteCond %{REQUEST_METHOD} OPTIONS
  RewriteRule ^ - [R=405,L]
  RewriteRule ^[^/] - [R=403,L]

in my .htaccess file, but when I still telnet to mydomain 80, and try the
OPTIONS thing, it's still returning a 200.   I also tried the  stuff but that didn't work either.

On Fri, Feb 12, 2016 at 6:47 AM, Yann Ylavic  wrote:

> On Fri, Feb 12, 2016 at 10:47 AM, Daniel  wrote:
> > The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
> > IIRC. You just add this in your location/directory:
> > 
> > deny from all
> > 
> >
> > and will return 403 if you try OPTIONS method there
>
> That wouldn't work because the replies to OPTIONS requests happen
> before in the map_to_storage hook, that is before the authz hooks
> (Toomas tried that already).
>
> Will discuss this on dev@, because ISTM that should work with something
> like:
>  # matches / and *
> 
>Deny from all  # 2.2
>Require all denied # 2.4
> 
>   
>
> For now I could only make it work with:
>   RewriteEngine on
>   RewriteOptions AllowAnyURI # for * to be taken into account by mod_rewrite
>   RewriteCond %{REQUEST_METHOD} OPTIONS
>   RewriteRule ^ - [R=405,L]
>   RewriteRule ^[^/] - [R=403,L]
> which should be the first rewrite rules for AllowAnyURI to not be
> "dangerous" for further rules (if any) failing to match the leading
> slash.
>
> Regards,
> Yann.
>


Re: [users@httpd] Block access to "OPTIONS *"

2016-02-12 Thread Spork Schivago
Thanks, do you mean open a new thread for me wanting to know how to turn
off the OPTIONS stuff?   Or do you mean open a new thread if I want help
with blocking the hacking kits?   cPanel / CFS seem to handle all the w00t
stuff, so I'm not too worried about that now.


On Fri, Feb 12, 2016 at 6:49 AM, Yann Ylavic  wrote:

> On Fri, Feb 12, 2016 at 2:38 AM, Spork Schivago wrote:
> > Sorry to but in here, but is there a way for me to test to see if my
> > server is affected by this OPTIONS issue?
>
> OPTIONS is not an issue, could you elaborate?
>
> > I have cPanel / WHM and ConfigServer
> > Firewall installed and just about every day, I see CSF blocking users
> > from trying to hack in using some known hacking kit.   Something with the
> > word w00t in it and blackhat.   I'd just like to make sure I got all
> > exploitable services closed.   Thanks!
>
> Please open a new thread.
>
> Regards,
> Yann.
>


Re: [users@httpd] Expiring DAV file locks with mod_dav

2016-02-12 Thread Christopher Schultz

All,

Ping. Any ideas?

Thanks,
-chris

On 2/5/16 4:04 PM, Christopher Schultz wrote:
> All,
> 
> I've been searching for a bit and mostly people are having the
> opposite problem I'm having: they are having file locks expire too
> early.
>
> I have a lock on a file on the DAV that looks like it's no longer
> valid, but LibreOffice Writer won't open a document on my WebDAV
> server because it says it's locked by another user (and names the
> user).
>
> Are there any tools to investigate and/or tweak the locks held by
> mod_dav?
>
> I tried "dbmmanage DAVLocks view" just to see if anything would
> work, and it dumped-out some stuff, but didn't look like dbmmanage
> could really interpret the DAVLocks file.
>
> Any ideas? I'm sure that "rm DAVLocks && /etc/init.d/apache2
> restart" would do the trick, but I'd like to keep any other
> legitimate file locks in place if possible.
> 
> Thanks, -chris
> 



[users@httpd] Proxy logging

2016-02-12 Thread Christopher Schultz

All,

I'm using mod_proxy_http as a reverse-proxy to another origin server.
It seems that httpd doesn't record access logs for stuff going over to
the proxy.

Is there a way to write an access log for requests handled by
mod_proxy? Or is the best practice to aggregate the logs from the
origin server and the reverse proxy? (In this case, I have complete
control over both servers).

Apache httpd 2.4 everywhere.

Thanks,
-chris



Re: [users@httpd] Block access to "OPTIONS *"

2016-02-12 Thread Marat Khalili
I'm sorry to suggest it without myself testing it first, but are you 
aware of mod_allowmethods?


--

With Best Regards,
Marat Khalili

On 12/02/16 14:47, Yann Ylavic wrote:

> On Fri, Feb 12, 2016 at 10:47 AM, Daniel wrote:
> > The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
> > IIRC. You just add this in your location/directory:
> >
> > deny from all
> >
> > and will return 403 if you try OPTIONS method there
>
> That wouldn't work because the replies to OPTIONS requests happen
> before in the map_to_storage hook, that is before the authz hooks
> (Toomas tried that already).
>
> Will discuss this on dev@, because ISTM that should work with something like:
>  # matches / and *
>
>    Deny from all  # 2.2
>    Require all denied # 2.4
>
> For now I could only make it work with:
>   RewriteEngine on
>   RewriteOptions AllowAnyURI # for * to be taken into account by mod_rewrite
>   RewriteCond %{REQUEST_METHOD} OPTIONS
>   RewriteRule ^ - [R=405,L]
>   RewriteRule ^[^/] - [R=403,L]
> which should be the first rewrite rules for AllowAnyURI to not be
> "dangerous" for further rules (if any) failing to match the leading
> slash.
>
> Regards,
> Yann.






Re: [users@httpd] Block access to "OPTIONS *"

2016-02-12 Thread Yann Ylavic
On Fri, Feb 12, 2016 at 2:38 AM, Spork Schivago wrote:
> Sorry to put in here, but is there a way for me to test to see if my server
> is affected by this OPTIONS issue?

OPTIONS is not an issue, could you elaborate?

> I have cPanel / WHM and ConfigServer
> Firewall installed and just about every day, I see CSF blocking users from
> trying to hack in using some known hacking kit.   Something with the word
> w00t in it and blackhat.   I'd just like to make sure I got all exploitable
> services closed.   Thanks!

Please open a new thread.

Regards,
Yann.




Re: [users@httpd] Block access to "OPTIONS *"

2016-02-12 Thread Yann Ylavic
On Fri, Feb 12, 2016 at 10:47 AM, Daniel  wrote:
> The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
> IIRC. You just add this in your location/directory:
> 
> deny from all
> 
>
> and will return 403 if you try OPTIONS method there

That wouldn't work because the replies to OPTIONS requests happen
before in the map_to_storage hook, that is before the authz hooks
(Toomas tried that already).

Will discuss this on dev@, because ISTM that should work with something like:
 # matches / and *

   Deny from all  # 2.2
   Require all denied # 2.4

  

For now I could only make it work with:
  RewriteEngine on
  # AllowAnyURI: for * to be taken into account by mod_rewrite
  # (httpd does not accept a comment on the same line as a directive)
  RewriteOptions AllowAnyURI
  RewriteCond %{REQUEST_METHOD} OPTIONS
  RewriteRule ^ - [R=405,L]
  RewriteRule ^[^/] - [R=403,L]
which should be the first rewrite rules for AllowAnyURI to not be
"dangerous" for further rules (if any) failing to match the leading
slash.

Regards,
Yann.
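
A way to verify the effect of the rewrite rules in the message above, as an added example that is not part of the original thread: it parses the reply to an `OPTIONS` request and reports whether the server still answers it, automating the telnet test described elsewhere in the thread. The function names and both sample replies are constructed for illustration; `probe()` is meant to be pointed at a server you administer.

```python
import socket

# Constructed sample replies. SAMPLE_200 mirrors the kind of reply quoted in
# the thread; SAMPLE_405 is what the R=405 rewrite rule is expected to produce.
SAMPLE_200 = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
              b"Allow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n\r\n")
SAMPLE_405 = (b"HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\n"
              b"Content-Length: 0\r\nConnection: close\r\n\r\n")


def parse_options_reply(raw):
    """Return (status_code, methods listed in Allow) from a raw HTTP reply."""
    # Accept both CRLF (wire format) and bare LF (pasted telnet output).
    text = raw.replace(b"\r\n", b"\n").decode("latin-1")
    lines = text.split("\n\n", 1)[0].split("\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    allow = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            allow += [m.strip().upper() for m in value.split(",") if m.strip()]
    return int(parts[1]), allow


def options_answered(raw):
    """True when the server answered OPTIONS with a 2xx status."""
    status, _ = parse_options_reply(raw)
    return 200 <= status < 300


def probe(host, target="*", port=80, timeout=5.0):
    """Send 'OPTIONS <target> HTTP/1.0' to your own server; return raw reply."""
    request = "OPTIONS %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (target, host)
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(request.encode("ascii"))
        chunks = []
        while True:  # HTTP/1.0: the server closes the connection when done
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for label, raw in (("before rules", SAMPLE_200), ("after rules", SAMPLE_405)):
        print(label, parse_options_reply(raw), "answered:", options_answered(raw))
```

Check both targets, `probe(host, "*")` and `probe(host, "/")`, since the thread treats the server-wide `*` form and ordinary paths separately.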




Re: [users@httpd] Block access to "OPTIONS *"

2016-02-12 Thread Daniel
The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
IIRC. You just add this in your location/directory:

deny from all


and will return 403 if you try OPTIONS method there

On Fri, 12 Feb 2016 at 7:41, Spork Schivago wrote:

> Thank you.   I do see the 200 OK response.
>
> OPTIONS / HTTP/1.0
>
> HTTP/1.1 200 OK
> Date: Fri, 12 Feb 2016 06:35:33 GMT
> Server: Apache
> Allow: GET,HEAD,POST,OPTIONS
> Cache-Control: max-age=0, no-cache, no-store, must-revalidate
> Pragma: no-cache
> Expires: Wed, 11 Jan 1984 05:00:00 GMT
> Content-Length: 0
> Connection: close
> Content-Type: text/html
>
> Connection closed by foreign host.
>
> How do I go about fixing this again?   I'd like the fix to be server wide,
> so I'd want to put this in my httpd.conf file?
>
>
> RewriteCond %{REQUEST_METHOD} OPTIONS
> RewriteRule .* - [R=405,L]
> RewriteRule ^[^/] - [R=403,L]
>
> I'm currently redirecting all http traffic to the https version of my site
> using this in .htaccess files:
>
> RewriteEngine on
> RewriteCond %{HTTPS} off
> RewriteRule ^(.*) https://%{HTTP_HOST}/$1 [R]
>
> I'd like to add that to make it server wide as well I think.   Just gotta
> figure out where to put it in the httpd.conf file (or the vhosts .conf
> files).   I use cPanel / WHM and EasyApache so it makes things much harder
> to figure out.
>
>
> On Fri, Feb 12, 2016 at 12:33 AM, Toomas Aas wrote:
>
>>
>> On 02/12/2016 03:38 AM, Spork Schivago wrote:
>>
>>> Sorry to put in here, but is there a way for me to test to see if my
>>> server is affected by this OPTIONS issue?
>>>
>>
>>
>> Testing is easy. Just telnet to port 80 of your server, type "OPTIONS /
>> HTTP/1.0" and press Enter twice.
>>
>> $ telnet www.yoursite.com 80
>> Trying 12.34.56.78...
>> Connected to www.yoursite.com.
>> Escape character is '^]'.
>> OPTIONS / HTTP/1.0
>>
>> HTTP/1.0 200 OK
>> Allow: OPTIONS, GET, HEAD, POST
>> Content-Length: 0
>> Connection: close
>> Date: Fri, 12 Feb 2016 05:29:26 GMT
>> Server: Apache
>>
>> If you see the "200 OK" response, you are affected
>>
>> --
>> Toomas Aas | support engineer
>> www.reach-u.com
>>


Re: [users@httpd] Renaming localhost

2016-02-12 Thread Raja
Hi Greg,

Thanks for your reply. 

Yes the apps are driven by LAMP stack. I looked in
the /etc/apache2/conf-enabled/ folder and found shortcut files.

This one is for apache docs

Alias /manual /usr/share/doc/apache2-doc/manual/


Options Indexes FollowSymlinks
AllowOverride None
Require all granted
AddDefaultCharset off


I am guessing I have to create such a file for http://somename/ whose
files are under /var/www/html/somename.

Right now I found a solution by assigning an IP to the NIC by using
ifconfig command

ifconfig eth0 10.0.0.100 netmask 255.255.255.0 up

The problem is if the connection is intermittent, when the connection is
live, the eth0 is assigned a static IP. When the connection dies, the IP
is nullified.

Ideally I would like to know how to make Apache point to the same
address, 127.0.0.1,  using a localhost alias, even when the NIC does not
have an IP.

Thanks.

Regards, Raja.


On Thu, 2016-02-11 at 12:13 -0500, Greg Rundlett (freephile) wrote:
> On Wed, Feb 10, 2016 at 4:57 AM, Raja wrote:
> > Hello,
> >
> > I sometimes work in remote sites with no network. I have the same setup
> > on different machines and I need the server name to know dynamically
> > where to do changes, etc.
>
> It's not clear to me the situation that you're describing above.
>
> > I edited /etc/hosts to show
> > 127.0.0.1 localhost somename
> >
> > Now, with my Wifi off I am trying `http://somename` and it is not
> > connecting. If I turn my wifi on, it works. But I need it to work with
> > no connection. How can I resolve this?
>
> 
> DNS is the system that resolves names to (numeric) hosts.
> 
> 
> The /etc/hosts file on Linux systems is consulted first, before any
> (local or network) DNS server is consulted.
> 
> 
> Therefore, the entry in /etc/hosts that you list above WILL map
> "http://somename" to the numeric address 127.0.0.1, which is the local
> machine.  
> 
> 
> In order for this to actually produce a usable result, you must have a
> web server (e.g. Apache) running on the local machine, along with the
> proper configuration (e.g. /etc/apache2/conf-enabled/somename.conf)
> and files/scripts in the document root
> (e.g. /var/www/somename.com/index.html) to serve some website called
> "somename" from your local machine without using any network.
>  
> p.s. If you have the same set of files, and configuration to
> synchronize across multiple hosts (e.g. local, testing, production),
> you will need a tool like rsync; and be sure to use the --dry-run
> --verbose options.  Better yet, use git to commit your changes, and
> setup a "remotes" such as 'origin' and 'dev' to allow you to track,
> and push code changes.
> 
> Greg Rundlett
> https://eQuality-Tech.com
> https://freephile.org


