Re: [users@httpd] Apache 2.4 forward Proxy Configuration Issue

2017-02-15 Thread Eric Covener
On Wed, Feb 15, 2017 at 6:59 AM, Tapas Mishra wrote:
> But when I am disabling SSL in the virtual host and trying to connect
> outbound http it's working.

Most clients expect to speak HTTP to the proxy.

-- 
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



[users@httpd] Apache 2.4 forward Proxy Configuration Issue

2017-02-15 Thread Tapas Mishra
Hi all,

I am trying to configure an Apache forward proxy with SSL, but I am not able
to connect to an external host using the proxy. Below is my virtual host
configuration.

Listen 10.157.131.196:12149

  ServerName ech-10-157-131-196.test.com
  SSLEngine On
  SSLCertificateFile /opt/ssl/apache-selfsigned-new.crt
  SSLCertificateKeyFile /opt/ssl/apache-selfsigned-new.key

  ProxyVia On
  ProxyRequests On
  SSLProxyEngine On
  RewriteEngine On

  RewriteCond %{REQUEST_URI} !https://www.google.com/ [NC]
  RewriteRule .* - [F]


*Scenario 1:* Using curl, try to access https://www.google.com

curl  -v --proxy 10.157.131.196:12149 https://www.google.com
* About to connect() to proxy 10.157.131.196 port 12149 (#0)
*   Trying 10.157.131.196... connected
* Connected to 10.157.131.196 (10.157.131.196) port 12149 (#0)
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Proxy-Connection: Keep-Alive
>
* Proxy CONNECT aborted
* Closing connection #0
curl: (56) Proxy CONNECT aborted

*Scenario 2:* Using curl, try to access http://www.google.com

curl  -v --proxy 10.157.131.196:12149 http://www.google.com
* About to connect() to proxy 10.157.131.196 port 12149 (#0)
*   Trying 10.157.131.196... connected
* Connected to 10.157.131.196 (10.157.131.196) port 12149 (#0)
> GET http://www.google.com/ HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: www.google.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 400 Bad Request
< Date: Wed, 15 Feb 2017 10:03:52 GMT
< Server: Apache
< Content-Length: 362
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<


400 Bad Request

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
 Instead use the HTTPS scheme to access this URL, please.


* Closing connection #0

But when I am disabling SSL in the virtual host and trying to connect
outbound http it's working.

Virtual host Configuration:

Listen 10.157.131.196:12149

  ServerName ech-10-157-131-196.test.com
  #SSLEngine On
  #SSLCertificateFile /opt/ssl/apache-selfsigned-new.crt
  #SSLCertificateKeyFile /opt/ssl/apache-selfsigned-new.key

  ProxyVia On
  ProxyRequests On
  #SSLProxyEngine On
  RewriteEngine On

  RewriteCond %{REQUEST_URI} !https://www.google.com/ [NC]
  RewriteRule .* - [F]


*Scenario 1:* Using curl, try to access https://www.google.com

curl  -v --proxy 10.157.131.196:12149 https://www.google.com
* About to connect() to proxy 10.157.131.196 port 12149 (#0)
*   Trying 10.157.131.196... connected
* Connected to 10.157.131.196 (10.157.131.196) port 12149 (#0)
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 500 Internal Server Error
< Date: Wed, 15 Feb 2017 10:13:15 GMT
< Server: Apache
< Content-Length: 546
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
* Received HTTP code 500 from proxy after CONNECT
* Closing connection #0
curl: (56) Received HTTP code 500 from proxy after CONNECT

*Scenario 2:* Using curl, try to access http://www.google.com

curl  -v --proxy 10.157.131.196:12149 http://www.google.com
* About to connect() to proxy 10.157.131.196 port 12149 (#0)
*   Trying 10.157.131.196... connected
* Connected to 10.157.131.196 (10.157.131.196) port 12149 (#0)
> GET http://www.google.com/ HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: www.google.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 302 Found
< Date: Wed, 15 Feb 2017 10:14:20 GMT
< Server: Apache
< Location: http://www.cfauth.com/?cfru=aHR0cDovL3d3dy5nb29nbGUuY29tLw==
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Content-Length: 660
< Via: 1.1 ech-10-157-131-196.test.com
<

Redirect

Redirect (authentication_redirect_to_virtual_host)


[users@httpd] Processes starts

2017-02-15 Thread Hemant Chaudhary
Hi

When I am starting my httpd-2.4.23 servers, sometimes 6 process IDs or
sometimes 7 process IDs are generated. Can I edit how many process IDs I
want to start? I am assuming 1 process ID is of root and the remaining 5 of its
threads.
Please help me to know why this is happening and where it is stated how many
to open.

My second doubt is that I want to check process IDs in access_log. I am editing %P
for the process ID in the format, and I am getting the correct value. I want to use
%{format}P. I tried this but it is not working; please help with how to
get pid,tid,hextid using %{format}P.


Thanks
Hemant


Re: [users@httpd] filtering by IP SAN entries in the client certificate

2017-02-15 Thread Daniel Gruno
On 02/15/2017 11:31 AM, Andrei Ivanov wrote:
> Hi,
> I have a requirement to check incoming requests, something that would be
> succinctly expressed this way:
> 
> 
> Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> 
> 
> This would check that the request IP address is among the IP addresses
> in the client certificate.
> 
> Unfortunately, this doesn't work:
> 1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
> mod_nss, which exports it
> 2. The expression evaluation engine doesn't know how to evaluate this
> kind of expression
> 3. I've tried using mod_lua for the expression, but it can't access this
> kind of environment variables (and the SSL specific only if exposed by
> mod_ssl, not other modules, like mod_nss)

Have you tried using a rewriterule hack to pass the var?
RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]

that would expose it in mod_lua as r.subprocess_env['sanip'], provided
mod_nss actually exposes it.

> 
> I have run out of ideas on what to try.
> 
> Please help.
> 
> Thank you.
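
The check suggested in the reply above, written out as a mod_lua access-checker hook. This is an added example, not code from the thread: the hook name `check_san_ip`, the script path, and the comma/whitespace separator between multiple SAN entries are assumptions; `sanip` is the variable set by the RewriteRule in the reply.

```lua
-- san_ip_check.lua (added example; file path and hook name are hypothetical)
-- Assumed wiring, in virtual-host context so the RewriteRule runs during URL
-- translation, before access checking (per-directory rewrites run later):
--   RewriteEngine On
--   RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]
--   LuaHookAccessChecker /path/to/san_ip_check.lua check_san_ip

-- Trim, lower-case, and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the
-- same peer compares equal in either notation. Other IPv6 spellings are
-- compared as plain text; a mismatch only ever denies.
local function normalise(ip)
  ip = ip:lower():match("^%s*(.-)%s*$")
  return (ip:gsub("^::ffff:(%d+%.%d+%.%d+%.%d+)$", "%1"))
end

-- True only when `peer` exactly equals one entry of `san_list`.
-- Per-entry equality, not substring search: 10.1.1.1 must not match 10.1.1.10.
-- Assumption: multiple entries are separated by commas and/or whitespace.
local function ip_in_san(peer, san_list)
  if not peer or not san_list or san_list == "" then
    return false
  end
  local want = normalise(peer)
  for entry in san_list:gmatch("[^,%s]+") do
    if normalise(entry) == want then
      return true
    end
  end
  return false
end

-- Access-checker hook: allow only if the TCP peer is listed in the
-- certificate's IP SANs. A missing variable (no client certificate, or the
-- SSL module does not export the value) is denied as well.
function check_san_ip(r)
  local san = r.subprocess_env["sanip"]
  if ip_in_san(r.useragent_ip, san) then
    return apache2.OK
  end
  r:warn(string.format("client %s not in certificate IP SANs (%s)",
                       tostring(r.useragent_ip), tostring(san)))
  return 403
end
```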





[users@httpd] filtering by IP SAN entries in the client certificate

2017-02-15 Thread Andrei Ivanov
Hi,
I have a requirement to check incoming requests, something that would
be succinctly
expressed this way:


Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"


This would check that the request IP address is among the IP addresses in
the client certificate.

Unfortunately, this doesn't work:
1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
mod_nss, which exports it
2. The expression evaluation engine doesn't know how to evaluate this kind
of expression
3. I've tried using mod_lua for the expression, but it can't access this
kind of environment variables (and the SSL specific only if exposed by
mod_ssl, not other modules, like mod_nss)

I have run out of ideas on what to try.

Please help.

Thank you.


Re: [users@httpd] Session disconnection

2017-02-15 Thread Yann Ylavic
Hi,

On Wed, Feb 15, 2017 at 7:32 AM, Fady Haikal wrote:
>
> Disable reuse set to on means that it will disconnect the connection
> once the proxy call is completed. So this will affect the AJAX
> functions that require the connection to be always on.

Hmm, mod_proxy_http will close the connection once there is nothing
more expected on it from an HTTP point of view, so nothing should
break with or without keepalive.

If this is the case (i.e. protocol is WebSocket), maybe you'd need
mod_proxy_wstunnel instead?

Regards,
Yann.




Re: [users@httpd] Session disconnection

2017-02-15 Thread Luca Toscano
2017-02-14 16:55 GMT+01:00 Fady Haikal:

> Luca,
> Apache/2.4.18 (Win64)
>
> 10.114.119.* are the clients machines, 10.114.43.102 and 10.114.43.103
> are the app servers
>
> yes i can see 502 in the httpd access log but all are related to a
> specific ajax we are using in our application, in other words it's not
> related to the disconnection issues we are facing
>
> from application server i cannot see any error, but from the client
> machine the session expired
>
>
For this kind of debugging issue I'd suggest you follow up in the
#httpd IRC Freenode channel, because we might need to ask you a lot of
questions and the mailing lists might be a bit overkill.

Thanks!

Luca