[users@httpd] MIL CAC and mod_ssl for httpd 2.4.6

2017-05-04 Thread Doug Maurer

We have a setup where we have to use MIL CAC's to access our site. It
currently works with SSLVerifyClient require and SSLVerifyDepth  10, but
we want to limit what the users see to just of the certs that is
presented. We tried changing the VerifyDepth to 1 and removed all the
non-email certs in the ca-bundle.crt file. But the problem we get is it
errors in the ssl_errors_log of AH02039: Certificate Verification: Error
(20): unable to get local issuer. Googling this error says it's missing an
intermediate cert. Tried to create by googling for instructions, but still
get the same thing.

The 2.4.6-45 is from CentOS 7

Has anyone been able to get this to work?


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Headers blocking application content

2017-05-04 Thread Mike Rumph

Hello Saikiran,

First of all, thanks for asking for help on this.
Many other users may also be having difficulty with these issues.

But one thing to keep in mind, "suggest a fix immediately" is not 
something that should be expected of a group of open source volunteers.


The first thing that I would suggest is that we take a look at Content 
Security Policy in detail.

Here are a couple of links:
- https://www.w3.org/TR/CSP11/#directive-frame-ancestors
- https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_Content_Security_Policy_frame-ancestors_directive


The first thing I see is that blocking application content would be the 
desired intention.

But in your case the blocking seems to be overactive.

This directive is an agreement between browser and application server.
So you would need to examine both to make sure that they can handle this 
directive as expected.

Here is an excerpt from one of the links:


 Limitations (of Content Security Policy frame-ancestors directive)

 * *Browser support:* frame-ancestors is not supported by all the major
   browsers yet.
 * *X-Frame-Options takes priority:* Section 7.7.1 of the CSP Spec
   says X-Frame-Options should be ignored if frame-ancestors is
   specified, but Chrome 40 & Firefox 35 ignore the frame-ancestors
   directive and follow the X-Frame-Options header instead.

So this could explain the different behavior you are seeing from the 
different browsers.
Secondly, I would double check the intent of each of the directives you 
are using in your Content-Security-Policy example.
Beyond this, it may be helpful if you were to provide a few more details 
on how you are using Apache HTTP Server for this.

(httpd version?, which MPM? using as a reverse proxy?)

Thanks,

Mike

On 5/4/2017 1:04 PM, saikiran@wipro.com wrote:


Hi,

We are using below header to fix the vulnerabilities.

*Header set Content-Security-Policy "default-src 'none'; script-src 
'self'; connect-src 'self'; img-src 'self'; style-src 'self';"*


But after that application content is getting blocked while accessing 
it through browser.


We have given a try with same header but with different value.

*Header set Content-Security-Policy "frame-ancestors"*

Application is able to show the content in IE and Firefox but not in 
chrome. Please suggest a fix immediately.


Best Regards

*Saikiran M*

*Middleware Administrator  | SNXT Operations***– Global Service 
Management Centre


*Wipro Limited*

p:  214924 | *Toll Free* 1800 200 5656

#146/147, Metagalli industrial area, Mysore 570 016 | Karnataka, INDIA

The information contained in this electronic message and any 
attachments to this message are intended for the exclusive use of the 
addressee(s) and may contain proprietary, confidential or privileged 
information. If you are not the intended recipient, you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately and destroy all copies of this message and any 
attachments. WARNING: Computer viruses can be transmitted via email. 
The recipient should check this email and any attachments for the 
presence of viruses. The company accepts no liability for any damage 
caused by any virus transmitted by this email. www.wipro.com 
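
As an added example (not part of the original thread), the Python below parses the two header values quoted in this thread and lists what each one restricts under CSP Level 2 rules: fetch directives that inherit 'none' from default-src, inline script and style that 'self' does not cover, and a frame-ancestors directive with an empty source list, which matches no ancestor. The function names and finding labels are this example's own.

```python
# Added example: explain what a Content-Security-Policy value restricts.
# Directive names follow CSP Level 2; the finding labels are this example's own.

# Fetch directives that inherit from default-src when they are absent.
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "connect-src",
    "font-src", "media-src", "object-src", "child-src",
)

# The two header values from the thread.
POLICY_A = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
            "img-src 'self'; style-src 'self';")
POLICY_B = "frame-ancestors"


def parse_csp(value):
    """Return {directive: [sources]}; a repeated directive keeps its first value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Source list the browser applies, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None  # frame-ancestors never falls back to default-src


def matches_nothing(sources):
    """An empty source list behaves like 'none': no origin matches it."""
    return sources is not None and [s.lower() for s in sources] in ([], ["'none'"])


def allows_inline(sources):
    """Inline script or style needs 'unsafe-inline', a nonce or a hash source."""
    prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return any(s.lower() == "'unsafe-inline'" or s.lower().startswith(prefixes)
               for s in sources)


def review(csp_value, x_frame_options=None):
    """Return (directive, finding) pairs for one response's headers."""
    policy = parse_csp(csp_value)
    findings = []
    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            continue
        if matches_nothing(sources):
            origin = "explicitly" if directive in policy else "via default-src"
            findings.append((directive, "blocked " + origin))
        elif directive in ("script-src", "style-src") and not allows_inline(sources):
            findings.append((directive, "inline blocked"))
    ancestors = policy.get("frame-ancestors")
    if ancestors is not None:
        if matches_nothing(ancestors):
            findings.append(("frame-ancestors", "framing blocked"))
        if x_frame_options:
            # Per the excerpt quoted in the reply, browsers disagree on which header wins.
            findings.append(("frame-ancestors", "browser-dependent with X-Frame-Options"))
    return findings


if __name__ == "__main__":
    for name, value in (("first header", POLICY_A), ("second header", POLICY_B)):
        for directive, finding in review(value):
            print(f"{name}: {directive}: {finding}")
```

Each finding for the first header is a candidate for the blocked content (inline scripts or styles, fonts, media, plugins, frames); the browser console's CSP violation messages show which one the application actually hits.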




RE: [users@httpd] HTTPS implementation to apache2 server, localhost

2017-05-04 Thread saikiran....@wipro.com
You are missing intermediate certificate i.e, CA certificate.

You should add it after below lines

SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key


In ssl.conf you will find

Server Certificate Chain:
Certificate Authority (CA):

add it anywhere but not in both.

Best Regards

  Saikiran M


From: Keerthi Narayan [mailto:mkeerth...@gmail.com]
Sent: Thursday, May 4, 2017 6:10 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] HTTPS implementation to apache2 server, localhost


below is the details of error log file

[Thu May 04 07:35:01.892795 2017] [ssl:warn] [pid 15336:tid 140037655033728] 
AH01906: 172.19.18.238:443:0 server certificate is a CA certificate 
(BasicConstraints: CA == TRUE !?)
[Thu May 04 07:35:01.892876 2017] [mpm_event:notice] [pid 15336:tid 
140037655033728] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41 OpenSSL/1.0.2g 
configured -- resuming normal operations
[Thu May 04 07:35:01.892881 2017] [core:notice] [pid 15336:tid 140037655033728] 
AH00094: Command line: '/usr/sbin/apache2'
[Thu May 04 12:54:40.038040 2017] [mpm_event:notice] [pid 15336:tid 
140037655033728] AH00491: caught SIGTERM, shutting down
[Thu May 04 12:54:40.780686 2017] [ssl:warn] [pid 18991:tid 140346453059456] 
AH01906: 172.19.18.238:443:0 server certificate is a CA certificate 
(BasicConstraints: CA == TRUE !?)
[Thu May 04 12:54:40.787424 2017] [ssl:warn] [pid 18992:tid 140346453059456] 
AH01906: 172.19.18.238:443:0 server certificate is a CA certificate 
(BasicConstraints: CA == TRUE !?)
[Thu May 04 12:54:40.788009 2017] [mpm_event:notice] [pid 18992:tid 
140346453059456] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41 OpenSSL/1.0.2g 
configured -- resuming normal operations
[Thu May 04 12:54:40.788023 2017] [core:notice] [pid 18992:tid 140346453059456] 
AH00094: Command line: '/usr/sbin/apache2'


On Thu, May 4, 2017 at 2:33 PM, Daniel wrote:
At first sight there is no syntax error. Can you try to describe what error you 
get and paste related error.log entries?

2017-05-04 9:30 GMT+02:00 Keerthi Narayan:
Hi All,
I am trying to implement HTTPS to my local server(apache2) and below is 
configuration file.   -UBUNTU SERVER



ServerAdmin user@localhost
ServerName x.x.x.x
ServerAlias www.x.x.x.x
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
  
SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all

 BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


Please advise me what else I have to configure apart from above configuration 
or correction.  So that it will get secured.
Thanks & Regards,
Keerthi Narayan




--
Daniel Ferradal
IT Specialist

email dferradal at gmail.com
linkedin 
es.linkedin.com/in/danielferradal


RE: [users@httpd]

2017-05-04 Thread saikiran....@wipro.com
compile with JK connector


Best Regards
   Saikiran M




-Original Message-
From: Stéphane Laurencelle [mailto:stephane.laurence...@momentum-tech.ca]
Sent: Tuesday, February 28, 2017 9:53 PM
To: users@httpd.apache.org
Subject: [users@httpd] RE : [users@httpd]


Hello Eric,

When I look at apachectl -M, I don't see the ajp module load but I see the 
proxy_mod module and when I try I get an error 404 in the apache log.

I don't know where to look to debug the module not loading in apache.

Stephane




From: Eric Covener [cove...@gmail.com]
Sent: 28 February 2017 10:54
To: users@httpd.apache.org
Subject: Re: [users@httpd]

On Tue, Feb 28, 2017 at 10:45 AM, Stéphane Laurencelle wrote:
> even if i uncomment the line in httpd.conf file for enabling the
> module it don't seem to load

What do you observe exactly?

--
Eric Covener
cove...@gmail.com




[users@httpd] Headers blocking application content

2017-05-04 Thread saikiran....@wipro.com
Hi,

We are using below header to fix the vulnerabilities.

Header set Content-Security-Policy "default-src 'none'; script-src 'self'; 
connect-src 'self'; img-src 'self'; style-src 'self';"

But after that application content is getting blocked while accessing it 
through browser.


We have given a try with same header but with different value.

Header set Content-Security-Policy "frame-ancestors"

Application is able to show the content in IE and Firefox but not in chrome. 
Please suggest a fix immediately.

Best Regards

  Saikiran M



Re: [users@httpd] I need help figuring out a 500 response code

2017-05-04 Thread John Covici
Hi again.  Is there any way I can get help on my problem?  I am pretty
desperate -- I have shared hundreds of links and they are all no good
till I get this working again.

On Wed, 03 May 2017 09:08:35 -0400,
Daniel wrote:
> 
> Perhaps you should also add how you are configuring httpd to handle the 
> interpretation of PHP files.
> 
> That is, if you are, for example using mod_proxy_fcgi to send php file 
> requests to php-fpm you should see your 500 detailed errors there instead of 
> Apache.
> 
> Apache will always log 500 status errors, so maybe you should make sure you 
> are checking the correct login if you are not using the case I describe above.
> 
> If you are using the dreaded mod_php you should check for php directives you 
> can specify for more verbose logging onto why your php scripts fail.
> 
> I use owncloud too, so if you want I can show you a configuration snippet on 
> how to set apache with mod_proxy_fcgi reverse proxy php requests to a php-fpm 
> pool
> 
> 2017-05-03 11:21 GMT+02:00 John Covici :
> 
>  The error_log just had one line or in debug mode a lot of information
>  about ssl and several lines about requireall granted, but no further
>  information about the error.
> 
>  On Wed, 03 May 2017 02:55:28 -0400,
>  Dr James Smith wrote:
>  >
>  > Is there an error.log in the same directory? This is usually in
>  > the same directory this should contain some information about why
>  > the system failed.
>  >
>  >
>  > On 03/05/2017 07:41, John Covici wrote:
>  > > Hi. I am having major problems figuring out a 500 response code I am
>  > > getting on my server.
>  > >
>  > > I am using apache 2.4.25 on gentoo linux up to date as of a few days
>  > > ago.
>  > >
>  > > So, I have installed owncloud which is a cloud server written in php and
>  > > it has worked for a long time, but for a few days I have gotten 500
>  > > when I try to access it. Now, I am using https normally to access and
>  > > when I look at the error_log, I get just one line like this:
>  > >
>  > > [Wed May 03 02:14:37.074791 2017] [ssl:info] [pid 22312] [client
>  > > 192.168.0.2:56613] AH01964: Connection to child 0 established (server
>  > > ccs.covici.com:443)
>  > >
>  > > If I change the loglevel to debug, I get all kinds of ssl information
>  > > and the lines saying that requireall was granted, but nothing about
>  > > the error.
>  > >
>  > > Now, if I change to http access, on my access_log I get lines like the
>  > > following:
>  > >
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
>  > > 301 295
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
>  > > 301 295 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0;
>  > > rv:11.0) like Gecko"
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
>  > > 301 295 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0;
>  > > rv:11.0) like Gecko"
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
>  > > 302 -
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
>  > > 302 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
>  > > like Gecko"
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
>  > > 302 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
>  > > like Gecko"
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
>  > > /owncloud/index.php/login HTTP/1.1" 500 -
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
>  > > /owncloud/index.php/login HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT
>  > > 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
>  > > /owncloud/index.php/login HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT
>  > > 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
>  > >
>  > > Now, owncloud has their own log, but I get nothing in it.
>  > >
>  > > So, my question is how to find out more about why I am getting the 500
>  > > response and what I can do about it.
>  > >
>  > > Thanks in advance for any suggestions.
>  > >
>  >
>  >
>  >
>  >
> 
>  --
>  Your life is like a penny. You're going to lose it. The question is:
>  How do
>  you spend it?
> 
>  John Covici
>  cov...@ccs.covici.com
> 
> 

Re: slotmem_shm shows an error on reload

2017-05-04 Thread Rainer Jung

On 04.05.2017 at 12:11, Denny Jahnke wrote:


Hello everyone,

I have a bigger problem, which is also not really consistent; I hope someone 
can give me a tip.

The setup:

Server OS: Debian 8.7
HTTPD: Apache/2.4.10 (Debian) - installed via APT
RAM: 32GB
CPU: 24 vCores

Usage: as a reverse proxy (not a forward proxy from inside to the Internet!) for 
various backend applications, plus a number of different balancer 
configurations via mod_proxy_balancer. No PHP/FPM/PERL or the like, only some 
static content.

We have 2 systems set up redundantly for HA behind an upstream F5 LB.

The behaviour:

I made minor rewrite changes in 2-3 vhosts (mainly rewrites) and transferred 
them to the servers. When I ran "service apache2 reload" (configtest had 
succeeded beforehand!) on the 1st system, it died under my hands; the ports 
were gone too. Some forked processes were still present, though.

The following error message appeared in the error.log:

[Thu May 04 06:25:07.104831 2017] [mpm_worker:notice] [pid 17256:tid 
140267085170560] AH00292: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- 
resuming normal operations
[Thu May 04 06:25:07.104876 2017] [core:notice] [pid 17256:tid 140267085170560] 
AH00094: Command line: '/usr/sbin/apache2'
[Thu May 04 06:25:12.284974 2017] [mpm_worker:notice] [pid 17256:tid 
140267085170560] AH00297: SIGUSR1 received.  Doing graceful restart
[Thu May 04 06:25:13.181387 2017] [slotmem_shm:error] [pid 17256:tid 
140267085170560] (28)No space left on device: AH02611: create: 
apr_shm_create(/var/run/apache2/slotmem-shm-p9e1d2282_internet_cluster.shm) 
failed
[Thu May 04 06:25:13.181438 2017] [:emerg] [pid 17256:tid 140267085170560] 
AH00020: Configuration Failed, exiting

However, there is more than enough space on /var:

Filesystem                  Size  Used Avail Use% Mounted on
/dev/mapper/swrvp1-var_vol  485G  9.5G  451G   3% /var

I restored the configurations from the backup; a "service apache2 restart" 
produced the same error message. Only after I ran killall on the remaining 
processes was I able to bring Apache back up with a clean start.

To be safe, I changed the configurations on the second Apache (which had not 
done a reload) back again. However, since the Apaches are restarted regularly, 
the same failure pattern and message in the error.log occurred here (despite 
the old configuration!) within about 12 hours.

Both systems now appear to be running stably again and do the reload without 
problems, but I already had this error 1 month ago, though only on one of the 
two systems.

Does anyone have an idea, or has anyone faced the same problem before?


Most likely IPC resources are exhausted. In this case probably shared memory 
(see ipcs -m to display, or ipcs -lm to display the configured limits, ipcrm 
to delete), but it can sometimes also be semaphores (with ipcs always use "-s" 
instead of "-m").


IPC resources can leak, for example when processes crash. That is, make sure 
that all Apaches are down, then check with ipcs which shared memory segments 
and semaphores are still allocated and whether the user matches, then delete 
them with ipcrm if necessary and start the Apaches again.


With many workers and load balancers in mod_proxy it can also be that the 
configured system limits for shared memory or semaphores are too small.


The error should also be quite visible with

strace -v -f -o /var/tmp/strace.out service apache2 start

(in the large file /var/tmp/strace.out), because every system call is in there 
with its result code, and at the decisive point an "ENOSPC" will show up (the 
error value for "No space left on device").


strace will not work with "restart", because that only sends a signal to the 
Apache parent process, and sending the signal does succeed. For that you would 
have to attach strace to the running parent process beforehand. But it is 
easier with a fresh Apache start.


Regards,

Rainer Jung


-
To unsubscribe, e-mail: users-de-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-de-h...@httpd.apache.org
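
The check described in the reply above, as an added example that is not part of the original thread: with every httpd process stopped, this Python reads the output of ipcs -m and ipcs -s, picks the objects owned by the Apache user that nothing is attached to, and returns the matching ipcrm commands for review instead of running them. The owner name www-data and the sample output are assumptions constructed for the example; the thread names neither.

```python
# Added example: triage `ipcs -m` / `ipcs -s` output after httpd has been stopped.
# The sample below is constructed; real input would be the text printed by
# `ipcs -m` and `ipcs -s` on the affected host.

SAMPLE = """
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65536      www-data   600        4096       0
0x00000000 98305      www-data   600        8192       2          dest
0x0052e2c1 131074     postgres   600        56         6

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 327680     www-data   600        1
0x000000a7 360449     postgres   600        17
"""


def parse_ipcs(text):
    """Yield one dict per IPC object, keyed by the column names ipcs prints."""
    columns = None
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("------"):
            columns = None        # section boundary: the next row is a header
        elif columns is None:
            columns = fields      # e.g. key shmid owner perms bytes nattch status
        else:
            yield dict(zip(columns, fields))


def leftover_objects(text, owners):
    """Return ipcrm commands for objects owned by `owners` that look leaked.

    A shared memory segment counts only when no process is attached
    (nattch == 0). Semaphore arrays have no attach count, so with httpd
    stopped every array owned by its user is listed.
    """
    commands = []
    for row in parse_ipcs(text):
        if row.get("owner") not in owners:
            continue
        if "shmid" in row:
            if row.get("nattch") == "0":
                commands.append("ipcrm -m " + row["shmid"])
        elif "semid" in row:
            commands.append("ipcrm -s " + row["semid"])
    return commands


if __name__ == "__main__":
    # Owner name is an assumption; use the user your httpd actually runs as.
    for command in leftover_objects(SAMPLE, {"www-data"}):
        print(command)
```

The segment with nattch 2 is left alone because something is still attached to it, which also shows that not every process has been stopped yet.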



Re: [users@httpd] Apache 2.4: Proxy certificate configuration question

2017-05-04 Thread Marat Khalili
Sorry, haven't configured it this way; probably someone who did will 
help. I can only advise you to look into SSLProxyMachineCertificatePath, 
maybe you could use that.



--

With Best Regards,
Marat Khalili

On 04/05/17 14:54, Markus Gausling wrote:

Thanks for response.

Maybe I did not make it clear but I need to have the certificates for the
authentication between HTTP Proxy and WebServer. So HTTP Proxy shall
authenticate WebServer and vice versa with the client certificate and
the secret key.

The clients that use the HTTP Proxy shall not be involved here and
authentication shall be handled completely between HTTP Proxy and remote
WebServer.

Basically I have configured the HTTP Proxy using
SSLProxyMachineCertificateFile and it is working fine. The problem I have
is that I have certificate and key as two separate files and so I
always have to combine them into one (and rewrite key BEGIN and END to add
RSA).

Regards
Markus Gausling


2017-05-04 12:54 GMT+02:00 Marat Khalili:

You configure certificates of your proxy server exactly the same
way as for web server, using SSLCertificateFile,
SSLCertificateKeyFile and possibly SSLCertificateChainFile. Most
likely you don't need SSLProxyMachineCertificateFile (it
configures _client_ certificate of your server before other servers).


--

With Best Regards,
Marat Khalili

On 03/05/17 18:11, Markus Gausling wrote:

Hello,

when Apache is configured as a WebServer I can configure the private
key and the certificate of the server separately using
SSLCertificateFile and SSLCertificateKeyFile.

When configuring Apache as an HTTP Proxy (Reverse Proxy or Forward
Proxy) it seems I can only configure the proxy private key and
certificate if they are combined into a single PEM file with
SSLProxyMachineCertificateFile.

Is that understanding correct or is there also a way to define key and
certificate for an HTTP Proxy configuration separately?

Regards
Markus







Re: [users@httpd] HTTPS implementation to apache2 server, localhost

2017-05-04 Thread Keerthi Narayan
below is the details of error log file

[Thu May 04 07:35:01.892795 2017] [ssl:warn] [pid 15336:tid
140037655033728] AH01906: 172.19.18.238:443:0 server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu May 04 07:35:01.892876 2017] [mpm_event:notice] [pid 15336:tid
140037655033728] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41
OpenSSL/1.0.2g configured -- resuming normal operations
[Thu May 04 07:35:01.892881 2017] [core:notice] [pid 15336:tid
140037655033728] AH00094: Command line: '/usr/sbin/apache2'
[Thu May 04 12:54:40.038040 2017] [mpm_event:notice] [pid 15336:tid
140037655033728] AH00491: caught SIGTERM, shutting down
[Thu May 04 12:54:40.780686 2017] [ssl:warn] [pid 18991:tid
140346453059456] AH01906: 172.19.18.238:443:0 server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu May 04 12:54:40.787424 2017] [ssl:warn] [pid 18992:tid
140346453059456] AH01906: 172.19.18.238:443:0 server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu May 04 12:54:40.788009 2017] [mpm_event:notice] [pid 18992:tid
140346453059456] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41
OpenSSL/1.0.2g configured -- resuming normal operations
[Thu May 04 12:54:40.788023 2017] [core:notice] [pid 18992:tid
140346453059456] AH00094: Command line: '/usr/sbin/apache2'



On Thu, May 4, 2017 at 2:33 PM, Daniel wrote:

> At first sight there is no syntax error. Can you try to describe what
> error you get and paste related error.log entries?
>
> 2017-05-04 9:30 GMT+02:00 Keerthi Narayan :
>
>> Hi All,
>>
>> I am trying to implement HTTPS to my local server(apache2) and below is
>> configuration file.   -UBUNTU SERVER
>>
>> 
>> 
>> ServerAdmin user@localhost
>> ServerName x.x.x.x
>> ServerAlias www.x.x.x.x
>> DocumentRoot /var/www/html
>> ErrorLog ${APACHE_LOG_DIR}/error.log
>> CustomLog ${APACHE_LOG_DIR}/access.log combined
>> SSLEngine on
>> SSLCertificateFile /etc/apache2/ssl/apache.crt
>> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
>>   
>> SSLOptions +StdEnvVars
>> 
>> 
>> SSLOptions +StdEnvVars
>> 
>> 
>> Options Indexes FollowSymLinks MultiViews
>> AllowOverride None
>> Order allow,deny
>> allow from all
>> 
>>  BrowserMatch "MSIE [2-6]" \
>> nokeepalive ssl-unclean-shutdown \
>> downgrade-1.0 force-response-1.0
>> BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
>> 
>> 
>>
>> Please advise me what else I have to configure apart from above
>> configuration or correction.  So that it will get secured.
>>
>> Thanks & Regards,
>> Keerthi Narayan
>>
>>
>
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email dferradal at gmail.com
> linkedin es.linkedin.com/in/danielferradal
>


Re: RE: slotmem_shm shows an error on reload

2017-05-04 Thread Denny Jahnke
Hi Andre,

Thanks for the tip, but we are already using a "newer version" of APR that is 
supposed to have fixed the bug:

ii  libapr1:amd64  1.5.1-3   amd64
Apache Portable Runtime Library

But that was already a very good lead! Does anyone else have an idea?

Regards
Denny

Sent: Thursday, 04 May 2017 at 12:14
From: andre.wen...@bmw.de
To: users-de@httpd.apache.org
Subject: RE: slotmem_shm shows an error on reload
Are you perhaps still using an outdated APR? We once had something similar:

https://bz.apache.org/bugzilla/show_bug.cgi?id=55449

-Original Message-
From: Denny Jahnke [mailto:eurofigh...@gmx.net]
Sent: Thursday, 4 May 2017 12:12
To: users-de@httpd.apache.org
Subject: slotmem_shm shows an error on reload


Hello everyone,

I have a bigger problem, which is also not really consistent; I hope someone 
can give me a tip.

The setup:

Server OS: Debian 8.7
HTTPD: Apache/2.4.10 (Debian) - installed via APT
RAM: 32GB
CPU: 24 vCores

Usage: as a reverse proxy (not a forward proxy from inside to the Internet!) for 
various backend applications, plus a number of different balancer 
configurations via mod_proxy_balancer. No PHP/FPM/PERL or the like, only some 
static content.

We have 2 systems set up redundantly for HA behind an upstream F5 LB.

The behaviour:

I made minor rewrite changes in 2-3 vhosts (mainly rewrites) and transferred 
them to the servers. When I ran "service apache2 reload" (configtest had 
succeeded beforehand!) on the 1st system, it died under my hands; the ports 
were gone too. Some forked processes were still present, though.

The following error message appeared in the error.log:
 
[Thu May 04 06:25:07.104831 2017] [mpm_worker:notice] [pid 17256:tid 
140267085170560] AH00292: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- 
resuming normal operations
[Thu May 04 06:25:07.104876 2017] [core:notice] [pid 17256:tid 140267085170560] 
AH00094: Command line: '/usr/sbin/apache2'
[Thu May 04 06:25:12.284974 2017] [mpm_worker:notice] [pid 17256:tid 
140267085170560] AH00297: SIGUSR1 received.  Doing graceful restart
[Thu May 04 06:25:13.181387 2017] [slotmem_shm:error] [pid 17256:tid 
140267085170560] (28)No space left on device: AH02611: create: 
apr_shm_create(/var/run/apache2/slotmem-shm-p9e1d2282_internet_cluster.shm) 
failed
[Thu May 04 06:25:13.181438 2017] [:emerg] [pid 17256:tid 140267085170560] 
AH00020: Configuration Failed, exiting
 
However, there is more than enough space on /var:

Filesystem                  Size  Used Avail Use% Mounted on
/dev/mapper/swrvp1-var_vol  485G  9.5G  451G   3% /var

I restored the configurations from the backup; a "service apache2 restart" 
produced the same error message. Only after I ran killall on the remaining 
processes was I able to bring Apache back up with a clean start.

To be safe, I changed the configurations on the second Apache (which had not 
done a reload) back again. However, since the Apaches are restarted regularly, 
the same failure pattern and message in the error.log occurred here (despite 
the old configuration!) within about 12 hours.

Both systems now appear to be running stably again and do the reload without 
problems, but I already had this error 1 month ago, though only on one of the 
two systems.

Does anyone have an idea, or has anyone faced the same problem before?

Many thanks!

Regards
Denny




Re: [users@httpd] Apache 2.4: Proxy certificate configuration question

2017-05-04 Thread Markus Gausling
Thanks for response.

Maybe I did not make it clear but I need to have the certificates for the
authentication between HTTP Proxy and WebServer. So HTTP Proxy shall
authenticate WebServer and vice versa with the client certificate and
the secret key.

The clients that use the HTTP Proxy shall not be involved here and
authentication shall be handled completely between HTTP Proxy and remote
WebServer.

Basically I have configured the HTTP Proxy using
SSLProxyMachineCertificateFile and it is working fine. The problem I have
is that I have certificate and key as two separate files and so I
always have to combine them into one (and rewrite key BEGIN and END to add
RSA).

Regards
Markus Gausling


2017-05-04 12:54 GMT+02:00 Marat Khalili :

> You configure certificates of your proxy server exactly the same way as
> for web server, using SSLCertificateFile, SSLCertificateKeyFile and
> possibly SSLCertificateChainFile. Most likely you don't need
> SSLProxyMachineCertificateFile (it configures _client_ certificate of your
> server before other servers).
>
> --
>
> With Best Regards,
> Marat Khalili
>
> On 03/05/17 18:11, Markus Gausling wrote:
>
> Hello,
>
> when Apache is configured as a WebServer I can configure the private
> key and the certificate of the server separately using
> SSLCertificateFile and SSLCertificateKeyFile.
>
> When configuring Apache as an HTTP Proxy (Reverse Proxy or Forward
> Proxy) it seems I can only configure the proxy private key and
> certificate if they are combined into a single PEM file with
> SSLProxyMachineCertificateFile.
>
> Is that understanding correct or is there also a way to define key and
> certificate for an HTTP Proxy configuration separately?
>
> Regards
> Markus
>
>
>
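
The combining step described in this message, as an added example that is not part of the thread: it builds the single PEM file for SSLProxyMachineCertificateFile from a separate certificate and key, refuses encrypted keys (the directive's documentation states they are not supported), and creates the output with mode 0600. The function names and the sample blocks are assumptions; the samples are constructed placeholder bytes, not real key material.

```python
import base64
import os
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem(text):
    """Return (label, encrypted, block_text) for every PEM block in text."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, inner = m.group(1), m.group(2)
        lines = [ln.strip() for ln in inner.splitlines() if ln.strip()]
        # Legacy encrypted keys carry header lines such as
        # "Proc-Type: 4,ENCRYPTED"; base64 never contains ':'.
        headers = [ln for ln in lines if ":" in ln]
        body = "".join(ln for ln in lines if ":" not in ln)
        base64.b64decode(body, validate=True)  # ValueError on a damaged block
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or any("ENCRYPTED" in h for h in headers))
        blocks.append((label, encrypted, m.group(0).replace("\r\n", "\n") + "\n"))
    return blocks


def build_proxy_pem(cert_text, key_text):
    """Concatenate certificate(s) and one unencrypted key; return (pem, key_label)."""
    certs = [b for b in parse_pem(cert_text) if b[0] == "CERTIFICATE"]
    keys = [b for b in parse_pem(key_text) if b[0].endswith("PRIVATE KEY")]
    if not certs:
        raise ValueError("no CERTIFICATE block in the certificate input")
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    label, encrypted, key_block = keys[0]
    if encrypted:
        raise ValueError("encrypted private key: decrypt it before combining")
    # key_label tells the operator whether the key is PKCS#8 ("PRIVATE KEY")
    # or traditional ("RSA PRIVATE KEY"), the BEGIN/END difference in the post.
    return "".join(b[2] for b in certs) + key_block, label


def write_private(path, text):
    """Create the file with mode 0600 from the start and never overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def fake_block(label, payload, headers=""):
    """Constructed sample data: placeholder bytes, not real key material."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, body, label)


SAMPLE_CERT = fake_block("CERTIFICATE", b"constructed certificate bytes")
SAMPLE_KEY = fake_block("PRIVATE KEY", b"constructed key bytes")
SAMPLE_ENC_KEY = fake_block("RSA PRIVATE KEY", b"constructed key bytes",
                            "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n")

if __name__ == "__main__":
    pem, key_label = build_proxy_pem(SAMPLE_CERT, SAMPLE_KEY)
    print("key format:", key_label)
    print(pem, end="")
```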


Re: [users@httpd] I need help figuring out a 500 response code

2017-05-04 Thread John Covici
Daniel, I never heard back from you about how to change the config to
work with fcgi -- I would really like to get my server working again
and nothing I do makes any difference; I always get the timeout and
the 500 response, so I still need some help.

Thanks in advance for any suggestions.

On Wed, 03 May 2017 09:08:35 -0400,
Daniel wrote:
> 
> Perhaps you should also add how you are configuring httpd to handle the 
> interpretation of PHP files.
> 
> That is, if you are, for example using mod_proxy_fcgi to send php file 
> requests to php-fpm you should see your 500 detailed errors there instead of 
> Apache.
> 
> Apache will always log 500 status errors, so maybe you should make sure you 
> are checking the correct login if you are not using the case I describe above.
> 
> If you are using the dreaded mod_php you should check for php directives you 
> can specify for more verbose logging onto why your php scripts fail.
> 
> I use owncloud too, so if you want I can show you a configuration snippet on 
> how to set apache with mod_proxy_fcgi reverse proxy php requests to a php-fpm 
> pool
> 
> 2017-05-03 11:21 GMT+02:00 John Covici :
> 
>  The error_log just had one line or in debug mode a lot of information
>  about ssl and several lines about requireall granted, but no further
>  information about the error.
> 
>  On Wed, 03 May 2017 02:55:28 -0400,
>  Dr James Smith wrote:
>  >
>  > Is there an error.log in the same directory? This is usually in
>  > the same directory this should contain some information about why
>  > the system failed.
>  >
>  >
>  > On 03/05/2017 07:41, John Covici wrote:
>  > > Hi. I am having major problems figuring out a 500 response code I am
>  > > getting on my server.
>  > >
>  > > I am using apache 2.4.25 on gentoo linux up to date as of a few days
>  > > ago.
>  > >
>  > > So, I have installed owncloud which is a cloud server written in php and
>  > > it has worked for a long time, but for a few days I have gotten 500
>  > > when I try to access it. Now, I am using https normally to access and
>  > > when I look at the error_log, I get just one line like this:
>  > >
>  > > [Wed May 03 02:14:37.074791 2017] [ssl:info] [pid 22312] [client
>  > > 192.168.0.2:56613] AH01964: Connection to child 0 established (server
>  > > ccs.covici.com:443)
>  > >
>  > > If I change the loglevel to debug, I get all kinds of ssl information
>  > > and the lines saying that requireall was granted, but nothing about
>  > > the error.
>  > >
>  > > Now, if I change to http access, on my access_log I get lines like the
>  > > following:
>  > >
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
>  > > 301 295
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
>  > > 301 295 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0;
>  > > rv:11.0) like Gecko"
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
>  > > 301 295 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0;
>  > > rv:11.0) like Gecko"
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
>  > > 302 -
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
>  > > 302 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
>  > > like Gecko"
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
>  > > 302 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
>  > > like Gecko"
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
>  > > /owncloud/index.php/login HTTP/1.1" 500 -
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
>  > > /owncloud/index.php/login HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT
>  > > 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
>  > > 192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
>  > > /owncloud/index.php/login HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT
>  > > 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
>  > >
>  > > Now, owncloud has their own log, but I get nothing in it.
>  > >
>  > > So, my question is how to find out more about why I am getting the 500
>  > > response and what I can do about it.
>  > >
>  > > Thanks in advance for any suggestions.
>  > >
>  >
>  >
>  >
>  > --
>  > The Wellcome Trust Sanger Institute is operated by Genome
>  > Research Limited, a charity registered in England with number
>  > 1021457 and a company registered in England with number 2742969,
>  > whose registered office is 215 Euston Road, London, NW1 2BE.
>  > -
>  > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>  > For additional commands, e-mail: users-h...@httpd.apache.org
>  >
> 
>  --
>  Your life is like a penny. You're going to lose it. The question is:
>  How do
>  you spend it?
> 
>  John Covici
>  cov...@ccs.covici.com
> 
>  -
>  To 

Re: [users@httpd] Apache 2.4: Proxy certificate configuration question

2017-05-04 Thread Marat Khalili
You configure certificates of your proxy server exactly the same way as 
for web server, using SSLCertificateFile, SSLCertificateKeyFile and 
possibly SSLCertificateChainFile. Most likely you don't need 
SSLProxyMachineCertificateFile (it configures _client_ certificate of 
your server before other servers).



--

With Best Regards,
Marat Khalili

On 03/05/17 18:11, Markus Gausling wrote:

Hello,

when Apache is configured as a WebServer I can configure the private
key and the certificate of the server separately using
SSLCertificateFile and SSLCertificateKeyFile.

When configuring Apache as an HTTP Proxy (Reverse Proxy or Forward
Proxy) it seems I can only configure the proxy private key and
certificate if they are combined into a single PEM file with
SSLProxyMachineCertificateFile.

Is that understanding correct or is there also a way to define key and
certificate for an HTTP Proxy configuration separately?

Regards
Markus




Re: slotmem_shm shows an error on reload

2017-05-04 Thread Andre.Wendel
Are you perhaps still using an outdated APR? We had something similar once:

https://bz.apache.org/bugzilla/show_bug.cgi?id=55449

-Original Message-
From: Denny Jahnke [mailto:eurofigh...@gmx.net]
Sent: Thursday, 4 May 2017 12:12
To: users-de@httpd.apache.org
Subject: slotmem_shm shows an error on reload


Hello everyone,

I have a fairly serious problem that is also not really consistent; I hope
someone can give me a tip.

The setup:

Server OS: Debian 8.7
HTTPD: Apache/2.4.10 (Debian) - installed via APT
RAM: 32GB
CPU: 24 vCores

Usage: as a reverse proxy (not a forward proxy from inside to the Internet!) for
various backend applications, plus a number of different balancer
configurations via mod_proxy_balancer. No PHP/FPM/PERL or the like, only some
static content.

We have 2 systems that are set up redundantly for HA behind an upstream F5 LB.

The behavior:

I made minor rewrite changes in 2-3 vhosts (mainly rewrites) and transferred
them to the servers. When I ran "service apache2 reload" (configtest had
succeeded beforehand!) on the 1st system, it died under my hands; the ports
were gone too. Some forked processes were still present, though.

The following error message showed up in the error.log:
 
[Thu May 04 06:25:07.104831 2017] [mpm_worker:notice] [pid 17256:tid 
140267085170560] AH00292: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- 
resuming normal operations
[Thu May 04 06:25:07.104876 2017] [core:notice] [pid 17256:tid 140267085170560] 
AH00094: Command line: '/usr/sbin/apache2'
[Thu May 04 06:25:12.284974 2017] [mpm_worker:notice] [pid 17256:tid 
140267085170560] AH00297: SIGUSR1 received.  Doing graceful restart
[Thu May 04 06:25:13.181387 2017] [slotmem_shm:error] [pid 17256:tid 
140267085170560] (28)No space left on device: AH02611: create: 
apr_shm_create(/var/run/apache2/slotmem-shm-p9e1d2282_internet_cluster.shm) 
failed
[Thu May 04 06:25:13.181438 2017] [:emerg] [pid 17256:tid 140267085170560] 
AH00020: Configuration Failed, exiting
 
However, there is more than enough space on /var:
 
Filesystem                                    Size  Used Avail Use% Mounted on
/dev/mapper/swrvp1-var_vol               485G  9.5G  451G   3% /var
 
I restored the configurations from the backup; a "service apache2 restart"
produced the same error message. Only after I ran killall on the remaining
processes was I able to bring Apache back up with a clean start.

To be safe, I reverted the configurations on the second Apache (which had not
done a reload). However, since the Apaches are restarted regularly, the same
failure pattern and message in the error.log occurred here too (despite the old
configuration!) within about 12 hours.

Now both systems appear to be running stably again and perform the reload
without problems, but I already had this error 1 month ago, though only on
one of the two systems.

Does anyone have an idea, or has anyone faced the same problem before?

Many thanks!

Regards
Denny



slotmem_shm shows an error on reload

2017-05-04 Thread Denny Jahnke

Hello everyone,

I have a fairly serious problem that is also not really consistent; I hope
someone can give me a tip.

The setup:

Server OS: Debian 8.7
HTTPD: Apache/2.4.10 (Debian) - installed via APT
RAM: 32GB
CPU: 24 vCores

Usage: as a reverse proxy (not a forward proxy from inside to the Internet!) for
various backend applications, plus a number of different balancer
configurations via mod_proxy_balancer. No PHP/FPM/PERL or the like, only some
static content.

We have 2 systems that are set up redundantly for HA behind an upstream F5 LB.

The behavior:

I made minor rewrite changes in 2-3 vhosts (mainly rewrites) and transferred
them to the servers. When I ran "service apache2 reload" (configtest had
succeeded beforehand!) on the 1st system, it died under my hands; the ports
were gone too. Some forked processes were still present, though.

The following error message showed up in the error.log:
 
[Thu May 04 06:25:07.104831 2017] [mpm_worker:notice] [pid 17256:tid 
140267085170560] AH00292: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- 
resuming normal operations
[Thu May 04 06:25:07.104876 2017] [core:notice] [pid 17256:tid 140267085170560] 
AH00094: Command line: '/usr/sbin/apache2'
[Thu May 04 06:25:12.284974 2017] [mpm_worker:notice] [pid 17256:tid 
140267085170560] AH00297: SIGUSR1 received.  Doing graceful restart
[Thu May 04 06:25:13.181387 2017] [slotmem_shm:error] [pid 17256:tid 
140267085170560] (28)No space left on device: AH02611: create: 
apr_shm_create(/var/run/apache2/slotmem-shm-p9e1d2282_internet_cluster.shm) 
failed
[Thu May 04 06:25:13.181438 2017] [:emerg] [pid 17256:tid 140267085170560] 
AH00020: Configuration Failed, exiting
 
However, there is more than enough space on /var:
 
Filesystem                                    Size  Used Avail Use% Mounted on
/dev/mapper/swrvp1-var_vol               485G  9.5G  451G   3% /var
 
I restored the configurations from the backup; a "service apache2 restart"
produced the same error message. Only after I ran killall on the remaining
processes was I able to bring Apache back up with a clean start.

To be safe, I reverted the configurations on the second Apache (which had not
done a reload). However, since the Apaches are restarted regularly, the same
failure pattern and message in the error.log occurred here too (despite the old
configuration!) within about 12 hours.

Now both systems appear to be running stably again and perform the reload
without problems, but I already had this error 1 month ago, though only on
one of the two systems.

Does anyone have an idea, or has anyone faced the same problem before?

Many thanks!

Regards
Denny




Re: [users@httpd] Error in log, Idk problem

2017-05-04 Thread Daniel
You are using 2.4.x; better stick to 2.4 directives.

Remove all references to Order/Allow/Deny/Satisfy, stick to Require
directives only.

Also, default behaviour in 2.4 is like "Satisfy any" so it seems you don't
need to specify Require any or anything like that in this case, and if you
are already specifying "Require valid-user" having another directive to
deny all is therefore redundant.


2017-05-04 9:57 GMT+02:00 Alexandru Duzsardi <
alexandru.duzsa...@pitechnologies.ro>:

> Check your CUPS configuration; I think by default it only allows access from
> localhost to its web admin page
>
>
>
> 
>
>
>
> *From:* Luiz Guilherme Nunes Fernandes [mailto:narutospi...@gmail.com]
> *Sent:* Wednesday, May 3, 2017 8:33 PM
> *To:* users@httpd.apache.org
> *Subject:* [users@httpd] Error in log, Idk problem
>
>
>
> Hi,
>
> I have a problem and I do not know how to fix it,
>
> Is problem with sub directories, I try redirect with cups. Although have
> errors, I can navigate.
>
>
>
> If I remove lines:
>
> Order deny,allow
>
> Deny from All
>
>
>
> And I add no errors, and no have authentication with Active Directory
>
>Allow from all
>
>Order Deny,Allow
>
>
>
> Attention: No errors in apache configure file, only errors in log.
>
>
>
> My file configuration:
>
> 
>
> 
>
> ProxyPreserveHost On
>
> ProxyPass / http://10.1.1.75:631/
>
> ProxyPassReverse / http://10.1.1.75:631/
>
>
>
>CacheEnable disk /
>
>CacheRoot /var/spool/httpd
>
>CacheDirLevels 5
>
>CacheDirLength 4
>
>CacheMinFileSize 1024
>
>CacheMaxFileSize 10485760
>
>CacheDefaultExpire 144000
>
>
>
> 
>
> Order deny,allow
>
> Deny from All
>
> # Allow from all
>
> # Order Deny,Allow
>
>
>
> AuthName "Informe usuario da rede LDAP"
>
> AuthType Basic
>
> AuthBasicProvider ldap
>
> AuthLDAPUrl ldap://ldap/ou=ldap,dc=com,dc=br?sAMAccountName
>
> AuthLDAPBindDN cn=UsrLDAP,cn=Users,ou=ldap,dc=com,dc=br
>
> AuthLDAPBindPassword X
>
> Require valid-user
>
> Satisfy any
>
> 
>
>
>
> 
>
>
>
> 
>
> Error:
>
> [Wed May 03 10:28:57.562769 2017] [access_compat:error] [pid 14722]
> [client 10.251.14.140:35328] AH01797: client denied by server
> configuration: proxy:http://10.1.1.75:631/help/, referer:
> http://10.1.1.75/admin
>
> 
>
> [Wed May 03 10:47:38.214012 2017] [access_compat:error] [pid 14725]
> [client 10.251.14.140:36325] AH01797: client denied by server
> configuration: proxy:http://10.1.1.75:631/help/, referer:
> http://10.1.1.75/admin
>
> [Wed May 03 10:47:38.910394 2017] [access_compat:error] [pid 14727]
> [client 10.251.14.140:36328] AH01797: client denied by server
> configuration: proxy:http://10.1.1.75:631/jobs/, referer:
> http://10.1.1.75/admin
>
> [Wed May 03 10:47:44.151292 2017] [access_compat:error] [pid 14727]
> [client 10.251.14.140:36328] AH01797: client denied by server
> configuration: proxy:http://10.1.1.75:631/jobs/, referer:
> http://10.1.1.75/jobs/
>
> [Wed May 03 10:47:48.905561 2017] [access_compat:error] [pid 14727]
> [client 10.251.14.140:36328] AH01797: client denied by server
> configuration: proxy:http://10.1.1.75:631/jobs/, referer:
> http://10.1.1.75/jobs/
>
> [Wed May 03 10:47:51.476263 2017] [access_compat:error] [pid 14727]
> [client 10.251.14.140:36328] AH01797: client denied by server
> configuration: proxy:http://10.1.1.75:631/help/, referer:
> http://10.1.1.75/jobs/
>
> [Wed May 03 10:47:53.428483 2017] [access_compat:error] [pid 14727]
> [client 10.251.14.140:36328] AH01797: client denied by server
> configuration: proxy:http://10.1.1.75:631/help/, referer:
> http://10.1.1.75/help/
>
> 
>
>
>
> --
>
> <<<-
> -->>>
>
> < Jesus said to him: I am the way, and the truth, and the life; no one comes
> to the Father except through me >
>
>  (John 14:6)
>
>
> Regards,
> ♪ ♫  Luiz Guilherme Nunes
> Fernandes  ♫ ♪
>
> <<<-
> -->>>
>



-- 
*Daniel Ferradal*
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal
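
A check for the situation this reply describes, as an added example that is not part of the thread: it walks an httpd configuration and reports every container that still uses the 2.2-style Order/Allow/Deny/Satisfy directives, noting where they are mixed with Require. The function name is hypothetical, and because the container tags of the posted configuration were lost in the archive, the `<VirtualHost>` and `<Proxy *>` tags in the constructed samples are assumptions (the AuthLDAP* lines are left out).

```python
import re

LEGACY = {"order", "allow", "deny", "satisfy"}  # mod_access_compat (2.2 style)
OPEN_RE = re.compile(r"<\s*([A-Za-z]+)\b([^>]*)>")
CLOSE_RE = re.compile(r"</\s*[A-Za-z]+\s*>")


def lint_access_control(conf_text):
    """Return one finding per container that uses 2.2-style access directives.

    Finding: container, legacy [(lineno, text)], mixed (Require also present).
    """
    def scope(name):
        return {"name": name, "legacy": [], "require": False}

    def close(s):
        if s["legacy"]:
            findings.append({"container": s["name"], "legacy": s["legacy"],
                             "mixed": s["require"]})

    findings, stack = [], [scope("(server config)")]
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE_RE.fullmatch(line):
            if len(stack) > 1:
                close(stack.pop())
            continue
        m = OPEN_RE.fullmatch(line)
        if m:
            if m.group(1).lower().startswith("require"):
                stack[-1]["require"] = True  # <RequireAll>/<RequireAny> blocks
            stack.append(scope("<%s%s>" % (m.group(1), m.group(2).rstrip())))
            continue
        word = line.split(None, 1)[0].lower()
        if word in LEGACY:
            stack[-1]["legacy"].append((lineno, line))
        elif word == "require":
            stack[-1]["require"] = True
    while stack:
        close(stack.pop())
    return findings


# Constructed from the directives in the quoted post; the container tags are
# assumptions because the archive dropped them.
SAMPLE_MIXED = """\
<VirtualHost *:80>
    ProxyPass / http://10.1.1.75:631/
    <Proxy *>
        Order deny,allow
        Deny from All
        AuthName "Informe usuario da rede LDAP"
        AuthType Basic
        AuthBasicProvider ldap
        Require valid-user
        Satisfy any
    </Proxy>
</VirtualHost>
"""

# The same section reduced to 2.4 authorization directives only.
SAMPLE_REQUIRE_ONLY = """\
<Proxy *>
    AuthName "Informe usuario da rede LDAP"
    AuthType Basic
    AuthBasicProvider ldap
    Require valid-user
</Proxy>
"""

if __name__ == "__main__":
    for f in lint_access_control(SAMPLE_MIXED):
        print(f["container"], f["legacy"], "mixed:", f["mixed"])
```

The `access_compat` tag in the AH01797 lines quoted above names mod_access_compat, the module that implements Order/Allow/Deny/Satisfy, as the one that denied those requests.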


Re: [users@httpd] HTTPS implementation to apache2 server, localhost

2017-05-04 Thread Daniel
At first sight there is no syntax error. Can you try to describe what error
you get and paste related error.log entries?

2017-05-04 9:30 GMT+02:00 Keerthi Narayan :

> Hi All,
>
> I am trying to implement HTTPS to my local server(apache2) and below is
> configuration file.   -UBUNTU SERVER
>
> 
> 
> ServerAdmin user@localhost
> ServerName x.x.x.x
> ServerAlias www.x.x.x.x
> DocumentRoot /var/www/html
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
> SSLEngine on
> SSLCertificateFile /etc/apache2/ssl/apache.crt
> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
>   
> SSLOptions +StdEnvVars
> 
> 
> SSLOptions +StdEnvVars
> 
> 
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order allow,deny
> allow from all
> 
>  BrowserMatch "MSIE [2-6]" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
> 
> 
>
> Please advise me what else I have to configure apart from above
> configuration or correction.  So that it will get secured.
>
> Thanks & Regards,
> Keerthi Narayan
>
>


-- 
*Daniel Ferradal*
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal


RE: [users@httpd] Error in log, Idk problem

2017-05-04 Thread Alexandru Duzsardi
Check your CUPS configuration; I think by default it only allows access from
localhost to its web admin page

 

 

 

From: Luiz Guilherme Nunes Fernandes [mailto:narutospi...@gmail.com] 
Sent: Wednesday, May 3, 2017 8:33 PM
To: users@httpd.apache.org
Subject: [users@httpd] Error in log, Idk problem

 

Hi,

I have a problem and I do not know how to fix it,

Is problem with sub directories, I try redirect with cups. Although have 
errors, I can navigate.

 

If I remove lines:

Order deny,allow

Deny from All

 

And I add no errors, and no have authentication with Active Directory

   Allow from all

   Order Deny,Allow

 

Attention: No errors in apache configure file, only errors in log.

 

My file configuration:





ProxyPreserveHost On

ProxyPass / http://10.1.1.75:631/

ProxyPassReverse / http://10.1.1.75:631/

 

   CacheEnable disk /

   CacheRoot /var/spool/httpd

   CacheDirLevels 5

   CacheDirLength 4

   CacheMinFileSize 1024

   CacheMaxFileSize 10485760

   CacheDefaultExpire 144000

 



Order deny,allow

Deny from All

# Allow from all

# Order Deny,Allow

 

AuthName "Informe usuario da rede LDAP"

AuthType Basic

AuthBasicProvider ldap

AuthLDAPUrl ldap://ldap/ou=ldap,dc=com,dc=br?sAMAccountName

AuthLDAPBindDN cn=UsrLDAP,cn=Users,ou=ldap,dc=com,dc=br

AuthLDAPBindPassword X

Require valid-user

Satisfy any



 



 



Error:

[Wed May 03 10:28:57.562769 2017] [access_compat:error] [pid 14722]
[client 10.251.14.140:35328] AH01797: client denied by server
configuration: proxy:http://10.1.1.75:631/help/, referer:
http://10.1.1.75/admin

[Wed May 03 10:47:38.214012 2017] [access_compat:error] [pid 14725]
[client 10.251.14.140:36325] AH01797: client denied by server
configuration: proxy:http://10.1.1.75:631/help/, referer:
http://10.1.1.75/admin

[Wed May 03 10:47:38.910394 2017] [access_compat:error] [pid 14727]
[client 10.251.14.140:36328] AH01797: client denied by server
configuration: proxy:http://10.1.1.75:631/jobs/, referer:
http://10.1.1.75/admin

[Wed May 03 10:47:44.151292 2017] [access_compat:error] [pid 14727]
[client 10.251.14.140:36328] AH01797: client denied by server
configuration: proxy:http://10.1.1.75:631/jobs/, referer:
http://10.1.1.75/jobs/

[Wed May 03 10:47:48.905561 2017] [access_compat:error] [pid 14727]
[client 10.251.14.140:36328] AH01797: client denied by server
configuration: proxy:http://10.1.1.75:631/jobs/, referer:
http://10.1.1.75/jobs/

[Wed May 03 10:47:51.476263 2017] [access_compat:error] [pid 14727]
[client 10.251.14.140:36328] AH01797: client denied by server
configuration: proxy:http://10.1.1.75:631/help/, referer:
http://10.1.1.75/jobs/

[Wed May 03 10:47:53.428483 2017] [access_compat:error] [pid 14727]
[client 10.251.14.140:36328] AH01797: client denied by server
configuration: proxy:http://10.1.1.75:631/help/, referer:
http://10.1.1.75/help/



 

-- 

<<<--->>>

< Jesus said to him: I am the way, and the truth, and the life; no one comes to
the Father except through me >

 (John 14:6)


Regards,
♪ ♫  Luiz Guilherme Nunes Fernandes  ♫ ♪

<<<--->>>



[users@httpd] HTTPS implementation to apache2 server, localhost

2017-05-04 Thread Keerthi Narayan
Hi All,

I am trying to implement HTTPS to my local server(apache2) and below is
configuration file.   -UBUNTU SERVER



ServerAdmin user@localhost
ServerName x.x.x.x
ServerAlias www.x.x.x.x
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
  
SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all

 BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown



Please advise me what else I have to configure apart from above
configuration or correction.  So that it will get secured.

Thanks & Regards,
Keerthi Narayan