Re: [users@httpd] Getting hostname from FQDN as variable in config file

2018-05-10 Thread sebb
On 10 May 2018 at 15:09, Eric Covener  wrote:
> On Thu, May 10, 2018 at 9:56 AM, sebb  wrote:
>> Is it possible to access the hostname part of a FQDN in a config file?
>>
>> For example, suppose the config has the following condition:
>>
>> 
>>
>> This might resolve to a directory such as:
>>
>> /var/test/NAME.example.com
>>
>> Is there a way to resolve just the initial part of the host, i.e. NAME?
>
> I think there are some quirks that make this a little unruly. But you
> could extract it with a simple SetEnvIf in advance then look at the
> set environment variable instead:

Thanks!

> SetEnvIf Host ^([^.]+) HOST_UNQUALIFIED=$1
>
> Then use reqenv('HOST_UNQUALIFIED') instead of the variable.

Turns out one needs to use a different syntax:




> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>




Re: [users@httpd] Newbie - Apache as internet facing proxy for Windows/IIS backend .net app server?

2018-05-10 Thread Yehuda Katz
You could add additional authentication requirements in the reverse proxy
for specific requests. You can also make sure to only proxy requests that
match what you think the backend should process.
There are a lot of tools that can help you, but as you said, you might get
the best results if someone actually looks at your specific system and your
specific requirements.

- Y

On Thu, May 10, 2018 at 10:49 AM Charles Marcus 
wrote:

> Ok, a follow-up question...
>
> My only concern here is security. This is not and never will be a heavily
> used system, but it will serve as a gateway to a backend accounting system,
> so I'm not concerned with load balancing or any of the other features that
> come with a reverse proxy. My only concern is that it be as secure as
> possible.
>
> I know that a reverse proxy in and of itself doesn't add any real security
> (other than this will be running on linux, which I'm more comfortable
> exposing to the internet).
>
> So, with that in mind... I would appreciate any links to how to do this
> with security as the primary goal. Something more than just 'enable
> mod_security'.
>
> Also, I would be very open to paying a consultant to assist in setting
> this up, if I can be convinced they are legit and worth their asking price.
> Two things I'd want/need help with is testing to whittle down the http
> features to only those necessary to interact with our system, taking
> advantage of mod_secs 'continuous passive security assessment' feature, and
> anything else that makes sense.
>
> And thanks for the responses so far!
>
> *Charles*
>
> On Mon May 07 2018 13:56:56 GMT-0400 (Eastern Standard Time), Yehuda Katz
>   wrote:
>
> Your application will still need to run on a Windows server with IIS, but
> it can be behind your firewall. Your Apache HTTPD server would go in your
> DMZ and would proxy connections between the clients on the internet and the
> internal server. (Your firewall would need to allow those connections.)
>
> - Y
>
> On Mon, May 7, 2018 at 1:44 PM Charles Marcus 
> wrote:
>
>> Ok, thanks!
>>
>> But to be clear - I asked the Support people and was told, and I quote:
>>
>> "The Webvantage, Client Portal and Mobile Server applications are .Net
>> IIS applications that require Microsoft Windows and IIS."
>>
>> So... was that just a typical response from a Windows support person who
>> doesn't really understand web servers?
>>
>> The software in question is described here:
>>
>> http://www.gotoadvantage.com/web-based-management-software
>>
>> I don't mind doing the work, I'd just rather not go down a rabbit hole
>> trying to do something that can/will never work.
>>
>> Thanks again,
>>
>> *Charles*
>>
>>
>> On Mon May 07 2018 13:37:36 GMT-0400 (Eastern Standard Time), Yehuda Katz
>>   wrote:
>>
>> Certainly. I would start with the Reverse Proxy Guide:
>> https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
>> Come back here if you have any questions.
>>
>> - Y
>>
>> On Mon, May 7, 2018 at 1:32 PM Charles Marcus 
>> wrote:
>>
>>> Hello all,
>>>
>>> I just want to know if this is even worth my time trying to figure out.
>>>
>>> We have an Accounting application (.net/IIS on Windows Server 2008R2) on
>>> our LAN, but I need to provide a window to this through the internet, and
>>> I'd really, really like to not put a Windows Server on our DMZ facing the
>>> internet directly (if I have to, it will be a separate/standalone server
>>> that redirects/proxies to the Accounting server).
>>>
>>> First and foremost - is it even possible to set up an Apache server to do
>>> this? I loathe IIS, and also don't know much about it, but I'm also pretty
>>> much a noob when it comes to web servers in general. I do have some
>>> experience a while back with Apache, which is why I'm starting here.
>>>
>>> If it isn't, so be it, but if it is, is it very involved?
>>>
>>> Tia...
>>>
>>> *Charles*
>>>
>>
>>
>
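One way to express the two suggestions in Yehuda Katz's reply above (proxy only what the backend should process, and require authentication at the proxy for specific requests) as httpd 2.4 configuration. This is an added example, not configuration from the thread; the host names, the /portal/ paths and the file locations are placeholders.

```apache
# Added example. Host names, URL paths and file locations are placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic, mod_authn_file,
# mod_authz_core and mod_authz_user.
<VirtualHost *:443>
    ServerName portal.example.com
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/portal.example.com.pem"
    SSLCertificateKeyFile "/etc/ssl/private/portal.example.com.key"

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Only this URL prefix is mapped to the backend on the LAN.
    ProxyPass        "/portal/" "http://iis-backend.internal.example/portal/"
    ProxyPassReverse "/portal/" "http://iis-backend.internal.example/portal/"

    # Default deny: a request that matches no section below is answered
    # with 403 by httpd and never reaches the backend.
    <Location "/">
        Require all denied
    </Location>

    # Allow the proxied prefix, limited to the methods the application
    # is expected to need.
    <Location "/portal/">
        Require method GET POST
    </Location>

    # Additional authentication at the proxy for specific requests.
    <Location "/portal/reports/">
        AuthType Basic
        AuthName "Accounting reports"
        AuthBasicProvider file
        AuthUserFile "/etc/apache2/portal.htpasswd"
        <RequireAll>
            Require method GET POST
            Require valid-user
        </RequireAll>
    </Location>
</VirtualHost>
```

The `<Location>` sections are listed from least to most specific because, with the default `AuthMerging Off`, the authorization rules of the last matching section replace those of the earlier ones.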


Re: [users@httpd] Newbie - Apache as internet facing proxy for Windows/IIS backend .net app server?

2018-05-10 Thread Charles Marcus
Ok, a follow-up question...

My only concern here is security. This is not and never will be a
heavily used system, but it will serve as a gateway to a backend
accounting system, so I'm not concerned with load balancing or any of
the other features that come with a reverse proxy. My only concern is
that it be as secure as possible.

I know that a reverse proxy in and of itself doesn't add any real
security (other than this will be running on linux, which I'm more
comfortable exposing to the internet).

So, with that in mind... I would appreciate any links to how to do this
with security as the primary goal. Something more than just 'enable
mod_security'.

Also, I would be very open to paying a consultant to assist in setting
this up, if I can be convinced they are legit and worth their asking
price. Two things I'd want/need help with is testing to whittle down the
http features to only those necessary to interact with our system,
taking advantage of mod_secs 'continuous passive security assessment'
feature, and anything else that makes sense.

And thanks for the responses so far!

*Charles*

On Mon May 07 2018 13:56:56 GMT-0400 (Eastern Standard Time), Yehuda
Katz  wrote:
> Your application will still need to run on a Windows server with IIS,
> but it can be behind your firewall. Your Apache HTTPD server would go
> in your DMZ and would proxy connections between the clients on the
> internet and the internal server. (Your firewall would need to allow
> those connections.) 
>
> - Y
>
> On Mon, May 7, 2018 at 1:44 PM Charles Marcus wrote:
>
> Ok, thanks!
>
> But to be clear - I asked the Support people and was told, and I
> quote:
>
> "The Webvantage, Client Portal and Mobile Server applications are
> .Net IIS applications that require Microsoft Windows and IIS."
>
> So... was that just a typical response from a Windows support
> person who doesn't really understand web servers?
>
> The software in question is described here:
>
> http://www.gotoadvantage.com/web-based-management-software
>
> I don't mind doing the work, I'd just rather not go down a rabbit
> hole trying to do something that can/will never work.
>
> Thanks again,
>
> *Charles*
>
> On Mon May 07 2018 13:37:36 GMT-0400 (Eastern Standard Time),
> Yehuda Katz   wrote:
>> Certainly. I would start with the Reverse Proxy
>> Guide: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
>> Come back here if you have any questions.
>>
>> - Y
>>
>> On Mon, May 7, 2018 at 1:32 PM Charles Marcus wrote:
>>
>> Hello all,
>>
>> I just want to know if this is even worth my time trying to
>> figure out.
>>
>> We have an Accounting application (.net/IIS on Windows Server
>> 2008R2) on our LAN, but I need to provide a window to this
>> through the internet, and I'd really, really like to not put
>> a Windows Server on our DMZ facing the internet directly (if
>> I have to, it will be a separate/standalone server that
>> redirects/proxies to the Accounting server).
>>
>> First and foremost - is it even possible to set up an Apache
>> server to do this? I loathe IIS, and also don't know much
>> about it, but I'm also pretty much a noob when it comes to
>> web servers in general. I do have some experience a while
>> back with Apache, which is why I'm starting here.
>>
>> If it isn't, so be it, but if it is, is it very involved?
>>
>> Tia...
>>
>> *Charles*
>>
>



Re: [users@httpd] Getting hostname from FQDN as variable in config file

2018-05-10 Thread Eric Covener
On Thu, May 10, 2018 at 9:56 AM, sebb  wrote:
> Is it possible to access the hostname part of a FQDN in a config file?
>
> For example, suppose the config has the following condition:
>
> 
>
> This might resolve to a directory such as:
>
> /var/test/NAME.example.com
>
> Is there a way to resolve just the initial part of the host, i.e. NAME?

I think there are some quirks that make this a little unruly. But you
could extract it with a simple SetEnvIf in advance then look at the
set environment variable instead:

SetEnvIf Host ^([^.]+) HOST_UNQUALIFIED=$1

Then use reqenv('HOST_UNQUALIFIED') instead of the variable.
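What the SetEnvIf pattern above captures for a few Host values, with a stricter variant beside it. This is an added example, not part of the original post; the sample Host values are constructed, and anchoring to example.com (the domain in the thread's sample path) is an assumption.

```apache
# Pattern from the thread: everything before the first dot of the Host header.
# The Host header is supplied by the client and the pattern is not anchored
# at the end, so it matches almost any value:
#   Host: NAME.example.com        ->  NAME
#   Host: NAME.example.com:8080   ->  NAME
#   Host: name.EXAMPLE.com        ->  name            (case is kept as sent)
#   Host: localhost:8080          ->  localhost:8080  (no dot: port included)
#   Host: 192.0.2.10              ->  192
#
# SetEnvIf Host ^([^.]+) HOST_UNQUALIFIED=$1

# Stricter variant (assumption: all served names sit directly under
# example.com). The variable is set only for a single label under that
# domain, with an optional port. For any other Host value it stays unset,
# so a later comparison against it does not match.
SetEnvIfNoCase Host "^([a-z0-9-]+)\.example\.com(:[0-9]+)?$" HOST_UNQUALIFIED=$1
```

Restricting the captured label to letters, digits and hyphens matters most when the variable is later used to build a filesystem path such as the /var/test/... directory in the question.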




[users@httpd] Getting hostname from FQDN as variable in config file

2018-05-10 Thread sebb
Is it possible to access the hostname part of a FQDN in a config file?

For example, suppose the config has the following condition:



This might resolve to a directory such as:

/var/test/NAME.example.com

Is there a way to resolve just the initial part of the host, i.e. NAME?




[users@httpd] Security Headers, ISP, no root won't work

2018-05-10 Thread i...@h-c-b.de
Hi!

I want to enable some security headers. I don't have access to my
vhosts, and not to the apache config, so I used my .htaccess.


Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "no-referrer"
Header set Content-Security-Policy "default-src 'self' ; referrer no-referrer ;"
Header unset X-Powered-By


According to my ISP there are the following directives:

apache2.config: AllowOverride none
vhosts  AllowOverride All

None of the above security headers are working. Any tips?

Thank you!
hc

