[users@httpd] Set up an Apache HTTP server as a rotating proxy

2018-02-09 Thread Peng Yu
Hi,

Suppose that I have many proxies that I can use (called secondary
proxies here). I'd like to create a master proxy that rotates its
connection to these secondary proxies. In this way, an application
only needs to connect to this master proxy and does not need to know
whether the master proxy rotates among these secondary proxies.

I see that an Apache reverse proxy may be able to do this, but I
am not very sure. Could anybody confirm whether this is the case? Is
there any specific configuration that needs to be done to ensure a strict
rotation policy? Thanks.

https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html

-- 
Regards,
Peng

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Spurious access denied errors

2018-02-09 Thread Marat Khalili
> Probably because you are essentially denying access to documentroot and this 
> path is checked for all requests.

Looks like you are right, but why? What if there's a file there? What if 
there's a script there? A device file or a symbolic link to one?

> or change documentroot to a directory you can give access even if it's an 
> empty directory to get rid of those messages or change the documentroot to 
> something else.

I will do like you advise, but would still like to learn what's going on.
-- 

With Best Regards,
Marat Khalili




Re: [users@httpd] Spurious access denied errors

2018-02-09 Thread Daniel
Probably because you are essentially denying access to documentroot
and this path is checked for all requests.

Add a

Require all granted


or change documentroot to a directory you can give access even if it's
an empty directory to get rid of those messages or change the
documentroot to something else.

Denying access to documentroot by default is not...

2018-02-09 16:30 GMT+01:00 Marat Khalili :
>> At first glance, something in your browser is probably requesting the page
>> /test. Since it doesn't correspond to any of your alias statements, it hits
>> the DocumentRoot which you have denied access to.
>>
>> Is there a corresponding entry in your access log?
>
>
>
> There's no entry in access log, and the problem is easily reproduced with
> curl/wget. There's only one request visible in tcpdump. I've also confirmed
> that excluding proxy does not fix the problem.
>
> On the other hand, I don't see the same problem on bare Apache installation
> serving only static files. Can Mediawiki PHP create some internal requests?
> How can I debug this?
>
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>



-- 
Daniel Ferradal
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal




Re: [users@httpd] SSL Certificate Validation

2018-02-09 Thread Eric Covener
On Thu, Feb 8, 2018 at 12:51 PM, Houser, Rick  wrote:
> I didn’t think you could have two virtualhost entries with the same IP/port.

That's just name-based virtualhosts. The first one is the default.




Re: [users@httpd] Spurious access denied errors

2018-02-09 Thread Marat Khalili
> At first glance, something in your browser is probably requesting the
> page /test. Since it doesn't correspond to any of your alias
> statements, it hits the DocumentRoot which you have denied access to.
>
> Is there a corresponding entry in your access log?



There's no entry in access log, and the problem is easily reproduced 
with curl/wget. There's only one request visible in tcpdump. I've also 
confirmed that excluding proxy does not fix the problem.


On the other hand, I don't see the same problem on bare Apache installation 
serving only static files. Can Mediawiki PHP create some internal 
requests? How can I debug this?


--

With Best Regards,
Marat Khalili





Re: [users@httpd] Spurious access denied errors

2018-02-09 Thread Yehuda Katz
At first glance, something in your browser is probably requesting the page
/test. Since it doesn't correspond to any of your alias statements, it hits
the DocumentRoot which you have denied access to.

Is there a corresponding entry in your access log?

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Feb 9, 2018 4:43 AM, "Marat Khalili"  wrote:

Dear list,

I've installed and configured mediawiki as follows (on top of default
Ubuntu 16.04 Apache/2.4.18 installation):

DocumentRoot /var/www/html
>
> 
> Options None
> Require all denied
> 
>
> 
> Options ExecCGI
> Require host proxy.example.com
> 
> 
> Options None
> Require host proxy.example.com
> 
>
> Alias /wiki /opt/local/mediawiki/index.php
> Alias /w/images /mnt/mediawiki/images
> Alias /w /opt/local/mediawiki
>

*Everything works*, i.e. clients successfully receive all pages with
appropriate HTTP statuses in both client and Apache access log. However,
for each request like /wiki/test I see the following extra message in
error.log:

[Fri Feb 09 09:35:25.368731 2018] [authz_core:error] [pid 695] [client
> 10.4.1.4:56622] AH01630: client denied by server configuration:
> /var/www/html/test
>

If I remove  clause, these messages disappear. They
trigger fail2ban and are generally confusing. What may be causing them and
how to make them stop?


--

With Best Regards,
Marat Khalili



Re: [users@httpd] Fw: unsubscribe

2018-02-09 Thread Ruben Safir
On 02/08/2018 09:18 PM, Richards, Toby wrote:
> I sent my unsubscribe message over seven hours ago. Why am I still getting 
> messages?
> 
>

why take personal problems to the list?




[users@httpd] Spurious access denied errors

2018-02-09 Thread Marat Khalili

Dear list,

I've installed and configured mediawiki as follows (on top of default 
Ubuntu 16.04 Apache/2.4.18 installation):



    DocumentRoot /var/www/html

    
    Options None
    Require all denied
    

    
    Options ExecCGI
    Require host proxy.example.com
    
    
    Options None
    Require host proxy.example.com
    

    Alias /wiki /opt/local/mediawiki/index.php
    Alias /w/images /mnt/mediawiki/images
    Alias /w /opt/local/mediawiki


*Everything works*, i.e. clients successfully receive all pages with 
appropriate HTTP statuses in both client and Apache access log. However, 
for each request like /wiki/test I see the following extra message in 
error.log:


[Fri Feb 09 09:35:25.368731 2018] [authz_core:error] [pid 695] [client 
10.4.1.4:56622] AH01630: client denied by server configuration: 
/var/www/html/test


If I remove  clause, these messages disappear. They 
trigger fail2ban and are generally confusing. What may be causing them 
and how to make them stop?



--

With Best Regards,
Marat Khalili
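
An added triage sketch for the AH01630 messages described in this post (not code from the thread or from the httpd project): it pairs each denial in error.log with the same client's access-log entries for that second, so a denial that accompanies a successfully served /wiki/... request can be told apart from a real blocked request before it feeds fail2ban. Assumptions: the access-log lines and the second error line are constructed, the access log uses Common Log Format, both logs use the same local time, and the suffix-matching heuristic is illustrative rather than an explanation of the cause.

```python
import re
from datetime import datetime

DOCROOT = "/var/www/html"  # DocumentRoot from the post

# Constructed samples; the first error line reproduces the one quoted in the post.
ERROR_LOG = """\
[Fri Feb 09 09:35:25.368731 2018] [authz_core:error] [pid 695] [client 10.4.1.4:56622] AH01630: client denied by server configuration: /var/www/html/test
[Fri Feb 09 09:36:02.114502 2018] [authz_core:error] [pid 696] [client 10.4.1.9:40112] AH01630: client denied by server configuration: /var/www/html/admin.php
"""
ACCESS_LOG = """\
10.4.1.4 - - [09/Feb/2018:09:35:25 +0000] "GET /wiki/test HTTP/1.1" 200 5120
10.4.1.9 - - [09/Feb/2018:09:36:02 +0000] "GET /admin.php HTTP/1.1" 403 199
"""

ERR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[authz_core:error\] \[pid \d+\] "
                    r"\[client (?P<ip>[^\]]+):\d+\] AH01630: client denied by "
                    r"server configuration: (?P<path>.+)$")
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]+\] '
                    r'"\S+ (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_access(text):
    """Index access-log entries as {(client_ip, second): [(url, status), ...]}."""
    seen = {}
    for line in text.splitlines():
        m = ACC_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            seen.setdefault((m["ip"], ts), []).append((m["url"], int(m["status"])))
    return seen

def triage(error_text, access_text, docroot=DOCROOT):
    """Label each AH01630 denial under docroot as 'spurious' or 'genuine'."""
    access = parse_access(access_text)
    out = []
    for line in error_text.splitlines():
        m = ERR_RE.match(line)
        if not m or not m["path"].startswith(docroot + "/"):
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y").replace(microsecond=0)
        tail = m["path"][len(docroot):]  # e.g. "/test"
        # Spurious: the client was served a longer URL ending in the denied tail.
        served = any(status < 400 and url != tail and url.split("?")[0].endswith(tail)
                     for url, status in access.get((m["ip"], ts), []))
        out.append((m["ip"], m["path"], "spurious" if served else "genuine"))
    return out

if __name__ == "__main__":
    for row in triage(ERROR_LOG, ACCESS_LOG):
        print(*row)
```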




Re: [users@httpd] SSL Certificate Validation

2018-02-09 Thread Dr James A Smith
The whole point of virtual hosts is you can have multiple of them - that 
is the whole way Apache configuration works to have multiple sites being 
served from the same server... currently I have servers with 20+ 
virtualhost configurations.


Having a single virtual host is OK - but if you have more than one 
virtualhost (or you have multiple domains for a single virtualhost - we 
do on sandbox/dev/staging/live sites) you would need to write a long set 
of rewritecond entries..


The configuration I set up is the simplest extensible one...



On 08/02/2018 17:51, Houser, Rick wrote:


I didn’t think you could have two virtualhost entries with the same 
IP/port.  I would probably do this within a single VirtualHost, 
myself.  Something like this combined with the RewriteRule:


RewriteCond %{HTTP_HOST} !^THE.CORRECT.HOSTNAME$

Rick Houser

Web Engineer

*From:*Dr James A Smith [mailto:j...@sanger.ac.uk]
*Sent:* Thursday, February 08, 2018 12:18
*To:* users@httpd.apache.org
*Subject:* Re: [users@httpd] SSL Certificate Validation


The easiest way to do this is to make sure you have the correct 
hostname in the virtual host - the one that matches your certificate 
and another virtual host which has no hostname in it to catch all the 
other requests.



   return a forbidden response for all requests!
  RewriteEngine On
  RewriteRule ^(.*)$ - [L,F]



  ServerName your.real.host.com
  ... real config...


On 08/02/2018 16:46, Houser, Rick wrote:

In addition to fixing your certificate, you may have a reason to
make sure the host header they send is correct.  If they are
reaching you via an alternate hostname or something that’s getting
them to the correct IP, but shouldn’t be supported for your
service, stopping them from doing that might take away the
incentive they see to disable the hostname verification in the
first place.

Rick Houser

Web Engineer

*From:* Eric Covener [mailto:cove...@gmail.com]
*Sent:* Thursday, February 08, 2018 11:19
*To:* users@httpd.apache.org 
*Subject:* Re: [users@httpd] SSL Certificate Validation



On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar
<nbelm...@cscgroup.com> wrote:

Thanks Rainer and Daniel.

Sorry for the confusion and please let me clarify.

We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t,
the Apache service launches fine and the users/developers are
able to connect however developers through their code bypass
the Server SSL certificate verification. I am not worried
about the client certificate validation since we are not using
it,  all the concern is we need to stop users bypassing the
Server SSL verification who are claiming they have to bypass
it since the certificate name doesn’t match the server name in
the link being called. Kindly note that configuration in
httpd.conf is:

You can't stop them unless you control the client.  You only
control the server. The only thing you could do is provide a
better certificate.




-- The Wellcome Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE.






