RE: [users@httpd] Mod_proxy_balancer question

2017-05-15 Thread Hristiyan Kirov
Hello,

Looks OK, however I’ve seen it defined like this:

   
BalancerMember ajp://host1:8018 route=host1
BalancerMember ajp://host2:8018 route=host2


ProxyPass /foo balancer://cluster/foo

Regards,
Hristiyan

From: Kartik Vashishta [mailto:kartik.u...@gmail.com]
Sent: Monday, May 15, 2017 20:15
To: users@httpd.apache.org
Subject: [users@httpd] Mod_proxy_balancer question

Hi,

We are using httpd 2.2 and wonder if a path to the application can be defined 
in the BalanceMember definition, so would this work:

BalanceMember "http://192.168.1.50:/foo/bar" route=node1


Re: [users@httpd] How to customize error responses (while using mod_rewrite)?

2017-05-15 Thread Marat Khalili
Just in case you are stuck, you can always use internal redirect to a CGI 
script (or PHP or whatever) and write whatever response you want with that 
script. It's kind of cheating but it should work.
-- 

With Best Regards,
Marat Khalili

On May 15, 2017 5:46:52 PM GMT+03:00, Jens Schleusener 
 wrote:
>Hi,
>
>my general question is how I can generate customized error responses 
>while using the mod_rewrite module. Yes, I know the page
>
>  https://httpd.apache.org/docs/2.4/custom-error.html
>
>but the ErrorDocument directive allows only to do some customization
>per 
>status code optionally refined by context but I want to output
>customized 
>error pages specifically for many different request conditions
>determined 
>mainly by various RewriteCond directives.
>
>Here an actual special example: On a server running httpd 2.4 I want to
>
>disallow the HTTPS access using the TLSv1.0 protocol. In order to do that
>not 
>too "hard" but a little bit client-friendly TLSv1.0 accesses aren't yet
>
>really disabled but redirected for a limited period to an according 
>information page. Currently that is realized with the following 
>configuration
>
>  RewriteCond %{SSL:SSL_PROTOCOL} ^TLSv1$
>  RewriteRule (.*) /https_tlsv10.html [R=permanent,L]
>
>The big disadvantage of that solution is that it returns an obviously 
>incorrect HTTP response status code 301 ("Moved Permanently") but I
>want 
>that the server returns an appropriate 4xx or 5xx status code (ok, I am
>not 
>sure what would be an "appropriate" one). By the way, the current 301 
>redirection let some bots (using still TLSv1.0) nevertheless access
>that 
>information page many thousand times (but maybe they would that do also
>
>with a returned 4xx or 5xx response status code).
>
>Unfortunately for the RewriteRule directive for e.g. a Rewrite flag
>R=4xx 
>instead of R=permanent isn't allowed (only 300-399, why?) so I had 
>considered the usage of the  directive but didn't find a working 
>solution.
>
>So maybe the only working solution is the detour via an external CGI 
>program.
>
>Probably I have something overseen, so any ideas or comments?
>
>Jens
>
>
>-
>To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>For additional commands, e-mail: users-h...@httpd.apache.org


RE: [users@httpd] A curious thing - apachectl status in Apache 2.4.25

2017-05-15 Thread Jeff Cauhape
Rick,

That could be, except that if I just gave the stop command and it's "still" 
running
it doesn't nearly concern me as much as getting an Elinks error and wondering
if it's because it isn't running or whether there is some other issue.

Besides, this It's DEAD/ALIVE message comes _ after _ the call to links to 
output
status, so if there are still running processes from a graceful shutdown, the 
output
just above it should make that clear. This does not replace the call to links, 
but is
in addition to it.

I could probably take out the "It's ALIVE" message and achieve my goals, but 
I've
always been a fan of sci-fi and this just seemed too good to pass up. :)

Jeff

-Original Message-
From: Houser, Rick [mailto:rick.hou...@jackson.com] 
Sent: Monday, May 15, 2017 1:54 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] A curious thing - apachectl status in Apache 2.4.25

> I just added a couple of lines of shell script following the links
> command after the 'status' command line switch. It checks for the
> number of httpd processes, and if there are none, it echoes "It's
> DEAD, Jim!".  Otherwise It echoes "It's ALIVE!!!".

Isn't that just going to give bad results, though?  For example, if you had 
issued apachectl stop, there would still be processes handling the graceful 
stop, but your script would say it's alive.


Rick Houser
Web Administration

> -Original Message-
> From: Jeff Cauhape [mailto:jpcauh...@nvdetr.org]
> Sent: Monday, May 15, 2017 16:22
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] A curious thing - apachectl status in 
> Apache 2.4.25
> 
> EXTERNAL EMAIL
> 
> 
> Eric,
> 
> Yes, I went from 2.4.6 bundled with Red Hat to a plain source code build.
> It didn't occur to me that it might be that simple. Thanks! :o
> 
> Mgmt has decided that they want the ability to easily have multiple 
> versions of Apache on our servers and to be able to switch from one 
> build to another by having symbolic links that are generic that point 
> to the active directory.
> Somewhat
> like the way Java does.
> 
> I just added a couple of lines of shell script following the links 
> command after the 'status' command line switch. It checks for the 
> number of httpd processes, and if there are none, it echoes "It's 
> DEAD, Jim!".  Otherwise It echoes "It's ALIVE!!!".
> 
> That seems pretty clear.
> 
> Jeff
> 
> -Original Message-
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Monday, May 15, 2017 10:24 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] A curious thing - apachectl status in 
> Apache 2.4.25
> 
> On Mon, May 15, 2017 at 1:22 PM, Jeff Cauhape 
> wrote:
> > In the Apache 2.4.6 shell script apachectl, a call to “apachectl status”
> >
> > invokes systemctl status  httpd.service. This gives you easy-to-read
> >
> > output regardless if the server is running or not.
> 
> Did you go from a vendor package to a source install? The former 
> probably just customized apachectl.
> 
> 
> --
> Eric Covener
> cove...@gmail.com
> 



RE: [users@httpd] A curious thing - apachectl status in Apache 2.4.25

2017-05-15 Thread Houser, Rick
> I just added a couple of lines of shell script following the links
> command after the 'status' command line switch. It checks for the
> number of httpd processes, and if there are none, it echoes "It's
> DEAD, Jim!".  Otherwise It echoes "It's ALIVE!!!".

Isn't that just going to give bad results, though?  For example, if you had 
issued apachectl stop, there would still be processes handling the graceful 
stop, but your script would say it's alive.


Rick Houser
Web Administration

> -Original Message-
> From: Jeff Cauhape [mailto:jpcauh...@nvdetr.org]
> Sent: Monday, May 15, 2017 16:22
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] A curious thing - apachectl status in Apache 2.4.25
> 
> EXTERNAL EMAIL
> 
> 
> Eric,
> 
> Yes, I went from 2.4.6 bundled with Red Hat to a plain source code build.
> It didn't occur to me that it might be that simple. Thanks! :o
> 
> Mgmt has decided that they want the ability to easily have multiple versions
> of Apache on our servers and to be able to switch from one build to another
> by
> having symbolic links that are generic that point to the active directory.
> Somewhat
> like the way Java does.
> 
> I just added a couple of lines of shell script following the links command 
> after
> the 'status' command line switch. It checks for the number of httpd
> processes,
> and if there are none, it echoes "It's DEAD, Jim!".  Otherwise It echoes "It's
> ALIVE!!!".
> 
> That seems pretty clear.
> 
> Jeff
> 
> -Original Message-
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Monday, May 15, 2017 10:24 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] A curious thing - apachectl status in Apache 2.4.25
> 
> On Mon, May 15, 2017 at 1:22 PM, Jeff Cauhape 
> wrote:
> > In the Apache 2.4.6 shell script apachectl, a call to “apachectl status”
> >
> > invokes systemctl status  httpd.service. This gives you easy-to-read
> >
> > output regardless if the server is running or not.
> 
> Did you go from a vendor package to a source install? The former probably
> just customized apachectl.
> 
> 
> --
> Eric Covener
> cove...@gmail.com
> 



RE: [users@httpd] A curious thing - apachectl status in Apache 2.4.25

2017-05-15 Thread Jeff Cauhape
Eric,

Yes, I went from 2.4.6 bundled with Red Hat to a plain source code build.
It didn't occur to me that it might be that simple. Thanks! :o

Mgmt has decided that they want the ability to easily have multiple versions
of Apache on our servers and to be able to switch from one build to another by
having symbolic links that are generic that point to the active directory. 
Somewhat
like the way Java does.

I just added a couple of lines of shell script following the links command after
the 'status' command line switch. It checks for the number of httpd processes,
and if there are none, it echoes "It's DEAD, Jim!".  Otherwise It echoes "It's 
ALIVE!!!".

That seems pretty clear.

Jeff

-Original Message-
From: Eric Covener [mailto:cove...@gmail.com] 
Sent: Monday, May 15, 2017 10:24 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] A curious thing - apachectl status in Apache 2.4.25

On Mon, May 15, 2017 at 1:22 PM, Jeff Cauhape  wrote:
> In the Apache 2.4.6 shell script apachectl, a call to “apachectl status”
>
> invokes systemctl status  httpd.service. This gives you easy-to-read
>
> output regardless if the server is running or not.

Did you go from a vendor package to a source install? The former probably just 
customized apachectl.


--
Eric Covener
cove...@gmail.com




[users@httpd] Re: How to customize error responses (while using mod_rewrite)?

2017-05-15 Thread Jens Schleusener

On Mon, 15 May 2017, Eric Covener wrote:

> On Mon, May 15, 2017 at 12:32 PM, Jens Schleusener
>  wrote:
> > Ok, in that case one could use the ErrorDocument directive (it works for me
> > principally) but how can one achieve that that directive is not used
> > globally but only specific for the above case?
> >
> > The idea to set in the above RewriteRule additionally an environment
> > variable for e.g. via a "E=tlsv10:1" flag and using
> >
> >   
> > ErrorDocument 412 /https_tlsv10.html
> >   
> >
> > seems not to work, the Apache httpd outputs the "412" standard error
> > message.
>
> Re: the If misfiring, its because 

Thanks for the hint, I will try it.

> But Is it much better than a redirect or rewrite to some document that
> describes the problem but has a 200 status code?


That is a great question that I cannot answer (you had tried it 
indirectly).


It becomes a little bit off-topic but an answer to this question would 
be very important to me since I provide an FOSS offering server with more or 
less frequently changing releases so that the server tries to redirect 
normally failing accesses to URLs according to no longer available 
releases to "guessed" URLs of the corresponding current release. If the 
server does that transparently responding with a 200 status code a human 
client may get not really the resource he has requested although he may 
have the impression and additionally search engines may index resources 
that are not 100% related to the accessed URLs. Also a status code 301 
would be in this sense wrong since it implies the same problem.


So currently the server answers with a 404 ("Not Found") but with an 
informative error page containing links to the new resources. Probably 
appropriate for human users but bad for search engines that get a lot of 
error responses (probably not regarding the contents of the error page).


I would be happy about a status code like 310 (a merge of 301 and 410) 
saying "Resource is no longer available but here is its successor" ;-)


Regards

Jens




Re: [users@httpd] A curious thing - apachectl status in Apache 2.4.25

2017-05-15 Thread Eric Covener
On Mon, May 15, 2017 at 1:22 PM, Jeff Cauhape  wrote:
> In the Apache 2.4.6 shell script apachectl, a call to “apachectl status”
>
> invokes systemctl status  httpd.service. This gives you easy-to-read
>
> output regardless if the server is running or not.

Did you go from a vendor package to a source install? The former
probably just customized apachectl.


-- 
Eric Covener
cove...@gmail.com




[users@httpd] A curious thing - apachectl status in Apache 2.4.25

2017-05-15 Thread Jeff Cauhape
I recently built Apache 2.4.25 and am running it on RHEL 7.3.
I've found something that seems a step backwards from 2.4.6
and I'm hoping someone can shed some light on it.

In the Apache 2.4.6 shell script apachectl, a call to "apachectl status"
invokes systemctl status  httpd.service. This gives you easy-to-read
output regardless if the server is running or not.

In the Apache 2.4.25 version of apachectl, "apachectl status" instead
calls links with the /server-status URL. When the server is up, you
get a lot of info. When the server is down, you get a Elinks error,
which is a little ambiguous, as there could be other reasons for
links not working correctly.

Doesn't this seem like a step backwards?

Can someone explain the rationale for this?

(Please note: I can fix this, but I'm curious as to why it was done this way)

Thanks,

Jeff Cauhape
IT Professional III
Department of Employment, Training and Rehabilitation
Phone 1-775-684-3804
Email: jpcauh...@nvdetr.org



Re: [users@httpd] Re: How to customize error responses (while using mod_rewrite)?

2017-05-15 Thread Eric Covener
On Mon, May 15, 2017 at 12:32 PM, Jens Schleusener
 wrote:
> Ok, in that case one could use the ErrorDocument directive (it works for me
> principally) but how can one achieve that that directive is not used
> globally but only specific for the above case?
>
> The idea to set in the above RewriteRule additionally an environment
> variable for e.g. via a "E=tlsv10:1" flag and using
>
>   
> ErrorDocument 412 /https_tlsv10.html
>   
>
> seems not to work, the Apache httpd outputs the "412" standard error
> message.

Re: the If misfiring, its because 

[users@httpd] Mod_proxy_balancer question

2017-05-15 Thread Kartik Vashishta
Hi,

We are using httpd 2.2 and wonder if a path to the application can be
defined in the BalanceMember definition, so would this work:

BalanceMember "http://192.168.1.50:/foo/bar" route=node1


[users@httpd] Re: How to customize error responses (while using mod_rewrite)?

2017-05-15 Thread Jens Schleusener

On Mon, 15 May 2017, Eric Covener wrote:

> On Mon, May 15, 2017 at 10:46 AM, Jens Schleusener
>  wrote:
> > Unfortunately for the RewriteRule directive for e.g. a Rewrite flag R=4xx
> > instead of R=permanent isn't allowed (only 300-399, why?) so I had
> > considered the usage of the  directive but didn't find a working
> > solution.
>
> Other codes are allowed, but you can't do anything with the
> substitution in this case. The reason is that if you return any status
> code like this, it short-circuits the processing of the URL by the
> rest of the server, so nobody is around to convert the URL to a file
> and serve it.
>
> The manual says:
> Any valid HTTP response status code may be specified, using the syntax
> [R=305], with a 302 status code being used by default if none is
> specified. The status code specified need not necessarily be a
> redirect (3xx) status code. However, if a status code is outside the
> redirect range (300-399) then the substitution string is dropped
> entirely, and rewriting is stopped as if the L were used.


Thanks for the clarification. But I am a little bit slow-witted and don't 
understand what "substitution string is dropped entirely" means. I assume 
not only the further rewriting rules are skipped but unfortunately also 
the output of the defined substitution page (/https_tlsv10.html) in


 RewriteCond %{SSL:SSL_PROTOCOL} ^TLSv1$
 RewriteRule !^/https_tlsv10.html$ /https_tlsv10.html [R=412,L]

(the 412 is here just a placeholder for a really correct response status 
code) and the Apache httpd outputs "only" the standard page for an 412 
error?


Ok, in that case one could use the ErrorDocument directive (it works for 
me principally) but how can one achieve that that directive is not 
used globally but only specific for the above case?


The idea to set in the above RewriteRule additionally an environment 
variable for e.g. via a "E=tlsv10:1" flag and using


  
ErrorDocument 412 /https_tlsv10.html
  

seems not to work, the Apache httpd outputs the "412" standard error 
message.


Regards

Jens




Re: [users@httpd] Redirect all unconfigured sub-domains to specific sub-domain

2017-05-15 Thread James Smith
You really only have one option at the moment and that is to pay for a 
wild card certificate which will do this {lets encrypt doesn't allow you 
yet}


It will probably set you back something like 100$ a year

o/w you will need to set your redirects up from xxx. to https:// 
individually and have a catch all that redirects the rest of the http 
request to a single https domain...




On 2017-05-15 05:03 PM, Torge Riedel wrote:

> Hi,
>
> I'm using Apache 2.2 and currently have the following configuration
> files:
>
> 00-default       -> redirect non-https-URLs to https-URLs
> 00-default-ssl   -> default configuration for
> https://mydomain.de and https://www.mydomain.de
>
> Then several files
>
> 20-sub.mydomain.de -> configuration for https://sub.mydomain.de
>
> So what I want to do is if a user browses to my domain with an
> unconfigured sub domain, he is redirected to lets say
> https://www.mydomain.de
>
> Reason: Currently he gets a certificate error, cause cert
> (letsencrypt) is only valid https://mydomain.de and
> https://www.mydomain.de
>
> Any hints?
>
> Thanks in advance
>
> Torge







--
The Wellcome Trust Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE. 





[users@httpd] Redirect all unconfigured sub-domains to specific sub-domain

2017-05-15 Thread Torge Riedel

Hi,

I'm using Apache 2.2 and currently have the following configuration files:

00-default       -> redirect non-https-URLs to https-URLs
00-default-ssl   -> default configuration for https://mydomain.de 
and https://www.mydomain.de

Then several files

20-sub.mydomain.de -> configuration for https://sub.mydomain.de

So what I want to do is if a user browses to my domain with an unconfigured sub 
domain, he is redirected to lets say https://www.mydomain.de

Reason: Currently he gets a certificate error, cause cert (letsencrypt) is only 
valid https://mydomain.de and https://www.mydomain.de

Any hints?

Thanks in advance

Torge





Re: [users@httpd] mod_proxy and 404

2017-05-15 Thread Felipe Gasper

> On 15 May 2017, at 11:13 AM, Eric Covener  wrote:
> 
> On Mon, May 15, 2017 at 11:06 AM, Felipe Gasper  
> wrote:
>>I’m noticing that mod_proxy sends its entire payload upstream without 
>> checking for an early response (e.g., 308 or 404). If upstream sends such a 
>> response then closes the connection, mod_proxy never sees it and reports a 
>> 502 back.
>> 
>>Browsers don’t behave this way; they see the response and forward it 
>> as expected. Is this a bug in mod_proxy?
> 
> It sounds like a behavior that could be improved.  The backend could
> also consume the body before sending the response or tearing down the
> connection.

Yeah, that may be our workaround for now, but when the client sends a large 
upload (e.g., attachments in webmail apps) it seems wasteful to make them wait 
for an upload whose result can be known right away.

Safari, Firefox, and Chrome all seem to handle this gracefully. Edge/IE is 
inconsistent: on the first submission it errors (“This page can’t be 
displayed”), but a reload of the POST shows a 404 as expected.

-FG



[users@httpd] How to proxy web server?

2017-05-15 Thread Florian Lindner
Hello,

Apache 2.4 on Debian Testing, mpm_itk

I have the Discourse web forum running in a docker container. The container's 
webserver is bound to localhost:2080. The
forum should be reachable at either forum.csc-stuttgart.org or 
csc-stuttgart.org/forum.

Possibility A:


ServerName forum.csc-stuttgart.org
AssignUserID csc-stuttgart csc-stuttgart
ProxyPreserveHost On
ProxyPass "/" "http://localhost:2080/"
ProxyPassReverse "/" "http://localhost:2080/"
DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub
[...]


That works fine, besides one little problem. I want to use Let's Encrypt SSL 
certificates on that which require a path
forum.csc-stuttgart.org/.well-known to be writable from the file system.
How can I take just one path out of the Proxy?

Wrap the ProxyPass/Reverse in a  with a PCRE that matches 
everything except .well-known? Haven't tested it
yet. Any better solution?

Possibility B:


ServerName csc-stuttgart.org
ServerAlias *.csc-stuttgart.org
AssignUserID csc-stuttgart csc-stuttgart
DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub
[...]

LogLevel debug
ProxyPass http://localhost:2080/
ProxyPassReverse http://localhost:2080/




Seems to not trigger on csc-stuttgart.org/forum, tried

 and  and .

ProxyPass "/forum" http://localhost:2080/
ProxyPassReverse "/forum" http://localhost:2080/

Seems to do the trick, but the Reverse does not seem to work. Error Log says

[proxy:debug] mod_proxy.c(1228): [client 129.69.213.139:55350] AH01143: Running 
scheme http handler (attempt 0)
[proxy:debug] proxy_util.c(2156): AH00942: HTTP: has acquired connection for 
(localhost)
[proxy:debug] proxy_util.c(2209): [client 129.69.213.139:55350] AH00944: 
connecting http://localhost:2080/ to localhost:2080
[proxy:debug] proxy_util.c(2418): [client 129.69.213.139:55350] AH00947: 
connected / to localhost:2080
[proxy:debug] proxy_util.c(2884): AH02824: HTTP: connection established with 
[::1]:2080 (localhost)
[proxy:debug] proxy_util.c(3051): AH00962: HTTP: connection complete to 
[::1]:2080 (localhost)
[proxy:debug] proxy_util.c(2171): AH00943: http: has released connection for 
(localhost)
[core:info][ client 129.69.213.139:55350] AH00128: File does not exist: 
/home/csc-stuttgart/csc-stuttgart.org/pub/login

The webserver at localhost:2080 redirected to /login/ which does not seem to 
be rewritten by ProxyPassReverse to
forum/login accordingly.


Thanks for any ideas!

Florian





Re: [users@httpd] mod_proxy and 404

2017-05-15 Thread Eric Covener
On Mon, May 15, 2017 at 11:06 AM, Felipe Gasper  wrote:
> I’m noticing that mod_proxy sends its entire payload upstream without 
> checking for an early response (e.g., 308 or 404). If upstream sends such a 
> response then closes the connection, mod_proxy never sees it and reports a 
> 502 back.
>
> Browsers don’t behave this way; they see the response and forward it 
> as expected. Is this a bug in mod_proxy?

It sounds like a behavior that could be improved.  The backend could
also consume the body before sending the response or tearing down the
connection.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
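
The suggestion in the reply above, that the backend consume the request body before it answers, sketched as an added example (not code from this thread or from httpd). The handler class, the 8 MiB drain cap and the test client are assumptions made for illustration; the client writes the whole body before reading, as the thread describes mod_proxy doing.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MAX_DRAIN = 8 * 1024 * 1024  # assumed cap on how much unwanted upload we discard
CHUNK = 64 * 1024


class DrainingHandler(BaseHTTPRequestHandler):
    """Hypothetical backend that answers every POST with 404, but only
    after the request body has been read off the socket."""

    protocol_version = "HTTP/1.1"

    def drain_body(self):
        """Discard the request body. Return True if it was fully consumed."""
        if self.headers.get("Transfer-Encoding"):
            return False  # chunked bodies are not handled in this sketch
        try:
            remaining = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            return False
        if remaining < 0 or remaining > MAX_DRAIN:
            return False  # do not read unbounded data just to be polite
        while remaining > 0:
            chunk = self.rfile.read(min(CHUNK, remaining))
            if not chunk:  # peer went away mid-upload
                return False
            remaining -= len(chunk)
        return True

    def do_POST(self):
        drained = self.drain_body()
        body = b"Not Found\n"
        self.send_response(404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        if not drained:
            # Unread bytes remain on the socket, so the connection cannot be
            # reused; a sender that is still writing may see a reset instead
            # of this response (the 502 case described in the thread).
            self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def post_body_then_read(port, size):
    """Write the whole request body first, then read the response.
    Returns the HTTP status code the backend sent."""
    head = ("POST /missing HTTP/1.1\r\n"
            "Host: localhost\r\n"
            f"Content-Length: {size}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")
    with socket.create_connection(("127.0.0.1", port), timeout=10) as sock:
        sock.sendall(head + b"x" * size)  # constructed sample upload
        response = b""
        while True:
            part = sock.recv(4096)
            if not part:
                break
            response += part
    return int(response.split(b" ", 2)[1])


def run_demo(body_size=1024 * 1024):
    """Start the backend on an ephemeral local port and POST to it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DrainingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return post_body_then_read(server.server_address[1], body_size)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The cap is the trade-off raised in the follow-up reply: draining makes the sender finish an upload whose result is already known, so a backend should bound how much it is willing to discard.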



[users@httpd] mod_proxy and 404

2017-05-15 Thread Felipe Gasper
Hello,

I’m noticing that mod_proxy sends its entire payload upstream without 
checking for an early response (e.g., 308 or 404). If upstream sends such a 
response then closes the connection, mod_proxy never sees it and reports a 502 
back.

Browsers don’t behave this way; they see the response and forward it as 
expected. Is this a bug in mod_proxy?

-Felipe Gasper
Mississauga, ON



Re: [users@httpd] How to customize error responses (while using mod_rewrite)?

2017-05-15 Thread Eric Covener
On Mon, May 15, 2017 at 10:46 AM, Jens Schleusener
 wrote:
> Unfortunately for the RewriteRule directive for e.g. a Rewrite flag R=4xx
> instead of R=permanent isn't allowed (only 300-399, why?) so I had
> considered the usage of the  directive but didn't find a working
> solution.

Other codes are allowed, but you can't do anything with the
substitution in this case. The reason is that if you return any status
code like this, it short-circuits the processing of the URL by the
rest of the server, so nobody is around to convert the URL to a file
and serve it.

The manual says:
Any valid HTTP response status code may be specified, using the syntax
[R=305], with a 302 status code being used by default if none is
specified. The status code specified need not necessarily be a
redirect (3xx) status code. However, if a status code is outside the
redirect range (300-399) then the substitution string is dropped
entirely, and rewriting is stopped as if the L were used.

-- 
Eric Covener
cove...@gmail.com




[users@httpd] How to customize error responses (while using mod_rewrite)?

2017-05-15 Thread Jens Schleusener

Hi,

my general question is how I can generate customized error responses 
while using the mod_rewrite module. Yes, I know the page


 https://httpd.apache.org/docs/2.4/custom-error.html

but the ErrorDocument directive allows only to do some customization per 
status code optionally refined by context but I want to output customized 
error pages specifically for many different request conditions determined 
mainly by various RewriteCond directives.


Here an actual special example: On a server running httpd 2.4 I want to 
disallow the HTTPS access using the TLSv1.0 protocol. In order to do that not 
too "hard" but a little bit client-friendly TLSv1.0 accesses aren't yet 
really disabled but redirected for a limited period to an according 
information page. Currently that is realized with the following 
configuration


 RewriteCond %{SSL:SSL_PROTOCOL} ^TLSv1$
 RewriteRule (.*) /https_tlsv10.html [R=permanent,L]

The big disadvantage of that solution is that it returns an obviously 
incorrect HTTP response status code 301 ("Moved Permanently") but I want 
that the server returns an appropriate 4xx or 5xx status code (ok, I am not 
sure what would be an "appropriate" one). By the way, the current 301 
redirection let some bots (using still TLSv1.0) nevertheless access that 
information page many thousand times (but maybe they would that do also 
with a returned 4xx or 5xx response status code).


Unfortunately for the RewriteRule directive for e.g. a Rewrite flag R=4xx 
instead of R=permanent isn't allowed (only 300-399, why?) so I had 
considered the usage of the  directive but didn't find a working 
solution.


So maybe the only working solution is the detour via an external CGI 
program.


Probably I have something overseen, so any ideas or comments?

Jens





Re: [users@httpd] Getting PHP-FPM working

2017-05-15 Thread John Iliffe
Hi Christian:

I just noticed that you put "" around the parameters to ProxyPassMatch.

I tried that and no change in the results.

John

On Monday 15 May 2017 05:21:59 Christian Hettler wrote:
> Hello John,
> 
> the manual (mod_proxy_fcgi.html) states:
> 
> "The request URL is implicitly added to the 2nd parameter."
> 
> (Did|Can) you try
> 
> ProxyPassMatch "^/.*\.php(/.*)?$" "fcgi://127.0.0.1:9015/httpd/iliffe/"
> 
> instead of
> 
> > #   ProxyPassMatch ^/(.*\.php(/.*)?)$
> > fcgi://127.0.0.1:9015/httpd/iliffe/$1
> 
> regards,
> 
> Christian
> 
> On Sat, May 13, 2017 at 03:43:08PM -0400, John Iliffe wrote:
> > I'm not sure if this is the correct list to post these questions to,
> > since I now have things isolated to a single module in PHP-FPM, so
> > please redirect me if necessary.  This is a continuation of the
> > problems I was having (on this list) installing a new server last
> > month.
> > 
> > -
> > Summary: PHP-FPM will not execute any scripts; it is set up according
> > to the PHP-FPM Wiki documentation so far as I can see.
> > -
> > 
> > O/S  Fedora 25, Apache 2.4.25 compiled from source, PHP 7.1.3 compiled
> > from source.
> > 
> > I did a clean install of PHP-7.1.3 for testing, PHP-FPM is running
> > under its own user/group phpfpm.  Set up as listen  on 127.0.0.1:9015
> > in pool www.  Document root in www.conf is /httpd/iliffe which has
> > been set to world readable, SELinux is set to permissive so it isn't
> > in the equation.  Log level on PHP is debug.  All available log info
> > is at the end of this memo.
> > 
> > It seems obvious to me that the proxy_fcgi module is working as
> > expected and that the problem is somewhere in PHP-FPM.
> > 
> > mod_php was tried as a check on the installation and works OK when
> > enabled.
> > 
> > I am using the minimalist proxy configuration in Apache, (the target
> > PHP script is hard coded to avoid regex errors) and the target PHP
> > script file is being reported correctly by both Apache and PHP-FPM. 
> > I checked by su as the phpfpm user and I can read this file, no
> > problems at all.
> > 
> > The problem has been traced to fpm_main.c, specifically the following:
> > 
> > -
> > if (UNEXPECTED(php_fopen_primary_script(&file_handle) == FAILURE)) {
> >     zend_try {
> >         zlog(ZLOG_ERROR, "Unable to open primary script: %s (%s)",
> >              primary_script, strerror(errno));
> >         if (errno == EACCES) {
> >             SG(sapi_headers).http_response_code = 403;
> >             PUTS("Access denied.\n");
> >         } else {
> >             SG(sapi_headers).http_response_code = 404;
> >             PUTS("No input file specified.\n");
> > 
> > 
> > 
> > Changing the script path in httpd.conf leads to a browser File Not
> > Found error as would be expected.  The document root in httpd.conf
> > and in www.conf (PHP pool conf file for this pool) are the same.
> > 
> > In Apache, the minimum is set in httpd.conf:
> > 
> > # Default host (www.iliffe.ca)
> > # This one picks up all IP based hacker garbage too
> > 
> > 
> >ServerName www.iliffe.ca
> >DocumentRoot /httpd/iliffe
> >Options FollowSymLinks
> >H2Direct on
> > 
> > #   ProxyPassMatch ^/(.*\.php(/.*)?)$
> > fcgi://127.0.0.1:9015/httpd/iliffe/$1
> > 
> >   ProxyPassMatch ^/info$
> >   fcgi://127.0.0.1:9015/httpd/iliffe/i_phpinfo.php
> > 
> > As far as I can see, all necessary Apache modules are loaded:
> > 
> > # /usr/apache-2.4.25/bin/httpd -M
> > 
> > Loaded Modules:
> >  core_module (static)
> >  so_module (static)
> >  http_module (static)
> > 
> >  big list of modules skipped here
> > 
> >  proxy_module (shared)
> >  proxy_connect_module (shared)
> >  proxy_http_module (shared)
> >  proxy_fcgi_module (shared)
> >  ssl_module (shared)
> >  unixd_module (shared)
> >  http2_module (shared)
> >  status_module (shared)
> > 
> > **more modules skipped here
> > 
> > I'm completely stuck here and any ideas or assistance would be
> > appreciated.
> > 
> > Regards,
> > 
> > John
> > 
> > All following errors from one screen access:
> > -
> > PHP-FPM log:
> > [13-May-2017 14:40:33.423449] DEBUG: pid 16444,
> > fpm_pctl_perform_idle_server_maintenance(), line 379: [pool www]
> > currently 0 active children, 2 spare children, 2 running children.
> > Spawning rate 1
> > [13-May-2017 14:40:34.265891] WARNING: pid 16444,
> > fpm_stdio_child_said(), line 197: [pool www] child 16445 said into
> > stderr: "ERROR: main(), line 1947: Unable to open primary script:
> > /httpd/iliffe/i_phpinfo.php (No such file or directory)"
> > [13-May-2017 14:40:34.265952] DEBUG: pid 16444, fpm_event_loop(), line
> > 419: event module tri

Re: [users@httpd] Getting PHP-FPM working

2017-05-15 Thread John Iliffe
Thank you for your suggestion Christian.

Same result.  (there are no passed parameters to the script being invoked).

httpd.conf:
  ProxyPassMatch ^/.*\.php(/.*)?$ fcgi://127.0.0.1:9015/httpd/iliffe/

Browser:
No input file specified. 

Apache error log:
[Mon May 15 10:12:26.832070 2017] [proxy_fcgi:error] [pid 10030:tid 
139886816392960] [client 206.248.138.118:50926] AH01071: Got error 'Unable 
to open primary script: /httpd/iliffe//i_phpinfo.php (No such file or 
directory)\n'

php-fpm error log:
[15-May-2017 10:12:26] WARNING: [pool www] child 7551 said into 
stderr: "ERROR: Unable to open primary script: /httpd/iliffe//i_phpinfo.php 
(No such file or directory)"

Regards,

John
===
On Monday 15 May 2017 05:21:59 Christian Hettler wrote:
> Hello John,
> 
> the manual (mod_proxy_fcgi.html) states:
> 
> "The request URL is implicitly added to the 2nd parameter."
> 
> (Did|Can) you try
> 
> ProxyPassMatch "^/.*\.php(/.*)?$" "fcgi://127.0.0.1:9015/httpd/iliffe/"
> 
> instead of
> 
> > #   ProxyPassMatch ^/(.*\.php(/.*)?)$
> > fcgi://127.0.0.1:9015/httpd/iliffe/$1
> 
> regards,
> 
> Christian
> 
> On Sat, May 13, 2017 at 03:43:08PM -0400, John Iliffe wrote:
> > > I'm not sure if this is the correct list to post these questions to,
> > since I now have things isolated to a single module in PHP-FPM, so
> > please redirect me if necessary.  This is a continuation of the
> > problems I was having (on this list) installing a new server last
> > month.
> > 
> > -
> > Summary: PHP-FPM will not execute any scripts; it is set up according
> > to the PHP-FPM Wiki documentation so far as I can see.
> > -
> > 
> > O/S  Fedora 25, Apache 2.4.25 compiled from source, PHP 7.1.3 compiled
> > from source.
> > 
> > I did a clean install of PHP-7.1.3 for testing, PHP-FPM is running
> > under its own user/group phpfpm.  Set up as listen  on 127.0.0.1:9015
> > in pool www.  Document root in www.conf is /httpd/iliffe which has
> > been set to world readable, SELinux is set to permissive so it isn't
> > in the equation.  Log level on PHP is debug.  All available log info
> > is at the end of this memo.
> > 
> > > It seems obvious to me that the proxy_fcgi module is working as
> > > expected and that the problem is somewhere in PHP-FPM.
> > 
> > mod_php was tried as a check on the installation and works OK when
> > enabled.
> > 
> > I am using the minimalist proxy configuration in Apache, (the target
> > PHP script is hard coded to avoid regex errors) and the target PHP
> > script file is being reported correctly by both Apache and PHP-FPM. 
> > I checked by su as the phpfpm user and I can read this file, no
> > problems at all.
> > 
> > The problem has been traced to fpm_main.c, specifically the following:
> > 
> > -
> > > if (UNEXPECTED(php_fopen_primary_script(&file_handle) == FAILURE)) {
> > >     zend_try {
> > >         zlog(ZLOG_ERROR, "Unable to open primary script: %s (%s)",
> > >              primary_script, strerror(errno));
> > >         if (errno == EACCES) {
> > >             SG(sapi_headers).http_response_code = 403;
> > >             PUTS("Access denied.\n");
> > >         } else {
> > >             SG(sapi_headers).http_response_code = 404;
> > >             PUTS("No input file specified.\n");
> > 
> > 
> > 
> > Changing the script path in httpd.conf leads to a browser File Not
> > Found error as would be expected.  The document root in httpd.conf
> > and in www.conf (PHP pool conf file for this pool) are the same.
> > 
> > In Apache, the minimum is set in httpd.conf:
> > 
> > # Default host (www.iliffe.ca)
> > # This one picks up all IP based hacker garbage too
> > 
> > 
> > >     ServerName www.iliffe.ca
> > >     DocumentRoot /httpd/iliffe
> > >     Options FollowSymLinks
> > >     H2Direct on
> > > 
> > > #   ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9015/httpd/iliffe/$1
> > > 
> > >     ProxyPassMatch ^/info$ fcgi://127.0.0.1:9015/httpd/iliffe/i_phpinfo.php
> > 
> > As far as I can see, all necessary Apache modules are loaded:
> > 
> > # /usr/apache-2.4.25/bin/httpd -M
> > 
> > Loaded Modules:
> >  core_module (static)
> >  so_module (static)
> >  http_module (static)
> > 
> >  big list of modules skipped here
> > 
> >  proxy_module (shared)
> >  proxy_connect_module (shared)
> >  proxy_http_module (shared)
> >  proxy_fcgi_module (shared)
> >  ssl_module (shared)
> >  unixd_module (shared)
> >  http2_module (shared)
> >  status_module (shared)
> > 
> > **more modules skipped here
> > 
> > I'm completely stuck here and any ideas or assistance would be
> > appreciated.
> > 
> > Regards,
> > 
> > John
> > 
> > All following errors from one screen access:
> > 

Re: [users@httpd] Getting PHP-FPM working

2017-05-15 Thread Christian Hettler
Hello John,

the manual (mod_proxy_fcgi.html) states:

"The request URL is implicitly added to the 2nd parameter."

(Did|Can) you try

ProxyPassMatch "^/.*\.php(/.*)?$" "fcgi://127.0.0.1:9015/httpd/iliffe/"

instead of

> #   ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9015/httpd/iliffe/$1


regards,

Christian

On Sat, May 13, 2017 at 03:43:08PM -0400, John Iliffe wrote:
> I'm not sure if this is the correct list to post these questions to, since 
> I now have things isolated to a single module in PHP-FPM, so please 
> redirect me if necessary.  This is a continuation of the problems I was 
> having (on this list) installing a new server last month.
> 
> -
> Summary: PHP-FPM will not execute any scripts; it is set up according to 
> the PHP-FPM Wiki documentation so far as I can see.
> -
> 
> O/S  Fedora 25, Apache 2.4.25 compiled from source, PHP 7.1.3 compiled from 
> source.
> 
> I did a clean install of PHP-7.1.3 for testing, PHP-FPM is running under 
> its own user/group phpfpm.  Set up as listen  on 127.0.0.1:9015 in pool 
> www.  Document root in www.conf is /httpd/iliffe which has been set to world 
> readable, SELinux is set to permissive so it isn't in the equation.  Log 
> level on PHP is debug.  All available log info is at the end of this memo.
> 
> It seems obvious to me that the proxy_fcgi module is working as expected and 
> that the problem is somewhere in PHP-FPM.
> 
> mod_php was tried as a check on the installation and works OK when enabled.
> 
> I am using the minimalist proxy configuration in Apache, (the target PHP 
> script is hard coded to avoid regex errors) and the target PHP script file 
> is being reported correctly by both Apache and PHP-FPM.  I checked by su as 
> the phpfpm user and I can read this file, no problems at all.
> 
> The problem has been traced to fpm_main.c, specifically the following:
> 
> -
> if (UNEXPECTED(php_fopen_primary_script(&file_handle) == FAILURE)) {
>     zend_try {
>         zlog(ZLOG_ERROR, "Unable to open primary script: %s (%s)",
>              primary_script, strerror(errno));
>         if (errno == EACCES) {
>             SG(sapi_headers).http_response_code = 403;
>             PUTS("Access denied.\n");
>         } else {
>             SG(sapi_headers).http_response_code = 404;
>             PUTS("No input file specified.\n");
> 
> 
> Changing the script path in httpd.conf leads to a browser File Not Found 
> error as would be expected.  The document root in httpd.conf and in 
> www.conf (PHP pool conf file for this pool) are the same.
> 
> In Apache, the minimum is set in httpd.conf:  
> 
> # Default host (www.iliffe.ca)
> # This one picks up all IP based hacker garbage too
> 
>     ServerName www.iliffe.ca
>     DocumentRoot /httpd/iliffe
>     Options FollowSymLinks
>     H2Direct on
> 
> #   ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9015/httpd/iliffe/$1
>   ProxyPassMatch ^/info$ fcgi://127.0.0.1:9015/httpd/iliffe/i_phpinfo.php
> 
> As far as I can see, all necessary Apache modules are loaded:
> 
> # /usr/apache-2.4.25/bin/httpd -M
> Loaded Modules:
>  core_module (static)
>  so_module (static)
>  http_module (static)
> 
>  big list of modules skipped here
>  proxy_module (shared)
>  proxy_connect_module (shared)
>  proxy_http_module (shared)
>  proxy_fcgi_module (shared)
>  ssl_module (shared)
>  unixd_module (shared)
>  http2_module (shared)
>  status_module (shared)
> 
> **more modules skipped here
> 
> I'm completely stuck here and any ideas or assistance would be appreciated.
> 
> Regards,
> 
> John
> 
> All following errors from one screen access:
> -
> PHP-FPM log:
> [13-May-2017 14:40:33.423449] DEBUG: pid 16444, 
> fpm_pctl_perform_idle_server_maintenance(), line 379: [pool www] currently 
> 0 active children, 2 spare children, 2 running children. Spawning rate 1
> [13-May-2017 14:40:34.265891] WARNING: pid 16444, fpm_stdio_child_said(), 
> line 197: [pool www] child 16445 said into stderr: "ERROR: main(), line 
> 1947: Unable to open primary script: /httpd/iliffe/i_phpinfo.php (No such 
> file or directory)"
> [13-May-2017 14:40:34.265952] DEBUG: pid 16444, fpm_event_loop(), line 419: 
> event module triggered 1 events
> [13-May-2017 14:40:34.424195] DEBUG: pid 16444, 
> fpm_pctl_perform_idle_server_maintenance(), line 379: [pool www] currently 
> 0 active children, 2 spare children, 2 running children. Spawning rate 1
> 
> 
> Apache Access Log:
> 206.248.138.118 - - [13/May/2017:14:40:34 -0400] "GET /info HTTP/1.1" 404 
> 25 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 
> Firefox/45.0"
> --
> 
> Apache Error Log:
> [Sat May 13 14:40:34.266066 2017] [proxy_fcgi:error] [pid 16122:tid 
> 14052575985433