RE: [users@httpd] TLS1.2
Turn off SSLv3 and TLS 1.0. Borrowed config:

SSLEngine on
SSLCertificateFile "/etc/httpd/certs/facultyrecruitingqa_northwestern_edu_cert.cer"
SSLCertificateKeyFile "/etc/httpd/certs/key.pem"

# "Modern" configuration, defined by the Mozilla Foundation's SSL Configuration
# Generator as of August 2016. This tool is available at
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

# Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
# require OpenSSL 1.1.0, which as of this writing was in pre-release.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

Darryl Baker
Sr. System Administrator
Northwestern | Information Technology
www.it.northwestern.edu

From: ANKIT PALRECHA [mailto:ankyt.palre...@gmail.com]
Sent: May 16, 2017 2:05 PM
To: users@httpd.apache.org
Subject: [users@httpd] TLS1.2

Hello Team,

Any idea how we can test if apache supports TLS1.1 and TLS1.2?

This is bundled with openssl?

Please share details on TLS, how to test?

Thanks
Ankit Jain
+91-9741336404
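The config above depends on reading `SSLProtocol` correctly: `all` is a shortcut for every version the build supports, and each `-` token subtracts one, so `all -SSLv3 -TLSv1 -TLSv1.1` leaves only TLS 1.2 (and TLS 1.3 on builds that have it). The following checker is an added example, not code from the thread or from the httpd project: it evaluates an `SSLProtocol` line with those token rules, then lints the companion directives the message sets (`SSLHonorCipherOrder`, `SSLCompression`, the HSTS header). The set of versions that `all` expands to (`ALL_PROTOCOLS`), the sample config fragments, the certificate paths and the 180-day HSTS threshold are all assumptions made for the example.

```python
import re

# Assumption for this example: what "all" expands to on httpd 2.4 with
# OpenSSL 1.0.1+.  Builds with TLS 1.3 (httpd 2.4.37+ on OpenSSL 1.1.1)
# would add "TLSv1.3" here.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample fragments: the "modern" settings from the message with
# placeholder certificate paths, and a weak one that relies on defaults.
MODERN_CONFIG = """
SSLEngine on
SSLCertificateFile "/etc/httpd/certs/example.cer"
SSLCertificateKeyFile "/etc/httpd/certs/key.pem"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
"""

WEAK_CONFIG = """
SSLEngine on
SSLCertificateFile "/etc/httpd/certs/example.cer"
SSLCertificateKeyFile "/etc/httpd/certs/key.pem"
SSLProtocol all -SSLv3
"""


def enabled_protocols(directive, all_protocols=ALL_PROTOCOLS):
    """Evaluate one SSLProtocol line with mod_ssl's token rules.

    Tokens are processed left to right: "all" stands for every supported
    version, a bare or "+"-prefixed name adds a version, a "-"-prefixed name
    removes one.  Unknown names raise rather than being silently ignored,
    which is how a typo such as "TLSv12" would otherwise slip through.
    """
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    known = set(all_protocols)
    enabled = set()
    for tok in tokens[1:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = known if name.lower() == "all" else {name}
        if not names <= known:
            raise ValueError("unknown protocol name %r" % name)
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def lint_ssl_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    by_name = {ln.split()[0].lower(): ln for ln in lines}
    findings = []

    proto = by_name.get("sslprotocol")
    if proto is None:
        findings.append("SSLProtocol missing: the default enables every version the build supports")
    else:
        for name in sorted(enabled_protocols(proto) & LEGACY_PROTOCOLS):
            findings.append("legacy protocol enabled: " + name)

    # Default for SSLHonorCipherOrder is off, so absence is a finding.
    if by_name.get("sslhonorcipherorder", "").lower().split()[-1:] != ["on"]:
        findings.append("SSLHonorCipherOrder is not on: the client chooses the cipher")
    # SSLCompression defaults to off since 2.4.3; only an explicit "on" is flagged.
    if by_name.get("sslcompression", "SSLCompression off").lower().split()[-1] == "on":
        findings.append("SSLCompression is on")

    hsts = [ln for ln in lines if "strict-transport-security" in ln.lower()]
    match = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if match is None:
        findings.append("no Strict-Transport-Security header is set")
    elif int(match.group(1)) < 180 * 24 * 3600:  # assumed minimum for this check
        findings.append("Strict-Transport-Security max-age is shorter than 180 days")
    return findings


if __name__ == "__main__":
    for label, cfg in (("modern", MODERN_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, lint_ssl_config(cfg) or "OK")
```

Run against the quoted fragment the checker reports nothing; against the weak fragment it reports TLSv1 and TLSv1.1 still enabled, no cipher-order enforcement and no HSTS header, which is the picture the original question ("does apache support TLS1.1 and TLS1.2?") is really asking about: httpd does whatever `SSLProtocol` leaves enabled among the versions its OpenSSL build offers.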
Re: [users@httpd] TLS1.2
HTTPD will support it if OpenSSL supports it.

2017-05-16 21:04 GMT+02:00 ANKIT PALRECHA:
> Hello Team,
>
> Any idea how we can test if apache supports TLS1.1 and TLS1.2?
>
> This is bundled with openssl?
>
> Please share details on TLS, how to test?
>
> Thanks
> Ankit Jain
> +91-9741336404

--
Daniel Ferradal
IT Specialist
email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] TLS1.2
Hello Team,

Any idea how we can test if apache supports TLS1.1 and TLS1.2?

This is bundled with openssl?

Please share details on TLS, how to test?

Thanks
Ankit Jain
+91-9741336404
Re: [users@httpd] Need help in change of context root while redirecting url
Thanks Eric.. As we do not have a pre-prod environment, I wanted to check before trying it. I will check and update.

Thanks & regards,
Sailaja

On Tue, May 16, 2017 at 10:09 PM, Eric Covener wrote:
> On Tue, May 16, 2017 at 12:24 PM, Sailaja Gadireddy wrote:
> > Hello Team,
> >
> > I have a requirement to change the context root in the url when redirecting.
> >
> > For example: If user hits the url https://www.xyz.com/abc/def
> > It should redirect to https://www.xyz.com/ghi/jkl.
> >
> > from url: https://www.xyz.com/abc/def --> https://www.xyz.com/ghi/jkl
> >
> > Please help me if RedirectMatch will work in this case.
> >
> > RedirectMatch /abc/def /ghi/jkl
>
> Try it and see? Apache doesn't care that you consider /abc and /ghi context roots. You are free to pick any URL to redirect to.
>
> --
> Eric Covener
> cove...@gmail.com
Re: [users@httpd] Need help in change of context root while redirecting url
On Tue, May 16, 2017 at 12:24 PM, Sailaja Gadireddy wrote:
> Hello Team,
>
> I have a requirement to change the context root in the url when redirecting.
>
> For example: If user hits the url https://www.xyz.com/abc/def
> It should redirect to https://www.xyz.com/ghi/jkl.
>
> from url: https://www.xyz.com/abc/def --> https://www.xyz.com/ghi/jkl
>
> Please help me if RedirectMatch will work in this case.
>
> RedirectMatch /abc/def /ghi/jkl

Try it and see? Apache doesn't care that you consider /abc and /ghi context roots. You are free to pick any URL to redirect to.

--
Eric Covener
cove...@gmail.com
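"Try it and see" is the right answer, and the thing to see is that `RedirectMatch` takes a regular expression that is searched within the URL-path, not a literal prefix: the bare rule from the question also fires on `/other/abc/def` and `/abc/definitions`, and it drops whatever followed the old context root. The simulation below is an added example, not code from the thread or from httpd itself; it models mod_alias's documented behaviour (regex search against the path, `$1`..`$9` back-references in the target, an unset group substituting as empty) and the two rule sets and sample paths are constructed for it.

```python
import re


def redirect_match(pattern, target, path):
    """Apply one RedirectMatch rule to a URL-path.

    As in mod_alias, the regex is searched in the path (a pattern without "^"
    matches anywhere) and $1..$9 in the target are replaced by the capture
    groups; a group that did not participate substitutes as "".  Returns the
    new Location, or None when the rule does not fire.
    """
    m = re.search(pattern, path)
    if m is None:
        return None

    def backref(token):
        n = int(token.group(1))
        value = m.group(n) if n <= len(m.groups()) else None
        return value if value is not None else ""

    return re.sub(r"\$([1-9])", backref, target)


# Constructed rules: the one from the question as written, and an anchored
# variant that keeps whatever follows the old context root.
BARE_RULE = ("/abc/def", "/ghi/jkl")
ANCHORED_RULE = (r"^/abc/def(/.*)?$", "/ghi/jkl$1")


def apply_rule(rule, path):
    pattern, target = rule
    return redirect_match(pattern, target, path)


if __name__ == "__main__":
    for path in ("/abc/def", "/abc/def/page.html", "/abc/definitions", "/other/abc/def"):
        print("%-22s bare -> %-12s anchored -> %s" % (
            path, apply_rule(BARE_RULE, path), apply_rule(ANCHORED_RULE, path)))
```

The anchored form is what a practitioner usually wants for a context-root move: `^` stops unrelated paths from being redirected, `(/.*)?$` stops `/abc/definitions` from matching, and `$1` carries the rest of the path (and, if present, the trailing slash) to the new root.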
[users@httpd] Need help in change of context root while redirecting url
Hello Team,

I have a requirement to change the context root in the url when redirecting.

For example: If user hits the url https://www.xyz.com/abc/def
It should redirect to https://www.xyz.com/ghi/jkl.

from url: https://www.xyz.com/abc/def --> https://www.xyz.com/ghi/jkl

Please help me if RedirectMatch will work in this case.

RedirectMatch /abc/def /ghi/jkl

Thanks & Regards,
Sailaja.
Re: [users@httpd] Getting PHP-FPM working
Yes, chroot = /

I just sent a (really big!) strace file to this list that shows (I think) that the request is including more than just the file name. I'm hoping it makes sense to someone.

Regards,

John
=
On Tuesday 16 May 2017 04:19:08 Christian Hettler wrote:
> hello John,
>
> Is ChrootDir activated?
>
> regards,
>
> Christian
>
> On Mon, May 15, 2017 at 10:42:37AM -0400, John Iliffe wrote:
> > Hi Christian:
> >
> > I just noticed that you put "" around the parameters to ProxyPassMatch.
> >
> > I tried that and no change in the results.
> >
> > John
> >
> > On Monday 15 May 2017 05:21:59 Christian Hettler wrote:
> > > Hello John,
> > >
> > > the manual (mod_proxy_fcgi.html) states:
> > >
> > > "The request URL is implicitly added to the 2nd parameter."
> > >
> > > (Did|Can) you try
> > >
> > > ProxyPassMatch "^/.*\.php(/.*)?$" "fcgi://127.0.0.1:9015/httpd/iliffe/"
> > >
> > > instead of
> > >
> > > > # ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9015/httpd/iliffe/$1
> > >
> > > regards,
> > >
> > > Christian
> > >
> > > On Sat, May 13, 2017 at 03:43:08PM -0400, John Iliffe wrote:
> > > > I'm not sure if this is the correct list to post these questions to, since I now have things isolated to a single module in PHP-FPM, so please redirect me if necessary. This is a continuation of the problems I was having (on this list) installing a new server last month.
> > > >
> > > > -----
> > > > Summary: PHP-FPM will not execute any scripts; it is set up according to the PHP-FPM Wiki documentation so far as I can see.
> > > > -----
> > > >
> > > > O/S Fedora 25, Apache 2.4.25 compiled from source, PHP 7.1.3 compiled from source.
> > > >
> > > > I did a clean install of PHP-7.1.3 for testing, PHP-FPM is running under its own user/group phpfpm. Set up as listen on 127.0.0.1:9015 in pool www. Document root in www.conf is /httpd/iliffe which has been set to world readable, SELinux is set to permissive so it isn't in the equation. Log level on PHP is debug. All available log info is at the end of this memo.
> > > >
> > > > It seems obvious to me that the proxy_fcgi module is working as expected and that the problem is somewhere in PHP-FPM.
> > > >
> > > > mod_php was tried as a check on the installation and works OK when enabled.
> > > >
> > > > I am using the minimalist proxy configuration in Apache, (the target PHP script is hard coded to avoid regex errors) and the target PHP script file is being reported correctly by both Apache and PHP-FPM. I checked by su as the phpfpm user and I can read this file, no problems at all.
> > > >
> > > > The problem has been traced to fpm_main.c, specifically the following:
> > > >
> > > > -----
> > > > if (UNEXPECTED(php_fopen_primary_script(&file_handle) == FAILURE)) {
> > > >     zend_try {
> > > >         zlog(ZLOG_ERROR, "Unable to open primary script: %s (%s)", primary_script, strerror(errno));
> > > >         if (errno == EACCES) {
> > > >             SG(sapi_headers).http_response_code = 403;
> > > >             PUTS("Access denied.\n");
> > > >         } else {
> > > >             SG(sapi_headers).http_response_code = 404;
> > > >             PUTS("No input file specified.\n");
> > > >
> > > > Changing the script path in httpd.conf leads to a browser File Not Found error as would be expected. The document root in httpd.conf and in www.conf (PHP pool conf file for this pool) are the same.
> > > >
> > > > In Apache, the minimum is set in httpd.conf:
> > > >
> > > > # Default host (www.iliffe.ca)
> > > > # This one picks up all IP based hacker garbage too
> > > >
> > > >     ServerName www.iliffe.ca
> > > >     DocumentRoot /httpd/iliffe
> > > >     Options FollowSymLinks
> > > >     H2Direct on
> > > >
> > > > # ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9015/httpd/iliffe/$1
> > > >
> > > > ProxyPassMatch ^/info$ fcgi://127.0.0.1:9015/httpd/iliffe/i_phpinfo.php
> > > >
> > > > As far as I can see, all necessary Apache modules are loaded:
> > > >
> > > > # /usr/apache-2.4.25/bin/httpd -M
> > > >
> > > > Loaded Modules:
> > > > core_module (static)
> > > > so_module (static)
> > > > http_module (static)
> > > >
> > > > big list of modules skipped here
> > > >
> > > > proxy_module (shared)
> > > > proxy_connect_
Re: [users@httpd] Re: How to proxy web server?
Just add this line first:

ProxyPass /.well-known !

You use the path and ! to specify this as an exception to not proxy.

Always try to define ProxyPass in virtualhost (without location), as you show possibility A is the simpler one for me, less hassle assured, less convoluted, imo.

2017-05-16 15:19 GMT+02:00 Florian Lindner:
> On 15.05.2017 at 17:05, Florian Lindner wrote:
>> Hello,
>>
>> Apache 2.4 on Debian Testing, mpm_itk
>>
>> I have the Discourse web forum running in a docker container. The container's webserver is bound to localhost:2080. The forum should be reachable at either forum.csc-stuttgart.org or csc-stuttgart.org/forum.
>>
>> Possibility A:
>>
>>     ServerName forum.csc-stuttgart.org
>>     AssignUserID csc-stuttgart csc-stuttgart
>>     ProxyPreserveHost On
>>     ProxyPass "/" "http://localhost:2080/"
>>     ProxyPassReverse "/" "http://localhost:2080/"
>>     DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub
>>     [...]
>>
>> That works fine, besides one little problem. I want to use Let's Encrypt SSL certificates on that which require a path forum.csc-stuttgart.org/.well-known to be writable from the file system. How can I take just one path out of the Proxy?
>>
>> Wrap the ProxyPass/Reverse in a with a PCRE that matches everything except .well-known? Haven't tested it yet. Any better solution?
>
> Ok, I was able to achieve it using:
>
>     ServerName forum.csc-stuttgart.org
>     AssignUserID csc-stuttgart csc-stuttgart
>
>     Redirect permanent / https://forum.csc-stuttgart.org/
>
>     DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub
>     CustomLog /home/csc-stuttgart/csc-stuttgart.org/log/access.log combined
>     ErrorLog /home/csc-stuttgart/csc-stuttgart.org/log/error.log
>
>
>     ServerName forum.csc-stuttgart.org
>     AssignUserID csc-stuttgart csc-stuttgart
>     ProxyPreserveHost On
>     ProxyPass "/" "http://localhost:2080/"
>     ProxyPassReverse "/" "http://localhost:2080/"
>     DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub
>     CustomLog /home/csc-stuttgart/csc-stuttgart.org/log/access.log combined
>     ErrorLog /home/csc-stuttgart/csc-stuttgart.org/log/error.log
>
>     SSLEngine On
>     SSLCertificateFile /home/csc-stuttgart/csc-stuttgart.org/ssl/forum.csc-stuttgart.org.cert
>     SSLCertificateKeyFile /home/csc-stuttgart/csc-stuttgart.org/ssl/forum.csc-stuttgart.org.key

--
Daniel Ferradal
IT Specialist
email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal
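The word "first" in Daniel's answer is the whole point: mod_proxy checks `ProxyPass` entries in configuration order and the first matching path prefix wins, so `ProxyPass /.well-known !` only takes `/.well-known` out of the proxy if it precedes the catch-all `ProxyPass "/" ...`. The model below is an added example, not code from the thread or from httpd; it reproduces that ordering rule and mod_proxy's requirement that a prefix not ending in `/` match a whole path segment (so `/.well-known` does not capture `/.well-knownish`). The rule sets and request paths are constructed for the example.

```python
def _prefix_matches(prefix, path):
    """mod_proxy style prefix test.

    A prefix that does not end in "/" must end on a path-segment boundary:
    "/.well-known" matches "/.well-known/acme-challenge/x" but not
    "/.well-knownish".  A prefix ending in "/" (such as "/") matches any
    path beneath it.
    """
    if not path.startswith(prefix):
        return False
    rest = path[len(prefix):]
    return prefix.endswith("/") or rest == "" or rest.startswith("/")


def proxy_decision(rules, path):
    """Walk ProxyPass rules in configuration order; the first match wins.

    rules: list of (path_prefix, target) as written in ProxyPass directives;
    a target of "!" is the exception form ("ProxyPass /.well-known !").
    Returns the backend URL the request would be forwarded to, or None when
    httpd serves the path itself (exception hit, or no prefix matched).
    """
    for prefix, target in rules:
        if _prefix_matches(prefix, path):
            if target == "!":
                return None
            return target + path[len(prefix):]
    return None


# Constructed rule sets: the exception placed before and after the catch-all.
EXCEPTION_FIRST = [("/.well-known", "!"), ("/", "http://localhost:2080/")]
EXCEPTION_LAST = [("/", "http://localhost:2080/"), ("/.well-known", "!")]

ACME_PATH = "/.well-known/acme-challenge/token"  # constructed sample path


if __name__ == "__main__":
    for label, rules in (("exception first", EXCEPTION_FIRST), ("exception last", EXCEPTION_LAST)):
        print("%-16s %s -> %s" % (label, ACME_PATH, proxy_decision(rules, ACME_PATH) or "served locally"))
```

With the exception first, the ACME challenge path is served from `DocumentRoot` and every other path still goes to the Discourse container; with the exception after the catch-all it never fires, which is the silent failure mode to check for when a certificate renewal starts returning the forum's 404 page.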
[users@httpd] Re: How to customize error responses (while using mod_rewrite)?
On Mon, 15 May 2017, Jens Schleusener wrote:

> On Mon, 15 May 2017, Eric Covener wrote:
>
>> On Mon, May 15, 2017 at 12:32 PM, Jens Schleusener wrote:
>>
>>> Ok, in that case one could use the ErrorDocument directive (it works for me principally) but how can one achieve that that directive is not used globally but only specifically for the above case?
>>>
>>> The idea to set in the above RewriteRule additionally an environment variable for e.g. via a "E=tlsv10:1" flag and using
>>>
>>> ErrorDocument 412 /https_tlsv10.html
>>>
>>> seems not to work, the Apache httpd outputs the "412" standard error message.
>>
>> Re: the If misfiring, its because
>
> Thanks for the hint, I will try it.

With your hint and some testing I ended up now with the following by choosing for now the response error status code 412 ("Precondition Failed"):

ErrorDocument 412 /https_tlsv10.html

RewriteCond %{SSL:SSL_PROTOCOL} ^TLSv1$
RewriteRule !^/https_tlsv10.html$ - [R=412,L]

So my special example problem seems to be solved, but the original general question of how one can generate customized error responses while using the mod_rewrite module seems to have as its general answer only the use of an appropriate CGI program.

Thanks for the help

Jens
[users@httpd] Re: How to proxy web server?
On 15.05.2017 at 17:05, Florian Lindner wrote:
> Hello,
>
> Apache 2.4 on Debian Testing, mpm_itk
>
> I have the Discourse web forum running in a docker container. The container's webserver is bound to localhost:2080. The forum should be reachable at either forum.csc-stuttgart.org or csc-stuttgart.org/forum.
>
> Possibility A:
>
>     ServerName forum.csc-stuttgart.org
>     AssignUserID csc-stuttgart csc-stuttgart
>     ProxyPreserveHost On
>     ProxyPass "/" "http://localhost:2080/"
>     ProxyPassReverse "/" "http://localhost:2080/"
>     DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub
>     [...]
>
> That works fine, besides one little problem. I want to use Let's Encrypt SSL certificates on that which require a path forum.csc-stuttgart.org/.well-known to be writable from the file system. How can I take just one path out of the Proxy?
>
> Wrap the ProxyPass/Reverse in a with a PCRE that matches everything except .well-known? Haven't tested it yet. Any better solution?

Ok, I was able to achieve it using:

    ServerName forum.csc-stuttgart.org
    AssignUserID csc-stuttgart csc-stuttgart

    Redirect permanent / https://forum.csc-stuttgart.org/

    DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub
    CustomLog /home/csc-stuttgart/csc-stuttgart.org/log/access.log combined
    ErrorLog /home/csc-stuttgart/csc-stuttgart.org/log/error.log


    ServerName forum.csc-stuttgart.org
    AssignUserID csc-stuttgart csc-stuttgart
    ProxyPreserveHost On
    ProxyPass "/" "http://localhost:2080/"
    ProxyPassReverse "/" "http://localhost:2080/"
    DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub
    CustomLog /home/csc-stuttgart/csc-stuttgart.org/log/access.log combined
    ErrorLog /home/csc-stuttgart/csc-stuttgart.org/log/error.log

    SSLEngine On
    SSLCertificateFile /home/csc-stuttgart/csc-stuttgart.org/ssl/forum.csc-stuttgart.org.cert
    SSLCertificateKeyFile /home/csc-stuttgart/csc-stuttgart.org/ssl/forum.csc-stuttgart.org.key
Re: [users@httpd] Getting PHP-FPM working
hello John,

Is ChrootDir activated?

regards,

Christian

On Mon, May 15, 2017 at 10:42:37AM -0400, John Iliffe wrote:
> Hi Christian:
>
> I just noticed that you put "" around the parameters to ProxyPassMatch.
>
> I tried that and no change in the results.
>
> John
>
> On Monday 15 May 2017 05:21:59 Christian Hettler wrote:
> > Hello John,
> >
> > the manual (mod_proxy_fcgi.html) states:
> >
> > "The request URL is implicitly added to the 2nd parameter."
> >
> > (Did|Can) you try
> >
> > ProxyPassMatch "^/.*\.php(/.*)?$" "fcgi://127.0.0.1:9015/httpd/iliffe/"
> >
> > instead of
> >
> > > # ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9015/httpd/iliffe/$1
> >
> > regards,
> >
> > Christian
> >
> > On Sat, May 13, 2017 at 03:43:08PM -0400, John Iliffe wrote:
> > > I'm not sure if this is the correct list to post these questions to, since I now have things isolated to a single module in PHP-FPM, so please redirect me if necessary. This is a continuation of the problems I was having (on this list) installing a new server last month.
> > >
> > > -----
> > > Summary: PHP-FPM will not execute any scripts; it is set up according to the PHP-FPM Wiki documentation so far as I can see.
> > > -----
> > >
> > > O/S Fedora 25, Apache 2.4.25 compiled from source, PHP 7.1.3 compiled from source.
> > >
> > > I did a clean install of PHP-7.1.3 for testing, PHP-FPM is running under its own user/group phpfpm. Set up as listen on 127.0.0.1:9015 in pool www. Document root in www.conf is /httpd/iliffe which has been set to world readable, SELinux is set to permissive so it isn't in the equation. Log level on PHP is debug. All available log info is at the end of this memo.
> > >
> > > It seems obvious to me that the proxy_fcgi module is working as expected and that the problem is somewhere in PHP-FPM.
> > >
> > > mod_php was tried as a check on the installation and works OK when enabled.
> > >
> > > I am using the minimalist proxy configuration in Apache, (the target PHP script is hard coded to avoid regex errors) and the target PHP script file is being reported correctly by both Apache and PHP-FPM. I checked by su as the phpfpm user and I can read this file, no problems at all.
> > >
> > > The problem has been traced to fpm_main.c, specifically the following:
> > >
> > > -----
> > > if (UNEXPECTED(php_fopen_primary_script(&file_handle) == FAILURE)) {
> > >     zend_try {
> > >         zlog(ZLOG_ERROR, "Unable to open primary script: %s (%s)", primary_script, strerror(errno));
> > >         if (errno == EACCES) {
> > >             SG(sapi_headers).http_response_code = 403;
> > >             PUTS("Access denied.\n");
> > >         } else {
> > >             SG(sapi_headers).http_response_code = 404;
> > >             PUTS("No input file specified.\n");
> > >
> > > Changing the script path in httpd.conf leads to a browser File Not Found error as would be expected. The document root in httpd.conf and in www.conf (PHP pool conf file for this pool) are the same.
> > >
> > > In Apache, the minimum is set in httpd.conf:
> > >
> > > # Default host (www.iliffe.ca)
> > > # This one picks up all IP based hacker garbage too
> > >
> > >     ServerName www.iliffe.ca
> > >     DocumentRoot /httpd/iliffe
> > >     Options FollowSymLinks
> > >     H2Direct on
> > >
> > > # ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9015/httpd/iliffe/$1
> > >
> > > ProxyPassMatch ^/info$ fcgi://127.0.0.1:9015/httpd/iliffe/i_phpinfo.php
> > >
> > > As far as I can see, all necessary Apache modules are loaded:
> > >
> > > # /usr/apache-2.4.25/bin/httpd -M
> > >
> > > Loaded Modules:
> > > core_module (static)
> > > so_module (static)
> > > http_module (static)
> > >
> > > big list of modules skipped here
> > >
> > > proxy_module (shared)
> > > proxy_connect_module (shared)
> > > proxy_http_module (shared)
> > > proxy_fcgi_module (shared)
> > > ssl_module (shared)
> > > unixd_module (shared)
> > > http2_module (shared)
> > > status_module (shared)
> > >
> > > **more modules skipped here
> > >
> > > I'm completely stuck here and any ideas or assistance would be appreciated.
> > >
> > > Regards,
> > >
> > > John
> > >
> > > All following errors from one screen access:
> > > -----
> > > PHP-FPM log:
> > > [13-May-2017 14:40:33.423449] DEBUG: pid 16444, fpm_pctl_perform_idle_server_maintenance(), line 379: [pool www] currently 0 active children, 2 spare children, 2 running children